After switching to OpenLDAP for centralized authentication you will notice that every account in the directory can log in to every LDAP-joined server, which is quite dangerous. One common answer is to use a group to restrict which OpenLDAP users may log in to a given server; this post walks through that setup.
1. First create the corresponding group on the OpenLDAP server.
I created a group called opsgroup under ou=group; its gidNumber is 23794.
2. Then create a user, or change the primary group of an existing account.
Note that the user's primary group (the gidNumber attribute of the account) must be opsgroup.
3. For comparison, create a second user, user2, that does not belong to this group and therefore should not be able to log in.
4. Now test.
Before any filter is in place, both user1 and user2 can log in to the client.
5. Note that my client is CentOS 6.8 (nslcd); CentOS 5.x (nss_ldap) differs slightly, see the script in step 6 for that form.

echo "filter passwd (gidNumber=23794)" >> /etc/nslcd.conf
/etc/init.d/nslcd restart
The configuration above allows only the group with gid 23794, i.e. opsgroup, to log in to the server. nslcd applies this filter when it resolves the passwd map, so accounts outside the group are simply not resolved on this host at all (getent passwd user2 prints nothing) and login fails because the user is unknown, not because of a PAM policy.
Note: a user who is allowed to log in must have opsgroup as their primary group. The filter is matched against the gidNumber attribute of the user entry, not against the group's member list, so an account that is merely listed as a member (memberUid) of opsgroup still cannot log in.
The test above shows that user1 can log in normally while user2, whose primary group is not opsgroup, cannot: the group controls which users can log in to the server.
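Added example (not from the original post or the script it adapts): a helper that builds the nslcd "filter passwd" line for one or more gidNumbers, refuses values that could alter the LDAP filter, and installs the line idempotently, replacing an existing "filter passwd" line instead of appending a second one each time it is run. The function names, the temporary file and the sample nslcd.conf contents are constructed for illustration.

```shell
#!/bin/bash
# Added example: build and install an nslcd "filter passwd" line.
# Assumptions: GNU/BSD userland with awk, grep and mktemp; the sample
# nslcd.conf below is constructed and is not a real host's configuration.

set -u

# build_passwd_filter GID [GID ...]
# Prints the nslcd map option: "(gidNumber=N)" for one gid,
# "(|(gidNumber=N)(gidNumber=M))" for several.
build_passwd_filter() {
    [ $# -ge 1 ] || { echo "usage: build_passwd_filter GID [GID ...]" >&2; return 2; }
    local gid filter=""
    for gid in "$@"; do
        # The value is spliced into an LDAP filter: reject anything that is
        # not a plain integer so a stray "*" or ")" cannot widen the match.
        case "$gid" in
            ''|*[!0-9]*) echo "bad gidNumber: $gid" >&2; return 2 ;;
        esac
        filter="$filter(gidNumber=$gid)"
    done
    if [ $# -gt 1 ]; then
        filter="(|$filter)"
    fi
    printf 'filter passwd %s\n' "$filter"
}

# install_passwd_filter CONF_FILE FILTER_LINE
# Removes any existing "filter passwd" line from CONF_FILE and appends
# FILTER_LINE, so repeated runs never stack several filters.
install_passwd_filter() {
    local conf="$1" line="$2"
    awk '!/^filter[ \t]+passwd[ \t]/' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    printf '%s\n' "$line" >> "$conf"
}

# count_passwd_filters CONF_FILE: number of "filter passwd" lines present.
count_passwd_filters() {
    grep -cE '^filter[[:space:]]+passwd[[:space:]]' "$1"
}

# Demonstration on a throwaway copy; on a real host you would target
# /etc/nslcd.conf and restart nslcd afterwards.
demo() {
    local conf
    conf=$(mktemp)
    cat > "$conf" <<'EOF'
uid nslcd
gid ldap
uri ldap://ldap.example.com/
base dc=example,dc=com
EOF
    install_passwd_filter "$conf" "$(build_passwd_filter 23794)"
    # A second run with two groups replaces the earlier line instead of adding to it.
    install_passwd_filter "$conf" "$(build_passwd_filter 23794 23795)"
    cat "$conf"
    rm -f "$conf"
}

demo
```

After writing the real /etc/nslcd.conf, restart nslcd and verify on the host: getent passwd user1 should print the account and getent passwd user2 should print nothing. Because this is an NSS-level filter, keep in mind that it only hides accounts from the passwd map; it does not check group membership (memberUid). Newer nss-pam-ldapd releases also provide a pam_authz_search option that can express a membership check instead of a primary-gid test; whether your version has it is something to confirm in man nslcd.conf before relying on it.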
6. A script that detects the OS and applies the filter automatically

#!/bin/bash
# Usage: ./ldap-group-filter.sh GROUP[,GROUP...]
# Looks up the gidNumber of each named group in OpenLDAP and restricts the
# passwd map on this host to those primary groups: nslcd on CentOS 6,
# nss_ldap (/etc/ldap.conf) on CentOS 5.

# get_gid GROUP: print the gidNumber of cn=GROUP,ou=group,dc=vxuepin,dc=com
function get_gid() {
    ldapsearch -x -s base -b "cn=$1,ou=group,dc=vxuepin,dc=com" '(objectClass=*)' gidNumber 2>/dev/null \
        | grep "^gidNumber:" | awk '{print $2}'
}

function filter_on_centos5() {
    #samples:
    #nss_base_passwd dc=vxuepin,dc=com?sub?gidNumber=1000
    #nss_base_passwd dc=vxuepin,dc=com?sub?|(gidNumber=1000)(gidNumber=1003)
    cp /etc/ldap.conf /etc/ldap.conf.$(date +%Y%m%d)
    local groups="$1"
    echo "***** Getting filter *****"
    n=$(echo "$groups" | awk -F ',' '{print NF}')
    if [ "$n" -eq 1 ]; then
        gid=$(get_gid "$groups")
        [ -z "$gid" ] && { echo "Can't find group $groups"; exit 3; }
        filter="gidNumber=$gid"
    else
        filter="|"
        for group in $(echo "$groups" | sed 's/,/ /g'); do
            gid=$(get_gid "$group")
            [ -z "$gid" ] && { echo "Can't find group $group"; exit 3; }
            filter="$filter(gidNumber=$gid)"
        done
    fi
    filter="nss_base_passwd dc=vxuepin,dc=com?sub?$filter"
    echo "$filter"
    echo "***** Config ldap.conf *****"
    echo "$filter" >> /etc/ldap.conf
}

function filter_on_centos6() {
    #samples:
    #filter passwd (gidNumber=1000)
    #filter passwd (|(gidNumber=1000)(gidNumber=1003))
    cp /etc/nslcd.conf /etc/nslcd.conf.$(date +%Y%m%d)
    local groups="$1"
    echo "***** Getting filter *****"
    n=$(echo "$groups" | awk -F ',' '{print NF}')
    if [ "$n" -eq 1 ]; then
        gid=$(get_gid "$groups")
        [ -z "$gid" ] && { echo "Can't find group $groups"; exit 3; }
        filter="(gidNumber=$gid)"
    else
        filter="(|"
        for group in $(echo "$groups" | sed 's/,/ /g'); do
            gid=$(get_gid "$group")
            [ -z "$gid" ] && { echo "Can't find group $group"; exit 3; }
            filter="$filter(gidNumber=$gid)"
        done
        filter="$filter)"
    fi
    filter="filter passwd $filter"
    echo "$filter"
    echo "***** Restart nslcd *****"
    echo "$filter" >> /etc/nslcd.conf
    service nslcd restart
}

if [ -z "$1" ]; then
    echo "please input groupname"; exit 1
fi
# The group name is spliced into an LDAP DN: refuse anything outside a safe character set.
case "$1" in
    *[!A-Za-z0-9_,.-]*) echo "invalid group name: $1"; exit 2 ;;
esac

if uname -r | grep -q el6; then
    filter_on_centos6 "$1"
elif uname -r | grep -q el5; then
    filter_on_centos5 "$1"
else
    echo "os unsupport!"
fi

Note that the script appends a new filter line on every run; if you run it a second time with a different group list, remove the earlier "filter passwd" (or nss_base_passwd) line from the backup-ed config first.
The script above is adapted, with minor changes, from http://opjasee.com/2016/01/24/openldap-group-filter.html
This article is reposted from rong341233's 51CTO blog; original: http://blog.51cto.com/fengwan/1846879