Linux uses LDAP identity centralized certification

It happens that the company where I work has used ldap centralized identity authentication, so I plan to study this architecture, but after reading many tutorials on the Internet, it is either incomplete or impossible to get it out. October After studying for three days, I finally got it out by combining the resources of all directions. It is not easy. Hey, here is a record:

One. Realization effect:

1. Realize centralized management of linux openldap account

2. Can control whether the account can be sudo to root

3. Can realize password and pubkey login

4. You can control which hosts the user can log in to

Two. System environment:

Red Hat Enterprise Linux Server release 6.7 (Santiago)

Three. Project topology:

Using two-node demonstration:

ldap server side: 192.168.85.137 (acts as both server and client)

ldap client : 192.168.85.139

4. Software version:

openldap-servers-2.4.40-16.el6.x86_64

#Preparation before installation:

p>

1. Turn off firewall and selinux

2. Configure hosts resolution:

192.168.85.137 node1
192.168.85.139 node2

3 .Configure ntp time synchronization:

ntpdate time.windows.com

# Install openldap server:

yum install -y openldap-servers-2.4.40-16.el6.x86_64 openldap-clients-2.4.40-16.el6.x86_64 openldap-2.4.40 -16.el6.x86_64 openldap-devel-2.4.40-16.el6.x86_64 compat-openldap.x86_64

# Initialize openldap configuration:

cp /usr/share/openldap -servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
chown -R ldap.ldap /etc/openldap
chown -R ldap.ldap /var/lib/ldap
suffix "dc=hello,dc=com"

#Edit /etc/openldap/slapd.conf (Modify the following configuration, others can keep the default, or modify according to your own needs, I only modified the following three items here)

suffix "dc=hello,dc=com" #Configure the domain name suffix, similar to the last parent domain name
rootdn "cn=admin,dc=hello,dc=com" #New administrator admin
rootpw {SSHA}LoVG+OZ61YG95bbZbVDZnkotGRSchz+Q #Administrator’s password, which can be in plain text or cipher text, and the cipher text is generated by slappasswd

#Generate configuration file:

rm /etc/openldap/slapd .d/* -fr #Delete the old configuration database
slaptest -f /etc/openldap/slapd.conf #Detect whether the configuration file has syntax errors Database

  

# Start ldap server:

 /etc/init.d/slapd start

# openldap uses 389 by default, port, check whether the service is started successfully:

share picture

######################## ################### Client configuration

# Client deployment, install openldap client software:

yum install -y openldap-clients.x86_64 nss-pam-ldap

  

# Modify /etc/nslcd.conf and add the following content:

uri ldap://192.168.85.137/
base dc=hello,dc=com
ssl no

  

# Modify /etc/pam_ldap.conf and add the following content:

base dc=hello,dc=com
uri ldap://192.168.85.137/

  

# Modify / /etc/pam.d/system-auth

auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid>=500 quiet
auth sufficient pam_ldap.so #add ldap module
auth required pam_deny.so
 
account required pam_unix.so
account sufficient pam_succeed_if.so uid<500 quiet
account required pam_ldap.so #add ldap module
account required pam_permit.so
 
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok md5 #add ldap module
password required pam_deny.so
 
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore]pam_succeed_if.so service in crond quiet
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session optional pam_ldap.so #add ldap module

# Modify /etc/pam.d/sshd (This file is needed for ssh login. If you only modify /etc/pam.d/system- For auth, the console login is okay, but if you connect to remote ssh, there will be problems)

auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid>=500 quiet
auth sufficient pam_ldap.so use_first_pass #Load ldap
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_succeed_if.so uid<500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so #Load ldap
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok #Load ldap
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore]pam_succeed_if.so service in crond quiet
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022 #Create user home directory automatically
session optional pam_ldap.so #Load ldap module

  

 

