openldap集中认证(传统方式)
2020-07-29 09:11
92 查看
1.安装依赖包
安装openldap相关依赖包,并设置开机启动
yum -y install openldap openldap-clients openldap-servers cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG chown ldap:ldap /var/lib/ldap/* systemctl start slapd.service systemctl enable slapd.service
2.构建ldap基础框架
1. 搭建基础ldap框架
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif cat<<EOF|ldapadd -Y EXTERNAL -H ldapi:/// dn: olcDatabase={1}monitor,cn=config changetype: modify replace: olcAccess olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external, cn=auth" read by dn.base="cn=Manager,dc=example,dc=com" read by * none dn: olcDatabase={2}hdb,cn=config changetype: modify replace: olcSuffix olcSuffix: dc=example,dc=com dn: olcDatabase={2}hdb,cn=config changetype: modify replace: olcRootDN olcRootDN: cn=Manager,dc=example,dc=com dn: olcDatabase={2}hdb,cn=config changetype: modify replace: olcRootPW olcRootPW: {SSHA}MS94aAHiQVwoVFS3FXvPp1ontvkJsHR7 dn: olcDatabase={2}hdb,cn=config changetype: modify add: olcAccess olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=example,dc=com" write by anonymous auth by self write by * none olcAccess: {1}to dn.base="" by * read olcAccess: {2}to * by dn="cn=Manager,dc=example,dc=com" write by * read EOF
2.2增加Manager,People,Group目录
cat<<EOF|ldapadd -x -W -D "cn=Manager,dc=example,dc=com" dn: dc=example,dc=com o: example com dc: example objectClass: top objectClass: dcObject objectClass: organization dn: cn=Manager,dc=example,dc=com objectClass: organizationalRole cn: Manager description: LDAP Manager dn: ou=People,dc=example,dc=com objectClass: organizationalUnit ou: People dn: ou=Group,dc=example,dc=com objectClass: organizationalUnit ou: Group EOF
2.2增加800001用户
cat<<EOF|ldapadd -x -W -D "cn=Manager,dc=example,dc=com" dn: uid=800001,ou=People,dc=example,dc=com objectClass: top objectClass: account objectClass: posixAccount objectClass: shadowAccount cn: demo uid: 800001 uidNumber: 3000 gidNumber: 100 homeDirectory: /home/ldapusers loginShell: /bin/bash gecos: Demo [Demo user (at) example] userPassword: 111111 shadowLastChange: 17058 shadowMin: 0 shadowMax: 99999 shadowWarning: 7 dn: cn=ops,ou=Group,dc=example,dc=com objectClass: posixGroup objectClass: top cn: ops gidNumber: 80001 memberUid: 800001 EOF
3.增加overlay功能
3.1 memberof功能
cat<<EOF|ldapadd -Q -Y EXTERNAL -H ldapi:/// dn: cn=module,cn=config cn: module objectClass: olcModuleList olcModuleLoad: memberof olcModulePath: /usr/lib64/openldap/ EOF cat<<EOF|ldapadd -Q -Y EXTERNAL -H ldapi:/// dn: olcOverlay=memberof,olcDatabase={2}hdb,cn=config objectClass: olcConfig objectClass: olcMemberOf objectClass: olcOverlayConfig objectClass: top olcOverlay: memberof olcMemberOfDangling: ignore olcMemberOfRefInt: TRUE olcMemberOfGroupOC: groupOfUniqueNames olcMemberOfMemberAD: uniqueMember olcMemberOfMemberOfAD: memberOf EOF cat<<EOF|ldapmodify -Q -Y EXTERNAL -H ldapi:/// dn: cn=module{1},cn=config add: olcmoduleload olcmoduleload: refint EOF cat<<EOF|ldapadd -Q -Y EXTERNAL -H ldapi:/// dn: olcOverlay={1}refint,olcDatabase={2}hdb,cn=config objectClass: olcConfig objectClass: olcOverlayConfig objectClass: olcRefintConfig objectClass: top olcOverlay: {1}refint olcRefintAttribute: memberof member manager owner EOF
3.2 host模块
不推荐使用基于host模块的访问控制,因为host需要单个添加,而不能通过添加host组达到动态添加host的功能
cat << EOF | ldapadd -Y EXTERNAL -H ldapi:/// dn: cn=module,cn=config objectClass: olcModuleList cn: module EOF cat << EOF | ldapadd -Y EXTERNAL -H ldapi:/// dn: cn=module{0},cn=config changetype: modify add: olcModulePath olcModulePath: /usr/lib64/openldap/ EOF cat << EOF | ldapmodify -c -Y EXTERNAL -Q -H ldapi:/// dn: cn=module{0},cn=config add: olcModuleLoad olcModuleLoad: dynlist.la EOF cat << EOF | ldapadd -Y EXTERNAL -H ldapi:/// dn: olcOverlay=dynlist,olcDatabase={2}hdb,cn=config objectClass: olcOverlayConfig objectClass: olcDynamicList olcOverlay: dynlist olcDlAttrSet: inetOrgPerson labeledURI EOF