openLDAP 構築(40) - Vine 2.6 クライアント設定(2)


メモ ファイル編集


  1. /etc/ldap.conf
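    # pam_ldap / nss_ldap client configuration.
    # Only lines that BEGIN with '#' are comments in this file.  The original
    # listing carried an inline comment after the host list; nss_ldap/pam_ldap
    # take the rest of the line as the value, so that text would have been read
    # as a third (bogus) server name.  The comment now lives on its own line.
    #
    # LDAP servers (IP address or host name), space separated, tried in order.
    host 10.1.1.15 10.1.1.16
    base dc=examples,dc=com
    # Subtree that sudo (sudo-ldap) searches for sudoRole entries.
    sudoers_base ou=SUDOers,dc=examples,dc=com
    # Search, bind and idle-connection limits, in seconds.
    timelimit 120
    bind_timelimit 120
    idle_timelimit 3600
    # Only posixAccount entries may log in; the login name is matched on uid.
    pam_filter objectclass=posixAccount
    pam_login_attribute uid
    # pam_password md5: pam_ldap hashes the new password itself as {MD5} before
    # writing userPassword.  {MD5} is unsalted; "pam_password exop" lets slapd
    # apply its own (salted) scheme -- confirm the server supports the Password
    # Modify extended operation before switching.
    pam_password md5
    # NOTE(review): nothing in this file turns on TLS, so the PAM bind (the
    # user's password) goes to port 389 in clear text.  The TLS_CACERT in
    # /etc/openldap/ldap.conf only tells libldap which CA to trust; once slapd
    # offers StartTLS, add "ssl start_tls" and "tls_checkpeer yes" here.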
    


  2. /etc/openldap/ldap.conf
    # Defaults for the OpenLDAP client library and tools (ldapsearch etc.).
    # The URI is plain ldap:// (port 389); this file does not force StartTLS,
    # the client has to request it (e.g. "ldapsearch -ZZ").
    URI ldap://test15.examples.com
    BASE dc=examples,dc=com
    # CA used to verify slapd's certificate.  cacert.pem is the copy of the
    # master's /usr/local/etc/openldap/cacerts/cacert.pem (see "CA証明書をコピー"
    # further down).  TLS_CACERT alone is sufficient; TLS_CACERTDIR also needs
    # the hashed symlinks (c_rehash) to be useful.
    # NOTE(review): TLS_REQCERT is not set.  libldap's documented default is
    # "demand", so a missing or wrong CA file makes the connection fail instead
    # of silently proceeding -- keep it that way (do not set never/allow).
    TLS_CACERTDIR /etc/openldap/cacerts
    TLS_CACERT /etc/openldap/cacerts/cacert.pem
    


  3. /etc/sysconfig/authconfig
    # /etc/sysconfig/authconfig: sourced by the authconfig tool; records which
    # backends it should enable.
    # NOTE(review): running authconfig regenerates the PAM and nsswitch files;
    # re-check the hand-edited files on this page after any authconfig run.
    USEDB=no
    USEHESIOD=no
    USELDAP=yes       # default is no: LDAP for NSS (user/group lookups)
    USENIS=no
    USEWINBIND=no
    USEKERBEROS=no
    USELDAPAUTH=yes   # default is no: LDAP for PAM authentication
    USEMD5=yes        # MD5 hashes for local passwords
    USESHADOW=yes     # keep local hashes in /etc/shadow, not /etc/passwd
    USESMBAUTH=no
    


  4. /etc/nsswitch.conf
    (省略)
    # Local files first, then LDAP: root and other local accounts keep
    # resolving even when the directory is unreachable.
    # NOTE(review): "shadow: ... ldap" makes nss_ldap fetch password hashes
    # from the directory.  /etc/ldap.conf above sets no binddn/rootbinddn, so
    # those lookups are anonymous and slapd's ACLs alone decide whether hashes
    # are exposed -- verify userPassword is not anonymously readable.
    passwd:     files ldap
    shadow:     files ldap
    group:      files ldap
    (省略)
    



メモ PAM 設定ファイル編集


  • system-auth を使用しない例です(su は除く)。
  • pam_unix.so よりも pam_ldap.so が先に読まれるようにしています。注意: auth で pam_ldap.so を sufficient として先に置くと、ローカルアカウント(root を含む)と同じ uid を持つエントリが LDAP 側に存在した場合、/etc/shadow を参照する前に LDAP 側のパスワードで認証が成立します。ディレクトリへの書き込み権限を厳密に管理するか、ローカル管理アカウントについては pam_unix を先に評価する構成を検討してください。

  1. /etc/pam.d/sshd
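    #%PAM-1.0
    # sshd PAM stack with pam_ldap consulted before the local modules (this
    # page deliberately does not go through pam_stack/system-auth here).
    #
    # NOTE: the original listing showed "¥" at the end of the continued
    # account line; that is how a 0x5C backslash renders in JIS fonts.  PAM
    # needs a literal "\" for line continuation, otherwise the second half of
    # that rule is parsed as a separate, malformed entry.
    auth       required     /lib/security/pam_nologin.so
    # sufficient: a successful LDAP bind ends the auth stack, so an LDAP entry
    # whose uid matches a local account is authenticated before /etc/shadow
    # is consulted.
    auth       sufficient   /lib/security/pam_ldap.so
    auth       required     /lib/security/pam_unix_auth.so try_first_pass
    
    # Account check: "no such LDAP user" and "server unreachable" are ignored
    # so local accounts keep working; only an explicit LDAP denial
    # (expired/locked entry) fails the login.
    account    [default=bad success=ok user_unknown=ignore service_err=ignore \
    system_err=ignore authinfo_unavail=ignore] /lib/security/pam_ldap.so
    account    required     /lib/security/pam_unix_acct.so
    
    password   required     /lib/security/pam_cracklib.so retry=3 type=
    # use_authtok added: without it pam_ldap can prompt for its own new
    # password, sidestepping the cracklib check above.  The passwd and sudo
    # stacks on this page already pass use_authtok.
    password   sufficient   /lib/security/pam_ldap.so use_authtok
    password   required     /lib/security/pam_pwdb.so use_first_pass
    
    # Home directory is created on first login from /etc/skel.  umask=0022
    # leaves it world-readable; use umask=0077 if home contents should be
    # private.
    session    required     /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
    session    required     /lib/security/pam_unix_session.so
    session    optional     /lib/security/pam_ldap.so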
    


  2. /etc/pam.d/passwd
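    #%PAM-1.0
    # passwd: change the password in LDAP when the user has an entry there,
    # otherwise locally.
    auth       sufficient   /lib/security/pam_ldap.so
    auth       required     /lib/security/pam_unix_auth.so use_first_pass
    
    account    sufficient   /lib/security/pam_ldap.so
    account    required     /lib/security/pam_unix_acct.so
    
    # Strength check: at least 8 characters including at least one digit.
    # NOTE: the original listing showed "¥" at the end of this continued line
    # (JIS rendering of 0x5C); PAM needs a literal "\" or the second half is
    # read as a separate, malformed rule.
    password    required      /lib/security/pam_cracklib.so minlen=8 \
    dcredit=-1 ucredit=0 lcredit=0 ocredit=0 retry=3 type=
    # use_authtok: both modules reuse the cracklib-checked password instead of
    # prompting again, so the check above cannot be sidestepped.
    password   sufficient   /lib/security/pam_ldap.so use_authtok
    # remember=1 keeps only the previous hash (in /etc/security/opasswd);
    # raise it if password history is a requirement.
    password   sufficient   /lib/security/pam_unix.so use_authtok md5 shadow remember=1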
    


  3. /etc/pam.d/su
    # su keeps the standard system-auth stack via pam_stack -- it is the one
    # service on this page that is not switched to direct pam_ldap lines.
    auth       sufficient   /lib/security/pam_rootok.so
    # Uncomment the following line to implicitly trust users in the "wheel" group.
    #auth       sufficient   /lib/security/pam_wheel.so trust use_uid
    # Uncomment the following line to require a user to be in the "wheel" group.
    # NOTE(review): pam_wheel takes a single group= option.  Given twice, only
    # one of them takes effect (in the pam_wheel sources we know, the last,
    # i.e. "wheel"), so members of "nsadmin" alone would be refused.  Verify
    # on this system; if both groups are intended, use one group that holds
    # both sets of users.
    auth       required     /lib/security/pam_wheel.so use_uid group=nsadmin group=wheel
    auth       required     /lib/security/pam_stack.so service=system-auth
    account    required     /lib/security/pam_stack.so service=system-auth
    password   required     /lib/security/pam_stack.so service=system-auth
    session    required     /lib/security/pam_stack.so service=system-auth
    session    optional     /lib/security/pam_xauth.so
    


  4. /etc/pam.d/sudo
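    # sudo PAM stack.  LDAP is consulted first; pam_unix (the combined module,
    # not the split pam_unix_auth/acct modules used by sshd above) is the
    # local fallback.
    auth       required     /lib/security/pam_env.so
    auth       sufficient   /lib/security/pam_ldap.so
    auth       sufficient   /lib/security/pam_unix.so
    # NOTE(review): the auth stack ends on two "sufficient" lines.  It should
    # still fail when both fail, but a trailing
    # "auth required /lib/security/pam_deny.so" makes the fail-closed
    # behaviour explicit.
    
    # NOTE: the original listing showed "¥" at the end of the continued
    # account line (JIS rendering of 0x5C); PAM needs a literal "\" or the
    # second half is read as a separate, malformed rule.
    account    [default=bad success=ok user_unknown=ignore service_err=ignore \
    system_err=ignore authinfo_unavail=ignore] /lib/security/pam_ldap.so
    account    required     /lib/security/pam_unix.so
    
    password   required     /lib/security/pam_cracklib.so retry=3 type=
    # use_authtok: reuse the cracklib-checked password rather than prompting
    # again.
    password   sufficient   /lib/security/pam_ldap.so use_authtok
    password   sufficient   /lib/security/pam_unix.so use_authtok md5 shadow
    
    session    required     /lib/security/pam_limits.so
    session    optional     /lib/security/pam_ldap.so
    session    required     /lib/security/pam_unix.so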
    



メモ syslog / logrotate ファイル編集


  1. /etc/syslog.conf
    # Append the following at the end of the file.
    # Save sudo logs
    # NOTE(review): sudo only logs to local3 if sudoers says so (e.g.
    # "Defaults syslog=local3"); its usual default facility is auth/authpriv,
    # so confirm the sudoers side or this file stays empty.  Some sysklogd
    # versions also require a TAB (not spaces) between selector and action.
    local3.*                          /var/log/sudo.log
    


  2. /etc/logrotate.d/syslog
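    # All syslog-managed logs plus the new sudo.log, rotated together.
    # The original listing split the file list with a "¥" (JIS rendering of a
    # backslash) and never closed the "{" -- the missing brace alone makes
    # logrotate reject the file.  The list is kept on one line (no
    # continuation needed) and the block is closed.
    /var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron /var/log/sudo.log {
        sharedscripts
        daily
        rotate 30
        # NOTE(review): with no "create" line the rotated copies keep the
        # original file's mode and the fresh file is created by syslogd with
        # its own default; /var/log/secure and sudo.log hold authentication
        # data, so confirm neither ends up world-readable.
        postrotate
            /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
        endscript
    }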
    



メモ Default の skel ファイル編集


  1. /etc/skel/.bashrc
    # .bashrc
    # Template copied into every new home directory (from /etc/skel, or by
    # pam_mkhomedir on first LDAP login as set up in /etc/pam.d/sshd above).
    
    # User specific aliases and functions
    
    # Source global definitions
    if [ -f /etc/bashrc ]; then
            . /etc/bashrc
    fi
    
    #stty -ixon
    
    # unlimit stacksize for large array in user mode
    #ulimit -s unlimited
    
    # Refuse to overwrite existing files with ">".
    # NOTE(review): the skel .bash_profile exports BASH_ENV=$HOME/.bashrc, so
    # this file -- and this option -- is also sourced by every non-interactive
    # bash script the user runs; scripts that rely on ">" to overwrite a file
    # then fail with "cannot overwrite existing file".  If that is not
    # intended, guard it: case $- in *i*) set -o noclobber;; esac
    set -o noclobber
    
    # set aliases
    alias ls='ls -F --color=auto'
    alias ll='ls -la --color=auto'
    alias la='ls -a --color=auto'
    # prefix alias: "eng cmd" runs cmd under the C locale
    alias eng='LANG=C LANGUAGE=C LC_ALL=C'
    # interactive confirmation only; aliases are not expanded in scripts, and
    # rm on other hosts will not prompt -- do not rely on it as a safety net
    alias rm='rm -i'
    
    # user file-creation mask
    # 022 makes new files world-readable; use 077 if home contents should be
    # private (pam_mkhomedir in /etc/pam.d/sshd uses 0022 as well)
    umask 022
    


  2. /etc/skel/.bash_profile
    # .bash_profile
    # Login-shell template copied into new home directories from /etc/skel.
    
    # Get the aliases and functions
    if [ -f ~/.bashrc ]; then
        . ~/.bashrc
    fi
    
    # User specific environment and startup programs
    
    # addpath $HOME/bin
    # NOTE(review): exporting BASH_ENV makes every non-interactive bash the
    # user starts read ~/.bashrc too, so shell options set there (this skel's
    # .bashrc does "set -o noclobber") leak into scripts.  Drop the export if
    # that is not wanted.
    BASH_ENV=$HOME/.bashrc
    USERNAME=""
    
    # LESSOPEN is never assigned in this file; "export" merely marks the name
    # for export once something sets it.
    export USERNAME BASH_ENV PATH LESSOPEN
    export PATH=$PATH:/usr/local/bin
    # NOTE(review): LD_LIBRARY_PATH is honoured by every dynamically linked
    # program the user runs (set-uid binaries excepted).  Keep /usr/local/lib
    # writable by root only, or anyone who can drop a .so there can hijack the
    # user's processes.  An /etc/ld.so.conf entry plus ldconfig (the last step
    # on this page) avoids putting the path in every user's environment.
    export LD_LIBRARY_PATH=/usr/local/lib
    



メモ その他


  1. CA証明書をコピー
    マスターの
      /usr/local/etc/openldap/cacerts/cacert.pem
    をクライアントの
      /etc/openldap/cacerts
    にコピー(scp など改ざんされない経路で行い、コピー後に md5sum/sha1sum をマスター側と照合する。この CA 証明書を差し替えられるとサーバー証明書の検証が無意味になるため、クライアント側では root 以外が書き換えられないようにしておく)
    


  2. 共有ライブラリキャッシュの更新(おまじない): pam_ldap / nss_ldap が依存する libldap 等を新しく入れた場合、ldconfig でキャッシュを更新しないとモジュールの読み込みに失敗することがある
    [root]# /sbin/ldconfig
    



ここまで