# Modify /etc/nsswitch.conf, specify the search order:

passwd: files ldap
shadow: files ldap
group: files ldap

# Modify /etc/sysconfig/authconfig

USESHADOW=yes
USELDAPAUTH=yes
USELOCAUTHORIZE=yes
USELDAP=yes

# Create a new ou to store users:

dn: ou =People,dc=hello,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

# Create a new ou to store the group:

dn: ou =Group,dc=hello,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

# New user user200

dn: uid=user200,ou=People,dc=hello,dc=com

uid: user200
cn: user200
sn: user200
objectClass: posixAccount
objectClass: person
objectClass: inetOrgPerson
objectClass: shadowAccount
userPassword: {CRYPT}
-s2a6QekMTXp6 #Here is the cipher text password, which is generated by the slappasswd -c -s command
shadowLastChange:
18171
shadowMin:
0
shadowMax:
99999
shadowWarning:
7
loginShell:
/bin/bash
uidNumber:
5204
gidNumber:
5204
homeDirectory:
/home/user200

NOTE: Although you can fill in the plain text password, you can also fill in the cipher text password, but if you want To log in to Linux, you must fill in the password generated by slappasswd -c -s. This command generates a crypt(3) encrypted format, which can be recognized by Linux. Although it is said that plaintext can be used on the Internet, I did not try to succeed anyway.

share picture

# Start the ldap client

/etc/init.d/nslcd start

The configuration is complete, and the ssh remote connection is ready

share picture

############################# Configure user sudo

## ### Server configuration

1. You can configure sudo through the local sudo file or through the ldap server side. Here, use the ldap server side to configure.

# Copy the sudo schema

 cp /usr/share/doc/sudo-1.8.6p3/schema.OpenLDAP /etc/openldap/schema/sudo. schema

# Edit /etc/slapd.conf and add the following configuration:

include /etc/openldap/schema/sudo.schema

# Generate a new database configuration:

rm -rf /etc /openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
chown -R ldap.ldap /etc/openldap/slapd.d/ # Empower, otherwise start sladp Will report an error
/etc/init.d/sladp restart #Restart the service to make the configuration take effect

 

# It is best to install phpldapadmin, this The web interface allows us to operate ldap graphically. The specific installation process can be google, which is omitted here, and one thing to note is that if you install phpldapadmin with yum, you may always prompt that the password is incorrect. I did not study the specific reasons. Download the source code from the Internet. Just install it, don’t worry about it

# New sudoers Ou:

dn: ou=sudoers,dc=hello,dc=com
ou: sudoers
objectClass: top
objectClass: organizationalUnit

# New group admin:

dn: cn=admin,ou=group,dc=hello,dc=com
cn: admin
gidNumber: 505
objectClass: posixGroup
objectClass: top

  

# New sudo rule:

< div class="Highlighter">

dn: cn=%admin,ou=sudoers,dc=hello,dc=com
objectClass: sudoRole
cn: %admin
sudoUser: %admin
sudoHost: ALL
sudoRunAsUser: root
sudoOption: !authenticate
sudoCommand: /bin/bash
EOF

# Add the user to the admin group, this user has the authority to sudo to root

cat >> modify_gid.ldif << EOF


dn: uid
=user200,ou=People,dc=hello,dc=com
changetype: modify
replace: gidNumber
gidNumber:
505

EOF


ldapmodify
-x -W -D "cn=admin,dc= hello,dc=com" -f modify_gid.ldif

# ## Client configuration:

cat >> /etc/nsswitch.conf << EOF

sudoers: ldap files
EOF

## ###################################### Configure ssh secret key login

< p># Copy schema

cp /usr/share/doc/openssh-ldap-5. 3p1/openssh-lpk-openldap.schema /etc/openldap/schema/

# /etc/openldap/sladp.conf Add ssh schema

include /etc/openldap/schema/openssh-lpk-openldap.schema

# Regenerate a new configuration file:

rm -rf /etc/openldap/slapd.d/*

slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
chown -R ldap.ldap /etc/openldap/slapd. d/ # Empower, otherwise an error will be reported when starting sladp
/etc/init.d/sladp restart #Restart the service to make the configuration effective

# Configuration sshldap configuration file (My environment is not configured to set up a configuration file and there is no problem. I don't know when I will use this configuration, but it is better to match it, just to be safe)

< pre>cp /usr/share/doc/openssh-ldap-5.3p1/ldap.conf /etc/ssh/

# Add the following configuration file to /etc/ssh/ldap.conf

uri ldap://< /span>192.168.85.137/

base dc=hello,dc=com
ssl no

# Configuration /etc/ssh/sshd_config

RSAAuthentication yes

PubkeyAuthentication yes
AuthorizedKeysCommand
/usr/bin/get_pubkey #This command can be implemented by yourself, as long as you can get the pubkey in the end, it’s okay to make sure that there is no space at the end of the configuration. Otherwise, an error will be reported.
AuthorizedKeysCommandRunAs nobody