cat << EOF | ldapadd -Y EXTERNAL -H ldapi:/// dn: cn=ldapns,cn=schema,cn=config objectClass: olcSchemaConfig cn: ldapns olcAttributeTypes: {0}( 1.3.6.1.4.1.5322.17.2.1 NAME 'authorizedService' DESC 'IANA GSS-API authorized service name' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) olcAttributeTypes: {1}( 1.3.6.1.4.1.5322.17.2.2 NAME 'loginStatus' DESC 'Currently logged in sessions for a user' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch ORDERING caseIgnoreOrderingMatch SYNTAX OMsDirectoryString ) olcObjectClasses: {0}( 1.3.6.1.4.1.5322.17.1.1 NAME 'authorizedServiceObject' DESC 'Auxiliary object class for adding authorizedService attribute' SUP top AUXILIARY MAY authorizedService ) olcObjectClasses: {1}( 1.3.6.1.4.1.5322.17.1.2 NAME 'hostObject' DESC 'Auxiliary object class for adding host attribute' SUP top AUXILIARY MAY host ) olcObjectClasses: {2}( 1.3.6.1.4.1.5322.17.1.3 NAME 'loginStatusObject' DESC 'Auxiliary object class for login status attribute' SUP top AUXILIARY MAY loginStatus ) EOF
3.3添加sudo模块
cat<<EOF|ldapadd -Y EXTERNAL -H ldapi:/// dn: cn=sudo,cn=schema,cn=config objectClass: olcSchemaConfig cn: sudo olcAttributeTypes: {0}( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s ) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5Substrin gsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {1}( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s ) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5Substring sMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {2}( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Com mand(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4 .1.1466.115.121.1.26 ) olcAttributeTypes: {3}( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User( s) impersonated by sudo (deprecated)' EQUALITY caseExactIA5Match SYNTAX 1.3 .6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {4}( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Opti ons(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466 .115.121.1.26 ) olcAttributeTypes: {5}( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'U ser(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1. 1466.115.121.1.26 ) olcAttributeTypes: {6}( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC ' Group(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4. 1.1466.115.121.1.26 ) olcAttributeTypes: {7}( 1.3.6.1.4.1.15953.9.1.8 NAME 'sudoNotBefore' DESC 'S tart of time interval for which the entry is valid' EQUALITY generalizedTim eMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.12 1.1.24 ) olcAttributeTypes: {8}( 1.3.6.1.4.1.15953.9.1.9 NAME 'sudoNotAfter' DESC 'En d of time interval for which the entry is valid' EQUALITY generalizedTimeMa tch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1 .24 ) olcAttributeTypes: {9}( 1.3.6.1.4.1.15953.9.1.10 NAME 'sudoOrder' DESC 'an i nteger to order the sudoRole entries' EQUALITY integerMatch ORDERING intege rOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) olcObjectClasses: {0}( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' DESC 'Sudoer Entries' SUP top STRUCTURAL MUST cn MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ sudoOrder $ su doNotBefore $ sudoNotAfter $ description ) ) EOF
cat<<EOF|ldapadd -x -W -D "cn=Manager,dc=example,dc=com" dn: ou=SUDOers,dc=example,dc=com ou: SUDOers objectClass: top objectClass: organizationalUnit dn: cn=defaults,ou=SUDOers,dc=example,dc=com objectClass: sudoRole cn: defaults sudoOption: requiretty sudoOption: !visiblepw sudoOption: always_set_home sudoOption: env_reset sudoOption: env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS" sudoOption: env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" sudoOption: env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" sudoOption: env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" sudoOption: env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" sudoOption: secure_path = /sbin:/bin:/usr/sbin:/usr/bin sudoOption: logfile = /var/log/sudo EOF
