System environment: CentOS 7
slapd version: 2.4.44
Introduction
OpenLDAP is an open-source implementation of the Lightweight Directory Access Protocol. It is based on the X.500 standard, runs over TCP/IP, and is used for centralised account management; it provides a complete and secure mechanism for unified account management and follows a client/server architecture.
By default OpenLDAP uses Berkeley DB as its backend database. Berkeley DB is a special kind of database that stores data mainly as hashed key/value records and is used chiefly for search, browse and update queries; it performs well for data that is written once and then queried and searched many times.
Overall goals
The number of backend servers keeps growing, and with it the number of accounts, so unified account management becomes especially important. Combined with a bastion host, the main work for bringing the server account system under LDAP management is as follows:
Build an LDAP server master/slave pair. Master/slave replication is done with syncrepl: roughly, the slave pulls the directory tree from the master; the master handles reads and writes, the slave is read-only. Both master and slave are also placed behind a load balancer to serve reads.
Connect server accounts to LDAP so that clients can log in to servers over SSH with a username and password.
Manage client public keys in LDAP so that clients can log in to servers over SSH without a password.
Manage server users' sudo privileges in LDAP.
OpenLDAP directory structure
There are two kinds: an internet-style naming structure and an enterprise-style naming structure.
Enterprise-style naming structure
ou=People,dc=xxyd,dc=com
OpenLDAP abbreviations:
The LDAP-related abbreviations are as follows:
dn - distinguished name (the entry's unique name, its primary key)
o - organization (the company)
ou - organization unit (a department)
c - countryName (country)
dc - domainComponent (a component of the domain name)
sn - surname (family name)
cn - common name
OpenLDAP components:
Overview of the OpenLDAP components:
slapd: the main LDAP server
slurpd: the daemon that kept replica LDAP servers in sync (removed in OpenLDAP 2.4 in favour of syncrepl)
Client programs that operate on a directory over the network. The following two go together:
ldapadd: opens a connection to the LDAP server, binds, and modifies or adds entries
ldapsearch: opens a connection to the LDAP server, binds, and searches with the given parameters
Programs that operate on the database on the local system:
slapadd: adds entries given in LDAP Data Interchange Format (LDIF) to the LDAP database
slapcat: opens the LDAP database and outputs the corresponding entries in LDIF format
Installing the server
```shell
yum -y install openldap openldap-servers openldap-clients openldap-devel compat-openldap
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown -R ldap.ldap /etc/openldap/
chown -R ldap.ldap /var/lib/ldap/
systemctl start slapd

vi /etc/openldap/ldap.conf
BASE dc=xxyd,dc=com
URI ldap://ldap.xxyd.com

# generate the {SSHA} hash used for rootpw below
slappasswd

cat /etc/openldap/slapd.conf
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema

allow bind_v2

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

modulepath /usr/lib64/openldap
moduleload ppolicy.la

TLSCACertificatePath /etc/openldap/certs
TLSCertificateFile "\"OpenLDAP Server\""
TLSCertificateKeyFile /etc/openldap/certs/password

access to attrs=shadowLastChange,userPassword
    by self write
    by * auth
access to *
    by * read

database config
access to *
    by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
    by * none

database monitor
access to *
    by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
    by dn.exact="cn=admin,dc=xxyd,dc=com" read
    by * none

database hdb
suffix "dc=xxyd,dc=com"
checkpoint 1024 15
rootdn "cn=admin,dc=xxyd,dc=com"
rootpw {SSHA}M7S4/DHYIOGx7PsQJFU6kyh00YRCyjhn
directory /var/lib/ldap
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
loglevel 4095

rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
chown -R ldap.ldap /etc/openldap/slapd.d
chown -R ldap.ldap /var/lib/ldap/
systemctl restart slapd
systemctl status slapd
# start on boot
systemctl enable slapd
```
If slapd fails to start, the three lines TLSCACertificatePath /etc/openldap/certs, TLSCertificateFile "\"OpenLDAP Server\"" and TLSCertificateKeyFile /etc/openldap/certs/password can be removed.
Installing the client
Ubuntu client
```shell
apt-get install libpam-ldap nscd
##### The following extra packages will be installed:
##### auth-client-config ldap-auth-client ldap-auth-config libnss-ldap
```
After installation some information still has to be filled in:
LDAP server Uniform Resource Identifier: since I used the same machine, I entered ldap://127.0.0.1:389 (the port is optional). Take special care to replace the default ldapi:/// with ldap://.
Distinguished name of the search base: the root of your directory tree; mine, for example, is dc=chenjr,dc=cc.
LDAP version to use: 3
Make local root Database admin: Yes
Does the LDAP database require login? No
LDAP account for root: the admin account created when the LDAP server was installed; here it is cn=admin,dc=xxyd,dc=com
LDAP root account password
```shell
# If you make a mistake and need to change a value, you can go through the menu again by issuing this command:
sudo dpkg-reconfigure ldap-auth-config
```
A few files still need editing. The first is /etc/nsswitch.conf, which makes user and password lookups on the Linux side go through LDAP. Add ldap in front of compat in the following three lines:
```shell
passwd: ldap compat
group: ldap compat
shadow: ldap compat
```
With this form, nobody can log in while the LDAP server is unavailable; change it to:
```shell
passwd: files [UNAVAIL=return] ldap
group: files [UNAVAIL=return] ldap
shadow: files [UNAVAIL=return] ldap
```
This way local users on the LDAP client are not verified against the LDAP server, so even if the LDAP server is down, local users can still log in.
Next the PAM configuration has to change. Edit /etc/pam.d/common-session and append a line at the end so that a home directory is created the first time a user logs in:
```shell
session required pam_mkhomedir.so skel=/etc/skel umask=0022
```
Then edit /etc/pam.d/common-password and remove use_authtok from the following line; this avoids an error from the passwd command that would prevent password changes:
```shell
password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass
```
Finally restart nscd:
```shell
sudo /etc/init.d/nscd restart
```
CentOS client
```shell
yum -y install nss-pam-ldapd

vim /etc/nslcd.conf
uri ldap://ldap.xxyd.com
base dc=xxyd,dc=com
ssl no
tls_cacertdir /etc/openldap/cacerts

vim /etc/pam_ldap.conf
base dc=xxyd,dc=com
uri ldap://ldap.xxyd.com
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5

vi /etc/pam.d/system-auth
auth     sufficient  pam_ldap.so try_first_pass
account  [default=bad success=ok user_unknown=ignore] pam_ldap.so
password sufficient  pam_ldap.so use_authtok
session  optional    pam_ldap.so

vi /etc/nsswitch.conf
passwd: files ldap
shadow: files ldap
group:  files ldap

vi /etc/sysconfig/authconfig
USELDAPAUTH=yes
USELDAP=yes

systemctl restart nslcd
```
If switching to an LDAP user leaves you at a bare bash-4.2$ prompt (no home directory), add the following to /etc/pam.d/system-auth:
```shell
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
```
Adding OpenLDAP users and groups
There are two methods:
1. Import with the migrationtools tool
2. Import a custom LDIF file
Importing with the migrationtools tool
The open-source migrationtools package reads /etc/passwd, /etc/shadow and /etc/group, generates LDIF files, and the ldapadd command then updates the database to complete the user import.
This method is convenient for importing the users and groups that already exist on the system.
```shell
# install migrationtools
yum -y install migrationtools

vi /usr/share/migrationtools/migrate_common.ph
$DEFAULT_MAIL_DOMAIN = "xxyd.com";
$DEFAULT_BASE = "dc=xxyd,dc=com";
$EXTENDED_SCHEMA = 1;

# generate the LDIF base template, then the LDIF for the system users and groups
cd ~
/usr/share/migrationtools/migrate_base.pl > base.ldif
/usr/share/migrationtools/migrate_passwd.pl /etc/passwd > passwd.ldif
/usr/share/migrationtools/migrate_group.pl /etc/group > group.ldif
### sed -i 's/padl/xxyd/g' *.ldif
```
Remove the unnecessary entries from base.ldif (here I kept only the ou=Group and ou=People entries).
Remove the user and group entries you do not need from group.ldif and passwd.ldif.
Import into the OpenLDAP directory tree:
```shell
ldapadd -x -D "cn=admin,dc=xxyd,dc=com" -W -f ~/base.ldif
ldapadd -x -D "cn=admin,dc=xxyd,dc=com" -W -f ~/passwd.ldif
ldapadd -x -D "cn=admin,dc=xxyd,dc=com" -W -f ~/group.ldif
```
Importing a custom LDIF
Write the user attributes yourself in LDIF and import them into OpenLDAP.
OpenLDAP encrypted transport
By default the OpenLDAP server and its clients perform authentication, queries and every other operation in cleartext. Because transmission across the internet is not safe, an OpenLDAP server certificate has to be provided and the configuration files modified to support encrypted transport.
It is strongly recommended to use a wildcard domain name when making the certificate, so that the same certificate can be deployed across multiple IDC sites. For example, a certificate matching *.domain.com, with each IDC using its own hostname:
idc1.domain.com
idc2.domain.com
idc3.domain.com
One certificate then covers every IDC, which is quick and convenient.
A client can also be configured with two server addresses; when the first server is unavailable it automatically connects to the second.
Building your own CA
```shell
# install OpenSSL
yum -y install openssl-devel

# the CA generates its own private key
# to keep the CA private key safe, the key file permissions are set to 600
cd /etc/pki/CA
(umask 077; openssl genrsa -out private/cakey.pem 2048)

# the CA issues its own self-signed certificate
openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GD
Locality Name (eg, city) [Default City]:SZ
Organization Name (eg, company) [Default Company Ltd]:xxyd.com
Organizational Unit Name (eg, section) []:YW
Common Name (eg, your name or your server's hostname) []:ldap.xxyd.com
Email Address []:976972175@qq.com

touch serial index.txt
echo "01" > serial

# view the root certificate
openssl x509 -noout -text -in /etc/pki/CA/cacert.pem
```
Integrating OpenLDAP with the CA
Generate the OpenLDAP server certificate and modify the configuration files to support SSL/TLS session encryption. (The commands below generate a 1024-bit server key; 2048 bits, as used for the CA key above, is the usual minimum today.)
```shell
# the OpenLDAP server generates its private key
mkdir /etc/openldap/ssl
cd /etc/openldap/ssl
(umask 077; openssl genrsa -out ldapkey.pem 1024)

# the OpenLDAP server creates a certificate signing request for the CA
openssl req -new -key ldapkey.pem -out ldap.csr -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GD
Locality Name (eg, city) [Default City]:SZ
Organization Name (eg, company) [Default Company Ltd]:xxyd.com
Organizational Unit Name (eg, section) []:YW
Common Name (eg, your name or your server's hostname) []:ldap.xxyd.com
Email Address []:976972175@qq.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

# the CA checks the request and signs the certificate
openssl ca -in ldap.csr -out ldapcert.pem -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Apr 25 08:18:45 2018 GMT
            Not After : Apr 22 08:18:45 2028 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = GD
            organizationName          = xxyd.com
            organizationalUnitName    = YW
            commonName                = ldap.xxyd.com
            emailAddress              = 976972175@qq.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                C9:0D:16:5C:91:04:27:E9:96:F4:60:6A:B9:ED:70:16:08:0A:96:32
            X509v3 Authority Key Identifier:
                keyid:CC:5A:C4:57:70:52:C0:67:D3:F3:BF:A6:3B:01:31:3C:7F:8D:07:66

Certificate is to be certified until Apr 22 08:18:45 2028 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
```
OpenLDAP TLS/SASL deployment
```shell
cp /etc/pki/CA/cacert.pem /etc/openldap/ssl/
chown -R ldap.ldap /etc/openldap/ssl/*
chmod -R 0400 /etc/openldap/ssl/*

vi /etc/openldap/slapd.conf
# TLSCACertificatePath /etc/openldap/certs
# TLSCertificateFile "\"OpenLDAP Server\""
# TLSCertificateKeyFile /etc/openldap/certs/password
TLSCACertificateFile /etc/openldap/ssl/cacert.pem
TLSCertificateFile /etc/openldap/ssl/ldapcert.pem
TLSCertificateKeyFile /etc/openldap/ssl/ldapkey.pem
TLSVerifyClient never

vi /etc/sysconfig/slapd
SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"
SLAPD_LDAP=yes
SLAPD_LDAPI=yes
SLAPD_LDAPS=yes

rm -rf /etc/openldap/slapd.d/*
slaptest -u
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
chown -R ldap.ldap /etc/openldap/slapd.d/
service slapd restart
ss -lnp | grep 636

# verify the OpenLDAP server certificate against the CA certificate
# openssl verify -CAfile /etc/pki/CA/cacert.pem /etc/openldap/ssl/ldapcert.pem
/etc/openldap/ssl/ldapcert.pem: OK

# confirm that the live socket passes verification against the CA
# openssl s_client -connect ldap.xxyd.com:636 -showcerts -state -CAfile /etc/openldap/ssl/cacert.pem
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 C = CN, ST = GD, L = SZ, O = xxyd.com, OU = YW, CN = ldap.xxyd.com, emailAddress = 976972175@qq.com
verify return:1
depth=0 C = CN, ST = GD, O = xxyd.com, OU = YW, CN = ldap.xxyd.com, emailAddress = 976972175@qq.com
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
---
Certificate chain
 0 s:/C=CN/ST=GD/O=xxyd.com/OU=YW/CN=ldap.xxyd.com/emailAddress=976972175@qq.com
   i:/C=CN/ST=GD/L=SZ/O=xxyd.com/OU=YW/CN=ldap.xxyd.com/emailAddress=976972175@qq.com
-----BEGIN CERTIFICATE-----
(PEM body omitted)
-----END CERTIFICATE-----
 1 s:/C=CN/ST=GD/L=SZ/O=xxyd.com/OU=YW/CN=ldap.xxyd.com/emailAddress=976972175@qq.com
   i:/C=CN/ST=GD/L=SZ/O=xxyd.com/OU=YW/CN=ldap.xxyd.com/emailAddress=976972175@qq.com
-----BEGIN CERTIFICATE-----
(PEM body omitted)
-----END CERTIFICATE-----
---
Server certificate
subject=/C=CN/ST=GD/O=xxyd.com/OU=YW/CN=ldap.xxyd.com/emailAddress=976972175@qq.com
issuer=/C=CN/ST=GD/L=SZ/O=xxyd.com/OU=YW/CN=ldap.xxyd.com/emailAddress=976972175@qq.com
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2213 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 55054DE6A2BDA0AB00F94966542DF551E357F9B3F07B5B6F1DD3567D0CBEE311
    Session-ID-ctx:
    Master-Key: 1E1248619CC913A090967862C855CD9F43299DFE60A52D8BFBB515A8C6C01A74DD2E2E939C97B5414C1DA0A05FC16D2A
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1524647608
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

# deploying the OpenLDAP slave server
# copy cacert.pem, ldapcert.pem and ldapkey.pem to /etc/openldap/ssl/
chown -R ldap.ldap /etc/openldap/ssl/*
chmod -R 0400 /etc/openldap/ssl/*

vi /etc/openldap/slapd.conf
# TLSCACertificatePath /etc/openldap/certs
# TLSCertificateFile "\"OpenLDAP Server\""
# TLSCertificateKeyFile /etc/openldap/certs/password
TLSCACertificateFile /etc/openldap/ssl/cacert.pem
TLSCertificateFile /etc/openldap/ssl/ldapcert.pem
TLSCertificateKeyFile /etc/openldap/ssl/ldapkey.pem
TLSVerifyClient never

vi /etc/sysconfig/slapd
SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"
SLAPD_LDAP=yes
SLAPD_LDAPI=yes
SLAPD_LDAPS=yes

rm -rf /etc/openldap/slapd.d/*
slaptest -u
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
chown -R ldap.ldap /etc/openldap/slapd.d/
service slapd restart
ss -lnp | grep 636
```
Client deployment
Isolating the platform from failures of basic components
Fortunately the OpenLDAP client configuration file supports the nss_initgroups_ignoreusers setting. This means that role accounts (root, service, oracle, read_only and so on) can be ignored: no OpenLDAP request is made for them and they are authenticated locally. Personal accounts and their privileges are maintained in OpenLDAP, while role accounts are maintained in the server's own passwd and shadow files.
Ubuntu client
```shell
# rsync -azP ldap.xxyd.com:/etc/pki/CA/cacert.pem /etc/ldap/ssl/

# vi /etc/ldap.conf
base dc=xxyd,dc=com
uri ldaps://ldap.xxyd.com
#ssl start_tls
#ssl no
ssl on
## nss_initgroups_ignoreusers: local users that are never looked up in LDAP
nss_initgroups_ignoreusers root,daemon,bin,sys,sync,mail,nobody,syslog,sshd

# vi /etc/ldap/ldap.conf
BASE dc=xxyd,dc=com
URI ldaps://ldap.xxyd.com
TLS_CACERT /etc/ldap/ssl/cacert.pem
#TLS_CACERT /etc/ssl/certs/ca-certificates.crt

/etc/init.d/nscd restart
```
CentOS client
```shell
rsync -azP ldap.xxyd.com:/etc/pki/CA/cacert.pem /etc/openldap/cacerts/

vi /etc/openldap/ldap.conf
URI ldaps://ldap.xxyd.com/
## nss_initgroups_ignoreusers: local users that are never looked up in LDAP
nss_initgroups_ignoreusers root,daemon,bin,operator,sync,mail,nobody,adm,sshd

vi /etc/pam_ldap.conf
# ssl start_tls
# ssl no
uri ldaps://ldap.xxyd.com/
ssl on

vi /etc/nslcd.conf
# ssl no
uri ldaps://ldap.xxyd.com/
ssl on
tls_cacertfile /etc/openldap/cacerts/cacert.pem

service nslcd restart

# test from the client that the SSL connection works
# yum -y install openldap-clients
# ldapwhoami -v -x -Z
ldap_initialize( <DEFAULT> )
ldap_start_tls: Operations error (1)
        additional info: TLS already started
anonymous
Result: Success (0)

# verify an LDAP user's password
# ldapwhoami -D "uid=test01,ou=People,dc=xxyd,dc=com" -W -H ldaps://ldap.xxyd.com -v
ldap_initialize( ldaps://ldap.xxyd.com:636/??base )
Enter LDAP Password:
dn:uid=test01,ou=People,dc=xxyd,dc=com
Result: Success (0)

# run getent on the client to check that account information can be retrieved
# getent passwd test01
test01:x:1001:1001:test01:/home/test01:/bin/bash
```
sudo privilege control
```shell
cp /usr/share/doc/sudo-1.8.6p7/schema.OpenLDAP /etc/openldap/schema/sudo.schema
vi /etc/openldap/slapd.conf
include /etc/openldap/schema/sudo.schema
rm -rf /etc/openldap/slapd.d/*
slaptest -u
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
chown -R ldap.ldap /etc/openldap/slapd.d/
service slapd restart

# add sudo entries according to your actual needs
# cat ~/sudoers.ldif
dn: ou=sudoers,dc=xxyd,dc=com
objectClass: top
objectClass: organizationalUnit
ou: sudoers

dn: cn=defaults,ou=sudoers,dc=xxyd,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: requiretty
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset
sudoOption: env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
sudoOption: env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
sudoOption: env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
sudoOption: env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
sudoOption: env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
sudoOption: secure_path = /sbin:/bin:/usr/sbin:/usr/bin
sudoOrder: 1

dn: cn=%apps,ou=sudoers,dc=xxyd,dc=com
objectClass: top
objectClass: sudoRole
cn: %apps
sudoUser: %apps
sudoHost: ALL
sudoRunAsUser: %apps
sudoCommand: /bin/kill
sudoCommand: /usr/bin/nohup
sudoCommand: /usr/bin/vi
sudoCommand: /bin/cp
sudoCommand: /bin/mv
sudoCommand: /bin/ln
sudoCommand: /bin/mkdir
sudoOption: !authenticate
sudoOrder: 2

dn: cn=%www-data,ou=sudoers,dc=xxyd,dc=com
objectClass: top
objectClass: sudoRole
cn: %www-data
sudoUser: %www-data
sudoHost: ALL
sudoRunAsUser: %www-data
sudoCommand: /bin/kill
sudoCommand: /usr/bin/nohup
sudoCommand: /usr/bin/vi
sudoCommand: /bin/cp
sudoCommand: /bin/mv
sudoCommand: /bin/ln
sudoCommand: /bin/mkdir
sudoCommand: /usr/bin/rsync
sudoOption: !authenticate
sudoOrder: 3

# ldapadd -x -D "cn=admin,dc=xxyd,dc=com" -W -f ~/sudoers.ldif
Enter LDAP Password:
adding new entry "ou=sudoers,dc=xxyd,dc=com"
adding new entry "cn=defaults,ou=sudoers,dc=xxyd,dc=com"
adding new entry "cn=%apps,ou=sudoers,dc=xxyd,dc=com"
adding new entry "cn=%www-data,ou=sudoers,dc=xxyd,dc=com"

## add a supplementary group for user test01
# cat add_apps.ldif
dn: cn=apps,ou=Group,dc=xxyd,dc=com
objectClass: posixGroup
objectClass: top
cn: apps
userPassword: {crypt}x
gidNumber: 1500
memberUid: test01

dn: uid=apps,ou=People,dc=xxyd,dc=com
uid: apps
cn: apps
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1500
gidNumber: 1500
homeDirectory: /home/apps

# ldapadd -x -D "cn=admin,dc=xxyd,dc=com" -W -f add_apps.ldif
Enter LDAP Password:
adding new entry "cn=apps,ou=Group,dc=xxyd,dc=com"
adding new entry "uid=apps,ou=People,dc=xxyd,dc=com"
```
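To make the mapping between sudoRole attributes and ordinary sudoers syntax explicit, here is an added Python example (not part of the original post, and not sudo's own code). It parses LDIF like the sudoers.ldif above and renders each role as the equivalent sudoers line, which is what the sudo -l checks later in this post report. The sample LDIF is constructed from the entries above, shortened, with %www-data listed before %apps so that the sudoOrder sort is visible.

```python
from typing import Dict, List

# Constructed sample modelled on the sudoers.ldif above (shortened; %www-data
# placed before %apps so the sudoOrder sort is visible).
SUDOERS_LDIF = """\
dn: cn=defaults,ou=sudoers,dc=xxyd,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
sudoOption: requiretty
sudoOption: env_reset
sudoOption: secure_path = /sbin:/bin:/usr/sbin:/usr/bin
sudoOrder: 1

dn: cn=%www-data,ou=sudoers,dc=xxyd,dc=com
objectClass: top
objectClass: sudoRole
cn: %www-data
sudoUser: %www-data
sudoHost: ALL
sudoRunAsUser: %www-data
sudoCommand: /bin/kill
sudoCommand: /usr/bin/rsync
sudoOption: !authenticate
sudoOrder: 3

dn: cn=%apps,ou=sudoers,dc=xxyd,dc=com
objectClass: top
objectClass: sudoRole
cn: %apps
sudoUser: %apps
sudoHost: ALL
sudoRunAsUser: %apps
sudoCommand: /bin/kill
sudoCommand: /usr/bin/nohup
sudoCommand: /usr/bin/vi
sudoCommand: /bin/cp
sudoCommand: /bin/mv
sudoCommand: /bin/ln
sudoCommand: /bin/mkdir
sudoOption: !authenticate
sudoOrder: 2
"""

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: unfolds continuation lines and splits entries on blank lines.
    Each entry maps attribute name -> list of values ('dn' is a one-item list).
    Base64 values ('attr:: ...') are not decoded; the sudo schema values are plain text."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:  # RFC 2849 line folding
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries: List[Entry] = []
    current: Entry = {}
    for line in unfolded:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")  # first colon only: values may contain ':'
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def render_sudoers(entries: List[Entry]) -> List[str]:
    """Render sudoRole entries as equivalent sudoers lines, ordered by sudoOrder."""
    roles = [e for e in entries if "sudoRole" in e.get("objectClass", [])]
    roles.sort(key=lambda e: int(e.get("sudoOrder", ["0"])[0]))
    lines: List[str] = []
    for role in roles:
        options = role.get("sudoOption", [])
        if role["cn"][0] == "defaults":  # cn=defaults carries the global Defaults
            lines.append("Defaults " + ", ".join(options))
            continue
        tag = "NOPASSWD: " if "!authenticate" in options else ""  # what sudo -l shows
        runas = ", ".join(role.get("sudoRunAsUser", ["root"]))  # sudo's runas_default
        commands = ", ".join(role.get("sudoCommand", []))
        for user in role.get("sudoUser", []):
            for host in role.get("sudoHost", ["ALL"]):
                lines.append(f"{user} {host}=({runas}) {tag}{commands}")
    return lines


if __name__ == "__main__":
    for line in render_sudoers(parse_ldif(SUDOERS_LDIF)):
        print(line)
```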
Clients
CentOS client
```shell
authconfig --enableldap --enableldapauth --enablemkhomedir --enableforcelegacy --disablesssd --disablesssdauth --disableldaptls --enablelocauthorize --ldapserver=ldap.xxyd.com --ldapbasedn="dc=xxyd,dc=com" --enableshadow --update

vi /etc/nsswitch.conf
sudoers: ldap files

vi /etc/sudo-ldap.conf
uri ldaps://ldap.xxyd.com/
base dc=xxyd,dc=com
SUDOERS_BASE ou=sudoers,dc=xxyd,dc=com

vi /etc/pam_ldap.conf
uri ldaps://ldap.xxyd.com/

service nslcd restart
```
Ubuntu client
```shell
# export SUDO_FORCE_REMOVE=yes
# apt-get install sudo-ldap
# ls -lh /etc/sudo-ldap.conf
lrwxrwxrwx 1 root root 14 Apr 28 01:22 /etc/sudo-ldap.conf -> ldap/ldap.conf
# vi /etc/ldap/ldap.conf
SUDOERS_BASE ou=sudoers,dc=xxyd,dc=com
# echo "sudoers: ldap files" >> /etc/nsswitch.conf
# service nscd restart

# test
# su - test01
$ sudo -l
匹配此主機上 test01 的默認條目:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path = /sbin:/bin:/usr/sbin:/usr/bin, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

用戶 test01 能夠在該主機上運行如下命令:
    (%apps) NOPASSWD: /bin/kill, /usr/bin/nohup, /usr/bin/vi, /bin/cp, /bin/mv, /bin/ln, /bin/mkdir
```
Note: some command paths differ between Ubuntu and CentOS, vi for example.
Password policy
```shell
vi /etc/openldap/slapd.conf
include /etc/openldap/schema/ppolicy.schema
moduleload ppolicy.la
overlay ppolicy
# password hashing algorithm; without this line passwords are stored in cleartext
password-hash {SSHA}
# cleartext passwords passed in Add and Modify operations must be hashed before they are stored
ppolicy_hash_cleartext
ppolicy_use_lockout
# default password control policy
ppolicy_default "cn=default,ou=policies,dc=xxyd,dc=com"

rm -rf /etc/openldap/slapd.d/*
# slaptest -u
config file testing succeeded
# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
config file testing succeeded
chown -R ldap.ldap /etc/openldap/slapd.d/
service slapd restart

# reference: /root/openldap-2.4.44/servers/slapd/schema/ppolicy.ldif
# define the default password policy
# cat policy.ldif
dn: ou=policies, dc=xxyd,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Policies

dn: cn=default, ou=policies, dc=xxyd,dc=com
objectClass: top
objectClass: person
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdLockoutDuration: 15
pwdInHistory: 6
pwdCheckQuality: 2
pwdExpireWarning: 1296000
pwdMaxAge: 15552000
pwdMinLength: 8
pwdGraceAuthNLimit: 3
pwdAllowUserChange: TRUE
pwdMustChange: TRUE
pwdMaxFailure: 3
pwdFailureCountInterval: 86400
pwdSafeModify: TRUE
pwdLockout: TRUE
sn: dummy value
```
Password policy attribute notes:
pwdLockout: whether account lockout is enabled, i.e. whether the account is locked once the number of invalid password attempts defined by pwdMaxFailure is reached
pwdMaxFailure: the maximum number of consecutive failed password attempts allowed; beyond it the account is locked
pwdLockoutDuration: how long (in seconds) the account stays locked; the default of 0 means the account cannot be accessed until an administrator resets it
pwdInHistory: the number of passwords kept in the password history list
pwdCheckQuality: password quality checking; 0 = no check, 1 = check when possible, 2 = always check and reject passwords that cannot be checked
pwdExpireWarning: how long before expiry (in seconds) a password expiry warning is sent
pwdMaxAge: password validity period, in seconds
pwdMinLength: minimum password length
pwdGraceAuthNLimit: the number of grace logins allowed after the password has expired
pwdAllowUserChange: whether users may change their own password
pwdMustChange: whether a user must change the password after an administrator has reset the account following a lockout
pwdFailureCountInterval: the time (in seconds) after which the failure count is reset
pwdSafeModify: whether the user must send the current password during a password change operation
```shell
# ldapadd -x -D "cn=admin,dc=xxyd,dc=com" -W -f policy.ldif
Enter LDAP Password:
adding new entry "ou=policies, dc=xxyd, dc=com"
adding new entry "cn=default, ou=policies, dc=xxyd, dc=com"

# make a user follow the specified password policy
# cat test02.ldif
dn: cn=test02,ou=Group,dc=xxyd,dc=com
objectClass: posixGroup
objectClass: top
cn: test02
userPassword: {crypt}x
gidNumber: 1002

dn: uid=test02,ou=People,dc=xxyd,dc=com
uid: test02
cn: test02
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$6$Yu95/zTK$g/nCoExrQwlf80a8Gc0VxMNzkJWa7icUVinFWwEjPBad/KhCNDs81hUVCYA7vV/dJdw7.zSBu2Yz.F0gVJH0a/
shadowLastChange: 17638
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1002
gidNumber: 1002
homeDirectory: /home/test02
pwdPolicySubentry: cn=default,ou=policies,dc=xxyd,dc=com
```
Requiring users to change their password at login
To strengthen password security, users are normally required to change their initial password.
There are two ways: the user changes it with the passwd command after logging in, or the user is prompted to change the initial password at login and cannot log in otherwise.
The second is preferred.
For the password control policy to enforce this, the pwdReset attribute and value must be added to the user's entry; otherwise it does not take effect.
```shell
# cat << EOF | ldapadd -x -D "cn=admin,dc=xxyd,dc=com" -W
dn: uid=test02,ou=People,dc=xxyd,dc=com
changetype: modify
replace: pwdReset
pwdReset: TRUE
EOF

# view the policy information for the user
# pwdReset is an operational (hidden) attribute; ldapsearch does not return such attributes by default, "+" requests them
# ldapsearch -x -LLL uid=test02 +
dn: uid=test02,ou=People,dc=xxyd,dc=com
pwdPolicySubentry: cn=default,ou=policies,dc=xxyd,dc=com
structuralObjectClass: account
entryUUID: 0fc49c74-dd83-1037-8006-65040a056c63
creatorsName: cn=admin,dc=xxyd,dc=com
createTimestamp: 20180426095056Z
pwdChangedTime: 20180426095747Z
pwdHistory: 20180426095747Z#1.3.6.1.4.1.1466.115.121.1.40#105#{crypt}$6$Yu95/z
 TK$g/nCoExrQwlf80a8Gc0VxMNzkJWa7icUVinFWwEjPBad/KhCNDs81hUVCYA7vV/dJdw7.zSBu2
 Yz.F0gVJH0a/
pwdReset: TRUE
entryCSN: 20180426095747.741644Z#000000#000#000000
modifiersName: uid=test02,ou=People,dc=xxyd,dc=com
modifyTimestamp: 20180426095747Z
entryDN: uid=test02,ou=People,dc=xxyd,dc=com
subschemaSubentry: cn=Subschema
hasSubordinates: FALSE
```
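Added example (not code from the original post): a small Python model of how the ppolicy overlay applies the numbers in cn=default above, using the GeneralizedTime form that the ldapsearch output shows for pwdChangedTime (20180426095747Z). It computes the expiry and warning windows from pwdMaxAge and pwdExpireWarning, grace binds from pwdGraceAuthNLimit, the pwdReset case, and the lockout state from pwdMaxFailure, pwdFailureCountInterval and pwdLockoutDuration. The "now" values and bind-failure timestamps fed to it are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


def parse_generalized_time(value: str) -> datetime:
    """Parse the LDAP GeneralizedTime form slapd writes, e.g. 20180426095747Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class PwdPolicy:
    """The numeric fields of cn=default,ou=policies above (seconds or counts)."""
    pwdMaxAge: int = 15552000          # 180 days; 0 would mean "never expires"
    pwdExpireWarning: int = 1296000    # 15 days
    pwdGraceAuthNLimit: int = 3
    pwdMaxFailure: int = 3
    pwdFailureCountInterval: int = 86400
    pwdLockoutDuration: int = 15       # 0 would mean "locked until an admin resets it"


def expiry_time(policy: PwdPolicy, pwd_changed_time: str) -> datetime:
    return parse_generalized_time(pwd_changed_time) + timedelta(seconds=policy.pwdMaxAge)


def password_status(policy: PwdPolicy, pwd_changed_time: str, now: datetime,
                    pwd_reset: bool = False, grace_used: int = 0) -> Tuple[str, int]:
    """Return (state, number): 'must_change' when pwdReset is TRUE, 'never_expires',
    'ok' / 'warning' with seconds left until expiry, or 'expired' with grace binds left."""
    if pwd_reset:
        return "must_change", 0
    if policy.pwdMaxAge == 0:
        return "never_expires", 0
    expires = expiry_time(policy, pwd_changed_time)
    if now >= expires:
        return "expired", max(policy.pwdGraceAuthNLimit - grace_used, 0)
    remaining = int((expires - now).total_seconds())
    if remaining <= policy.pwdExpireWarning:
        return "warning", remaining
    return "ok", remaining


def is_locked_out(policy: PwdPolicy, pwd_failure_times: List[str],
                  pwd_account_locked_time: Optional[str], now: datetime) -> bool:
    """Lockout as ppolicy evaluates it: an existing pwdAccountLockedTime holds for
    pwdLockoutDuration seconds (indefinitely if 0); otherwise the account locks once
    the failures inside the last pwdFailureCountInterval seconds reach pwdMaxFailure."""
    if pwd_account_locked_time is not None:
        locked_at = parse_generalized_time(pwd_account_locked_time)
        if policy.pwdLockoutDuration == 0:
            return True
        return now < locked_at + timedelta(seconds=policy.pwdLockoutDuration)
    window = timedelta(seconds=policy.pwdFailureCountInterval)
    recent = [t for t in pwd_failure_times if now - parse_generalized_time(t) <= window]
    return len(recent) >= policy.pwdMaxFailure


if __name__ == "__main__":
    policy = PwdPolicy()
    changed = "20180426095747Z"  # pwdChangedTime from the ldapsearch output above
    for when in ("20180601000000Z", "20181010000000Z", "20181101000000Z"):  # constructed
        print(when, password_status(policy, changed, parse_generalized_time(when)))
    # three constructed bind failures within one minute -> locked for 15 seconds
    failures = ["20180427100000Z", "20180427100100Z", "20180427100200Z"]
    print(is_locked_out(policy, failures, None, parse_generalized_time("20180427100205Z")))
```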
Client configuration
CentOS client
```shell
vi /etc/pam_ldap.conf
bind_policy soft
pam_password md5
pam_lookup_policy yes
pam_password clear_remove_old
service nslcd restart

# ssh test02@10.1.101.116
test02@10.1.101.116's password:
You are required to change your LDAP password immediately.
Creating directory '/home/test02'.
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user test02.
Enter login(LDAP) password:
New password:
Retype new password:
LDAP password information changed for test02
passwd: all authentication tokens updated successfully.
```
Ubuntu client
```shell
vi /etc/pam_ldap.conf
bind_policy soft
pam_password md5
pam_lookup_policy yes
pam_password clear_remove_old
service nscd restart
```
Password audit control
```shell
# cat << EOF | ldapadd -Y EXTERNAL -H ldapi:///
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: {1}auditlog

dn: olcOverlay=auditlog,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcAuditLogConfig
olcOverlay: auditlog
olcAuditlogFile: /var/log/slapd/auditlog.log
EOF
mkdir /var/log/slapd
chown -R ldap.ldap /var/log/slapd
service slapd restart
```
Note that this change lives only in cn=config (slapd.d). The other sections of this post rebuild slapd.d from slapd.conf with rm -rf, which discards it, so if you keep that workflow add the equivalent auditlog module and overlay lines to slapd.conf as well.
Logging
```shell
vi /etc/openldap/slapd.conf
loglevel 0x80 0x1
logfile /var/log/slapd/slapd.log

rm -rf /etc/openldap/slapd.d/*
slaptest -u
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
chown -R ldap.ldap /etc/openldap/slapd.d/
service slapd restart
mkdir /var/log/slapd/
chown -R ldap.ldap /var/log/slapd/

# vi /etc/logrotate.d/ldap
/var/log/slapd/slapd.log {
    prerotate
        /usr/bin/chattr -a /var/log/slapd/slapd.log
    endscript
    compress
    delaycompress
    notifempty
    rotate 100
    size 10M
    postrotate
        /usr/bin/chattr +a /var/log/slapd/slapd.log
    endscript
}

vi /etc/rsyslog.conf
local4.* /var/log/slapd/slapd.log
service rsyslog restart
```
ssh public key
Server
```shell
yum -y install openssh-ldap
cp /usr/share/doc/openssh-ldap-7.4p1/openssh-lpk-openldap.schema /etc/openldap/schema/
# the schema must be included, as in the other sections, or the ldapPublicKey object class is unknown to slapd
vi /etc/openldap/slapd.conf
include /etc/openldap/schema/openssh-lpk-openldap.schema
rm -rf /etc/openldap/slapd.d/*
slaptest -u
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
chown -R ldap.ldap /etc/openldap/slapd.d/
service slapd restart

# add a test account
# cat test03.ldif
dn: cn=test03,ou=Group,dc=xxyd,dc=com
objectClass: posixGroup
objectClass: top
cn: test03
userPassword: {crypt}x
gidNumber: 1003

dn: uid=test03,ou=People,dc=xxyd,dc=com
uid: test03
cn: test03
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: ldapPublicKey
userPassword: {crypt}$6$Yu95/zTK$g/nCoExrQwlf80a8Gc0VxMNzkJWa7icUVinFWwEjPBad/KhCNDs81hUVCYA7vV/dJdw7.zSBu2Yz.F0gVJH0a/
shadowLastChange: 17638
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1003
gidNumber: 1003
homeDirectory: /home/test03
pwdPolicySubentry: cn=default,ou=policies,dc=xxyd,dc=com
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIBZpJc0dfiPsHlfPNEJBUqhCGZX2wGabxklz09ptnriLoCh9AeYj39suHPptTZDAGiOn8JxrdYK4SubEby9WdQ/t2kVE60Bytw+Jyc2YjEhVb1iJinMd1sdck7O3YBDJoCt0WTf7USAQE7e1oH54kDCPQcPozid7AjbrF2mzxnFpQ== rsa-key-20101209

# ldapadd -x -D "cn=admin,dc=xxyd,dc=com" -W -f test03.ldif
Enter LDAP Password:
adding new entry "cn=test03,ou=Group,dc=xxyd,dc=com"
adding new entry "uid=test03,ou=People,dc=xxyd,dc=com"
```
Clients
CentOS client
```shell
yum -y install openssh-ldap

# vi /etc/ssh/ldap.conf
URI ldaps://ldap.xxyd.com/
BASE dc=xxyd,dc=com
ssl on

# vi /etc/ssh/sshd_config
AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper
AuthorizedKeysCommandRunAs nobody

# vi /usr/libexec/openssh/ssh-ldap-wrapper
#!/bin/bash
# get configuration from /etc/ldap.conf
for x in $(sed -n 's/^\([a-zA-Z_]*\) \(.*\)$/\1="\2"/p' /etc/ldap.conf); do
    eval $x
done
# local users listed in nss_initgroups_ignoreusers are not looked up in LDAP
# (the loop compares each listed name with the requested user; exiting
#  unconditionally on the first iteration would skip LDAP for everyone)
USER=$1
for user in $(echo "$nss_initgroups_ignoreusers" | sed 's/,/ /g'); do
    if [ "$user" = "$USER" ]; then
        exit
    fi
done
exec /usr/libexec/openssh/ssh-ldap-helper -s "$1"

# service sshd restart
# grep test03 /var/log/secure
Apr 27 15:15:37 new sshd[31926]: Accepted publickey for test03 from xx.xx.xx.xx port 6658 ssh2
Apr 27 15:15:37 new sshd[31926]: pam_unix(sshd:session): session opened for user test03 by (uid=0)
```
Ubuntu client
# Upgrade OpenSSH (version 6.2 or above)
## Set up a telnet server
# apt-get install openbsd-inetd telnetd
# vi /etc/inetd.conf
telnet stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.telnetd
# vi /etc/securetty
# Telnet
pts/0
pts/1
pts/2
# Restrict telnet logins by IP: only the specified (trusted) IP range may log in
# vi /etc/hosts.deny
in.telnetd:ALL EXCEPT 192.168.0.0/24
service openbsd-inetd restart
# Log in to the server over telnet to upgrade the OpenSSH version
telnet x.x.x.x
cp /etc/init.d/ssh /root/ssh.old
cp -r /etc/ssh /root/
cp /etc/pam.d/sshd /root/
grep sshd /etc/passwd | head -1 | awk -F: '{print $1,$3,$4,$6,$7}' > /root/ssh_user
# Remove the old OpenSSH version. Confirm that telnet login works before removing it; the steps below are carried out in the telnet session
apt-get -y purge openssh-client openssh-server
apt-get -y install zlib1g-dev libssl-dev libpam0g-dev make
## Install openssh 7.2
wget https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/openssh-7.2p2.tar.gz
useradd -u `awk '{print $2}' /root/ssh_user` -g `awk '{print $3}' /root/ssh_user` -d `awk '{print $4}' /root/ssh_user` -s `awk '{print $5}' /root/ssh_user` sshd
tar zxvf openssh-7.2p2.tar.gz
cd openssh-7.2p2/
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-zlib --with-md5-passwords --with-pam --with-tcp-wrappers
make && make install
# ssh -V
OpenSSH_7.2p2, OpenSSL 1.0.1 14 Mar 2012
# cat > /etc/ssh/sshd_config << EOF
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 1024
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PasswordAuthentication yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
AuthorizedKeysCommand /etc/ssh/ldap-keys.sh
AuthorizedKeysCommandUser nobody
EOF
# cat > /etc/ssh/ssh_config <<EOF
Host *
SendEnv LANG LC_*
HashKnownHosts yes
#GSSAPIAuthentication yes
#GSSAPIDelegateCredentials no
EOF
### This 7.2 build does not support the GSSAPI options; with them enabled ssh reports:
/etc/ssh/ssh_config line 4: Unsupported option "gssapiauthentication"
/etc/ssh/ssh_config line 5: Unsupported option "gssapidelegatecredentials"
###
cat > /etc/pam.d/sshd << EOF
@include common-auth
account required pam_nologin.so
@include common-account
@include common-session
session optional pam_motd.so # [1]
session optional pam_mail.so standard noenv # [1]
session required pam_limits.so
session required pam_env.so # [1]
session required pam_env.so user_readenv=1 envfile=/etc/default/locale
@include common-password
EOF
apt-get -y install ldap-utils
vi /etc/ssh/ldap-keys.sh
#!/bin/bash
# get configuration from /etc/ldap.conf
for x in $(sed -n 's/^\([a-zA-Z_]*\) \(.*\)$/\1="\2"/p' /etc/ldap.conf); do
    eval $x
done
# local users are not looked up in ldap
for USER in `echo $nss_initgroups_ignoreusers|sed 's/,/ /g'`; do
    if [ $USER == $1 ]; then
        exit
    fi
done
OPTIONS=
case "$ssl" in
    start_tls)
        case "$tls_checkpeer" in
            no) OPTIONS+="-Z";;
            *)  OPTIONS+="-ZZ";;
        esac;;
esac
# ldap user: search ldap for sshPublicKey
ldapsearch $OPTIONS -H ${uri} -w "${bindpw}" -D "${binddn}" -b "${base}" '(&(objectClass=posixAccount)(uid='"$1"'))' 'sshPublicKey' \
    | sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp'

chmod +x /etc/ssh/ldap-keys.sh
# Restore the old ssh init script
cp /root/ssh.old /etc/init.d/ssh
# service ssh start
# Start at boot
update-rc.d ssh defaults
# After the ssh upgrade is complete, remove the telnet service and restore the configuration
apt-get purge openbsd-inetd telnetd
sed -i '/Telnet/d' /etc/securetty
sed -i '/pts\//d' /etc/securetty
sed -i '/in.telnetd/d' /etc/hosts.deny
References:
https://www.linuxidc.com/Linux/2011-10/45739.htm
https://marc.waeckerlin.org/computer/blog/ssh_and_ldap
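The ldap-keys.sh above reads /etc/ldap.conf with eval and unfolds the returned LDIF with a sed one-liner, which is why the article later warns that stray spaces in that file break the script. The following is an added example, not the article's script nor code from OpenSSH or OpenLDAP: the same AuthorizedKeysCommand lookup with both fragile parts rewritten so they can be checked on constructed input. The config path, the login name test02, the bind DN and the sample keys are assumptions.

```shell
#!/bin/sh
# Added example, not the article's ldap-keys.sh: the two fragile parts of an
# AuthorizedKeysCommand helper rewritten so they can be tested offline.
#   read_ldap_conf KEY FILE   reads one value from an /etc/ldap.conf-style
#       file without eval, so stray whitespace or shell metacharacters in a
#       value can never be executed (the eval loop in the article is why extra
#       separators there break the script).
#   extract_ssh_keys          reads LDIF on stdin, unfolds continuation lines
#       (LDIF wraps long values onto following lines that begin with a single
#       space) and prints each sshPublicKey value on its own line.
#   ldap_authorized_keys      wires both into the lookup sshd performs; it is
#       the only part that needs a directory and is not exercised offline.
# The config file and LDIF used for checking are constructed samples.

read_ldap_conf() {
    # $1 = key, $2 = file. Key match is case-insensitive, comments are skipped,
    # the value is the rest of the line with surrounding blanks trimmed.
    awk -v key="$1" '
        $0 !~ /^[[:space:]]*#/ && tolower($1) == tolower(key) {
            if (NF < 2) exit
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")
            sub(/[[:space:]]+$/, "")
            print
            exit
        }' "$2"
}

extract_ssh_keys() {
    # Join folded lines, then print the value of every "sshPublicKey: " line.
    # Base64-encoded values ("sshPublicKey:: ...") are deliberately skipped:
    # OpenSSH keys are plain ASCII, so an encoded one is malformed data.
    awk '
        function emit(line) {
            if (line ~ /^sshPublicKey: /) print substr(line, 15)
        }
        /^ /  { buf = buf substr($0, 2); next }
              { if (buf != "") emit(buf); buf = $0 }
        END   { if (buf != "") emit(buf) }'
}

ldap_authorized_keys() {
    # $1 = login name passed by sshd, $2 = path to ldap.conf.
    # Only plain POSIX login names are accepted, so the name cannot carry
    # LDAP filter metacharacters such as * ( ) \ into the search.
    case "$1" in
        "" | *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    uri=$(read_ldap_conf uri "$2")
    base=$(read_ldap_conf base "$2")
    binddn=$(read_ldap_conf binddn "$2")
    bindpw=$(read_ldap_conf bindpw "$2")
    ldapsearch -x -LLL -H "$uri" -D "$binddn" -w "$bindpw" -b "$base" \
        "(&(objectClass=posixAccount)(uid=$1))" sshPublicKey | extract_ssh_keys
}
```

sshd runs the command as AuthorizedKeysCommandUser (nobody in the sshd_config above), so /etc/ldap.conf including its bindpw must be readable by that account; give the bind DN read-only access to sshPublicKey, or pass the password with ldapsearch's -y file option instead of -w so it does not show up in process listings.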
Host access control policy
http://ju.outofmemory.cn/entry/146609
Server side
# vi /etc/openldap/schema/ldapns.schema
# $ # : ldapns.schema,v 1.3 2009-10-01 19:17:20 tedcheng Exp $
# LDAP Name Service Additional Schema
# http://www.iana.org/assignments/gssapi-service-names
#
# Not part of the distribution: this is a workaround!
#
attributetype ( 1.3.6.1.4.1.5322.17.2.1 NAME 'authorizedService'
    DESC 'IANA GSS-API authorized service name'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
attributetype ( 1.3.6.1.4.1.5322.17.2.2 NAME 'loginStatus'
    DESC 'Currently logged in sessions for a user'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    ORDERING caseIgnoreOrderingMatch
    SYNTAX OMsDirectoryString )
objectclass ( 1.3.6.1.4.1.5322.17.1.1 NAME 'authorizedServiceObject'
    DESC 'Auxiliary object class for adding authorizedService attribute'
    SUP top AUXILIARY
    MAY authorizedService )
objectclass ( 1.3.6.1.4.1.5322.17.1.2 NAME 'hostObject'
    DESC 'Auxiliary object class for adding host attribute'
    SUP top AUXILIARY
    MAY host )
objectclass ( 1.3.6.1.4.1.5322.17.1.3 NAME 'loginStatusObject'
    DESC 'Auxiliary object class for login status attribute'
    SUP top AUXILIARY
    MAY loginStatus )
# vi /etc/openldap/slapd.conf
include /etc/openldap/schema/ldapns.schema
rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
chown -R ldap.ldap /etc/openldap/slapd.d/
service slapd restart
cat <<EOF | ldapadd -x -D cn=admin,dc=xxyd,dc=com -W -H ldap://ldap.xxyd.com/
dn: ou=APP,ou=People,dc=xxyd,dc=com
ou: APP
objectClass: top
objectClass: organizationalUnit
EOF
cat <<EOF | ldapadd -x -D cn=admin,dc=xxyd,dc=com -W -H ldap://ldap.xxyd.com/
dn: ou=DB,ou=People,dc=xxyd,dc=com
ou: DB
objectClass: top
objectClass: organizationalUnit
EOF
Layout:
ou=APP: root of the accounts of application operations staff;
ou=DB: root of the accounts of database administrators
Ubuntu client
# echo "pam_check_host_attr yes" >> /etc/pam_ldap.conf
# vi /etc/ldap.conf
nss_base_passwd ou=APP,ou=People,dc=xxyd,dc=com
nss_base_shadow ou=APP,ou=People,dc=xxyd,dc=com
nss_base_group ou=APP,ou=People,dc=xxyd,dc=com
## Note: application servers use ou=APP,ou=People,dc=xxyd,dc=com
## database servers use ou=DB,ou=People,dc=xxyd,dc=com
## servers that both application and database staff log in to use ou=People,dc=xxyd,dc=com
## Make sure /etc/ldap.conf contains no extra whitespace separators; otherwise the ldap-keys.sh script reports a syntax error
# service nscd restart
CentOS client
Test: application operations staff can only log in to application servers, and database administrators can only log in to database servers
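As an added illustration (not from the article) of what `pam_check_host_attr yes` enforces once the hostObject class from ldapns.schema above is in use: pam_ldap reads the user's host attribute and denies the login unless one value matches the local machine, and a user with no host values at all is denied. The block builds the ldapmodify record that grants a user a set of hosts and reproduces the allow/deny decision on an LDIF entry. The matching rule (case-insensitive exact hostname or `*`) is my reading of pam_ldap's documented behaviour, to be confirmed against pam_ldap(5) for the installed version; the user DN and hostnames are constructed.

```shell
#!/bin/sh
# Added example, not from the article: the per-host policy that
# "pam_check_host_attr yes" switches on. pam_ldap then reads the user's host
# attribute (ldapns.schema above adds it through the hostObject auxiliary
# class) and refuses the login unless one value matches this machine.
#   host_ldif DN HOST...   builds the ldapmodify input that grants a user a
#       list of hosts (adds hostObject, replaces the host values).
#   host_allowed HOSTNAME  reads one LDIF entry on stdin and exits 0 when a
#       host value equals HOSTNAME (case-insensitive) or is "*", else 1.
# The matching rule is an assumption modelled on pam_ldap's documented
# behaviour; confirm against pam_ldap(5) for the installed version. The user
# DN and hostnames used below are constructed samples.

host_ldif() {
    dn=$1; shift
    printf 'dn: %s\nchangetype: modify\n' "$dn"
    # Adding an objectClass that is already present makes ldapmodify fail
    # with "Type or value exists"; drop the next three lines for such entries.
    printf 'add: objectClass\nobjectClass: hostObject\n'
    printf '%s\n' -
    printf 'replace: host\n'
    for h in "$@"; do
        printf 'host: %s\n' "$h"
    done
    printf '%s\n\n' -
}

host_allowed() {
    awk -v me="$1" '
        BEGIN { me = tolower(me); ok = 0 }
        /^host: / {
            v = tolower(substr($0, 7))
            sub(/[[:space:]]+$/, "", v)
            if (v == me || v == "*") ok = 1
        }
        END { exit ok ? 0 : 1 }'
}
```

Apply a grant with `host_ldif 'uid=test02,ou=APP,ou=People,dc=xxyd,dc=com' app01.xxyd.com app02.xxyd.com | ldapmodify -x -D cn=admin,dc=xxyd,dc=com -W -H ldap://ldap.xxyd.com/`; the host attribute then restricts the account per machine on top of the per-OU split made with nss_base_passwd above, so a user moved into the wrong OU still cannot log in anywhere the attribute does not name.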
Data synchronization
Master-slave replication
Replication policy configuration on the master
Edit the OpenLDAP main configuration file
vi /etc/openldap/slapd.conf
moduleload syncprov.la
index entryCSN,entryUUID eq
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
Regenerate the configuration database (slapd.d) so the changes take effect
service slapd stop
rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
chown -R ldap.ldap /etc/openldap/slapd.d/
service slapd restart
ss -lnp | grep slapd
Slave server configuration
Edit the OpenLDAP main configuration file
vi /etc/openldap/slapd.conf
moduleload syncprov.la
index entryCSN,entryUUID eq
syncrepl rid=002
    provider=ldap://10.1.31.128:389/
    type=refreshOnly
    retry="60 10 600 +"
    interval=00:00:00:10
    searchbase="dc=xxyd,dc=com"
    scope=sub
    schemachecking=off
    bindmethod=simple
    binddn="cn=admin,dc=xxyd,dc=com"
    attrs="*,+"
    credentials=PASSWD
# Refer updates to the master
updatedn "cn=admin,dc=xxyd,dc=com"
updateref ldap://10.1.31.243
Regenerate the configuration database (slapd.d) so the changes take effect
service slapd stop
rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
chown -R ldap.ldap /etc/openldap/slapd.d/
service slapd restart
ss -lnp | grep slapd
Importing data entries
Export the entries on the master:
ldapsearch -x -b 'dc=xxyd,dc=com' > ldapbackup.ldif
Transfer the backup to the slave and import it
ldapadd -x -D "cn=admin,dc=xxyd,dc=com" -W -f ldapbackup.ldif
Compare whether the entry counts on master and slave match
ldapsearch -x -LLL | wc -l
Regenerate the configuration database (slapd.d) so the changes take effect
service slapd stop
rm -rf /etc/ldap/slapd.d/*
slaptest -f /etc/ldap/slapd.conf -F /etc/ldap/slapd.d/
chown -R openldap.openldap /etc/ldap/slapd.d/
service slapd restart
ss -lnp | grep slapd
Verifying master-slave replication
Add entries on the master
ldapadd -x -D "cn=admin,dc=xxyd,dc=com" -W -f group.test02.ldif
ldapadd -x -D "cn=admin,dc=xxyd,dc=com" -W -f passwd.test02.ldif
Check whether the newly added entries exist on the slave
ldapsearch -x -LLL uid=test02
View the replication log
/var/log/syslog
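Counting output lines, as above, cannot distinguish a consumer that is one entry behind from one that is in sync. The following added check (example code, not from the article) compares the contextCSN of the suffix entry and the set of entryUUIDs in two LDIF dumps, which is the state syncrepl itself tracks; the provider and consumer addresses are the ones used in the configuration above, and the dump contents at the bottom are constructed.

```shell
#!/bin/sh
# Added example, not from the article: a replication check that is stronger
# than comparing `ldapsearch -x -LLL | wc -l`. Equal line counts only show
# the dumps have the same size; syncrepl records its progress in the
# contextCSN operational attribute of the suffix entry and identifies every
# entry by entryUUID, so those are what a consumer must agree on.
# Dump each server with the same search, e.g.
#   ldapsearch -x -LLL -H ldap://10.1.31.128 -b dc=xxyd,dc=com entryUUID contextCSN > provider.ldif
#   ldapsearch -x -LLL -H ldap://10.1.31.243 -b dc=xxyd,dc=com entryUUID contextCSN > consumer.ldif
# (operational attributes are returned only when named explicitly), then run
# replica_in_sync provider.ldif consumer.ldif. The two dumps defined at the
# bottom are constructed samples showing a consumer that has not caught up.

# contextCSN values of the suffix entry, sorted (a multi-master setup has one
# value per serverID, which is why more than one line can appear).
context_csn() {
    awk '/^contextCSN: / { print substr($0, 13) }' "$@" | sort
}

# "entryUUID dn" for every entry, sorted so entry order does not matter.
entry_set() {
    awk '
        /^dn: /        { dn = substr($0, 5) }
        /^entryUUID: / { print substr($0, 12), dn }' "$@" | sort
}

# replica_in_sync PROVIDER.ldif CONSUMER.ldif
# Exit 0 when both contextCSN and the entryUUID set match; otherwise report
# what differs and exit 1.
replica_in_sync() {
    ok=1
    if [ "$(context_csn "$1")" != "$(context_csn "$2")" ]; then
        echo "contextCSN differs:"
        echo "  provider: $(context_csn "$1")"
        echo "  consumer: $(context_csn "$2")"
        ok=0
    fi
    pa=$(mktemp); ca=$(mktemp)
    entry_set "$1" > "$pa"
    entry_set "$2" > "$ca"
    if ! cmp -s "$pa" "$ca"; then
        echo "entries only on provider:"; comm -23 "$pa" "$ca"
        echo "entries only on consumer:"; comm -13 "$pa" "$ca"
        ok=0
    fi
    rm -f "$pa" "$ca"
    [ "$ok" -eq 1 ]
}

# Constructed sample dumps: the consumer has an older contextCSN and is
# missing the uid=test02 entry added on the master.
PROVIDER_DUMP='dn: dc=xxyd,dc=com
entryUUID: 6f2a1c3e-0000-4000-8000-000000000001
contextCSN: 20180601120000.123456Z#000000#000#000000

dn: ou=APP,ou=People,dc=xxyd,dc=com
entryUUID: 6f2a1c3e-0000-4000-8000-000000000002

dn: uid=test02,ou=APP,ou=People,dc=xxyd,dc=com
entryUUID: 6f2a1c3e-0000-4000-8000-000000000003
'
CONSUMER_DUMP='dn: dc=xxyd,dc=com
entryUUID: 6f2a1c3e-0000-4000-8000-000000000001
contextCSN: 20180601115000.000000Z#000000#000#000000

dn: ou=APP,ou=People,dc=xxyd,dc=com
entryUUID: 6f2a1c3e-0000-4000-8000-000000000002
'
```

With the refreshOnly consumer above (interval=00:00:00:10) a lag of up to ten seconds is normal; a contextCSN that stays behind across several intervals, together with entries present only on the provider, points at a failing sync session, and /var/log/syslog on the consumer will then usually show a bind failure (wrong binddn or credentials) or the retry loop from the retry= setting.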
Multi-master replication (N-Way Multimaster)
Server replication policy configuration
In multi-master mode all servers use the same configuration; only the IP/domain name needs to be changed
Edit the OpenLDAP configuration file
# vi /etc/openldap/slapd.conf
moduleload syncprov.la
index entryUUID,entryCSN eq
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
serverID 1 ldaps://ldap01.xxyd.com
serverID 2 ldaps://ldap02.xxyd.com
syncrepl rid=001
    provider=ldaps://ldap01.xxyd.com
    binddn="cn=admin,dc=xxyd,dc=com"
    bindmethod=simple
    credentials=PASSWD
    searchbase="dc=xxyd,dc=com"
    type=refreshAndPersist
    retry="5 5 300 5"
    timeout=1
syncrepl rid=002
    provider=ldaps://ldap02.xxyd.com
    binddn="cn=admin,dc=xxyd,dc=com"
    bindmethod=simple
    credentials=PASSWD
    searchbase="dc=xxyd,dc=com"
    type=refreshAndPersist
    retry="5 5 300 5"
    timeout=1
mirrormode TRUE
## Fill in this host's own listen address
# vi /etc/sysconfig/slapd
SLAPD_URLS="ldapi:/// ldaps://ldap01.xxyd.com"
rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
chown -R ldap.ldap /etc/openldap/slapd.d
systemctl restart slapd
Replication test
Add or delete an entry on one master; if it is immediately replicated to the other master, the test has succeeded.
High availability
Option 1
Clients connect to two OpenLDAP servers (master-slave, master-master or multi-master mode)
When the first server is unavailable, clients automatically connect to the second
vi /etc/ldap.conf
uri ldaps://ldap01.xxyd.com ldaps://ldap02.xxyd.com
Restart the service
service nscd restart
Option 2
Two OpenLDAP servers in master-slave or master-master mode
Combined with keepalived, a VIP provides failover
Clients connect by domain name: uri ldaps://ldap.xxyd.com, with ldap.xxyd.com resolving to the VIP
Self-service password change
https://www.ilanni.com/?p=13822
Data backup
ldapsearch -x -b 'dc=xxyd,dc=com' > backupldap_$(date +%Y%m%d-%H%M).ldif
References:
http://chuansong.me/n/317694151860
https://blog.csdn.net/m1213642578/article/details/52578360
http://www.zytrax.com/books/ldap/ch6/ppolicy.html
http://blog.163.com/excellent_2008/blog/static/30760156201392362414238/
https://serverfault.com/questions/653792/ssh-key-authentication-using-ldap
http://briteming.blogspot.com/2017/11/setting-up-openldap-server-with-openssh.html
https://www.cnblogs.com/moonson/archive/2008/11/20/1337775.html