Integrating IBM AIX and Microsoft Active Directory with Kerberos and LDAP
Published: 2016-10-09 10:12:35   Category: Unix   Source: 站长网
Why Kerberos and LDAP

LDAP works well for storing and retrieving the user attributes of AIX users, but authenticating through LDAP alone still requires the user to hold both an AIX password and an AD password. Kerberos lets AIX speak AD's native protocol and authenticate users against their Microsoft Windows password.
Test the login as an AD-defined user over Secure Shell (SSH):

    ssh aixtest@localhost

You should be able to log in. After logging in, check the AUTHSTATE environment variable and the klist output (similar to the example below) to confirm that Kerberos was used for authentication.

Sample output

    aixtest@localhost's password:
    *******************************************************************************
    *                                                                             *
    *  Welcome to AIX Version 6.1!                                                *
    *                                                                             *
    *  Please see the README file in /usr/lpp/bos for information pertinent to    *
    *  this release of the AIX Operating System.                                  *
    *                                                                             *
    *******************************************************************************
    Could not chdir to home directory /home/aixtest: The file access permissions do not allow the specified action.
    $ pwd
    /
    $ echo $AUTHSTATE
    KRB5LDAP
    $ /usr/krb5/bin/klist
    Ticket cache: FILE:/var/krb5/security/creds/krb5cc_x0000000000000001
    Default principal: aixtest@TEST.LOCAL

    Valid starting     Expires            Service principal
    01/25/13 14:02:59  01/26/13 00:02:52  krbtgt/TEST.LOCAL@TEST.LOCAL
            Renew until 01/26/13 14:02:59
    $ exit
    Connection to localhost closed.

Note: the AUTHSTATE variable should contain KRB5LDAP, and running klist should return a valid Kerberos ticket.

Sample configuration files

/etc/krb5/krb5.conf

    [libdefaults]
        default_realm = TEST.LOCAL
        default_keytab_name = FILE:/etc/krb5/krb5.keytab
        default_tkt_enctypes = arcfour-hmac
        default_tgs_enctypes = arcfour-hmac
        dns_lookup_kdc = true
        dns_lookup_realm = true
    [realms]
        TEST.LOCAL = {
            kdc = PDC1.TEST.LOCAL:88
            kdc = PDC2.TEST.LOCAL:88
            admin_server = PDC1.TEST.LOCAL:749
            master_kdc = PDC1.TEST.LOCAL
            default_domain = TEST.LOCAL
        }
    [domain_realm]
        .TEST.LOCAL = TEST.LOCAL
        TEST.LOCAL = TEST.LOCAL
        PDC1.TEST.LOCAL = TEST.LOCAL
        PDC2.TEST.LOCAL = TEST.LOCAL
        test.local = TEST.LOCAL
        .test.local = TEST.LOCAL
    [logging]
        default = SYSLOG:debug:local1

/etc/security/ldap/ldap.cfg

    ldapservers:pdc1.test.local
    binddn:CN=AIX Service,OU=AIX,DC=test,DC=local
    bindpwd:{DESv2}AAAAAAAAAAAABBBBBBBBBBCCCCCCCCCCCDDDDDDDDDDEEEEEEEEEEEE
    authtype:unix_auth
    useSSL:no
    userattrmappath:/etc/security/ldap/sfur2user.map
    groupattrmappath:/etc/security/ldap/sfur2group.map
    userbasedn:OU=AIX,DC=test,DC=local
    groupbasedn:OU=AIX,DC=test,DC=local
    userclasses:user,person,organizationalperson
    groupclasses:group
    ldapport:389
    searchmode:ALL
    defaultentrylocation:LDAP
    serverschematype:sfur2

/etc/methods.cfg

    LDAP:
        program = /usr/lib/security/LDAP
        program_64 = /usr/lib/security/LDAP64

    NIS:
        program = /usr/lib/security/NIS
        program_64 = /usr/lib/security/NIS_64

    DCE:
        program = /usr/lib/security/DCE

    KRB5:
        program = /usr/lib/security/KRB5
        program_64 = /usr/lib/security/KRB5_64
        options = authonly,is_kadmind_compat=no,tgt_verify=no,allow_expired_pwd=yes

    KRB5LDAP:
        options = auth=KRB5,db=LDAP
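The verification the article describes (AUTHSTATE and klist) and the three sample files lend themselves to an automated post-integration check. The POSIX shell script below is an added example, not code from the article or from IBM: it checks the AUTHSTATE value, looks for a TGT for the realm in klist output, and flags settings in the sample configuration that a defender would want to revisit: arcfour-hmac (RC4) as the Kerberos encryption type, useSSL:no with a simple bind on port 389 (the bind DN's password and every user lookup cross the network in cleartext), tgt_verify=no (the TGT is accepted without being checked against the host keytab), and allow_expired_pwd=yes. The function names and the sample inputs (cut-down copies of the article's files plus a klist extract in the article's format) are constructed for this example; the paths, realm and option names are the article's.

```shell
#!/bin/sh
# Added example (not code from the article or from IBM): post-integration checks
# for an AIX host that logs users in through the KRB5LDAP module.
# Function names are constructed for this example; the paths, realm and option
# names come from the article's sample files.
set -u

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# --- constructed sample inputs (cut-down copies of the article's files) -----
cat > "$SAMPLE_DIR/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = TEST.LOCAL
    default_tkt_enctypes = arcfour-hmac
    default_tgs_enctypes = arcfour-hmac
EOF

cat > "$SAMPLE_DIR/ldap.cfg" <<'EOF'
ldapservers:pdc1.test.local
binddn:CN=AIX Service,OU=AIX,DC=test,DC=local
useSSL:no
ldapport:389
EOF

cat > "$SAMPLE_DIR/methods.cfg" <<'EOF'
KRB5:
    program = /usr/lib/security/KRB5
    options = authonly,is_kadmind_compat=no,tgt_verify=no,allow_expired_pwd=yes

KRB5LDAP:
    options = auth=KRB5,db=LDAP
EOF

# Constructed klist extract in the shape the article's output shows.
cat > "$SAMPLE_DIR/klist.out" <<'EOF'
Default principal: aixtest@TEST.LOCAL
Valid starting     Expires            Service principal
01/25/13 14:02:59  01/26/13 00:02:52  krbtgt/TEST.LOCAL@TEST.LOCAL
EOF

# --- checks ------------------------------------------------------------------

# The login must have gone through the combined module: AUTHSTATE is KRB5LDAP.
authstate_ok() {
    [ "$1" = "KRB5LDAP" ]
}

# A ticket-granting ticket for realm $2 must appear in the klist output in file $1.
klist_has_tgt() {
    grep -q "krbtgt/$2@$2" "$1"
}

# krb5.conf ($1): flag RC4 (arcfour-hmac) as the default ticket/TGS encryption type.
audit_krb5_conf() {
    sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//' "$1" | awk -F'=' '
        /^default_tkt_enctypes|^default_tgs_enctypes/ && $2 ~ /arcfour/ {
            key = $1; gsub(/[ \t]/, "", key)
            printf "krb5.conf: %s selects RC4 (arcfour-hmac); prefer AES where the DCs support it\n", key
        }'
}

# ldap.cfg ($1): a simple bind without SSL sends the bind DN password in cleartext.
audit_ldap_cfg() {
    awk -F':' '
        $1 == "useSSL"   { ssl = $2 }
        $1 == "ldapport" { port = $2 }
        END {
            p = (port == "") ? "389" : port
            if (ssl != "yes")
                print "ldap.cfg: useSSL is not yes; bind password and lookups cross the network in cleartext on port " p
        }' "$1"
}

# methods.cfg ($1): per-stanza options that weaken the Kerberos module.
audit_methods_cfg() {
    awk '
        /^[A-Za-z0-9_]+:[ \t]*$/ { stanza = $0; sub(/:.*/, "", stanza); next }
        /^[ \t]*options[ \t]*=/ {
            if ($0 ~ /tgt_verify=no/)
                printf "methods.cfg [%s]: tgt_verify=no, the TGT is not checked against the host keytab\n", stanza
            if ($0 ~ /allow_expired_pwd=yes/)
                printf "methods.cfg [%s]: allow_expired_pwd=yes, expired AD passwords still log in\n", stanza
        }' "$1"
}

# Total number of findings across the three files ($1 krb5.conf, $2 ldap.cfg, $3 methods.cfg).
count_findings() {
    { audit_krb5_conf "$1"; audit_ldap_cfg "$2"; audit_methods_cfg "$3"; } | wc -l | tr -d ' '
}

# --- run against the constructed inputs (a live run would use the real paths) ---
if klist_has_tgt "$SAMPLE_DIR/klist.out" TEST.LOCAL; then
    echo "ok: TGT for TEST.LOCAL present"
fi
audit_krb5_conf "$SAMPLE_DIR/krb5.conf"
audit_ldap_cfg "$SAMPLE_DIR/ldap.cfg"
audit_methods_cfg "$SAMPLE_DIR/methods.cfg"
echo "$(count_findings "$SAMPLE_DIR/krb5.conf" "$SAMPLE_DIR/ldap.cfg" "$SAMPLE_DIR/methods.cfg") settings to review"
```

On a live host, point the audit functions at /etc/krb5/krb5.conf, /etc/security/ldap/ldap.cfg and /etc/methods.cfg, and pass the AUTHSTATE value read from an AD user's login shell to authstate_ok. The findings are a review list rather than a verdict: older domain controllers may still require RC4, and tgt_verify can only be switched on once the host's own principal key is present in the keytab named by default_keytab_name.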