centos ldap client 设定

 centos 6.4

ldap server 位于ubuntu 12.04 Server上

1.安装

yum -y install openldap-clients nss-pam-ldapd

一个完整的配置（地址点此）：

[root@www ~]# yum -y install openldap-clients nss-pam-ldapd
[root@www ~]# vi /etc/openldap/ldap.conf
# add at the last line
# LDAP server's URI
URI ldap://10.0.0.39/
# specify Suffix
BASE dc=server,dc=world
TLS_CACERTDIR /etc/openldap/cacerts
[root@www ~]# vi /etc/nslcd.conf
# line 131: specify URI, Suffix
uri ldap://10.0.0.39/
base dc=server,dc=world
ssl no
tls_cacertdir /etc/openldap/cacerts
[root@www ~]# vi /etc/pam_ldap.conf
# line 17: make it comment
# host 127.0.0.1
# line 20: specify Suffix
base dc=server,dc=world
# add at the last line
uri ldap://10.0.0.39/
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
[root@www ~]# vi /etc/pam.d/system-auth
# add like follows
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
 auth        sufficient    pam_ldap.so use_first_pass
 auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
 account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
 account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
 password    sufficient    pam_ldap.so use_authtok
 password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
 session     optional      pam_ldap.so
# add if you need ( create home directory automatically if it's none )
session     optional      pam_mkhomedir.so skel=/etc/skel umask=077

[root@www ~]# vi /etc/nsswitch.conf
passwd:files ldap# line 33: add
shadow:files ldap# add
group:files ldap# add
netgroup:ldap# line 57: change
automount: files ldap# line 61: change
[root@www ~]# vi /etc/sysconfig/authconfig
# line 18: change
USELDAP=yes
[root@www ~]# chkconfig nslcd on 
[root@www ~]# shutdown -r now
www.server.world login: fermi# user on LDAP
Password:
Creating directory '/home/fermi'.
[fermi@www ~]$ # just logined
[fermi@www ~]$ passwd# try to change LDAP password
Changing password for user fermi.
Enter login(LDAP) password:
New password:
Retype new password:
LDAP password information changed for fermi
passwd: all authentication tokens updated successfully.