LDAP authentication using Windows Active Directory

Learn how to configure SSL or TLS for LDAP authentication against Windows Active Directory.

Procedure

  1. Add the Windows Active Directory user to the database.
    create user <user> password <password>
    Define the password according to your password policy.
    Example:
    nzsql -c "create user ad_user1 password 'password';"
  2. Set the authentication type:
    • Set authentication to AD with SSL/TLS off
      With SSL 'OFF' and no TLS, SSSD talks plain LDAP to port 389 (ldap_uri = ldap://AD_SERVER:389), so nothing between the Netezza host and AD_SERVER is encrypted: the BINDPW is sent in the clear on every bind. Use this variant only for initial testing on a trusted network; use the SSL or TLS variant below for production.
      1. Run the command.
        nzsql -c " SET AUTHENTICATION LDAP BASE 'dc=nzdevelopment,dc=com' NAMECASE lowercase SERVER 'AD_SERVER' SSL 'OFF' BINDPW Netezzapwd BINDDN 'cn=ad_admin_user1,cn=Users,dc=nzdevelopment,dc=com' ATTRNAME 'sAMAccountName';"
      2. The sssd.conf file now looks as follows.
        [domain/external_ldap]
        
        ###The below common parameters and values should not be changed
        
        ldap_default_authtok_type = obfuscated_password
        ldap_schema = AD
        ldap_group_name = CN
        ldap_user_name = sAMAccountName
        ignore_group_members = True
        auth_provider = ldap
        ldap_rfc2307_fallback_to_local_users = True
        ldap_referrals = False
        override_homedir = /home/%u
        ldap_network_timeout = 3
        ldap_opt_timeout = 60
        cache_credentials = True
        entry_cache_group_timeout = 0
        entry_cache_user_timeout = 0
        ldap_search_timeout = 30
        id_provider = ldap
        entry_cache_timeout = 600
        case_sensitive = False
        ldap_id_mapping = True
        #ldap_group_attribute =
        #debug_level = 10
        
        ###Supplied from Input
        
        ldap_uri = ldap://AD_SERVER:389
        ldap_user_search_base = dc=nzdevelopment,dc=com
        ldap_default_bind_dn = cn=ad_admin_user1,cn=Users,dc=nzdevelopment,dc=com
        ldap_tls_reqcert = never
        #ldap_id_use_start_tls =
        #ldap_tls_cacert =
        
        ldap_default_authtok = AAAQAA5gKJVg+dHVdi2LU9uTepJAJRYtMh1mlO8vp4ysVuFjw5OrxTeY4MteantA1+FLTm2+XGmtdokCsiZAfGExIlsAAQID
        [sssd]
        services = nss, ifp, sudo, ssh, pam
        domains = external_ldap
        
        [nss]
        memcache_timeout = 600
        homedir_substring = /home
        
        [pam]
        #debug_level = 10
        
        [sudo]
        [autofs]
        [ssh]
        [pac]
        [ifp]
        [secrets]

        If the AD server has many groups and users, you can improve login performance by adding ldap_group_member = uniqueMember to the sssd.conf file.

        1. Add ldap_group_member = uniqueMember to the [domain/external_ldap] section of /etc/sssd/sssd.conf.
        ignore_group_members = True (add only if not already present; the generated file already contains this parameter)
        ldap_group_member = uniqueMember
        2. Restart the sssd service. The command also clears the SSSD cache so that stale user and group entries are not reused.
        systemctl stop sssd ; rm -f /var/lib/sss/db/* ; systemctl start sssd

        3. Verify authentication by logging in to the database as the AD user.

    • Set authentication to AD with SSL on
      The AD server's certificate must be issued by a trusted CA. Obtain the CA certificate file and save it somewhere on the Netezza Performance Server system. On a high-availability (HA) Netezza Performance Server system, save the file on the shared drive, for example in a new directory under /nz. Both Netezza Performance Server nodes must be able to reach the certificate file by the same path name.
      1. Set AD authentication with SSL ON.
        nzsql -c " SET AUTHENTICATION LDAP BASE 'dc=nzdevelopment,dc=com' NAMECASE lowercase SERVER 'AD_SERVER' SSL 'ON' BINDPW Netezzapwd BINDDN 'cn=ad_admin_user1,cn=Users,dc=nzdevelopment,dc=com' ATTRNAME 'sAMAccountName' CACERT '/nz/caCert/ca_cert.pem';"
        CACERT is the path of the CA certificate file. With SSL 'ON', SSSD connects over LDAPS on port 636 (ldap_uri = ldaps://AD_SERVER:636) and verifies the AD server certificate against this CA (ldap_tls_reqcert = demand); a server whose certificate does not chain to it is rejected.
      2. The sssd.conf file now looks as follows.
        [domain/external_ldap]
        
        ###The below common parameters and values should not be changed
        
        ldap_default_authtok_type = obfuscated_password
        ldap_schema = AD
        ldap_group_name = CN
        ldap_user_name = sAMAccountName
        ignore_group_members = True
        auth_provider = ldap
        ldap_rfc2307_fallback_to_local_users = True
        ldap_referrals = False
        override_homedir = /home/%u
        ldap_network_timeout = 3
        ldap_opt_timeout = 60
        cache_credentials = True
        entry_cache_group_timeout = 0
        entry_cache_user_timeout = 0
        ldap_search_timeout = 30
        id_provider = ldap
        entry_cache_timeout = 600
        case_sensitive = False
        ldap_id_mapping = True
        #ldap_group_attribute =
        #debug_level = 10
        
        ###Supplied from Input
        
        ldap_uri = ldaps://AD_SERVER:636
        ldap_user_search_base = dc=nzdevelopment,dc=com
        ldap_default_bind_dn = cn=ad_admin_user1,cn=Users,dc=nzdevelopment,dc=com
        ldap_tls_reqcert = demand
        ldap_id_use_start_tls = False
        ldap_tls_cacert = /nz/caCert/ca_cert.pem
        
        ldap_default_authtok = AAAQAAIxX3meMywHbwCnnFQRhRJAHpAICVBjoXmg6OhLr9ASy0RijAO4WdYwAioHf5Fmy6yQc0g8/CXOrx7VQ1BbrfYAAQID
        [sssd]
        services = nss, ifp, sudo, ssh, pam
        domains = external_ldap
        
        [nss]
        memcache_timeout = 600
        homedir_substring = /home
        
        [pam]
        #debug_level = 10
        
        [sudo]
        [autofs]
        [ssh]
        [pac]
        [ifp]
        [secrets]

      If the AD server has many groups and users, you can improve login performance by adding ldap_group_member = uniqueMember to the sssd.conf file.

      1. Add ldap_group_member = uniqueMember to the [domain/external_ldap] section of /etc/sssd/sssd.conf.
      ignore_group_members = True (add only if not already present; the generated file already contains this parameter)
      ldap_group_member = uniqueMember
      2. Restart the sssd service. The command also clears the SSSD cache so that stale user and group entries are not reused.
      systemctl stop sssd ; rm -f /var/lib/sss/db/* ; systemctl start sssd

      3. Verify authentication by logging in to the database as the AD user.

    • Set authentication to AD with TLS on

      You can use TLS to establish a secure connection to the LDAP/AD server. To do this, set the TLS flag to ON in the SET AUTHENTICATION command and supply the CA certificate file in CACERT. In this mode SSSD connects to port 389 and upgrades the connection with STARTTLS (ldap_id_use_start_tls = True) before binding, verifying the AD server certificate against the CA file.

      1. Set AD authentication over TLS.
        nzsql -c " SET AUTHENTICATION LDAP BASE 'dc=nzdevelopment,dc=com' NAMECASE lowercase SERVER 'AD_SERVER' SSL 'OFF' TLS 'ON' BINDPW Netezzapwd BINDDN 'cn=ad_admin_user1,cn=Users,dc=nzdevelopment,dc=com' ATTRNAME 'sAMAccountName' CACERT '/nz/caCert/ca_cert.pem';"
        Note: TLS and SSL cannot both be set to ON.
      2. The sssd.conf file now looks as follows.
        [domain/external_ldap]
        
        ###The below common parameters and values should not be changed
        
        ldap_default_authtok_type = obfuscated_password
        ldap_schema = AD
        ldap_group_name = CN
        ldap_user_name = sAMAccountName
        ignore_group_members = True
        auth_provider = ldap
        ldap_rfc2307_fallback_to_local_users = True
        ldap_referrals = False
        override_homedir = /home/%u
        ldap_network_timeout = 3
        ldap_opt_timeout = 60
        cache_credentials = True
        entry_cache_group_timeout = 0
        entry_cache_user_timeout = 0
        ldap_search_timeout = 30
        id_provider = ldap
        entry_cache_timeout = 600
        case_sensitive = False
        ldap_id_mapping = True
        #ldap_group_attribute =
        #debug_level = 10
        
        ###Supplied from Input
        
        ldap_uri = ldap://AD_SERVER:389
        ldap_user_search_base = dc=nzdevelopment,dc=com
        ldap_default_bind_dn = cn=ad_admin_user1,cn=Users,dc=nzdevelopment,dc=com
        ldap_tls_reqcert = demand
        ldap_id_use_start_tls = True
        ldap_tls_cacert = /nz/caCert/ca_cert.pem
        
        ldap_default_authtok = AAAQAAIxX3meMywHbwCnnFQRhRJAHpAICVBjoXmg6OhLr9ASy0RijAO4WdYwAioHf5Fmy6yQc0g8/CXOrx7VQ1BbrfYAAQID
        [sssd]
        services = nss, ifp, sudo, ssh, pam
        domains = external_ldap
        
        [nss]
        memcache_timeout = 600
        homedir_substring = /home
        
        [pam]
        #debug_level = 10
        
        [sudo]
        [autofs]
        [ssh]
        [pac]
        [ifp]
        [secrets]
        Note: The Active Directory server named in the SET AUTHENTICATION command must match the host name in the LDAP server's certificate. With ldap_tls_reqcert = demand the connection is refused if the names differ; this applies to the SSL variant as well.

      If the AD server has many groups and users, you can improve login performance by adding ldap_group_member = uniqueMember to the sssd.conf file.

      1. Add ldap_group_member = uniqueMember to the [domain/external_ldap] section of /etc/sssd/sssd.conf.
      ignore_group_members = True (add only if not already present; the generated file already contains this parameter)
      ldap_group_member = uniqueMember
      2. Restart the sssd service. The command also clears the SSSD cache so that stale user and group entries are not reused.
      systemctl stop sssd ; rm -f /var/lib/sss/db/* ; systemctl start sssd

      3. Verify authentication by logging in to the database as the AD user.
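The following shell script is an added example that is not part of this documentation, of Netezza, or of the SSSD project. It turns the "verify authentication" step of the three variants above into a check you can run on the Netezza host before trying a login: it reads the [domain/external_ldap] section that SET AUTHENTICATION writes, classifies the transport (cleartext for SSL/TLS OFF, LDAPS for SSL ON, STARTTLS for TLS ON), fails any configuration that sends the BINDPW in the clear or skips certificate verification, and prints the openssl s_client command that checks the certificate chain and host name of the AD server for the encrypted variants. The helper sample_conf, the temporary paths, and the host name AD_SERVER are constructed sample data; point sssd_audit at the real /etc/sssd/sssd.conf to check a live system.

```shell
#!/bin/sh
# sssd_ldap_audit.sh: audit the transport security of the SSSD LDAP domain that
# SET AUTHENTICATION LDAP writes, and print the openssl check for it.
# Added example; not part of the Netezza documentation or of the SSSD project.
# Assumptions: the section is [domain/external_ldap] as on this page, AD_SERVER is a
# placeholder host name, and sample_conf writes constructed sample files.

# Print the value of <key> from [domain/external_ldap] in <conf>; nothing if the key
# is absent or commented out.  usage: sssd_get <conf> <key>
sssd_get() {
    awk -v key="$2" '
        { sub(/^[ \t]+/, "") }
        /^\[/ { insect = ($0 == "[domain/external_ldap]"); next }
        insect && ($1 == key || index($0, key "=") == 1) {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$1"
}

# Classify the transport: ldaps (SSL ON), starttls (TLS ON) or cleartext (both OFF).
sssd_transport() {
    case "$(sssd_get "$1" ldap_uri)" in
        ldaps://*) echo ldaps ;;
        ldap://*)  case "$(sssd_get "$1" ldap_id_use_start_tls)" in
                       [Tt][Rr][Uu][Ee]) echo starttls ;;
                       *)                echo cleartext ;;
                   esac ;;
        *)         echo unknown ;;
    esac
}

# Return 0 when the bind is encrypted and the AD certificate is verified against a
# configured CA file; otherwise report each weakness on stderr and return 1.
sssd_audit() {
    conf=$1; rc=0
    case "$(sssd_transport "$conf")" in
        ldaps|starttls) ;;
        *) echo "FAIL $conf: $(sssd_get "$conf" ldap_uri) without STARTTLS sends the" \
                "BINDPW and forwarded user passwords in the clear" >&2; rc=1 ;;
    esac
    case "$(sssd_get "$conf" ldap_tls_reqcert)" in
        demand|hard) ;;
        *) echo "FAIL $conf: ldap_tls_reqcert is not demand/hard, so a forged AD" \
                "server certificate would be accepted" >&2; rc=1 ;;
    esac
    [ -n "$(sssd_get "$conf" ldap_tls_cacert)" ] ||
        { echo "FAIL $conf: ldap_tls_cacert is unset, no CA file to verify AD_SERVER" >&2; rc=1; }
    return $rc
}

# Print the openssl s_client command that checks the certificate chain and host name
# of the configured AD server (-starttls ldap needs OpenSSL 1.1.1+; run it by hand).
sssd_verify_cmd() {
    conf=$1; uri=$(sssd_get "$conf" ldap_uri); ca=$(sssd_get "$conf" ldap_tls_cacert)
    hostport=${uri#*://}; host=${hostport%%:*}
    case "$hostport" in *:*) port=${hostport##*:} ;; *) port= ;; esac
    case "$(sssd_transport "$conf")" in
        ldaps)    echo "openssl s_client -connect $host:${port:-636} -CAfile $ca" \
                       "-verify_hostname $host -verify_return_error </dev/null" ;;
        starttls) echo "openssl s_client -connect $host:${port:-389} -starttls ldap" \
                       "-CAfile $ca -verify_hostname $host -verify_return_error </dev/null" ;;
        *)        echo "# nothing to verify: $uri is not encrypted" ;;
    esac
}

# Write a constructed sssd.conf fragment modelled on the three variants on this page.
# usage: sample_conf <path> <ldap_uri> <reqcert> <ldap_id_use_start_tls|-> <cacert|->
sample_conf() {
    {
        echo "[domain/external_ldap]"
        echo "ldap_schema = AD"
        echo "id_provider = ldap"
        echo "auth_provider = ldap"
        echo "ldap_uri = $2"
        echo "ldap_user_search_base = dc=nzdevelopment,dc=com"
        echo "ldap_default_bind_dn = cn=ad_admin_user1,cn=Users,dc=nzdevelopment,dc=com"
        echo "ldap_tls_reqcert = $3"
        if [ "$4" = - ]; then echo "#ldap_id_use_start_tls ="; else echo "ldap_id_use_start_tls = $4"; fi
        if [ "$5" = - ]; then echo "#ldap_tls_cacert ="; else echo "ldap_tls_cacert = $5"; fi
        echo "[sssd]"
        echo "domains = external_ldap"
    } > "$1"
}

# Demo: the SSL OFF, SSL ON and TLS ON configurations from this page (sample data).
dir=${TMPDIR:-/tmp}/sssd_audit.$$; mkdir -p "$dir"
sample_conf "$dir/off.conf"      ldap://AD_SERVER:389  never  -     -
sample_conf "$dir/ssl.conf"      ldaps://AD_SERVER:636 demand False /nz/caCert/ca_cert.pem
sample_conf "$dir/starttls.conf" ldap://AD_SERVER:389  demand True  /nz/caCert/ca_cert.pem
for f in "$dir/off.conf" "$dir/ssl.conf" "$dir/starttls.conf"; do
    if sssd_audit "$f"; then echo "PASS $f: $(sssd_transport "$f")"; fi
    sssd_verify_cmd "$f"
done
rm -rf "$dir"
```

Run sssd_audit /etc/sssd/sssd.conf after each SET AUTHENTICATION change. A PASS only means the bind is encrypted and the server certificate is checked; it does not prove the login works. Follow it with the printed openssl command (which also confirms the host name in the certificate matches the SERVER value, as the note above requires) and then log in as the AD user.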