Excerpt from the ldap.conf file:
> binddn cn=ottoman,o=turkiye,c=server
> bindpw fedora
 
Excerpt from the slapd.conf file:
 
> rootdn "cn=ottoman,o=turkiye,c=server"
> rootpw matrix

Above, the password of the privileged user that will run ldapsearch is not the
same as the password defined for that user on the LDAP server. You need to fix
this.
 
I don't know how things work on Linux, but this will not work without
"pam_ldap", or more precisely "pam_ldap.so". It may come inside the "nss_ldap"
package, but normally the two are separate. Please check this.
 
It would be good if you then reported the result of a small test..
 
sh # ldapsearch -x -D "cn=ottoman,o=turkiye,c=server" -s sub \
       -b "o=turkiye,c=server" -W
 
With this command you will search under "o=turkiye,c=server". It will ask you
for a password. Use the "fedora" password you specified in your "ldap.conf"
file.. At least that will clear up the wrong-password question we have in our
heads..
 
If you can see the user you created in the output of the command above, also
run the command below..
 
sh # ldapsearch -x -D "cn=ottoman,o=turkiye,c=server" -s sub \
       -b "o=turkiye,c=server" -W  "posixAccount=XXXX_KULLANICISI"
 
The basic logic is this... If you can query correctly with the "ldapsearch"
command, the "ldap.conf" file is configured according to those query criteria
(the parameters you gave). Don't get me wrong, I want to put it this way (I
don't know how to say it more accurately, apologies in advance): the
"ldap.conf" file is not written arbitrarily.. It must be written according to a
specific query method. While querying, everything must be examined carefully.
For example, a user who can query on a DN may not be able to query on
"posixAccount". Things like this are very important. If you can directly see
the user's environment (attributes) in the "ldapsearch" query, the query
command and its parameters must be entered into the "ldap.conf" file
accordingly..
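An added check for the password mismatch noted above and for the relationship between ldap.conf and slapd.conf explained in this paragraph (example code, not from the thread): it parses the two file excerpts quoted in this thread and reports the conditions worth clearing before ldapsearch is even tried. The excerpts are constructed from the quoted files, and the hashed-rootpw regex and finding texts are the example's own assumptions.

```python
import re

# Constructed excerpts of the two files quoted in this thread; not the poster's real files.
LDAP_CONF = """\
host 127.0.0.1
base o=turkiye,c=server
binddn cn=ottoman,o=turkiye,c=server
bindpw fedora
"""
SLAPD_CONF = """\
database bdb
suffix "o=turkiye,c=server"
rootdn "cn=ottoman,o=turkiye,c=server"
# Cleartext passwords, especially for the rootdn, should be avoided.
rootpw matrix
"""

def parse_conf(text):
    """Return {directive: value} for 'directive value' lines; drops comments and quotes."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            conf[parts[0].lower()] = parts[1].strip().strip('"')
    return conf

def norm_dn(dn):
    """Case- and whitespace-insensitive form of a DN, for comparison only."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def audit(ldap_conf_text, slapd_conf_text):
    """Return the findings a pam_ldap/nss_ldap client setup should clear before ldapsearch."""
    client = parse_conf(ldap_conf_text)
    server = parse_conf(slapd_conf_text)
    findings = []
    rootpw = server.get("rootpw", "")
    hashed = bool(re.match(r"\{[A-Z0-9]+\}", rootpw))  # assumed form of a slappasswd hash
    if "binddn" in client and "rootdn" in server and norm_dn(client["binddn"]) == norm_dn(server["rootdn"]):
        findings.append("binddn is the rootdn: anyone who can read ldap.conf gets full directory write access")
    if "bindpw" in client and rootpw and not hashed and client["bindpw"] != rootpw:
        findings.append("bindpw does not match rootpw: the client bind fails, so lookups return nothing")
    if rootpw and not hashed:
        findings.append("rootpw is cleartext: generate a {SSHA} hash with slappasswd")
    return findings

if __name__ == "__main__":
    for finding in audit(LDAP_CONF, SLAPD_CONF):
        print("FINDING:", finding)
```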
 
The user's environment should look like the following.. (Taken from a Windows
2003 Active Directory Server with a FreeBSD client.)
 
accountExpires: 9223372036854775807
badPasswordTime: 128482882043593750
badPwdCount: 0
codePage: 0
cn: mcelik
countryCode: 0
displayName: mcelik
givenName: mcelik
instanceType: 4
lastLogoff: 0
lastLogon: 128483301761718750
logonCount: 12
distinguishedName: CN=mcelik,CN=Users,DC=xxxxx,DC=xxxxx
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=xxxxx,DC=xxxxx
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectGUID:: 6GfZ4IKSp0iRIIeVNF5aFQ==
objectSid:: AQUAAAAAAAUVAAAASyy8Gt3o5BxDFwoyXQQAAA==
pwdLastSet: 128482686877500000
primaryGroupID: 513
name: mcelik
sAMAccountName: mcelik
sAMAccountType: 805306368
msSFUGidNumber: 10003
msSFUHomeDirectory: /home/mcelik
msSFULoginShell: /bin/sh
msSFUName: mcelik
msSFUNisDomain: winnet
msSFUPassword: XXXXXXXXXXXXXXXXXXXXXX
msSFUUidNumber: 10003
userAccountControl: 66048
userPrincipalName: [EMAIL PROTECTED]: 3602
uSNCreated: 3596
whenChanged: 20080223193149.0Z
whenCreated: 20080223193127.0Z

As the output of a UNIX LDAP server it should look like this.. (FreeBSD LDAP Server)
 
uid: mcelik
gidNumber: 1001
uidNumber: 1001
loginShell: /bin/sh
gecos: LDAP User
cn: mcelik
homeDirectory: /usr/home/mcelik/
userPassword: XXXXXXXXXXXXXXXXXXXXXXX
 
If you have not dealt with AAA (Authentication, Authorization, Accounting)
matters before, going straight into LDAP may feel a bit heavy. I recommend
researching and learning it thoroughly. As a suggestion, you could manage any
service over LDAP. For example, you could make the Vpopmail application written
for Qmail talk to LDAP. At that point you will have done only the
Authentication part of AAA.. After grasping these subjects, you should get into
the AAA matter.. Because it is very complicated !!
 
 
Good luck with your work..
-- Mehmet CELIK

> Date: Sun, 24 Feb 2008 13:34:31 +0200
> From: [EMAIL PROTECTED]
> To: [email protected]
> Subject: [FreeBSD] Openldap configuration
>
> Hello, I thank Mr. Mehmet Celik for his answers to my first question about
> the openldap configuration. I am pasting the files you asked for.
>
> Note: only the active lines.
>
> nsswitch.conf
>
> passwd: files ldap
> shadow: files ldap
> group: files ldap
> bootparams: nisplus [NOTFOUND=return] files
> ethers: files
> netmasks: files
> networks: files
> protocols: files ldap
> rpc: files
> services: files ldap
> netgroup: files ldap
> publickey: nisplus
> automount: files ldap
> aliases: files nisplus
>
> ldap.conf
>
> host 127.0.0.1
> base o=turkiye,c=server
> binddn cn=ottoman,o=turkiye,c=server
> bindpw fedora
> scope sub
> timelimit 10
> bind_timelimit 10
> idle_timelimit 3600
> nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon
> uri ldap://127.0.0.1/
> ssl no
> tls_cacertdir /etc/openldap/cacerts
> pam_password md5
>
> PAM login file
>
> #%PAM-1.0
> auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
> auth include system-auth
> account required pam_nologin.so
> account include system-auth
> password include system-auth
> # pam_selinux.so close should be the first session rule
> session required pam_selinux.so close
> session include system-auth
> session required pam_loginuid.so
> session optional pam_console.so
> # pam_selinux.so open should only be followed by sessions to be executed in the user context
> session required pam_selinux.so open
> session optional pam_keyinit.so force revoke
> session optional pam_ck_connector.so
>
> PAM system-auth
>
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required pam_env.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth sufficient pam_ldap.so use_first_pass
> auth required pam_deny.so
>
> account required pam_unix.so broken_shadow
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 500 quiet
> account [default=bad success=ok user_unknown=ignore] pam_ldap.so
> account required pam_permit.so
>
> password requisite pam_cracklib.so try_first_pass retry=3
> password sufficient pam_unix.so md5 nullok try_first_pass use_authtok
> password sufficient pam_ldap.so use_authtok
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
> session optional pam_ldap.so
>
> slapd.conf
>
> # Allow self write access
> # Allow authenticated users read access
> # Allow anonymous users to authenticate
> # Directives needed to implement policy:
> # access to dn.base="" by * read
> # access to dn.base="cn=Subschema" by * read
> # access to *
> #   by self write
> #   by users read
> #   by anonymous auth
> #
> # if no access controls are present, the default policy
> # allows anyone and everyone to read anything but restricts
> # updates to rootdn. (e.g., "access to * by * read")
> #
> # rootdn can always read and write EVERYTHING!
>
> #######################################################################
> # ldbm and/or bdb database definitions
> #######################################################################
>
> database bdb
> suffix "o=turkiye,c=server"
> rootdn "cn=ottoman,o=turkiye,c=server"
> # Cleartext passwords, especially for the rootdn, should
> # be avoided. See slappasswd(8) and slapd.conf(5) for details.
> # Use of strong authentication encouraged.
> rootpw matrix
> # rootpw {MD5}4Rxxi5niaxyotF8t9FXHCw==
>
> # The database directory MUST exist prior to running slapd AND
> # should only be accessible by the slapd and slap tools.
> # Mode 700 recommended.
> directory /var/lib/ldap
>
> Are ldapsearch and similar client tools available? I am trying to use a tool
> called GQ.
>
> nss_ldap is installed but pam_ldap is not; when I search, only nss_ldap comes
> up.
>
> Thank you again for your interest. I want to learn a subject I do not know
> well; I also went to a course, but the LDAP subject was not covered well.
> Thanks.