RH423-8 LDAP基于Kerberos的sasl认证

LDAP基于kerberos的sasl认证

环境：默认kerberos服务器已经建立

      KDC：server1.example.com：192.168.32.31

      LDAP服务器：station2.example.com 192.168.32.32

一、将ldap服务加入到kerberos中

[root@station2 ~]# kadmin

Authenticating as principal root/admin@EXAMPLE.COM with password.

Password for root/admin@EXAMPLE.COM:

kadmin:  addprinc ldap/station2.example.com

kadmin:  ktadd  -k /etc/ldap.keytab

二、ldap开启kerberos的支持

[root@station2 ~]#vi /etc/sysconfig/dirsrv

KRB5_KTNAME=/etc/ldap.keytab ; export KRB5_KTNAME

[root@station2 ~]#vi /etc/sysconfig/dirsrv-admin

KRB5_KTNAME=/etc/ldap.keytab ; export KRB5_KTNAME

三、通过redhat-idm-console编辑sasl设置

1、SASL Mapping设置中add一个sasl map

l  name选项中填：

gssapi-map

l  Regular Expression选项中填：

uid=(.*),cn=station2.example.com,cn=gssapi,cn=auth

l  Search Base DN选项中填：

uid=\1,ou=People,dc=station2,dc=example,dc=com

l  search filter选项中填：

（objectclass=*）

2、重启dirsrv和dirsrv-admin服务后测试

[root@station2 ~]#service dirsrv restart

[root@station2 ~]#service dirsrv-admin restart

[root@station2 ldap]# ldapsearch -Y GSSAPI "uid=guest2002" -LLL                                   SASL/GSSAPI authentication started

SASL username: guest2001@EXAMPLE.COM

SASL SSF: 56

SASL installing layers

dn: uid=guest2002,ou=People,dc=station2,dc=example,dc=com

uid: guest2002

cn: guest2002

sn: guest2002

mail: guest2002@example.com

objectClass: person

objectClass: organizationalPerson

objectClass: inetOrgPerson

objectClass: posixAccount

objectClass: top

objectClass: shadowAccount

shadowLastChange: 15083

shadowMin: 0

shadowMax: 99999

shadowWarning: 7

loginShell: /bin/bash

uidNumber: 2002

gidNumber: 2000

homeDirectory: /home/guests/guest2002

注：kdc的配置见http://netsword.blog.51cto.com/13993/520964

本文转自netsword 51CTO博客，原文链接:http://blog.51cto.com/netsword/549146