Design and Implementation of a Centralized Account Management System: OpenLDAP

Overview:

Build an OpenLDAP system for centralized account management.

Features covered:

1. Building the OpenLDAP server

2. Building PhpLDAPAdmin (for web-based management)

3. Group-based user management and sudo privilege assignment on the OpenLDAP server:

    1) no sudo privileges by default;

    2) the operations group may sudo to any user and run any command;

    3) the development group may run only the commands configured for it

4. OpenLDAP client configuration

5. OpenLDAP with SSH

6. OpenLDAP with client-side PAM to restrict which users may log in to a host

7. Password policy in OpenLDAP:

    1) force users to change their password at first login

    2) minimum password length

    3) password strength

    4) days of warning before a password expires

    5) days after expiry during which login is refused

    6) number of failed attempts before the account is locked

    7) recovery time after failed attempts

    8) whether users may change their own password

    9) a locked account does not unlock automatically; an administrator must unlock it

8. MirrorMode replication for a dual-master OpenLDAP

9. Keepalived + OpenLDAP for OpenLDAP high availability

10. TCP Wrappers


Access and maintenance workflow for the centralized account management system:





Lab environment:

Systems:

Master: CentOS 6.5 64-bit, 192.168.9.225

Master: CentOS 6.5 64-bit, 192.168.9.168

VIP: 192.168.9.253

Client: CentOS 6.5 64-bit, 192.168.9.176

Packages:

    openldap-2.4.45

    db-4.6.21

    phpldapadmin-1.2.3

    ltb-project-openldap-initscript-2.2

Reference links:

https://ltb-project.org/download
http://www.openldap.org/
http://www.oracle.com/technetwork/database/database-technologies/berkeleydb/downloads/index-082944.html
ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/
http://download.oracle.com/berkeley-db/db-4.6.21.tar.gz


Part 1: Installing the OpenLDAP server

(The installation is identical on both masters.)

1.1 Basic environment configuration

(1) System initialization (see http://wupengfei.blog.51cto.com/7174803/1955545)

(2) Disable the firewall and SELinux

service iptables stop
chkconfig iptables off
sed -i 's@SELINUX=enforcing@SELINUX=disabled@g' /etc/selinux/config

(3) Time synchronization

yum -y install ntp
/usr/sbin/ntpdate -u clepsydra.dec.com tick.ucla.edu ntp.nasa.gov
echo "1 2 * * * /usr/sbin/ntpdate -u clepsydra.dec.com tick.ucla.edu ntp.nasa.gov" >> /var/spool/cron/root

1.2 Installing OpenLDAP from source

(1) Install the build dependencies with yum

yum -y install gcc gcc-c++ unzip gzip bzip2 openssl-devel cyrus-sasl-devel krb5-devel tcp_wrappers-devel libtool-ltdl-devel openslp-devel unixODBC-devel mysql-devel

(2) Install Berkeley DB from source

cd /usr/local/src/
wget http://download.oracle.com/berkeley-db/db-4.6.21.tar.gz
tar xf db-4.6.21.tar.gz
cd db-4.6.21/build_unix/
../dist/configure --prefix=/usr/local/BDB4
make && make install
echo "/usr/local/BDB4/lib" >> /etc/ld.so.conf.d/bdb.conf
ldconfig
ln -sv /usr/local/BDB4/include /usr/local/bdb

(3) Install OpenLDAP from source

cd /usr/local/src/
wget ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-2.4.45.tgz
gunzip -c openldap-2.4.45.tgz | tar xf -
cd openldap-2.4.45
./configure --prefix=/usr/local/openldap2.4 \
  --enable-slapd \
  --enable-dynacl \
  --enable-aci \
  --enable-cleartext \
  --enable-crypt \
  --enable-lmpasswd \
  --enable-spasswd \
  --enable-modules \
  --enable-rewrite \
  --enable-rlookups \
  --enable-slapi \
  --enable-wrappers \
  --enable-backends \
  --enable-ndb=no \
  --enable-perl=no \
  --enable-overlays \
  CPPFLAGS="-I/usr/local/BDB4/include" \
  LDFLAGS="-L/usr/local/BDB4/lib"
make depend
make
make test
make install
echo "/usr/local/openldap2.4/lib" >> /etc/ld.so.conf.d/ldap.conf
ldconfig
ln -sv /usr/local/openldap2.4/include /usr/include/ldap2.4
ln -sv /usr/local/openldap2.4/bin/ /usr/local/bin/
ln -sv /usr/local/openldap2.4/sbin/ /usr/local/sbin/

1.4 Configuring the features

(1) Configuration file template

# grep -v ^# slapd.conf | grep -v ^$
include         /usr/local/openldap2.4/etc/openldap/schema/corba.schema
include         /usr/local/openldap2.4/etc/openldap/schema/core.schema
include         /usr/local/openldap2.4/etc/openldap/schema/cosine.schema
include         /usr/local/openldap2.4/etc/openldap/schema/duaconf.schema
include         /usr/local/openldap2.4/etc/openldap/schema/dyngroup.schema
include         /usr/local/openldap2.4/etc/openldap/schema/inetorgperson.schema
include         /usr/local/openldap2.4/etc/openldap/schema/java.schema
include         /usr/local/openldap2.4/etc/openldap/schema/misc.schema
include         /usr/local/openldap2.4/etc/openldap/schema/nis.schema
include         /usr/local/openldap2.4/etc/openldap/schema/openldap.schema
include         /usr/local/openldap2.4/etc/openldap/schema/ppolicy.schema
include         /usr/local/openldap2.4/etc/openldap/schema/collective.schema
include         /usr/local/openldap2.4/etc/openldap/schema/sudo.schema
pidfile         /usr/local/openldap2.4/var/run/slapd.pid
argsfile        /usr/local/openldap2.4/var/run/slapd.args
modulepath      /usr/local/openldap2.4/libexec/openldap
moduleload      accesslog.la
moduleload      auditlog.la
moduleload      ppolicy.la
moduleload      syncprov.la
moduleload      back_mdb.la
moduleload      back_ldap.la
# Global ACLs (before any database): password attributes are writable only by the entry
# itself and the admin DN; anonymous may use them to authenticate but never read them.
access to attrs=shadowLastChange,userPassword
        by self write
        by anonymous auth
        by dn.base="cn=admin,dc=dabayouxi,dc=com" write
        by * none
access to *
        by self write
        by * read
database config
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
        by dn.base="cn=admin,dc=dabayouxi,dc=com" write
        by * none
database        mdb
suffix          "dc=dabayouxi,dc=com"
rootdn          "cn=admin,dc=dabayouxi,dc=com"
rootpw          {SSHA}jnN16Laklfzlm4hCrob1nhUgUloLpvnm
directory       /data0/openldap-data
index objectClass                        eq,pres
index ou,cn,mail,surname,givenname       eq,pres,sub
index uidNumber,gidNumber,loginShell     eq,pres
index uid,memberUid                      eq,pres,sub
index nisMapName,nisMapEntry             eq,pres,sub
loglevel 256
logfile /data0/logs/slapd/slapd.log
checkpoint 2048 10
overlay ppolicy
ppolicy_default "cn=default,ou=pwpolicies,dc=dabayouxi,dc=com"

(2) Add sudo.schema

cp -f /usr/share/doc/sudo-1.8.6p3/schema.OpenLDAP /usr/local/openldap2.4/etc/openldap/schema/sudo.schema
restorecon /usr/local/openldap2.4/etc/openldap/schema/sudo.schema

(3) Create the ldap user and group

groupadd -r ldap
useradd -r -g ldap -s /sbin/nologin ldap

(4) Configure logging

mkdir -p /data0/logs/slapd
touch /data0/logs/slapd/slapd.log
echo "local4.* /data0/logs/slapd/slapd.log" >> /etc/rsyslog.d/openldap.conf
service rsyslog restart
echo "/data0/logs/slapd/*log {
missingok
compress
notifempty
daily
rotate 5
create 0600 root root
}" >> /etc/logrotate.d/slapd

(5) Configure the data directory

mkdir -p /data0/openldap-data
chmod 700 /data0/openldap-data/
cp /usr/local/openldap2.4/etc/openldap/DB_CONFIG.example /data0/openldap-data/DB_CONFIG
chown -R ldap.ldap /data0/openldap-data/
mkdir -p /usr/local/openldap2.4/etc/openldap/slapd.d
cd /usr/local/openldap2.4/etc/openldap/
slaptest -f slapd.conf -F slapd.d/
echo "BASE    dc=dabayouxi,dc=com
URI     ldap://192.168.9.168" >> /usr/local/openldap2.4/etc/openldap/ldap.conf

(6) Download the init script and adjust its configuration

cd /usr/local/src/
wget https://ltb-project.org/archives/ltb-project-openldap-initscript-2.2.tar.gz
tar -xvf ltb-project-openldap-initscript-2.2.tar.gz
mv ltb-project-openldap-initscript-2.2/slapd /etc/init.d
vim /etc/init.d/slapd
# set these variables in the script:
SLAPD_PATH="/usr/local/openldap2.4"
DATA_PATH="/data0/openldap-data"
BDB_PATH="/usr/local/BDB4"

chmod +x /etc/init.d/slapd
chkconfig slapd on
service slapd restart

1.5 Planning the OpenLDAP directory tree
# Import the planned DNs: write the entries below into LDIF files and add them to the database with ldapadd

mkdir -p /data0/ldapldif/{users,groups,sudoers,policy}

(1) base.ldif

vim /data0/ldapldif/base.ldif
dn: dc=dabayouxi,dc=com
dc: dabayouxi
objectClass: top
objectClass: domain

dn: ou=users,dc=dabayouxi,dc=com
ou: users
objectClass: top
objectClass: organizationalUnit

dn: ou=groups,dc=dabayouxi,dc=com
ou: groups
objectClass: top
objectClass: organizationalUnit

dn: ou=sudoers,dc=dabayouxi,dc=com
ou: sudoers
objectClass: top
objectClass: organizationalUnit

dn: ou=pwpolicies,dc=dabayouxi,dc=com
ou: pwpolicies
objectClass: top
objectClass: organizationalUnit


ldapadd -x -D cn=admin,dc=dabayouxi,dc=com -W -f /data0/ldapldif/base.ldif
Enter LDAP Password:
adding new entry "dc=dabayouxi,dc=com"
adding new entry "ou=users,dc=dabayouxi,dc=com"
adding new entry "ou=groups,dc=dabayouxi,dc=com"
adding new entry "ou=sudoers,dc=dabayouxi,dc=com"
adding new entry "ou=pwpolicies,dc=dabayouxi,dc=com"
-x    simple authentication (no SASL); over plain ldap:// the bind password crosses the network in clear text
-D    the DN to bind as (here the admin/root DN)
-W    prompt for the password; -w passwd supplies it on the command line, which is not recommended because it exposes the password
-f    the LDIF file to load

# View the current directory tree with ldapsearch
ldapsearch -x -LLL       # -LLL    print plain LDIF without comments or version line

(2) groups.ldif

echo "dn: cn=web,ou=groups,dc=dabayouxi,dc=com
objectClass: posixGroup
objectClass: top
cn: web
gidNumber: 1501" >> /data0/ldapldif/groups/web.ldif

echo "dn: cn=core,ou=groups,dc=dabayouxi,dc=com
objectClass: posixGroup
objectClass: top
cn: core
gidNumber: 1502" >> /data0/ldapldif/groups/core.ldif

ldapadd -x -D cn=admin,dc=dabayouxi,dc=com -W -f /data0/ldapldif/groups/web.ldif
Enter LDAP Password:
adding new entry "cn=web,ou=groups,dc=dabayouxi,dc=com"

ldapadd -x -D cn=admin,dc=dabayouxi,dc=com -W -f /data0/ldapldif/groups/core.ldif
Enter LDAP Password:
adding new entry "cn=core,ou=groups,dc=dabayouxi,dc=com"

(3) users.ldif

echo "dn: uid=webuser,ou=users,dc=dabayouxi,dc=com
uid: webuser
cn: webuser
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {SSHA}1F4G8mlpJ4asfQud0kJOsj6tIWdoiHEc
shadowLastChange: 17412
shadowMin: 0
shadowMax: 999999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 2501
gidNumber: 1501
homeDirectory: /home/webuser
pwdReset: TRUE" >> /data0/ldapldif/users/webuser.ldif

echo "dn: uid=coreuser,ou=users,dc=dabayouxi,dc=com
uid: coreuser
cn: coreuser
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {SSHA}1F4G8mlpJ4asfQud0kJOsj6tIWdoiHEc
shadowLastChange: 17412
shadowMin: 0
shadowMax: 999999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 2502
gidNumber: 1502
homeDirectory: /home/coreuser
pwdReset: TRUE" >> /data0/ldapldif/users/coreuser.ldif

ldapadd -x -D cn=admin,dc=dabayouxi,dc=com -W -f /data0/ldapldif/users/webuser.ldif
Enter LDAP Password:
adding new entry "uid=webuser,ou=users,dc=dabayouxi,dc=com"

ldapadd -x -D cn=admin,dc=dabayouxi,dc=com -W -f /data0/ldapldif/users/coreuser.ldif
Enter LDAP Password:
adding new entry "uid=coreuser,ou=users,dc=dabayouxi,dc=com"
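Writing these entries by hand means pasting a precomputed {SSHA} hash and a shadowLastChange day count into every file. The script below is an added example (not part of the original post) that produces an entry of the same shape as webuser.ldif: it generates a fresh salted {SSHA} value (SHA-1 over password plus a 4-byte salt, salt appended, as slappasswd does), derives shadowLastChange from a calendar date, and emits pwdReset: TRUE so ppolicy forces a change at first login. The suffix dc=dabayouxi,dc=com is taken from base.ldif; everything else is constructed.

```python
import base64
import hashlib
import os
from datetime import date

# Suffix and users OU from base.ldif on this page.
BASE_DN = "dc=dabayouxi,dc=com"
USERS_OU = "ou=users," + BASE_DN


def make_ssha(password, salt=None):
    """Return a {SSHA} userPassword value: base64(sha1(password + salt) + salt).

    slappasswd uses a random 4-byte salt; a fixed salt may be passed for reproducible tests.
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(stored, password):
    """Check a candidate password against a {SSHA} value; the salt follows the 20-byte SHA-1 digest."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def shadow_last_change(year, month, day):
    """shadowLastChange is the number of days since 1970-01-01 (2017-09-03 gives 17412, as on the page)."""
    return (date(year, month, day) - date(1970, 1, 1)).days


def user_ldif(uid, uid_number, gid_number, password, changed_on, must_reset=True, salt=None):
    """Build one posixAccount/shadowAccount entry in the shape of webuser.ldif.

    changed_on is a (year, month, day) tuple. pwdReset: TRUE is a ppolicy operational
    attribute; together with pwdMustChange: TRUE in the default policy it forces a
    password change at the user's first bind.
    """
    lines = [
        "dn: uid=%s,%s" % (uid, USERS_OU),
        "uid: %s" % uid,
        "cn: %s" % uid,
        "objectClass: account",
        "objectClass: posixAccount",
        "objectClass: top",
        "objectClass: shadowAccount",
        "userPassword: %s" % make_ssha(password, salt),
        "shadowLastChange: %d" % shadow_last_change(*changed_on),
        "shadowMin: 0",
        "shadowMax: 999999",
        "shadowWarning: 7",
        "loginShell: /bin/bash",
        "uidNumber: %d" % uid_number,
        "gidNumber: %d" % gid_number,
        "homeDirectory: /home/%s" % uid,
    ]
    if must_reset:
        lines.append("pwdReset: TRUE")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample: the page's webuser with a throwaway initial password.
    print(user_ldif("webuser", 2501, 1501, "ChangeMe-2017", (2017, 9, 3)))
```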

(4) sudoers.ldif

vim /data0/ldapldif/sudoers/defaults.ldif
dn: cn=defaults,ou=sudoers,dc=dabayouxi,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
sudoOption: requiretty
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset

vim /data0/ldapldif/sudoers/web.ldif
dn: cn=%web,ou=sudoers,dc=dabayouxi,dc=com
objectClass: top
objectClass: sudoRole
cn: %web
sudoHost: ALL
sudoRunAsUser: www
sudoOption: !authenticate
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset
sudoCommand: ALL
sudoUser: %web

vim /data0/ldapldif/sudoers/core.ldif
dn: cn=%core,ou=sudoers,dc=dabayouxi,dc=com
objectClass: top
objectClass: sudoRole
cn: %core
sudoHost: ALL
sudoRunAsUser: ALL
sudoOption: !authenticate
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset
sudoCommand: ALL
sudoUser: %core

ldapadd -x -D cn=admin,dc=dabayouxi,dc=com -W -f /data0/ldapldif/sudoers/defaults.ldif
Enter LDAP Password:
adding new entry "cn=defaults,ou=sudoers,dc=dabayouxi,dc=com"

ldapadd -x -D cn=admin,dc=dabayouxi,dc=com -W -f /data0/ldapldif/sudoers/web.ldif
Enter LDAP Password:
adding new entry "cn=%web,ou=sudoers,dc=dabayouxi,dc=com"

ldapadd -x -D cn=admin,dc=dabayouxi,dc=com -W -f /data0/ldapldif/sudoers/core.ldif
Enter LDAP Password:
adding new entry "cn=%core,ou=sudoers,dc=dabayouxi,dc=com"

(5) pwpolicies.ldif

echo "dn: cn=default,ou=pwpolicies,dc=dabayouxi,dc=com
cn: default
objectClass: pwdPolicy
objectClass: person
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdExpireWarning: 259200
pwdFailureCountInterval: 0
pwdGraceAuthNLimit: 5
pwdInHistory: 5
pwdLockout: TRUE
pwdLockoutDuration: 300
pwdMaxAge: 2592000
pwdMaxFailure: 5
pwdMinAge: 0
pwdMinLength: 8
pwdMustChange: TRUE
pwdSafeModify: TRUE
sn: dummy value" >> /data0/ldapldif/policy/default.ldif

ldapadd -x -D cn=admin,dc=dabayouxi,dc=com -W -f /data0/ldapldif/policy/default.ldif
Enter LDAP Password:
adding new entry "cn=default,ou=pwpolicies,dc=dabayouxi,dc=com"
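To see what these values do at bind time, here is a small simulation of the ppolicy state machine (an added example, not part of the original post, and a simplified model rather than OpenLDAP's own code). It uses the policy above: five failures lock the account, pwdFailureCountInterval 0 means failures never age out until a successful bind, pwdMaxAge/pwdExpireWarning give a 30-day lifetime with a 3-day warning, and pwdGraceAuthNLimit allows five binds after expiry. One caveat the model makes visible: item 9 of the feature list (an administrator must unlock) corresponds to pwdLockoutDuration 0; the value 300 configured here unlocks the account by itself after 300 seconds.

```python
# Values copied from cn=default,ou=pwpolicies on this page; durations are seconds.
PAGE_POLICY = {
    "pwdMaxFailure": 5,
    "pwdLockout": True,
    "pwdLockoutDuration": 300,      # 0 would mean: locked until an administrator clears it
    "pwdFailureCountInterval": 0,   # 0: failures never age out until a successful bind
    "pwdMaxAge": 2592000,           # 30 days
    "pwdExpireWarning": 259200,     # warn during the last 3 days
    "pwdGraceAuthNLimit": 5,        # binds still allowed after expiry
}


class PpolicyAccount:
    """Simplified model of the per-entry state ppolicy keeps for one user:
    pwdFailureTime (list), pwdAccountLockedTime, pwdChangedTime and the grace-bind count.
    Times are integer seconds so the scenario is deterministic."""

    def __init__(self, policy, changed_at):
        self.p = policy
        self.changed_at = changed_at   # pwdChangedTime
        self.failures = []             # pwdFailureTime values
        self.locked_at = None          # pwdAccountLockedTime
        self.grace_used = 0            # number of pwdGraceUseTime values

    def is_locked(self, now):
        if self.locked_at is None:
            return False
        duration = self.p["pwdLockoutDuration"]
        if duration == 0:
            return True                # only an admin removing pwdAccountLockedTime unlocks
        return now < self.locked_at + duration

    def bind(self, now, password_ok):
        """Return (accepted, reason) for a simple bind attempted at time `now`."""
        if self.is_locked(now):
            return False, "locked"
        if self.locked_at is not None:
            # lock expired: the model drops the lock and the old failure times
            self.locked_at = None
            self.failures = []
        interval = self.p["pwdFailureCountInterval"]
        if interval:
            self.failures = [t for t in self.failures if now - t < interval]
        if not password_ok:
            self.failures.append(now)
            if self.p["pwdLockout"] and len(self.failures) >= self.p["pwdMaxFailure"]:
                self.locked_at = now
                return False, "locked"
            return False, "bad password"
        self.failures = []             # a good bind clears pwdFailureTime
        remaining = self.p["pwdMaxAge"] - (now - self.changed_at)
        if remaining <= 0:
            if self.grace_used < self.p["pwdGraceAuthNLimit"]:
                self.grace_used += 1
                return True, "expired, grace %d/%d" % (self.grace_used, self.p["pwdGraceAuthNLimit"])
            return False, "expired"
        if remaining <= self.p["pwdExpireWarning"]:
            return True, "warning: expires in %d s" % remaining
        return True, "ok"


def lockout_scenario(policy):
    """Five wrong passwords at t=0..4, then the right one at t=100 and again at t=400."""
    acct = PpolicyAccount(policy, changed_at=0)
    for t in range(5):
        acct.bind(t, False)
    return acct.bind(100, True)[1], acct.bind(400, True)[1]


if __name__ == "__main__":
    print("page policy (300 s lockout):", lockout_scenario(PAGE_POLICY))
    print("pwdLockoutDuration 0:", lockout_scenario(dict(PAGE_POLICY, pwdLockoutDuration=0)))
```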

1.6 Installing PhpLDAPAdmin

yum install -y httpd php php-mbstring php-pear php-ldap
cd /usr/local/src/
wget https://jaist.dl.sourceforge.net/project/phpldapadmin/phpldapadmin-php5/1.2.3/phpldapadmin-1.2.3.zip
unzip phpldapadmin-1.2.3.zip
mkdir -p /data0/web_root/
mv phpldapadmin-1.2.3 /data0/web_root/phpldapadmin
echo "<VirtualHost *:80>
    ServerAdmin openldap@dabayouxi.com
    DocumentRoot /data0/web_root/phpldapadmin
    ServerName openldap.dabayouxi.com
    ErrorLog /data0/logs/apache/openldap.dabayouxi.com-error_log
    CustomLog /data0/logs/apache/openldap.dabayouxi.com-access_log common
    <Directory \"/data0/web_root/phpldapadmin\">
        Options FollowSymLinks
        AllowOverride all
        Require all granted
    </Directory>
</VirtualHost>" >> /etc/httpd/conf/httpd.conf
mkdir -p /data0/logs/apache/
service httpd restart

cp /data0/web_root/phpldapadmin/config/config.php.example /data0/web_root/phpldapadmin/config/config.php
vim /data0/web_root/phpldapadmin/config/config.php
$servers->setValue('server','host','192.168.9.168');
$servers->setValue('server','port',389);

Open http://192.168.9.168 in a browser.


1.7 Dual-master OpenLDAP with MirrorMode replication

(1) Append to slapd.conf on 192.168.9.168

vim /usr/local/openldap2.4/etc/openldap/slapd.conf
# add the following
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
serverID    1
syncrepl rid=123
          provider=ldap://192.168.9.225/
          bindmethod=simple
          binddn="cn=admin,dc=dabayouxi,dc=com"
          credentials=dabayouxi
          searchbase="dc=dabayouxi,dc=com"
          schemachecking=off
          type=refreshAndPersist
          retry="60 +"
mirrormode on

cd /usr/local/openldap2.4/etc/openldap/
slaptest -u
rm -rf slapd.d/*
slaptest -f slapd.conf -F slapd.d/
service slapd restart

(2) Append to slapd.conf on 192.168.9.225

vim /usr/local/openldap2.4/etc/openldap/slapd.conf
# add the following
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
serverID    2
syncrepl rid=123
          provider=ldap://192.168.9.168/
          bindmethod=simple
          binddn="cn=admin,dc=dabayouxi,dc=com"
          credentials=dabayouxi
          searchbase="dc=dabayouxi,dc=com"
          schemachecking=off
          type=refreshAndPersist
          retry="60 +"
mirrormode on

cd /usr/local/openldap2.4/etc/openldap/
slaptest -u
rm -rf slapd.d/*
slaptest -f slapd.conf -F slapd.d/
service slapd restart

(3) Test replication


1.8 OpenLDAP high availability with Keepalived

(1) Download and install keepalived

cd /usr/local/src/
wget http://www.keepalived.org/software/keepalived-1.2.13.tar.gz
yum install -y pcre-devel openssl-devel popt-devel
tar xf keepalived-1.2.13.tar.gz
cd keepalived-1.2.13
./configure --prefix=/usr/local/keepalived
make
make install

(2) Set up keepalived as a system service

cd /usr/local/keepalived/
cp etc/rc.d/init.d/keepalived /etc/init.d/
cp etc/sysconfig/keepalived /etc/sysconfig/
mkdir /etc/keepalived
cp etc/keepalived/keepalived.conf /etc/keepalived/
cp sbin/keepalived /usr/sbin/
chkconfig keepalived on
chkconfig --list keepalived

(3) Configure OpenLDAP hot standby

Master 192.168.9.168

vim /etc/keepalived/keepalived.conf

! Configuration File for keepalived
global_defs {
    router_id OpenLDAP_HA
}

vrrp_instance OpenLDAP {
    state BACKUP
    interface eth0
    virtual_router_id 53
    priority 100
    advert_int 1
    nopreempt
    authentication {
        auth_type PASS
        auth_pass dabayouxi
    }
    virtual_ipaddress {
        192.168.9.253
    }
}
virtual_server 192.168.9.253 389 {
    delay_loop 6
    nat_mask 255.255.255.0
    persistence_timeout 50
    protocol TCP
    real_server 192.168.9.168 389 {
        weight 3
        # when the local slapd stops answering on 389, stop keepalived so the VIP moves to the other node
        notify_down "/etc/keepalived/openldap.sh"
        TCP_CHECK {
            connect_timeout 5
            nb_get_retry 2
            delay_before_retry 3
        }
    }
}


vim /etc/keepalived/openldap.sh
#!/bin/bash
/etc/init.d/keepalived stop

chmod +x /etc/keepalived/openldap.sh

service keepalived start
Starting keepalived:                                       [  OK  ]

ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether fa:9b:55:ac:33:00 brd ff:ff:ff:ff:ff:ff
    inet 192.168.9.168/24 brd 192.168.9.255 scope global eth0
    inet 192.168.9.253/32 scope global eth0
    inet6 fe80::f89b:55ff:feac:3300/64 scope link
       valid_lft forever preferred_lft forever

Master 192.168.9.225

vim /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
    router_id OpenLDAP_HA
}

vrrp_instance OpenLDAP {
    state BACKUP
    interface eth0
    virtual_router_id 53
    priority 90
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass dabayouxi
    }
    virtual_ipaddress {
        192.168.9.253
    }
}
virtual_server 192.168.9.253 389 {
    delay_loop 6
    nat_mask 255.255.255.0
    persistence_timeout 50
    protocol TCP
    real_server 192.168.9.225 389 {
        weight 3
        notify_down "/etc/keepalived/openldap.sh"
        TCP_CHECK {
            connect_timeout 5
            nb_get_retry 2
            delay_before_retry 3
        }
    }
}

vim /etc/keepalived/openldap.sh
#!/bin/bash
/etc/init.d/keepalived stop

chmod +x /etc/keepalived/openldap.sh

service keepalived start

(4) Verification


Part 2: Installing the OpenLDAP client

2.1 Basic environment configuration

(1) System initialization (see http://wupengfei.blog.51cto.com/7174803/1955545)

(2) Disable the firewall and SELinux

service iptables stop
chkconfig iptables off
sed -i 's@SELINUX=enforcing@SELINUX=disabled@g' /etc/selinux/config

(3) Time synchronization

yum -y install ntp
/usr/sbin/ntpdate -u clepsydra.dec.com tick.ucla.edu ntp.nasa.gov
echo "1 2 * * * /usr/sbin/ntpdate -u clepsydra.dec.com tick.ucla.edu ntp.nasa.gov" >> /var/spool/cron/root

2.2 Installing the OpenLDAP client packages

(1) Install the packages with yum

yum -y install openldap openldap-devel compat-openldap nss-pam-ldapd

(2) Back up the original files

cp /etc/nslcd.conf /etc/nslcd.conf_default
cp /etc/nsswitch.conf /etc/nsswitch.conf_default
cp /etc/pam.d/system-auth-ac /etc/pam.d/system-auth-ac_default
cp /etc/pam.d/password-auth-ac /etc/pam.d/password-auth-ac_default
cp /etc/pam.d/fingerprint-auth-ac /etc/pam.d/fingerprint-auth-ac_default
cp /etc/pam.d/smartcard-auth-ac /etc/pam.d/smartcard-auth-ac_default
cp /etc/pam.d/sshd /etc/pam.d/sshd_default
cp /etc/pam.d/login /etc/pam.d/login_default
cp /etc/openldap/ldap.conf /etc/openldap/ldap.conf_default
cp /etc/sudo-ldap.conf /etc/sudo-ldap.conf_default

(3) Disable the sssd service

service sssd stop && chkconfig sssd off

(4) Client configuration files

#/etc/nslcd.conf

vim /etc/nslcd.conf
uri ldap://192.168.9.253
base dc=dabayouxi,dc=com
ssl no
tls_cacertdir /etc/openldap/cacerts

#/etc/pam_ldap.conf

vim /etc/pam_ldap.conf
uri ldap://192.168.9.253
base dc=dabayouxi,dc=com
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
bind_policy soft
pam_lookup_policy yes
pam_password clear_remove_old

#/etc/pam.d/system-auth

vim /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so minlen=10 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 try_first_pass retry=3 type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

#/etc/pam.d/password-auth

vim /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so minlen=10 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 try_first_pass retry=3 type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

#/etc/pam.d/fingerprint-auth

vim /etc/pam.d/fingerprint-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

#/etc/pam.d/smartcard-auth

vim /etc/pam.d/smartcard-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card card_only
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    required      pam_pkcs11.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

#/etc/pam.d/sshd

vim /etc/pam.d/sshd
#%PAM-1.0
auth       required     pam_sepermit.so
auth       include      password-auth
# pam_access.so applies /etc/security/access.conf to every SSH login (see the access.conf step below)
account    required     pam_access.so
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth

#/etc/pam.d/login

vim /etc/pam.d/login
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    required     pam_limits.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      system-auth
-session   optional     pam_ck_connector.so

#/etc/nsswitch.conf

vim /etc/nsswitch.conf
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   ldap
publickey:  nisplus
automount:  files ldap
sudoers:    files ldap

#/etc/sysconfig/authconfig

vim /etc/sysconfig/authconfig
IPADOMAINJOINED=no
USEMKHOMEDIR=yes
USEPAMACCESS=no
CACHECREDENTIALS=yes
USESSSDAUTH=no
USESHADOW=yes
USEWINBIND=no
USESSSD=no
PASSWDALGORITHM=sha512
FORCELEGACY=no
USEFPRINTD=no
USEHESIOD=no
FORCESMARTCARD=no
USELDAPAUTH=yes
IPAV2NONTP=no
USELDAP=yes
USECRACKLIB=yes
USEIPAV2=no
USEWINBINDAUTH=no
USESMARTCARD=no
USELOCAUTHORIZE=yes
USENIS=no
USEKERBEROS=no
USESYSNETAUTH=no
USEDB=no
USEPASSWDQC=no

# /etc/sudo-ldap.conf

echo "uri ldap://192.168.9.253
sudoers_base ou=sudoers,dc=dabayouxi,dc=com" >> /etc/sudo-ldap.conf

#/etc/openldap/ldap.conf

vim /etc/openldap/ldap.conf
TLS_CACERTDIR /etc/openldap/cacerts
URI ldap://192.168.9.253
BASE dc=dabayouxi,dc=com

#/etc/security/access.conf

vim /etc/security/access.conf
# add the following line: deny everyone except root and web (matched as a user name or a group name), from any origin
-:ALL EXCEPT root web:ALL
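This one rule, enforced through `account required pam_access.so` in /etc/pam.d/sshd above, is what keeps every LDAP user outside the web group off this client, including the core group that has unrestricted sudo. The evaluator below is an added example (not part of the original post) for checking a rule set before pushing it to hosts: it implements pam_access's list semantics for ALL, EXCEPT, bare user/group tokens and (group) tokens, with origins matched exactly or as ALL (LOCAL and network prefixes are not modelled). The access.conf text and the sample accounts are constructed from the page's rule and its groups.

```python
# Constructed copy of the rule the page appends to /etc/security/access.conf on the client.
PAGE_ACCESS_CONF = """
# deny everyone except root and the web group (user name or group name), from any origin
-:ALL EXCEPT root web:ALL
"""


def parse_access_conf(text):
    """Return [(permission, user_tokens, origin_tokens)] per rule line; comments and blanks are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (field.strip() for field in line.split(":", 2))
        rules.append((perm, users.split(), origins.split()))
    return rules


def _match_list(tokens, names):
    """pam_access list semantics: ALL matches anything; 'A B EXCEPT C' means in {A,B} and not in {C};
    a bare token matches the user name or any of the user's groups; (grp) matches a group only."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return _match_list(tokens[:i], names) and not _match_list(tokens[i + 1:], names)
    for tok in tokens:
        if tok == "ALL":
            return True
        if tok.startswith("(") and tok.endswith(")"):
            if tok[1:-1] in names["groups"]:
                return True
        elif tok == names["user"] or tok in names["groups"]:
            return True
    return False


def login_permitted(rules, user, groups, origin):
    """The first rule whose user list and origin list both match decides; no match means permit
    (pam_access's default). Origins are matched exactly or as ALL in this model."""
    names = {"user": user, "groups": set(groups)}
    for perm, users, origins in rules:
        if _match_list(users, names) and _match_list(origins, {"user": origin, "groups": set()}):
            return perm == "+"
    return True


def report(rules, accounts, origin):
    """Evaluate several (user, groups) pairs from one origin, e.g. before rolling out a new access.conf."""
    return {user: login_permitted(rules, user, groups, origin) for user, groups in accounts}


if __name__ == "__main__":
    rules = parse_access_conf(PAGE_ACCESS_CONF)
    # Constructed accounts mirroring the page's groups.ldif and users.ldif
    accounts = [("root", []), ("webuser", ["web"]), ("coreuser", ["core"])]
    print(report(rules, accounts, "192.168.9.176"))
```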

(5) Start the service

service nslcd restart

(6) Testing










This article is reproduced from wpf926's 51CTO blog; original: http://blog.51cto.com/wupengfei/1964734. Contact the original author for reprint permission.