# get_pubkey content (actually connect to the ldap server and retrieve the key):

#!/bin/sh -e

ldapsearch
-x -D 'cn=admin,dc=hello, dc=com' -w 123qaz\! -b 'ou=People,dc=hello,dc=com' -H ldap://192.168.85.137'(&(objectClass =posixAccount)(uid='"$1"'))' \
'sshPublicKey ' | sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp'

# user200 adds new attributes to support pubkey:

< pre>cat >> add_objectclass.ldif << EOF
dn: uid=user200,ou=People,dc=hello,dc=com

changetype: modify

add: objectclass

objectClass: ldapPublicKey

-

add: sshPublicKey

sshPublicKey: ssh -rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxKFoN4eC4bkKYDjK7YoivzGz2tpHbL2Gu4fyEIHrVDuxFwBHt2sKNG / Y56xDIwaMczeLgJkymjzfq7bZTJxZHAKN4x3qvzBA0UYSjnbr3YM9yMKqCllEWMjhVCchDI7vclO / VhsZRB / rSsGivIQjPEzwnn7qcnPhkqte6pa5i5C71NlcFf2Bz3HIE6zpcRFKEYrQgEcJa2fNFDUuY9PN5O1KRahSIPmg2mvWrr7DgTzI + TjCtlxrZuWXJPmJUuV2CWl9J4xcq5KV8Pf8LwlTvIuLx1hnYhojelM7LE4jh2mXweWl4My8xoeOw5hhJ9ekGTQgi1EeooVexguDHo / pnQ == [email protected]
EOF

< p># Submit user200 attribute modification to ldap server

ldapadd -x -w 123qaz\! -D "cn=admin,dc=hello,dc=com" -f add_objectclass.ldif

##################################### #### Restrict users to only log in to specified hosts

By default, users can log in to all hosts. At this time, we can limit which specified hosts the user can log in. You can configure /etc on the client /security/access.conf, it can also be restricted in openldap, here it is controlled on the openldap server side:

1. You can restrict which hosts a user logs in based on host

2. You can also Restrict which users are allowed to log in to a host based on the host

########## Restrict which hosts the user can log in to:

# Import new The schema

cat> /etc/openldap/schem a/ldapns.schema << EOF
attributetype (1.3.6.1.4.1.5322.17.2.1 NAME 'authorizedService'
DESC
'IANA GSS-API authorized service name< span style="color: #800000;">'
EQUALITY caseIgnoreMatch
SYNTAX
1.3.6.1.4.1.1466.115.121.1.< span style="color: #800080;">15{256})

attributetype (
1.3.6.1.4.1.5322.17.2.2 NAME 'loginStatus'
DESC
'Currently logged in sessions for a user< span style="color: #800000;">'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
ORDERING caseIgnoreOrderingMatch
SYNTAX OMsDirectoryString)

objectclass (
1.3.6.1.4.1.5322.17.1.1 NAME 'authorizedServiceObject'
DESC
'Auxiliary object class for adding authorizedService attribute< span style="color: #800000;">'
SUP top
AUXILIARY
MAY authorizedService)

objectclass (
1.3.6.1.4.1.5322.17.1.2 NAME 'hostObject'
DESC
'Auxiliary object class for adding host attribute< span style="color: #800000;">'
SUP top
AUXILIARY
MAY host)

objectclass (
1.3.6.1.4.1.5322.17.1.3 NAME 'loginStatusObject'
DESC
'Auxiliary object class for login status attribute< span style="color: #800000;">'
SUP top
AUXILIARY
MAY loginStatus )
EOF

# Configure /etc/slapd.conf and add the following content:

include /etc/openldap/schema/ldapns.schema


modulepath
/usr/lib64/openldap
moduleload dynlist.la

overlay dynlist
dynlist
-attrset inetOrgPerson labeledURI

# Regenerate the database configuration:

< pre>rm -rf /etc/openldap/slapd.d/*

slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d

chown -R ldap.ldap /etc/openldap/slapd.d/ # Empower, otherwise an error will be reported when starting sladp

