In a production CDH cluster, security authentication must be enabled. From CDH7 onwards Sentry has been replaced by Ranger, so enabling security involves these steps: install the cluster and enable Kerberos, install OpenLDAP and its clients, integrate sssd with SSH, integrate Hive, Impala and Hue with LDAP, and integrate Ranger with LDAP. Each of these steps is covered in detail in its own article.
This article explains how to install OpenLDAP and its clients. Note that Hue in CDP requires OpenLDAP to have TLS enabled; otherwise the LDAP integration cannot synchronise users.
OpenLDAP installation and configuration
1. Run the following command to install the OpenLDAP service
[root@cdh1 ~]# yum -y install openldap-clients openldap openldap-servers migrationtools openldap-devel nss-pam-ldapd bind-dyndb-ldap compat-openldap perl-LDAP krb5-server-ldap php-ldap openssl
Check the installed RPM packages
[root@cdh1 ~]# rpm -qa |grep openldap
openldap-devel-2.4.40-8.el7.x86_64
compat-openldap-2.3.43-5.el7.x86_64
openldap-2.4.40-8.el7.x86_64
openldap-servers-2.4.40-8.el7.x86_64
openldap-clients-2.4.40-8.el7.x86_64
2. Generate the TLS files with openssl
Generate the server's RSA private key with the following command (the post uses a 1024-bit key; 2048 bits or more is the usual minimum today)
[root@cdh1 ~]# openssl genrsa -out ldap.key 1024
Generating RSA private key, 1024 bit long modulus
..................................++++++
.++++++
e is 65537 (0x10001)
Generate the certificate signing request (CSR) with the following command
[root@cdh1 ~]# openssl req -new -key ldap.key -out ldap.csr
Only the Common Name needs to be filled in, with the hostname of the current server; leave the other fields empty.
Generate the self-signed certificate (public key) file with the following command
[root@cdh1 ~]# openssl x509 -req -days 3653 -in ldap.csr -signkey ldap.key -out ldap.crt
Copy the generated certificate and private key to the /etc/openldap/certs directory
[root@cdh1 ~]# cp ldap.crt ldap.key /etc/openldap/certs/
[root@cdh1 certs]# ll
total 92
-rw-r--r--. 1 root root 65536 Dec 18 2019 cert8.db
-rw-r--r--. 1 root root 16384 Dec 18 2019 key3.db
-rw-r--r-- 1 root root 814 Dec 18 2019 ldap.crt
-rw-r--r-- 1 root root 887 Dec 18 2019 ldap.key
-r--r-----. 1 root ldap 45 Apr 19 2018 password
-rw-r--r--. 1 root root 16384 Apr 19 2018 secmod.db
Note that in this listing ldap.key is readable by every local user. The private key should be owned by root with the ldap group and be readable only by those two (mode 640), since slapd runs as the ldap user and nothing else needs it.
3. Edit the OpenLDAP slapd.ldif configuration file
After the OpenLDAP service is installed, the default configuration and database files are under /usr/share/openldap-servers; copy slapd.ldif to /root
cd /usr/share/openldap-servers
cp slapd.ldif /root/
Edit slapd.ldif: set the TLS key and certificate paths, add the schema include lines, and configure the administrator account and the OpenLDAP root domain. The complete file is shown below. Note that olcRootPW is stored in clear text here (123456); slappasswd can generate a hashed {SSHA} value to use in its place.
[root@cdh1 ~]# cat slapd.ldif
#
# See slapd-config(5) for details on configuration options.
# This file should NOT be world readable.
#
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/openldap/slapd.args
olcPidFile: /var/run/openldap/slapd.pid
#
# TLS settings
#
olcTLSCACertificatePath: /etc/openldap/certs
olcTLSCertificateFile: /etc/openldap/certs/ldap.crt
olcTLSCertificateKeyFile: /etc/openldap/certs/ldap.key
#
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#
#olcReferral: ldap://root.openldap.org
#
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 64-bit encryption for simple bind
#
#olcSecurity: ssf=1 update_ssf=112 simple_bind=64
#
# Load dynamic backend modules:
# - modulepath is architecture dependent value (32/64-bit system)
# - back_sql.la backend requires openldap-servers-sql package
# - dyngroup.la and dynlist.la cannot be used at the same time
#
#dn: cn=module,cn=config
#objectClass: olcModuleList
#cn: module
#olcModulepath: /usr/lib/openldap
#olcModulepath: /usr/lib64/openldap
#olcModuleload: accesslog.la
#olcModuleload: auditlog.la
#olcModuleload: back_dnssrv.la
#olcModuleload: back_ldap.la
#olcModuleload: back_mdb.la
#olcModuleload: back_meta.la
#olcModuleload: back_null.la
#olcModuleload: back_passwd.la
#olcModuleload: back_relay.la
#olcModuleload: back_shell.la
#olcModuleload: back_sock.la
#olcModuleload: collect.la
#olcModuleload: constraint.la
#olcModuleload: dds.la
#olcModuleload: deref.la
#olcModuleload: dyngroup.la
#olcModuleload: dynlist.la
#olcModuleload: memberof.la
#olcModuleload: pcache.la
#olcModuleload: ppolicy.la
#olcModuleload: refint.la
#olcModuleload: retcode.la
#olcModuleload: rwm.la
#olcModuleload: seqmod.la
#olcModuleload: smbk5pwd.la
#olcModuleload: sssvlv.la
#olcModuleload: syncprov.la
#olcModuleload: translucent.la
#olcModuleload: unique.la
#olcModuleload: valsort.la

#
# Schema settings
#
dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema

include: file:///etc/openldap/schema/corba.ldif
include: file:///etc/openldap/schema/core.ldif
include: file:///etc/openldap/schema/cosine.ldif
include: file:///etc/openldap/schema/duaconf.ldif
include: file:///etc/openldap/schema/dyngroup.ldif
include: file:///etc/openldap/schema/inetorgperson.ldif
include: file:///etc/openldap/schema/java.ldif
include: file:///etc/openldap/schema/misc.ldif
include: file:///etc/openldap/schema/nis.ldif
include: file:///etc/openldap/schema/openldap.ldif
include: file:///etc/openldap/schema/ppolicy.ldif
include: file:///etc/openldap/schema/collective.ldif

#
# Frontend settings
#
dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend
#
# Sample global access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
#
#olcAccess: to dn.base="" by * read
#olcAccess: to dn.base="cn=Subschema" by * read
#olcAccess: to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#

#
# Configuration database
#
dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none

#
# Server status monitoring
#
dn: olcDatabase=monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: monitor
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=macro,dc=com" read by * none

#
# Backend database definitions
#
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: hdb
olcSuffix: dc=macro,dc=com
olcRootDN: cn=Manager,dc=macro,dc=com
olcRootPW: 123456
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
olcDbIndex: uidNumber,gidNumber,loginShell eq,pres
olcDbIndex: uid,memberUid eq,pres,sub
olcDbIndex: nisMapName,nisMapEntry eq,pres,sub
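Before running slapadd it is worth checking the file for the clear-text olcRootPW shown above. The following added example (not part of the original post) parses the entries of a slapd.ldif with the standard library only, reports the DNs whose olcRootPW is not hashed, and shows how the {SSHA} value that slappasswd writes is computed and verified; the embedded LDIF is a constructed excerpt of the file above, and the function names are my own.

```python
import base64
import hashlib
import os

# Constructed excerpt of the slapd.ldif above (comments and schema omitted).
SAMPLE_LDIF = """\
dn: cn=config
olcTLSCertificateFile: /etc/openldap/certs/ldap.crt
olcTLSCertificateKeyFile: /etc/openldap/certs/ldap.key

dn: olcDatabase=hdb,cn=config
olcRootDN: cn=Manager,dc=macro,dc=com
olcRootPW: 123456
"""

def parse_ldif(text):
    """One {attr: [values]} dict per entry. Handles '#' comments, blank-line
    separators and folded lines; '::' base64 values are not needed here."""
    entries, entry, last = [], {}, None
    for line in text.splitlines() + [""]:
        if line.startswith("#"):
            continue
        if line.startswith(" ") and last:           # folded continuation line
            entry[last][-1] += line[1:]
        elif not line.strip():                      # blank line ends an entry
            if entry:
                entries.append(entry)
            entry, last = {}, None
        else:
            attr, _, value = line.partition(":")
            last = attr.strip()
            entry.setdefault(last, []).append(value.strip())
    return entries

def ssha_hash(password, salt=None):
    """{SSHA} exactly as slappasswd writes it: base64(sha1(pw + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def verify_ssha(stored, password):
    """Recompute with the stored salt (the bytes after the 20-byte digest)."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    return ssha_hash(password, raw[20:]) == stored

def audit(text):
    """DNs whose olcRootPW is stored in clear text; [] means none found."""
    return [e.get("dn", ["?"])[0] for e in parse_ldif(text)
            for pw in e.get("olcRootPW", []) if not pw.startswith("{")]
```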
4. Delete the old configuration and regenerate the OpenLDAP configuration
[root@cdh1 slapd.d]# rm -rf /etc/openldap/slapd.d/*
[root@cdh1 slapd.d]# slapadd -F /etc/openldap/slapd.d -n 0 -l /root/slapd.ldif
Test whether the configuration is correct; the output "config file testing succeeded" means it is
[root@cdh1 ~]# slaptest -u -F /etc/openldap/slapd.d
config file testing succeeded
[root@cdh1 ~]# chown -R ldap. /etc/openldap/slapd.d/
[root@cdh1 ~]# ll /etc/openldap/slapd.d/
total 8
drwxr-x--- 3 ldap ldap 4096 Dec 19 2019 cn=config
-rw------- 1 ldap ldap 600 Dec 19 2019 cn=config.ldif
5. Install the OpenLDAP database file
Copy DB_CONFIG.example from /usr/share/openldap-servers/ to /var/lib/ldap and rename it DB_CONFIG:
[root@cdh1 lib]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
Change the owner of the database files
[root@cdh01 lib]# chown -R ldap. /var/lib/ldap
[root@cdh01 lib]# ll /var/lib/ldap/
total 4
-rw-r--r-- 1 ldap ldap 845 Feb 9 2020 DB_CONFIG
6. After the steps above, run the following commands to add slapd to the services started at boot, start it, and check its status
[root@cdh1 lib]# systemctl enable slapd
[root@cdh1 lib]# systemctl start slapd
[root@cdh1 lib]# systemctl status slapd
At this point the OpenLDAP service has been installed successfully.
Import the root domain and administrator account
1. Create a root.ldif file with the following content
[root@cdh1 ~]# vim root.ldif
dn: dc=macro,dc=com
dc: macro
objectClass: top
objectClass: domain

dn: cn=Manager,dc=macro,dc=com
objectClass: organizationalRole
cn: Manager
2. Import the root domain and administrator entries into the OpenLDAP service
[root@cdh1 ~]# ldapadd -D "cn=Manager,dc=macro,dc=com" -W -x -f root.ldif
Enter LDAP Password:
adding new entry "dc=macro,dc=com"
adding new entry "cn=Manager,dc=macro,dc=com"
3. Check that the import succeeded
[root@cdh1 ~]# ldapsearch -h cdh1.macro.com -b "dc=macro,dc=com" -D "cn=Manager,dc=macro,dc=com" -W
Import the base file, users and groups
The migrationtools package installed earlier can generate the ldif files for the OpenLDAP base entries, users and groups.
1. Go to /usr/share/migrationtools/ and edit migrate_common.ph, changing $DEFAULT_MAIL_DOMAIN and $DEFAULT_BASE to your own OpenLDAP domain
[root@cdh1 ~]# vim /usr/share/migrationtools/migrate_common.ph
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "macro.com";
# Default base
$DEFAULT_BASE = "dc=macro,dc=com";
2. Export the OpenLDAP base.ldif file with the following command
[root@cdh1 ~]# /usr/share/migrationtools/migrate_base.pl >base.ldif
3. Run the following command to export the operating system groups to group.ldif
[root@cdh1 ~]# /usr/share/migrationtools/migrate_group.pl /etc/group >group.ldif
4. Export the operating system users to a ldif file with the following command
[root@cdh1 ~]# /usr/share/migrationtools/migrate_passwd.pl /etc/passwd > user.ldif
5. Import the base file and the user and group files into OpenLDAP with ldapadd (the base.ldif import is shown; group.ldif and user.ldif are imported the same way)
[root@cdh1 ldap]# ldapadd -D "cn=Manager,dc=macro,dc=com" -W -x -f base.ldif
6. Check that the import succeeded
[root@cdh1 ldap]# ldapsearch -h cdh1.macro.com -b "dc=macro,dc=com" -D "cn=Manager,dc=macro,dc=com" -W | grep dn
OpenLDAP client configuration
1. Install the OpenLDAP client package on all client nodes
yum install -y openldap-clients
2. Edit /etc/openldap/ldap.conf with the following content. Note that the URI below uses plain ldap://; for clients to validate the server's self-signed certificate over TLS, copy ldap.crt into the TLS_CACERTDIR directory (or point TLS_CACERT at it).
[root@cdh2 ~]# cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
TLS_CACERTDIR /etc/openldap/cacerts
URI ldap://cdh1.macro.com
BASE dc=macro,dc=com
# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON on
3. Test whether the client is configured correctly
[root@cdh2 ~]# ldapsearch -D "cn=Manager,dc=macro,dc=com" -W |grep dn
Enter LDAP Password:
dn: dc=macro,dc=com
dn: cn=Manager,dc=macro,dc=com
dn: ou=People,dc=macro,dc=com
dn: ou=Group,dc=macro,dc=com
dn: cn=root,ou=Group,dc=macro,dc=com
dn: cn=bin,ou=Group,dc=macro,dc=com
dn: cn=daemon,ou=Group,dc=macro,dc=com
dn: cn=sys,ou=Group,dc=macro,dc=com
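Since Hue in CDP needs TLS on the LDAP side, a useful final check from a client is whether the server accepts StartTLS on port 389 and presents the ldap.crt generated earlier. This added example (not from the original post) builds the LDAP StartTLS extended request by hand with Python's standard library, checks the resultCode, then upgrades the socket and verifies the certificate against a copy of ldap.crt; the host cdh1.macro.com comes from the page, while the CA file path handed to starttls_probe is an assumption about where the certificate was copied on the client.

```python
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 4511 StartTLS requestName

def ber_len(n):
    """BER length octets (short and long form), enough for small LDAP PDUs."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def build_starttls_request(msg_id=1):
    """LDAPMessage{messageID, ExtendedRequest [APPLICATION 23]{requestName [0]}}.
    msg_id must be below 128 so the INTEGER fits in one byte."""
    name = b"\x80" + ber_len(len(STARTTLS_OID)) + STARTTLS_OID
    ext = b"\x77" + ber_len(len(name)) + name
    mid = b"\x02\x01" + bytes([msg_id])
    return b"\x30" + ber_len(len(mid) + len(ext)) + mid + ext

def result_code(pdu):
    """resultCode of an ExtendedResponse [APPLICATION 24]; None if not one."""
    i = 2 if pdu[1] < 0x80 else 2 + (pdu[1] & 0x7f)   # skip outer SEQUENCE header
    i += 2 + pdu[i + 1]                                 # skip messageID INTEGER
    if pdu[i] != 0x78:
        return None
    i += 2 if pdu[i + 1] < 0x80 else 2 + (pdu[i + 1] & 0x7f)
    return pdu[i + 2] if pdu[i] == 0x0a else None      # ENUMERATED resultCode

def starttls_probe(host, cafile, port=389):
    """Connect on 389, send StartTLS, then wrap the socket and verify the server
    cert against cafile (the self-signed ldap.crt). The cert carries only a CN,
    which Python's default hostname check falls back to when no SAN is present.
    Returns (negotiated TLS version, subject commonName)."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=10) as sock:
        sock.sendall(build_starttls_request())
        rc = result_code(sock.recv(4096))
        if rc != 0:
            raise RuntimeError("StartTLS refused, resultCode=%r" % rc)
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cn = dict(x[0] for x in tls.getpeercert()["subject"])["commonName"]
            return tls.version(), cn

if __name__ == "__main__":
    # Assumed path: ldap.crt copied into the client's TLS_CACERTDIR.
    print(starttls_probe("cdh1.macro.com", "/etc/openldap/cacerts/ldap.crt"))
```

A non-zero resultCode or a certificate verification error here means Hue will fail the same way when it tries to use TLS against this server.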