Centralized Linux identity and authentication with OpenLDAP (RHEL 6)

The company I work for uses centralized LDAP identity authentication, so I set out to study the architecture. Most tutorials online were either incomplete or could not be reproduced. After three days of combining material from several sources I finally got a working setup, so here is the record. One caveat up front: everything below was done in a lab with the firewall and SELinux disabled and LDAP traffic unencrypted (`ssl no`). Treat it as a starting point to understand the moving parts, not as a production recipe.

I. What this setup achieves:

1. Centralized management of Linux accounts in OpenLDAP

2. Control over whether an account may sudo to root

3. Password and SSH public-key login

4. Control over which hosts a user may log in to

II. System environment:

Red Hat Enterprise Linux Server release 6.7 (Santiago)

III. Topology:

A two-node demonstration:

LDAP server: 192.168.85.137 (acts as both server and client)

LDAP client: 192.168.85.139

IV. Software version:

openldap-servers-2.4.40-16.el6.x86_64

Preparation before installation:


1. Turn off the firewall and SELinux. This is a lab shortcut only: in production keep SELinux enforcing and open just the LDAP port (TCP 389, or 636 for LDAPS) from the clients to the server.

2. Configure /etc/hosts name resolution. The host-based login restriction later in this article matches on hostnames, so names must be consistent on every node:

192.168.85.137 node1
192.168.85.139 node2

3. Configure NTP time synchronization (a one-shot ntpdate is enough for the lab; run ntpd for ongoing sync):

ntpdate time.windows.com

Install the OpenLDAP server:

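# Server-side packages. (The rendered article had a stray space in "openldap-2.4.40 -16";
# the version string is one token.) openldap-devel and compat-openldap are not needed
# to run slapd; they are kept because the original author installed them.
yum install -y openldap-servers-2.4.40-16.el6.x86_64 openldap-clients-2.4.40-16.el6.x86_64 openldap-2.4.40-16.el6.x86_64 openldap-devel-2.4.40-16.el6.x86_64 compat-openldap.x86_64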

Initialize the OpenLDAP configuration:

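# Seed the BDB tuning file and the legacy slapd.conf (RHEL 6 ships it as .obsolete).
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
# slapd.conf will hold the rootpw hash: keep it owned by root and readable only by the
# ldap group. The original did `chown -R ldap.ldap /etc/openldap`, which also hands the
# schema directory and the config file to the service account — wider than slapd needs.
chown root:ldap /etc/openldap/slapd.conf
chmod 0640 /etc/openldap/slapd.conf
# The database directory must be writable by the slapd service user.
chown -R ldap:ldap /var/lib/ldap
# NOTE: the `suffix "dc=hello,dc=com"` line that followed here in the original is a
# slapd.conf directive, not a shell command; it belongs in the slapd.conf edit below.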

Edit /etc/openldap/slapd.conf. Only the following three directives were changed here; everything else can keep its default or be adjusted to your needs.

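# slapd.conf(5) documents comments only as whole lines beginning with '#', so the
# notes are kept on their own lines instead of trailing the directives.

# Base DN of the directory tree; every entry created below lives under it.
suffix "dc=hello,dc=com"
# Directory administrator (rootdn). It bypasses every ACL, so use it for administration
# only — never as the bind identity in client configs or helper scripts.
rootdn "cn=admin,dc=hello,dc=com"
# rootdn password. Always a hash produced by `slappasswd` (SSHA here), never plaintext,
# and keep this file unreadable to ordinary users (root:ldap 0640).
rootpw {SSHA}LoVG+OZ61YG95bbZbVDZnkotGRSchz+Q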

Generate the slapd.d configuration database:

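# Rebuild the slapd.d configuration database from slapd.conf. -F is given explicitly
# so the output lands in slapd.d (the same form the later sections use), and the result
# is handed to the service account before slapd is started.
rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
chown -R ldap:ldap /etc/openldap/slapd.d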

  

Start the LDAP server:

 /etc/init.d/slapd start

OpenLDAP listens on TCP 389 by default (636 for LDAPS). Confirm the service started and is listening, for example with `netstat -tlnp | grep slapd`:


Client configuration

Client deployment: install the LDAP client packages:

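# Client packages. nslcd and /etc/nslcd.conf come from nss-pam-ldapd; pam_ldap.so and
# /etc/pam_ldap.conf (both used below) come from pam_ldap. The original listed
# "nss-pam-ldap", which does not match a RHEL 6 package name — confirm with
# `yum search nss-pam-ldapd pam_ldap` on your repository.
yum install -y openldap-clients.x86_64 nss-pam-ldapd pam_ldap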

  

Edit /etc/nslcd.conf and add the following:

# LDAP server used by nslcd for NSS lookups (passwd/shadow/group). Plain ldap:// on 389.
uri ldap://192.168.85.137/
# Search base for all maps.
base dc=hello,dc=com
# WARNING: "ssl no" sends every lookup, and any bind password, in cleartext across the
# network. Acceptable only in an isolated lab. Once the server has a certificate, use
#   ssl start_tls
#   tls_reqcert demand
#   tls_cacertfile /path/to/ca.crt
# (or an ldaps:// uri) so the client also verifies the server's identity.
ssl no

  

Edit /etc/pam_ldap.conf and add the following:

# pam_ldap authenticates by binding to the directory with the user's password. Without
# TLS (no ssl/tls_* directives here, i.e. the default "ssl no") that password crosses
# the network in cleartext. Add `ssl start_tls`, `tls_checkpeer yes` and
# `tls_cacertfile` once the server has a certificate.
base dc=hello,dc=com
uri ldap://192.168.85.137/

  

Edit /etc/pam.d/system-auth (console/local logins):

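# /etc/pam.d/system-auth — local (console) logins. Local accounts are checked first and
# LDAP second; UIDs below 500 are system accounts and are never sent to LDAP.

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
# pam_succeed_if wants "field op value" as three separate words; the rendered article
# ran them together as "uid>=500".
auth        requisite     pam_succeed_if.so uid >= 500 quiet
# use_first_pass: reuse the password pam_unix already collected instead of prompting a
# second time (the sshd file below already did this).
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
# "required" here (the original) would lock out purely local users whenever the LDAP
# server is unreachable or does not know them. Ignore unknown users, but fail on a real
# LDAP denial such as the host restriction configured later in this article.
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
# sha512 instead of md5: md5-crypt is weak and RHEL 6 pam_unix supports sha512.
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet
session     required      pam_unix.so
# Create the home directory on first login. umask=0077 keeps it private; the original
# 0022 made every new home directory world-readable.
session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0077
session     optional      pam_ldap.so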

Edit /etc/pam.d/sshd. This file governs SSH logins: if only /etc/pam.d/system-auth is changed, console login works but remote SSH login fails.

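# /etc/pam.d/sshd — SSH logins. RHEL 6's stock sshd file includes password-auth rather
# than system-auth, which is presumably why editing system-auth alone did not affect
# SSH; the LDAP lines are therefore repeated here in the same layout.

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
# "field op value" must be three separate words for pam_succeed_if.
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
# Users unknown to LDAP (local accounts) are ignored; an explicit LDAP denial — e.g. the
# host restriction configured later — fails the login.
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so
password    requisite     pam_cracklib.so try_first_pass retry=3
# sha512 rather than md5-crypt for local password hashes.
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet
session     required      pam_unix.so
# Create the home directory on first login; 0077 keeps it private (original: 0022).
session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0077
session     optional      pam_ldap.so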

  

 

Edit /etc/nsswitch.conf and set the lookup order:

# Local files first, LDAP second, so root and system accounts keep working when the
# directory is unreachable.
passwd: files ldap
shadow: files ldap
group: files ldap

Edit /etc/sysconfig/authconfig:

# Tell authconfig that LDAP is in use, so a later `authconfig --update` regenerates the
# PAM/NSS files with the LDAP entries instead of stripping them.
USESHADOW=yes
USELDAPAUTH=yes
USELOCAUTHORIZE=yes
USELDAP=yes

Create an OU for users (LDIF):

# Container for user entries (uid=...,ou=People,...).
dn: ou =People,dc=hello,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

Create an OU for groups (LDIF):

# Container for posixGroup entries (cn=...,ou=Group,...).
dn: ou =Group,dc=hello,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

Create the user user200 (LDIF):

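# Entry for user200. The rendered article split each attribute from its value across two
# lines, which is not valid LDIF; each "attribute: value" pair is on one line here.
# LDIF has no inline comments (only whole lines starting with '#'), so notes are on
# their own lines.
dn: uid=user200,ou=People,dc=hello,dc=com
uid: user200
cn: user200
sn: user200
objectClass: posixAccount
objectClass: person
objectClass: inetOrgPerson
objectClass: shadowAccount
# crypt(3) hash produced by slappasswd with the {CRYPT} scheme (the article's
# `slappasswd -c ... -s` form). The value below is a published example hash of an
# unknown password — generate your own, never reuse it.
userPassword: {CRYPT}-s2a6QekMTXp6
# shadow* attributes mirror the /etc/shadow fields (values in days since the epoch).
# shadowMax 99999 effectively disables password expiry; tighten it for production.
shadowLastChange: 18171
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 5204
# No group with gidNumber 5204 is created in this article; the sudo section later
# replaces it with 505 (cn=admin).
gidNumber: 5204
homeDirectory: /home/user200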

NOTE: userPassword may hold either a plaintext or a hashed value, but for Linux logins I could only make a crypt(3) hash work — the value produced by `slappasswd` with the {CRYPT} scheme (the `-c`/`-s` form above), which is the format the Linux password checks recognise. Plaintext is reported to work elsewhere online, but I could not reproduce it — and storing cleartext passwords in the directory is a bad idea regardless.


Start the LDAP client daemon:

/etc/init.d/nslcd start

Configuration is complete; test a remote SSH login with the LDAP user.


Configure user sudo

Server configuration

1. sudo rules can live in the local sudoers file or in the LDAP directory; here they are stored on the LDAP server.

Copy the sudo schema shipped with the sudo package:

 cp /usr/share/doc/sudo-1.8.6p3/schema.OpenLDAP /etc/openldap/schema/sudo. schema

Edit /etc/openldap/slapd.conf and add:

include /etc/openldap/schema/sudo.schema

Regenerate the configuration database:

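# Rebuild slapd.d from slapd.conf and restart. (The service is "slapd"; the article
# had it misspelled "sladp".)
rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
# slapd runs as the ldap user and must own its config database, or it fails to start.
chown -R ldap:ldap /etc/openldap/slapd.d/
/etc/init.d/slapd restart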

 

It is convenient to install phpLDAPadmin, a web UI for managing the directory; its installation is documented elsewhere and is omitted here. One note from my experience: the yum-packaged phpLDAPadmin kept reporting an incorrect password (I did not investigate why), while a source install worked. If you install from source, fetch it from the project's official release page and verify the download's checksum or signature — a web tool you log into with the rootdn password is a poor place to run unverified code — and expose it only on an administrative network.

Create the sudoers OU (LDIF):

# Container for sudoRole entries; sudo-ldap searches this subtree for rules.
dn: ou=sudoers,dc=hello,dc=com
ou: sudoers
objectClass: top
objectClass: organizationalUnit

Create the group admin (LDIF):

# POSIX group "admin" (gidNumber 505). The sudo rule below matches members via "%admin".
# "ou=group" here vs "ou=Group" when the OU was created: ou values are matched
# case-insensitively, so both DNs name the same entry.
dn: cn=admin,ou=group,dc=hello,dc=com
cn: admin
gidNumber: 505
objectClass: posixGroup
objectClass: top

  

Create the sudo rule:


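# sudo rule for the %admin group. Written as a heredoc + ldapadd so it is applied the
# same way as the other LDIF snippets in this article (the original showed only the
# LDIF and a dangling EOF).
cat > sudo_admin.ldif << EOF
dn: cn=%admin,ou=sudoers,dc=hello,dc=com
objectClass: sudoRole
cn: %admin
sudoUser: %admin
sudoHost: ALL
sudoRunAsUser: root
sudoCommand: /bin/bash
EOF
# The original rule also carried `sudoOption: !authenticate` — a passwordless root shell
# on every host for everyone in the group, which turns any unlocked session or leaked
# SSH key into immediate root. It is left out here so sudo still asks for the password.
# Note that `sudoCommand: /bin/bash` is effectively ALL; if only specific admin tasks are
# needed, list those binaries instead.
ldapadd -x -W -D "cn=admin,dc=hello,dc=com" -f sudo_admin.ldif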

Add the user to the admin group; members of this group may sudo to root:

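# Put user200 into the admin group. The original does this by replacing the user's
# primary gidNumber with 505; sudo then matches %admin through the user's group list.
# `>` (not `>>`) so re-running the snippet does not accumulate stale records.
cat > modify_gid.ldif << EOF
dn: uid=user200,ou=People,dc=hello,dc=com
changetype: modify
replace: gidNumber
gidNumber: 505
EOF
# -W prompts for the rootdn password instead of exposing it on the command line.
ldapmodify -x -W -D "cn=admin,dc=hello,dc=com" -f modify_gid.ldif
# Alternative that keeps the user's own primary group: add `memberUid: user200` to the
# posixGroup cn=admin,ou=Group instead of changing gidNumber.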

Client configuration:

# Let sudo read rules from LDAP first, then the local /etc/sudoers.
# NOTE(review): sudo-ldap also needs its own LDAP settings (URI, BASE and
# SUDOERS_BASE ou=sudoers,dc=hello,dc=com) in its config file — /etc/sudo-ldap.conf on
# RHEL 6 — which this article does not show; confirm on your system.
cat >> /etc/nsswitch.conf << EOF

sudoers: ldap files
EOF

Configure SSH public-key login

Copy the OpenSSH LPK schema (shipped in the openssh-ldap package docs):

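# Schema that defines the ldapPublicKey class and sshPublicKey attribute (the rendered
# article had a stray space in the version directory name).
cp /usr/share/doc/openssh-ldap-5.3p1/openssh-lpk-openldap.schema /etc/openldap/schema/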

Add the SSH schema to /etc/openldap/slapd.conf:

include /etc/openldap/schema/openssh-lpk-openldap.schema

Regenerate the configuration database:

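# Rebuild slapd.d from slapd.conf and restart (service name is "slapd", not "sladp").
rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
# slapd runs as the ldap user and must own its config database, or it fails to start.
chown -R ldap:ldap /etc/openldap/slapd.d/
/etc/init.d/slapd restart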

Configure the sshd LDAP client file. My environment worked without it and I am not sure which component reads it, but creating it does no harm:

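# Template LDAP client config from the openssh-ldap docs.
cp /usr/share/doc/openssh-ldap-5.3p1/ldap.conf /etc/ssh/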

Add the following to /etc/ssh/ldap.conf:

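# LDAP settings for the SSH key lookup (markup junk from the rendered page removed from
# the uri line). Same caveat as nslcd.conf: "ssl no" means the lookup travels in
# cleartext; switch to start_tls/ldaps once the server has a certificate.
uri ldap://192.168.85.137/
base dc=hello,dc=com
ssl no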

Configure /etc/ssh/sshd_config:

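# RSAAuthentication only affects SSH protocol 1; PubkeyAuthentication is the protocol-2
# setting that matters for this setup.
RSAAuthentication yes
PubkeyAuthentication yes
# sshd runs this helper with the login name as $1 and expects authorized_keys lines on
# stdout. sshd_config(5) requires the program to be owned by root and not writable by
# group or others. Keep keyword and path on one line with no trailing whitespace — the
# article notes that a trailing space makes sshd reject the option.
AuthorizedKeysCommand /usr/bin/get_pubkey
# Run the helper unprivileged (RHEL 6 OpenSSH 5.3 keyword; newer releases spell it
# AuthorizedKeysCommandUser).
AuthorizedKeysCommandRunAs nobody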

Content of get_pubkey (queries the LDAP server and prints the user's key):

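#!/bin/sh -e
# AuthorizedKeysCommand helper: print the sshPublicKey value(s) of the login name in $1.
#
# Differences from the original one-liner:
#  * It bound as the rootdn with the password written into the script. This file runs
#    as "nobody" and is readable by every local user, so that handed the directory
#    administrator's credential to anyone with a shell on the host. Bind with a
#    read-only account whose password lives in a file, or anonymously if your ACLs
#    allow reading sshPublicKey.
#  * $1 went straight into the LDAP filter. sshd only invokes this for names that
#    resolve to an account, but the string is still chosen by the remote user; accept
#    only a plain POSIX login name so filter metacharacters ( ) * \ never reach
#    ldapsearch.

LDAP_URI="ldap://192.168.85.137"
BASE_DN="ou=People,dc=hello,dc=com"
# Read-only bind DN; leave empty for an anonymous search. Never cn=admin.
BIND_DN=""
# Password for BIND_DN, one line, mode 0440, readable only by the RunAs user.
BIND_PW_FILE="/etc/ssh/ldap.secret"

user="$1"
case "$user" in
  ''|-*|*[!A-Za-z0-9._-]*) exit 1 ;;
esac

if [ -n "$BIND_DN" ]; then
  set -- -D "$BIND_DN" -y "$BIND_PW_FILE"
else
  set --
fi

# -LLL drops the LDIF header and comments. The first sed unwraps LDIF continuation
# lines (long keys are folded with a leading space); the second keeps only the values.
ldapsearch -x -LLL -H "$LDAP_URI" -b "$BASE_DN" "$@" \
    "(&(objectClass=posixAccount)(uid=$user))" sshPublicKey \
  | sed -e ':a' -e '$!N;s/\n //;ta' -e 'P;D' \
  | sed -n 's/^sshPublicKey: //p'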

Add the attributes user200 needs for public-key login:

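# Give user200 the ldapPublicKey auxiliary class and store the SSH public key.
# The key must be one unbroken line; the rendered article inserted spaces into it, and
# the key comment field was mangled to "[email protected]" — substitute your own key.
cat > add_objectclass.ldif << EOF
dn: uid=user200,ou=People,dc=hello,dc=com
changetype: modify
add: objectClass
objectClass: ldapPublicKey
-
add: sshPublicKey
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxKFoN4eC4bkKYDjK7YoivzGz2tpHbL2Gu4fyEIHrVDuxFwBHt2sKNG/Y56xDIwaMczeLgJkymjzfq7bZTJxZHAKN4x3qvzBA0UYSjnbr3YM9yMKqCllEWMjhVCchDI7vclO/VhsZRB/rSsGivIQjPEzwnn7qcnPhkqte6pa5i5C71NlcFf2Bz3HIE6zpcRFKEYrQgEcJa2fNFDUuY9PN5O1KRahSIPmg2mvWrr7DgTzI+TjCtlxrZuWXJPmJUuV2CWl9J4xcq5KV8Pf8LwlTvIuLx1hnYhojelM7LE4jh2mXweWl4My8xoeOw5hhJ9ekGTQgi1EeooVexguDHo/pnQ== [email protected]
EOF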

Submit the user200 modification to the LDAP server:

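# Apply the modify record. -W prompts for the rootdn password; the original passed it
# with -w on the command line, where it ends up in shell history and is visible to every
# local user in `ps`. ldapmodify is the natural tool for "changetype: modify" records.
ldapmodify -x -W -D "cn=admin,dc=hello,dc=com" -f add_objectclass.ldif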

Restrict users to specified hosts

By default a user may log in to every host. The allowed hosts can be restricted either on the client, via /etc/security/access.conf (pam_access), or centrally in OpenLDAP; here the control is done on the OpenLDAP side:

1. Restrict, per user, which hosts that user may log in to

2. Restrict, per host, which users may log in to that host

Restrict which hosts a user may log in to:

Import the new schema:

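# Schema for host-based access control (authorizedService/hostObject/loginStatus).
# The quotes around NAME and DESC values are required by the schema syntax; the rendered
# article wrapped them in HTML markup. The "host" attribute used by hostObject comes
# from cosine.schema, which the default slapd.conf already includes. The heredoc
# delimiter is quoted so nothing in the body is expanded by the shell.
cat > /etc/openldap/schema/ldapns.schema << 'EOF'
attributetype ( 1.3.6.1.4.1.5322.17.2.1 NAME 'authorizedService'
    DESC 'IANA GSS-API authorized service name'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )

attributetype ( 1.3.6.1.4.1.5322.17.2.2 NAME 'loginStatus'
    DESC 'Currently logged in sessions for a user'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    ORDERING caseIgnoreOrderingMatch
    SYNTAX OMsDirectoryString )

objectclass ( 1.3.6.1.4.1.5322.17.1.1 NAME 'authorizedServiceObject'
    DESC 'Auxiliary object class for adding authorizedService attribute'
    SUP top
    AUXILIARY
    MAY authorizedService )

objectclass ( 1.3.6.1.4.1.5322.17.1.2 NAME 'hostObject'
    DESC 'Auxiliary object class for adding host attribute'
    SUP top
    AUXILIARY
    MAY host )

objectclass ( 1.3.6.1.4.1.5322.17.1.3 NAME 'loginStatusObject'
    DESC 'Auxiliary object class for login status attribute'
    SUP top
    AUXILIARY
    MAY loginStatus )
EOF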

Edit /etc/openldap/slapd.conf and add the following:

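# --- global section (before the first "database" line) ---
include         /etc/openldap/schema/ldapns.schema
# dynlist is a loadable module on RHEL 6; load it before the database section.
modulepath      /usr/lib64/openldap
moduleload      dynlist.la

# --- inside the database section (after "database ..." and its suffix/rootdn lines) ---
# For every inetOrgPerson entry, expand the LDAP URL(s) in its labeledURI attribute and
# merge the attributes they select (here: host) into the entry at read time. This lets
# a user's host list come from the ou=servers groups instead of being stored per user.
overlay         dynlist
dynlist-attrset inetOrgPerson labeledURI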

Regenerate the configuration database:

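# Rebuild slapd.d from slapd.conf and restart (service name is "slapd", not "sladp").
rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
# slapd runs as the ldap user and must own its config database, or it fails to start.
chown -R ldap:ldap /etc/openldap/slapd.d/
/etc/init.d/slapd restart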

Define the host groups redis and webserver, each containing different hosts:

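# Host groups under ou=servers. Each group is an OU carrying the hostObject auxiliary
# class, so its "host" values can be pulled into user entries by the dynlist overlay.
# -H ldap:// matches the rest of this article; the original used ldaps:///, which only
# works once slapd has a certificate and listens on 636. The blank line the original
# had between the two redis hosts is removed: a blank line ends an LDIF record, so
# "host: node2" would have been an orphan line without a dn.
cat << EOF | ldapadd -x -W -H ldap://192.168.85.137/ -D "cn=admin,dc=hello,dc=com"
dn: ou=servers,dc=hello,dc=com
objectClass: organizationalUnit
ou: servers

dn: ou=redis,ou=servers,dc=hello,dc=com
objectClass: organizationalUnit
objectClass: hostObject
ou: redis
host: node1
host: node2

dn: ou=webserver,ou=servers,dc=hello,dc=com
objectClass: organizationalUnit
objectClass: hostObject
ou: webserver
host: node1
EOF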

Add an attribute to the user so the hosts of a host group are picked up automatically:

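# Make user200 a hostObject and point labeledURI at the webserver group; the dynlist
# overlay then presents that group's host values (here: node1) as the user's own host
# attribute. The labeledURI value is one line (the rendered article split it).
dn: uid=user200,ou=People,dc=hello,dc=com
changetype: modify
add: objectClass
objectClass: hostObject
-
add: labeledURI
labeledURI: ldap:///ou=webserver,ou=servers,dc=hello,dc=com?host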

Client: add to /etc/pam_ldap.conf:

# Deny the login unless this client's hostname appears among the user's "host" values.
# NOTE(review): the pam_ldap example config documents that, with this enabled, a user
# whose entry has no host value at all is refused — so every LDAP user needs at least
# one host (directly or via dynlist) before this is rolled out fleet-wide; verify on
# your version.
pam_check_host_attr yes

With the configuration above the client receives the hosts of the user's host group automatically, but only at group granularity. To allow a host that belongs to no group, add a host value directly to the user entry with the hostname to permit:

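# Allow user200 on a host that belongs to no group by adding a host value directly.
# Use a fresh file: the original appended (>>) to add_objectclass.ldif, which still held
# the earlier ldapPublicKey/sshPublicKey change — re-applying that fails with LDAP
# error 20 (attributeOrValueExists) and ldapmodify stops at the first error.
cat > add_host.ldif << EOF
dn: uid=user200,ou=People,dc=hello,dc=com
changetype: modify
add: host
host: node3
EOF
# -W prompts for the password rather than leaving it in history and `ps` output.
ldapmodify -x -W -D "cn=admin,dc=hello,dc=com" -f add_host.ldif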

Done — the host node3 is now allowed for user200.

NOTE: this restriction matches on the client's hostname only. At login the client looks the user up in LDAP and compares the entry's host values with the local hostname; on a match the login is allowed, otherwise it is rejected. Hostnames must therefore agree exactly with the attribute values on every client — renaming a host silently changes who may log in. For SSH logins the /etc/pam.d/sshd file must contain the account pam_ldap line shown at the beginning of this article, otherwise the host check is never evaluated.

Second approach: specify which users may log in on a given host:

Add the host entry (LDIF):

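# Per-host entry listing the users allowed to log in there.
# extensibleObject switches schema checking off for this entry so that uniqueMember
# (normally from groupOfUniqueNames) can sit alongside device/ipHost. The price is that
# typos in attribute names are silently accepted — verify the entry with ldapsearch.
dn: cn=node2,ou=servers,dc=hello,dc=com
objectClass: ipHost
objectClass: device
objectClass: extensibleObject
ipHostNumber: 192.168.85.139
cn: node2
# Each uniqueMember value is the DN of a user permitted on this host.
uniqueMember: uid=user200,ou=People,dc=hello,dc=com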

Client configuration:

Add to /etc/pam_ldap.conf:

# Only users listed in this entry (the cn=node2 host entry created above) may log in.
pam_groupdn cn=node2,ou=servers,dc=hello,dc=com

# Attribute on that entry whose values are the permitted user DNs.
pam_member_attribute uniquemember

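# Server-side packages (the rendered article split the version string with spaces).
yum install -y openldap-servers-2.4.40-16.el6.x86_64 openldap-clients-2.4.40-16.el6.x86_64 openldap-2.4.40-16.el6.x86_64 openldap-devel-2.4.40-16.el6.x86_64 compat-openldap.x86_64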

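# Seed the BDB tuning file and the legacy slapd.conf.
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
# slapd.conf will hold the rootpw hash: root-owned, readable by the ldap group only.
# (The original recursively chowned all of /etc/openldap to the service account.)
chown root:ldap /etc/openldap/slapd.conf
chmod 0640 /etc/openldap/slapd.conf
# The database directory must be writable by the slapd service user.
chown -R ldap:ldap /var/lib/ldap
# NOTE: `suffix "dc=hello,dc=com"` is a slapd.conf directive, not a shell command; it
# belongs in the slapd.conf edit, where it is repeated below.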

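# slapd.conf(5) documents comments only as whole lines beginning with '#'; notes are
# therefore kept on their own lines rather than trailing the directives.

# Base DN of the directory tree.
suffix "dc=hello,dc=com"
# Directory administrator; bypasses all ACLs, so never use it from clients or scripts.
rootdn "cn=admin,dc=hello,dc=com"
# rootdn password: always a slappasswd hash (SSHA here), never plaintext.
rootpw {SSHA}LoVG+OZ61YG95bbZbVDZnkotGRSchz+Q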

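# Rebuild slapd.d from slapd.conf, writing explicitly to slapd.d, and hand it to the
# service account before slapd is started.
rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
chown -R ldap:ldap /etc/openldap/slapd.d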

/etc/init.d/slapd start

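# Client packages: nslcd comes from nss-pam-ldapd, pam_ldap.so from pam_ldap
# ("nss-pam-ldap" in the original is not a RHEL 6 package name — confirm with yum search).
yum install -y openldap-clients.x86_64 nss-pam-ldapd pam_ldap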

# nslcd: LDAP server and search base for NSS lookups.
uri ldap://192.168.85.137/
base dc=hello,dc=com
# WARNING: cleartext LDAP — lab only. Use `ssl start_tls` with `tls_reqcert demand`
# and a `tls_cacertfile` (or an ldaps:// uri) once the server has a certificate.
ssl no

# pam_ldap: binds with the user's password, which crosses the network in cleartext
# unless ssl/tls_* directives are added here.
base dc=hello,dc=com
uri ldap://192.168.85.137/

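# /etc/pam.d/system-auth — local (console) logins; local accounts first, LDAP second.

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
# "field op value" must be three separate words for pam_succeed_if.
auth        requisite     pam_succeed_if.so uid >= 500 quiet
# Reuse the password already collected instead of prompting a second time.
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
# Ignore users unknown to LDAP (local accounts); fail on an explicit LDAP denial such
# as the host restriction. A plain "required" here would lock out local users whenever
# the directory is unreachable.
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
# sha512 rather than md5-crypt for local password hashes.
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet
session     required      pam_unix.so
# Auto-create home directories; 0077 keeps them private (original: world-readable 0022).
session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0077
session     optional      pam_ldap.so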

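# /etc/pam.d/sshd — SSH logins. Same layout as system-auth; sshd does not pick up the
# system-auth edits on its own in this setup, so the LDAP lines are repeated.

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
# "field op value" must be three separate words for pam_succeed_if.
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
# Unknown-to-LDAP users are ignored; an explicit LDAP denial (host restriction) fails.
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so
password    requisite     pam_cracklib.so try_first_pass retry=3
# sha512 rather than md5-crypt for local password hashes.
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet
session     required      pam_unix.so
# Create the home directory on first login; 0077 keeps it private (original: 0022).
session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0077
session     optional      pam_ldap.so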

# Local files first, LDAP second, so root/system accounts survive a directory outage.
passwd: files ldap
shadow: files ldap
group: files ldap

# authconfig flags so a later `authconfig --update` keeps the LDAP entries.
USESHADOW=yes
USELDAPAUTH=yes
USELOCAUTHORIZE=yes
USELDAP=yes

# Container for user entries.
dn: ou=People,dc=hello,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

# Container for posixGroup entries.
dn: ou=Group,dc=hello,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

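# Entry for user200, with each "attribute: value" on one line (the rendered article
# split them, which is not valid LDIF). Notes are whole-line '#' comments.
dn: uid=user200,ou=People,dc=hello,dc=com
uid: user200
cn: user200
sn: user200
objectClass: posixAccount
objectClass: person
objectClass: inetOrgPerson
objectClass: shadowAccount
# crypt(3) hash from slappasswd ({CRYPT} scheme). This is a published example hash of an
# unknown password — generate your own and never reuse it.
userPassword: {CRYPT}-s2a6QekMTXp6
# shadow* fields as in /etc/shadow (days since epoch); 99999 disables expiry — tighten.
shadowLastChange: 18171
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 5204
# No group 5204 is created in this article; the sudo section changes it to 505.
gidNumber: 5204
homeDirectory: /home/user200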

 cp /usr/share/doc/sudo- 1.8.6p3/schema.OpenLDAP /etc/openldap/schema/sudo.schema

include /etc/openldap/schema/sudo.schema

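# Rebuild slapd.d from slapd.conf and restart (service is "slapd", not "sladp").
rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
# slapd runs as the ldap user and must own its config database, or it fails to start.
chown -R ldap:ldap /etc/openldap/slapd.d/
/etc/init.d/slapd restart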

# Container for sudoRole entries searched by sudo-ldap.
dn: ou=sudoers,dc=hello,dc=com
ou: sudoers
objectClass: top
objectClass: organizationalUnit

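# POSIX group "admin" (gidNumber 505); the sudo rule matches it as "%admin".
# (HTML "<br>" junk removed from the objectClass lines.) ou=group vs ou=Group: ou is
# matched case-insensitively, so both DNs name the same entry.
dn: cn=admin,ou=group,dc=hello,dc=com
cn: admin
gidNumber: 505
objectClass: posixGroup
objectClass: top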

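# sudo rule for the %admin group, as heredoc + ldapadd like the other LDIF snippets.
cat > sudo_admin.ldif << EOF
dn: cn=%admin,ou=sudoers,dc=hello,dc=com
objectClass: sudoRole
cn: %admin
sudoUser: %admin
sudoHost: ALL
sudoRunAsUser: root
sudoCommand: /bin/bash
EOF
# `sudoOption: !authenticate` from the original is deliberately dropped: it gave every
# group member a passwordless root shell on every host. /bin/bash as the only command
# is still effectively ALL — list specific binaries if that is all that is needed.
ldapadd -x -W -D "cn=admin,dc=hello,dc=com" -f sudo_admin.ldif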

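# Make admin (505) user200's primary group so sudo's %admin matches. `>` rather than
# `>>` so re-running does not accumulate stale records.
cat > modify_gid.ldif << EOF
dn: uid=user200,ou=People,dc=hello,dc=com
changetype: modify
replace: gidNumber
gidNumber: 505
EOF
# -W prompts for the rootdn password instead of exposing it on the command line.
ldapmodify -x -W -D "cn=admin,dc=hello,dc=com" -f modify_gid.ldif
# Alternative: add `memberUid: user200` to cn=admin,ou=Group and keep the user's own gid.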

# sudo rules from LDAP first, then local /etc/sudoers.
# NOTE(review): sudo-ldap also needs URI/BASE/SUDOERS_BASE in its own config file
# (/etc/sudo-ldap.conf on RHEL 6), which this article does not show; confirm.
cat >> /etc/nsswitch.conf << EOF

sudoers: ldap files
EOF

cp /usr/share/doc/openssh-ldap-5.3p1/openssh-lpk-openldap.schema /etc/openldap/schema/

include /etc/openldap/schema/openssh-lpk-openldap.schema

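# Rebuild slapd.d from slapd.conf and restart (service is "slapd", not "sladp").
rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
# Grant ownership to the ldap user, otherwise slapd fails to start.
chown -R ldap:ldap /etc/openldap/slapd.d/
# Restart so the new configuration takes effect.
/etc/init.d/slapd restart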

cp /usr/share/doc/openssh-ldap-5.3p1/ldap.conf /etc/ssh/

# /etc/ssh/ldap.conf: server and base for the SSH key lookup. "ssl no" is cleartext —
# lab only; use start_tls/ldaps once the server has a certificate.
uri ldap://192.168.85.137/

base dc=hello,dc=com
ssl no

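# RSAAuthentication is protocol-1 only; PubkeyAuthentication is what matters here.
RSAAuthentication yes
PubkeyAuthentication yes
# Helper that prints the user's authorized_keys lines; sshd passes the login name as $1.
# sshd_config(5) requires it to be root-owned and not group/other-writable. Keyword and
# path on one line, no trailing whitespace (a trailing space makes sshd reject it).
AuthorizedKeysCommand /usr/bin/get_pubkey
# Run the helper unprivileged (RHEL 6 keyword; newer releases: AuthorizedKeysCommandUser).
AuthorizedKeysCommandRunAs nobody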

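#!/bin/sh -e
# AuthorizedKeysCommand helper: print the sshPublicKey value(s) of the login name in $1.
#
# The original bound as the rootdn with its password hard-coded in this world-readable
# script (run as "nobody"), and spliced $1 unescaped into the LDAP filter; the rendered
# copy had also lost its quoting. Here: a read-only (or anonymous) bind with the
# password in a file, and the login name validated before it reaches the filter.

LDAP_URI="ldap://192.168.85.137"
BASE_DN="ou=People,dc=hello,dc=com"
# Read-only bind DN; leave empty for an anonymous search. Never cn=admin.
BIND_DN=""
# Password for BIND_DN, one line, mode 0440, readable only by the RunAs user.
BIND_PW_FILE="/etc/ssh/ldap.secret"

user="$1"
case "$user" in
  ''|-*|*[!A-Za-z0-9._-]*) exit 1 ;;
esac

if [ -n "$BIND_DN" ]; then
  set -- -D "$BIND_DN" -y "$BIND_PW_FILE"
else
  set --
fi

# -LLL drops the LDIF header; first sed unwraps folded lines, second keeps key values.
ldapsearch -x -LLL -H "$LDAP_URI" -b "$BASE_DN" "$@" \
    "(&(objectClass=posixAccount)(uid=$user))" sshPublicKey \
  | sed -e ':a' -e '$!N;s/\n //;ta' -e 'P;D' \
  | sed -n 's/^sshPublicKey: //p'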

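# Give user200 the ldapPublicKey class and store the SSH public key. The key must be
# one unbroken line (the rendered article split "ssh-rsa" from the key); the comment
# field was mangled to "[email protected]" — substitute your own key.
cat > add_objectclass.ldif << EOF
dn: uid=user200,ou=People,dc=hello,dc=com
changetype: modify
add: objectClass
objectClass: ldapPublicKey
-
add: sshPublicKey
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxKFoN4eC4bkKYDjK7YoivzGz2tpHbL2Gu4fyEIHrVDuxFwBHt2sKNG/Y56xDIwaMczeLgJkymjzfq7bZTJxZHAKN4x3qvzBA0UYSjnbr3YM9yMKqCllEWMjhVCchDI7vclO/VhsZRB/rSsGivIQjPEzwnn7qcnPhkqte6pa5i5C71NlcFf2Bz3HIE6zpcRFKEYrQgEcJa2fNFDUuY9PN5O1KRahSIPmg2mvWrr7DgTzI+TjCtlxrZuWXJPmJUuV2CWl9J4xcq5KV8Pf8LwlTvIuLx1hnYhojelM7LE4jh2mXweWl4My8xoeOw5hhJ9ekGTQgi1EeooVexguDHo/pnQ== [email protected]
EOF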

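# Schema for host-based access control. This raw copy of the article had lost the quotes
# around NAME/DESC values, which the schema syntax requires; restored here. "host" itself
# comes from cosine.schema, already included by the default slapd.conf.
cat > /etc/openldap/schema/ldapns.schema << 'EOF'
attributetype ( 1.3.6.1.4.1.5322.17.2.1 NAME 'authorizedService'
    DESC 'IANA GSS-API authorized service name'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )

attributetype ( 1.3.6.1.4.1.5322.17.2.2 NAME 'loginStatus'
    DESC 'Currently logged in sessions for a user'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    ORDERING caseIgnoreOrderingMatch
    SYNTAX OMsDirectoryString )

objectclass ( 1.3.6.1.4.1.5322.17.1.1 NAME 'authorizedServiceObject'
    DESC 'Auxiliary object class for adding authorizedService attribute'
    SUP top
    AUXILIARY
    MAY authorizedService )

objectclass ( 1.3.6.1.4.1.5322.17.1.2 NAME 'hostObject'
    DESC 'Auxiliary object class for adding host attribute'
    SUP top
    AUXILIARY
    MAY host )

objectclass ( 1.3.6.1.4.1.5322.17.1.3 NAME 'loginStatusObject'
    DESC 'Auxiliary object class for login status attribute'
    SUP top
    AUXILIARY
    MAY loginStatus )
EOF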

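# --- global section (before the first "database" line) ---
include         /etc/openldap/schema/ldapns.schema
# dynlist is a loadable module on RHEL 6; load it before the database section.
modulepath      /usr/lib64/openldap
moduleload      dynlist.la

# --- inside the database section ---
# Expand the LDAP URL(s) in each inetOrgPerson's labeledURI and merge the selected
# attributes (host) into the entry at read time.
overlay         dynlist
dynlist-attrset inetOrgPerson labeledURI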

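# Rebuild slapd.d from slapd.conf and restart (service is "slapd", not "sladp").
rm -rf /etc/openldap/slapd.d/*

slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
# Grant ownership to the ldap user, otherwise slapd fails to start.
chown -R ldap:ldap /etc/openldap/slapd.d/
# Restart so the new configuration takes effect.
/etc/init.d/slapd restart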

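# Host groups under ou=servers, each a hostObject whose host values dynlist can merge
# into user entries. ldap:// matches the rest of the article (ldaps:/// needs a
# certificate and port 636 first). The blank line between the two redis hosts is
# removed — a blank line terminates an LDIF record.
cat << EOF | ldapadd -x -W -H ldap://192.168.85.137/ -D "cn=admin,dc=hello,dc=com"
dn: ou=servers,dc=hello,dc=com
objectClass: organizationalUnit
ou: servers

dn: ou=redis,ou=servers,dc=hello,dc=com
objectClass: organizationalUnit
objectClass: hostObject
ou: redis
host: node1
host: node2

dn: ou=webserver,ou=servers,dc=hello,dc=com
objectClass: organizationalUnit
objectClass: hostObject
ou: webserver
host: node1
EOF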

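# Make user200 a hostObject whose host list is resolved from the webserver group via
# dynlist. labeledURI is one line (the rendered article split it).
dn: uid=user200,ou=People,dc=hello,dc=com
changetype: modify
add: objectClass
objectClass: hostObject
-
add: labeledURI
labeledURI: ldap:///ou=webserver,ou=servers,dc=hello,dc=com?host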

# Deny login unless this host's name is among the user's "host" values. Per the pam_ldap
# example config, users with no host value at all are then refused — make sure every
# LDAP user has at least one host before enabling this everywhere (verify on your version).
pam_check_host_attr yes

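# Allow user200 on node3 directly. A fresh file is used: appending to
# add_objectclass.ldif would re-apply the earlier sshPublicKey change and fail with
# LDAP error 20 (attributeOrValueExists).
cat > add_host.ldif << EOF
dn: uid=user200,ou=People,dc=hello,dc=com
changetype: modify
add: host
host: node3
EOF
# -W prompts for the password instead of leaving it in history and `ps` output.
ldapmodify -x -W -D "cn=admin,dc=hello,dc=com" -f add_host.ldif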

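# Per-host entry listing the users allowed on it. extensibleObject disables schema
# checking for this entry so uniqueMember can sit beside device/ipHost; attribute-name
# typos are then accepted silently, so verify the entry with ldapsearch.
dn: cn=node2,ou=servers,dc=hello,dc=com
objectClass: ipHost
objectClass: device
objectClass: extensibleObject
ipHostNumber: 192.168.85.139
cn: node2
# DN of each user permitted to log in on this host.
uniqueMember: uid=user200,ou=People,dc=hello,dc=com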

# Only users listed on the cn=node2 entry may log in here.
pam_groupdn cn=node2,ou=servers,dc=hello,dc=com

# Attribute of that entry holding the permitted user DNs.
pam_member_attribute uniquemember
