
UbuntuHelp:AlternativeActiveDirectory/zh

From Ubuntu中文

Revision as of 18:35, 7 March 2008 (Fri) by Isbasic (talk | contribs) (Customizing Active Directory)


Active Directory from Microsoft is a directory service that uses open protocols such as Kerberos, LDAP and SSL. There are several ways to use AD for authentication, and with LDAP tools you can extend a local authentication scheme to "cache" your Active Directory credentials.


LDAP Caching

Configuration and Installation

To install an LDAP caching system you need to compile libpam-script from source and install ldap-utils. Note: you do not have to configure anything in Active Directory for LDAP caching. I have a premade deb for installing libpam-script (https://help.ubuntu.com/community/AlternativeActiveDirectory?action=AttachFile&do=get&target=libpam-script_0.1.11-1_i386.deb%29) on a Feisty system for anyone not interested in compiling their own. It was compiled with default options, and the deb file was generated automatically with checkinstall. Then you need to set up /etc/pam.d/common-auth as follows:

auth required pam_script.so runas=root expose=1
auth required pam_unix.so nullok_secure use_first_pass


Set up /etc/security/onauth:

#!/bin/bash
userid=$1
service=$2
# $3 is supposed to contain $PAM_AUTHTOK, but this guarantees the correct token is used
authtok=$PAM_AUTHTOK
# Use a private temp file instead of the predictable, world-writable /tmp/ldap
tmpfile=$(mktemp) || exit 0
# Bind to AD as the user; a successful bind returns the matching sAMAccountName
ldapsearch -h <serverip> -p <port> -D "$userid@your.domain.here" -x -w "$authtok" \
  -b "dc=your,dc=domain,dc=here" "(samaccountname=$userid)" samaccountname \
  | grep -i "^samaccountname:" | cut -f2 -d' ' > "$tmpfile"
# Only update the cached local password when AD confirmed the credentials
if [ "$(cat "$tmpfile")" == "$userid" ]; then
  usermod -p "$(mkpasswd "$authtok")" "$userid"
fi
rm -f "$tmpfile"
exit 0



This script sets the local password of any domain account to whatever the domain password is. Make sure this is what you want, because any local account will have its password changed after a successful login to the domain. Password changes must be done through other means; with this mechanism Active Directory is the final authority on passwords, and the synchronization is one way.

Local Accounts

Configure Accounts

Local accounts are necessary before any user can log in to the system. This can be done either through a local passwd file or by setting up LDAP for the Linux users. Either way, the account names have to be extracted from Active Directory to synchronize the accounts before use. The following script illustrates one way to create the users:

#!/bin/bash
# usage: makeuser <domain> <username> [details]
domain=$1
username=$2
shift 2
# Remaining arguments become the GECOS comment; home is kept per domain
useradd "$username" -c "$*" -d "/home/$domain/$username" -m


This script can be called in a loop over a list of usernames read from a file by using:

while read -r line; do sudo ./makeuser mydomain $line; done < userlist


The userlist file should be formatted similar to the following:


firstuser User, First
seconduser User, Second 2nd
thirduser User, 3rd Third details


By calling the makeuser script with a domain component, it is easier to determine at authentication time which domain the user was created from; thus this method supports multiple domains (for example using a simple getent passwd <user> and grepping/cutting the result), as long as each domain contains a unique set of users. To create the userlist file, I used a bit of LDAP querying and manipulation of the results. You can use any means you wish to get the list. Once accounts are created, you should have an automated way to recreate this list and reimport the usernames on a regular basis, so that any new accounts created in Active Directory are also reflected in your local cache. Inquiries: clay DOT berlo AT gmail DOT com
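The page leaves the creation of the userlist file to the reader. The following is an added example, not the author's own script, that turns the LDIF printed by ldapsearch into userlist lines and skips accounts that are disabled in AD (the ACCOUNTDISABLE bit, value 2, of userAccountControl); the bind DN, base DN and the LDIF sample are constructed.

```shell
#!/bin/bash
# Added example: convert ldapsearch LDIF output for AD user objects into the
# "username Display Name" lines expected by the makeuser loop. Disabled
# accounts (userAccountControl bit 2) are skipped so they are never given a
# local account.

# Constructed sample LDIF, standing in for the output of something like:
#   ldapsearch -x -h <serverip> -D "bind@your.domain.here" -w "$pw" \
#     -b "dc=your,dc=domain,dc=here" "(objectClass=user)" \
#     sAMAccountName displayName userAccountControl
SAMPLE_LDIF='# search result
dn: CN=First User,OU=Staff,DC=your,DC=domain,DC=here
sAMAccountName: firstuser
displayName: User, First
userAccountControl: 512

dn: CN=Second User,OU=Staff,DC=your,DC=domain,DC=here
sAMAccountName: seconduser
displayName: User, Second
userAccountControl: 66048

dn: CN=Old User,OU=Staff,DC=your,DC=domain,DC=here
sAMAccountName: olduser
displayName: User, Old
userAccountControl: 514
'

# ldif_to_userlist: read LDIF on stdin, print one "user details" line per
# enabled account. Each "dn:" line starts a new entry; the previous entry is
# flushed when the next one begins and at end of input.
ldif_to_userlist() {
  awk '
    function flush() {
      # int(uac/2) % 2 is bit 2 of userAccountControl (ACCOUNTDISABLE)
      if (sam != "" && int(uac / 2) % 2 == 0) print sam " " disp
      sam = ""; disp = ""; uac = 0
    }
    /^dn:/ { flush() }
    /^sAMAccountName:/ { sam = $2 }
    /^displayName:/ { sub(/^displayName: /, ""); disp = $0 }
    /^userAccountControl:/ { uac = $2 }
    END { flush() }
  '
}

# Example run: prints firstuser and seconduser, skips the disabled olduser
printf '%s' "$SAMPLE_LDIF" | ldif_to_userlist
```

Because onauth only ever copies passwords into the local cache, disabling an account in AD does not invalidate the password already cached in /etc/shadow; the job that regenerates this list should also lock or remove local accounts that have dropped out of it.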