Xiaopei's DokuWiki

AD Active Directory (on Windows Server)

String  X.500 AttributeType
------------------------------
CN      commonName
L       localityName
ST      stateOrProvinceName
O       organizationName
OU      organizationalUnitName
C       countryName
STREET  streetAddress
DC      domainComponent
UID     userid

Concepts

Setup

Import/Export: LDIFDE (LDAP Data Interchange Format Data Exchange)

Joining Linux to AD

Follow this tutorial: DirectControl - Community Ubuntu Documentation

Centrify DirectControl Express can quickly and easily join an Ubuntu server or desktop to Active Directory and supports authentication using your Active Directory username and password or SSO using Kerberos.

If PAM fails, e.g. adinfo shows CentrifyDC mode: disconnected, debug it with these steps:

  1. turn on debugging: "/usr/share/centrifydc/bin/addebug on"
  2. run "adinfo --diag"
  3. google
  4. turn off debugging: "/usr/share/centrifydc/bin/addebug off"

It is most likely a DNS problem; try removing the other DNS servers and keeping only the AD DNS server.

Other methods

Using LDAP for AD authentication

.shelldap.rc
server:    geneegroup.com
binddn:    cn=Li Xiaopei,ou=dev,dc=geneegroup,dc=com
bindpass:  password
basedn:    dc=geneegroup,dc=com

PHP web service running on Linux, authenticating against AD

PHP can use ldap_bind to authenticate against LDAP.

But when LDAP is used to authenticate against AD, if the AD account has a userWorkstations restriction, you hit the following problem, which (probably) has no solution:

531 ERROR_INVALID_WORKSTATION, Entry not allowed to log on to this computer.

Instead, you can first use Centrify (never use winbind + samba, far too much hassle) to join the Linux server to the AD domain and enable PAM, then use PECL :: Package :: PAM (php5-auth-pam on Ubuntu) to authenticate through PAM.
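As an added example (not code from the original page, nor from Centrify or PECL), here is a PHP helper covering both routes above: a simple bind against AD with ldap_bind, and the PAM route through pam_auth from the PECL pam extension. It assumes the geneegroup.com domain from the .shelldap.rc above; the domain controller host dc1.geneegroup.com, the UPN bind format, the account-name pattern and the credentials in the usage call are assumptions.

```php
<?php
// Added example, not from the original page. Assumes the geneegroup.com
// domain from the page's .shelldap.rc and a placeholder domain controller
// reachable at dc1.geneegroup.com (hypothetical host).

declare(strict_types=1);

const AD_HOST   = 'ldap://dc1.geneegroup.com';   // placeholder host, not on the page
const AD_DOMAIN = 'geneegroup.com';               // from the page's .shelldap.rc

/**
 * Authenticate a user against AD with a simple bind over StartTLS.
 * Returns true on success; on failure $reason receives a short diagnostic.
 */
function ad_ldap_auth(string $username, string $password, ?string &$reason = null): bool
{
    // An empty password turns a simple bind into an *unauthenticated* bind
    // (RFC 4513 section 5.1.2), which AD accepts unless unauthenticated binds
    // have been disabled, so it must be refused before talking to the server,
    // otherwise any username with a blank password would "log in".
    if ($username === '' || $password === '') {
        $reason = 'empty username or password';
        return false;
    }
    // Accept only the sAMAccountName character set we expect (assumed pattern);
    // this also keeps DN and filter metacharacters out of the bind name.
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $username)) {
        $reason = 'malformed username';
        return false;
    }

    $conn = ldap_connect(AD_HOST);
    if ($conn === false) {
        $reason = 'bad LDAP URI';
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);       // AD returns referrals; chasing them stalls the bind
    ldap_set_option($conn, LDAP_OPT_NETWORK_TIMEOUT, 5);
    // Never send the password in clear: require StartTLS (or connect with ldaps://).
    if (!@ldap_start_tls($conn)) {
        $reason = 'StartTLS failed: ' . ldap_error($conn);
        ldap_unbind($conn);
        return false;
    }

    // Bind with the userPrincipalName; AD accepts it in place of a full DN.
    $ok = @ldap_bind($conn, $username . '@' . AD_DOMAIN, $password);
    if (!$ok) {
        // AD reports the real cause (52e wrong password, 531 workstation
        // restriction, 533 disabled, 773 must change password, ...) as
        // "data XXX" inside the diagnostic message, not in the error number.
        $diag = '';
        ldap_get_option($conn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
        $reason = sprintf('bind failed (%d %s) %s', ldap_errno($conn), ldap_error($conn), $diag);
        ldap_unbind($conn);
        return false;
    }
    ldap_unbind($conn);
    return true;
}

/**
 * Alternative from the page: let PAM (backed by CentrifyDC on a joined host)
 * do the work. Requires the PECL pam extension, whose entry point is pam_auth().
 */
function ad_pam_auth(string $username, string $password, ?string &$reason = null): bool
{
    if ($password === '') {            // same unauthenticated-bind caution as above
        $reason = 'empty password';
        return false;
    }
    if (!function_exists('pam_auth')) {
        $reason = 'pam extension not loaded';
        return false;
    }
    $error = '';
    if (!pam_auth($username, $password, $error)) {
        $reason = $error;
        return false;
    }
    return true;
}

// Usage (credentials are placeholders):
$reason = null;
if (ad_ldap_auth('lixiaopei', 'correct horse battery staple', $reason)) {
    echo "LDAP: authenticated\n";
} else {
    echo "LDAP: rejected: {$reason}\n";
}
```

The userWorkstations rejection from the page shows up through the LDAP route as error 49 (Invalid credentials) with "data 531" in the diagnostic message, which the helper surfaces in $reason rather than collapsing every failure into "bad password"; the PAM route sidesteps it because the Centrify agent performs the logon from a machine that is itself a domain member.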

it/ad.txt · Last modified: 2018/04/18 14:37 by admin