NIS:
NIS (Network Information Service) is a network service that provides centralised management of system information such as host accounts. A user who logs in to any NIS client is authenticated by the NIS server, so user accounts can be managed in one place.
1. First install the packages NIS needs
[root@teach ~]# yum install ypserv
Loaded plugins: product-id, refresh-packagekit, security, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package ypserv.x86_64 0:2.19-31.el6 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
=============================================================================================================================
Package Arch Version Repository Size
=============================================================================================================================
Installing:
ypserv x86_64 2.19-31.el6 centos6 131 k
Transaction Summary
=============================================================================================================================
Install 1 Package(s)
Total download size: 131 k
Installed size: 319 k
Is this ok [y/N]: y
Downloading Packages:
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : ypserv-2.19-31.el6.x86_64 1/1
Verifying : ypserv-2.19-31.el6.x86_64 1/1
Installed:
ypserv.x86_64 0:2.19-31.el6
Complete!
2. Set the NIS domain name. Note that writing the setting with a shell redirection also works, or you can edit the /etc/sysconfig/network file directly with vim
[root@teach ~]# cat /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=teach
NISDOMAIN=teach
3. Write the domain name into the /etc/rc.d/rc.local file
/bin/nisdomainname teach
4. Set up name resolution
/etc/hosts records the mapping between host names and IP addresses. Without DNS, the NIS server's hosts file needs an entry for every NIS client.
192.168.242.128 my-test1
172.16.10.1 salt
172.16.10.1 teach
5. Edit the /etc/ypserv.conf configuration file with vim; this is mainly where client access to the NIS server is controlled
vim /etc/ypserv.conf
The most important part of the ypserv.conf main configuration file is the restriction of which clients or slave servers may query it.
The format is:
Host : Domain : Map : Security
Host: the client, given either as a specific IP address or as a network range
Domain: the NIS domain name. This has nothing to do with the DNS domain name; the two are separate systems. Within one NIS domain, clients can query user names and passwords from the NIS server, and slave NIS servers can synchronise the database contents from the master server
Map: the database (map) that may be queried; "*" stands for all maps
Security: the security setting; the main values are none, port and deny.
none: no restriction, the client may connect to the NIS server.
port: only connections from ports below 1024 are allowed to the NIS server.
deny: connections to the NIS server are refused.
The usual approach is to allow every internal client to connect to the NIS server and deny all other clients.
ypserv.conf is interpreted line by line, so the order of the rules matters
127.0.0.1/255.0.0.0 :* :* :none
192.168.1.0/255.255.255.0 :* :* :none
* :* :* :deny
[root@teach ~]# vim /etc/ypserv.conf
127.0.0.1/255.0.0.0:*:*:none
192.168.242.0/255.255.255.0:*:*:none
[root@teach ~]# /etc/init.d/ypserv start
Setting NIS domain name teach: [ OK ]
Starting YP server services: [ OK ]
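The rule order and the catch-all deny line matter more than they look: the template above ends with "* :* :* :deny", while the two lines actually written to /etc/ypserv.conf on teach do not, so under the applied configuration any host that can reach the server is accepted. The following added example (my own code, not from the page or from ypserv) evaluates a client request against a rule list the way the page describes, first match wins; the rule syntax follows the page's description, and it assumes that a request matching no rule is allowed, which is what makes the trailing deny line necessary:

```python
import ipaddress

# Constructed copy of the template from the page: ends with a catch-all deny line
TEMPLATE_RULES = """\
127.0.0.1/255.0.0.0 :* :* :none
192.168.1.0/255.255.255.0 :* :* :none
* :* :* :deny
"""

# Constructed copy of the two rules actually written to /etc/ypserv.conf on teach:
# no catch-all deny line
APPLIED_RULES = """\
127.0.0.1/255.0.0.0:*:*:none
192.168.242.0/255.255.255.0:*:*:none
"""

VALID_SECURITY = ("none", "port", "deny")


def parse_rules(text):
    """Parse host:domain:map:security lines; comments and lines that are not
    four-field access rules (e.g. option lines like "dns: no") are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) != 4:
            continue
        host, domain, ypmap, security = fields
        if security not in VALID_SECURITY:
            raise ValueError(f"unknown security value in rule: {raw!r}")
        rules.append((host, domain, ypmap, security))
    return rules


def host_matches(pattern, client_ip):
    """Host field: '*', a single address, or address/netmask."""
    if pattern == "*":
        return True
    ip = ipaddress.ip_address(client_ip)
    if "/" in pattern:
        addr, mask = pattern.split("/", 1)
        return ip in ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return ip == ipaddress.ip_address(pattern)


def evaluate(rules, client_ip, domain, ypmap, source_port):
    """Return 'allow' or 'deny' for one request. The first matching rule decides,
    which is why the order of the lines matters."""
    for host, dom, m, security in rules:
        if not host_matches(host, client_ip):
            continue
        if dom != "*" and dom != domain:
            continue
        if m != "*" and m != ypmap:
            continue
        if security == "none":
            return "allow"
        if security == "port":
            # the page's description of 'port': only source ports below 1024 may connect
            return "allow" if source_port < 1024 else "deny"
        return "deny"
    # Assumption: a request that matches no rule is allowed; this is the reason
    # the template ends with a catch-all deny line
    return "allow"


def compare_configs(client_ip, ypmap="passwd.byname", domain="teach", source_port=40000):
    """Decision for the same request under the template and under the applied config."""
    return (
        evaluate(parse_rules(TEMPLATE_RULES), client_ip, domain, ypmap, source_port),
        evaluate(parse_rules(APPLIED_RULES), client_ip, domain, ypmap, source_port),
    )


if __name__ == "__main__":
    for ip in ("127.0.0.1", "192.168.242.128", "10.9.8.7"):
        print(ip, compare_configs(ip))
```

Running it shows 10.9.8.7 denied by the template but allowed by the applied configuration, which is the difference the missing last line makes.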
6. Build the NIS database with /usr/lib/yp/ypinit -m (on x86_64 the path is /usr/lib64/yp/ypinit, as in the command below)
[root@teach ~]# /usr/lib64/yp/ypinit -m
At this point, we have to construct a list of the hosts which will run NIS
servers. teach is in the list of NIS server hosts. Please continue to add
the names for the other hosts, one per line. When you are done with the
list, type a <control D>.
next host to add: teach
next host to add:
next host to add:
The current list of NIS servers looks like this:
teach
Is this correct? [y/n: y] y
We need a few minutes to build the databases...
Building /var/yp/teach/ypservers...
Running /var/yp/Makefile...
gmake[1]: Entering directory `/var/yp/teach'
Updating passwd.byname...
Updating passwd.byuid...
Updating group.byname...
Updating group.bygid...
Updating hosts.byname...
Updating hosts.byaddr...
Updating rpc.byname...
Updating rpc.bynumber...
Updating services.byname...
Updating services.byservicename...
Updating netid.byname...
Updating protocols.bynumber...
Updating protocols.byname...
Updating mail.aliases...
gmake[1]: Leaving directory `/var/yp/teach'
teach has been set up as a NIS master server.
Now you can run ypinit -s teach on all slave server.
[root@teach ~]# useradd yys1
[root@teach ~]# useradd yys2
7. Restart these three services
[root@teach ~]# /etc/init.d/ypserv restart
Stopping YP server services: [ OK ]
Starting YP server services: [ OK ]
# yppasswdd is the service that lets clients change their own passwords
[root@teach ~]# /etc/init.d/yppasswdd restart
Stopping YP passwd service: [FAILED]
Starting YP passwd service: [ OK ]
[root@teach ~]# /etc/init.d/yppasswdd restart
Stopping YP passwd service: [ OK ]
Starting YP passwd service: [ OK ]
[root@teach ~]# passwd yys1
Changing password for user yys1.
New password:
BAD PASSWORD: it is too simplistic/systematic
BAD PASSWORD: is too simple
Retype new password:
Sorry, passwords do not match.
New password:
BAD PASSWORD: it is too simplistic/systematic
BAD PASSWORD: is too simple
Retype new password:
passwd: all authentication tokens updated successfully.
[root@teach ~]# passwd yys2
Changing password for user yys2.
New password:
BAD PASSWORD: it is too simplistic/systematic
BAD PASSWORD: is too simple
Retype new password:
passwd: all authentication tokens updated successfully.
8. Create the trusted group
The /etc/netgroup file can be used to define the clients the NIS server trusts
[root@teach yp]# touch /etc/netgroup
[root@teach yp]# ll /etc/netgroup
-rw-r--r--. 1 root root 0 Sep 9 14:54 /etc/netgroup
9. Client
[root@client01 ~]# yum install ypbind yp-tools
[root@client01 ~]# nisdomainname teach
[root@client01 ~]# vim /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=client01
NISDOMAIN=teach
[root@client01 ~]# vim /etc/rc.local
/bin/nisdomainname teach
[root@client01 ~]# vim /etc/hosts
172.16.10.1 nis
[root@client01 ~]# vim /etc/yp.conf
domain teach server nis
[root@client01 ~]# vim /etc/nsswitch.conf
passwd: files nis
shadow: files nis
group: files nis
#hosts: db files nisplus nis dns
hosts: files nis dns
automount: files nis
netgroup: files nis
[root@client01 ~]# /etc/init.d/rpcbind restart
Stopping rpcbind service: [ OK ]
Starting rpcbind service: [ OK ]
[root@client01 ~]# /etc/init.d/ypbind restart
Stopping NIS service: [ OK ]
Starting NIS service: [ OK ]
ypwhich shows the name of the NIS server
[root@client01 ~]# ypwhich
nis
ypwhich -x shows which map files (databases) the NIS client uses when talking to the server
[root@client01 ~]# ypwhich -x
Use "ethers" for map "ethers.byname"
Use "aliases" for map "mail.aliases"
Use "services" for map "services.byname"
Use "protocols" for map "protocols.bynumber"
Use "hosts" for map "hosts.byname"
Use "networks" for map "networks.byaddr"
Use "group" for map "group.byname"
Use "passwd" for map "passwd.byname"
ypcat
The ypcat command shows the user account and password information on the NIS server, and can also show which hosts are recorded in the NIS server's /etc/hosts file
ypcat hosts: show the host records from the NIS server's /etc/hosts file
[root@client01 ~]# ypcat hosts
172.16.10.1 salt
192.168.242.128 my-test1
172.16.10.1 teach
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
ypcat passwd: show the account and password information on the NIS server
[root@client01 ~]# ypcat passwd
salt:!!:501:501::/home/salt:/bin/bash
yys1:$6$BYlFSaUy$O1QfCL2vs08fjw9CwjqpbMHy0hYZUj1MafJnBgBnuJGpstu3EYPzAfKeUo1rK4zhQNVnjCc6yBK9uWdcAYIVt0:502:502::/home/yys1:/bin/bash
eddy:!!:500:500::/home/eddy:/bin/bash
yys2:$6$Acd.0uc9$5lICHuW6O.vdwNz5cem9bRvwAQm/vouG5tX48cexjIvUHYTVw8R5Jow6YkVbc1qfTWF7yzfxXSHtMwzjjCRR9.:503:503::/home/yys2:/bin/bash
test1:$6$M.CukPhT$tX8fmebBu0FelqylkLxYJwxopUNQygWCnUuN21yeHlHNyWEhPoYBHWBcjT7FAZ78OzhqKXFGpynQTigqER40t1:504:504::/home/test1:/bin/bash
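ypcat passwd above hands every account's full crypt hash to any client the server accepts, which is the weakness the NIS section closes with. The following added example (my own code, not from the page) parses passwd-map lines in that format and reports which accounts expose a hash and which crypt algorithm the hash uses; the sample is constructed and its hash bodies are placeholders, not the values shown above:

```python
# Constructed sample in the format of the ypcat passwd output above; the hash
# bodies are placeholders, not the real values from the page
SAMPLE_MAP = """\
salt:!!:501:501::/home/salt:/bin/bash
yys1:$6$BYlFSaUy$PLACEHOLDERHASH:502:502::/home/yys1:/bin/bash
eddy:!!:500:500::/home/eddy:/bin/bash
legacy:ab01234567890:506:506::/home/legacy:/bin/bash
svc:x:507:507::/var/lib/svc:/sbin/nologin
broken line without fields
"""

# crypt(3) identifiers, taken from the "$id$" prefix of modular crypt hashes
CRYPT_IDS = {
    "1": "md5crypt",
    "2a": "bcrypt",
    "2b": "bcrypt",
    "2y": "bcrypt",
    "5": "sha256crypt",
    "6": "sha512crypt",
    "y": "yescrypt",
}


def classify_password_field(field):
    """Describe what the second field of a passwd-map entry gives away."""
    if field in ("!!", "!", "*"):
        return "locked"
    if field == "x":
        return "shadowed"      # hash lives elsewhere; nothing exposed here
    if field == "":
        return "empty"         # no password at all
    if field.startswith("$"):
        parts = field.split("$")
        return "exposed:" + CRYPT_IDS.get(parts[1], "unknown")
    if len(field) == 13:
        return "exposed:descrypt"   # traditional 13-character DES crypt
    return "exposed:unknown"


def audit_passwd_map(text):
    """Return one finding per line: user, uid and password-field status."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append({"user": line, "uid": None, "status": "malformed"})
            continue
        user, pw, uid, _gid, _gecos, _home, _shell = fields
        findings.append({"user": user, "uid": int(uid),
                         "status": classify_password_field(pw)})
    return findings


def exposed_accounts(text):
    """Users whose hash is readable by every permitted NIS client."""
    return [f["user"] for f in audit_passwd_map(text)
            if f["status"].startswith("exposed")]


def summary(text):
    """Count findings by status so a report can be compared between runs."""
    counts = {}
    for f in audit_passwd_map(text):
        counts[f["status"]] = counts.get(f["status"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit_passwd_map(SAMPLE_MAP):
        print(f"{f['user']:<16} uid={f['uid']}  {f['status']}")
    print(summary(SAMPLE_MAP))
```

Feed it the real output of ypcat passwd on a client and the exposed list is exactly what every host inside the allowed network can read.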
10. Verify
[root@teach ~]# ssh yys1@192.168.242.128
yys1@192.168.242.128's password:
Last login: Fri Sep 9 15:13:02 2016
Could not chdir to home directory /home/yys1: No such file or directory
-bash-4.1$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
saslauth:x:499:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
To have a home directory, the server has to export /home over NFS and the client mounts it automatically with autofs
vim /etc/auto.master
/- /etc/auto.nis
vim /etc/auto.nis
/home -fstype=nfs 192.168.1.201:/home
11. Notes
11.1 Once everything has started normally you can test with yptest. If the output runs through to Test 9: yp_all with only one error, namely Test 3: yp_match
WARNING: No such key in map (Map passwd.byname, key nobody), you can ignore it: everything is fine and NIS is ready to use. From now on, create a user on the server and set its password, and that user can log in on the client
11.2 After creating a user, go back to /var/yp and run make to update the database
On the client it makes no difference whether you change a password with passwd or yppasswd: both go through the yppasswdd service and change the password on the NIS server. On the server, however, if you change a password only with passwd, the change does not reach the clients until root runs make in /var/yp to update the database; if you change it on the server with yppasswd, it takes effect on the clients immediately
Best to use yppasswd everywhere
In RHEL 6 the old portmap service has been replaced by rpcbind (the portmap package was renamed rpcbind). If the rpcbind service is restarted, it is best to restart the yp* services too
That is all for NIS. As you can see, this service's security is rather weak:
1. Anyone can find out which users exist on the server
2. The password hashes can be read
3. To use it fully, the server's home directories have to be shared out
NIS is not recommended for production use
LDAP:
Server-side preparation
[root@salt-minion ~]# vim /etc/hosts
192.168.1.200 ldap-server.test.com
192.168.1.201 ldap-client.test.com
[root@salt-minion ~]# /etc/init.d/iptables stop
[root@salt-master ~]# ping ldap-client
PING ldap-client (192.168.1.201) 56(84) bytes of data.
64 bytes from salt-minion (192.168.1.201): icmp_seq=1 ttl=64 time=0.647 ms
64 bytes from salt-minion (192.168.1.201): icmp_seq=2 ttl=64 time=0.415 ms
64 bytes from salt-minion (192.168.1.201): icmp_seq=3 ttl=64 time=0.412 ms
^C
--- ldap-client ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2256ms
rtt min/avg/max/mdev = 0.412/0.491/0.647/0.111 ms
[root@salt-master ~]# ping ldap-server
PING ldap-server (192.168.1.200) 56(84) bytes of data.
64 bytes from salt-master (192.168.1.200): icmp_seq=1 ttl=64 time=0.036 ms
64 bytes from salt-master (192.168.1.200): icmp_seq=2 ttl=64 time=0.044 ms
64 bytes from salt-master (192.168.1.200): icmp_seq=3 ttl=64 time=0.043 ms
Configure the yum repositories
[root@salt-master ~]# vim /etc/yum.repos.d/iso.repo
[epel]
name=epel
baseurl=http://mirrors.aliyun.com/epel/6Server/x86_64/
gpgcheck=0
enabled=0
[iso]
name=iso
baseurl=http://mirrors.aliyun.com/centos/6/os/x86_64/
gpgcheck=0
enabled=1
Install and configure openldap
[root@salt-master ~]# yum install -y openldap openldap-servers openldap-clients
Loaded plugins: fastestmirror
Setting up Install Process
Package openldap-2.4.40-12.el6.x86_64 already installed and latest version
Resolving Dependencies
--> Running transaction check
---> Package openldap-clients.x86_64 0:2.4.40-12.el6 will be installed
---> Package openldap-servers.x86_64 0:2.4.40-12.el6 will be installed
--> Processing Dependency: libltdl.so.7()(64bit) for package: openldap-servers-2.4.40-12.el6.x86_64
--> Running transaction check
---> Package libtool-ltdl.x86_64 0:2.2.6-15.5.el6 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
===========================================================================================================================================================================================
Package Arch Version Repository Size
===========================================================================================================================================================================================
Installing:
openldap-clients x86_64 2.4.40-12.el6 iso 165 k
openldap-servers x86_64 2.4.40-12.el6 iso 2.0 M
Installing for dependencies:
libtool-ltdl x86_64 2.2.6-15.5.el6 iso 44 k
Transaction Summary
===========================================================================================================================================================================================
Install 3 Package(s)
Total download size: 2.2 M
Installed size: 5.1 M
Downloading Packages:
(1/3): openldap-servers-2.4.40-12.el6.x86_64.rpm | 2.0 MB 00:02
(2/3): libtool-ltdl-2.2.6-15.5.el6.x86_64.rpm | 44 kB 00:00
(3/3): openldap-clients-2.4.40-12.el6.x86_64.rpm | 165 kB 00:00
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 835 kB/s | 2.2 MB 00:02
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : libtool-ltdl-2.2.6-15.5.el6.x86_64 1/3
Installing : openldap-servers-2.4.40-12.el6.x86_64 2/3
Installing : openldap-clients-2.4.40-12.el6.x86_64 3/3
Verifying : openldap-servers-2.4.40-12.el6.x86_64 1/3
Verifying : libtool-ltdl-2.2.6-15.5.el6.x86_64 2/3
Verifying : openldap-clients-2.4.40-12.el6.x86_64 3/3
Installed:
openldap-clients.x86_64 0:2.4.40-12.el6 openldap-servers.x86_64 0:2.4.40-12.el6
Dependency Installed:
libtool-ltdl.x86_64 0:2.2.6-15.5.el6
Complete!
[root@salt-master ~]# cd /etc/openldap/
[root@salt-master openldap]# mv slapd.d slapd.d-bak
[root@salt-master openldap]# cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
[root@salt-master openldap]# slappasswd
New password:
Re-enter new password:
{SSHA}TBTcFPv0xSleidqCsaW4Ku22OWEJfFRk
[root@salt-master openldap]# vim /etc/openldap/slapd.conf
database bdb
suffix "dc=ldap,dc=com"
checkpoint 1024 15
rootdn "cn=ldap-server,dc=ldap,dc=com"
rootpw {SSHA}TBTcFPv0xSleidqCsaW4Ku22OWEJfFRk
directory /var/lib/ldap
[root@salt-master openldap]# vim /etc/openldap/ldap.conf
base dc=ldap,dc=com
uri ldap://192.168.1.200
[root@salt-master openldap]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@salt-master openldap]# chown ldap.ldap /var/lib/ldap/DB_CONFIG*
[root@salt-master openldap]# ll /var/lib/ldap/
total 4
-rw-r--r--. 1 ldap ldap 845 Sep 10 13:03 DB_CONFIG
[root@salt-master openldap]# /etc/init.d/slapd start
Starting slapd: [ OK ]
[root@salt-master openldap]#
[root@salt-master openldap]# ldapsearch -x -b "dc=test.com"
# extended LDIF
#
# LDAPv3
# base <dc=test.com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
# numResponses: 1
[root@salt-master openldap]# mkdir /ldaphome
[root@salt-master openldap]# useradd -d /ldaphome/ldapuser1 ldapuser1
[root@salt-master openldap]# useradd -d /ldaphome/ldapuser2 ldapuser2
[root@salt-master openldap]# echo "123456"|passwd --stdin ldapuser1
Changing password for user ldapuser1.
passwd: all authentication tokens updated successfully.
[root@salt-master openldap]# echo "123456"|passwd --stdin ldapuser2
Changing password for user ldapuser2.
passwd: all authentication tokens updated successfully.
[root@salt-master openldap]# ll /ldaphome/
total 8
drwx------. 2 ldapuser1 ldapuser1 4096 Sep 10 13:47 ldapuser1
drwx------. 2 ldapuser2 ldapuser2 4096 Sep 10 13:47 ldapuser2
[root@salt-master openldap]# yum install -y migrationtools
Loaded plugins: fastestmirror
Setting up Install Process
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package migrationtools.noarch 0:47-7.el6 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
===========================================================================================================================================================================================
Package Arch Version Repository Size
===========================================================================================================================================================================================
Installing:
migrationtools noarch 47-7.el6 iso 25 k
Transaction Summary
===========================================================================================================================================================================================
Install 1 Package(s)
Total download size: 25 k
Installed size: 104 k
Downloading Packages:
migrationtools-47-7.el6.noarch.rpm | 25 kB 00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : migrationtools-47-7.el6.noarch 1/1
Verifying : migrationtools-47-7.el6.noarch 1/1
Installed:
migrationtools.noarch 0:47-7.el6
Complete!
[root@salt-master openldap]# cd /usr/share/migrationtools/
[root@salt-master migrationtools]# vim migrate_common.ph
$DEFAULT_MAIL_DOMAIN = "ldap.com";
$DEFAULT_BASE = "dc=ldap,dc=com";
$EXTENDED_SCHEMA = 1;
[root@salt-master migrationtools]# ./migrate_base.pl > base.ldif
[root@salt-master migrationtools]# vim base.ldif
dn: dc=ldap,dc=com
dc: ldap
objectClass: top
objectClass: domain
associatedDomain: ldap.com
dn: ou=Hosts,dc=ldap,dc=com
ou: Hosts
objectClass: top
objectClass: organizationalUnit
associatedDomain: ldap.com
dn: ou=Rpc,dc=ldap,dc=com
ou: Rpc
objectClass: top
objectClass: organizationalUnit
associatedDomain: ldap.com
dn: ou=Services,dc=ldap,dc=com
ou: Services
objectClass: top
objectClass: organizationalUnit
associatedDomain: ldap.com
dn: nisMapName=netgroup.byuser,dc=ldap,dc=com
nismapname: netgroup.byuser
objectClass: top
objectClass: nisMap
associatedDomain: ldap.com
dn: ou=Mounts,dc=ldap,dc=com
ou: Mounts
objectClass: top
objectClass: organizationalUnit
associatedDomain: ldap.com
dn: ou=Networks,dc=ldap,dc=com
ou: Networks
objectClass: top
objectClass: organizationalUnit
associatedDomain: ldap.com
dn: ou=People,dc=ldap,dc=com
ou: People
objectClass: top
associatedDomain: ldap.com
Edit it so that only the following remains
dn: dc=ldap,dc=com
dc: ldap
objectClass: top
objectClass: domain
objectClass: domainRelatedObject
associatedDomain: ldap.com
dn: ou=People,dc=ldap,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: ldap.com
dn: ou=Group,dc=ldap,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: ldap.com
[root@salt-master migrationtools]# cat /etc/passwd|grep ldap > /usr/share/migrationtools/passwd
[root@salt-master migrationtools]# cat /etc/group |grep ldap > /usr/share/migrationtools/group
[root@salt-master migrationtools]# ./migrate_passwd.pl passwd user.ldif
[root@salt-master migrationtools]# vim user.ldif
[root@salt-master migrationtools]# ./migrate_group.pl group group.ldif
[root@salt-master migrationtools]# ldapadd -D "cn=ldap-server,dc=ldap,dc=com" -W -x -f base.ldif
Enter LDAP Password:
adding new entry "dc=ldap,dc=com"
adding new entry "ou=People,dc=ldap,dc=com"
adding new entry "ou=Group,dc=ldap,dc=com"
[root@salt-master migrationtools]# ldapadd -D "cn=ldap-server,dc=ldap,dc=com" -W -x -f user.ldif
Enter LDAP Password:
adding new entry "uid=ldap,ou=People,dc=ldap,dc=com"
adding new entry "uid=ldapuser1,ou=People,dc=ldap,dc=com"
adding new entry "uid=ldapuser2,ou=People,dc=ldap,dc=com"
[root@salt-master migrationtools]# ldapadd -D "cn=ldap-server,dc=ldap,dc=com" -W -x -f group.ldif
Enter LDAP Password:
adding new entry "cn=ldap,ou=Group,dc=ldap,dc=com"
adding new entry "cn=ldapuser1,ou=Group,dc=ldap,dc=com"
adding new entry "cn=ldapuser2,ou=Group,dc=ldap,dc=com"
[root@salt-master migrationtools]# ldapsearch -x -b "dc=ldap,dc=com"
# extended LDIF
#
# LDAPv3
# base <dc=ldap,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# ldap.com
dn: dc=ldap,dc=com
dc: ldap
objectClass: top
objectClass: domain
objectClass: domainRelatedObject
associatedDomain: ldap.com
# People, ldap.com
dn: ou=People,dc=ldap,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: ldap.com
# Group, ldap.com
dn: ou=Group,dc=ldap,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: ldap.com
# ldap, People, ldap.com
dn: uid=ldap,ou=People,dc=ldap,dc=com
uid: ldap
cn: LDAP User
givenName: LDAP
sn: User
mail: ldap@ldap.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSEh
shadowLastChange: 17054
loginShell: /sbin/nologin
uidNumber: 55
gidNumber: 55
homeDirectory: /var/lib/ldap
gecos: LDAP User
# ldapuser1, People, ldap.com
dn: uid=ldapuser1,ou=People,dc=ldap,dc=com
uid: ldapuser1
cn: ldapuser1
sn: ldapuser1
mail: ldapuser1@ldap.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JENwSTE0Mk9uJG1kOS5pRDFlY0lOQjdKN1lnU1hYLkVtcENrTjd
DSjRYVHk5Z3Z3VllhdFZ2UU5aenhQWkxmZElINWJma3dPOUQwanBWNVoyVERVcjlJcUV6ZFhOMngv
shadowLastChange: 17054
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 501
gidNumber: 501
homeDirectory: /ldaphome/ldapuser1
# ldapuser2, People, ldap.com
dn: uid=ldapuser2,ou=People,dc=ldap,dc=com
uid: ldapuser2
cn: ldapuser2
sn: ldapuser2
mail: ldapuser2@ldap.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JGUxdEFVTlNMJE5INTVvcElrZk00eU9zaHpQVkNNdGguLzExVll
UWGV1WUhENUFtVnFrdFJNcm5YRlZKZUxmc1hXOTBPNXNFNUd4U0RXUDhWUFlESkpJSS9sSW05OEQx
shadowLastChange: 17054
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 502
gidNumber: 502
homeDirectory: /ldaphome/ldapuser2
# ldap, Group, ldap.com
dn: cn=ldap,ou=Group,dc=ldap,dc=com
objectClass: posixGroup
objectClass: top
cn: ldap
userPassword:: e2NyeXB0fXg=
gidNumber: 55
# ldapuser1, Group, ldap.com
dn: cn=ldapuser1,ou=Group,dc=ldap,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapuser1
userPassword:: e2NyeXB0fXg=
gidNumber: 501
# ldapuser2, Group, ldap.com
dn: cn=ldapuser2,ou=Group,dc=ldap,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapuser2
userPassword:: e2NyeXB0fXg=
gidNumber: 502
# search result
search: 2
result: 0 Success
# numResponses: 10
# numEntries: 9
The data has been imported into the directory successfully
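Two things in the LDIF above are worth checking mechanically rather than by eye. The ou=People entry as migrate_base.pl generated it lacks objectClass: organizationalUnit, and associatedDomain belongs to the domainRelatedObject object class (cosine schema), which is why the hand-edited base.ldif adds both before ldapadd. And the ldapsearch -x above, run without a bind DN and therefore anonymously, returns every entry's userPassword (base64-encoded with "::" because the value begins with "{crypt}"). The following added example (my own code, not part of the page or of OpenLDAP's tools) parses LDIF, including folded lines and "::" base64 values, and reports both findings; the input is constructed from the entries shown above:

```python
import base64

# Constructed input: the ou=People entry as migrate_base.pl generated it, plus an
# account entry in the form the ldapsearch above returned. "e2NyeXB0fSEh" is the
# base64 of "{crypt}!!" (a locked account).
SAMPLE_LDIF = """\
# generated by migrate_base.pl
dn: dc=ldap,dc=com
dc: ldap
objectClass: top
objectClass: domain
associatedDomain: ldap.com

dn: ou=People,dc=ldap,dc=com
ou: People
objectClass: top
associatedDomain: ldap.com
description: folded-
 value

dn: uid=ldap,ou=People,dc=ldap,dc=com
uid: ldap
objectClass: posixAccount
objectClass: top
userPassword:: e2NyeXB0fSEh
uidNumber: 55
"""

# object class that the entry's RDN attribute implies it must carry
REQUIRED_BY_RDN = {"ou": "organizationalUnit", "dc": "domain"}


def _unfold(text):
    """LDIF folds long values: a line starting with one space continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def _split_attr(line):
    """'name: value' -> (name, value); 'name:: b64' -> (name, decoded value)."""
    name, _, value = line.partition(":")
    if value.startswith(":"):
        value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
    else:
        value = value.strip()
    return name.strip().lower(), value     # attribute names are case-insensitive


def _entry_from_block(block):
    dn, attrs = None, {}
    for line in block:
        name, value = _split_attr(line)
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return dn, attrs


def parse_ldif(text):
    """Return a list of (dn, {attribute: [values]}) for each entry in the text."""
    entries, block = [], []
    for line in _unfold(text) + [""]:
        if line.strip() == "":
            if block:
                entries.append(_entry_from_block(block))
                block = []
        elif not line.startswith("#"):
            block.append(line)
    return entries


def check_entry(dn, attrs):
    """Schema problems slapd would reject the entry for, plus password values the search returned."""
    problems = []
    classes = {c.lower() for c in attrs.get("objectclass", [])}
    rdn_attr = dn.split("=", 1)[0].strip().lower()
    need = REQUIRED_BY_RDN.get(rdn_attr)
    if need and need.lower() not in classes:
        problems.append(f"missing objectClass: {need}")
    if "associateddomain" in attrs and "domainrelatedobject" not in classes:
        problems.append("associatedDomain needs objectClass: domainRelatedObject")
    for pw in attrs.get("userpassword", []):
        scheme = pw[1:pw.index("}")] if pw.startswith("{") and "}" in pw else "cleartext"
        problems.append(f"userPassword returned by the search (scheme {scheme})")
    return problems


def audit_ldif(text):
    """Map each dn to its list of problems (an empty list means clean)."""
    return {dn: check_entry(dn, attrs) for dn, attrs in parse_ldif(text)}


if __name__ == "__main__":
    for dn, problems in audit_ldif(SAMPLE_LDIF).items():
        print(dn, "->", problems or "ok")
```

Piping the output of ldapsearch -x into audit_ldif is a quick way to see which attributes an anonymous client can read from the directory.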
[root@salt-master ~]# cd
[root@salt-master ~]# yum install -y nfs-utils
Loaded plugins: fastestmirror
Setting up Install Process
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package nfs-utils.x86_64 1:1.2.3-70.el6 will be installed
--> Processing Dependency: nfs-utils-lib >= 1.1.0-3 for package: 1:nfs-utils-1.2.3-70.el6.x86_64
--> Processing Dependency: libtirpc >= 0.2.1-11 for package: 1:nfs-utils-1.2.3-70.el6.x86_64
--> Processing Dependency: keyutils >= 1.4-4 for package: 1:nfs-utils-1.2.3-70.el6.x86_64
--> Processing Dependency: rpcbind for package: 1:nfs-utils-1.2.3-70.el6.x86_64
--> Processing Dependency: python-argparse for package: 1:nfs-utils-1.2.3-70.el6.x86_64
--> Processing Dependency: libgssglue.so.1(libgssapi_CITI_2)(64bit) for package: 1:nfs-utils-1.2.3-70.el6.x86_64
--> Processing Dependency: libgssglue for package: 1:nfs-utils-1.2.3-70.el6.x86_64
--> Processing Dependency: libtirpc.so.1()(64bit) for package: 1:nfs-utils-1.2.3-70.el6.x86_64
--> Processing Dependency: libnfsidmap.so.0()(64bit) for package: 1:nfs-utils-1.2.3-70.el6.x86_64
--> Processing Dependency: libgssglue.so.1()(64bit) for package: 1:nfs-utils-1.2.3-70.el6.x86_64
--> Running transaction check
---> Package keyutils.x86_64 0:1.4-5.el6 will be installed
---> Package libgssglue.x86_64 0:0.1-11.el6 will be installed
---> Package libtirpc.x86_64 0:0.2.1-11.el6 will be installed
---> Package nfs-utils-lib.x86_64 0:1.1.5-11.el6 will be installed
---> Package python-argparse.noarch 0:1.2.1-2.1.el6 will be installed
---> Package rpcbind.x86_64 0:0.2.0-12.el6 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
===========================================================================================================================================================================================
Package Arch Version Repository Size
===========================================================================================================================================================================================
Installing:
nfs-utils x86_64 1:1.2.3-70.el6 iso 334 k
Installing for dependencies:
keyutils x86_64 1.4-5.el6 iso 39 k
libgssglue x86_64 0.1-11.el6 iso 23 k
libtirpc x86_64 0.2.1-11.el6 iso 82 k
nfs-utils-lib x86_64 1.1.5-11.el6 iso 68 k
python-argparse noarch 1.2.1-2.1.el6 iso 48 k
rpcbind x86_64 0.2.0-12.el6 iso 51 k
Transaction Summary
===========================================================================================================================================================================================
Install 7 Package(s)
Total download size: 645 k
Installed size: 1.7 M
Downloading Packages:
(1/7): nfs-utils-1.2.3-70.el6.x86_64.rpm | 334 kB 00:00
(2/7): keyutils-1.4-5.el6.x86_64.rpm | 39 kB 00:00
(3/7): rpcbind-0.2.0-12.el6.x86_64.rpm | 51 kB 00:00
(4/7): nfs-utils-lib-1.1.5-11.el6.x86_64.rpm | 68 kB 00:00
(5/7): libgssglue-0.1-11.el6.x86_64.rpm | 23 kB 00:00
(6/7): libtirpc-0.2.1-11.el6.x86_64.rpm | 82 kB 00:00
(7/7): python-argparse-1.2.1-2.1.el6.noarch.rpm | 48 kB 00:00
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 340 kB/s | 645 kB 00:01
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : libgssglue-0.1-11.el6.x86_64 1/7
Installing : libtirpc-0.2.1-11.el6.x86_64 2/7
Installing : rpcbind-0.2.0-12.el6.x86_64 3/7
Installing : python-argparse-1.2.1-2.1.el6.noarch 4/7
Installing : keyutils-1.4-5.el6.x86_64 5/7
Installing : nfs-utils-lib-1.1.5-11.el6.x86_64 6/7
Installing : 1:nfs-utils-1.2.3-70.el6.x86_64 7/7
Verifying : 1:nfs-utils-1.2.3-70.el6.x86_64 1/7
Verifying : keyutils-1.4-5.el6.x86_64 2/7
Verifying : rpcbind-0.2.0-12.el6.x86_64 3/7
Verifying : nfs-utils-lib-1.1.5-11.el6.x86_64 4/7
Verifying : libgssglue-0.1-11.el6.x86_64 5/7
Verifying : libtirpc-0.2.1-11.el6.x86_64 6/7
Verifying : python-argparse-1.2.1-2.1.el6.noarch 7/7
Installed:
nfs-utils.x86_64 1:1.2.3-70.el6
Dependency Installed:
keyutils.x86_64 0:1.4-5.el6 libgssglue.x86_64 0:0.1-11.el6 libtirpc.x86_64 0:0.2.1-11.el6 nfs-utils-lib.x86_64 0:1.1.5-11.el6 python-argparse.noarch 0:1.2.1-2.1.el6
rpcbind.x86_64 0:0.2.0-12.el6
Complete!
[root@salt-master ~]# /etc/init.d/rpcbind start
Starting rpcbind: [ OK ]
[root@salt-master ~]# /etc/init.d/nfs restart
Shutting down NFS daemon: [ OK ]
Shutting down NFS mountd: [ OK ]
Shutting down RPC idmapd: [ OK ]
Starting NFS services: [ OK ]
Starting NFS mountd: [ OK ]
Starting NFS daemon: [ OK ]
Starting RPC idmapd: [ OK ]
[root@salt-master ~]# vim /etc/exports
/ldaphome *(rw,sync)
[root@salt-master ~]# /etc/init.d/nfs restart
Shutting down NFS daemon: [ OK ]
Shutting down NFS mountd: [ OK ]
Shutting down RPC idmapd: [ OK ]
Starting NFS services: [ OK ]
Starting NFS mountd: [ OK ]
Starting NFS daemon: [ OK ]
Starting RPC idmapd: [ OK ]
Optional
Upload phpldapadmin
[root@salt-master ~]# rz -E
rz waiting to receive.
[root@salt-master ~]# unzip phpldapadmin-1.2.0.4.zip
[root@salt-master ~]# mv phpldapadmin-1.2.0.4 phpldapadmin
[root@salt-master ~]# cd phpldapadmin/config/
[root@salt-master config]# cp config.php.example config.php
[root@salt-master config]# vim config.php
$servers->newServer('ldap_pla');
$servers->setValue('server','name','LDAP Server');
$servers->setValue('server','host','192.168.1.200');
$servers->setValue('server','port',389);
$servers->setValue('server','base',array('dc=ldap,dc=com'));
$servers->setValue('login','auth_type','cookie');
$servers->setValue('login','bind_id','cn=ldap-server,dc=ldap,dc=com');
$servers->setValue('login','bind_pass','123456');
$servers->setValue('server','tls',false);
[root@salt-master config]# yum install php php-ldap
[root@salt-master config]# /etc/init.d/httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
The server side is now complete
LDAP client configuration
[root@salt-minion ~]# vim /etc/hosts
192.168.1.200 ldap-server ldap-server.test.com
192.168.1.201 ldap-client ldap-client.test.com
[root@salt-minion ~]# ping ldap-server
PING ldap-server (192.168.1.200) 56(84) bytes of data.
64 bytes from salt-master (192.168.1.200): icmp_seq=1 ttl=64 time=0.578 ms
64 bytes from salt-master (192.168.1.200): icmp_seq=2 ttl=64 time=0.424 ms
^C
--- ldap-server ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1334ms
rtt min/avg/max/mdev = 0.424/0.501/0.578/0.077 ms
[root@salt-minion ~]# ping ldap-client
PING ldap-client (192.168.1.201) 56(84) bytes of data.
64 bytes from salt-minion (192.168.1.201): icmp_seq=1 ttl=64 time=0.101 ms
64 bytes from salt-minion (192.168.1.201): icmp_seq=2 ttl=64 time=0.038 ms
^C
--- ldap-client ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1484ms
rtt min/avg/max/mdev = 0.038/0.069/0.101/0.032 ms
[root@salt-minion ~]# yum install autofs
Loaded plugins: fastestmirror
Setting up Install Process
Loading mirror speeds from cached hostfile
epel | 4.3 kB 00:00
epel/primary_db | 5.9 MB 00:06
iso | 3.7 kB 00:00
Resolving Dependencies
--> Running transaction check
---> Package autofs.x86_64 1:5.0.5-122.el6 will be installed
--> Processing Dependency: libtirpc.so.1()(64bit) for package: 1:autofs-5.0.5-122.el6.x86_64
--> Processing Dependency: libhesiod.so.0()(64bit) for package: 1:autofs-5.0.5-122.el6.x86_64
--> Running transaction check
---> Package hesiod.x86_64 0:3.1.0-19.el6 will be installed
---> Package libtirpc.x86_64 0:0.2.1-11.el6 will be installed
--> Processing Dependency: libgssglue.so.1(libgssapi_CITI_2)(64bit) for package: libtirpc-0.2.1-11.el6.x86_64
--> Processing Dependency: libgssglue.so.1()(64bit) for package: libtirpc-0.2.1-11.el6.x86_64
--> Running transaction check
---> Package libgssglue.x86_64 0:0.1-11.el6 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
===========================================================================================================================================================================================
Package Arch Version Repository Size
===========================================================================================================================================================================================
Installing:
autofs x86_64 1:5.0.5-122.el6 iso 720 k
Installing for dependencies:
hesiod x86_64 3.1.0-19.el6 iso 20 k
libgssglue x86_64 0.1-11.el6 iso 23 k
libtirpc x86_64 0.2.1-11.el6 iso 82 k
Transaction Summary
===========================================================================================================================================================================================
Install 4 Package(s)
Total download size: 845 k
Installed size: 4.7 M
Is this ok [y/N]: y
Downloading Packages:
(1/4): autofs-5.0.5-122.el6.x86_64.rpm | 720 kB 00:01
(2/4): hesiod-3.1.0-19.el6.x86_64.rpm | 20 kB 00:00
(3/4): libgssglue-0.1-11.el6.x86_64.rpm | 23 kB 00:00
(4/4): libtirpc-0.2.1-11.el6.x86_64.rpm | 82 kB 00:00
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 473 kB/s | 845 kB 00:01
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : libgssglue-0.1-11.el6.x86_64 1/4
Installing : libtirpc-0.2.1-11.el6.x86_64 2/4
Installing : hesiod-3.1.0-19.el6.x86_64 3/4
Installing : 1:autofs-5.0.5-122.el6.x86_64 4/4
Verifying : 1:autofs-5.0.5-122.el6.x86_64 1/4
Verifying : hesiod-3.1.0-19.el6.x86_64 2/4
Verifying : libgssglue-0.1-11.el6.x86_64 3/4
Verifying : libtirpc-0.2.1-11.el6.x86_64 4/4
Installed:
autofs.x86_64 1:5.0.5-122.el6
Dependency Installed:
hesiod.x86_64 0:3.1.0-19.el6 libgssglue.x86_64 0:0.1-11.el6 libtirpc.x86_64 0:0.2.1-11.el6
Complete!
Use autofs for automatic mounting
[root@salt-minion ~]# mkdir /ldaphome
[root@salt-minion ~]# vim /etc/auto.master
/- /etc/auto.nfs
[root@salt-minion ~]# vim /etc/auto.nfs
/ldaphome -fstype=nfs,rw,sync 192.168.1.200:/ldaphome/&
[root@salt-minion ~]# yum install -y openldap openldap-clients pam_ldap nss-pam-ldapd
[root@salt-minion ~]# vim /etc/openldap/ldap.conf
host 192.168.1.200
base dc=ldap,dc=com
uri ldap://192.168.1.200
[root@salt-minion ~]# cp /etc/openldap/ldap.conf /etc/
[root@salt-minion ~]# cat /etc/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
TLS_CACERTDIR /etc/openldap/certs
host 192.168.1.200
base dc=ldap,dc=com
uri ldap://192.168.1.200
[root@salt-minion ~]# vim /etc/nsswitch.conf
passwd: files ldap
shadow: files ldap
group: files ldap
[root@salt-minion ~]# vim /etc/nslcd.conf
uri ldap://192.168.1.200/
base dc=ldap,dc=com
[root@salt-minion ~]# /etc/init.d/nslcd restart
[root@salt-minion ~]# vim /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so -----add
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so -----add
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok -----add
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so -----add
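A small checker for the stack file edited above, added here as an example and not code from the original post or from any PAM project. It parses a system-auth-style file and reports a stack with no pam_ldap.so line, a pam_ldap.so line placed after pam_deny.so, and misspelled pam_ldap.so options (PAM only logs a warning for an unknown option and then ignores it, so a slip like `use_authok` fails silently). The sample input is constructed from the system-auth file above, with the option on the password pam_ldap.so line deliberately misspelled as `use_authok` to show what the check reports; the option list is a subset of those documented for pam_ldap.

```python
"""Sanity-check the pam_ldap.so entries in a pam.d stack file.

Added example, not code from the original post. parse_pam() reads the text
of an /etc/pam.d/system-auth-style file; check_ldap_stack() then reports
a stack (auth/account/password/session) with no pam_ldap.so entry, a
pam_ldap.so line placed after pam_deny.so (it can no longer grant anything),
and misspelled pam_ldap.so options, which PAM merely logs a warning about
while dropping the option.
"""
import difflib
import re
from typing import List, Tuple

STACKS = ("auth", "account", "password", "session")

# Subset of the options documented for pam_ldap; anything else is flagged.
PAM_LDAP_OPTIONS = (
    "use_first_pass", "try_first_pass", "use_authtok",
    "ignore_unknown_user", "ignore_authinfo_unavail", "debug",
)

# (stack, control, module, options)
Entry = Tuple[str, str, str, List[str]]


def parse_pam(text: str) -> List[Entry]:
    """Parse pam.d lines, tolerating bracketed controls and comments."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        # Drop comments and the post's own '-----add' margin marks, which
        # are not PAM syntax, before tokenising.
        line = re.split(r"#|-----", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        stack = tokens[0].lstrip("-")  # a leading '-' only silences log noise
        if tokens[1].startswith("["):
            # [default=bad success=ok user_unknown=ignore] spans several tokens
            end = next(i for i, t in enumerate(tokens) if t.endswith("]"))
            control, rest = " ".join(tokens[1:end + 1]), tokens[end + 1:]
        else:
            control, rest = tokens[1], tokens[2:]
        entries.append((stack, control, rest[0], rest[1:]))
    return entries


def check_ldap_stack(text: str) -> List[str]:
    """Return findings as strings; an empty list means nothing looked wrong."""
    findings: List[str] = []
    entries = parse_pam(text)
    for stack in STACKS:
        rows = [e for e in entries if e[0] == stack]
        ldap_idx = [i for i, e in enumerate(rows) if e[2] == "pam_ldap.so"]
        deny_idx = [i for i, e in enumerate(rows) if e[2] == "pam_deny.so"]
        if not ldap_idx:
            findings.append(f"{stack}: no pam_ldap.so entry in this stack")
            continue
        if deny_idx and min(ldap_idx) > min(deny_idx):
            findings.append(f"{stack}: pam_ldap.so sits after pam_deny.so and can never succeed")
        for i in ldap_idx:
            for opt in rows[i][3]:
                name = opt.split("=", 1)[0]
                if name not in PAM_LDAP_OPTIONS:
                    hint = difflib.get_close_matches(name, PAM_LDAP_OPTIONS, n=1)
                    tip = f" (did you mean {hint[0]}?)" if hint else ""
                    findings.append(f"{stack}: unknown pam_ldap.so option '{name}'{tip}")
    return findings


# Constructed sample: the system-auth file from this walkthrough, with the
# option on the password pam_ldap.so line misspelled as 'use_authok'.
SAMPLE_SYSTEM_AUTH = """\
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so -----add
auth        required      pam_deny.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so -----add
account     required      pam_permit.so
password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authok -----add
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so -----add
"""

if __name__ == "__main__":
    for finding in check_ldap_stack(SAMPLE_SYSTEM_AUTH) or ["no findings"]:
        print(finding)
```

Run it against the real file with `check_ldap_stack(open("/etc/pam.d/system-auth").read())` before closing the root shell: a typo in a `sufficient` line is easy to miss because local logins keep working and only LDAP password changes break.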
[root@salt-minion ~]# getent passwd|grep ldapuser
ldapuser1:x:501:501:ldapuser1:/ldaphome/ldapuser1:/bin/bash
ldapuser2:x:502:502:ldapuser2:/ldaphome/ldapuser2:/bin/bash
[root@salt-minion ~]# getent shadow|grep ldapuser
ldapuser1:$6$CpI142On$md9.iD1ecINB7J7YgSXX.EmpCkN7CJ4XTy9gvwVYatVvQNZzxPZLfdIH5bfkwO9D0jpV5Z2TDUr9IqEzdXN2x/:17054:0:99999:7:::0
ldapuser2:$6$e1tAUNSL$NH55opIkfM4yOshzPVCMth./11VYTXeuYHD5AmVqktRMrnXFVJeLfsXW90O5sE5GxSDWP8VPYDJJII/lIm98D1:17054:0:99999:7:::0
[root@salt-minion ~]# su - ldapuser1
[ldapuser1@salt-minion ~]$ ll
total 0
[ldapuser1@salt-minion ~]$ exit
logout
[root@salt-minion ~]# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
saslauth:x:499:76:Saslauthd user:/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
nginx:x:498:498:Nginx web server:/var/lib/nginx:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
nslcd:x:65:55:LDAP Client User:/:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
As you can see, there is no ldapuser1 entry in the local /etc/passwd; the account comes from LDAP.
This completes the LDAP client setup.
In addition, each user's home directory is kept separate, on the NFS share:
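The difference between `getent passwd` and `/etc/passwd` just shown is exactly the set of accounts nslcd serves, and it is worth auditing once on a freshly joined client. The script below is an added example, not code from the original post: it computes that difference and flags a directory account that reuses a UID already owned by a local account (the kernel checks ownership by numeric UID, so such a user would own the local account's files) or that falls below the UID floor the `pam_succeed_if.so uid >= 500` line in system-auth enforces. The sample input is constructed from the listings above, abbreviated, plus a made-up `ldapuser3` with UID 499 to trigger both checks.

```python
"""Tell LDAP-served accounts apart from local ones and audit them.

Added example, not code from the original post. 'getent passwd' walks every
source named in nsswitch.conf ('files ldap' above), so whatever it lists
that /etc/passwd does not is what nslcd is serving. audit_directory_accounts()
then checks that no directory account reuses a local UID or sits below the
UID floor that pam_succeed_if enforces in the auth stack.
"""
from collections import namedtuple
from typing import Dict, List

PasswdEntry = namedtuple("PasswdEntry", "name uid gid gecos home shell")


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Parse passwd(5)-formatted lines (from a file or from getent)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, gecos, home, shell = line.split(":", 6)
        entries.append(PasswdEntry(name, int(uid), int(gid), gecos, home, shell))
    return entries


def directory_accounts(local_text: str, getent_text: str) -> List[PasswdEntry]:
    """Accounts that NSS returns but /etc/passwd does not: the LDAP-served ones."""
    local_names = {e.name for e in parse_passwd(local_text)}
    return [e for e in parse_passwd(getent_text) if e.name not in local_names]


def audit_directory_accounts(local_text: str, getent_text: str,
                             min_uid: int = 500) -> List[str]:
    """Return findings for directory accounts that clash with local policy."""
    local_by_uid: Dict[int, str] = {e.uid: e.name for e in parse_passwd(local_text)}
    findings = []
    for e in directory_accounts(local_text, getent_text):
        if e.uid in local_by_uid:
            findings.append(f"{e.name}: UID {e.uid} already belongs to local account "
                            f"{local_by_uid[e.uid]}")
        if e.uid < min_uid:
            findings.append(f"{e.name}: UID {e.uid} is below {min_uid}; pam_succeed_if "
                            "stops it before pam_ldap.so is consulted")
    return findings


# Constructed sample: the client's local /etc/passwd, abbreviated.
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
saslauth:x:499:76:Saslauthd user:/var/empty/saslauth:/sbin/nologin
nginx:x:498:498:Nginx web server:/var/lib/nginx:/sbin/nologin
nslcd:x:65:55:LDAP Client User:/:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
"""

# Constructed sample of 'getent passwd': the local entries, the two ldapuser
# accounts from the post, and a made-up ldapuser3 whose UID 499 collides
# with saslauth and falls below the 500 floor.
GETENT_PASSWD = LOCAL_PASSWD + """\
ldapuser1:x:501:501:ldapuser1:/ldaphome/ldapuser1:/bin/bash
ldapuser2:x:502:502:ldapuser2:/ldaphome/ldapuser2:/bin/bash
ldapuser3:x:499:499:ldapuser3:/ldaphome/ldapuser3:/bin/bash
"""

if __name__ == "__main__":
    served = [e.name for e in directory_accounts(LOCAL_PASSWD, GETENT_PASSWD)]
    print("served by LDAP:", served)
    for finding in audit_directory_accounts(LOCAL_PASSWD, GETENT_PASSWD):
        print(finding)
```

On a live client feed it `open("/etc/passwd").read()` and the output of `getent passwd`; the 500 floor should match whatever your system-auth actually says.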
[root@salt-minion ~]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/vg_saltmaster-lv_root
18G 1004M 16G 7% /
tmpfs 238M 0 238M 0% /dev/shm
/dev/sda1 477M 28M 425M 7% /boot
192.168.1.200:/ldaphome/ldapuser1
18G 3.8G 13G 23% /ldaphome/ldapuser1
[root@salt-minion ~]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/vg_saltmaster-lv_root
18G 1004M 16G 7% /
tmpfs 238M 0 238M 0% /dev/shm
/dev/sda1 477M 28M 425M 7% /boot
After the directory has gone unused for a while, autofs unmounts it automatically.