LDAP基于kerberos的sasl认证
环境:默认kerberos服务器已经建立
KDC:server1.example.com:192.168.32.31
LDAP服务器:station2.example.com 192.168.32.32
一、将ldap服务加入到kerberos中
[root@station2 ~]# kadmin
Authenticating as principal root/admin@EXAMPLE.COM with password.
Password for root/admin@EXAMPLE.COM:
kadmin: addprinc ldap/station2.example.com
kadmin: ktadd -k /etc/ldap.keytab
二、ldap开启kerberos的支持
[root@station2 ~]#vi /etc/sysconfig/dirsrv
KRB5_KTNAME=/etc/ldap.keytab ; export KRB5_KTNAME
[root@station2 ~]#vi /etc/sysconfig/dirsrv-admin
KRB5_KTNAME=/etc/ldap.keytab ; export KRB5_KTNAME
三、通过redhat-idm-console编辑sasl设置
1、SASL Mapping设置中add一个sasl map
l name选项中填:
gssapi-map
l Regular Expression选项中填:
uid=(.*),cn=station2.example.com,cn=gssapi,cn=auth
l Search Base DN选项中填:
uid=\1,ou=People,dc=station2,dc=example,dc=com
l search filter选项中填:
(objectclass=*)
2、重启dirsrv和dirsrv-admin服务后测试
[root@station2 ~]#service dirsrv restart
[root@station2 ~]#service dirsrv-admin restart
[root@station2 ldap]# ldapsearch -Y GSSAPI "uid=guest2002" -LLL SASL/GSSAPI authentication started
SASL username: guest2001@EXAMPLE.COM
SASL SSF: 56
SASL installing layers
dn: uid=guest2002,ou=People,dc=station2,dc=example,dc=com
uid: guest2002
cn: guest2002
sn: guest2002
mail: guest2002@example.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 15083
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 2002
gidNumber: 2000
homeDirectory: /home/guests/guest2002
注:kdc的配置见http://netsword.blog.51cto.com/13993/520964
本文转自netsword 51CTO博客,原文链接:http://blog.51cto.com/netsword/549146
