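# Create the three top-level OUs (host, people, group) under dc=suntv,dc=tv.
# -x = simple bind, -W = prompt for the manager password on the tty (the LDIF
# itself comes from stdin), ldaps:// keeps the bind credentials off the wire
# in clear text.  The heredoc is fed straight to ldapadd (no `cat |`) and the
# delimiter is quoted so the shell never expands anything inside the LDIF.
# LDIF entries are separated by one blank line.
ldapadd -x -W -H ldaps://master.local -D 'cn=manager,dc=suntv,dc=tv' <<'_EOF_'
dn: ou=host,dc=suntv,dc=tv
ou: host
objectClass: organizationalUnit

dn: ou=people,dc=suntv,dc=tv
ou: people
objectClass: organizationalUnit

dn: ou=group,dc=suntv,dc=tv
ou: group
objectClass: organizationalUnit
_EOF_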
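# Create the POSIX groups that the accounts below reference by gidNumber
# (admin=2001, op=2002, dev=2003).  These live under ou=group and are the
# primary groups for NSS; the login-control groups under ou=host are separate.
ldapadd -x -W -H ldaps://master.local -D 'cn=manager,dc=suntv,dc=tv' <<'_EOF_'
dn: cn=admin,ou=group,dc=suntv,dc=tv
objectClass: posixGroup
cn: admin
gidNumber: 2001

dn: cn=op,ou=group,dc=suntv,dc=tv
objectClass: posixGroup
cn: op
gidNumber: 2002

dn: cn=dev,ou=group,dc=suntv,dc=tv
objectClass: posixGroup
cn: dev
gidNumber: 2003
_EOF_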
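# Create one test account per group.  Each uses posixAccount + shadowAccount
# (so NSS/PAM see uid/gid/home/shell and password ageing) plus inetOrgPerson
# (which requires sn).
#
# userPassword below is a clear-text placeholder for this walkthrough.  For any
# real account generate a salted hash on the server with `slappasswd` and paste
# the resulting {SSHA}... value instead, so the directory never stores the
# clear-text secret.  shadowLastChange is days since the epoch; 17085 is
# 2016-10-11, which matches the dates in the home-directory listing below.
ldapadd -x -W -H ldaps://master.local -D 'cn=manager,dc=suntv,dc=tv' <<'_EOF_'
dn: uid=admin01,ou=people,dc=suntv,dc=tv
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
uid: admin01
cn: admin01
sn: admin01
userPassword: 123456
shadowLastChange: 17085
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 2001
homeDirectory: /home/admin01

dn: uid=op01,ou=people,dc=suntv,dc=tv
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
uid: op01
cn: op01
sn: op01
userPassword: 123456
shadowLastChange: 17085
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1002
gidNumber: 2002
homeDirectory: /home/op01

dn: uid=dev01,ou=people,dc=suntv,dc=tv
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
uid: dev01
cn: dev01
sn: dev01
userPassword: 123456
shadowLastChange: 17085
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1003
gidNumber: 2003
homeDirectory: /home/dev01
_EOF_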
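# Create the login-control groups under ou=host.  These are groupOfNames
# (member: full DN), which is what the memberof overlay watches; sssd's
# ldap_access_filter later matches on the resulting memberOf attribute.
#
# Fix: the third entry is cn=op in its DN, so its cn attribute must also be
# "op" (the original had "cn: dev", which slapd rejects as a naming violation
# because the RDN value is missing from the entry).
ldapadd -x -W -H ldaps://master.local -D 'cn=manager,dc=suntv,dc=tv' <<'_EOF_'
dn: cn=admin,ou=host,dc=suntv,dc=tv
objectClass: groupOfNames
cn: admin
member: uid=admin01,ou=people,dc=suntv,dc=tv

dn: cn=dev,ou=host,dc=suntv,dc=tv
objectClass: groupOfNames
cn: dev
member: uid=dev01,ou=people,dc=suntv,dc=tv

dn: cn=op,ou=host,dc=suntv,dc=tv
objectClass: groupOfNames
cn: op
member: uid=op01,ou=people,dc=suntv,dc=tv
_EOF_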
# /etc/openldap/slapd.conf 確保有如下配置項:
#   modulepath /usr/lib64/openldap
#   moduleload memberof.la
#   overlay memberof
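# Regenerate the cn=config tree (slapd.d) from slapd.conf so the memberof
# overlay is picked up, then restart slapd.
#
# Fix: the original deleted slapd.d first and only then ran slaptest, so a
# syntax error in slapd.conf left slapd with no configuration at all.  A
# dry-run (-u) now validates slapd.conf before anything is removed, and the
# steps are chained with && so a failure stops the sequence instead of
# restarting slapd on a half-built directory.
#
# NOTE(review): the memberof overlay only maintains memberOf for group
# changes made after it is active; if the ou=host groups were added before
# the overlay was loaded, re-add (or touch) them so memberOf is populated.
slaptest -u -f /etc/openldap/slapd.conf \
  && rm -rf -- /etc/openldap/slapd.d/* \
  && slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d \
  && chown -R ldap:ldap /etc/openldap/slapd.d \
  && systemctl restart slapd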
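# Verify the overlay: read op01's entry and request only the memberOf
# attribute (it is operational, so it must be asked for explicitly).
# Fix: the attribute list was "memberOfcentos" (a fused code-fence label),
# which requests a non-existent attribute and returns nothing useful.
ldapsearch -x -W -H ldaps://master.local -D 'cn=manager,dc=suntv,dc=tv' \
  -b 'uid=op01,ou=people,dc=suntv,dc=tv' '(uid=op01)' memberOf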
# extended LDIF
#
# LDAPv3
# base <uid=op01,ou=people,dc=suntv,dc=tv> with scope subtree
# filter: uid=op01
# requesting: memberOf
#

# op01, people, suntv.tv
dn: uid=op01,ou=people,dc=suntv,dc=tv
memberOf: cn=op,ou=host,dc=suntv,dc=tv
# 這裏是關鍵

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
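# Same check for admin01.  Fix: the attribute list was "memberOfbash" (a
# fused code-fence label); the operational attribute is "memberOf".
ldapsearch -x -W -H ldaps://master.local -D 'cn=manager,dc=suntv,dc=tv' \
  -b 'uid=admin01,ou=people,dc=suntv,dc=tv' '(uid=admin01)' memberOf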
# admin01, people, suntv.tv
dn: uid=admin01,ou=people,dc=suntv,dc=tv
memberOf: cn=all,ou=host,dc=suntv,dc=tv
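# Same check for dev01.  Fix: trailing text fused onto the attribute name in
# the original paste is dropped; the requested attribute is "memberOf".
ldapsearch -x -W -H ldaps://master.local -D 'cn=manager,dc=suntv,dc=tv' \
  -b 'uid=dev01,ou=people,dc=suntv,dc=tv' '(uid=dev01)' memberOf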
# dev01, people, suntv.tv
dn: uid=dev01,ou=people,dc=suntv,dc=tv
memberOf: cn=dev,ou=host,dc=suntv,dc=tv
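# Client side: install the LDAP client tools and SSSD, then let authconfig
# switch NSS/PAM over to SSSD with both LDAP servers and the search base.
# --enablemkhomedir creates the home directory on first login.
# The two commands were run together on one line in the original; they are
# separate steps, chained so authconfig does not run if the install fails.
# NOTE(review): the sssd.conf that authconfig generates is overwritten by the
# explicit `cat > /etc/sssd/sssd.conf` step that follows.
yum -y install openldap-clients sssd \
  && authconfig --enablesssd --enablesssdauth --enableldap --enableldapauth \
       --ldapserver=ldaps://master.local,ldaps://slave.local \
       --ldapbasedn='dc=suntv,dc=tv' --enablelocauthorize --enableldaptls \
       --enablemkhomedir --update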
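# Write the SSSD configuration for the LDAP domain.
#
# Fix: sssd refuses to start unless sssd.conf is mode 0600 and owned by root,
# and `cat >` creates the file with the umask default (typically 0644), so the
# ownership and mode are set immediately after writing.  The heredoc delimiter
# is quoted so nothing inside the config is shell-expanded.
cat > /etc/sssd/sssd.conf <<'_EOF_'
[domain/LDAP]
# debug_level 9 is the most verbose setting; lower it once logins work.
debug_level = 9
cache_credentials = True
enumerate = false
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://master.local
ldap_backup_uri = ldaps://slave.local
ldap_search_base = dc=suntv,dc=tv
ldap_user_search_base = ou=people,dc=suntv,dc=tv
ldap_group_search_base = ou=group,dc=suntv,dc=tv
# Login is allowed only to members of the listed ou=host groups; this relies
# on the memberof overlay populating memberOf on the user entries.
access_provider = ldap
ldap_access_order = filter
ldap_access_filter = (|(memberOf=cn=admin,ou=host,dc=suntv,dc=tv)(memberOf=cn=dev,ou=host,dc=suntv,dc=tv))
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_cacert = /etc/openldap/cacerts/ca.crt
# NOTE(review): reqcert = never disables validation of the LDAP server's
# certificate even though ca.crt is configured above, so an impostor server
# could collect users' bind passwords.  Set it to "demand" once ca.crt
# matches the certificates on master.local and slave.local.
ldap_tls_reqcert = never
# ldaps:// already wraps the connection in TLS, so StartTLS is not needed.
ldap_id_use_start_tls = false

[sssd]
domains = LDAP
services = nss, pam
config_file_version = 2

[nss]
domains = LDAP
filter_users = root
filter_groups = root

[pam]
domains = LDAP

[sudo]
domains = LDAP

[ssh]
domains = LDAP
_EOF_
chown root:root /etc/sssd/sssd.conf
chmod 0600 /etc/sssd/sssd.conf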
配置自啓動
# centos7:
systemctl restart sssd
systemctl enable sssd
# centos6:
/etc/init.d/sssd restart
chkconfig sssd on
權限
192.168.1.21 (centos7) 容許op組及admin組登陸:
ldap_access_filter = (|(memberOf=cn=admin,ou=host,dc=suntv,dc=tv)(memberOf=cn=op,ou=host,dc=suntv,dc=tv))

192.168.1.22 (centos6) 容許dev組及admin組登陸:
ldap_access_filter = (|(memberOf=cn=admin,ou=host,dc=suntv,dc=tv)(memberOf=cn=dev,ou=host,dc=suntv,dc=tv))
測試結果
op01  登陸192.168.1.21成功, 登陸192.168.1.22失敗
dev01 登陸192.168.1.21失敗, 登陸192.168.1.22成功
admin 登陸192.168.1.21成功, 登陸192.168.1.22成功

[root@centos-1-21 home]# ll
total 0
drwx------ 2 admin01 admin 79 Oct 14 16:40 admin01
drwx------ 2 op01    op    79 Oct 14 16:40 op01

[root@centos6-1-22 home]# ll
total 8
drwx------ 2 admin01 admin 4096 Oct 14 16:40 admin01
drwx------ 2 dev01   dev   4096 Oct 14 16:40 dev01