Deploying LDAP for unified authentication, with phpLDAPadmin (CentOS 7)


1. Introduction

Background: the number of internal systems and servers kept growing, and every system and server carried its own set of accounts, so we decided to move Linux user authentication onto LDAP. With more people on the team and more hosts, accounts managed independently on each server led to:
- high maintenance cost for the operations team
- awkward day-to-day work for employees
- too many separate accounts for each employee to remember
- no clear separation of privileges
With unified authentication we get:
- fast provisioning and revocation of accounts when people join or leave
- every user reaching exactly the servers they are authorised for, with one identity

2. LDAP deployment

Environment:

Role     OS        IP
Server   centos7   192.168.3.157
Client   centos7   192.168.3.158

Disable SELinux and firewalld on the server (a lab shortcut, see the note below):
sed -i '/SELINUX/s/enforcing/disabled/g' /etc/sysconfig/selinux
systemctl disable firewalld
reboot

Both are switched off here only to keep the lab simple. A directory server holds every account's password hash, so on a production host keep SELinux enforcing and firewalld running, and open only 389/tcp (plus 636/tcp if you configure LDAPS).

Steps:

① Install OpenLDAP with yum
[root@server ~] #yum install -y openldap openldap-clients openldap-servers migrationtools

② Adjust the configuration, then start slapd
[root@server ~] #vim /etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif

Change these two lines:
olcSuffix: dc=haze,dc=com
olcRootDN: cn=root,dc=haze,dc=com
Add one line:
olcRootPW: 123456    # a plaintext value works, as here, but the right thing to paste is the {SSHA} hash printed by slappasswd; mind the single space between the attribute name and the value

[root@server ~] #vim /etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif

Change one line, replacing the default cn=Manager DN with the root DN chosen above. The rule grants read access to the monitor database to local root connecting over ldapi (SASL EXTERNAL) and to cn=root, and denies everyone else; the leading space on the second line is LDIF line folding, not a typo:
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
 al,cn=auth" read by dn.base="cn=root,dc=haze,dc=com" read by * none

[root@server ~] #cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

[root@server ~] #chown -R ldap:ldap /var/lib/ldap

[root@server ~] #chown -R ldap:ldap /etc/openldap/certs
slapd runs as the ldap user and cannot start unless it can read the certificate directory; this one cost me an entire afternoon.

[root@server ~] #slaptest -u

56e7c83d ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif"
56e7c83d ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif"
config file testing succeeded

checksum error: the CRC32 recorded in the header of each file no longer matches because the files were edited by hand. It does not stop the lab (slaptest still prints "config file testing succeeded"), but it is a reminder that the supported way to change cn=config is ldapmodify over ldapi:///, which rewrites the files and their checksums for you.
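As an added example (this is not code from the original post), here is the same change done the supported way: the three edits above expressed as an LDIF for ldapmodify over ldapi:///, with olcRootPW stored as an {SSHA} hash rather than the plaintext 123456. The hash functions reimplement the scheme slappasswd emits by default, so the result can be checked without a running slapd; the password S3cret! and the salt abcd1234 are illustrative values, not anything from the post.

```shell
#!/bin/sh
# Added example, not from the original post: the post's three hand edits under slapd.d,
# rebuilt as an LDIF for ldapmodify, with olcRootPW as a salted SHA-1 ({SSHA}) hash.
# ssha_hash/ssha_verify reimplement what `slappasswd -s PASSWORD` produces by default,
# so the output can be checked offline; on a real server slappasswd itself is fine.

# ssha_hash PASSWORD [SALT]  -> {SSHA}base64( sha1(password || salt) || salt )
# Default salt: 4 random bytes rendered as 8 hex characters. Hex keeps the salt printable
# so shell variables can carry it; slapd accepts arbitrary salt bytes.
ssha_hash() {
    pw=$1
    salt=${2:-$(head -c 4 /dev/urandom | od -An -tx1 | tr -d ' \n')}
    b64=$({ printf '%s%s' "$pw" "$salt" | openssl dgst -sha1 -binary; printf '%s' "$salt"; } \
          | base64 | tr -d '\n')
    printf '{SSHA}%s\n' "$b64"
}

# ssha_verify PASSWORD STORED  -> exit 0 when PASSWORD matches the stored {SSHA} value.
# This is what slapd does on a simple bind: decode, skip the 20-byte digest to recover
# the salt, re-hash the offered password with that salt, compare.
ssha_verify() {
    stored=$2
    blob=${stored#"{SSHA}"}
    [ "$blob" != "$stored" ] || return 1      # not an {SSHA} value (e.g. a plaintext 123456)
    salt=$(printf '%s' "$blob" | base64 -d | tail -c +21)
    [ "$(ssha_hash "$1" "$salt")" = "$stored" ]
}

# slapd_config_ldif ROOTPW_HASH  -> LDIF equivalent of the post's edits to
# olcDatabase={2}hdb.ldif (suffix, root DN, root password) and olcDatabase={1}monitor.ldif (ACL).
# Apply with:  ldapmodify -Y EXTERNAL -H ldapi:/// -f slapd-config.ldif
# "replace" creates olcRootPW when it is absent, as it is in the stock CentOS 7 config.
slapd_config_ldif() {
    cat <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=haze,dc=com
-
replace: olcRootDN
olcRootDN: cn=root,dc=haze,dc=com
-
replace: olcRootPW
olcRootPW: $1

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=root,dc=haze,dc=com" read by * none
EOF
}

# Stand-alone run: hash a sample password and print the LDIF. The salt is fixed here only
# so the output is reproducible; omit the second argument to get a random salt.
if [ "${1:-}" = "--demo" ]; then
    slapd_config_ldif "$(ssha_hash 'S3cret!' 'abcd1234')"
fi
```

Run it with --demo, save the output as slapd-config.ldif and apply it with ldapmodify -Y EXTERNAL -H ldapi:/// -f slapd-config.ldif. slapd writes the files itself, so slaptest -u no longer complains about checksums, and the root password exists on disk only as a salted hash.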

[root@server ~] #systemctl start slapd

[root@server ~] #systemctl enable slapd

[root@server ~] #netstat -tunlp | egrep "389|636"

tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      3557/slapd          
tcp6       0      0 :::389                  :::*                    LISTEN      3557/slapd

Only 389 (plain LDAP) is listening; 636 (LDAPS) is absent because no server certificate has been configured. Until TLS is set up, every simple bind to this server, including the cn=root password typed into ldapadd below and every user login from the client, crosses the network in clear text.

③ Load the required schemas into LDAP
[root@server ~] #cd /etc/openldap/schema/

[root@server schema] # vim start.sh

#!/bin/sh
# Load the standard schemas into cn=config over the local ldapi socket; root is
# authenticated by SASL EXTERNAL (peer credentials), so no password is needed.
# core.ldif is already part of the default CentOS 7 configuration, which is why it
# fails below with "Duplicate attributeType"; that entry can simply be left out.
for s in cosine nis collective corba core duaconf dyngroup inetorgperson java misc openldap pmi ppolicy; do
    ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f "$s.ldif"
done

[root@server schema] # sh start.sh

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=collective,cn=schema,cn=config"

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=corba,cn=schema,cn=config"

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=core,cn=schema,cn=config"
ldap_add: Other (e.g., implementation specific) error (80)
    additional info: olcAttributeTypes: Duplicate attributeType: "2.5.4.2"

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=duaconf,cn=schema,cn=config"

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=dyngroup,cn=schema,cn=config"

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=java,cn=schema,cn=config"

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=misc,cn=schema,cn=config"

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=openldap,cn=schema,cn=config"

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=pmi,cn=schema,cn=config"
 
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=ppolicy,cn=schema,cn=config"

④ Build the LDAP DIT with migrationtools
[root@server schema] #cd /usr/share/migrationtools/

[root@server migrationtools] #vim migrate_common.ph

Change these four lines:
$NAMINGCONTEXT{'group'} = "ou=Groups";         # line 61: Groups, with the trailing s
$DEFAULT_MAIL_DOMAIN = "haze.com";             # line 71: mail domain
$DEFAULT_BASE = "dc=haze,dc=com";              # line 74: base DN
$EXTENDED_SCHEMA = 1;                          # line 90: 0 -> 1, enables the extended schema

[root@server migrationtools] #./migrate_base.pl > /root/base.ldif

[root@server migrationtools] #ldapadd -x -W -D "cn=root,dc=haze,dc=com" -f /root/base.ldif

Enter LDAP Password: 
adding new entry "dc=haze,dc=com"

adding new entry "ou=Hosts,dc=haze,dc=com"

adding new entry "ou=Rpc,dc=haze,dc=com"

adding new entry "ou=Services,dc=haze,dc=com"

adding new entry "nisMapName=netgroup.byuser,dc=haze,dc=com"

adding new entry "ou=Mounts,dc=haze,dc=com"

adding new entry "ou=Networks,dc=haze,dc=com"

adding new entry "ou=People,dc=haze,dc=com"

adding new entry "ou=Groups,dc=haze,dc=com"

adding new entry "ou=Netgroup,dc=haze,dc=com"

adding new entry "ou=Protocols,dc=haze,dc=com"

adding new entry "ou=Aliases,dc=haze,dc=com"

adding new entry "nisMapName=netgroup.byhost,dc=haze,dc=com"

⑤ Create the parent directory /home/guests and two test users with passwords ('password' is a lab value only)

[root@server migrationtools] #mkdir /home/guests
[root@server migrationtools] #useradd -d /home/guests/ldapuser1 ldapuser1 
[root@server migrationtools] #useradd -d /home/guests/ldapuser2 ldapuser2
[root@server migrationtools] #echo 'password' | passwd --stdin ldapuser1
[root@server migrationtools] #echo 'password' | passwd --stdin ldapuser2

⑥ Now extract these users, their groups and their password hashes from the system databases into separate files

tail -n 5 assumes the five most recently added entries are the ones you want; check each file before importing, or system and service accounts end up in the directory (in this run five users and five groups were imported, not just the two test users). /root/shadow holds the password hashes: keep it mode 0600 and delete it, together with the generated LDIF, once the import is done.

[root@server migrationtools] #getent passwd | tail -n 5 > /root/users
[root@server migrationtools] #getent shadow | tail -n 5 > /root/shadow
[root@server migrationtools] #getent group | tail -n 5 > /root/groups

[root@server migrationtools] #cd /usr/share/migrationtools

[root@server migrationtools] #vim migrate_passwd.pl

......
sub read_shadow_file
{
        open(SHADOW, "/root/shadow") || return;    # line 188: changed to /root/shadow
        while(<SHADOW>) {
                chop;
                ($shadowUser) = split(/:/, $_);
                $shadowUsers{$shadowUser} = $_;
        }
        close(SHADOW);
......

⑦ Now generate LDIF files for these users with the migration tools and import them
[root@server migrationtools] #./migrate_passwd.pl /root/users > users.ldif
[root@server migrationtools] #./migrate_group.pl /root/groups > groups.ldif
[root@server migrationtools] #ldapadd -x -W -D "cn=root,dc=haze,dc=com" -f users.ldif
[root@server migrationtools] #ldapadd -x -W -D "cn=root,dc=haze,dc=com" -f groups.ldif
If ldapadd reports an error, inspect the generated LDIF, regenerate it and add it again. Then verify the import; the 23 entries below are the 13 containers from base.ldif plus the 5 users and 5 groups exported above:
[root@server migrationtools] #ldapsearch -x -b "dc=haze,dc=com" -H ldap://127.0.0.1

......
result: 0 Success

# numResponses: 24
# numEntries: 23
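As an added example (not the page's own code, and not migrationtools), the filter below does what steps ⑥ and ⑦ do with getent | tail -n 5 and migrate_passwd.pl/migrate_group.pl, but selects accounts by UID/GID range and login state instead of by position in the file, so system, service and locked accounts cannot slip into the directory. The passwd, shadow and group lines are constructed samples; the base DN dc=haze,dc=com and the ou=People/ou=Groups layout are the post's own.

```shell
#!/bin/sh
# Added example, not from the original post: convert passwd/shadow/group data to LDIF for
# ou=People and ou=Groups under dc=haze,dc=com, selecting what to migrate explicitly.
# Output is ready for: ldapadd -x -W -D "cn=root,dc=haze,dc=com" -f users.ldif
# Shadow aging attributes (shadowLastChange etc.) are left out for brevity.

# Constructed sample input (not real accounts): system users, one locked user, one service account.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
ldapuser1:x:1001:1001::/home/guests/ldapuser1:/bin/bash
ldapuser2:x:1002:1002:Locked User:/home/guests/ldapuser2:/bin/bash
svc:x:1003:1003::/home/svc:/sbin/nologin'
SAMPLE_SHADOW='root:$6$rootsalt$roothash:17000:0:99999:7:::
nobody:*:17000:0:99999:7:::
ldapuser1:$6$s1$h1:17000:0:99999:7:::
ldapuser2:!!:17000:0:99999:7:::
svc:$6$s3$h3:17000:0:99999:7:::'
SAMPLE_GROUP='root:x:0:
ldapuser1:x:1001:
ldapuser2:x:1002:
devs:x:2000:ldapuser1,ldapuser2'

# passwd_to_ldif BASE_DN MIN_UID PASSWD_FILE SHADOW_FILE
# One posixAccount/shadowAccount entry per user with uid >= MIN_UID whose shell is not
# nologin/false and whose shadow hash is usable (not "!"-locked, "*" or empty).
# The hash is carried over as {CRYPT}<hash>, exactly as migrate_passwd.pl does.
passwd_to_ldif() {
    awk -F: -v base="$1" -v minuid="$2" '
        NR == FNR { shadow[$1] = $2; next }                 # first file (shadow): user -> hash
        $3 < minuid { next }                                # system account
        $7 ~ /(nologin|false)$/ { next }                    # cannot log in anyway
        shadow[$1] == "" || shadow[$1] ~ /^[!*]/ { next }   # locked or no password
        {
            printf "dn: uid=%s,ou=People,%s\n", $1, base
            print "objectClass: top\nobjectClass: account\nobjectClass: posixAccount\nobjectClass: shadowAccount"
            printf "uid: %s\ncn: %s\nuidNumber: %s\ngidNumber: %s\nhomeDirectory: %s\nloginShell: %s\n",
                   $1, ($5 == "" ? $1 : $5), $3, $4, $6, $7
            printf "userPassword: {CRYPT}%s\n\n", shadow[$1]
        }' "$4" "$3"
}

# group_to_ldif BASE_DN MIN_GID GROUP_FILE
# One posixGroup per group with gid >= MIN_GID, plus a memberUid per listed member.
group_to_ldif() {
    awk -F: -v base="$1" -v mingid="$2" '
        $3 < mingid { next }
        {
            printf "dn: cn=%s,ou=Groups,%s\nobjectClass: top\nobjectClass: posixGroup\ncn: %s\ngidNumber: %s\n", $1, base, $1, $3
            n = split($4, members, ",")
            for (i = 1; i <= n; i++) if (members[i] != "") printf "memberUid: %s\n", members[i]
            print ""
        }' "$3"
}

# demo_ldif -> runs both converters over the constructed samples, written to temp files
# the same way the post uses /root/users, /root/shadow and /root/groups.
demo_ldif() {
    pw=$(mktemp); shf=$(mktemp); gr=$(mktemp)
    printf '%s\n' "$SAMPLE_PASSWD" >"$pw"
    printf '%s\n' "$SAMPLE_SHADOW" >"$shf"
    printf '%s\n' "$SAMPLE_GROUP" >"$gr"
    passwd_to_ldif "dc=haze,dc=com" 1000 "$pw" "$shf"
    group_to_ldif "dc=haze,dc=com" 1000 "$gr"
    rm -f "$pw" "$shf" "$gr"
}

if [ "${1:-}" = "--demo" ]; then
    demo_ldif
fi
```

On the sample data only ldapuser1 is exported as a user: root and nobody fall below the UID floor, svc has a nologin shell, and ldapuser2 is locked ("!!"). The three groups at or above GID 1000 are exported, devs with two memberUid values. With real files, run passwd_to_ldif against /etc/passwd and /etc/shadow (as root) and diff the result against what migrate_passwd.pl produced before importing.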

3. Client configuration

Steps:

[root@client ~]yum install -y nss-pam*
This pulls in nss-pam-ldapd, which provides nslcd: the daemon behind the LDAP name-service (NSS) module and the LDAP PAM authentication module.

[root@client ~]authconfig-tui
(screenshots in the original: the authconfig-tui dialogs, with LDAP enabled for user information and for authentication, pointing at server 192.168.3.157 and base DN dc=haze,dc=com)

[root@client ~]# mkdir /home/guests/ldapuser1
[root@client ~]su - ldapuser1
-bash-4.2$

Getting a shell shows that NSS resolved the LDAP user and PAM opened a session; the bare "-bash-4.2$" prompt only means the hand-made home directory has no .bash_profile or .bashrc. Two caveats: su from root does not ask for a password (pam_rootok), so this does not yet prove LDAP password authentication works; test that with ssh ldapuser1@192.168.3.158 or su from an unprivileged account. And creating home directories by hand does not scale; enable mkhomedir in authconfig (package oddjob-mkhomedir) so they are created at first login.
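For reference, here is the client-side configuration the procedure above produces, as an added example rather than a file from the original post. The uri and base lines are what authconfig writes for this lab; the three TLS lines are an assumption on my part: they only work once slapd has been given a server certificate, which the post does not do, and the CA file path is illustrative.

```conf
# /etc/nslcd.conf (added example, not from the original post)
uid nslcd
gid ldap

# What authconfig-tui wrote from the dialog values
uri ldap://192.168.3.157/
base dc=haze,dc=com
# Narrower search bases keep lookups cheap and keep non-account entries out of NSS
base passwd ou=People,dc=haze,dc=com
base group  ou=Groups,dc=haze,dc=com

# Assumed hardening: without these lines every bind, including each user's password at
# login, crosses the network in clear text. Requires a certificate on the server and the
# issuing CA at the path below (illustrative path).
ssl start_tls
tls_reqcert demand
tls_cacertfile /etc/openldap/certs/ca.crt
```

After changing the file, restart nslcd and repeat the getent passwd ldapuser1 and login tests; with tls_reqcert demand, a server whose certificate does not validate is refused rather than silently trusted.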


4. Deploying a web front end to manage LDAP

Steps:

① Enable the EPEL third-party repository and install phpLDAPadmin
[root@server ~] #yum -y install epel-release
[root@server ~] #yum install -y phpldapadmin

② Configure phpLDAPadmin. CentOS 7 ships httpd 2.4, so only the mod_authz_core block below takes effect; Require ip 192.168.3.0/24 is the line added to the package default, which otherwise permits access from the local host only.
[root@server ~] #vim /etc/httpd/conf.d/phpldapadmin.conf

Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
Alias /ldapadmin /usr/share/phpldapadmin/htdocs

<Directory /usr/share/phpldapadmin/htdocs>
  <IfModule mod_authz_core.c>
    # Apache 2.4
    Require local
    Require ip 192.168.3.0/24
  </IfModule>
  <IfModule !mod_authz_core.c>
    # Apache 2.2
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1
    Allow from ::1
  </IfModule>
</Directory>
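The following is an added hardening variant of the block above, not configuration from the original post. It assumes mod_ssl is installed and a certificate is configured in ssl.conf; the post serves the UI over plain HTTP.

```apache
# Added example, not from the original post. Requires mod_ssl with a certificate configured.
<Directory /usr/share/phpldapadmin/htdocs>
  <IfModule mod_authz_core.c>
    # Management subnet only (the post's setting); tighten further to individual admin hosts if you can
    Require ip 192.168.3.0/24
    # Refuse any request that did not arrive over TLS, so the cn=root,dc=haze,dc=com
    # password entered on the login page is never submitted in clear text
    SSLRequireSSL
  </IfModule>
</Directory>
```

With SSLRequireSSL in place, http://192.168.3.157/ldapadmin returns 403 and only https://192.168.3.157/ldapadmin works.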

[root@server ~] #vim /etc/phpldapadmin/config.php

.....
$servers->setValue('login','attr','dn');
// $servers->setValue('login','attr','uid');
.....

Comment out the line ending in uid (prefix it with //) and uncomment the line ending in dn (remove the //): logins then use a full DN such as cn=root,dc=haze,dc=com rather than a bare uid.

[root@server ~] #systemctl start httpd
[root@server ~] #systemctl stop firewalld
firewalld was already disabled in section 2, so the second command is a no-op here; on a host where it is running, open the http service instead of stopping the firewall.

③ Browse to http://192.168.3.157/ldapadmin
(screenshots in the original: the phpLDAPadmin login page and the directory tree under dc=haze,dc=com)

Managing the directory from a browser (B/S) is a real convenience for operations staff. As configured here, though, the cn=root,dc=haze,dc=com password is posted over plain HTTP to a page reachable from the whole 192.168.3.0/24 subnet; before using this outside the lab, put the UI behind TLS and restrict access to the management hosts.
