AlmaLinux 8.10: joining an OpenLDAP server, a configuration guide (Linux system OpenLDAP authentication, unified user authentication with OpenLDAP)
I. Configuring OpenLDAP on AlmaLinux 8.10
1. Install the OpenLDAP client packages: yum install openldap-clients nss-pam-ldapd
2. Disable SELinux and the firewall: edit /etc/selinux/config or run setenforce 0, then systemctl stop firewalld && systemctl disable firewalld

3. Edit the /etc/nslcd.conf configuration file. The complete file:
# nslcd configuration
uid nslcd
gid ldap
# LDAP server URI
uri ldap://10.252.14.21/
# Search base
base ou=Nexai,dc=nexai,dc=com
ssl no
# note: the cacerts directory must be created first: mkdir /etc/openldap/cacerts
tls_cacertdir /etc/openldap/cacerts
# base dc=nexai,dc=com
scope sub
# Bind credentials
binddn cn=admin,dc=nexai,dc=com
bindpw Nex@2026
# Search filters
filter passwd (objectClass=posixAccount)
filter shadow (objectClass=posixAccount)
filter group (objectClass=posixGroup)
# Attribute mappings
map passwd uid uid
map passwd uidNumber uidNumber
map passwd gidNumber gidNumber
map passwd homeDirectory homeDirectory
map passwd loginShell loginShell
#map passwd sn sn
map passwd gecos cn
map group cn cn
map group gidNumber gidNumber
# Connection settings
bind_timelimit 30
timelimit 30
idle_timelimit 3600
pagesize 1000
referrals off
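The filter and map directives above decide which directory entries become Unix accounts and which LDAP attribute fills each passwd field (for example gecos is taken from cn). The following added example, not part of the original guide, parses a constructed excerpt of that nslcd.conf, applies it to a constructed LDAP entry to produce the passwd record that id and getent will see, and flags the one setting a reviewer would question (a bind password over a plaintext ldap:// URI). The entry, its UID/GID and the function names are all assumptions.

```python
# Constructed excerpt of the guide's /etc/nslcd.conf: the lines that shape the passwd map.
NSLCD_CONF = """\
ssl no
binddn cn=admin,dc=nexai,dc=com
bindpw Nex@2026
filter passwd (objectClass=posixAccount)
map passwd uid uid
map passwd uidNumber uidNumber
map passwd gidNumber gidNumber
map passwd homeDirectory homeDirectory
map passwd loginShell loginShell
map passwd gecos cn
"""
# Constructed LDAP entry, shaped like an ldapsearch result (attribute -> list of values).
ENTRY = {"objectClass": ["inetOrgPerson", "posixAccount"], "uid": ["jqian"],
         "cn": ["Jian Qian"], "uidNumber": ["2001"], "gidNumber": ["2001"],
         "homeDirectory": ["/home/jqian"], "loginShell": ["/bin/bash"]}

def parse_nslcd(text):
    """Split nslcd.conf into plain settings, per-database search filters and attribute maps."""
    settings, filters, maps = {}, {}, {}
    for raw in text.splitlines():
        key, *args = ([] if raw.lstrip().startswith("#") else raw.split()) or [""]  # '#' lines are comments
        if key == "filter" and len(args) == 2:
            filters[args[0]] = args[1]
        elif key == "map" and len(args) == 3:
            maps.setdefault(args[0], {})[args[1]] = args[2]  # map <database> <local field> <LDAP attribute>
        elif key:
            settings[key] = " ".join(args)
    return settings, filters, maps

def matches(entry, ldap_filter):
    """Evaluate the single equality filters the guide uses, e.g. (objectClass=posixAccount)."""
    attr, _, value = ldap_filter.strip("()").partition("=")
    return value in entry.get(attr, [])

def passwd_line(entry, filters, maps):
    """The passwd(5) record nslcd hands to NSS, or None when the filter rejects the entry."""
    if not matches(entry, filters.get("passwd", "(objectClass=posixAccount)")):
        return None
    m = maps.get("passwd", {})
    attr = lambda field: entry.get(m.get(field, field), [""])[0]  # local field -> mapped LDAP attribute
    return ":".join([attr("uid"), "*", attr("uidNumber"), attr("gidNumber"),  # "*": placeholder, not the hash
                     attr("gecos"), attr("homeDirectory"), attr("loginShell")])

def lint(settings):
    """Flag the setting a reviewer would question: a bind password sent over a plaintext ldap:// URI."""
    if settings.get("ssl", "no") == "no" and "bindpw" in settings:
        return ["bindpw crosses the network in clear over ldap://; use ssl start_tls or ldaps://"]
    return []
```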
4. Edit the /etc/pam_ldap.conf configuration file. The complete file (cat /etc/pam_ldap.conf):
host 10.252.14.21
URI ldap://10.252.14.21/
BASE dc=nexai,dc=com
ldap_version 3

5. Edit the /etc/authselect/system-auth (/etc/pam.d/system-auth) authentication file. The complete file (cat /etc/authselect/system-auth):
# Generated by authselect on Thu Jan 22 15:52:24 2026
# Do not modify this file manually.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_fprintd.so
auth        [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        sufficient    pam_unix.so nullok
auth        [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth        sufficient    pam_sss.so forward_pass
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_usertype.so issystem
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so
password    requisite     pam_pwquality.so local_users_only
password    sufficient    pam_unix.so sha512 shadow nullok use_authtok
password    [success=1 default=ignore] pam_localuser.so
password    sufficient    pam_sss.so use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
session     optional      pam_ldap.so
6. Edit the /etc/nsswitch.conf configuration file. The complete file (cat /etc/nsswitch.conf):
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns myhostname
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss
netgroup:   files ldap
publickey:  nisplus
automount:  files ldap
aliases:    files nisplus

7. Edit the /etc/pam.d/sshd configuration file. The complete file (cat /etc/pam.d/sshd):
#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare

8. Edit the /etc/authselect/password-auth (/etc/pam.d/password-auth) configuration file. The complete file (cat /etc/authselect/password-auth):
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

9. Start the nslcd daemon: service nslcd restart

10. Testing
10.1. Run id <ldap user>, for example id jqian

10.2. Run ldapsearch -x -H ldap://10.252.14.21 -D "cn=admin,dc=nexai,dc=com" -W -b "dc=nexai,dc=com" and enter the password: Nex@2026
10.3. Other: test connectivity to the OpenLDAP server port: curl ldap://10.252.14.21:389
