
ldap实现Linux登录账号统一管理-Client

作者: Lisong | 来源:发表于2017-05-07 20:12 被阅读3939次
    实验环境

    一台 CentOS 6.8 安装 LDAP server
    一台 CentOS 6.8 安装 LDAP client

    修改hosts文件,使IP对应域名
    本环境中没有使用dns ,由hosts文件代替
    
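    # No DNS in this lab, so /etc/hosts maps the LDAP server's name to its IP.
    # Only add the entry once: the original unconditional append produced a
    # duplicate line every time the steps were re-run.
    grep -qE '^192\.168\.85\.129[[:space:]]+dev\.com([[:space:]]|$)' /etc/hosts \
      || printf '%s\n' '192.168.85.129    dev.com' >> /etc/hosts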
    
    关闭防火墙
    # Lab shortcut: turn the host firewall off at boot and right now.
    # Outside a lab keep iptables running and allow only the traffic the LDAP
    # client needs (outbound to the LDAP server) instead of disabling it.
    chkconfig iptables off
    service iptables stop
    
    关闭selinux
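    # Lab shortcut: SELinux off, now and after reboot.
    # Two fixes versus the original:
    #  - /etc/sysconfig/selinux is a symlink to /etc/selinux/config, and GNU
    #    "sed -i" on a symlink replaces the link with a regular file, so edit the
    #    real file instead;
    #  - match any current mode (permissive as well as enforcing), otherwise the
    #    substitution is a silent no-op.
    # Outside a lab, keep SELinux enforcing and allow LDAP lookups explicitly:
    #   setsebool -P authlogin_nsswitch_use_ldap 1
    setenforce 0
    sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config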
    
    软件安装
    yum install -y nss-pam-ldapd openldap-clients
    
    配置 OpenLDAP client
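    # Keep a pristine copy, but only on the first run so a re-run cannot
    # overwrite the backup with an already-modified file.
    [ -e /etc/nsswitch.conf.old ] || cp /etc/nsswitch.conf /etc/nsswitch.conf.old

    # Make NSS consult the OpenLDAP server for passwd/shadow/group.
    # Appending keeps "files" first, so local accounts (root included) still
    # resolve when nslcd or the server is down. Lines that already mention ldap
    # are skipped, so the edit is safe to run more than once.
    for db in passwd shadow group; do
      sed -i "/^${db}:.*ldap/! s/^${db}:.*/&  ldap/" /etc/nsswitch.conf
    done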
    
    
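    # OpenLDAP client-library config (read by ldapsearch and other libldap users).
    [ -e /etc/openldap/ldap.conf.old ] || cp /etc/openldap/ldap.conf /etc/openldap/ldap.conf.old

    # Fixes versus the original:
    #  - BASE had a typo ("dec=com"); the server suffix is dc=dev,dc=com, as the
    #    pam_ldap and nslcd configs below use.
    #  - HOST is deprecated in favour of URI, and the two URI entries named the
    #    same server, so a single URI line is kept.
    #  - "ssl off" looks like a pam_ldap/nslcd keyword rather than an
    #    ldap.conf(5) one, so it is dropped here.
    # NOTE(review): ldap:// on port 389 carries bind passwords in clear text;
    # beyond a lab use ldaps:// or STARTTLS and set TLS_CACERT / TLS_REQCERT.
    grep -q '^BASE[[:space:]]\+dc=dev,dc=com' /etc/openldap/ldap.conf \
      || printf '%s\n' 'BASE dc=dev,dc=com' 'URI ldap://dev.com' >> /etc/openldap/ldap.conf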
    
    启用LDAP身份验证机制
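    # authconfig's own state file: it is what "authconfig --update" reads back,
    # so it must agree with the hand-written PAM stack further down, or a later
    # authconfig run regenerates system-auth without the parts that differ.
    [ -e /etc/sysconfig/authconfig.old ] || cp /etc/sysconfig/authconfig /etc/sysconfig/authconfig.old

    # Changes versus the original: USEMKHOMEDIR=yes, because system-auth below
    # ends with pam_mkhomedir.so and authconfig would otherwise drop it; and the
    # stray trailing blank after PASSWDALGORITHM=sha512 is gone.
    # Plain key=value lines, written with printf so no heredoc terminator can be
    # mangled by indentation.
    printf '%s\n' \
      'IPADOMAINJOINED=no' \
      'USEMKHOMEDIR=yes' \
      'USEPAMACCESS=no' \
      'CACHECREDENTIALS=yes' \
      'USESSSDAUTH=no' \
      'USESHADOW=yes' \
      'USEWINBIND=no' \
      'USEDB=no' \
      'USEFPRINTD=yes' \
      'FORCESMARTCARD=no' \
      'PASSWDALGORITHM=sha512' \
      'USELDAPAUTH=yes' \
      'USEPASSWDQC=no' \
      'IPAV2NONTP=no' \
      'USELOCAUTHORIZE=yes' \
      'USECRACKLIB=yes' \
      'USEIPAV2=no' \
      'USEWINBINDAUTH=no' \
      'USESMARTCARD=no' \
      'USELDAP=yes' \
      'USENIS=no' \
      'USEKERBEROS=no' \
      'USESYSNETAUTH=no' \
      'USESSSD=no' \
      'USEHESIOD=no' \
      'USEMD5=yes' \
      'FORCELEGACY=no' \
      > /etc/sysconfig/authconfig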
    
    pam 认证
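    # pam_ldap.conf is read by pam_ldap.so (used in the system-auth stack below).
    [ -e /etc/pam_ldap.conf.old ] || cp /etc/pam_ldap.conf /etc/pam_ldap.conf.old

    # Fixes versus the original:
    #  - the two sed calls lacked -i, so they only printed to stdout and the
    #    stock host/base lines were never commented out;
    #  - "host=192.168.85.129" is not this file's syntax; keyword and value are
    #    separated by a space, exactly like the base and uri lines beside it.
    # The whole edit is guarded so a re-run does not comment out and re-append
    # its own lines.
    # NOTE(review): no TLS here; on a real network set "ssl start_tls" (or an
    # ldaps:// uri) together with "tls_checkpeer yes".
    if ! grep -q '^uri ldap://dev\.com$' /etc/pam_ldap.conf; then
      sed -i 's/^host/#&/;s/^base/#&/;s/^uri/#&/' /etc/pam_ldap.conf
      printf '%s\n' 'host 192.168.85.129' 'base dc=dev,dc=com' 'uri ldap://dev.com' \
        >> /etc/pam_ldap.conf
    fi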
    
    nslcd 服务
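    # nslcd is the daemon that actually talks to the LDAP server for NSS lookups.
    [ -e /etc/nslcd.conf.old ] || cp /etc/nslcd.conf /etc/nslcd.conf.old

    # The stock nslcd.conf may already carry active uri/base lines; a plain
    # append would leave both sets in force, so comment the existing ones out
    # first (the same approach the pam_ldap.conf step takes) and guard the edit
    # so it can be re-run.
    # NOTE(review): plain ldap:// again. nslcd understands "ssl start_tls" and
    # "tls_reqcert demand"; use them once the server has a certificate.
    if ! grep -q '^uri ldap://dev\.com$' /etc/nslcd.conf; then
      sed -i 's/^uri /#&/;s/^base /#&/' /etc/nslcd.conf
      printf '%s\n' 'uri ldap://dev.com' 'base dc=dev,dc=com' >> /etc/nslcd.conf
    fi
    # The file may hold a bind password, so it must stay readable by root only.
    chmod 600 /etc/nslcd.conf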
    
    
    编辑系统认证文件,保证使用LDAP来认证

    <pre>
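    # system-auth is a symlink to system-auth-ac, which authconfig regenerates;
    # hand edits survive only until the next "authconfig --update".
    [ -e /etc/pam.d/system-auth.old ] || cp /etc/pam.d/system-auth /etc/pam.d/system-auth.old

    # Fixes versus the original listing:
    #  - "cat > file <EOF" redirected stdin from a file named EOF instead of
    #    opening a heredoc; the stack is now written with printf;
    #  - the "#" lost from the three header lines is restored;
    #  - the "</b>" HTML fragments are dropped (PAM would reject them as
    #    malformed config lines).
    # NOTE(review): "nullok" on pam_unix permits empty local passwords; remove
    # it on anything that is not a lab box. pam_ldap.so takes its transport
    # security from pam_ldap.conf / nslcd.conf, not from this file.
    printf '%s\n' \
      '#%PAM-1.0' \
      '# This file is auto-generated.' \
      '# User changes will be destroyed the next time authconfig is run.' \
      'auth required pam_env.so' \
      'auth sufficient pam_fprintd.so' \
      'auth sufficient pam_unix.so nullok try_first_pass' \
      'auth requisite pam_succeed_if.so uid >= 500 quiet' \
      'auth sufficient pam_ldap.so use_first_pass' \
      'auth required pam_deny.so' \
      '' \
      'account required pam_unix.so' \
      'account sufficient pam_localuser.so' \
      'account sufficient pam_succeed_if.so uid < 500 quiet' \
      'account [default=bad success=ok user_unknown=ignore] pam_ldap.so' \
      'account required pam_permit.so' \
      '' \
      'password requisite pam_cracklib.so try_first_pass retry=3 type=' \
      'password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok' \
      'password sufficient pam_ldap.so use_authtok' \
      'password required pam_deny.so' \
      '' \
      'session optional pam_keyinit.so revoke' \
      'session required pam_limits.so' \
      'session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid' \
      'session required pam_unix.so' \
      'session optional pam_ldap.so' \
      'session required pam_mkhomedir.so skel=/etc/skel/ umask=0022' \
      > /etc/pam.d/system-auth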
    </pre>

    重启nslcd服务

    service nslcd restart
