LDAP + Kerberos integration

Part 1: LDAP

1. Install LDAP

yum install -y openldap openldap-clients openldap-servers openldap-devel



2. Configure LDAP

# cat /etc/openldap/slapd.conf 
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/kerberos.schema

pidfile     /var/run/openldap/slapd.pid
argsfile    /var/run/openldap/slapd.args

loglevel 135
idletimeout 5
writetimeout 5

access to attrs=userPassword
    by self read
    by dn.exact="cn=ops,ou=Control,dc=lishen,dc=com" write
    by anonymous auth

access to dn.subtree="cn=Kerberos,dc=lishen,dc=com"
    by dn.exact="cn=kdc-adm,ou=Control,dc=lishen,dc=com" write
    by dn.exact="cn=kdc-srv,ou=Control,dc=lishen,dc=com" read
    by * none

access to dn.base=""
    by * read

access to *
    by self write
    by dn.base="cn=ops,ou=Control,dc=lishen,dc=com" write
    by users read
    by anonymous read

#TLSCipherSuite        HIGH:MEDIUM:-SSLv2
#TLSVerifyClient       never
TLSCertificateFile    /etc/openldap/certs/server.pem
TLSCertificateKeyFile /etc/openldap/certs/server.pem
TLSCACertificateFile  /etc/openldap/certs/server.pem

#######################################################################
# BDB database definitions
#######################################################################
database    hdb
suffix      "dc=lishen,dc=com"
checkpoint  32    30
rootdn      "cn=root,ou=Control,dc=lishen,dc=com"
rootpw      {SSHA}ifM5X6pQS2eO8hODguTPmjRLFyCnVWvP
directory   /var/lib/ldap/
dbconfig    set_cachesize  0 268435456 1
dbconfig    set_lg_regionmax 262144
dbconfig    set_lg_bsize 2097152
index       objectClass,entryCSN,entryUUID eq
index       uid,uidNumber,gidNumber eq,pres
index       ou,krbPrincipalName eq,pres,sub


Notes:
1. The password after rootpw was generated with: slappasswd -s 123456
2. The certificate was generated with: openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout server.pem -days 36500
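How slapd would resolve the access rules above for the identities in this setup, as an added example (not from the original post): it uses a deliberately simplified first-match model of slapd's ACL semantics, covering only the target and subject forms that this slapd.conf uses.

```python
# Added example, not from the original post: a simplified model of how slapd
# applies the ACLs in the slapd.conf above: the FIRST "access to" clause whose
# target matches the entry/attribute wins, then the FIRST "by" clause matching
# the requester (bound DN, or None for anonymous); no match at all means none.
ACL_TEXT = """access to attrs=userPassword
    by self read
    by dn.exact="cn=ops,ou=Control,dc=lishen,dc=com" write
    by anonymous auth
access to dn.subtree="cn=Kerberos,dc=lishen,dc=com"
    by dn.exact="cn=kdc-adm,ou=Control,dc=lishen,dc=com" write
    by dn.exact="cn=kdc-srv,ou=Control,dc=lishen,dc=com" read
    by * none
access to *
    by self write
    by dn.base="cn=ops,ou=Control,dc=lishen,dc=com" write
    by users read
    by anonymous read
"""  # constructed copy of the slapd.conf rules; only these forms are modelled
ACLS = []  # [(target, [(who, level), ...]), ...] in file order
for _line in (raw.strip() for raw in ACL_TEXT.splitlines()):
    if _line.startswith("access to "):
        ACLS.append((_line[10:], []))
    elif _line.startswith("by "):
        ACLS[-1][1].append(tuple(_line.split()[1:3]))

def target_matches(what, dn, attr):
    if what == "*":
        return True
    if what.startswith("attrs="):  # attribute-level rule
        return attr.lower() in what[6:].lower().split(",")
    base = what.split('"')[1].lower()  # dn.subtree="..."
    return dn.lower() == base or dn.lower().endswith("," + base)

def subject_matches(who, requester, dn):
    if requester is None:  # anonymous bind: only "*" and "anonymous" apply
        return who in ("*", "anonymous")
    if who in ("*", "users") or (who == "self" and requester.lower() == dn.lower()):
        return True
    return (who.startswith(("dn.exact=", "dn.base="))
            and requester.lower() == who.split('"')[1].lower())

def effective_access(requester, dn, attr):
    for what, clauses in ACLS:
        if target_matches(what, dn, attr):
            for who, level in clauses:
                if subject_matches(who, requester, dn):
                    return level
            return "none"  # target matched but no 'by' clause applied
    return "none"
```

The ordering is what keeps the cn=Kerberos subtree away from the "by users read" of the catch-all rule: the subtree rule matches first and ends with "by * none".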


3. Start the OpenLDAP service (slapd)

service slapd restart


4. Test: the database is empty at this point

slapcat
ldapsearch -x -D 'cn=root,ou=Control,dc=lishen,dc=com' -w 123456 -h 127.0.0.1 -b 'dc=lishen,dc=com'


5. Initialize the database
Prepare the LDIF file:


cat init.ldif 
dn: dc=lishen,dc=com
dc: lishen
objectClass: domain
objectClass: dcObject

dn: ou=Group,dc=lishen,dc=com
ou: Group
objectClass: organizationalUnit

dn: ou=Aliases,dc=lishen,dc=com
ou: Aliases
objectClass: organizationalUnit

dn: ou=People,dc=lishen,dc=com
ou: People
objectClass: organizationalUnit

dn: cn=Kerberos,dc=lishen,dc=com
cn: Kerberos
objectClass: organizationalRole

dn: ou=Control,dc=lishen,dc=com
ou: Control
objectClass: organizationalUnit

dn: cn=kdc-srv,ou=Control,dc=lishen,dc=com
cn: kdc-srv
userPassword:: e1NTSEF9cUNhclpCYXN1SWhGRExkQ1o4bUxTbkMyZXg3bXQ2UTMK
objectClass: simpleSecurityObject
objectClass: organizationalRole

dn: cn=kdc-adm,ou=Control,dc=lishen,dc=com
cn: kdc-adm
userPassword:: e1NTSEF9cUNhclpCYXN1SWhGRExkQ1o4bUxTbkMyZXg3bXQ2UTMK
objectClass: simpleSecurityObject
objectClass: organizationalRole

dn: cn=root,ou=Control,dc=lishen,dc=com
cn: root
userPassword:: e1NTSEF9cUNhclpCYXN1SWhGRExkQ1o4bUxTbkMyZXg3bXQ2UTMK
objectClass: simpleSecurityObject
objectClass: organizationalRole

dn: cn=demo_users,ou=Group,dc=lishen,dc=com
cn: demo_users
gidNumber: 20000
objectClass: posixGroup

dn: uid=test,ou=People,dc=lishen,dc=com
uid: test
uidNumber: 10000
gidNumber: 20000
sn: Test
cn: Test User
loginShell: /bin/bash
homeDirectory: /home/users/test
objectClass: person
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson



Note: the userPassword values in the file were generated with: slappasswd -s 123456 | base64

Import the data: ldapadd -x -D 'cn=root,ou=Control,dc=lishen,dc=com' -w 123456 -h 127.0.0.1 -f init.ldif

Verify that the import succeeded: ldapsearch -x -D 'cn=root,ou=Control,dc=lishen,dc=com' -w 123456 -h 127.0.0.1 -b 'dc=lishen,dc=com'
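What slappasswd and the base64 step above actually produce, as an added example (not from the original post): building and checking {SSHA} values, and wrapping them in the double-colon userPassword:: form that init.ldif uses. Function names are my own.

```python
import base64
import hashlib
import hmac
import os

# Added example, not from the original post: build and check OpenLDAP {SSHA}
# values like `slappasswd -s <password>` does, and wrap them for the
# `userPassword::` (base64-valued) lines used in init.ldif and add.ldif above.

def make_ssha(password, salt=b""):
    """{SSHA} = base64(sha1(password + salt) + salt); slappasswd uses a
    random 4-byte salt, which is the default here too."""
    salt = salt or os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def verify_ssha(password, stored):
    """Check a password against a stored {SSHA} value (rootpw/userPassword).
    The salt is whatever follows the 20-byte SHA-1 digest."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[6:])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

def ldif_password_line(ssha):
    """LDIF line for a base64-encoded value. The double colon matters: with a
    single `userPassword:` the base64 text itself is stored as the password,
    so a bind with the real password can never succeed."""
    return "userPassword:: " + base64.b64encode(ssha.encode("ascii")).decode("ascii")

def decode_ldif_password_line(line):
    """Recover the {SSHA} value from a `userPassword::` line. A value produced
    by `slappasswd -s pw | base64` also carries slappasswd's trailing newline
    (slappasswd -n omits it); it is stripped here."""
    prefix = "userPassword:: "
    if not line.startswith(prefix):
        raise ValueError("expected a base64-valued userPassword line")
    return base64.b64decode(line[len(prefix):]).decode("ascii").rstrip("\n")
```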

6. Remove the rootdn password from the config file, since the LDIF file already sets a password for that entry
Comment out the line rootpw      {SSHA}J/6iFFDlPhucaupBEI9V//gkIFTZBNrr in slapd.conf
Restart slapd: service slapd restart
Test that the password still works: ldapsearch -x -D 'cn=root,ou=Control,dc=lishen,dc=com' -w 123456 -h 127.0.0.1 -b 'dc=lishen,dc=com'

7. To use LDAP for user authentication, all that is needed is to add a userPassword attribute to the user (uid=test)
Prepare the LDIF file:

cat add.ldif
dn: uid=test,ou=People,dc=lishen,dc=com
changetype: modify
add: userPassword
userPassword:: e1NTSEF9Ym0rZXloV1ExalB1aWNEVU1BaHlNM0hZVHh3REIrWU4K

Run: ldapmodify -x -D 'cn=root,ou=Control,dc=lishen,dc=com' -w 123456 -h 127.0.0.1 -f add.ldif

To change a password, an example LDIF looks like this:


# cat /tmp/change.ldif 
# entries in this setup live under dc=lishen,dc=com; base64 values need "::"
dn: cn=kdc-adm,ou=Control,dc=lishen,dc=com
changetype: modify
replace: userPassword
userPassword:: e1NTSEF9aGc5OGh0OGVlbiszaGk3OFhkRVlWc0MzNWJ2SWRCcG8K

dn: cn=kdc-srv,ou=Control,dc=lishen,dc=com
changetype: modify
replace: userPassword
userPassword:: e1NTSEF9aGc5OGh0OGVlbiszaGk3OFhkRVlWc0MzNWJ2SWRCcG8K


Run: ldapmodify -x -D 'cn=root,ou=Control,dc=lishen,dc=com' -w 123456 -h 127.0.0.1 -f /tmp/change.ldif


Part 2: Kerberos

1. Install Kerberos

yum install krb5-server krb5-libs


2. Configure Kerberos

cat /etc/krb5.conf 
[libdefaults]
    debug = false
    default_realm = LISHEN.COM

[realms]
    LISHEN.COM = {
        kdc = 127.0.0.1
        admin_server = 127.0.0.1
        default_domain = lishen.com
        database_module = openldap_ldapconf
        key_stash_file = /etc/krb5.LISHEN.COM
        max_life = 1d 0h 0m 0s
        max_renewable_life = 90d 0h 0m 0s
        dict_file = /usr/share/dict/words
    }

[domain_realm]
    .lishen.com = LISHEN.COM
     lishen.com = LISHEN.COM

[logging]
    default = SYSLOG
    admin_server = FILE:/var/log/kadmind.log
    kdc = FILE:/var/log/kdc.log

[dbdefaults]
    ldap_kerberos_container_dn = cn=Kerberos,dc=lishen,dc=com

[dbmodules]
    openldap_ldapconf = {
        db_library = kldap
        ldap_servers = ldapi://
        ldap_kerberos_container_dn = cn=Kerberos,dc=lishen,dc=com
        ldap_kdc_dn = cn=kdc-srv,ou=Control,dc=lishen,dc=com
        ldap_kadmind_dn = cn=kdc-adm,ou=Control,dc=lishen,dc=com
        ldap_service_password_file = /etc/krb5.ldap
        ldap_conns_per_server = 5

    }

Note: ldap_kerberos_container_dn must start with a 'cn'.

4. Generate the service password file used for accessing LDAP

kdb5_ldap_util -D cn=root,ou=Control,dc=lishen,dc=com  -w 123456 stashsrvpw -f /etc/krb5.ldap  cn=kdc-srv,ou=Control,dc=lishen,dc=com
kdb5_ldap_util -D cn=root,ou=Control,dc=lishen,dc=com  -w 123456 stashsrvpw -f /etc/krb5.ldap  cn=kdc-adm,ou=Control,dc=lishen,dc=com


5. Create the Kerberos database

kdb5_ldap_util -D cn=root,ou=Control,dc=lishen,dc=com -H ldap://  create  -r LISHEN.COM


6. Start Kerberos

service krb5kdc restart


7. Test: add a user

# kadmin.local 
Authenticating as principal root/admin@LISHEN.COM with password.
kadmin.local:  addprinc test
WARNING: no policy specified for test@LISHEN.COM; defaulting to no policy
Enter password for principal "test@LISHEN.COM": 
Re-enter password for principal "test@LISHEN.COM": 
Principal "test@LISHEN.COM" created.

#slapcat |grep "test"
dn: uid=test,ou=People,dc=lishen,dc=com
uid: test
homeDirectory: /home/users/test
dn: krbPrincipalName=test@LISHEN.COM,cn=LISHEN.COM,cn=Kerberos,dc=lishen,dc=co
krbPrincipalName: test@LISHEN.COM


The user was added successfully.

Test obtaining credentials:

# kinit test
Password for test@LISHEN.COM: 
# klist 
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: test@LISHEN.COM

Valid starting       Expires              Service principal
10/16/2016 02:11:55  10/17/2016 02:11:55  krbtgt/LISHEN.COM@LISHEN.COM



References:
1. http://blog.clanzx.net/2013/09/27/ldap-kerberos.html
2. http://web.mit.edu/KERBEROS/krb5-1.12/doc/admin/conf_ldap.html
3. http://docs.adaptivecomputing.com/viewpoint/hpc/Content/topics/1-setup/installSetup/settingUpOpenLDAPOnCentos6.htm
4. http://secfree.github.io/blog/2015/06/29/kerberos-ldap-deploy.html#kdc--kadmin--dn--acl
5. http://ian.wang/69.htm
6. https://help.ubuntu.com/lts/serverguide/kerberos-ldap.html#kerberos-ldap-openldap
LDAP client tool: http://directory.apache.org/studio/
