1. 向dns服务器(192.168.89.128,与ldap服务器是同一台)中添加解析:
# ktz.com -> 192.168.89.128
vim /etc/named.conf
zone "ktz.com" IN {
type master;
file "ktz.com.zone";
};
vim /var/named/ktz.com.zone
$TTL 1D
@ IN SOA @ ktz.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS @
A 192.168.89.128
www A 192.168.89.128
systemctl restart named
2. 禁用防火墙和 SELinux[客户端],并修改 DNS 服务器(关闭防火墙和 SELinux 只是实验环境的简化,生产环境应保留二者并只放行 LDAP 所需的端口和策略;修改 /etc/selinux/config 需重启后才生效)
vim /etc/resolv.conf
nameserver 192.168.89.128
vim /etc/selinux/config
SELINUX=disabled
3. 安装客户端软件
yum install -y nss-pam-ldapd openldap-clients
4. 配置openLDAP-client
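#######################################
# 让 NSS 的 passwd/shadow/group 查询使用 OpenLDAP 服务器
# 参数:  $1 - nsswitch.conf 路径(默认 /etc/nsswitch.conf)
# 副作用: 先备份为 <路径>.old,再就地修改该文件
# 说明:  在 passwd:/shadow:/group: 三行末尾追加 " ldap";
#        行内已有 ldap 源则跳过,因此重复执行不会重复追加
#######################################
enable_nss_ldap() {
  local conf=${1:-/etc/nsswitch.conf}
  local db
  cp -- "$conf" "$conf.old"
  for db in passwd shadow group; do
    # 只处理以 "<db>:" 开头且尚未包含 ldap 的行,在行尾追加 " ldap"
    sed -i "/^${db}:/"'{/[[:space:]]ldap\([[:space:]]\|$\)/!s/$/ ldap/}' "$conf"
  done
}
enable_nss_ldap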
#配置ldapclient 配置文件
cp /etc/openldap/ldap.conf /etc/openldap/ldap.conf.old
vim /etc/openldap/ldap.conf
#注释掉上面的 host 和 BASE 字段,在结尾追加(host 填 LDAP 服务器地址,应与第 1 步中的 192.168.89.128 一致;ssl off 表示客户端走明文 389 端口,绑定口令在网络上不加密,生产环境应改用 ldaps 或 StartTLS)
host 192.168.85.129
BASE dc=ktz,dc=com
URI ldap://ktz.com ldap://ktz.com:389
ssl off
5. 启用LDAP身份验证机制
cp /etc/sysconfig/authconfig /etc/sysconfig/authconfig.old
vim /etc/sysconfig/authconfig
IPADOMAINJOINED=no
USEMKHOMEDIR=no
USEPAMACCESS=no
CACHECREDENTIALS=yes
USESSSDAUTH=no
USESHADOW=yes
USEWINBIND=no
USEDB=no
USEFPRINTD=yes
FORCESMARTCARD=no
PASSWDALGORITHM=sha512
USELDAPAUTH=yes
USEPASSWDQC=no
IPAV2NONTP=no
USELOCAUTHORIZE=yes
USECRACKLIB=yes
USEIPAV2=no
USEWINBINDAUTH=no
USESMARTCARD=no
USELDAP=yes
USENIS=no
USEKERBEROS=no
USESYSNETAUTH=no
USESSSD=no
USEHESIOD=no
USEMD5=yes
FORCELEGACY=no
6. pam 认证
cp /etc/pam_ldap.conf /etc/pam_ldap.conf.old
vim /etc/pam_ldap.conf
#注释掉上面的 host 和 base 字段,在结尾追加(注意 host 行的写法要与下面的 base、uri 行一致,关键字和值之间用空格;地址同样是 LDAP 服务器 192.168.89.128)
host=192.168.89.128
base dc=ktz,dc=com
uri ldap://ktz.com
7. 编辑系统认证文件,保证使用LDAP来认证
cp /etc/pam.d/system-auth /etc/pam.d/system-auth.old
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
8. 启动并开机自启
# 重启 nslcd 让新的 LDAP 客户端配置生效,然后设置开机自启
for action in restart enable; do
  systemctl "$action" nslcd
done
9. 测试登录
ldap服务器上创建用户: test5/123456
id test5
uid=1007(test5) gid=500(devops) groups=500(devops)
ssh test5@127.0.0.1
test5@127.0.0.1's password:
Last login: Wed Mar 18 17:29:29 2020 from localhost
登录成功,验证完成。注意如果登录后出现 -sh-4.2$ 这样的提示符,说明创建用户时没有指定 /bin/bash 作为登录 shell,在 LDAP 中修改该用户的 loginShell 即可
可以写成脚本进行批量操作,后期就无需在不同服务器建不同用户了