The company where I work uses LDAP for centralized identity authentication, so I decided to study this architecture. After reading many tutorials on the Internet, I found they were either incomplete or could not be made to work. After studying for three days and combining resources from every direction, I finally got it working. It was not easy, so here is a record:
One. Result:
1. Centralized management of Linux accounts in OpenLDAP
2. Control over whether an account may sudo to root
3. Login with either a password or a public key
4. Control over which hosts a user may log in to
Two. System environment:
Red Hat Enterprise Linux Server release 6.7 (Santiago)
Three. Project topology:
A two-node demonstration is used:
ldap server: 192.168.85.137 (acts as both server and client)
ldap client: 192.168.85.139
Four. Software version:
openldap-servers-2.4.40-16.el6.x86_64
# Preparation before installation:
1. Turn off firewall and selinux
2. Configure hosts resolution:
192.168.85.137 node1
192.168.85.139 node2
3. Configure ntp time synchronization:
ntpdate time.windows.com
# Install openldap server:
yum install -y openldap-servers-2.4.40-16.el6.x86_64 openldap-clients-2.4.40-16.el6.x86_64 openldap-2.4.40-16.el6.x86_64 openldap-devel-2.4.40-16.el6.x86_64 compat-openldap.x86_64
# Initialize openldap configuration:
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
chown -R ldap.ldap /etc/openldap
chown -R ldap.ldap /var/lib/ldap
# Edit /etc/openldap/slapd.conf (modify the following items; everything else can keep the default or be changed to suit your needs. I only modified these three items here)
suffix "dc=hello,dc=com"   # the domain name suffix, similar to the top-level parent domain
rootdn "cn=admin,dc=hello,dc=com"   # the new administrator, admin
rootpw {SSHA}LoVG+OZ61YG95bbZbVDZnkotGRSchz+Q   # the administrator's password, either plain text or cipher text; the cipher text is generated by slappasswd
#Generate configuration file:
rm -fr /etc/openldap/slapd.d/*   # delete the old configuration database
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d   # check slapd.conf for syntax errors and generate the configuration database
chown -R ldap.ldap /etc/openldap/slapd.d   # the generated database must be owned by ldap, otherwise slapd fails to start
# Start ldap server:
/etc/init.d/slapd start
# OpenLDAP listens on port 389 by default; check whether the service has started successfully:
############################# Client configuration
# Client deployment, install openldap client software:
yum install -y openldap-clients.x86_64 nss-pam-ldap
# Modify /etc/nslcd.conf and add the following content:
uri ldap://192.168.85.137/
base dc=hello,dc=com
ssl no
# Modify /etc/pam_ldap.conf and add the following content:
base dc=hello,dc=com
uri ldap://192.168.85.137/
# Modify /etc/pam.d/system-auth
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid>=500 quiet
# add ldap module
auth sufficient pam_ldap.so
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_succeed_if.so uid<500 quiet
# add ldap module
account required pam_ldap.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
# add ldap module
password sufficient pam_ldap.so use_authtok md5
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
# add ldap module
session optional pam_ldap.so
# Modify /etc/pam.d/sshd (this file is needed for ssh login: if you only modify /etc/pam.d/system-auth, console login works, but remote ssh login will have problems)
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid>=500 quiet
# load ldap
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_succeed_if.so uid<500 quiet
# load ldap
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
# load ldap
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet
session required pam_unix.so
# create the user's home directory automatically
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
# load ldap module
session optional pam_ldap.so
# Modify /etc/nsswitch.conf, specify the search order:
passwd: files ldap
shadow: files ldap
group: files ldap
# Modify /etc/sysconfig/authconfig
USESHADOW=yes
USELDAPAUTH=yes
USELOCAUTHORIZE=yes
USELDAP=yes
# Create a new ou to store users:
dn: ou=People,dc=hello,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit
# Create a new ou to store the group:
dn: ou=Group,dc=hello,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
# New user user200
dn: uid=user200,ou=People,dc=hello,dc=com
uid: user200
cn: user200
sn: user200
objectClass: posixAccount
objectClass: person
objectClass: inetOrgPerson
objectClass: shadowAccount
# the cipher-text password, generated by the slappasswd -c -s command
userPassword: {CRYPT}-s2a6QekMTXp6
shadowLastChange: 18171
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 5204
gidNumber: 5204
homeDirectory: /home/user200
NOTE: The password can be filled in as plain text or as cipher text, but to log in to Linux you must use the value generated by slappasswd -c -s. That command produces the crypt(3) format, which Linux recognizes. Although people on the Internet say plain text can be used, I could not get it to work.
# Start the ldap client
/etc/init.d/nslcd start
The configuration is complete, and remote ssh login is now possible.
############################# Configure user sudo
######## Server configuration
1. sudo can be configured through the local sudoers file or through the ldap server. Here the ldap server is used.
# Copy the sudo schema
cp /usr/share/doc/sudo-1.8.6p3/schema.OpenLDAP /etc/openldap/schema/sudo.schema
# Edit /etc/openldap/slapd.conf and add the following configuration:
include /etc/openldap/schema/sudo.schema
# Generate a new database configuration:
rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
chown -R ldap.ldap /etc/openldap/slapd.d/   # fix ownership, otherwise starting slapd reports an error
/etc/init.d/slapd restart   # restart the service so the configuration takes effect
# It is best to install phpldapadmin; its web interface lets us operate on ldap graphically. The installation process can be found by searching and is omitted here. One thing to note: if you install phpldapadmin with yum, it may keep reporting that the password is incorrect. I did not investigate the specific reason; downloading the source code from the Internet and installing from that works, so don't worry about it.
# New sudoers ou:
dn: ou=sudoers,dc=hello,dc=com
ou: sudoers
objectClass: top
objectClass: organizationalUnit
# New group admin:
dn: cn=admin,ou=group,dc=hello,dc=com
cn: admin
gidNumber: 505
objectClass: posixGroup
objectClass: top
# New sudo rule:
dn: cn=%admin,ou=sudoers,dc=hello,dc=com
objectClass: sudoRole
cn: %admin
sudoUser: %admin
sudoHost: ALL
sudoRunAsUser: root
sudoOption: !authenticate
sudoCommand: /bin/bash
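The sudoRole entry above gives every member of the admin group a root shell on every host without a password prompt. The following added example (not from the original post; sudo_role_ldif, parse_ldif_entry and audit_sudo_role are my own names) renders such an entry under the page's ou=sudoers,dc=hello,dc=com and lists the points a reviewer would raise before loading it with ldapadd.

```python
from typing import Dict, List

BASE_DN = "dc=hello,dc=com"  # suffix from slapd.conf on this page
SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh", "ALL"}  # commands that amount to a full shell


def sudo_role_ldif(name: str, users: List[str], hosts: List[str], runas: List[str],
                   commands: List[str], options: List[str]) -> str:
    """Render one sudoRole entry (sudo schema) under ou=sudoers as LDIF text."""
    lines = [f"dn: cn={name},ou=sudoers,{BASE_DN}", "objectClass: sudoRole", f"cn: {name}"]
    lines += [f"sudoUser: {u}" for u in users]
    lines += [f"sudoHost: {h}" for h in hosts]
    lines += [f"sudoRunAsUser: {r}" for r in runas]
    lines += [f"sudoCommand: {c}" for c in commands]
    lines += [f"sudoOption: {o}" for o in options]
    return "\n".join(lines) + "\n"


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Minimal parser for one LDIF entry (no base64 values, no line continuations)."""
    attrs: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        attrs.setdefault(key.strip(), []).append(value.strip())
    return attrs


def audit_sudo_role(attrs: Dict[str, List[str]]) -> List[str]:
    """Return review findings for a parsed sudoRole entry (empty list means none)."""
    findings = []
    if "!authenticate" in attrs.get("sudoOption", []):
        findings.append("no password prompt (sudoOption: !authenticate)")
    if any(c in SHELLS for c in attrs.get("sudoCommand", [])):
        findings.append("grants an interactive shell (sudoCommand)")
    if "ALL" in attrs.get("sudoHost", []):
        findings.append("applies to every host (sudoHost: ALL)")
    if "ALL" in attrs.get("sudoUser", []):
        findings.append("applies to every user (sudoUser: ALL)")
    return findings


if __name__ == "__main__":
    # The rule from this page, re-rendered and audited.
    rule = sudo_role_ldif("%admin", ["%admin"], ["ALL"], ["root"], ["/bin/bash"], ["!authenticate"])
    print(rule)
    for finding in audit_sudo_role(parse_ldif_entry(rule)):
        print("finding:", finding)
```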