cat<<EOF|ldapadd -x -W -D "cn=Manager,dc=example,dc=com" dn: cn=sudo_ops_role,ou=SUDOers,dc=example,dc=com objectClass: sudoRole cn: sudo_ops_role sudoOption: !authenticate sudoRunAsUser: root sudoCommand: ALL sudoHost: ALL sudoUser: 800001 EOF
3.4 ppolicy模块
cat<<EOF|ldapmodify -Y EXTERNAL -H ldapi:/// dn: cn=module{0},cn=config changetype: modify add: olcModuleLoad olcModuleLoad: ppolicy.la EOF cat<<EOF|ldapadd -Y EXTERNAL -H ldapi:/// dn: cn=ppolicy,cn=schema,cn=config objectClass: olcSchemaConfig cn: ppolicy olcAttributeTypes: {0}( 1.3.6.1.4.1.42.2.27.8.1.1 NAME 'pwdAttribute' EQUALI TY objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 ) olcAttributeTypes: {1}( 1.3.6.1.4.1.42.2.27.8.1.2 NAME 'pwdMinAge' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121. 1.27 SINGLE-VALUE ) olcAttributeTypes: {2}( 1.3.6.1.4.1.42.2.27.8.1.3 NAME 'pwdMaxAge' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121. 1.27 SINGLE-VALUE ) olcAttributeTypes: {3}( 1.3.6.1.4.1.42.2.27.8.1.4 NAME 'pwdInHistory' EQUALI TY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.1 21.1.27 SINGLE-VALUE ) olcAttributeTypes: {4}( 1.3.6.1.4.1.42.2.27.8.1.5 NAME 'pwdCheckQuality' EQU ALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.11 5.121.1.27 SINGLE-VALUE ) olcAttributeTypes: {5}( 1.3.6.1.4.1.42.2.27.8.1.6 NAME 'pwdMinLength' EQUALI TY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.1 21.1.27 SINGLE-VALUE ) olcAttributeTypes: {6}( 1.3.6.1.4.1.42.2.27.8.1.7 NAME 'pwdExpireWarning' EQ UALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.1 15.121.1.27 SINGLE-VALUE ) olcAttributeTypes: {7}( 1.3.6.1.4.1.42.2.27.8.1.8 NAME 'pwdGraceAuthNLimit' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466 .115.121.1.27 SINGLE-VALUE ) olcAttributeTypes: {8}( 1.3.6.1.4.1.42.2.27.8.1.9 NAME 'pwdLockout' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) olcAttributeTypes: {9}( 1.3.6.1.4.1.42.2.27.8.1.10 NAME 'pwdLockoutDuration' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.146 6.115.121.1.27 SINGLE-VALUE ) olcAttributeTypes: {10}( 1.3.6.1.4.1.42.2.27.8.1.11 NAME 'pwdMaxFailure' EQU ALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.11 5.121.1.27 SINGLE-VALUE ) olcAttributeTypes: {11}( 1.3.6.1.4.1.42.2.27.8.1.12 NAME 'pwdFailureCountInt erval' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4 .1.1466.115.121.1.27 SINGLE-VALUE ) olcAttributeTypes: {12}( 1.3.6.1.4.1.42.2.27.8.1.13 NAME 'pwdMustChange' EQU ALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) olcAttributeTypes: {13}( 1.3.6.1.4.1.42.2.27.8.1.14 NAME 'pwdAllowUserChange ' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) olcAttributeTypes: {14}( 1.3.6.1.4.1.42.2.27.8.1.15 NAME 'pwdSafeModify' EQU ALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) olcAttributeTypes: {15}( 1.3.6.1.4.1.42.2.27.8.1.30 NAME 'pwdMaxRecordedFail ure' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1 .1466.115.121.1.27 SINGLE-VALUE ) olcAttributeTypes: {16}( 1.3.6.1.4.1.4754.1.99.1 NAME 'pwdCheckModule' DESC 'Loadable module that instantiates check_password() function' EQUALITY case ExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) olcObjectClasses: {0}( 1.3.6.1.4.1.4754.2.99.1 NAME 'pwdPolicyChecker' SUP t op AUXILIARY MAY pwdCheckModule ) olcObjectClasses: {1}( 1.3.6.1.4.1.42.2.27.8.2.1 NAME 'pwdPolicy' SUP top AU XILIARY MUST pwdAttribute MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdC heckQuality $ pwdMinLength $ pwdExpireWarning $ pwdGraceAuthNLimit $ pwdLoc kout $ pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $ pwdMu stChange $ pwdAllowUserChange $ pwdSafeModify $ pwdMaxRecordedFailure ) ) EOF