/etc/init.d/sladp restart #Restart the service for the configuration to take effect

# Define the host group redis and webserver, the two groups contain different hosts :

cat << EOF | ldapadd -x -W -H ldaps:///< span style="color: #008000;"> -D cn=admin,dc=hello,dc=com

dn: ou=servers,dc=hello,dc=com
objectClass: organizationalUnit
ou: servers

dn: ou
=redis,ou=servers,dc=hello,dc=com
objectClass: organizationalUnit
objectClass: hostObject
ou: redis
host: node1

host: node2


dn: ou
=webserver,ou=servers,dc=hello,dc=com
objectClass: organizationalUnit
objectClass: hostObject
ou: webserver
host: node1

EOF

# The user adds a new attribute to support automatic reading of the hosts in the host group

dn: uid=user200,ou=People,dc=hello,dc=com

changetype: modify
add: objectClass
objectClass: hostObject
-
add: labeledURI
labeledURI: ldap:
///ou=webserver,ou=servers ,dc=hello,dc=com?host

#Client/etc/pam_ldap.conf Add configuration:

pam_check_host_attr yes

# Through the above configuration, the client can automatically obtain the host configured in the host group, but now it is Take the group as the unit. If you want to add a host that does not belong to any group, you can directly add the host attribute to the user, and then add the hostname to log in separately:

cat >> add_objectclass.ldif << EOF
dn: uid=user200,ou=People,dc=hello,dc=com
changetype: modify
add: host
host: node3
EOF

ldapadd -x -w 123qaz\! -D "cn=admin,dc=hello,dc=com" -f add_objectclass.ldif

ok!, now a new host Nod3 is added

NOTE: This can only be restricted based on the host name of the client The user logs in. When the user logs in, the client will query from ldap whether the host field in the user attribute is consistent with the hostname of the host to be logged in. If they are consistent, you can log in, or reject it. All must ensure that the hostname is consistent with the attribute configuration. And if you want to log in through ssh, you must ensure that the /etc/pam.d/sshd file is configured correctly, otherwise the host will not take effect (the specific configuration is given at the beginning of this article)

## Here is the second way: Specify which users are allowed to log in on the host:

# Add hosts device

dn: cn=node2,ou= servers,dc=hello,dc=com

objectClass: ipHost
objectClass: device
objectClass: extensibleObject
ipHostNumber:
192.168.85.139
cn: node2
uniquemember: uid
=user200,ou=people,dc=hello,dc=com #Specify allowed login users
< /pre>

# Client configuration:

/etc/pam_ldap.conf Add configuration:

pam_groupdn cn=node2,ou=servers,dc=hello,dc=com

pam_member_attribute uniquemember

yum install -y openldap-servers-2.4. 40-16.el6.x86_64 openldap-clients-2.4.40-16.el6.x86_64 openldap-2.4.40-16.el6.x86_64 openldap-devel-2.4.40-16.el6.x86_64 compat-openldap.x86_64

cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
chown -R ldap.ldap /etc/openldap
chown -R ldap.ldap /var/lib/ldap
suffix "dc=hello,dc=com"

suffix "dc=hello,dc=com" #Configure the domain name suffix, similar to the last parent domain name
rootdn "cn=admin,dc=hello,dc=com" #New administrator admin
rootpw {SSHA}LoVG+OZ61YG95bbZbVDZnkotGRSchz+Q #Administrator’s password, which can be in plain text or cipher text, and the cipher text is generated by slappasswd

rm /etc/openldap/slapd.d/* -fr #Delete the old configuration database
slaptest -f /etc/openldap/slapd.conf #Detect whether the configuration file has syntax errors Database

/etc/init.d/slapd start

yum install -y openldap-clients.x86_64 nss-pam-ldap

uri ldap://192.168.85.137/
base dc=hello,dc=com
ssl no

base dc=hello,dc=com
uri ldap://192.168.85.137/

auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid>=500 quiet
auth sufficient pam_ldap.so #add ldap module
auth required pam_deny.so
 
account required pam_unix.so
account sufficient pam_succeed_if.so uid<500 quiet
account required pam_ldap.so #add ldap module
account required pam_permit.so
 
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok md5 #add ldap module
password required pam_deny.so
 
