一、前置准备
1、基础环境说明
客户端操作系统:CentOS 7.4 core
AD服务器:WinServer 2012 R2
2、AD证书导出
1).服务器管理
服务器管理→AD CS→证书颁发机构→所有任务→备份CA
2).证书备份(导出)
备份项目→设置密码(默认为空)→完成
二、OpenLDAP Client安装及配置
1、安装OpenLDAP Client
集群所有节点添加AD服务器hosts配置,并安装openldap-clients
# yum -y install openldap-clients
2、配置ldap.conf
1). 修改/etc/openldap/ldap.conf
# vim /etc/openldap/ldap.conf
# /etc/openldap/ldap.conf — defaults for the OpenLDAP client tools (ldapsearch etc.)
# Server to contact; the URI is plain ldap://, so pass -ZZ to the tools when a
# StartTLS-protected session is required for the test searches.
URI ldap://adserver.bosch.com
# Default search base when none is given on the command line.
BASE dc=bosch,dc=com
# Directory the client looks in for the CA certificate that signed the AD server
# certificate. NOTE(review): the guide's cacertdir_rehash step targets
# /etc/openldap/cacerts, not this directory — confirm the CA is actually
# resolvable from here, and that the PEM holds the CA certificate only (a CA
# backup may also contain the private key, which must not be copied to clients).
TLS_CACERTDIR /etc/openldap/certs
# Do not canonicalise the server host name before SASL negotiation.
SASL_NOCANON on
2). 验证ldap配置
# ldapsearch -b "ou=Cloudera Users,dc=bosch,dc=com" -D "cn=cloudera-scm/admin,cn=Users,dc=bosch,dc=com" -W |grep dn
3、配置证书
1).上传CA证书
将导出的证书上传至Linux服务器的/etc/openldap/certs目录并拷贝至/etc/openldap/cacerts/
2).转换CA证书
# cd /etc/openldap/certs
# openssl pkcs12 -in bosch-ADSERVER-CA.p12 -out adserver.pem
密码默认为空
3).创建软连接
# cp adserver.pem /etc/openldap/cacerts/
# cacertdir_rehash /etc/openldap/cacerts/
三、SSSD服务安装及配置
1、安装sssd服务
# yum install -y sssd authconfig nss-pam-ldapd sssd-ad
2、配置sssd服务
# authconfig --enablesssd --enablesssdauth --enablerfc2307bis --enableldap --enableldapauth --disableforcelegacy --enableldaptls --disablekrb5 --ldapserver ldap://adserver.bosch.com --ldapbasedn "dc=bosch,dc=com" --enablemkhomedir --update
# vi /etc/sssd/sssd.conf
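# /etc/sssd/sssd.conf — AD users and groups resolved over LDAP (Kerberos not used).
# sssd only starts when this file is owned by root with mode 0600; it holds the
# bind password below, so keep those permissions intact.

[domain/BOSCH.COM]
# --- Providers ---
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
autofs_provider = ldap
ldap_schema = ad
# krb5_* are not consulted while no provider is set to krb5; kept for reference.
krb5_realm = BOSCH.COM
krb5_server = adserver.bosch.com

# --- LDAP connection ---
# Plain ldap:// URI; identity lookups are upgraded with StartTLS through
# ldap_id_use_start_tls (authentication binds use TLS regardless).
ldap_uri = ldap://adserver.bosch.com
ldap_id_use_start_tls = True
# Directory of hashed CA certificates used to verify the AD server certificate.
# NOTE(review): the guide runs cacertdir_rehash on /etc/openldap/cacerts, not on
# this directory — confirm the hashed CA link exists here or point this at
# /etc/openldap/cacerts. The PEM placed there should contain only the CA
# certificate; a CA backup can include the CA private key, which must not be
# distributed to client nodes.
ldap_tls_cacertdir = /etc/openldap/certs
# Service account used for lookups. The secret is stored in clear text;
# ldap_default_authtok_type = obfuscated_password with a value generated by
# sss_obfuscate keeps the literal password out of this file (it remains
# recoverable from the file, so the 0600 permission is the real control).
ldap_default_bind_dn = cn=cloudera-scm/admin,cn=Users,dc=bosch,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = UnionBigData@123.

# --- General ---
# 0-9; 7 is verbose and is usually lowered once the setup is working.
debug_level = 7
enumerate = false
case_sensitive = false
# Cache credentials so previously seen users can log in while AD is unreachable.
# Set exactly once (a duplicated key would be resolved parser-side, last wins).
cache_credentials = true
min_id = 100

# --- Identity mapping and attribute mapping ---
full_name_format = %1$s
fallback_homedir = /home/%u
default_shell = /bin/bash
ldap_id_mapping = True
ldap_search_base = dc=bosch,dc=com
# LDAP user search settings
ldap_user_search_base = ou=Cloudera Users,dc=bosch,dc=com
# LDAP group search settings
ldap_group_search_base = ou=Cloudera groups,dc=bosch,dc=com
# LDAP class and attribute settings
ldap_user_object_class = user
ldap_user_principal = userPrincipalName
ldap_user_name = sAMAccountName
ldap_user_gecos = displayName
ldap_user_home_directory = unixHomeDirectory
ldap_group_object_class = group
ldap_group_name = sAMAccountName

[autofs]

[sssd]
config_file_version = 2
services = nss, pam, autofs
# NOTE(review): "default" has no [domain/default] section in this file —
# presumably a leftover; either add that section or drop it from the list.
domains = default, BOSCH.COM

[nss]
#filter_groups = root
#filter_users = root
reconnection_retries = 3

[pam]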
# systemctl restart sssd
# systemctl status sssd
四、验证SSSD和SSH集成
1、创建用户
在AD域中Cloudera Users组织创建用户
2、查看用户
在Linux服务器查看相应用户
# cat /etc/passwd|grep whtm
# id whtm
3、测试ssh登录
# ssh whtm@cdh03.domain