cat<<EOF|ldapmodify -Y EXTERNAL -H ldapi:/// dn: olcOverlay=ppolicy,olcDatabase={2}hdb,cn=config changeType: add objectClass: olcOverlayConfig objectClass: olcPPolicyConfig olcOverlay: ppolicy olcPPolicyDefault: cn=default,ou=ppolicy,dc=example,dc=com olcPPolicyHashCleartext: TRUE EOF cat<<EOF|ldapadd -x -W -D "cn=Manager,dc=example,dc=com" dn: ou=ppolicy,dc=example,dc=com objectClass: organizationalUnit objectClass: top ou: ppolicy EOF cat<<EOF|ldapadd -x -W -D "cn=Manager,dc=example,dc=com" dn: cn=default,ou=ppolicy,dc=example,dc=com cn: default objectClass: top objectClass: device objectClass: pwdPolicy objectClass: pwdPolicyChecker pwdAllowUserChange: TRUE pwdAttribute: userPassword pwdCheckQuality: 2 pwdExpireWarning: 604800 pwdFailureCountInterval: 0 pwdGraceAuthnLimit: 5 pwdInHistory: 5 pwdLockout: TRUE pwdLockoutDuration: 600 pwdMaxAge: 0 pwdMaxFailure: 5 pwdMinAge: 0 pwdMinLength: 8 pwdMustChange: FALSE pwdSafeModify: FALSE pwdCheckModule: check_password.so EOF
4.设置多主镜像同步
4.1设置同步overlay
cat<<EOF|ldapadd -Y EXTERNAL -H ldapi:/// dn: cn=module,cn=config objectClass: olcModuleList cn: module olcModulePath: /usr/lib64/openldap olcModuleLoad: syncprov.la EOF cat<<EOF|ldapadd -Y EXTERNAL -H ldapi:/// dn: cn=config changetype: modify replace: olcLogLevel olcLogLevel: stats dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: syncprov olcSpSessionLog: 100 EOF
4.2在主机1上执行
cat<<EOF|ldapmodify -Y EXTERNAL -H ldapi:/// dn: cn=config changetype: modify replace: olcServerID olcServerID: 0 dn: olcDatabase={2}hdb,cn=config changetype: modify add: olcSyncRepl olcSyncRepl: rid=001 provider=ldap://192.168.137.155:389/ bindmethod=simple binddn="cn=Manager,dc=example,dc=com" credentials=111111 searchbase="dc=example,dc=com" scope=sub schemachecking=on type=refreshAndPersist retry="30 5 300 3" interval=00:00:05:00 - add: olcMirrorMode olcMirrorMode: TRUE dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config changetype: add objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: syncprov EOF
4.3在主机2上
cat<<EOF|ldapmodify -Y EXTERNAL -H ldapi:/// dn: cn=config changetype: modify replace: olcServerID olcServerID: 1 dn: olcDatabase={2}hdb,cn=config changetype: modify add: olcSyncRepl olcSyncRepl: rid=001 provider=ldap://192.168.137.154:389/ bindmethod=simple binddn="cn=Manager,dc=example,dc=com" credentials=111111 searchbase="dc=example,dc=com" scope=sub schemachecking=on type=refreshAndPersist retry="30 5 300 3" interval=00:00:05:00 - add: olcMirrorMode olcMirrorMode: TRUE dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config changetype: add objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: syncprov EOF
4.设置日志
echo "local4.* /var/log/openldap.log">>/etc/rsyslog.conf cat>/etc/logrotate.d/slapd<<EOF /var/log/openldap.log { rotate 14 size 10M missingok compress copytruncate } EOF systemctl restart rsyslog
5. 客户端配置
yum remove -y openldap-clients nss-pam-ldapd yum install -y openldap-clients nss-pam-ldapd authconfig --enablemd5 --enablemkhomedir --enableldap --enableldapauth --ldapserver="192.168.118.140" --ldapbasedn="dc=example,dc=com" --update systemctl restart nslcd id 800001 echo "sudoers: files ldap" >> /etc/nsswitch.conf echo "uri ldap://192.168.118.140/" >> /etc/sudo-ldap.conf echo "base dc=example,dc=com" >> /etc/sudo-ldap.conf echo "sudoers_base ou=SUDOers,dc=example,dc=com" >> /etc/sudo-ldap.conf systemctl restart nslcd sed -i "7i account required pam_access.so" /etc/pam.d/sshd echo "+:ALL:192.168.118.0/24" >> /etc/security/access.conf echo "+:ALL:ALL" >> /etc/security/access.conf
相关文章推荐
- DL,DT,DD,比传统table更语义,解析更快的table列表方式
- Ajax 传统的请求方式和使用AJAX的请求方式区别
- 前端学习总结——CSS布局方式之传统布局
- 18、关于drools Web版本kie-wb传统方式安装
- PushKit和传统长连接方式的比较
- CentOS 7 部署三分赛 车程序出 售(主从复制,传统方式及GTID)
- jsp之获传统方式取后台数据
- SpringBoot、Spring传统方式设置Bean属性对比
- 限流不只是分布式应用的专属,了解下传统应用限流技术的正确打开方式
- iClap专访:颠覆传统办公方式,规范化产品管理系统
- 带checkbox的ListView实现(一)——数据与渲染完全分离的传统实现方式
- 传统语言的编译和执行方式和C#、Java有什么不同?
- 打破传统的页面展示方式
- Java并发01----传统线程中创建线程的两种方式
- 瀑布流布局的两种实现方式:传统多列浮动和绝对定位布局
- 关闭SSH传统密码登陆方式
- 传统应用开发方式和业务驱动开发方式比较
- 传统解析xml的方式
- 传统的创建线程的两种方式
- java多线程之创建线程的两种传统方式