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore]pam_succeed_if.so service in crond quiet
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session optional pam_ldap.so #add ldap module

auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid>=500 quiet
auth sufficient pam_ldap.so use_first_pass #Load ldap
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_succeed_if.so uid<500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so #Load ldap
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok #Load ldap
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore]pam_succeed_if.so service in crond quiet
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022 #Create user home directory automatically
session optional pam_ldap.so #Load ldap module

passwd: files ldap
shadow: files ldap
group: files ldap

USESHADOW=yes
USELDAPAUTH=yes
USELOCAUTHORIZE=yes
USELDAP=yes

dn: ou=People,dc=hello,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=hello,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

dn: uid=user200,ou=People,dc=hello,dc=com

uid: user200
cn: user200
sn: user200
objectClass: posixAccount
objectClass: person
objectClass: inetOrgPerson
objectClass: shadowAccount
userPassword: {CRYPT}
-s2a6QekMTXp6 #Here is the cipher text password, which is generated by the slappasswd -c -s command
shadowLastChange:
18171
shadowMin:
0
shadowMax:
99999
shadowWarning:
7
loginShell:
/bin/bash
uidNumber:
5204
gidNumber:
5204
homeDirectory:
/home/user200

 cp /usr/share/doc/sudo- 1.8.6p3/schema.OpenLDAP /etc/openldap/schema/sudo.schema

include /etc/openldap/schema/sudo.schema

rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
chown -R ldap.ldap /etc/openldap/slapd.d/ # Empower, otherwise start sladp Will report an error
/etc/init.d/sladp restart #Restart the service to make the configuration take effect

 dn: ou=sudoers,dc=hello,dc=com
ou: sudoers
objectClass: top
objectClass: organizationalUnit

dn: cn=admin,ou=group,dc=hello,dc=com
cn: admin
gidNumber: 505
objectClass: posixGroup< br>objectClass: top

dn: cn=%admin,ou=sudoers,dc=hello,dc=com
objectClass: sudoRole
cn: %admin
sudoUser: %admin
sudoHost: ALL
sudoRunAsUser: root
sudoOption: !authenticate
sudoCommand: /bin/bash
EOF

cat >> modify_gid.ldif << EOF


dn: uid
=user200,ou=People,dc=hello,dc=com
changetype: modify
replace: gidNumber
gidNumber:
505

EOF


ldapmodify
-x -W -D "cn=admin,dc=hello,dc=com" -f modify_gid.ldif

cat >> /etc/nsswitch.conf << EOF

sudoers: ldap files
EOF

cp /usr/share/doc/openssh-ldap-5.3p1/openssh-lpk-openldap.schema /etc/openldap/schema/

include /etc/openldap/schema/openssh-lpk-openldap.schema

rm -rf /etc/openldap/slapd.d/*

slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
chown -R ldap.ldap /etc/openldap/slapd.d/ #赋权,不然启动sladp 会报错
/etc/init.d/sladp restart #重启服务让配置生效

cp /usr/share/doc/openssh-ldap-5.3p1/ldap.conf /etc/ssh/

uri ldap://192.168.85.137/

base dc=hello,dc=com
ssl no

RSAAuthentication yes

PubkeyAuthentication yes
AuthorizedKeysCommand
/usr/bin/get_pubkey #这个命令可以自己实现,只要最终能获取pubkey就行了,切结配置末尾不要有空格,否则会报错。
AuthorizedKeysCommandRunAs nobody

#!/bin/sh -e

ldapsearch
-x -D cn=admin,dc=hello,dc=com -w 123qaz\! -b ou=People,dc=hello,dc=com -H ldap://192.168.85.137 ‘(&(objectClass=posixAccount)(uid=‘"$1"‘))‘ \
sshPublicKey | sed -n /^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp

