Centralized System User Authentication on Linux Based on LDAP

Reader submission  750  2023-02-15



Environment: ldap node1: 192.168.100.151; ldap node2: 192.168.100.152; client IP: 192.168.100.153

=========================== Server side ===========================

1. Installation

Install the DB

[root@localhost openldap]# yum install -y libtool-ltdl-devel.x86_64 libtool-ltdl.x86_64
[root@localhost tarbag]# tar -xzvf db-4.8.26.tar.gz -C ../software/
[root@localhost tarbag]# cd ../software/db-4.8.26/build_unix/
[root@localhost build_unix]# ../dist/configure
[root@localhost build_unix]# make install
[root@localhost build_unix]# echo "/usr/local/BerkeleyDB.4.8/lib/" >> /etc/ld.so.conf
[root@localhost build_unix]# ldconfig -vv

Install openldap

[root@localhost tarbag]# tar zxvf openldap-2.4.21.tgz -C ../software/
[root@localhost tarbag]# cd ../software/openldap-2.4.21/
[root@localhost openldap-2.4.21]# ./configure --prefix=/usr/local/openldap-2.4.21 --enable-syslog --enable-modules --with-tls CPPFLAGS=-I/usr/local/BerkeleyDB.4.8/include/ LDFLAGS=-L/usr/local/BerkeleyDB.4.8/lib/
[root@localhost openldap-2.4.21]# make depend
[root@localhost openldap-2.4.21]# make
[root@localhost openldap-2.4.21]# make test    # this takes quite a long time; if you feel it is unnecessary, skip it and go straight to make install
[root@localhost openldap-2.4.21]# make install
[root@localhost openldap-2.4.21]# cd /usr/local/openldap-2.4.21/
[root@localhost openldap-2.4.21]# ls
bin  etc  include  lib  libexec  sbin  share  var

2. OpenLDAP configuration

Download openssh-lpk_openldap.schema

Generate the password:

[root@localhost ~]# cd /usr/local/openldap-2.4.21/sbin/
[root@localhost sbin]# ./slappasswd
New password:
Re-enter new password:
{SSHA}o/pZaQlZohhssEC7UAWnqWZ3GaHwxeUZ

The password is 123456; this hash goes into the rootpw line of slapd.conf.

Configure slapd.conf

Modify syslog.conf

Restart syslog

[root@localhost openldap]# service syslog restart
Shutting down kernel logger: [OK]
Shutting down system logger: [OK]
Starting system logger: [OK]
Starting kernel logger: [OK]

Start LDAP

Start method 1:

# /usr/local/openldap-2.4.21/libexec/slapd    # goes straight into the background

Start method 2:

# /usr/local/openldap-2.4.21/libexec/slapd -d 256    # stays in the foreground with debug output

[root@localhost run]# /usr/local/openldap-2.4.21/libexec/slapd
[root@localhost run]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      22917/slapd
tcp        0      0 :::389                  :::*                    LISTEN      22917/slapd
tcp        0      0 :::22                   :::*                    LISTEN      1987/sshd

3. Generate a public/private key pair (any machine will do)

4. Import the LDAP root data:

==================== Client ====================

IP address: 192.168.100.153

1. Install the patched openssh package:

[root@localhost tarbag]# gunzip openssh-lpk-5.9p1-0.3.14.patch.gz
[root@localhost tarbag]# tar zxvf openssh-5.9p1.tar.tar
[root@localhost tarbag]# cd openssh-5.9p1
[root@localhost openssh-5.9p1]# patch -Np1 -i /usr/local/src/tarbag/openssh-lpk-5.9p1-0.3.14.patch
patching file auth2-pubkey.c
patching file auth-rsa.c
patching file config.h.in
patching file configure.ac
patching file ldapauth.c
patching file ldapauth.h
patching file lpk-user-example.txt
patching file Makefile.in
patching file openssh-lpk_openldap.schema
patching file openssh-lpk_sun.schema
patching file README.lpk
patching file servconf.c
patching file servconf.h
patching file sshd.c
patching file sshd_config
patching file sshd_config.5
patching file version.h
[root@localhost tarbag]# ./configure \
--prefix=/usr \
--sysconfdir=/etc/ssh \
--libexecdir=/usr/sbin \
--with-md5-passwords \
--with-pam \
--with-libs="-lldap" \
--with-cppflags="-DWITH_LDAP_PUBKEY"
[root@localhost tarbag]# make
[root@localhost tarbag]# make install

2. Modify the sshd configuration file

Modify nsswitch.conf:

[root@localhost openssh-5.9p1]# vi /etc/nsswitch.conf
passwd: files ldap
shadow: files ldap
group:  files ldap

Modify authconfig:

[root@localhost etc]# cat /etc/sysconfig/authconfig | grep yes
USELDAPAUTH=yes
USESHADOW=yes
USELOCAUTHORIZE=yes
USELDAP=yes
USECRACKLIB=yes

3. Restart sshd

# service sshd restart

4. Add files

=========================== Autofs configuration ===========================

(This can also be done with the auto.schema inside LDAP; I don't find that as convenient as this approach.)

LDAP users share home directories: the client uses autofs to automount each user's home directory. This is done to fix "Could not chdir to home directory /home/hsf: No such file or directory".

LDAP server NFS configuration:

[root@localhost home]# cat /etc/exports
/home 192.168.100.0/255.255.255.0(rw,async,wdelay,root_squash,no_subtree_check,anonuid=65534,anongid=65534)
[root@localhost home]# service portmap start
[root@localhost home]# service nfs start
[root@localhost home]# chkconfig nfs on
[root@localhost home]# chkconfig portmap on

Client configuration:

[root@localhost ~]# cat /etc/auto.master
#
/home /etc/auto.nfs --timeout=100
[root@localhost ~]# cat /etc/auto.nfs
* 192.168.100.151:/home/&
[root@localhost ~]# service autofs start
[root@localhost ~]# service portmap start

Test on the client:

[root@localhost ~]# cd /home/
[root@localhost home]# ls
[root@localhost home]#
[root@localhost home]# su - test
-sh-3.00$ pwd
/home/test/
-sh-3.00$

=================== LDAP + sudoers configuration ===================

First add the sudoer.schema:

[root@localhost log]# vi /etc/openldap/schema/sudoer.schema
attributetype ( 1.3.6.1.4.1.15953.9.1.1
    NAME 'sudoUser'
    DESC 'User(s) who may run sudo'
    EQUALITY caseExactIA5Match
    SUBSTR caseExactIA5SubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.2
    NAME 'sudoHost'
    DESC 'Host(s) who may run sudo'
    EQUALITY caseExactIA5Match
    SUBSTR caseExactIA5SubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.3
    NAME 'sudoCommand'
    DESC 'Command(s) to be executed by sudo'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.4
    NAME 'sudoRunAs'
    DESC 'User(s) impersonated by sudo'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.5
    NAME 'sudoOption'
    DESC 'Options(s) followed by sudo'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.6
    NAME 'sudoRunAsUser'
    DESC 'User(s) impersonated by sudo'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.7
    NAME 'sudoRunAsGroup'
    DESC 'Group(s) impersonated by sudo'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.8
    NAME 'sudoNotBefore'
    DESC 'Start of time interval for which the entry is valid'
    EQUALITY generalizedTimeMatch
    ORDERING generalizedTimeOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
attributetype ( 1.3.6.1.4.1.15953.9.1.9
    NAME 'sudoNotAfter'
    DESC 'End of time interval for which the entry is valid'
    EQUALITY generalizedTimeMatch
    ORDERING generalizedTimeOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
attributetype ( 1.3.6.1.4.1.15953.9.1.10
    NAME 'sudoOrder'
    DESC 'an integer to order the sudoRole entries'
    EQUALITY integerMatch
    ORDERING integerOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
    DESC 'Sudoer Entries'
    MUST ( cn )
    MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
          sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
          sudoOrder $ description $ ou )
    )

Add this sudoer.schema to slapd.conf:

[root@localhost log]# cat /etc/openldap/slapd.conf | grep sudo
include /etc/openldap/schema/sudoer.schema

Default sudoer LDIF data.

Import the sudo data into LDAP.
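To show what entries under the sudoRole objectclass look like and how a mistake surfaces before `ldapadd`, here is an added Python example (not from the post): a minimal LDIF parser and a checker that validates sudoRole entries against the MUST/MAY lists declared in the schema above and additionally flags a rule that grants ALL commands to ALL users on ALL hosts. The LDIF sample is constructed; the `ou=SUDOers,dc=example,dc=com` suffix and the entry names are assumptions, not values from the page.

```python
import base64
import re
from typing import Dict, List

# MUST / MAY of objectclass sudoRole, as declared in the schema above.
SUDO_ROLE_MUST = {"cn"}
SUDO_ROLE_MAY = {"sudoUser", "sudoHost", "sudoCommand", "sudoRunAs", "sudoRunAsUser",
                 "sudoRunAsGroup", "sudoOption", "sudoNotBefore", "sudoNotAfter",
                 "sudoOrder", "description", "ou"}
ALWAYS_ALLOWED = {"dn", "objectClass"}
GENERALIZED_TIME = re.compile(r"^\d{14}(\.\d+)?(Z|[+-]\d{4})$")   # syntax ...115.121.1.24

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: handles comments, folded lines and base64 ('::') values."""
    entries: List[Entry] = []
    current: Entry = {}
    pending = None                       # (attribute, raw value) not yet stored

    def flush() -> None:
        nonlocal pending
        if pending is not None:
            name, raw = pending
            if raw.startswith(":"):      # "attr:: <base64>"
                value = base64.b64decode(raw[1:].strip()).decode("utf-8")
            else:
                value = raw.strip()
            current.setdefault(name, []).append(value)
            pending = None

    for line in text.splitlines() + [""]:
        if line.startswith("#"):
            continue
        if line.startswith(" "):         # folded continuation of the previous value
            if pending:
                pending = (pending[0], pending[1] + line[1:])
            continue
        flush()
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, raw = line.partition(":")
        pending = (name.strip(), raw)
    return entries


def validate_sudo_role(entry: Entry) -> List[str]:
    """Schema violations plus one risk finding for a single sudoRole entry."""
    problems = [f"missing MUST attribute {a}" for a in sorted(SUDO_ROLE_MUST - set(entry))]
    problems += [f"attribute {a} not allowed by sudoRole"
                 for a in sorted(set(entry) - SUDO_ROLE_MUST - SUDO_ROLE_MAY - ALWAYS_ALLOWED)]
    problems += [f"sudoOrder {v!r} is not an INTEGER"
                 for v in entry.get("sudoOrder", []) if not re.fullmatch(r"-?\d+", v)]
    for attr in ("sudoNotBefore", "sudoNotAfter"):
        problems += [f"{attr} {v!r} is not GeneralizedTime"
                     for v in entry.get(attr, []) if not GENERALIZED_TIME.match(v)]
    # Not a schema rule: sudo accepts this, but it hands every user root on every host.
    if all("ALL" in entry.get(a, []) for a in ("sudoUser", "sudoHost", "sudoCommand")):
        problems.append("grants ALL commands to ALL users on ALL hosts")
    return problems


def check_ldif(text: str) -> Dict[str, List[str]]:
    """Map each sudoRole DN in an LDIF document to its list of problems."""
    return {e["dn"][0]: validate_sudo_role(e)
            for e in parse_ldif(text) if "sudoRole" in e.get("objectClass", [])}


# Constructed sample: the suffix dc=example,dc=com and the entry names are assumptions.
SAMPLE_LDIF = """\
dn: ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: SUDOers

dn: cn=defaults,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption values go he
 re
sudoOption:: ZW52X3Jlc2V0

dn: cn=admins,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: admins
sudoUser: %wheel
sudoHost: ALL
sudoRunAsUser: root
sudoCommand: /sbin/service
sudoCommand: /usr/bin/yum
sudoOrder: 10

# cn is in the DN but was never added as an attribute; sudoOrder is not an integer
dn: cn=broken,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
sudoUser: ALL
sudoHost: ALL
sudoCommand: ALL
sudoOrder: abc
"""

if __name__ == "__main__":
    for dn, problems in check_ldif(SAMPLE_LDIF).items():
        print(dn, "->", problems or "ok")
```

Running it reports the `cn=broken` entry's missing cn, non-integer sudoOrder and unrestricted grant, while `cn=defaults` and `cn=admins` pass. slapd's own schema check would reject the missing cn at import time, but nothing on the server side objects to an ALL/ALL/ALL sudoRole, which is why a review of the LDIF before import is the only place such a rule gets caught.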

==================== sudo client configuration ====================

Configure ldap.conf

Verify:

[root@localhost ~]# sudo -V | grep ldap
ldap.conf path: /etc/ldap.conf
ldap.secret path: /etc/ldap.secret

After installation, restart the LDAP service.

Test:

=================== OpenLDAP master-master configuration ===================

Node 1: 192.168.100.151; Node 2: 192.168.100.152

On node 1 (node1), append the following configuration to the end of slapd.conf:

On node 2 (node2), append the following configuration to the end of slapd.conf:

=================== Configuring TLS security ===================

Modify the client's /etc/openldap/ldap.conf:

[root@localhost etc]# vi ldap.conf
TLS_CACERT /etc/openldap/cacerts/cacert.pem
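The TLS_CACERT line only tells libldap which CA to trust; whether a valid server certificate is actually required depends on TLS_REQCERT (libldap's default is demand, and never or allow switch verification off), and the master-master note later in the post says the client must also list both nodes. The Python script below is an added example, not from the post, that parses a client ldap.conf and reports those two points plus a missing URI. Both sample configurations are constructed; the `dc=example,dc=com` BASE suffix is an assumption.

```python
from typing import Dict, List

# TLS_REQCERT values under which libldap does not enforce a valid server certificate.
WEAK_REQCERT = {"never", "allow"}


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """Read "KEYWORD value" lines as libldap does: case-insensitive keyword, last one wins."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        settings[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def audit_client_tls(text: str, expected_servers: int = 2) -> List[str]:
    """Findings a reviewer would want before trusting this client's LDAP lookups."""
    s = parse_ldap_conf(text)
    findings: List[str] = []
    if "TLS_CACERT" not in s and "TLS_CACERTDIR" not in s:
        findings.append("no TLS_CACERT/TLS_CACERTDIR: the server certificate cannot be validated")
    reqcert = s.get("TLS_REQCERT", "demand").lower()   # libldap's default is demand
    if reqcert in WEAK_REQCERT:
        findings.append(f"TLS_REQCERT {reqcert} accepts unverified server certificates")
    uris = s.get("URI", "").split()
    if not uris:
        findings.append("URI not set: clients fall back to ldap://localhost")
    elif len(uris) < expected_servers:
        findings.append(f"only {len(uris)} server in URI; both master nodes should be listed")
    return findings


# Constructed: the CA line from the post, plus a weakened TLS_REQCERT and a single server.
WEAK_CONF = """\
TLS_CACERT /etc/openldap/cacerts/cacert.pem
TLS_REQCERT never
URI ldap://192.168.100.151
"""

# Constructed hardened version; the BASE suffix dc=example,dc=com is an assumption.
HARDENED_CONF = """\
BASE dc=example,dc=com
URI ldap://192.168.100.151 ldap://192.168.100.152
TLS_CACERT /etc/openldap/cacerts/cacert.pem
TLS_REQCERT demand
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, "->", audit_client_tls(conf) or "no findings")
```

This only covers libldap's own file. With the PADL pam_ldap/nss_ldap client used in this post, whether a connection is upgraded to TLS at all is decided in /etc/ldap.conf (`ssl start_tls`, `tls_checkpeer yes`), so a plain ldap:// URI that passes this audit still sends bind credentials in clear if that file does not request StartTLS.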

Restart the client's sshd:

[root@localhost etc]# service sshd restart
Stopping sshd: [OK]
Starting sshd: [OK]

Check the LDAP server log:

Configure the certificate on ldap node2: copy the previously generated cacert.pem, newcert.pem and newreq.pem to the corresponding locations on the second server, fix the file permissions, adjust slapd.conf and restart the LDAP service.

When configuring master-master LDAP, the client configuration must list the IPs of both masters:

Restart the client's sshd. User authentication management based on openldap + openssh-lpk + sudo + tls is now complete.
