
  • 1. Preface
  • 2. Installing ApacheDS
    • 2.1. Run the installer script
    • 2.2. Start ApacheDS
    • 2.3. Install Apache Directory Studio
    • 2.4. Configure the connection
    • 2.5. Set up a partition
    • 2.6. Add a group
  • 3. Modify the configuration
    • 3.1. Linux user schema
    • 3.2. Add a test group
    • 3.3. Add a user
    • 3.4. Change the user's password
  • 4. LDAP user synchronization
    • 4.1. Install the LDAP client
    • 4.2. Configure the LDAP client
    • 4.3. Restart the nslcd service
    • 4.4. Verification
  • 5. Kerberos synchronization
    • 5.1. Modify the apacheds configuration to enable the Kerberos KDC
    • 5.2. Install the Kerberos client
    • 5.3. Modify the Kerberos configuration file
    • 5.4. Add Kerberos principals
    • 5.5. Kerberos verification
    • 5.6. Export a keytab file
    • 5.7. Verify the keytab file
  • 6. Unifying Linux and Kerberos users
  • 7. Special thanks [帅神]

1. Preface

  • Packages
Component                 Download URL
JDK 11                    https://mirrors.tuna.tsinghua.edu.cn/AdoptOpenJDK/11/jdk/x64/mac/
Apache Directory Studio   https://directory.apache.org/studio/downloads.html
ApacheDS                  http://directory.apache.org/apacheds/downloads.html

Baidu Netdisk:
Link: https://pan.baidu.com/s/1GkFwUOhuMBdqZY8jx1p8Kg  Password: 4s3h

  • Terminology
Term   Full name           Meaning
CN     Common Name         The user name or server name; up to 80 characters; may be Chinese.
OU     Organization Unit   An organizational unit; at most four levels, each up to 32 characters; may be Chinese.
DC     Domain Component    A domain component.
An LDAP directory resembles a file-system directory. The directory
DC=redmond,DC=wa,DC=microsoft,DC=com
corresponds, by analogy with a file system, to the path
Com\Microsoft\Wa\Redmond. For example, in
CN=test,OU=developer,DC=domainname,DC=com
cn=test may denote a user name and ou=developer an organizational unit in Active Directory; the DN then says that the object test lives in the developer organizational unit of the domainname.com domain.

2. Installing ApacheDS

2.1. Run the installer script

Accept the defaults; just keep pressing Enter.
My install location is: /opt/apacheds-2.0.0.AM2

[root@localhost opt]# sh apacheds-2.0.0.AM26-64bit.bin
WELCOME TO THE APACHEDS INSTALLER PROGRAM
ApacheDS is distributed under the Apache Software License Version 2.0.
Please, take some time to read the license terms below.
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
[... full text of the Apache License 2.0 printed by the installer ...]
Do you agree to the above license terms? [yes or no]
yes
Unpacking the installer...
Extracting the installer...
Where do you want to install ApacheDS? [Default: /opt/apacheds-2.0.0.AM26]
/opt/apacheds-2.0.0.AM2
Where do you want to install ApacheDS instances? [Default: /var/lib/apacheds-2.0.0.AM26]
What name do you want for the default instance? [Default: default]
Where do you want to install the startup script? [Default: /etc/init.d]
Which user do you want to run the server with (if not already existing, the specified user will be created)? [Default: apacheds]
Which group do you want to run the server with (if not already existing, the specified group will be created)? [Default: apacheds]
Installing...
id: apacheds: no such user
Done.
ApacheDS has been installed successfully.

2.2. Start ApacheDS


[root@localhost apacheds-2.0.0.AM2]# pwd
/opt/apacheds-2.0.0.AM2
[root@localhost apacheds-2.0.0.AM2]# sh bin/apacheds start default
Starting ApacheDS - default...
[root@localhost apacheds-2.0.0.AM2]# jps
26149 ApacheDsTanukiWrapper
26186 Jps

2.3. Install Apache Directory Studio

Installing Apache Directory Studio is a bit of a trap: it requires JDK 11. My machine is a Mac and it threw errors at first.

Here is how I solved it:

  1. Install JDK 11 first. I downloaded it directly from:
    https://mirrors.tuna.tsinghua.edu.cn/AdoptOpenJDK/11/jdk/x64/mac/
    and unpacked it to:

/opt/tools/jdk-11.0.10.jdk

  2. Edit the Info.plist file with a text editor
    and add the following entries, pointing them at the JDK path:

  <array>
    <string>-vm</string>
    <string>/opt/tools/jdk-11.0.10.jdk/Contents/Home/bin/java</string>
    <string>-keyring</string>
    <string>~/.eclipse_keyring</string>
  </array>
  3. Start Apache Directory Studio

2.4. Configure the connection

  • Create a connection
    Enter the connection details [note that the port is 10389]
  • Click Next

Defaults: user: uid=admin,ou=system  password: secret

  • Click Finish to save

2.5. Set up a partition

  • Open the configuration and add a custom partition

  • Click Add

  • Press Ctrl+S to save, then restart ApacheDS
[root@localhost apacheds-2.0.0.AM2]# pwd
/opt/apacheds-2.0.0.AM2
[root@localhost apacheds-2.0.0.AM2]# sh bin/apacheds restart default
Stopping ApacheDS - default...
Stopped ApacheDS - default.
Starting ApacheDS - default...

2.6. Add a group



3. Modify the configuration

3.1. Linux user schema

  • Refresh ou=schema

  • Set m-disabled to false; after this change the posixAccount and posixGroup attributes become available.

3.2. Add a test group

  • Disconnect and refresh again

  • Add the group



3.3. Add a user

  • Create a test.ldif file
dn: uid=test,ou=Group,dc=yss,dc=com
uid: test
cn: test
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}!!
shadowLastChange: 18663
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 0
homeDirectory: /home/test
  • Select the file just created to generate the user


3.4. Change the user's password

  • Double-click to change the user's password

4. LDAP user synchronization

4.1. Install the LDAP client

  • Prerequisites
  1. Disable SELinux
[root@localhost ~]# setenforce 0
setenforce: SELinux is disabled
[root@localhost ~]# sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/selinux/config
[root@localhost ~]# grep SELINUX=disabled /etc/selinux/config
SELINUX=disabled
  2. Disable the firewall (iptables)
Check the firewall state
firewall-cmd --state
Stop firewalld
systemctl stop firewalld.service
Keep firewalld from starting at boot
systemctl disable firewalld.service
  3. Run the install command on each host that should be synchronized

yum install nss-pam-ldapd openldap-clients openldap -y

[root@localhost ~]# yum install nss-pam-ldapd openldap-clients openldap -y
已加载插件:fastestmirror
Repository base is listed more than once in the configuration
Repository updates is listed more than once in the configuration
Repository extras is listed more than once in the configuration
Repository centosplus is listed more than once in the configuration
Determining fastest mirrors
Could not get metalink https://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=x86_64&infra=stock&content=altarch error was
12: Timeout on https://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=x86_64&infra=stock&content=altarch: (28, 'Operation timed out after 30001 milliseconds with 0 out of 0 bytes received')* base: mirrors.huaweicloud.com* epel: mirrors.bfsu.edu.cn* extras: mirrors.huaweicloud.com* updates: mirrors.huaweicloud.com
HDP-3.1-GPL-repo-1                                       | 2.9 kB     00:00
HDP-3.1-repo-1                                           | 2.9 kB     00:00
HDP-3.1.5.0                                              | 2.9 kB     00:00
HDP-GPL-3.1.5.0                                          | 2.9 kB     00:00
HDP-UTILS-1.1.0.22                                       | 2.9 kB     00:00
HDP-UTILS-1.1.0.22-repo-1                                | 2.9 kB     00:00
ambari-2.7.5.0                                           | 2.9 kB     00:00
base                                                     | 3.6 kB     00:00
extras                                                   | 2.9 kB     00:00
nginx                                                    | 2.9 kB     00:00
updates                                                  | 2.9 kB     00:00
(1/2): updates/7/x86_64/primary_db                         | 5.7 MB   00:03
(2/2): nginx/x86_64/primary_db                             |  60 kB   00:04
软件包 openldap-2.4.44-22.el7.x86_64 已安装并且是最新版本
正在解决依赖关系
--> 正在检查事务
---> 软件包 nss-pam-ldapd.x86_64.0.0.8.13-25.el7 将被 安装
--> 正在处理依赖关系 nscd,它被软件包 nss-pam-ldapd-0.8.13-25.el7.x86_64 需要
---> 软件包 openldap-clients.x86_64.0.2.4.44-22.el7 将被 安装
--> 正在检查事务
---> 软件包 nscd.x86_64.0.2.17-323.el7_9 将被 安装
--> 解决依赖关系完成

依赖关系解决

================================================================================
 Package                架构         版本                   源             大小
================================================================================
正在安装:
 nss-pam-ldapd          x86_64       0.8.13-25.el7          base          164 k
 openldap-clients       x86_64       2.4.44-22.el7          base          191 k
为依赖而安装:
 nscd                   x86_64       2.17-323.el7_9         updates       288 k

事务概要
================================================================================
安装  2 软件包 (+1 依赖软件包)

总下载量:643 k
安装大小:1.1 M
Downloading packages:
(1/3): nss-pam-ldapd-0.8.13-25.el7.x86_64.rpm              | 164 kB   00:00
(2/3): openldap-clients-2.4.44-22.el7.x86_64.rpm           | 191 kB   00:00
(3/3): nscd-2.17-323.el7_9.x86_64.rpm                      | 288 kB   00:00
--------------------------------------------------------------------------------
总计                                               1.3 MB/s | 643 kB  00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  正在安装    : nscd-2.17-323.el7_9.x86_64                                  1/3
  正在安装    : nss-pam-ldapd-0.8.13-25.el7.x86_64                          2/3
  正在安装    : openldap-clients-2.4.44-22.el7.x86_64                       3/3
  验证中      : openldap-clients-2.4.44-22.el7.x86_64                       1/3
  验证中      : nss-pam-ldapd-0.8.13-25.el7.x86_64                          2/3
  验证中      : nscd-2.17-323.el7_9.x86_64                                  3/3

已安装:
  nss-pam-ldapd.x86_64 0:0.8.13-25.el7  openldap-clients.x86_64 0:2.4.44-22.el7

作为依赖被安装:
  nscd.x86_64 0:2.17-323.el7_9

完毕!

4.2. Configure the LDAP client

  • Point the client at the LDAP server (check the IP address)

[root@localhost ~]# authconfig --enablemkhomedir --disableldaptls --enableldap --enableldapauth --ldapserver="192.168.101.30:10389" --ldapbasedn="dc=yss,dc=com" --update
getsebool:  SELinux is disabled
[root@localhost ~]#
  • This command modifies /etc/nsswitch.conf and /etc/openldap/ldap.conf
  1. /etc/nsswitch.conf
[root@localhost ~]# cat /etc/nsswitch.conf  |egrep -v "^#|^$"
passwd:     files sss ldap
shadow:     files sss ldap
group:      files sss ldap
hosts:      files dns myhostname
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss
netgroup:   files sss ldap
publickey:  nisplus
automount:  files ldap
aliases:    files nisplus
[root@localhost ~]#
  2. /etc/pam.d/system-auth
[root@localhost ~]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
  3. /etc/sysconfig/authconfig
[root@localhost ~]# more /etc/sysconfig/authconfig
USELDAP=yes
USELDAPAUTH=yes
USELOCAUTHORIZE=yes
USESHADOW=yes
....
  4. /etc/ssh/sshd_config
[root@localhost ~]# cat /etc/ssh/sshd_config | grep UsePAM
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
UsePAM yes
[root@localhost ~]#
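The dumps above show what authconfig wrote on the client. The following is an added example, not part of the original post, that audits constructed excerpts of /etc/nsswitch.conf and /etc/ssh/sshd_config: it checks that passwd, shadow and group resolve through ldap with files listed first (so local accounts still resolve when the directory is unreachable), and that sshd has UsePAM yes, since without it pam_ldap never runs for SSH logins. The sample file contents and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example: audit the client's NSS and sshd settings after authconfig.
# The two samples below are constructed excerpts, not files from the post.
NSSWITCH_SAMPLE='passwd:     files sss ldap
shadow:     files sss ldap
group:      files sss
hosts:      files dns myhostname'

SSHD_SAMPLE='# WARNING: UsePAM no is not supported in Red Hat Enterprise Linux
UsePAM yes
PasswordAuthentication yes'

# nss_sources CONF DB -> prints the source list configured for database DB
nss_sources() {
    printf '%s\n' "$1" | awk -v db="$2" '$1 == db ":" { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# audit_client NSSWITCH SSHD -> prints one WARN line per finding,
# returns the number of findings (0 means the client looks correctly wired)
audit_client() {
    nss=$1; sshd=$2; n=0
    for db in passwd shadow group; do
        src=$(nss_sources "$nss" "$db")
        # every identity database must consult ldap, or users resolve on some lookups but not others
        case " $src " in
            *" ldap "*) ;;
            *) echo "WARN $db: ldap is not among the sources ($src)"; n=$((n+1)) ;;
        esac
        # files must come first so root and other local accounts work when the directory is down
        case "$src" in
            files*) ;;
            *) echo "WARN $db: 'files' is not the first source ($src)"; n=$((n+1)) ;;
        esac
    done
    usepam=$(printf '%s\n' "$sshd" | awk '$1 == "UsePAM" { print $2; exit }')
    if [ "$usepam" != "yes" ]; then
        echo "WARN sshd: UsePAM is '$usepam'; pam_ldap will not run for ssh logins"
        n=$((n+1))
    fi
    return "$n"
}

# Demo run on the constructed samples; the group line is missing ldap, so one WARN is expected.
audit_client "$NSSWITCH_SAMPLE" "$SSHD_SAMPLE" || true
```

On a real client, replace the samples with `$(cat /etc/nsswitch.conf)` and `$(cat /etc/ssh/sshd_config)`; the function reads only the database name and source list, so comments and other lines are ignored.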

4.3. Restart the nslcd service

[root@localhost ~]# systemctl restart nslcd
[root@localhost ~]# systemctl restart sshd

4.4. Verification

Create a test02.ldif file

dn: uid=test02,ou=Group,dc=yss,dc=com
uid: test02
cn: test02
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}!!
shadowLastChange: 18663
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 6666
gidNumber: 666
homeDirectory: /home/test02

Things to note:

  1. uid and cn are normally the same.
  2. uidNumber is the user's numeric ID; this must be changed to an ID that is not already in use.
  3. loginShell can stay at the default, /bin/bash.
  4. gidNumber is the numeric ID of the user's group.
  5. homeDirectory: the user's home directory.

Switch to the user with su to check that it works.

[root@localhost home]# su -l test02
创建目录 '/home/test02'。
上一次登录:三 3月 17 15:29:57 CST 2021pts/3 上
[test02@localhost ~]$ pwd
/home/test02
[test02@localhost ~]$ id
uid=6666(test02) gid=0(root) 组=0(root)
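Following the notes above on uid, uidNumber, gidNumber and homeDirectory, here is an added example, not from the original post, that lints a posixAccount LDIF entry before it is imported: it flags a uidNumber that collides with a local account, a gidNumber of 0 (which would put the directory user in the root group), a cn that differs from the uid, a homeDirectory that does not match the uid, and the locked {crypt}!! placeholder that still needs a real password. The sample entry, the stand-in passwd table and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example: lint a posixAccount LDIF entry before importing it.
# Constructed sample entry (not the post's test.ldif).
SAMPLE_LDIF='dn: uid=test03,ou=Group,dc=yss,dc=com
uid: test03
cn: test03
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}!!
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 666
homeDirectory: /home/test03'

# Constructed stand-in for /etc/passwd on the client host
LOCAL_PASSWD='root:x:0:0:root:/root:/bin/bash
apacheds:x:1000:1000::/opt/apacheds:/sbin/nologin'

# ldif_attr LDIF NAME -> prints the first value of attribute NAME
ldif_attr() {
    printf '%s\n' "$1" | sed -n "s/^$2: //p" | head -n 1
}

# lint_ldif LDIF PASSWD -> prints one line per finding,
# returns the number of WARN findings (0 means the entry looks consistent)
lint_ldif() {
    ldif=$1; passwd=$2; findings=0
    uid=$(ldif_attr "$ldif" uid)
    cn=$(ldif_attr "$ldif" cn)
    uidn=$(ldif_attr "$ldif" uidNumber)
    gidn=$(ldif_attr "$ldif" gidNumber)
    home=$(ldif_attr "$ldif" homeDirectory)
    pw=$(ldif_attr "$ldif" userPassword)

    # 1. uid and cn are normally the same
    if [ "$uid" != "$cn" ]; then
        echo "WARN uid ($uid) and cn ($cn) differ"; findings=$((findings+1))
    fi
    # 2. uidNumber must be numeric and must not collide with a local account
    case $uidn in
        ''|*[!0-9]*) echo "WARN uidNumber '$uidn' is not numeric"; findings=$((findings+1)) ;;
        *) if printf '%s\n' "$passwd" | awk -F: -v n="$uidn" '$3 == n { found=1 } END { exit !found }'; then
               local_name=$(printf '%s\n' "$passwd" | awk -F: -v n="$uidn" '$3 == n { print $1; exit }')
               echo "WARN uidNumber $uidn is already used by local user $local_name"
               findings=$((findings+1))
           fi ;;
    esac
    # 3. gidNumber must be numeric; gid 0 would make the user a member of the root group
    case $gidn in
        ''|*[!0-9]*) echo "WARN gidNumber '$gidn' is not numeric"; findings=$((findings+1)) ;;
        0) echo "WARN gidNumber 0 puts the user in the root group"; findings=$((findings+1)) ;;
    esac
    # 4. homeDirectory should match the uid so pam_mkhomedir creates the expected path
    if [ "$home" != "/home/$uid" ]; then
        echo "WARN homeDirectory $home does not match /home/$uid"; findings=$((findings+1))
    fi
    # 5. {crypt}!! is a locked placeholder; the account cannot log in until a password is set
    if [ "$pw" = "{crypt}!!" ]; then
        echo "INFO userPassword is the locked placeholder; set a real password after import"
    fi
    return "$findings"
}

# Demo run: the sample reuses uidNumber 1000, which the local apacheds user holds.
lint_ldif "$SAMPLE_LDIF" "$LOCAL_PASSWD" || true
```

To lint a real file against a real client, call `lint_ldif "$(cat test02.ldif)" "$(getent passwd)"`; getent also returns directory users once nslcd is running, so the collision check then covers IDs already assigned in LDAP.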

5. Kerberos synchronization

5.1. Modify the apacheds configuration to enable the Kerberos KDC

  • Select the server, right-click it and choose Open Configuration.

  • On the configuration page, check Enable Kerberos Server and Enable Kerberos Change Password Server, then press Control+S to save.

Restart apacheds for the change to take effect.

[root@localhost apacheds-2.0.0.AM2]# sh bin/apacheds restart default
Stopping ApacheDS - default...
Stopped ApacheDS - default.
Starting ApacheDS - default...
[root@localhost apacheds-2.0.0.AM2]#

5.2. Install the Kerberos client

  • Install the Kerberos client packages

yum install krb5-workstation krb5-libs krb5-auth-dialog -y

5.3. Modify the Kerberos configuration file

  • Edit /etc/krb5.conf and set the KDC address

vi /etc/krb5.conf

5.4. Add Kerberos principals

Import kdc-data.ldif into LDAP; the file contents are:

dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
objectClass: top
dc: example
o: example.com

dn: ou=Users,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: Users

dn: uid=hnelson,ou=Users,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: krb5principal
objectClass: krb5kdcentry
cn: Horatio Nelson
sn: Nelson
uid: hnelson
userPassword: secret
krb5PrincipalName: hnelson@EXAMPLE.COM
krb5KeyVersionNumber: 0

dn: uid=krbtgt,ou=Users,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: krb5principal
objectClass: krb5kdcentry
cn: KDC Service
sn: Service
uid: krbtgt
userPassword: secret
krb5PrincipalName: krbtgt/EXAMPLE.COM@EXAMPLE.COM
krb5KeyVersionNumber: 0

dn: uid=ldap,ou=Users,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: krb5principal
objectClass: krb5kdcentry
cn: LDAP
sn: Service
uid: ldap
userPassword: randall
krb5PrincipalName: ldap/localhost@EXAMPLE.COM
krb5KeyVersionNumber: 0
  • In Apache Directory Studio, right-click the connection -> Import -> LDIF Import and select the file.


  • Import succeeded

5.5. Kerberos verification

# enter the password; the file sets it to secret
[root@localhost apacheds-2.0.0.AM2]# kinit hnelson
Password for hnelson@EXAMPLE.COM:
# show the ticket
[root@localhost apacheds-2.0.0.AM2]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: hnelson@EXAMPLE.COM

Valid starting       Expires              Service principal
2021-03-17T16:19:26  2021-03-18T16:19:12  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	renew until 2021-03-24T16:19:12

5.6. Export a keytab file

Export the keytab with ktutil

[root@localhost apacheds-2.0.0.AM2]# ktutil
ktutil:  add_entry -password -p hnelson@EXAMPLE.COM -k 1 -e aes128-cts-hmac-sha1-96
Password for hnelson@EXAMPLE.COM:
ktutil:  wkt /opt/hnelson.keytab
ktutil:  q
[root@localhost apacheds-2.0.0.AM2]#

add_entry adds a key for each encryption type, and wkt then writes the keytab to a file.

5.7. Verify the keytab file

[root@localhost apacheds-2.0.0.AM2]#  kinit -kt  /opt/hnelson.keytab hnelson
[root@localhost apacheds-2.0.0.AM2]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: hnelson@EXAMPLE.COM

Valid starting       Expires              Service principal
2021-03-17T16:31:43  2021-03-18T16:31:38  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	renew until 2021-03-24T16:31:38
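For sections 5.6 and 5.7 together, this added example (not from the original post) generalizes the ktutil session above: it generates the command script with one add_entry per encryption type, and then checks a `klist -kte` listing of the written keytab for the expected principal, kvno and enctypes, so a missing enctype or a kvno that does not match the KDC is caught before the keytab is handed to a service. The principal, keytab path, enctype list and the klist listing are constructed, and the listing's column layout is assumed to be that of MIT Kerberos; the function names are mine.

```shell
#!/bin/sh
# Added example: build a ktutil script for several enctypes and verify the
# resulting keytab listing. All names and the listing below are constructed.

# make_ktutil_script PRINCIPAL KVNO KEYTAB ENCTYPE... -> ktutil commands on stdout
make_ktutil_script() {
    principal=$1; kvno=$2; keytab=$3; shift 3
    [ $# -gt 0 ] || { echo "make_ktutil_script: at least one enctype required" >&2; return 1; }
    case $kvno in ''|*[!0-9]*) echo "make_ktutil_script: kvno must be numeric" >&2; return 1 ;; esac
    for etype in "$@"; do
        # one add_entry per enctype; -k must equal the key version number the KDC
        # holds for the principal (krb5KeyVersionNumber in the directory entry),
        # otherwise tickets obtained with the keytab fail to validate
        printf 'add_entry -password -p %s -k %s -e %s\n' "$principal" "$kvno" "$etype"
    done
    printf 'wkt %s\nq\n' "$keytab"
}

# Constructed "klist -kte" output for a keytab written by the script above
KLIST_SAMPLE='Keytab name: FILE:/opt/hnelson.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 03/17/2021 16:25:11 hnelson@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   1 03/17/2021 16:25:11 hnelson@EXAMPLE.COM (aes256-cts-hmac-sha1-96)'

# keytab_has_entry LISTING PRINCIPAL KVNO ENCTYPE -> exit 0 if a matching line exists
keytab_has_entry() {
    printf '%s\n' "$1" | awk -v p="$2" -v k="$3" -v e="($4)" \
        '$1 == k && $4 == p && $5 == e { found = 1 } END { exit !found }'
}

# missing_enctypes LISTING PRINCIPAL KVNO ENCTYPE... -> prints each enctype absent from the keytab
missing_enctypes() {
    listing=$1; principal=$2; kvno=$3; shift 3
    for etype in "$@"; do
        keytab_has_entry "$listing" "$principal" "$kvno" "$etype" || echo "$etype"
    done
}

# Demo: print the script, then report which of three enctypes the sample keytab lacks.
make_ktutil_script hnelson@EXAMPLE.COM 1 /opt/hnelson.keytab \
    aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96
missing_enctypes "$KLIST_SAMPLE" hnelson@EXAMPLE.COM 1 \
    aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 des3-cbc-sha1
```

Write the generated script to a file and run it interactively with ktutil (add_entry -password prompts for the password on the terminal); afterwards feed `klist -kte /opt/hnelson.keytab` to missing_enctypes, which prints nothing when every expected key is present.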

6. Unifying Linux and Kerberos users

  1. LDIF for the sman user
  • Note: it must be under the same domain as the Kerberos principals.
dn: uid=sman,ou=Users,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: krb5KDCEntry
objectClass: krb5Principal
objectClass: organizationalPerson
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
cn: sman
gidNumber: 666
homeDirectory: /home/sman
krb5KeyVersionNumber: 1
krb5PrincipalName: sman@EXAMPLE.COM
sn: sman
uid: sman
uidNumber: 6668
krb5Key:: MBGgAwIBA6EKBAgs3IwczpIjCA==
krb5Key:: MBmgAwIBEaESBBDZ4KQ8CUaBfkx/xz+Mo6nf
krb5Key:: MBmgAwIBF6ESBBA+wfd6dpePW9BH3npNz4gx
krb5Key:: MCGgAwIBEKEaBBhMSqjaSWQWy4yiAaQq6lgVdvhu1jjaFtM=
loginShell: /bin/bash
shadowLastChange: 18663
shadowMax: 99999
shadowMin: 0
shadowWarning: 7
userPassword:: e1NTSEF9eG5LRUJMNVljNTA4amtkQ3NBLzA2NW1QU3ltOEFVMS9KUjVOclE9PQ==
  2. Import it directly.


  3. View sman

  4. Change the password


  5. Verify
[root@localhost conf]# su -l sman
创建目录 '/home/sman'。
[sman@localhost ~]$
[root@localhost ~]# kinit sman
Password for sman@EXAMPLE.COM:
[root@localhost ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_CwJLBLC
Default principal: sman@EXAMPLE.COM

Valid starting       Expires              Service principal
2021-03-17T17:28:23  2021-03-18T17:28:16  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	renew until 2021-03-24T17:28:16
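To produce entries like the sman one above, this added example (not the original post's code) builds a combined posixAccount plus krb5KDCEntry LDIF from parameters, rejects a lower-case realm or non-numeric IDs, and checks that the new user's DN shares its base with the KDC's krbtgt entry, which is the "same domain" requirement noted at the start of this section. The base DN, realm, password and function names are constructed inputs for the example.

```shell
#!/bin/sh
# Added example: generate a Linux + Kerberos user entry and check it sits
# under the same base DN as the KDC principals. Inputs below are constructed.

# make_posix_krb_entry BASEDN REALM UID UIDNUMBER GIDNUMBER PASSWORD -> LDIF on stdout
make_posix_krb_entry() {
    basedn=$1; realm=$2; user=$3; uidn=$4; gidn=$5; pw=$6
    # Kerberos realms are upper-case by convention; a lower-case realm yields a principal
    # name the KDC does not know, so refuse it here rather than after import
    case $realm in
        *[a-z]*) echo "make_posix_krb_entry: realm must be upper case: $realm" >&2; return 1 ;;
    esac
    case $uidn in ''|*[!0-9]*) echo "make_posix_krb_entry: uidNumber must be numeric" >&2; return 1 ;; esac
    case $gidn in ''|*[!0-9]*) echo "make_posix_krb_entry: gidNumber must be numeric" >&2; return 1 ;; esac
    # in real use read the password from a file or prompt rather than passing it on the
    # command line, where other local users can see it in the process list
    cat <<EOF
dn: uid=$user,ou=Users,$basedn
objectClass: inetOrgPerson
objectClass: krb5KDCEntry
objectClass: krb5Principal
objectClass: organizationalPerson
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
cn: $user
sn: $user
uid: $user
uidNumber: $uidn
gidNumber: $gidn
homeDirectory: /home/$user
loginShell: /bin/bash
shadowLastChange: $(( $(date +%s) / 86400 ))
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
krb5PrincipalName: $user@$realm
krb5KeyVersionNumber: 1
userPassword: $pw
EOF
}

# dn_base DN -> strips the leading uid=... and ou=... RDNs and prints the remaining base
dn_base() {
    printf '%s\n' "$1" | sed 's/^uid=[^,]*,//; s/^ou=[^,]*,//'
}

# same_base_dn DN1 DN2 -> exit 0 when both DNs share the same base (e.g. dc=example,dc=com)
same_base_dn() {
    [ "$(dn_base "$1")" = "$(dn_base "$2")" ]
}

# Demo: constructed user under the same base as the krbtgt entry from section 5.4
make_posix_krb_entry "dc=example,dc=com" EXAMPLE.COM sman 6668 666 'constructed-password'
same_base_dn "uid=sman,ou=Users,dc=example,dc=com" "uid=krbtgt,ou=Users,dc=example,dc=com" \
    && echo "OK: user and krbtgt share base dc=example,dc=com"
```

The generated entry carries no krb5Key values; the post's sman entry shows them because the directory stored derived keys after the password was set, so set the password through Directory Studio after import as in step 4 above.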

7. Special thanks [帅神]

https://blog.csdn.net/weixin_41609807/article/details/114586185

https://zhuanlan.zhihu.com/p/355985595
