自作クラスタ計算機:openldapを使ったldapサーバの基本設定 (Home-built cluster computer: basic setup of an LDAP server using OpenLDAP)
Differences
This shows you the differences between two versions of the page.
| 自作クラスタ計算機:openldapを使ったldapサーバの基本設定 [2026/05/11 19:25] – koudai | 自作クラスタ計算機:openldapを使ったldapサーバの基本設定 [2026/05/13 14:04] (current) – [SSSD] koudai | ||
|---|---|---|---|
| Line 191: | Line 191: | ||
| ====== 計算ノードでの作業 ====== | ====== 計算ノードでの作業 ====== | ||
| + | |||
| + | < | ||
| + | $ apt install libnss-ldapd libpam-ldapd ldap-utils | ||
| + | </ | ||
| + | |||
| + | * LDAP server URI: ldap:// | ||
| + | * LDAP server search base: dc=cluster, | ||
| + | * Name services to configure: passwd, group, shadow, hosts (スペースキーでチェックを入れられます) | ||
| + | |||
| + | ユーザーがいるか確認 | ||
| + | |||
| + | < | ||
| + | $ getent passwd taro | ||
| + | taro: | ||
| + | </ | ||
| + | |||
| + | |||
| + | 参考 | ||
| + | |||
| + | |||
| + | https:// | ||
| + | |||
| + | https:// | ||
| + | |||
| + | |||
| + | |||
| + | |||
| + | |||
| + | ====== SSSD ====== | ||
| + | |||
| 必要なパッケージのインストール | 必要なパッケージのインストール | ||
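Review bot: the new block sets up nslcd (libnss-ldapd / libpam-ldapd) for passwd, group, shadow and hosts on the compute node, while the same page also carries a "SSSD" section for the same node; it should state whether nslcd and sssd are alternatives or meant to coexist, because listing both backends for passwd/group in nsswitch.conf gives double lookups and makes it unclear which backend a failed login actually went through. Two details deserve a sentence each: the server URI is entered with the plain `ldap://` scheme and the debconf prompts shown offer no TLS choice, so say whether StartTLS is configured in /etc/nslcd.conf or whether the cluster network is treated as trusted; and enabling the `shadow` map means nslcd will query shadow/`userPassword` attributes for every user, which only works (and is only acceptable) if the server ACLs grant the nslcd bind identity read access to exactly those attributes and nothing more.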
| Line 222: | Line 252: | ||
| # 認証 | # 認証 | ||
| ldap_default_bind_dn = cn=admin, | ldap_default_bind_dn = cn=admin, | ||
| - | ldap_default_authtok = admin_password | + | ldap_default_authtok = LDAPをインストールした際に設定したパスワード |
| - | # パスワード | + | # TLS |
| + | ldap_id_use_start_tls = false | ||
| ldap_tls_reqcert = never | ldap_tls_reqcert = never | ||
| - | + | ldap_auth_disable_tls_never_use_in_production | |
| - | # UID/GID | + | |
| - | enumerate | + | |
| </ | </ | ||
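Review bot: this hunk keeps the node bound as `cn=admin` (the directory administrator) with its password stored in `ldap_default_authtok`, and adds `ldap_id_use_start_tls = false` plus an option whose own name reads `ldap_auth_disable_tls_never_use_in_production`, next to the retained `ldap_tls_reqcert = never`. Taken together, every compute node holds the directory admin credential in a file and sends it, and users' passwords at login, over unencrypted LDAP. Suggest (1) a dedicated read-only bind DN for SSSD instead of cn=admin, (2) enabling StartTLS with `ldap_tls_cacert` pointing at the server's CA certificate and dropping `ldap_tls_reqcert = never`, or at minimum a sentence stating that the no-TLS settings are for an isolated cluster network only, and (3) a reminder that sssd.conf must stay root-owned with mode 0600 now that it carries a password (sssd refuses to start when the file is more permissive). Replacing the literal password with a description in the page text is a good change; a placeholder such as `<password>` would make it clearer that the line is not to be copied verbatim.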
| Line 289: | Line 318: | ||
| </ | </ | ||
| + | |||
| + | |||
| + | === memo === | ||
| + | |||
| + | < | ||
| + | # | ||
| + | # / | ||
| + | # | ||
| + | # This file is included from other service-specific PAM config files, | ||
| + | # and should contain a list of the authorization modules that define | ||
| + | # the central access policy for use on the system. | ||
| + | # only deny service to users whose accounts are expired in / | ||
| + | # | ||
| + | # As of pam 1.0.1-6, this file is managed by pam-auth-update by default. | ||
| + | # To take advantage of this, it is recommended that you configure any | ||
| + | # local modules either before or after the default block, and use | ||
| + | # pam-auth-update to manage selection of other modules. | ||
| + | # pam-auth-update(8) for details. | ||
| + | # | ||
| + | |||
| + | # here are the per-package modules (the " | ||
| + | account [success=ok new_authtok_reqd=done default=ignore] pam_ldap.so | ||
| + | account required pam_unix.so | ||
| + | # here's the fallback if no module succeeds | ||
| + | account requisite pam_deny.so | ||
| + | # prime the stack with a positive return value if there isn't one already; | ||
| + | # this avoids us returning an error just because nothing sets a success code | ||
| + | # since the modules above will each just jump around | ||
| + | account required pam_permit.so | ||
| + | # and here are more per-package modules (the " | ||
| + | account [success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad] pam_ldap.so minimum_uid=1000 | ||
| + | # end of pam-auth-update config | ||
| + | |||
| + | </ | ||
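Review bot: as shown, the memo's account stack denies every login. The primary line `account [success=ok new_authtok_reqd=done default=ignore] pam_ldap.so` and the following `account required pam_unix.so` never jump over `account requisite pam_deny.so`, so pam_deny is always reached and, being requisite, ends the stack with a failure; the stock Debian primary block uses a `success=N` jump precisely so that a successful module skips the deny line. The page should say whether this memo records a broken state that was encountered or a configuration intended for use; if the latter, either restore the `success=N` jump in the primary block or keep only the pam-auth-update-generated additional line `account [... default=bad] pam_ldap.so minimum_uid=1000`. Two further points: the file's own header says pam-auth-update rewrites everything between the per-package markers, so a hand-added line inside that block will not survive the next run and should live outside it; and the first pam_ldap line lacks `minimum_uid=1000`, so it also sends LDAP account queries for local system accounts such as root on every login.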
自作クラスタ計算機/openldapを使ったldapサーバの基本設定.1778495119.txt.gz · Last modified: 2026/05/11 19:25 by koudai
