CentOS操作系统上LDAP客户端配置
iso:centos7.9
-
配置DNS
vi /etc/resolv.conf
nameserver 192.168.10.43
2、挂载光盘
mount /dev/cdrom /mnt
3、配置YUM源
cd /etc/yum.repos.d/
mv CentOS-Media.repo CentOS-Media.repo.bak
mv CentOS-Base.repo CentOS-Base.repo.bak
vi CentOS-local.repo
[base-local]
name=CentOS7.6
baseurl=file:///mnt
enabled=1
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPS-KEY-CentOS-7
4、更新yum源
yum clean all
yum makecache
5、测试yum
yum list
6、安装ldap客户端相关软件
yum install -y openldap-clients
yum install -y nscd
yum install -y nss-pam-ldapd
7、关闭Selinux
vi /etc/selinux/config
SELINUX=disabled
8、关闭并禁用防火墙
systemctl stop firewalld.service
systemctl disable firewalld.service
systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: inactive (dead)
Docs: man:firewalld(1)
9、一般来说直接配置了下述命令就可以直接使用相应的openldap 认证:
[root@client ~]# authconfig --enableldap --enableldapauth --enablemkhomedir --enableforcelegacy --disablesssd --disablesssdauth --disableldaptls --enablelocauthorize --ldapserver=192.168.10.43 --ldapbasedn="ou=HPC(自己局域网内可以不写),dc=nju,dc=hpc" --enableshadow --update
10、检索LDAP服务器上的相关用户信息
[root@client ~]# ldapsearch -H ldap://192.168.10.43 -x -b "dc=nju,dc=hpc" || grep dn
# extended LDIF
#
# LDAPv3
# base <dc=nju,dc=hpc> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# nju.hpc
dn: dc=nju,dc=hpc
dc: nju
objectClass: top
objectClass: domain
# admin, nju.hpc
dn: cn=admin,dc=nju,dc=hpc
objectClass: organizationalRole
cn: admin
description: LDAP Manager
# Group, nju.hpc
dn: ou=Group,dc=nju,dc=hpc
ou: Group
objectClass: top
objectClass: organizationalUnit
# ldapgroup, Group, nju.hpc
dn: cn=ldapgroup,ou=Group,dc=nju,dc=hpc
objectClass: posixGroup
objectClass: top
cn: ldapgroup
gidNumber: 1001
memberUid: ldaptest03
# ldaptest02, Group, nju.hpc
dn: uid=ldaptest02,ou=Group,dc=nju,dc=hpc
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: person
objectClass: inetOrgPerson
sn: ldaptest02
cn: ldaptest02
uid: ldaptest02
uidNumber: 1002
gidNumber: 1002
homeDirectory: /home/ldaptest02
loginShell: /bin/bash
userPassword:: cGFzc3dvcmQ=
shadowMin: 0
shadowMax: 99999
shadowWarning: 365
# search result
search: 2
result: 0 Success
# numResponses: 6
# numEntries: 5
11、查看相关配置文件
/etc/nsswitch.conf 该文件主要用于名称转换服务,用于系统验证用户身份所读取本地文件或是远程验证服务器文件。
/etc/sysconfig/authconfig
主要用于提供身份验证之LDAP功能,该配置文件用来跟踪LDAP身份认证机制是否正确启用。
/etc/pam.d/system-auth 主要用于实现用户账户身份验证。
/etc/openldap/ldap.conf 主要用于查询OpenLDAP服务器所有条目信息。
(1)、查看配置文件 /etc/nslcd.conf
[root@client ~]# sed -e '/^#/d' /etc/nslcd.conf
uid nslcd
gid ldap
uri ldap://192.168.10.43/
base dc=nju,dc=hpc
ssl no
tls_cacertdir /etc/openldap/cacerts
(2)、查看配置文件 /etc/openldap/ldap.conf
[root@client ~]# sed -e '/^#/d' /etc/openldap/ldap.conf
TLS_CACERTDIR /etc/openldap/cacerts
SASL_NOCANON on
URI ldap://192.168.10.43/
BASE dc=nju,dc=hpc
(3)、查看配置文件 /etc/pam.d/system-auth
[root@client ~]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
(4)、查看配置文件 /etc/nsswitch.conf
[root@client ~]# cat /etc/nsswitch.conf
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
# nisplus Use NIS+ (NIS version 3)
# nis Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the local database (.db) files
# compat Use NIS on compat mode
# hesiod Use Hesiod for user lookups
# sss Use sssd (System Security Services Daemon)
# [NOTFOUND=return] Stop searching if not found so far
#
# WARNING: Running nscd with a secondary caching service like sssd may lead to
# unexpected behaviour, especially with how long entries are cached.
# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd: db files nisplus nis
#shadow: db files nisplus nis
#group: db files nisplus nis
passwd: files ldap
shadow: files ldap
group: files ldap
#initgroups: files sss
#hosts: db files nisplus nis dns
hosts: files dns myhostname
# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files ldap
publickey: nisplus
automount: files ldap
aliases: files nisplus
(5)、查看配置文件 /etc/sysconfig/authconfig
[root@client ~]# cat /etc/sysconfig/authconfig
CACHECREDENTIALS=yes
FAILLOCKARGS="deny=4 unlock_time=1200"
FORCELEGACY=yes
FORCESMARTCARD=no
IPADOMAINJOINED=no
IPAV2NONTP=no
PASSWDALGORITHM=sha512
USEDB=no
USEECRYPTFS=no
USEFAILLOCK=no
USEFPRINTD=no
USEHESIOD=no
USEIPAV2=no
USEKERBEROS=no
USELDAP=yes
USELDAPAUTH=yes
USELOCAUTHORIZE=yes
USEMKHOMEDIR=yes
USENIS=no
USEPAMACCESS=no
USEPASSWDQC=no
USEPWQUALITY=yes
USESHADOW=yes
USESMARTCARD=no
USESSSD=no
USESSSDAUTH=no
USESYSNETAUTH=no
USEWINBIND=no
USEWINBINDAUTH=no
WINBINDKRB5=no
12、重启服务
(1)、重启nslcd服务
systemctl restart nslcd
(2)、查看nslcd服务状态
[root@localhost ~]# systemctl status nslcd
● nslcd.service - Naming services LDAP client daemon.
Loaded: loaded (/usr/lib/systemd/system/nslcd.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2021-12-28 15:05:07 CST; 1h 8min ago
Docs: man:nslcd(8)
man:nslcd.conf(5)
Process: 1879 ExecStart=/usr/sbin/nslcd (code=exited, status=0/SUCCESS)
Main PID: 1880 (nslcd)
CGroup: /system.slice/nslcd.service
└─1880 /usr/sbin/nslcd
Dec 28 15:05:07 client systemd[1]: Starting Naming services LDAP client daemon....
Dec 28 15:05:07 client nslcd[1880]: version 0.8.13 starting
Dec 28 15:05:07 client systemd[1]: Started Naming services LDAP client daemon..
Dec 28 15:05:07 client nslcd[1880]: accepting connections
Dec 28 15:24:04 client nslcd[1880]: [7b23c6] <passwd(all)> (re)loading /etc/nsswitch.conf
13、验证LDAP相关信息(添加用户后在验证)
(1)、获取ldap认证用户的相关信息
[root@client ~]# getent passwd
ldaptest02:x:1002:1002:ldaptest02:/home/ldaptest02:/bin/bash