System environment: CentOS 7
slapd version: 2.4.44
Introduction
OpenLDAP is open-source software implementing the Lightweight Directory Access Protocol: it is based on the X.500 standard, runs over TCP/IP, and is used for centralized account management. It provides a complete, secure mechanism for unified account management and uses a client/server architecture.
By default OpenLDAP uses Berkeley DB as its backend database. Berkeley DB is a special kind of database that stores data mainly as hashed records; it is aimed at search, browse and update queries and performs well for data that is written once and then queried and searched many times.
Overall goals
As the number of backend servers grows, the number of accounts grows with it, and unified account management becomes increasingly important. Together with the bastion host, bringing the server account system under LDAP management involves the following main work:
Build an LDAP master/slave pair. Replication is done with syncrepl: roughly, the slave pulls the directory tree from the master, the master handles reads and writes, and the slave is read-only. Both master and slave are also placed behind a load balancer that serves reads;
Bring server accounts into LDAP so that clients can log in to servers over SSH with their LDAP user name and password;
Manage clients' SSH public keys in LDAP so that clients can log in to servers over SSH without a password;
Manage users' sudo privileges on servers through LDAP
OpenLDAP directory structure
There are two kinds: the Internet naming structure and the enterprise naming structure.
Enterprise naming structure
ou=People,dc=xxyd,dc=com
LDAP-related abbreviations:
dn - distinguished name (the entry's unique name, its primary key)
o - organization (company)
ou - organizational unit (department)
c - countryName (country)
dc - domainComponent (component of the domain name)
sn - surname (real name)
cn - common name
OpenLDAP components:
Brief description of each OpenLDAP component:
slapd: the main LDAP server
slurpd: the server responsible for keeping replica LDAP servers in sync
Client programs that operate on a directory over the network; the following two go together:
ldapadd: opens a connection to the LDAP server, binds, then modifies or adds entries
ldapsearch: opens a connection to the LDAP server, binds, and searches with the given parameters
Programs that operate on the database on the local system:
slapadd: adds entries given in LDAP Data Interchange Format (LDIF) to the LDAP database
slapcat: opens the LDAP database and outputs the corresponding entries in LDIF format
Install the server
yum -y install openldap openldap-servers openldap-clients openldap-devel compat-openldap
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown -R ldap.ldap /etc/openldap/
chown -R ldap.ldap /var/lib/ldap/
systemctl start slapd
vi /etc/openldap/ldap.conf
BASE dc=xxyd,dc=com
URI ldap://ldap.xxyd.com
slappasswd
cat /etc/openldap/slapd.conf
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
modulepath /usr/lib64/openldap
moduleload ppolicy.la
TLSCACertificatePath /etc/openldap/certs
TLSCertificateFile "\"OpenLDAP Server\""
TLSCertificateKeyFile /etc/openldap/certs/password
access to attrs=shadowLastChange,userPassword
by self write
by * auth
access to *
by * read
database config
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
by * none
database monitor
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
by dn.exact="cn=admin,dc=xxyd,dc=com" read
by * none
database hdb
suffix "dc=xxyd,dc=com"
checkpoint 1024 15
rootdn "cn=admin,dc=xxyd,dc=com"
rootpw {SSHA}M7S4/DHYIOGx7PsQJFU6kyh00YRCyjhn
directory /var/lib/ldap
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
loglevel 4095
rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
chown -R ldap.ldap /etc/openldap/slapd.d
chown -R ldap.ldap /var/lib/ldap/
systemctl restart slapd
systemctl status slapd
# start at boot
systemctl enable slapd
If slapd fails to start, the following three lines can be removed:
TLSCACertificatePath /etc/openldap/certs
TLSCertificateFile "\"OpenLDAP Server\""
TLSCertificateKeyFile /etc/openldap/certs/password
Install the client
Ubuntu client
apt-get install libpam-ldap nscd
##### The following extra packages will be installed:
##### auth-client-config ldap-auth-client ldap-auth-config libnss-ldap
After installation you are still asked to enter some information:
LDAP server Uniform Resource Identifier
Since I used the same machine, I entered ldap://127.0.0.1:389; the port number is optional.
Note in particular: replace the default ldapi:/// with ldap://
Distinguished name of the search base
This is the root of your directory tree; for example, mine is dc=chenjr,dc=cc
LDAP version to use: 3
Make local root Database admin: Yes
Does the LDAP database require login? No
LDAP account for root:
This is the admin account created when the LDAP server was installed;
mine is cn=admin,dc=xxyd,dc=com
LDAP root account password
# If you make a mistake and need to change a value, you can go through the menu again by issuing this command:
sudo dpkg-reconfigure ldap-auth-config
A few more files need editing. First /etc/nsswitch.conf, which makes changes to user attributes such as passwords made on the Linux system be reflected in LDAP. Add ldap in front of compat on the following three lines:
passwd: ldap compat
group: ldap compat
shadow: ldap compat
With the settings above the system cannot be logged into when the LDAP server is unavailable, so change them to:
passwd: files [UNAVAIL=return] ldap
group: files [UNAVAIL=return] ldap
shadow: files [UNAVAIL=return] ldap
This way local users on the LDAP client are not validated against the LDAP server, so even when the LDAP server is down local users can still log in to the system.
Next, change the PAM configuration: edit /etc/pam.d/common-session and append a line at the end so that a home directory is created the first time a user logs in
session required pam_mkhomedir.so skel=/etc/skel umask=0022
Then edit /etc/pam.d/common-password and delete use_authtok from the following line; this avoids an error from the passwd command that would prevent changing the password
password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass
Then restart the nscd service
sudo /etc/init.d/nscd restart
CentOS client
yum -y install nss-pam-ldapd
vim /etc/nslcd.conf
uri ldap://ldap.xxyd.com
base dc=xxyd,dc=com
ssl no
tls_cacertdir /etc/openldap/cacerts
vim /etc/pam_ldap.conf
base dc=xxyd,dc=com
uri ldap://ldap.xxyd.com
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
vi /etc/pam.d/system-auth
auth sufficient pam_ldap.so try_first_pass
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
password sufficient pam_ldap.so use_authtok
session optional pam_ldap.so
vi /etc/nsswitch.conf
passwd: files ldap
shadow: files ldap
group: files ldap
vi /etc/sysconfig/authconfig
USELDAPAUTH=yes
USELDAP=yes
systemctl restart nslcd
After switching to an LDAP user the prompt is a bare bash-4.2$ (no home directory); this requires adding the following line to /etc/pam.d/system-auth:
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
Adding OpenLDAP users and groups
Two ways:
1. Import with the migrationtools tool
2. Import a custom LDIF file
Import with migrationtools
The open-source migrationtools package reads /etc/passwd, /etc/shadow and /etc/group, generates LDIF files, and updates the database with the ldapadd command to complete the user import.
This method is convenient for importing users and groups that already exist on the system.
# install migrationtools
yum -y install migrationtools
vi /usr/share/migrationtools/migrate_common.ph
$DEFAULT_MAIL_DOMAIN = "xxyd.com";
$DEFAULT_BASE = "dc=xxyd,dc=com";
$EXTENDED_SCHEMA = 1;
# use migrationtools to generate the base LDIF template and the LDIF for system users and groups
cd ~
/usr/share/migrationtools/migrate_base.pl > base.ldif
/usr/share/migrationtools/migrate_passwd.pl /etc/passwd > passwd.ldif
/usr/share/migrationtools/migrate_group.pl /etc/group > group.ldif
### sed -i 's/padl/xxyd/g' *.ldif
Delete unnecessary entries from base.ldif (here I kept only the ou=Group and ou=People items)
Delete unneeded user entries (group.ldif, passwd.ldif)
Import into the OpenLDAP directory tree
ldapadd -x -D "cn=admin,dc=xxyd,dc=com" -W -f ~/base.ldif
ldapadd -x -D "cn=admin,dc=xxyd,dc=com" -W -f ~/passwd.ldif
ldapadd -x -D "cn=admin,dc=xxyd,dc=com" -W -f ~/group.ldif
Custom LDIF import
Import custom user attribute information into OpenLDAP.
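The entries that migrate_passwd.pl and migrate_group.pl produce, and that a custom LDIF file must reproduce, follow a fixed shape. The following added example (not part of this page or of migrationtools) builds the same posixAccount/posixGroup entries from constructed /etc/passwd, /etc/shadow and /etc/group lines, skips system accounts below a chosen uid so that role accounts stay local, and base64-encodes any value that LDIF cannot carry as plain text. BASE, MIN_UID and the sample records are assumptions.

```python
"""Build posixAccount / posixGroup LDIF entries from passwd, shadow and group records.

Added example; reproduces the entry layout that migrate_passwd.pl and
migrate_group.pl emit (and that a hand-written LDIF file must match).
All records below are constructed sample input.
"""
import base64

BASE = "dc=xxyd,dc=com"   # same as $DEFAULT_BASE in migrate_common.ph
MIN_UID = 1000            # assumption: ids below this are local role/system accounts

# Constructed sample lines in /etc/passwd, /etc/shadow and /etc/group format.
PASSWD = """root:x:0:0:root:/root:/bin/bash
test01:x:1001:1001:test01:/home/test01:/bin/bash
"""
SHADOW = """root:$6$rootsalt$constructedroothash:17638:0:99999:7:::
test01:$6$Yu95/zTK$constructedhash:17638:0:99999:7:::
"""
GROUP = """root:x:0:
test01:x:1001:
apps:x:1500:test01
"""


def ldif_line(attr, value):
    """One 'attr: value' line; base64 ('attr:: ') when LDIF's SAFE-STRING rule forbids plain text."""
    unsafe = value == "" or value[0] in " :<" or any(ord(c) > 127 or c in "\r\n\0" for c in value)
    if unsafe:
        return f"{attr}:: {base64.b64encode(value.encode()).decode()}"
    return f"{attr}: {value}"


def _entry(attrs):
    return "\n".join(ldif_line(a, v) for a, v in attrs)


def passwd_to_ldif(passwd, shadow, min_uid=MIN_UID):
    """Return one LDIF entry string per account whose uid >= min_uid."""
    shadow_by_name = {l.split(":")[0]: l.split(":") for l in shadow.splitlines() if l.strip()}
    entries = []
    for line in passwd.splitlines():
        if not line.strip():
            continue
        name, _pw, uid, gid, gecos, home, shell = line.split(":")[:7]
        if int(uid) < min_uid:
            continue
        attrs = [("dn", f"uid={name},ou=People,{BASE}"),
                 ("uid", name), ("cn", gecos or name),
                 ("objectClass", "account"), ("objectClass", "posixAccount"),
                 ("objectClass", "top"), ("objectClass", "shadowAccount"),
                 ("loginShell", shell), ("uidNumber", uid), ("gidNumber", gid),
                 ("homeDirectory", home)]
        sh = shadow_by_name.get(name)
        if sh:
            # shadow fields: name, hash, lastchange, min, max, warn, inactive, expire
            attrs.append(("userPassword", "{crypt}" + sh[1]))
            for field, attr in ((2, "shadowLastChange"), (4, "shadowMax"), (5, "shadowWarning")):
                if sh[field]:
                    attrs.append((attr, sh[field]))
        entries.append(_entry(attrs))
    return entries


def group_to_ldif(group, min_gid=MIN_UID):
    """Return one LDIF entry string per group whose gid >= min_gid."""
    entries = []
    for line in group.splitlines():
        if not line.strip():
            continue
        name, _pw, gid, members = line.split(":")[:4]
        if int(gid) < min_gid:
            continue
        attrs = [("dn", f"cn={name},ou=Group,{BASE}"),
                 ("objectClass", "posixGroup"), ("objectClass", "top"),
                 ("cn", name), ("userPassword", "{crypt}x"), ("gidNumber", gid)]
        attrs += [("memberUid", m) for m in members.split(",") if m]
        entries.append(_entry(attrs))
    return entries


if __name__ == "__main__":
    # The output can be fed to: ldapadd -x -D "cn=admin,dc=xxyd,dc=com" -W -f users.ldif
    print("\n\n".join(passwd_to_ldif(PASSWD, SHADOW) + group_to_ldif(GROUP)))
```

The uid cut-off does in the generator what the manual "delete unneeded user entries" step does in the migrationtools procedure; keeping root and other system accounts out of the directory is what lets them remain authenticated from local files when the LDAP server is unreachable.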
OpenLDAP encrypted transport
By default the OpenLDAP server and client use cleartext for authentication, queries and all other operations. Because transport across the Internet is exposed, a server certificate has to be provided and the configuration files changed to support encrypted transport.
It is strongly recommended to use a wildcard domain when creating the certificate, so that the same certificate can be deployed across multiple IDC sites. For example, a certificate matching *.domain.com, with each IDC using its own domain name:
idc1.domain.com
idc2.domain.com
idc3.domain.com
Deployment then needs only one certificate to cover every IDC, which is quick and convenient.
The client can also be configured with two server addresses; if the first server is unavailable it automatically connects to the second.
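Whether one wildcard certificate really covers every IDC name depends on how the client matches the certificate name against the host it connected to. The added example below (not from this page or from OpenLDAP) applies the RFC 6125 rules, wildcard only as the whole left-most label and matching exactly one label, to the layout recommended above; the certificate names and host names are constructed. It is stricter than some TLS libraries, which also accept partial wildcards such as idc*.domain.com.

```python
"""Check which IDC host names a certificate's names would cover.

Added example, not the page's code: host-name matching per RFC 6125
(wildcard only as the entire left-most label, matching one label only).
The certificate names and host names below are constructed.
"""


def hostname_matches(pattern, hostname):
    """True if a certificate name (possibly '*.domain.com') covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    # The wildcard must be the whole left-most label, there must be at least
    # two labels after it (so '*.com' is rejected), and no other label may
    # contain a wildcard. It matches exactly one label: no sub-subdomains.
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    return len(h_labels) == len(p_labels) and p_labels[1:] == h_labels[1:]


def covered_hosts(cert_names, hostnames):
    """Map each host name to whether any of the certificate's names covers it."""
    return {h: any(hostname_matches(n, h) for n in cert_names) for h in hostnames}


CERT_NAMES = ["*.domain.com"]            # constructed: CN / SAN of the shared certificate
IDC_HOSTS = ["idc1.domain.com", "idc2.domain.com", "idc3.domain.com",
             "ldap.idc4.domain.com",     # one label too deep: NOT covered by *.domain.com
             "domain.com"]               # bare domain: NOT covered either

if __name__ == "__main__":
    for host, ok in covered_hosts(CERT_NAMES, IDC_HOSTS).items():
        print(f"{host:24s} {'covered' if ok else 'NOT covered'}")
```

The name check only protects the connection when the client verifies the server certificate at all, which is what the TLS_CACERT / tls_cacertfile settings in the client sections of this page provide; a client that trusts any certificate never reaches the name comparison. Note also that a host one label deeper than the wildcard (ldap.idc4.domain.com) is not covered, so each IDC's LDAP name must sit directly under the wildcard domain.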
Self-built CA
# install OpenSSL
yum -y install openssl-devel
# the CA generates its own private key
# to keep the CA's private key safe, the key file permissions must be 600
cd /etc/pki/CA
(umask 077;openssl genrsa -out private/cakey.pem 2048)
# the CA issues its own (self-signed) certificate
openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GD
Locality Name (eg, city) [Default City]:SZ
Organization Name (eg, company) [Default Company Ltd]:xxyd.com
Organizational Unit Name (eg, section) []:YW
Common Name (eg, your name or your server's hostname) []:ldap.xxyd.com
Email Address []:976972175@qq.com
touch serial index.txt
echo "01" > serial
# view the root certificate
openssl x509 -noout -text -in /etc/pki/CA/cacert.pem
Integrating OpenLDAP with the CA
Generate the OpenLDAP server certificate and change the configuration to support SSL/TLS session encryption
# generate the OpenLDAP server key
mkdir /etc/openldap/ssl
cd /etc/openldap/ssl
(umask 077;openssl genrsa -out ldapkey.pem 1024)
# the OpenLDAP server creates a certificate signing request for the CA
openssl req -new -key ldapkey.pem -out ldap.csr -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GD
Locality Name (eg, city) [Default City]:SZ
Organization Name (eg, company) [Default Company Ltd]:xxyd.com
Organizational Unit Name (eg, section) []:YW
Common Name (eg, your name or your server's hostname) []:ldap.xxyd.com
Email Address []:976972175@qq.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# the CA verifies the request and issues the certificate
openssl ca -in ldap.csr -out ldapcert.pem -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Apr 25 08:18:45 2018 GMT
Not After : Apr 22 08:18:45 2028 GMT
Subject:
countryName = CN
stateOrProvinceName = GD
organizationName = xxyd.com
organizationalUnitName = YW
commonName = ldap.xxyd.com
emailAddress = 976972175@qq.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
C9:0D:16:5C:91:04:27:E9:96:F4:60:6A:B9:ED:70:16:08:0A:96:32
X509v3 Authority Key Identifier:
keyid:CC:5A:C4:57:70:52:C0:67:D3:F3:BF:A6:3B:01:31:3C:7F:8D:07:66
Certificate is to be certified until Apr 22 08:18:45 2028 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
OpenLDAP TLS/SASL deployment
cp /etc/pki/CA/cacert.pem /etc/openldap/ssl/
chown -R ldap.ldap /etc/openldap/ssl/*
chmod -R 0400 /etc/openldap/ssl/*
vi /etc/openldap/slapd.conf
# TLSCACertificatePath /etc/openldap/certs
# TLSCertificateFile "\"OpenLDAP Server\""
# TLSCertificateKeyFile /etc/openldap/certs/password
TLSCACertificateFile /etc/openldap/ssl/cacert.pem
TLSCertificateFile /etc/openldap/ssl/ldapcert.pem
TLSCertificateKeyFile /etc/openldap/ssl/ldapkey.pem
TLSVerifyClient never
vi /etc/sysconfig/slapd
SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"
SLAPD_LDAP=yes
SLAPD_LDAPI=yes
SLAPD_LDAPS=yes
rm -rf /etc/openldap/slapd.d/*
slaptest -u
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
chown -R ldap.ldap /etc/openldap/slapd.d/
service slapd restart
ss -lnp |grep 636
# verify the OpenLDAP server certificate against the CA certificate
# openssl verify -CAfile /etc/pki/CA/cacert.pem /etc/openldap/ssl/ldapcert.pem
/etc/openldap/ssl/ldapcert.pem: OK
# confirm that the listening socket passes CA verification
# openssl s_client -connect ldap.xxyd.com:636 -showcerts -state -CAfile /etc/openldap/ssl/cacert.pem
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 C = CN, ST = GD, L = SZ, O = xxyd.com, OU = YW, CN = ldap.xxyd.com, emailAddress = 976972175@qq.com
verify return:1
depth=0 C = CN, ST = GD, O = xxyd.com, OU = YW, CN = ldap.xxyd.com, emailAddress = 976972175@qq.com
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
---
Certificate chain
0 s:/C=CN/ST=GD/O=xxyd.com/OU=YW/CN=ldap.xxyd.com/emailAddress=976972175@qq.com
i:/C=CN/ST=GD/L=SZ/O=xxyd.com/OU=YW/CN=ldap.xxyd.com/emailAddress=976972175@qq.com
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
1 s:/C=CN/ST=GD/L=SZ/O=xxyd.com/OU=YW/CN=ldap.xxyd.com/emailAddress=976972175@qq.com
i:/C=CN/ST=GD/L=SZ/O=xxyd.com/OU=YW/CN=ldap.xxyd.com/emailAddress=976972175@qq.com
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
---
Server certificate
subject=/C=CN/ST=GD/O=xxyd.com/OU=YW/CN=ldap.xxyd.com/emailAddress=976972175@qq.com
issuer=/C=CN/ST=GD/L=SZ/O=xxyd.com/OU=YW/CN=ldap.xxyd.com/emailAddress=976972175@qq.com
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2213 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 55054DE6A2BDA0AB00F94966542DF551E357F9B3F07B5B6F1DD3567D0CBEE311
Session-ID-ctx:
Master-Key: 1E1248619CC913A090967862C855CD9F43299DFE60A52D8BFBB515A8C6C01A74DD2E2E939C97B5414C1DA0A05FC16D2A
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1524647608
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
# OpenLDAP slave server deployment
Copy cacert.pem, ldapcert.pem and ldapkey.pem to /etc/openldap/ssl/
chown -R ldap.ldap /etc/openldap/ssl/*
chmod -R 0400 /etc/openldap/ssl/*
vi /etc/openldap/slapd.conf
# TLSCACertificatePath /etc/openldap/certs
# TLSCertificateFile "\"OpenLDAP Server\""
# TLSCertificateKeyFile /etc/openldap/certs/password
TLSCACertificateFile /etc/openldap/ssl/cacert.pem
TLSCertificateFile /etc/openldap/ssl/ldapcert.pem
TLSCertificateKeyFile /etc/openldap/ssl/ldapkey.pem
TLSVerifyClient never
vi /etc/sysconfig/slapd
SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"
SLAPD_LDAP=yes
SLAPD_LDAPI=yes
SLAPD_LDAPS=yes
rm -rf /etc/openldap/slapd.d/*
slaptest -u
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
chown -R ldap.ldap /etc/openldap/slapd.d/
service slapd restart
ss -lnp |grep 636
Client deployment
Isolating the platform from failures of basic components
Fortunately the OpenLDAP client configuration file supports the nss_initgroups_ignoreusers setting. That is, role accounts (root, service, oracle, read_only and so on) can be excluded from OpenLDAP lookups and authenticated directly against local files. Personal accounts and their privileges are maintained in OpenLDAP, while role accounts are maintained in the servers' passwd and shadow files.
Ubuntu client
# rsync -azP ldap.xxyd.com:/etc/pki/CA/cacert.pem /etc/ldap/ssl/
# vi /etc/ldap.conf
base dc=xxyd,dc=com
uri ldaps://ldap.xxyd.com
#ssl start_tls
#ssl no
ssl on
## nss_initgroups_ignoreusers: local users that are never looked up in LDAP
nss_initgroups_ignoreusers root,daemon,bin,sys,sync,mail,nobody,syslog,sshd
# vi /etc/ldap/ldap.conf
BASE dc=xxyd,dc=com
URI ldaps://ldap.xxyd.com
TLS_CACERT /etc/ldap/ssl/cacert.pem
#TLS_CACERT /etc/ssl/certs/ca-certificates.crt
/etc/init.d/nscd restart
CentOS client
rsync -azP ldap.xxyd.com:/etc/pki/CA/cacert.pem /etc/openldap/cacerts/
vi /etc/openldap/ldap.conf
URI ldaps://ldap.xxyd.com/
## nss_initgroups_ignoreusers: local users that are never looked up in LDAP
nss_initgroups_ignoreusers root,daemon,bin,operator,sync,mail,nobody,adm,sshd
vi /etc/pam_ldap.conf
# ssl start_tls
# ssl no
uri ldaps://ldap.xxyd.com/
ssl on
vi /etc/nslcd.conf
# ssl no
uri ldaps://ldap.xxyd.com/
ssl on
tls_cacertfile /etc/openldap/cacerts/cacert.pem
service nslcd restart
# test from the client that the SSL connection works
# yum -y install openldap-clients
# ldapwhoami -v -x -Z
ldap_initialize( <DEFAULT> )
ldap_start_tls: Operations error (1)
additional info: TLS already started
anonymous
Result: Success (0)
# verify an LDAP user's password
# ldapwhoami -D "uid=test01,ou=People,dc=xxyd,dc=com" -W -H ldaps://ldap.xxyd.com -v
ldap_initialize( ldaps://ldap.xxyd.com:636/??base )
Enter LDAP Password:
dn:uid=test01,ou=People,dc=xxyd,dc=com
Result: Success (0)
# run getent on the client to check that account information can be retrieved
# getent passwd test01
test01:x:1001:1001:test01:/home/test01:/bin/bash
sudo privilege control
cp /usr/share/doc/sudo-1.8.6p7/schema.OpenLDAP /etc/openldap/schema/sudo.schema
vi /etc/openldap/slapd.conf
include /etc/openldap/schema/sudo.schema
rm -rf /etc/openldap/slapd.d/*
slaptest -u
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
chown -R ldap.ldap /etc/openldap/slapd.d/
service slapd restart
# add sudo entries according to actual needs
# cat ~/sudoers.ldif
dn: ou=sudoers,dc=xxyd,dc=com
objectClass: top
objectClass: organizationalUnit
ou: sudoers
dn: cn=defaults,ou=sudoers,dc=xxyd,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: requiretty
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset
sudoOption: env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
sudoOption: env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
sudoOption: env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
sudoOption: env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
sudoOption: env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
sudoOption: secure_path = /sbin:/bin:/usr/sbin:/usr/bin
sudoOrder: 1
dn: cn=%apps,ou=sudoers,dc=xxyd,dc=com
objectClass: top
objectClass: sudoRole
cn: %apps
sudoUser: %apps
sudoHost: ALL
sudoRunAsUser: %apps
sudoCommand: /bin/kill
sudoCommand: /usr/bin/nohup
sudoCommand: /usr/bin/vi
sudoCommand: /bin/cp
sudoCommand: /bin/mv
sudoCommand: /bin/ln
sudoCommand: /bin/mkdir
sudoOption: !authenticate
sudoOrder: 2
dn: cn=%www-data,ou=sudoers,dc=xxyd,dc=com
objectClass: top
objectClass: sudoRole
cn: %www-data
sudoUser: %www-data
sudoHost: ALL
sudoRunAsUser: %www-data
sudoCommand: /bin/kill
sudoCommand: /usr/bin/nohup
sudoCommand: /usr/bin/vi
sudoCommand: /bin/cp
sudoCommand: /bin/mv
sudoCommand: /bin/ln
sudoCommand: /bin/mkdir
sudoCommand: /usr/bin/rsync
sudoOption: !authenticate
sudoOrder: 3
# ldapadd -x -D "cn=admin,dc=xxyd,dc=com" -W -f ~/sudoers.ldif
Enter LDAP Password:
adding new entry "ou=sudoers,dc=xxyd,dc=com"
adding new entry "cn=defaults,ou=sudoers,dc=xxyd,dc=com"
adding new entry "cn=%apps,ou=sudoers,dc=xxyd,dc=com"
adding new entry "cn=%www-data,ou=sudoers,dc=xxyd,dc=com"
## add a supplementary group for user test01
# cat add_apps.ldif
dn: cn=apps,ou=Group,dc=xxyd,dc=com
objectClass: posixGroup
objectClass: top
cn: apps
userPassword: {crypt}x
gidNumber: 1500
memberUid: test01
dn: uid=apps,ou=People,dc=xxyd,dc=com
uid: apps
cn: apps
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1500
gidNumber: 1500
homeDirectory: /home/apps
# ldapadd -x -D "cn=admin,dc=xxyd,dc=com" -W -f add_apps.ldif
Enter LDAP Password:
adding new entry "cn=apps,ou=Group,dc=xxyd,dc=com"
adding new entry "uid=apps,ou=People,dc=xxyd,dc=com"
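How sudo-ldap turns these entries into the privileges that `sudo -l` reports can be followed in code. The added example below, not sudo's own matching logic, parses a constructed copy of sudoers.ldif (abbreviated to a few commands) and the apps group membership added above, then evaluates sudoUser, sudoHost, sudoCommand and the !authenticate option in sudoOrder sequence. User names, %group and ALL are handled; netgroups, wildcard hosts and command arguments are not. Function and constant names are assumptions.

```python
"""Resolve what sudo-ldap would grant a user from sudoRole entries.

Added example, not sudo's own code. Input is a constructed, abbreviated
copy of the sudoers.ldif shown above plus constructed group membership.
"""

SUDOERS_LDIF = """\
dn: cn=defaults,ou=sudoers,dc=xxyd,dc=com
objectClass: sudoRole
cn: defaults
sudoOption: requiretty
sudoOption: !visiblepw
sudoOption: env_reset
sudoOrder: 1

dn: cn=%apps,ou=sudoers,dc=xxyd,dc=com
objectClass: sudoRole
cn: %apps
sudoUser: %apps
sudoHost: ALL
sudoRunAsUser: %apps
sudoCommand: /bin/kill
sudoCommand: /usr/bin/nohup
sudoCommand: /bin/mkdir
sudoOption: !authenticate
sudoOrder: 2

dn: cn=%www-data,ou=sudoers,dc=xxyd,dc=com
objectClass: sudoRole
cn: %www-data
sudoUser: %www-data
sudoHost: ALL
sudoRunAsUser: %www-data
sudoCommand: /usr/bin/rsync
sudoOption: !authenticate
sudoOrder: 3
"""

# Constructed group membership: cn=apps carries memberUid: test01 above.
GROUPS = {"apps": {"test01"}, "www-data": {"www"}}


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, multi-valued attributes."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        attr, value = line.split(": ", 1)
        current.setdefault(attr, []).append(value)
    return entries


def user_matches(spec, user, groups):
    """sudoUser: 'ALL', a user name, or '%group' (member of that group)."""
    if spec == "ALL":
        return True
    if spec.startswith("%"):
        return user in groups.get(spec[1:], set())
    return spec == user


def host_matches(spec, host):
    """sudoHost: 'ALL' or an exact host name (netgroups/wildcards not modelled)."""
    return spec == "ALL" or spec.lower() == host.lower()


def sudo_privileges(user, host, ldif=SUDOERS_LDIF, groups=GROUPS):
    """Return (defaults, rules); each rule is (runas, nopasswd, commands), in sudoOrder."""
    roles = [e for e in parse_ldif(ldif) if "sudoRole" in e.get("objectClass", [])]
    roles.sort(key=lambda e: float(e.get("sudoOrder", ["0"])[0]))
    defaults, rules = [], []
    for role in roles:
        if role["cn"][0] == "defaults":          # cn=defaults holds global sudoOptions
            defaults.extend(role.get("sudoOption", []))
            continue
        if not any(user_matches(u, user, groups) for u in role.get("sudoUser", [])):
            continue
        if not any(host_matches(h, host) for h in role.get("sudoHost", ["ALL"])):
            continue
        runas = ", ".join(role.get("sudoRunAsUser", ["root"]))
        nopasswd = "!authenticate" in role.get("sudoOption", [])   # shown as NOPASSWD
        rules.append((runas, nopasswd, role.get("sudoCommand", [])))
    return defaults, rules


def may_run(user, host, command, **kw):
    """True if some matching rule lists the command (or ALL)."""
    _, rules = sudo_privileges(user, host, **kw)
    return any(command in cmds or "ALL" in cmds for _, _, cmds in rules)


if __name__ == "__main__":
    defaults, rules = sudo_privileges("test01", "web01")
    print("Defaults:", ", ".join(defaults))
    for runas, nopasswd, cmds in rules:
        print(f"({runas}) {'NOPASSWD: ' if nopasswd else ''}{', '.join(cmds)}")
```

Run for test01 this prints the same "(%apps) NOPASSWD: /bin/kill, ..." line that the `sudo -l` test further down shows, and nothing from the %www-data role, because group membership (here the memberUid values of cn=apps) is what decides which sudoRole entries apply.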
Client
CentOS client
authconfig --enableldap --enableldapauth --enablemkhomedir --enableforcelegacy --disablesssd --disablesssdauth --disableldaptls --enablelocauthorize --ldapserver=ldap.xxyd.com --ldapbasedn="dc=xxyd,dc=com" --enableshadow --update
vi /etc/nsswitch.conf
sudoers: ldap files
vi /etc/sudo-ldap.conf
uri ldaps://ldap.xxyd.com/
base dc=xxyd,dc=com
SUDOERS_BASE ou=sudoers,dc=xxyd,dc=com
vi /etc/pam_ldap.conf
uri ldaps://ldap.xxyd.com/
service nslcd restart
Ubuntu client
# export SUDO_FORCE_REMOVE=yes
# apt-get install sudo-ldap
# ls -lh /etc/sudo-ldap.conf
lrwxrwxrwx 1 root root 14 Apr 28 01:22 /etc/sudo-ldap.conf -> ldap/ldap.conf
# vi /etc/ldap/ldap.conf
SUDOERS_BASE ou=sudoers,dc=xxyd,dc=com
# echo "sudoers: ldap files" >> /etc/nsswitch.conf
# service nscd restart
# test
# su - test01
$ sudo -l
匹配此主機上 test01 的默認條目:
requiretty, !visiblepw, always_set_home, env_reset, env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
LC_MESSAGES", env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS
_XKB_CHARSET XAUTHORITY", secure_path = /sbin:/bin:/usr/sbin:/usr/bin, !visiblepw, always_set_home, env_reset, env_keep="COLORS
DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER
LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
用戶 test01 可以在該主機上運行以下命令:
(%apps) NOPASSWD: /bin/kill, /usr/bin/nohup, /usr/bin/vi, /bin/cp, /bin/mv, /bin/ln, /bin/mkdir
# Note: some command paths differ between Ubuntu and CentOS, e.g. vi
Password policy
vi /etc/openldap/slapd.conf
include /etc/openldap/schema/ppolicy.schema
moduleload ppolicy.la
overlay ppolicy
# password hashing scheme; without this line passwords are stored in cleartext
password-hash {SSHA}
# cleartext passwords sent in Add and Modify operations must be hashed before being stored in the database
ppolicy_hash_cleartext
ppolicy_use_lockout
# default password control policy
ppolicy_default "cn=default,ou=policies,dc=xxyd,dc=com"
rm -rf /etc/openldap/slapd.d/*
# slaptest -u
config file testing succeeded
# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
config file testing succeeded
chown -R ldap.ldap /etc/openldap/slapd.d/
service slapd restart
# reference: /root/openldap-2.4.44/servers/slapd/schema/ppolicy.ldif
# define the default password policy
# cat policy.ldif
dn: ou=policies, dc=xxyd,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Policies
dn: cn=default, ou=policies, dc=xxyd,dc=com
objectClass: top
objectClass: person
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdLockoutDuration: 15
pwdInHistory: 6
pwdCheckQuality: 2
pwdExpireWarning: 1296000
pwdMaxAge: 15552000
pwdMinLength: 8
pwdGraceAuthNLimit: 3
pwdAllowUserChange: TRUE
pwdMustChange: TRUE
pwdMaxFailure: 3
pwdFailureCountInterval: 86400
pwdSafeModify: TRUE
pwdLockout: TRUE
sn: dummy value
# password policy annotations
pwdLockout: whether account lockout is enabled
pwdMaxFailure: maximum number of failed passwords; beyond it the account is locked
pwdLockoutDuration: how long the account stays locked (in seconds); the default 0 means the account cannot be accessed
pwdInHistory: number of passwords kept in the password history
pwdCheckQuality: password quality checking; 0 = no check, 1 and 2 = check
pwdExpireWarning: password expiry warning period, in seconds
pwdMaxAge: password validity period, in seconds
pwdMinLength: minimum password length
pwdGraceAuthNLimit: grace logins allowed after the password has expired
pwdAllowUserChange: whether users may change their own password
pwdLockout: whether the account is locked once the number of invalid attempts defined by pwdMaxFailure is exceeded
pwdMustChange: whether the user must change the password after an administrator resets a locked account
pwdMaxFailure: maximum number of consecutive failed password attempts allowed
pwdFailureCountInterval: time after which the failure count is reset
pwdSafeModify: whether the user must send the current password during a password change
# ldapadd -x -D "cn=admin,dc=xxyd,dc=com" -W -f policy.ldif
Enter LDAP Password:
adding new entry "ou=policies, dc=xxyd, dc=com"
adding new entry "cn=default, ou=policies, dc=xxyd, dc=com"
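The interplay between the attributes just described is easier to see on concrete account state. The added example below, not the ppolicy overlay's own code, takes the cn=default values from policy.ldif and constructed operational attributes of an account (pwdChangedTime, pwdFailureTime, pwdAccountLockedTime, pwdGraceUseTime, the ones ldapsearch "+" returns) and reports whether the account is locked, in its warning window, or expired, and whether a bind with the correct password would still succeed. POLICY, FRESH and LOCKED are assumed names holding constructed data.

```python
"""Evaluate cn=default's ppolicy attributes against an account's state.

Added example; it is not the ppolicy overlay's code but applies the
attribute semantics listed above to constructed operational attributes
(the ones ldapsearch '+' returns) and reports what a bind would see.
"""
from datetime import datetime, timedelta, timezone

# Values taken from the cn=default entry in policy.ldif above.
POLICY = {
    "pwdMaxAge": 15552000,           # 180 days
    "pwdExpireWarning": 1296000,     # 15 days before expiry
    "pwdGraceAuthNLimit": 3,
    "pwdMaxFailure": 3,
    "pwdFailureCountInterval": 86400,
    "pwdLockoutDuration": 15,
    "pwdLockout": True,
}


def gtime(s):
    """Parse an LDAP GeneralizedTime such as 20180426095747Z."""
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def evaluate(policy, account, now):
    """Return {locked, expired, grace_left, warning_seconds, failures_counted}."""
    result = {"locked": False, "expired": False, "grace_left": None,
              "warning_seconds": None, "failures_counted": 0}

    # Only failures inside pwdFailureCountInterval count towards pwdMaxFailure.
    window = now - timedelta(seconds=policy["pwdFailureCountInterval"])
    recent = [t for t in account.get("pwdFailureTime", []) if gtime(t) > window]
    result["failures_counted"] = len(recent)

    # pwdAccountLockedTime is set when pwdMaxFailure is reached; the lock lasts
    # pwdLockoutDuration seconds (0 would mean: until an administrator resets it).
    locked_at = account.get("pwdAccountLockedTime")
    if policy["pwdLockout"] and locked_at:
        dur = policy["pwdLockoutDuration"]
        result["locked"] = dur == 0 or now < gtime(locked_at) + timedelta(seconds=dur)
    elif policy["pwdLockout"] and len(recent) >= policy["pwdMaxFailure"]:
        result["locked"] = True

    # Expiry is pwdChangedTime + pwdMaxAge; inside pwdExpireWarning of it a
    # warning is returned; after it only pwdGraceAuthNLimit more binds succeed.
    expires = gtime(account["pwdChangedTime"]) + timedelta(seconds=policy["pwdMaxAge"])
    if now >= expires:
        result["expired"] = True
        used = len(account.get("pwdGraceUseTime", []))
        result["grace_left"] = max(policy["pwdGraceAuthNLimit"] - used, 0)
    elif now >= expires - timedelta(seconds=policy["pwdExpireWarning"]):
        result["warning_seconds"] = int((expires - now).total_seconds())
    return result


def bind_allowed(policy, account, now):
    """Would a bind with the correct password still be accepted?"""
    r = evaluate(policy, account, now)
    if r["locked"]:
        return False
    return r["grace_left"] > 0 if r["expired"] else True


# Constructed account states; pwdChangedTime matches the ldapsearch output above.
FRESH = {"pwdChangedTime": "20180426095747Z"}
LOCKED = {"pwdChangedTime": "20180426095747Z",
          "pwdFailureTime": ["20180501100000Z", "20180501100005Z", "20180501100010Z"],
          "pwdAccountLockedTime": "20180501100010Z"}

if __name__ == "__main__":
    now = gtime("20180501100012Z")
    for name, acct in (("fresh", FRESH), ("locked", LOCKED)):
        print(name, evaluate(POLICY, acct, now), "bind allowed:", bind_allowed(POLICY, acct, now))
```

With the values in policy.ldif the lock after three failures lasts only pwdLockoutDuration = 15 seconds, so the lockout slows down guessing rather than disabling the account; the failure counter itself is forgotten after pwdFailureCountInterval (one day).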
# define a user that is subject to the specified password policy
# cat test02.ldif
dn: cn=test02,ou=Group,dc=xxyd,dc=com
objectClass: posixGroup
objectClass: top
cn: test02
userPassword: {crypt}x
gidNumber: 1002
dn: uid=test02,ou=People,dc=xxyd,dc=com
uid: test02
cn: test02
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$6$Yu95/zTK$g/nCoExrQwlf80a8Gc0VxMNzkJWa7icUVinFWwEjPBad/KhCNDs81hUVCYA7vV/dJdw7.zSBu2Yz.F0gVJH0a/
shadowLastChange: 17638
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1002
gidNumber: 1002
homeDirectory: /home/test02
pwdPolicySubentry: cn=default,ou=policies,dc=xxyd,dc=com
Requiring a password change at login
To improve password security, users are generally required to change their initial password.
There are two ways: the user changes it with the passwd command after logging in, or the user is prompted to change the initial password when logging in to the system and cannot log in otherwise.
The second is recommended.
For the password control policy to take effect, the pwdReset attribute and value must be added to the user's attributes; otherwise it does not take effect.
# cat << EOF |ldapadd -x -D "cn=admin,dc=xxyd,dc=com" -W
dn: uid=test02,ou=People,dc=xxyd,dc=com
changetype: modify
replace: pwdReset
pwdReset: TRUE
EOF
# view the user's policy information
# pwdReset is an operational (hidden) attribute; ldapsearch does not return operational attributes by default, and adding "+" includes them in the query
# ldapsearch -x -LLL uid=test02 +
dn: uid=test02,ou=People,dc=xxyd,dc=com
pwdPolicySubentry: cn=default,ou=policies,dc=xxyd,dc=com
structuralObjectClass: account
entryUUID: 0fc49c74-dd83-1037-8006-65040a056c63
creatorsName: cn=admin,dc=xxyd,dc=com
createTimestamp: 20180426095056Z
pwdChangedTime: 20180426095747Z
pwdHistory: 20180426095747Z#1.3.6.1.4.1.1466.115.121.1.40#105#{crypt}$6$Yu95/z
TK$g/nCoExrQwlf80a8Gc0VxMNzkJWa7icUVinFWwEjPBad/KhCNDs81hUVCYA7vV/dJdw7.zSBu2
Yz.F0gVJH0a/
pwdReset: TRUE
entryCSN: 20180426095747.741644Z#000000#000#000000
modifiersName: uid=test02,ou=People,dc=xxyd,dc=com
modifyTimestamp: 20180426095747Z
entryDN: uid=test02,ou=People,dc=xxyd,dc=com
subschemaSubentry: cn=Subschema
hasSubordinates: FALSE
Client configuration
CentOS client
vi /etc/pam_ldap.conf
bind_policy soft
pam_password md5
pam_lookup_policy yes
pam_password clear_remove_old
service nslcd restart
# ssh test02@10.1.101.116
test02@10.1.101.116's password:
You are required to change your LDAP password immediately.
Creating directory '/home/test02'.
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user test02.
Enter login(LDAP) password:
New password:
Retype new password:
LDAP password information changed for test02
passwd: all authentication tokens updated successfully.
Ubuntu client
vi /etc/pam_ldap.conf
bind_policy soft
pam_password md5
pam_lookup_policy yes
pam_password clear_remove_old
service nscd restart
Password audit control
# cat << EOF | ldapadd -Y EXTERNAL -H ldapi:///
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: {1}auditlog
dn: olcOverlay=auditlog,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcAuditLogConfig
olcOverlay: auditlog
olcAuditlogFile: /var/log/slapd/auditlog.log
EOF
mkdir /var/log/slapd
chown -R ldap.ldap /var/log/slapd
service slapd restart
Logging
vi /etc/openldap/slapd.conf
loglevel 0x80 0x1
logfile /var/log/slapd/slapd.log
rm -rf /etc/openldap/slapd.d/*
slaptest -u
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
chown -R ldap.ldap /etc/openldap/slapd.d/
service slapd restart
mkdir /var/log/slapd/
chown -R ldap.ldap /var/log/slapd/
# vi /etc/logrotate.d/ldap
/var/log/slapd/slapd.log {
prerotate
/usr/bin/chattr -a /var/log/slapd/slapd.log
endscript
compress
delaycompress
notifempty
rotate 100
size 10M
postrotate
/usr/bin/chattr +a /var/log/slapd/slapd.log
endscript
}
vi /etc/rsyslog.conf
local4.* /var/log/slapd/slapd.log
service rsyslog restart
ssh public key
Server side
yum -y install openssh-ldap
cp /usr/share/doc/openssh-ldap-7.4p1/openssh-lpk-openldap.schema /etc/openldap/schema/
rm -rf /etc/openldap/slapd.d/*
slaptest -u
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
chown -R ldap.ldap /etc/openldap/slapd.d/
service slapd restart
# add a test account
# cat test03.ldif
dn: cn=test03,ou=Group,dc=xxyd,dc=com
objectClass: posixGroup
objectClass: top
cn: test03
userPassword: {crypt}x
gidNumber: 1003
dn: uid=test03,ou=People,dc=xxyd,dc=com
uid: test03
cn: test03
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: ldapPublicKey
userPassword: {crypt}$6$Yu95/zTK$g/nCoExrQwlf80a8Gc0VxMNzkJWa7icUVinFWwEjPBad/KhCNDs81hUVCYA7vV/dJdw7.zSBu2Yz.F0gVJH0a/
shadowLastChange: 17638
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1003
gidNumber: 1003
homeDirectory: /home/test03
pwdPolicySubentry: cn=default,ou=policies,dc=xxyd,dc=com
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIBZpJc0dfiPsHlfPNEJBUqhCGZX2wGabxklz09ptnriLoCh9AeYj39suHPptTZDAGiOn8JxrdYK4SubEby9WdQ/t2kVE60Bytw+Jyc2YjEhVb1iJinMd1sdck7O3YBDJoCt0WTf7USAQE7e1oH54kDCPQcPozid7AjbrF2mzxnFpQ== rsa-key-20101209
# ldapadd -x -D "cn=admin,dc=xxyd,dc=com" -W -f test03.ldif
Enter LDAP Password:
adding new entry "cn=test03,ou=Group,dc=xxyd,dc=com"
adding new entry "uid=test03,ou=People,dc=xxyd,dc=com"
Client
CentOS client
yum -y install openssh-ldap
# vi /etc/ssh/ldap.conf
URI ldaps://ldap.xxyd.com/
BASE dc=xxyd,dc=com
ssl on
# vi /etc/ssh/sshd_config
AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper
AuthorizedKeysCommandRunAs nobody
# vi /usr/libexec/openssh/ssh-ldap-wrapper
#!/bin/bash
# get configuration from /etc/ldap.conf
for x in $(sed -n 's/^\([a-zA-Z_]*\) \(.*\)$/\1="\2"/p' /etc/ldap.conf); do
    eval $x;
done
# local users (nss_initgroups_ignoreusers) are not looked up in LDAP:
# exit only when the requested user is in that list
USER=$1
for user in `echo $nss_initgroups_ignoreusers|sed 's/,/ /g'`; do
    if [ "$user" == "$USER" ]; then
        exit
    fi
done
exec /usr/libexec/openssh/ssh-ldap-helper -s "$USER"
# service sshd restart
# grep test03 /var/log/secure
Apr 27 15:15:37 new sshd[31926]: Accepted publickey for test03 from xx.xx.xx.xx port 6658 ssh2
Apr 27 15:15:37 new sshd[31926]: pam_unix(sshd:session): session opened for user test03 by (uid=0)
Ubuntu client
# Upgrade OpenSSH (version 6.2 or later is required)
## set up a telnet server
# apt-get install openbsd-inetd telnetd
# vi /etc/inetd.conf
telnet stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.telnetd
# vi /etc/securetty
# Telnet
pts/0
pts/1
pts/2
# restrict telnet login IPs: only allow the specified (trusted) IP range to log in
# vi /etc/hosts.deny
in.telnetd:ALL EXCEPT 192.168.0.0/24
service openbsd-inetd restart
# log in over telnet to upgrade the OpenSSH version
telnet x.x.x.x
cp /etc/init.d/ssh /root/ssh.old
cp -r /etc/ssh /root/
cp /etc/pam.d/sshd /root/
grep sshd /etc/passwd | head -1 | awk -F: '{print $1,$3,$4,$6,$7}' > /root/ssh_user
# uninstall the old OpenSSH version; before uninstalling, confirm that telnet login works, and perform the following steps logged in over telnet
apt-get -y purge openssh-client openssh-server
apt-get -y install zlib1g-dev libssl-dev libpam0g-dev make
## install OpenSSH 7.2
wget https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/openssh-7.2p2.tar.gz
useradd -u `awk '{print $2}' /root/ssh_user` -g `awk '{print $3}' /root/ssh_user` -d `awk '{print $4}' /root/ssh_user` -s `awk '{print $5}' /root/ssh_user` sshd
tar zxvf openssh-7.2p2.tar.gz
cd openssh-7.2p2/
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-zlib --with-md5-passwords --with-pam --with-tcp-wrappers
make &&make install
# ssh -V
OpenSSH_7.2p2, OpenSSL 1.0.1 14 Mar 2012
# cat > /etc/ssh/sshd_config << EOF
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 1024
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PasswordAuthentication yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
AuthorizedKeysCommand /etc/ssh/ldap-keys.sh
AuthorizedKeysCommandUser nobody
EOF
# cat > /etc/ssh/ssh_config <<EOF
Host *
SendEnv LANG LC_*
HashKnownHosts yes
#GSSAPIAuthentication yes
#GSSAPIDelegateCredentials no
EOF
### 7.2 does not support the GSSAPI options
/etc/ssh/ssh_config line 4: Unsupported option "gssapiauthentication"
/etc/ssh/ssh_config line 5: Unsupported option "gssapidelegatecredentials"
###
cat > /etc/pam.d/sshd << EOF
@include common-auth
account required pam_nologin.so
@include common-account
@include common-session
session optional pam_motd.so # [1]
session optional pam_mail.so standard noenv # [1]
session required pam_limits.so
session required pam_env.so # [1]
session required pam_env.so user_readenv=1 envfile=/etc/default/locale
@include common-password
EOF
apt-get -y install ldap-utils
vi /etc/ssh/ldap-keys.sh
#!/bin/bash
# get configuration from /etc/ldap.conf
for x in $(sed -n 's/^\([a-zA-Z_]*\) \(.*\)$/\1="\2"/p' /etc/ldap.conf); do
eval $x;
done
# local users (nss_initgroups_ignoreusers) are not looked up in LDAP
for USER in `echo $nss_initgroups_ignoreusers|sed 's/,/ /g'`; do
    if [ "$USER" == "$1" ]; then
        exit
    fi
done
OPTIONS=
case "$ssl" in
start_tls)
case "$tls_checkpeer" in
no) OPTIONS+="-Z";;
*) OPTIONS+="-ZZ";;
esac;;
esac
# ldap user search ldap sshPublicKey
ldapsearch $OPTIONS -H ${uri} -w "${bindpw}" -D "${binddn}" -b "${base}" '(&(objectClass=posixAccount)(uid='"$1"'))' 'sshPublicKey' \
| sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp'
chmod +x /etc/ssh/ldap-keys.sh
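The script above does three things: reads the client settings, short-circuits for local accounts, and extracts sshPublicKey values from the folded LDIF that ldapsearch returns. The added example below reproduces that logic in Python (it is not this page's ldap-keys.sh) against a constructed ldap.conf and a constructed ldapsearch result, so it runs without a directory server; it also escapes the user name before placing it in the search filter. The function and constant names are assumptions.

```python
"""Python model of the AuthorizedKeysCommand helper (added example, not ldap-keys.sh itself).

Steps: read key/value settings from an ldap.conf-style file, return no keys for
accounts listed in nss_initgroups_ignoreusers, build the ldapsearch command, and
unfold the LDIF result to extract every sshPublicKey value. The ldapsearch call is
replaced by a constructed LDIF result so the example runs without a server.
"""
import re

# Constructed ldap.conf (same keys as the client sections above).
LDAP_CONF = """\
base dc=xxyd,dc=com
uri ldaps://ldap.xxyd.com
ssl on
# comment lines are ignored
nss_initgroups_ignoreusers root,daemon,bin,sys,sync,mail,nobody,syslog,sshd
"""

# Constructed `ldapsearch -LLL` output: LDIF folds long values onto
# continuation lines that begin with a single space.
LDIF_RESULT = """\
dn: uid=test03,ou=People,dc=xxyd,dc=com
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIBZpJc0dfiPsHlfPNEJBUqhCGZX2wGab
 xklz09ptnriLoCh9AeYj39suHPptTZDAGiOn8Jxrd rsa-key-20101209
sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyMaterial0000000 laptop

"""


def parse_ldap_conf(text):
    """Return {key: value} for 'key value' lines; comments and blanks are skipped."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z_]+)\s+(.*)$", line)
        if m:
            conf[m.group(1).lower()] = m.group(2).strip()
    return conf


def is_local_user(conf, user):
    """True if user is in nss_initgroups_ignoreusers, i.e. authenticated from local files."""
    ignored = conf.get("nss_initgroups_ignoreusers", "")
    return user in [u.strip() for u in ignored.split(",") if u.strip()]


def escape_filter(value):
    """RFC 4515 escaping for a value placed inside an LDAP search filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def ldapsearch_command(conf, user):
    """argv for the lookup; TLS flag derived from 'ssl'/'tls_checkpeer' as in the script."""
    argv = ["ldapsearch", "-x", "-LLL", "-H", conf["uri"], "-b", conf["base"]]
    if conf.get("binddn"):
        argv += ["-D", conf["binddn"], "-w", conf.get("bindpw", "")]
    if conf.get("ssl") == "start_tls":
        argv.append("-Z" if conf.get("tls_checkpeer") == "no" else "-ZZ")
    filt = "(&(objectClass=posixAccount)(uid=%s))" % escape_filter(user)
    return argv + [filt, "sshPublicKey"]


def unfold_ldif(text):
    """Join continuation lines (leading space) back onto the line they belong to."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def extract_public_keys(ldif_text):
    """All sshPublicKey values from an ldapsearch result, in authorized_keys form."""
    return [line.split(": ", 1)[1] for line in unfold_ldif(ldif_text)
            if line.lower().startswith("sshpublickey: ")]


def authorized_keys(user, conf_text=LDAP_CONF, search=lambda argv: LDIF_RESULT):
    """Key lines sshd should accept for user; empty for local accounts.

    `search` stands in for running ldapsearch (e.g. subprocess.run(argv, ...))."""
    conf = parse_ldap_conf(conf_text)
    if is_local_user(conf, user):
        return []
    return extract_public_keys(search(ldapsearch_command(conf, user)))


if __name__ == "__main__":
    import sys
    print("\n".join(authorized_keys(sys.argv[1] if len(sys.argv) > 1 else "test03")))
```

Unfolding matters because sshPublicKey values are longer than the LDIF line width, as the folded pwdHistory value in the ldapsearch output earlier on this page shows; a helper that greps for "sshPublicKey:" without joining the continuation line hands sshd a truncated key and the login silently fails. Returning an empty list for nss_initgroups_ignoreusers accounts is what keeps root and the other role accounts on their local authorized_keys files.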
# copy back the old ssh init script
cp /root/ssh.old /etc/init.d/ssh
# service ssh start
# start at boot
update-rc.d ssh defaults
# after the ssh upgrade is complete, remove the telnet service and restore the configuration
apt-get purge openbsd-inetd telnetd
sed -i '/Telnet/d' /etc/securetty
sed -i '/pts\//d' /etc/securetty
sed -i '/in.telnetd/d' /etc/hosts.deny
Reference links:
https://www.linuxidc.com/Linux/2011-10/45739.htm
https://marc.waeckerlin.org/computer/blog/ssh_and_ldap
Host access control policy
http://ju.outofmemory.cn/entry/146609
Server side
# vi /etc/openldap/schema/ldapns.schema
# $Id: ldapns.schema,v 1.3 2009-10-01 19:17:20 tedcheng Exp $
# LDAP Name Service Additional Schema
# http://www.iana.org/assignments/gssapi-service-names
#
# Not part of the distribution: this is a workaround!
#
attributetype ( 1.3.6.1.4.1.5322.17.2.1 NAME 'authorizedService'
        DESC 'IANA GSS-API authorized service name'
        EQUALITY caseIgnoreMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
attributetype ( 1.3.6.1.4.1.5322.17.2.2 NAME 'loginStatus'
        DESC 'Currently logged in sessions for a user'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        ORDERING caseIgnoreOrderingMatch
        SYNTAX OMsDirectoryString )
objectclass ( 1.3.6.1.4.1.5322.17.1.1 NAME 'authorizedServiceObject'
        DESC 'Auxiliary object class for adding authorizedService attribute'
        SUP top
        AUXILIARY
        MAY authorizedService )
objectclass ( 1.3.6.1.4.1.5322.17.1.2 NAME 'hostObject'
        DESC 'Auxiliary object class for adding host attribute'
        SUP top
        AUXILIARY
        MAY host )
objectclass ( 1.3.6.1.4.1.5322.17.1.3 NAME 'loginStatusObject'
        DESC 'Auxiliary object class for login status attribute'
        SUP top
        AUXILIARY
        MAY loginStatus )
# vi /etc/openldap/slapd.conf
include /etc/openldap/schema/ldapns.schema
rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
chown -R ldap.ldap /etc/openldap/slapd.d/
service slapd restart
cat <<EOF | ldapadd -x -D cn=admin,dc=xxyd,dc=com -W -H ldap://ldap.xxyd.com/
dn: ou=APP,ou=People,dc=xxyd,dc=com
ou: APP
objectClass: top
objectClass: organizationalUnit
EOF
cat <<EOF | ldapadd -x -D cn=admin,dc=xxyd,dc=com -W -H ldap://ldap.xxyd.com/
dn: ou=DB,ou=People,dc=xxyd,dc=com
ou: DB
objectClass: top
objectClass: organizationalUnit
EOF
Plan:
ou=APP: root of the application operations staff accounts;
ou=DB: root of the database administrator accounts
Ubuntu client
# echo "pam_check_host_attr yes" >> /etc/pam_ldap.conf
# vi /etc/ldap.conf
nss_base_passwd ou=APP,ou=People,dc=xxyd,dc=com
nss_base_shadow ou=APP,ou=People,dc=xxyd,dc=com
nss_base_group ou=APP,ou=People,dc=xxyd,dc=com
## Note: application servers use ou=APP,ou=People,dc=xxyd,dc=com
## database servers use ou=DB,ou=People,dc=xxyd,dc=com
## servers that both application and database staff log in to use ou=People,dc=xxyd,dc=com
## /etc/ldap.conf must not contain extra whitespace separators, otherwise the ldap-keys.sh script reports a syntax error
# service nscd restart
CentOS client
Test: application operations staff can only log in to application servers, and database administrators can only log in to database servers.
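With pam_check_host_attr enabled, the decision for each login depends on the `host` values of the user's entry (the attribute that hostObject from ldapns.schema makes available). As an added example that is not part of the original post, below are constructed user entries for the two OUs and a shell function modelling the check as I read pam_ldap's behaviour (a host value equal to the local hostname, compared case-insensitively, or the wildcard `*` allows the login; an entry with no host value is denied). The hostnames app01/app02/db01.xxyd.com and the uids are constructed.

```bash
#!/bin/sh
# Constructed sample entries as this page's layout produces them: posixAccount users
# extended with the auxiliary hostObject class from ldapns.schema, one per OU.
APP_USER='dn: uid=appops01,ou=APP,ou=People,dc=xxyd,dc=com
objectClass: posixAccount
objectClass: hostObject
uid: appops01
host: app01.xxyd.com
host: app02.xxyd.com'
DBA_USER='dn: uid=dba01,ou=DB,ou=People,dc=xxyd,dc=com
objectClass: posixAccount
objectClass: hostObject
uid: dba01
host: db01.xxyd.com'
NO_HOST_USER='dn: uid=guest,ou=People,dc=xxyd,dc=com
objectClass: posixAccount
uid: guest'

# Model of the pam_check_host_attr decision (assumption, see lead-in): the user
# entry (LDIF text) $1 may log in on host $2 only if one of its host values equals
# that hostname, ignoring case, or is the wildcard "*". No host value: denied.
host_allowed() {
  me=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  printf '%s\n' "$1" | sed -n 's/^host: //p' | tr '[:upper:]' '[:lower:]' \
    | grep -Fqx -e "$me" -e '*'
}
```

On a real client the entry comes from an ldapsearch below the OU configured in nss_base_passwd and the hostname from `hostname`.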
Data synchronisation
Master/slave replication
Master server replication configuration
Edit the OpenLDAP main configuration file
vi /etc/openldap/slapd.conf
moduleload syncprov.la
index entryCSN,entryUUID eq
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
Regenerate the configuration database so the changes take effect
service slapd stop
rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
chown -R ldap.ldap /etc/openldap/slapd.d/
service slapd restart
ss -lnp |grep slapd
Slave server configuration
Edit the OpenLDAP main configuration file
vi /etc/openldap/slapd.conf
moduleload syncprov.la
index entryCSN,entryUUID eq
syncrepl rid=002
        provider=ldap://10.1.31.128:389/
        type=refreshOnly
        retry="60 10 600 +"
        interval=00:00:00:10
        searchbase="dc=xxyd,dc=com"
        scope=sub
        schemachecking=off
        bindmethod=simple
        binddn="cn=admin,dc=xxyd,dc=com"
        attrs="*,+"
        credentials=PASSWD
# Refer updates to the master
updatedn "cn=admin,dc=xxyd,dc=com"
updateref ldap://10.1.31.243
Regenerate the configuration database so the changes take effect
service slapd stop
rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
chown -R ldap.ldap /etc/openldap/slapd.d/
service slapd restart
ss -lnp |grep slapd
Importing data entries
Export the entries on the master server:
ldapsearch -x -b 'dc=xxyd,dc=com' > ldapbackup.ldif
Copy the backup to the slave server and import it
ldapadd -x -D "cn=admin,dc=xxyd,dc=com" -W -f ldapbackup.ldif
Compare the entry counts on the master and slave servers
ldapsearch -x -LLL |wc -l
Regenerate the configuration database so the changes take effect
service slapd stop
rm -rf /etc/ldap/slapd.d/
slaptest -f /etc/ldap/slapd.conf -F /etc/ldap/slapd.d/
chown -R openldap.openldap /etc/ldap/slapd.d/
service slapd restart
ss -lnp |grep slapd
Verifying master/slave replication
Add entries on the master server
ldapadd -x -D "cn=admin,dc=xxyd,dc=com" -W -f group.test02.ldif
ldapadd -x -D "cn=admin,dc=xxyd,dc=com" -W -f passwd.test02.ldif
Check whether the newly added entries exist on the slave server
ldapsearch -x -LLL uid=test02
Check the replication log
/var/log/syslog
Multi-master replication (N-Way Multimaster)
Server replication configuration
In multi-master mode all servers share the same configuration; only the IP address/hostname differs
Edit the OpenLDAP configuration file
# vi /etc/openldap/slapd.conf
moduleload syncprov.la
index entryUUID,entryCSN eq
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
serverID 1 ldaps://ldap01.xxyd.com
serverID 2 ldaps://ldap02.xxyd.com
syncrepl rid=001
        provider=ldaps://ldap01.xxyd.com
        binddn="cn=admin,dc=xxyd,dc=com"
        bindmethod=simple
        credentials=PASSWD
        searchbase="dc=xxyd,dc=com"
        type=refreshAndPersist
        retry="5 5 300 5"
        timeout=1
syncrepl rid=002
        provider=ldaps://ldap02.xxyd.com
        binddn="cn=admin,dc=xxyd,dc=com"
        bindmethod=simple
        credentials=PASSWD
        searchbase="dc=xxyd,dc=com"
        type=refreshAndPersist
        retry="5 5 300 5"
        timeout=1
mirrormode TRUE
## Set the local listen address
# vi /etc/sysconfig/slapd
SLAPD_URLS="ldapi:/// ldaps://ldap01.xxyd.com"
rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
chown -R ldap.ldap /etc/openldap/slapd.d
systemctl restart slapd
Replication test
Add or delete data on one master; if the change is replicated to the other master immediately, the test has passed.
High availability
Option 1
The client is configured with both OpenLDAP servers (master/slave, master/master or multi-master)
When the first server is unavailable, the client automatically connects to the second
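Counting entries or searching for one uid shows that data arrived, but not that both nodes have reached the same replication state. As an added example that is not part of the original post, the shell functions below compare the per-serverID contextCSN values that `ldapsearch -s base contextCSN` returns on two nodes, for the multi-master pair above or for a master/slave pair; the sample search results are constructed.

```bash
#!/bin/sh
# Constructed sample of what
#   ldapsearch -x -LLL -H ldaps://<node> -b dc=xxyd,dc=com -s base contextCSN
# returns on each node of the multi-master pair: one contextCSN per serverID,
# the serverID being the third '#'-separated field of the CSN.
NODE1='dn: dc=xxyd,dc=com
contextCSN: 20180301080000.000000Z#000000#001#000000
contextCSN: 20180301075900.000000Z#000000#002#000000'
NODE2='dn: dc=xxyd,dc=com
contextCSN: 20180301080000.000000Z#000000#001#000000
contextCSN: 20180301080130.000000Z#000000#002#000000'

# Print "sid csn" pairs from one node's search result.
csn_by_sid() {
  printf '%s\n' "$1" | sed -n 's/^contextCSN: //p' | awk -F'#' '{ print $3, $0 }'
}

# Return the CSN recorded for serverID $2 in a "sid csn" list $1 (empty if absent).
csn_of() {
  printf '%s\n' "$1" | awk -v s="$2" '$1 == s { print $2 }'
}

# Compare two nodes' contextCSN values per serverID. Replication is complete when
# every sid carries the same CSN on both nodes; because a CSN starts with a UTC
# timestamp, the lexically smaller value belongs to the node that has not yet
# received the other node's latest write. Returns 0 when in sync, 1 otherwise.
check_in_sync() {
  a=$(csn_by_sid "$1"); b=$(csn_by_sid "$2"); rc=0
  for sid in $(printf '%s\n%s\n' "$a" "$b" | cut -d' ' -f1 | sort -u); do
    ca=$(csn_of "$a" "$sid"); cb=$(csn_of "$b" "$sid")
    if [ "$ca" != "$cb" ]; then
      echo "sid $sid differs: node1=${ca:-missing} node2=${cb:-missing}"
      rc=1
    fi
  done
  return $rc
}
```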
vi /etc/ldap.conf
uri ldaps://ldap01.xxyd.com ldaps://ldap02.xxyd.com
Restart the service
service nscd restart
Option 2
Two OpenLDAP servers in master/slave or master/master mode
keepalived provides a VIP for failover
Clients connect by hostname: uri ldaps://ldap.xxyd.com, with ldap.xxyd.com resolving to the VIP
Self-service password change
https://www.ilanni.com/?p=13822
Data backup
ldapsearch -x -b 'dc=xxyd,dc=com' > backupldap_$(date +%Y%m%d-%H%M).ldif
References:
http://chuansong.me/n/317694151860
https://blog.csdn.net/m1213642578/article/details/52578360
http://www.zytrax.com/books/ldap/ch6/ppolicy.html
http://blog.163.com/excellent_2008/blog/static/30760156201392362414238/
https://serverfault.com/questions/653792/ssh-key-authentication-using-ldap
http://briteming.blogspot.com/2017/11/setting-up-openldap-server-with-openssh.html
https://www.cnblogs.com/moonson/archive/2008/11/20/1337775.html