自作クラスタ計算機:openldapを使ったldapサーバの基本設定
Differences
This shows you the differences between two versions of the page.
| Both sides previous revisionPrevious revisionNext revision | Previous revision | ||
| 自作クラスタ計算機:openldapを使ったldapサーバの基本設定 [2026/05/11 19:23] – [ユーザーの追加] koudai | 自作クラスタ計算機:openldapを使ったldapサーバの基本設定 [2026/05/13 14:04] (current) – [SSSD] koudai | ||
|---|---|---|---|
| Line 191: | Line 191: | ||
| ====== 計算ノードでの作業 ====== | ====== 計算ノードでの作業 ====== | ||
| + | |||
| + | < | ||
| + | $ apt install libnss-ldapd libpam-ldapd ldap-utils | ||
| + | </ | ||
| + | |||
| + | * LDAP server URI: ldap:// | ||
| + | * LDAP server search base: dc=cluster, | ||
| + | * Name services to configure: passwd, group, shadow, hosts (スペースキーでチェックを入れられます) | ||
| + | |||
| + | ユーザーがいるか確認 | ||
| + | |||
| + | < | ||
| + | $ getent passwd taro | ||
| + | taro: | ||
| + | </ | ||
| + | |||
| + | |||
| + | 参考 | ||
| + | |||
| + | |||
| + | https:// | ||
| + | |||
| + | https:// | ||
| + | |||
| + | |||
| + | |||
| + | |||
| + | |||
| + | ====== SSSD ====== | ||
| + | |||
| 必要なパッケージのインストール | 必要なパッケージのインストール | ||
| Line 206: | Line 236: | ||
| [sssd] | [sssd] | ||
| services = nss, pam | services = nss, pam | ||
| - | domains = cluster.home.arpa | + | config_file_version = 2 |
| + | domains = default | ||
| - | [domain/cluster.home.arpa] | + | [domain/default] |
| id_provider = ldap | id_provider = ldap | ||
| auth_provider = ldap | auth_provider = ldap | ||
| - | ldap_uri = ldap:// | + | ldap_uri = ldap:// |
| ldap_search_base = dc=cluster, | ldap_search_base = dc=cluster, | ||
| - | # ユーザーとグループの場所 | + | # ユーザー・グループの場所 |
| - | ldap_user_search_base = ou=People, | + | ldap_user_search_base = ou=people, |
| - | ldap_group_search_base = ou=Groups, | + | ldap_group_search_base = ou=groups, |
| # 認証 | # 認証 | ||
| ldap_default_bind_dn = cn=admin, | ldap_default_bind_dn = cn=admin, | ||
| - | ldap_default_authtok = 【LDAPのパスワード】 | + | ldap_default_authtok = LDAPをインストールした際に設定したパスワード |
| - | # ホームディレクトリ | + | # TLS |
| - | ldap_user_home_directory | + | ldap_id_use_start_tls |
| + | ldap_tls_reqcert = never | ||
| + | ldap_auth_disable_tls_never_use_in_production = true | ||
| </ | </ | ||
| Line 285: | Line 318: | ||
| </ | </ | ||
| + | |||
| + | |||
| + | === memo === | ||
| + | |||
| + | < | ||
| + | # | ||
| + | # / | ||
| + | # | ||
| + | # This file is included from other service-specific PAM config files, | ||
| + | # and should contain a list of the authorization modules that define | ||
| + | # the central access policy for use on the system. | ||
| + | # only deny service to users whose accounts are expired in / | ||
| + | # | ||
| + | # As of pam 1.0.1-6, this file is managed by pam-auth-update by default. | ||
| + | # To take advantage of this, it is recommended that you configure any | ||
| + | # local modules either before or after the default block, and use | ||
| + | # pam-auth-update to manage selection of other modules. | ||
| + | # pam-auth-update(8) for details. | ||
| + | # | ||
| + | |||
| + | # here are the per-package modules (the " | ||
| + | account [success=ok new_authtok_reqd=done default=ignore] pam_ldap.so | ||
| + | account required pam_unix.so | ||
| + | # here's the fallback if no module succeeds | ||
| + | account requisite pam_deny.so | ||
| + | # prime the stack with a positive return value if there isn't one already; | ||
| + | # this avoids us returning an error just because nothing sets a success code | ||
| + | # since the modules above will each just jump around | ||
| + | account required pam_permit.so | ||
| + | # and here are more per-package modules (the " | ||
| + | account [success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad] pam_ldap.so minimum_uid=1000 | ||
| + | # end of pam-auth-update config | ||
| + | |||
| + | </ | ||
自作クラスタ計算機/openldapを使ったldapサーバの基本設定.1778494989.txt.gz · Last modified: 2026/05/11 19:23 by koudai