使用IBM目录服务进行Linux用户验证

o=ibm,c=cn

|-ou=csdl,o=ibm,c=cn

  |-ou=gcl,ou=csdl,o=ibm,c=cn

     |-uid=user1,ou=gcl,ou=csdl,o=ibm,c=cn

     |-uid=user2,ou=gcl,ou=csdl,o=ibm,c=cn

 

  #rpm -ivh <PathToPkgs>/openldap-2.0.23-4.rpm

  #rpm -ivh <PathToPkgs>/nss_ldap-185-1.rpm

 

      # @(#)$Id: ldap.conf,v 1.24 2001/09/20 14:12:26 lukeh Exp $

      #

      # This is the configuration file for the LDAP nameservice

      # switch library and the LDAP PAM module.

      #

      # PADL Software

      # http://www.padl.com

      #

      # Your LDAP server. Must be resolvable without using LDAP.

      #host 127.0.0.1

      

        host 192.168.0.188

      

      # The distinguished name of the search base.

      #base dc=example,dc=com

      

        base o=IBM,c=CN

      

      # Another way to specify your LDAP server is to provide an

      # uri with the server name. This allows to use

      # Unix Domain Sockets to connect to a local LDAP Server.

      #uri ldap://127.0.0.1/

      #uri ldaps://127.0.0.1/ 

      #uri ldapi://%2fvar%2frun%2fldapi_sock/

      # Note: %2f encodes the '/' used as directory separator

      # The LDAP version to use (defaults to 3

      # if supported by client library)

      #ldap_version 3

      

      # The distinguished name to bind to the server with.

      # Optional: default is to bind anonymously.

      #binddn cn=proxyuser,dc=example,dc=com

     

      # The credentials to bind with. 

      # Optional: default is no credential.

      

      # The distinguished name to bind to the server with

      # if the effective user ID is root. Password is

      # stored in /etc/ldap.secret (mode 600)

      #rootbinddn cn=manager,dc=example,dc=com

      

      # The port.

      # Optional: default is 389.

      

        port 389

      

      # The search scope.

      #scope sub

      #scope one

      #scope base

      # Search timelimit

      #timelimit 30

      # Bind timelimit

      #bind_timelimit 30

      # Idle timelimit; client will close connections

      # (nss_ldap only) if the server has not been contacted

      # for the number of seconds specified below.

      #idle_timelimit 3600

      

      # Filter to AND with uid=%s

      

        pam_filter objectclass=posixAccount

      

      # The user ID attribute (defaults to uid)

      

        pam_login_attribute uid

      

      # Search the root DSE for the password policy (works

      # with Netscape Directory Server)

      #pam_lookup_policy yes

      # Check the 'host' attribute for access control

      # Default is no; if set to yes, and user has no

      # value for the host attribute, and pam_ldap is

      # configured for account management (authorization)

      # then the user will not be allowed to login.

      #pam_check_host_attr yes

      # Group to enforce membership of

      #pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com

      # Group member attribute

      #pam_member_attribute uniquemember

      # Specify a minium or maximum UID number allowed

      #pam_min_uid 0

      #pam_max_uid 0

      # Template login attribute, default template user

      # (can be overriden by value of former attribute

      # in user's entry)

      #pam_login_attribute userPrincipalName

      #pam_template_login_attribute uid

      #pam_template_login nobody

      # HEADS UP: the pam_crypt, pam_nds_passwd,

      # and pam_ad_passwd options are no

      # longer supported.

      

      # Do not hash the password at all; presume

      # the directory server will do it, if

      # necessary. This is the default.

      #pam_password md5

     

        pam_password clear

      ssl no

      ... 

      ... 



      

  

  #mkdir /home/user1

  #cp /etc/skel/.* /home/user1

  #chown -R user1:user1 /home/user1