cat >> add_objectclass.ldif << EOF
dn: uid=user200,ou=People,dc=hello,dc=com
changetype: modify
add: objectclass
objectClass: ldapPublicKey
-
add: sshPublicKey
sshPublicKey: ssh
-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxKFoN4eC4bkKYDjK7YoivzGz2tpHbL2Gu4fyEIHrVDuxFwBHt2sKNG/Y56xDIwaMczeLgJkymjzfq7bZTJxZHAKN4x3qvzBA0UYSjnbr3YM9yMKqCllEWMjhVCchDI7vclO/VhsZRB/rSsGivIQjPEzwnn7qcnPhkqte6pa5i5C71NlcFf2Bz3HIE6zpcRFKEYrQgEcJa2fNFDUuY9PN5O1KRahSIPmg2mvWrr7DgTzI+TjCtlxrZuWXJPmJUuV2CWl9J4xcq5KV8Pf8LwlTvIuLx1hnYhojelM7LE4jh2mXweWl4My8xoeOw5hhJ9ekGTQgi1EeooVexguDHo/pnQ== [email protected]
EOF

cat > /etc/openldap/schema/ldapns.schema << EOF
attributetype ( 1.3.6.1.4.1.5322.17.2.1 NAME authorizedService
DESC
IANA GSS-API authorized service name
EQUALITY caseIgnoreMatch
SYNTAX
1.3.6.1.4.1.1466.115.121.1.15{256} )

attributetype (
1.3.6.1.4.1.5322.17.2.2 NAME loginStatus
DESC
Currently logged in sessions for a user
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
ORDERING caseIgnoreOrderingMatch
SYNTAX OMsDirectoryString )

objectclass (
1.3.6.1.4.1.5322.17.1.1 NAME authorizedServiceObject
DESC
Auxiliary object class for adding authorizedService attribute
SUP top
AUXILIARY
MAY authorizedService )

objectclass (
1.3.6.1.4.1.5322.17.1.2 NAME hostObject
DESC
Auxiliary object class for adding host attribute
SUP top
AUXILIARY
MAY host )

objectclass (
1.3.6.1.4.1.5322.17.1.3 NAME loginStatusObject
DESC
Auxiliary object class for login status attribute
SUP top
AUXILIARY
MAY loginStatus )
EOF

include     /etc/openldap/schema/ldapns.schema


modulepath
/usr/lib64/openldap
moduleload dynlist.la

overlay dynlist
dynlist
-attrset inetOrgPerson labeledURI

rm -rf /etc/openldap/slapd.d/*

slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
chown -R ldap.ldap /etc/openldap/slapd.d/ #赋权,不然启动sladp 会报错
/etc/init.d/sladp restart #重启服务让配置生效

cat << EOF | ldapadd -x -W -H ldaps:/// -D cn=admin,dc=hello,dc=com

dn: ou=servers,dc=hello,dc=com
objectClass: organizationalUnit
ou: servers

dn: ou
=redis,ou=servers,dc=hello,dc=com
objectClass: organizationalUnit
objectClass: hostObject
ou: redis
host: node1

host: node2


dn: ou
=webserver,ou=servers,dc=hello,dc=com
objectClass: organizationalUnit
objectClass: hostObject
ou: webserver
host: node1

EOF

dn: uid=user200,ou=People,dc=hello,dc=com

changetype: modify
add: objectClass
objectClass: hostObject
-
add: labeledURI
labeledURI: ldap:
///ou=webserver,ou=servers,dc=hello,dc=com?host

pam_check_host_attr yes

cat >> add_objectclass.ldif << EOF
dn: uid=user200,ou=People,dc=hello,dc=com
changetype: modify
add: host
host: node3
EOF

ldapadd -x -w 123qaz\! -D "cn=admin,dc=hello,dc=com" -f add_objectclass.ldif

dn: cn=node2,ou=servers,dc=hello,dc=com

objectClass: ipHost
objectClass: device
objectClass: extensibleObject
ipHostNumber:
192.168.85.139
cn: node2
uniquemember: uid
=user200,ou=people,dc=hello,dc=com #指定允许登陆用户

pam_groupdn cn=node2,ou=servers,dc=hello,dc=com

pam_member_attribute uniquemember

WordPress database error: [Table 'yf99682.wp_s6mz6tyggq_comments' doesn't exist]
SELECT SQL_CALC_FOUND_ROWS wp_s6mz6tyggq_comments.comment_ID FROM wp_s6mz6tyggq_comments WHERE ( comment_approved = '1' ) AND comment_post_ID = 5076 ORDER BY wp_s6mz6tyggq_comments.comment_date_gmt ASC, wp_s6mz6tyggq_comments.comment_ID ASC

Leave a Comment

Your email address will not be published.