Enable nss_ldap in FreeBSD
Jui-Nan Lin's Blog, https://jnlin.org (author: jnlin, https://jnlin.org/author/jnlin/)

Install ports/net/nss_ldap, dropping the patch below into the port's files/ directory first so that it is applied during the build:
<blockquote><code><pre>
# cd /usr/ports/net/nss_ldap
# cat > files/patch-shadow &lt;&lt;EOF
--- ldap-pwd.c.orig	Sat Oct 16 22:22:29 2004
+++ ldap-pwd.c	Sun Oct 17 12:45:08 2004
@@ -92,19 +92,19 @@
   size_t tmplen;
   char *tmp;
 
-  if (_nss_ldap_oc_check (ld, e, "shadowAccount") == NSS_SUCCESS)
-    {
-      /* don't include password for shadowAccount */
-      if (buflen < 3)
-	return NSS_TRYAGAIN;
-
-      pw->pw_passwd = buffer;
-      strcpy (buffer, "x");
-      buffer += 2;
-      buflen -= 2;
-    }
-  else
-    {
+/*  if (_nss_ldap_oc_check (ld, e, "shadowAccount") == NSS_SUCCESS)
+ *    {
+ */      /* don't include password for shadowAccount */
+/*      if (buflen < 3)
+ *	return NSS_TRYAGAIN;
+ *
+ *     pw->pw_passwd = buffer;
+ *     strcpy (buffer, "x");
+ *     buffer += 2;
+ *     buflen -= 2;
+ *   }
+ * else
+ */    {
       stat =
 	_nss_ldap_assign_userpassword (ld, e, AT (userPassword),
 				       &pw->pw_passwd, &buffer, &buflen);
EOF
# make install clean
</pre></code></blockquote>

The reason for the patch is explained <a href="http://lists.freebsd.org/pipermail/freebsd-ports-bugs/2004-November/044589.html">here</a>. In short, as the hunk shows, unpatched nss_ldap returns the placeholder "x" in pw_passwd for every entry that carries the shadowAccount object class (the Linux convention, where the hash lives in the separate shadow map). FreeBSD has no shadow map and checks the hash in pw_passwd, so such accounts can never log in; the patch disables that branch so the userPassword attribute is returned for every account.

Next, edit /usr/local/etc/nss_ldap.conf:
<blockquote><code>
# cat &gt; /usr/local/etc/nss_ldap.conf &lt;&lt;EOF
# The distinguished name of the search base.
base dc=cs,dc=nctu,dc=edu,dc=tw

# Another way to specify your LDAP server is to provide an
# uri with the server name. This allows using
# Unix Domain Sockets to connect to a local LDAP Server.
#uri ldap://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fopenldap%2fldapi/
#uri ldaps://127.0.0.1/
uri ldaps://ldap.cs.nctu.edu.tw/

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /usr/local/etc/nss_ldap.secret (mode 600)
# on the FreeBSD port.
rootbinddn cn=Manager,dc=cs,dc=nctu,dc=edu,dc=tw

# Filter to AND with uid=%s
pam_filter objectclass=posixAccount

# The user ID attribute (defaults to uid)
pam_login_attribute uid

# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX          base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd       ou=People,
# to append the default base DN but this
# may incur a small performance impact.
#nss_base_passwd        ou=People,
#nss_base_shadow        ou=People,
nss_base_group          ou=Group,
nss_base_hosts          ou=Hosts,
nss_base_services       ou=Services,
nss_base_networks       ou=Networks,
nss_base_protocols      ou=Protocols,
nss_base_rpc            ou=Rpc,
nss_base_ethers         ou=Ethers,
nss_base_netmasks       ou=Networks,
nss_base_bootparams     ou=Ethers,
nss_base_aliases        ou=Aliases,
nss_base_netgroup       ou=Netgroup,

EOF
</code></blockquote>

If you are not using Samba, you can remove the comment markers in front of the nss_base_passwd and nss_base_shadow lines. Keep the uri on ldaps:// (or ldapi:// for a local server): because rootbinddn is set, nss_ldap binds as the directory manager, and a plain ldap:// uri would send that password over the network in clear text.

Next, store the rootdn password in /usr/local/etc/nss_ldap.secret so that nss_ldap can read and write the passwords in LDAP as the rootdn. Set umask 077 first (or create the file with an editor) so the file is never readable by others, even briefly, and remember that passing the password to echo leaves it in your shell history.

<blockquote><code>
# echo 'rootdn_password' > /usr/local/etc/nss_ldap.secret
# chmod 600 /usr/local/etc/nss_ldap.secret
</code></blockquote>

Next, edit /etc/master.passwd and append the line <code>+:*::::::::</code> at the end; likewise append <code>+:*::</code> at the end of /etc/group. Use vipw for master.passwd so that pwd_mkdb rebuilds the password databases.

Next, edit /etc/nsswitch.conf (the italicised words are the additions):

<blockquote><code>
group: compat
group_compat: <i>ldap</i> nis
hosts: files dns
networks: files
passwd: compat
passwd_compat: <i>ldap</i> nis
shells: files
</code></blockquote>

Now you can test by logging in.

With this setup /usr/bin/passwd cannot change passwords, since passwd(1) only edits the local master.passwd; users can use <a href="http://www.csie.nctu.edu.tw/~jnlin/docs/ldappasswd.txt">this script</a> instead. The original program is <a href="http://www.mami.net/univr/tng-ldap/howto/#how_to_change_password">here</a>; I modified it slightly to fit the current LDAP setup. If you do not use Samba, comment out the Samba part.

Notes:
1. If Linux systems will also authenticate against this LDAP directory, you must apply the nss_ldap patch above, otherwise FreeBSD logins will fail: Linux-style accounts carry the shadowAccount object class, and unpatched nss_ldap returns "x" instead of the hash for them.
2. If you can log in, but running id as an ordinary user shows no username, edit slapd.conf and grant anonymous read access. Grant it only on the attributes needed for name lookups and keep userPassword restricted (self write, anonymous auth only), so that the hashes are readable only through the rootbinddn bind.
3. At present FreeBSD 5.x only supports name service switching for the passwd and group databases; netgroup, amd maps, hosts, aliases and so on are not yet supported.
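Review bot: in the ldap-pwd.c hunk (@@ -92,19 +92,19 @@), disabling the shadowAccount branch means `_nss_ldap_assign_userpassword` now copies userPassword into pw_passwd for shadowAccount entries as well, so whether that hash reaches an unprivileged caller of getpwnam() is decided solely by the directory's read ACL on userPassword, and nothing in the patch records that dependency. Add a comment above the disabled block stating why it is disabled (FreeBSD has no shadow map and needs the hash in pw_passwd) and that userPassword must stay unreadable to anonymous binds. Also, wrapping the whole branch in `/* ... */` while closing and reopening the comment around the original `/* don't include password for shadowAccount */` line is fragile; `#if 0` / `#endif` around the same lines, or a configure-time option, keeps the patch readable and avoids breaking if the upstream text gains another block comment.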
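As an added example, not code from the original post, here is a small POSIX sh audit for the setup above: it checks that every active uri in nss_ldap.conf is ldaps:// or ldapi://, that the rootdn secret file is mode 600 and non-empty, that master.passwd and group carry the trailing "+" entries, and that nsswitch.conf lists ldap for passwd_compat and group_compat. The file layout under ROOT mirrors the real system (ROOT=/ for a live check); the sample tree it builds in a temporary directory is constructed here and reuses the post's hostname and base DN only as placeholders, and nothing in it contacts an LDAP server.

```shell
#!/bin/sh
# Added example (not from the original post): audit an nss_ldap setup.
# Paths are parameters so the checks can run against a staging tree.

# check_uri CONF: every active "uri" line must be ldaps:// or ldapi://.
# With rootbinddn set, nss_ldap binds as the directory manager, so a plain
# ldap://host/ line would send that password over the network in clear text.
check_uri() {
    uris=$(awk '$1 == "uri" { print $2 }' "$1")   # commented lines start "#uri"
    [ -n "$uris" ] || return 1                      # no server configured at all
    for u in $uris; do
        case "$u" in
            ldaps://*|ldapi://*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# check_secret FILE: the rootdn password file must exist, be unreadable by
# group and others (the "mode 600" the post asks for) and hold exactly one
# non-empty line; an empty file means nss_ldap cannot bind as rootbinddn.
check_secret() {
    [ -f "$1" ] || return 1
    case "$(ls -ld "$1")" in
        -???------*) ;;                             # owner bits only, e.g. -rw-------
        *) return 1 ;;
    esac
    [ "$(wc -l < "$1" | tr -d ' ')" -eq 1 ] || return 1
    [ -n "$(head -n 1 "$1")" ]
}

# check_compat ETCDIR: master.passwd and group need the trailing "+" entries
# that make the compat source fall through to passwd_compat/group_compat.
check_compat() {
    grep -q '^+:\*::::::::$' "$1/master.passwd" || return 1
    grep -q '^+:\*::$' "$1/group"
}

# check_nsswitch FILE: passwd_compat and group_compat must both list ldap.
check_nsswitch() {
    grep -Eq '^passwd_compat:.*[[:space:]]ldap([[:space:]]|$)' "$1" || return 1
    grep -Eq '^group_compat:.*[[:space:]]ldap([[:space:]]|$)' "$1"
}

# audit ROOT: run every check against a tree laid out like the live system
# (ROOT must not contain spaces). Prints one line per check; 0 only if all pass.
audit() {
    rc=0
    for c in "check_uri $1/usr/local/etc/nss_ldap.conf" \
             "check_secret $1/usr/local/etc/nss_ldap.secret" \
             "check_compat $1/etc" \
             "check_nsswitch $1/etc/nsswitch.conf"; do
        if $c; then echo "ok   $c"; else echo "FAIL $c"; rc=1; fi
    done
    return $rc
}

# make_tree ROOT yes|no: write a constructed staging tree with the post's files.
# "yes" reproduces the post's settings; "no" plants two common mistakes,
# a plaintext ldap:// uri and a world-readable secret file.
make_tree() {
    root=$1
    mkdir -p "$root/usr/local/etc" "$root/etc"
    if [ "$2" = yes ]; then uri=ldaps://ldap.cs.nctu.edu.tw/; mode=600
    else uri=ldap://ldap.cs.nctu.edu.tw/; mode=644; fi
    cat > "$root/usr/local/etc/nss_ldap.conf" <<EOF
base dc=cs,dc=nctu,dc=edu,dc=tw
#uri ldap://127.0.0.1/
uri $uri
rootbinddn cn=Manager,dc=cs,dc=nctu,dc=edu,dc=tw
pam_filter objectclass=posixAccount
EOF
    echo 'constructed-rootdn-password' > "$root/usr/local/etc/nss_ldap.secret"
    chmod "$mode" "$root/usr/local/etc/nss_ldap.secret"
    printf 'root:*:0:0::0:0:Charlie &:/root:/bin/csh\n+:*::::::::\n' > "$root/etc/master.passwd"
    printf 'wheel:*:0:root\n+:*::\n' > "$root/etc/group"
    printf 'passwd: compat\npasswd_compat: ldap nis\ngroup: compat\ngroup_compat: ldap nis\n' \
        > "$root/etc/nsswitch.conf"
}

# demo: audit a good and a bad constructed tree; 0 when the good one passes
# and the bad one fails.
demo() {
    good=$(mktemp -d); bad=$(mktemp -d)
    make_tree "$good" yes; make_tree "$bad" no
    if audit "$good"; then g=0; else g=1; fi
    if audit "$bad"; then b=0; else b=1; fi
    rm -rf "$good" "$bad"
    [ "$g" -eq 0 ] && [ "$b" -eq 1 ]
}

demo
```

Run it as <code>sh audit.sh</code> to see the constructed good and bad trees audited; to check a real host, call <code>audit /</code> from the same file as root, since the secret file is only readable by root.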