Setting up openldap+phpldapadmin on CentOS 7 and configuring some related requirements

I. Basic configuration

Configure the yum repository

[root@ldapserver ~]# wget http://mirrors.aliyun.com/repo/Centos-7.repo
[root@ldapserver ~]# cd /etc/yum.repos.d/ 
[root@ldapserver ~]# mv CentOS-Base.repo CentOS-Base.repo.bak && mv Centos-7.repo CentOS-Base.repo
[root@ldapserver ~]# yum clean all && yum makecache

Disable SELinux and the firewalld firewall

[root@ldapserver ~]# sed -i '/SELINUX/s/enforcing/disabled/' /etc/selinux/config && setenforce 0 && systemctl disable firewalld.service && systemctl stop firewalld.service && shutdown -r now
II. Install OpenLDAP
yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel migrationtools
III. Configure OpenLDAP

Note: starting with OpenLDAP 2.4.23 all configuration data is kept in /etc/openldap/slapd.d/; using slapd.conf as the configuration file is no longer recommended.

1. Configure the administrator password

Generate a hashed password with slappasswd and record the resulting string

[root@ldapserver ~]# slappasswd 
New password: 
Re-enter new password: 
{SSHA}3bUhBF/9JhkJEwStvs6BPKTxAk8siFBS
2. Configure the OpenLDAP database administrator - olcDatabase={2}hdb.ldif
[root@ldapserver ~]# cat /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}hdb.ldif 
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 f5f0ce38
dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
# the LDAP server's root suffix, for the domain zs.com
olcSuffix: dc=zs,dc=com
# the database administrator entry
olcRootDN: cn=xhb,dc=zs,dc=com
# the password of the administrator entry
olcRootPW: {SSHA}eR/BvymXcfaaICO70o5RYUh/R+R65z1i
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
structuralObjectClass: olcHdbConfig
entryUUID: ca4b1d6a-38a0-1039-9756-2735ca6c2f55
creatorsName: cn=config
createTimestamp: 20190712032758Z
entryCSN: 20190712032758.735053Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20190712032758Z

Note:

  • olcRootDN: cn=xhb is the OpenLDAP administrator's username
  • olcRootPW: the password of the administrator account (cn=xhb,dc=zs,dc=com); fill in the hashed string generated in step 1
3. Configure database access permissions - olcDatabase={1}monitor.ldif
[root@ldapserver ~]# cat /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}monitor.ldif 
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 0c5348ad
dn: olcDatabase={1}monitor
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
# allow the administrator cn=xhb,dc=zs,dc=com to read this database
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
 al,cn=auth" read by dn.base="cn=xhb,dc=zs,dc=com" read by * none
structuralObjectClass: olcDatabaseConfig
entryUUID: ca4b15ea-38a0-1039-9755-2735ca6c2f55
creatorsName: cn=config
createTimestamp: 20190712032758Z
entryCSN: 20190712032758.734861Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20190712032758Z

Verify the basic OpenLDAP configuration

[root@ldapserver ~]# slaptest -u
5d2ed7e7 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif"
5d2ed7e7 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif"
config file testing succeeded

Note: the checksum errors can be ignored (they appear because the two files were edited by hand instead of through ldapmodify, so their CRC32 header no longer matches); the configuration is OK once it prints config file testing succeeded

Start the slapd service

[root@ldapserver ~]# systemctl enable slapd
[root@ldapserver ~]# systemctl start slapd
[root@ldapserver ~]# systemctl status slapd
● slapd.service - OpenLDAP Server Daemon
   Loaded: loaded (/usr/lib/systemd/system/slapd.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2019-07-17 15:04:18 HKT; 1h 13min ago
     Docs: man:slapd
           man:slapd-config
           man:slapd-hdb
           man:slapd-mdb
           file:///usr/share/doc/openldap-servers/guide.html
 Main PID: 79746 (slapd)
   CGroup: /system.slice/slapd.service
           └─79746 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:///

Jul 17 15:59:20 ldapserver slapd[79746]: conn=1032 op=7 ABANDON msg=7
Jul 17 15:59:20 ldapserver slapd[79746]: conn=1032 op=8 do_search: invalid dn: "dzsen,...m"
Jul 17 15:59:20 ldapserver slapd[79746]: conn=1032 op=8 SEARCH RESULT tag=101 err=34 n...DN
Jul 17 15:59:20 ldapserver slapd[79746]: conn=1032 op=9 ABANDON msg=9
Jul 17 16:01:01 ldapserver slapd[79746]: conn=1034 op=6 do_search: invalid dn: "dzsen,...m"
Jul 17 16:01:01 ldapserver slapd[79746]: conn=1034 op=6 SEARCH RESULT tag=101 err=34 n...DN
Jul 17 16:01:01 ldapserver slapd[79746]: conn=1034 op=7 ABANDON msg=7
Jul 17 16:01:01 ldapserver slapd[79746]: conn=1034 op=8 do_search: invalid dn: "dzsen,...m"
Jul 17 16:01:01 ldapserver slapd[79746]: conn=1034 op=8 SEARCH RESULT tag=101 err=34 n...DN
Jul 17 16:01:01 ldapserver slapd[79746]: conn=1034 op=9 ABANDON msg=9
Hint: Some lines were ellipsized, use -l to show in full.

By default slapd listens on port 389

[root@ldapserver ~]# netstat -lntp | grep slapd
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      79746/slapd         
tcp6       0      0 :::389                  :::*                    LISTEN      79746/slapd
4. Configure the database

OpenLDAP uses BerkeleyDB as its database by default

[root@ldapserver ~]# ll /usr/share/openldap-servers/
total 8
-rw-r--r--. 1 root root  845 Jan 30 01:43 DB_CONFIG.example
-rw-r--r--. 1 root root 3717 Jan 30 01:43 slapd.ldif
[root@ldapserver ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@ldapserver ~]# chown -R ldap:ldap /var/lib/ldap/

Note: /var/lib/ldap/ is the default storage path of the BerkeleyDB database

5. Import the basic schemas
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
6. Configure the migrationtools migration tool

The migrationtools scripts live in /usr/share/migrationtools/. Their main configuration file is migrate_common.ph, which controls the LDIF migration files they generate; set the following values in migrate_common.ph

[root@ldapserver ~]# vim /usr/share/migrationtools/migrate_common.ph
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "zs.com";

# Default base 
$DEFAULT_BASE = "dc=zs,dc=com";

$EXTENDED_SCHEMA = 0;
IV. Use migrationtools to generate LDIF files and add user and group records to the LDAP server
1. Extract the users and groups to add
[root@ldapserver ~]# grep ldap /etc/passwd > users
[root@ldapserver ~]# grep ldap /etc/group > groups
[root@ldapserver ~]# cat users
ldap:x:55:55:OpenLDAP server:/var/lib/ldap:/sbin/nologin
ldap1:x:1000:1000::/home/ldap1:/bin/bash
[root@ldapserver ~]# cat groups 
ldap:x:55:
ldap1:x:1000:
2. Generate the user LDIF file with migrate_passwd.pl from migrationtools
[root@ldapserver ~]# /usr/share/migrationtools/migrate_passwd.pl users > users.ldif
[root@ldapserver ~]# cat users.ldif 
dn: uid=ldap,ou=People,dc=zs,dc=com
uid: ldap
cn: OpenLDAP server
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}!!
shadowLastChange: 18089
loginShell: /sbin/nologin
uidNumber: 55
gidNumber: 55
homeDirectory: /var/lib/ldap
gecos: OpenLDAP server

dn: uid=ldap1,ou=People,dc=zs,dc=com
uid: ldap1
cn: ldap1
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$6$LYJeDWfJ$Tyz8u9u7w.ZbWwioGokh7horIHsfFBiozYxKwz9EyXbo829SAC8H3b0izNbF2sRjIgeb24RKY589GBVp74OFP/
shadowLastChange: 18089
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/ldap1
3. Generate the group LDIF file with migrate_group.pl from migrationtools
[root@ldapserver ~]# /usr/share/migrationtools/migrate_group.pl groups > groups.ldif
[root@ldapserver ~]# cat groups.ldif 
dn: cn=ldap,ou=Group,dc=zs,dc=com
objectClass: posixGroup
objectClass: top
cn: ldap
userPassword: {crypt}x
gidNumber: 55

dn: cn=ldap1,ou=Group,dc=zs,dc=com
objectClass: posixGroup
objectClass: top
cn: ldap1
userPassword: {crypt}x
gidNumber: 1000

Note: later, when new users or groups need to be added, the users.ldif and groups.ldif files above can simply be edited

4. Migrate the local users to the LDAP server with migrationtools

Generate the migration files

[root@ldapserver ~]# cd /usr/share/migrationtools/
[root@ldapserver migrationtools]# ./migrate_base.pl > base.ldif
[root@ldapserver migrationtools]# ./migrate_group.pl /etc/group > group.ldif
[root@ldapserver migrationtools]# ./migrate_passwd.pl /etc/passwd > user.ldif
[root@ldapserver migrationtools]# ll
total 148
-rw-r--r-- 1 root root  1172 Jul 12 15:06 base.ldif #generated base.ldif
-rw-r--r-- 1 root root  5259 Jul 12 15:10 group.ldif #generated group.ldif
-rwxr-xr-x 1 root root  2652 Jun 10  2014 migrate_aliases.pl
-rwxr-xr-x 1 root root  2950 Jun 10  2014 migrate_all_netinfo_offline.sh
-rwxr-xr-x 1 root root  2946 Jun 10  2014 migrate_all_netinfo_online.sh
-rwxr-xr-x 1 root root  3011 Jun 10  2014 migrate_all_nis_offline.sh
-rwxr-xr-x 1 root root  3006 Jun 10  2014 migrate_all_nis_online.sh
-rwxr-xr-x 1 root root  3164 Jun 10  2014 migrate_all_nisplus_offline.sh
-rwxr-xr-x 1 root root  3146 Jun 10  2014 migrate_all_nisplus_online.sh
-rwxr-xr-x 1 root root  5267 Jun 10  2014 migrate_all_offline.sh
-rwxr-xr-x 1 root root  7468 Jun 10  2014 migrate_all_online.sh
-rwxr-xr-x 1 root root  3278 Jun 10  2014 migrate_automount.pl
-rwxr-xr-x 1 root root  2608 Jun 10  2014 migrate_base.pl
-rw-r--r-- 1 root root  8876 Jul 12 15:06 migrate_common.ph
-rwxr-xr-x 1 root root  2952 Jun 10  2014 migrate_fstab.pl
-rwxr-xr-x 1 root root  2714 Jun 10  2014 migrate_group.pl
-rwxr-xr-x 1 root root  3087 Jun 10  2014 migrate_hosts.pl
-rwxr-xr-x 1 root root  2856 Jun 10  2014 migrate_netgroup_byhost.pl
-rwxr-xr-x 1 root root  2856 Jun 10  2014 migrate_netgroup_byuser.pl
-rwxr-xr-x 1 root root  3879 Jun 10  2014 migrate_netgroup.pl
-rwxr-xr-x 1 root root  2840 Jun 10  2014 migrate_networks.pl
-rwxr-xr-x 1 root root  5635 Jun 10  2014 migrate_passwd.pl
-rwxr-xr-x 1 root root  2428 Jun 10  2014 migrate_profile.pl
-rwxr-xr-x 1 root root  2873 Jun 10  2014 migrate_protocols.pl
-rwxr-xr-x 1 root root  2854 Jun 10  2014 migrate_rpc.pl
-rwxr-xr-x 1 root root 11465 Jun 10  2014 migrate_services.pl
-rwxr-xr-x 1 root root  3419 Jun 10  2014 migrate_slapd_conf.pl
-rw-r--r-- 1 root root  7434 Jul 12 15:08 user.ldif #generated user.ldif

Import the users and groups into the LDAP server with the generated LDIF files

[root@ldapserver migrationtools]# ldapadd -D "cn=xhb,dc=zs,dc=com" -W -x -f /usr/share/migrationtools/base.ldif
[root@ldapserver migrationtools]# ldapadd -D "cn=xhb,dc=zs,dc=com" -W -x -f /usr/share/migrationtools/user.ldif
[root@ldapserver migrationtools]# ldapadd -D "cn=xhb,dc=zs,dc=com" -W -x -f /usr/share/migrationtools/group.ldif

The imported records can be viewed with the following command

[root@ldapserver migrationtools]# ldapsearch -x -b "dc=zs,dc=com"
V. Import LDIF files into the OpenLDAP database

LDIF files are imported with the ldapadd command

[root@ldapserver ~]# ldapadd -x -D "cn=xhb,dc=zs,dc=com" -f users.ldif -W
Enter LDAP Password: 
adding new entry "uid=ldap,ou=People,dc=zs,dc=com"
ldap_add: Already exists (68)
[root@ldapserver ~]# ldapadd -x -D "cn=xhb,dc=zs,dc=com" -f groups.ldif -W
Enter LDAP Password: 
adding new entry "cn=ldap,ou=Group,dc=zs,dc=com"
ldap_add: Already exists (68)

Note:

  • -x: use simple authentication
  • -D: the DN to bind as
  • -W: prompt for the password interactively
VI. Bind users to groups

Although the user and group information has now been imported into the OpenLDAP database, at this point the OpenLDAP users and groups are not related to each other in any way.
To associate the users in the OpenLDAP database with their groups, a separate configuration step is needed.
Here we add the user ldap to the group ldap1, which needs a new LDIF file that adds the user to the group, as follows:

[root@ldapserver ~]# cat add_user_to_group.ldif
# the entry being changed is the ldap1 group
dn: cn=ldap1,ou=Group,dc=zs,dc=com
# operation type: modify
changetype: modify
# modify operation: add a memberUid attribute value
add: memberUid
# the memberUid value is ldap
memberUid: ldap

[root@ldapserver ~]# ldapmodify -H ldapi:/// -D "cn=xhb,dc=zs,dc=com" -W -f add_user_to_group.ldif
Enter LDAP Password: 
modifying entry "cn=ldap1,ou=Group,dc=zs,dc=com"

Note: the file adds a memberUid with the value ldap to the ldap1 group, i.e. it puts the user ldap into the group ldap1

VII. Enable OpenLDAP logging

By default OpenLDAP does not log anything, but in day-to-day operation the OpenLDAP log is needed to track down problems.

[root@ldapserver openldap]# cat loglevel.ldif
# the entry being changed is cn=config, i.e. the OpenLDAP configuration itself
dn: cn=config
changetype: modify
# modify operation: replace the olcLogLevel attribute
replace: olcLogLevel
# set olcLogLevel to stats
olcLogLevel: stats
[root@ldapserver openldap]# ldapmodify -Y EXTERNAL -H ldapi:/// -f loglevel.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

The service must be restarted after the change

[root@ldapserver openldap]# systemctl restart slapd

OpenLDAP logging relies on rsyslog: configure rsyslog and restart it

[root@ldapserver openldap]# cat /etc/rsyslog.conf
# append this line at the end of the file
local4.* 						/var/log/slapd.log
[root@ldapserver openldap]# systemctl restart rsyslog
[root@ldapserver openldap]# tail -f /var/log/slapd.log 
Jul 17 17:01:01 ansible slapd[85656]: conn=1000 op=0 RESULT oid= err=0 text=
Jul 17 17:01:01 ansible slapd[85656]: conn=1000 fd=11 TLS established tls_ssf=256 ssf=256
Jul 17 17:01:01 ansible slapd[85656]: conn=1000 op=1 BIND dn="" method=128
Jul 17 17:01:01 ansible slapd[85656]: conn=1000 op=1 RESULT tag=97 err=0 text=
Jul 17 17:01:01 ansible slapd[85656]: conn=1000 op=2 do_search: invalid dn: "dzsen,dc=com"
Jul 17 17:01:01 ansible slapd[85656]: conn=1000 op=2 SEARCH RESULT tag=101 err=34 nentries=0 text=invalid DN
Jul 17 17:01:01 ansible slapd[85656]: conn=1000 op=3 ABANDON msg=3
Jul 17 17:01:01 ansible slapd[85656]: conn=1000 op=4 do_search: invalid dn: "dzsen,dc=com"
Jul 17 17:01:01 ansible slapd[85656]: conn=1000 op=4 SEARCH RESULT tag=101 err=34 nentries=0 text=invalid DN
Jul 17 17:01:01 ansible slapd[85656]: conn=1000 op=5 ABANDON msg=5
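As an added example (not part of the original post), a small Python parser for the stats log format shown above: it groups lines by connection and flags failed binds, simple binds sent before TLS was established, and searches rejected for an invalid base DN like the dzsen,dc=com ones in the log. The sample lines are constructed to match that format.

```python
"""Parse slapd 'stats' log lines (the format rsyslog writes to /var/log/slapd.log
above), summarise each connection and flag failed binds, simple binds made
before TLS was established, and searches rejected for an invalid base DN."""
import re
from dataclasses import dataclass, field

LINE_RE = re.compile(r'slapd\[\d+\]: conn=(?P<conn>\d+) (?P<rest>.*)$')
OP_RE = re.compile(r'^op=(?P<op>\d+) (?P<msg>.*)$')
ACCEPT_RE = re.compile(r'ACCEPT from IP=(?P<ip>[^:\s]+):\d+')
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)" method=(?P<method>\d+)')
RESULT_RE = re.compile(r'RESULT .*?err=(?P<err>\d+)')

LDAP_INVALID_DN_SYNTAX = 34    # err=34 in the log above
LDAP_INVALID_CREDENTIALS = 49  # wrong password or unknown bind DN
SIMPLE_BIND = 128              # method=128 in the log above: plain password bind

# Constructed sample, modelled on the log lines above: one StartTLS connection that
# searches with a mistyped base DN, and one cleartext connection that fails to bind twice.
SAMPLE_LOG = """\
Jul 17 17:01:01 ansible slapd[85656]: conn=1000 fd=11 ACCEPT from IP=192.168.1.197:51034 (IP=0.0.0.0:389)
Jul 17 17:01:01 ansible slapd[85656]: conn=1000 op=0 STARTTLS
Jul 17 17:01:01 ansible slapd[85656]: conn=1000 op=0 RESULT oid= err=0 text=
Jul 17 17:01:01 ansible slapd[85656]: conn=1000 fd=11 TLS established tls_ssf=256 ssf=256
Jul 17 17:01:01 ansible slapd[85656]: conn=1000 op=1 BIND dn="" method=128
Jul 17 17:01:01 ansible slapd[85656]: conn=1000 op=1 RESULT tag=97 err=0 text=
Jul 17 17:01:01 ansible slapd[85656]: conn=1000 op=2 do_search: invalid dn: "dzsen,dc=com"
Jul 17 17:01:01 ansible slapd[85656]: conn=1000 op=2 SEARCH RESULT tag=101 err=34 nentries=0 text=invalid DN
Jul 17 17:01:01 ansible slapd[85656]: conn=1000 op=3 UNBIND
Jul 17 17:01:02 ansible slapd[85656]: conn=1001 fd=12 ACCEPT from IP=192.168.1.50:40210 (IP=0.0.0.0:389)
Jul 17 17:01:02 ansible slapd[85656]: conn=1001 op=0 BIND dn="cn=xhb,dc=zs,dc=com" method=128
Jul 17 17:01:02 ansible slapd[85656]: conn=1001 op=0 RESULT tag=97 err=49 text=
Jul 17 17:01:03 ansible slapd[85656]: conn=1001 op=1 BIND dn="cn=xhb,dc=zs,dc=com" method=128
Jul 17 17:01:03 ansible slapd[85656]: conn=1001 op=1 RESULT tag=97 err=49 text=
Jul 17 17:01:03 ansible slapd[85656]: conn=1001 fd=12 closed
"""


@dataclass
class Conn:
    conn_id: int
    client_ip: str = ''
    tls: bool = False
    binds: dict = field(default_factory=dict)    # op -> (dn, method, tls_active_at_bind)
    results: dict = field(default_factory=dict)  # op -> LDAP result code


def parse_stats(text):
    """Group log lines by conn=N, recording client address, TLS state, binds and results."""
    conns = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        cid = int(m.group('conn'))
        c = conns.setdefault(cid, Conn(cid))
        rest = m.group('rest')
        accept = ACCEPT_RE.search(rest)
        if accept:
            c.client_ip = accept.group('ip')
        elif 'TLS established' in rest:
            c.tls = True
        else:
            o = OP_RE.match(rest)
            if not o:
                continue
            op, msg = int(o.group('op')), o.group('msg')
            b = BIND_RE.match(msg)
            r = RESULT_RE.search(msg)
            if b:   # remember whether TLS was already up when the credentials were sent
                c.binds[op] = (b.group('dn'), int(b.group('method')), c.tls)
            elif r:
                c.results[op] = int(r.group('err'))
    return conns


def find_anomalies(conns):
    """Findings in conn-id order: failed binds, cleartext simple binds, invalid-DN searches."""
    findings = []
    for c in (conns[k] for k in sorted(conns)):
        where = f'conn={c.conn_id} from {c.client_ip or "?"}'
        failed = [dn for op, (dn, _, _) in c.binds.items()
                  if c.results.get(op) == LDAP_INVALID_CREDENTIALS]
        if failed:
            findings.append(f'{where}: {len(failed)} failed bind(s) as {sorted(set(failed))}')
        clear = sorted({dn for dn, method, tls in c.binds.values()
                        if dn and method == SIMPLE_BIND and not tls})
        if clear:
            findings.append(f'{where}: simple bind as {clear} without TLS (password sent in clear)')
        bad_dn = sum(1 for err in c.results.values() if err == LDAP_INVALID_DN_SYNTAX)
        if bad_dn:
            findings.append(f'{where}: {bad_dn} search(es) rejected with invalid DN (mistyped base DN?)')
    return findings


if __name__ == '__main__':
    for finding in find_anomalies(parse_stats(SAMPLE_LOG)):
        print(finding)
```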
VIII. Install the LDAP management tool phpldapadmin
1. phpldapadmin needs an Apache and PHP environment
[root@ldapserver openldap]# yum -y install httpd php php-ldap php-gd php-mbstring php-pear php-bcmath php-xml
2. Install phpldapadmin
[root@ldapserver openldap]# yum install -y phpldapadmin
3. Configure phpldapadmin
[root@ldapserver openldap]# vim /etc/phpldapadmin/config.php
$servers->setValue('login','attr','dn');
// $servers->setValue('login','attr','uid');

Note: this enables login with the full DN and disables login by uid

The remaining parameters can be configured as needed

4. Configure the Apache virtual host for phpldapadmin
[root@ldapserver openldap]# cat /etc/httpd/conf.d/phpldapadmin.conf 
#
#  Web-based tool for managing LDAP servers
#

Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
Alias /ldapadmin /usr/share/phpldapadmin/htdocs

<Directory /usr/share/phpldapadmin/htdocs>
  <IfModule mod_authz_core.c>
    # Apache 2.4
    Require local
    # must be added manually, otherwise the page will not work
    Require ip 192.168.1.160
  </IfModule>
  <IfModule !mod_authz_core.c>
    # Apache 2.2
    Order Deny,Allow
    #Deny from all
    Allow from all
    #Allow from 127.0.0.1
    #Allow from ::1
  </IfModule>
</Directory>

Note: this configures the range of hosts allowed to access the page

The Apache 2.4 and Apache 2.2 syntax differ, as shown above

5. Enable Apache at boot and start it
[root@ldapserver openldap]# systemctl enable httpd
[root@ldapserver openldap]# systemctl start httpd

phpldapadmin can then be opened in a browser at http://192.168.1.155/phpldapadmin

Username: cn=xhb,dc=zs,dc=com (the database administrator DN set at the beginning)

Password: the database administrator password set at the beginning (the one that was hashed with slappasswd)

IX. Install the OpenLDAP client
1. Install the OpenLDAP client
[root@ldapserver ~]# yum install -y openldap-clients nss-pam-ldapd
2. Configure the OpenLDAP client with the authconfig command
[root@ldapserver]# authconfig --enableldap --enableldapauth --enablemkhomedir --enableforcelegacy --disablesssd --disablesssdauth --disableldaptls --enablelocauthorize --ldapserver=192.168.1.155 --ldapbasedn="dc=zs,dc=com" --enableshadow --update

Note: in general the command above is enough to authenticate against the OpenLDAP server, but it is still best to check that the configuration took effect by following the steps below

3. The nslcd configuration file
[root@ldapserver ~]# cat /etc/nslcd.conf
uri ldap://192.168.1.155
base dc=zs,dc=com
ssl no
tls_cacertdir /etc/openldap/cacerts
4. The system-auth configuration file
[root@ldapserver ~]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_ldap.so use_first_pass #ldap entry added to the auth block
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so #ldap entry added to the account block
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok #ldap entry added to the password block
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
#session     optional      pam_mkhomedir.so umask=0077
# create the home directory automatically on first login
session     optional      pam_mkhomedir.so skel=/etc/skel umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     optional      pam_ldap.so #ldap entry added to the session block
session     required      pam_unix.so
5. The password-auth configuration file
[root@k8master ~]# cat /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_ldap.so use_first_pass #added
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so #added
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok #added
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
# create the home directory automatically on first login
session     optional      pam_mkhomedir.so skel=/etc/skel umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so #added
6. nsswitch.conf
[root@k8master ~]# cat /etc/nsswitch.conf
passwd:     files sss ldap
shadow:     files sss ldap
group:      files sss ldap
#initgroups: files sss

#hosts:     db files nisplus nis dns
hosts:      files dns myhostname

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files     

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss

netgroup:   files sss ldap

publickey:  nisplus

automount:  files ldap
aliases:    files nisplus
7. The authconfig configuration file
[root@ldapserver ~]# cat /etc/sysconfig/authconfig
USELOCAUTHORIZE=yes
USELDAPAUTH=yes
USELDAP=yes
USESHADOW=yes
8. The sshd PAM file
[root@ldapserver ~]# cat /etc/pam.d/sshd 
#%PAM-1.0
auth	   required	pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare
# added: module that creates the home directory
session    required     pam_mkhomedir.so
9. Optionally restrict which users may log in to the host

[root@ldapserver ~]# vim /etc/nslcd.conf
# append the following line at the end of the file; it allows only users whose gidNumber is 50896 to authenticate
filter passwd (gidNumber=50896)
10. Start the nslcd service
[root@ldapserver ~]# systemctl enable nslcd
[root@ldapserver ~]# systemctl start nslcd
11. Verify the client

Note: the id and getent commands can be used to retrieve the details of users authenticated through OpenLDAP

[root@ldapserver ~]# id ldap1
uid=1000(ldap1) gid=1000(ldap1) groups=1000(ldap1)     
[root@ldapserver ~]# getent passwd ldap1
ldap1:x:1000:1000::/home/ldap1:/bin/bash
X. Configure sudo and ssh, granting sudo rights to LDAP users
1. Server side
1.1. Locate the schema.OpenLDAP file shipped with the system's sudo package
[root@ldapserver ~]# rpm -qal | grep sudo | grep -i OpenLDAP
/usr/share/doc/sudo-1.8.23/schema.OpenLDAP
1.2. Copy that file into the LDAP schema directory
[root@ldapserver ~]# cp /usr/share/doc/sudo-1.8.23/schema.OpenLDAP /etc/openldap/schema/sudo.schema
1.3. Configure the ssh part

OpenLDAP support for ssh authentication is provided by the openssh-ldap package

[root@ldapserver ~]# yum -y install openssh-ldap

Locate the schema provided by openssh-ldap

[root@ldapserver ~]# rpm -qal | grep openssh-ldap
/usr/share/doc/openssh-ldap-7.4p1
/usr/share/doc/openssh-ldap-7.4p1/HOWTO.ldap-keys
/usr/share/doc/openssh-ldap-7.4p1/ldap.conf
/usr/share/doc/openssh-ldap-7.4p1/openssh-lpk-openldap.ldif
/usr/share/doc/openssh-ldap-7.4p1/openssh-lpk-openldap.schema
/usr/share/doc/openssh-ldap-7.4p1/openssh-lpk-sun.ldif
/usr/share/doc/openssh-ldap-7.4p1/openssh-lpk-sun.schema

The one we need is openssh-lpk-openldap.schema; copy it into the openldap schema directory

[root@ldapserver ~]# cp /usr/share/doc/openssh-ldap-7.4p1/openssh-lpk-openldap.schema /etc/openldap/schema
1.4. Import sudo.schema and openssh-lpk-openldap.schema

Delete the existing schema configuration files

[root@ldapserver ~]# rm -rf /etc/openldap/slapd.d/cn\=config/cn\=schema/*

Write a new file listing the required schemas

[root@ldapserver ~]# cat /etc/openldap/schema.conf 
# include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
# include /etc/openldap/schema/duaconf.schema
# include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
# include /etc/openldap/schema/java.schema
# include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
# include /etc/openldap/schema/openldap.schema
# include /etc/openldap/schema/pmi.schema
include /etc/openldap/schema/collective.schema
# include /etc/openldap/schema/ppolicy.schema
# include sudo.schema and openssh-lpk-openldap.schema
include /etc/openldap/schema/sudo.schema
include /etc/openldap/schema/openssh-lpk-openldap.schema

Note: which schemas to include can be chosen according to your own needs

The include order shown above must be kept

Regenerate the LDAP schema configuration

[root@ldapserver ~]# slaptest -f /etc/openldap/schema.conf -F /etc/openldap/slapd.d/
config file testing succeeded #import succeeded

The regenerated schema files can then be seen

[root@ldapserver ~]# ll /etc/openldap/slapd.d/cn\=config/cn\=schema
total 52
-rw------- 1 ldap ldap 15546 Jul 16 14:43 cn={0}core.ldif
-rw------- 1 ldap ldap 11363 Jul 16 14:43 cn={1}cosine.ldif
-rw------- 1 ldap ldap  2857 Jul 16 14:43 cn={2}inetorgperson.ldif
-rw------- 1 ldap ldap  6495 Jul 16 14:43 cn={3}nis.ldif
-rw------- 1 ldap ldap  1521 Jul 16 14:43 cn={4}collective.ldif
-rw------- 1 ldap ldap  2633 Jul 16 14:43 cn={5}sudo.ldif
-rw------- 1 ldap ldap   761 Jul 16 14:43 cn={6}openssh-lpk-openldap.ldif

Note: cn={5} and cn={6} are the schemas needed for sudo and ssh

Finally fix the ownership of all schema files and restart the service

[root@ldapserver ~]# chown -R ldap.ldap /etc/openldap/slapd.d/
[root@ldapserver ~]# systemctl restart slapd
1.5. Import the sudo policy templates

phpldapadmin does not support sudo policy configuration out of the box; the sudo policy templates have to be fetched from the following URL
http://phpldapadmin.sourceforge.net/wiki/index.php/TemplatesContributed:Sudo
Two sudo policy templates are imported, /usr/share/phpldapadmin/templates/creation/sudo.xml and /usr/share/phpldapadmin/templates/modification/sudo.xml:

[root@ldapserver ~]# cat /usr/share/phpldapadmin/templates/creation/sudo.xml 
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE template SYSTEM "template.dtd">
<template>
<title>Sudo Policy</title>
<regexp>^ou=sudoers,dc=.*</regexp>
<icon>images/door.png</icon>
<description>New Sudo Policy</description>
<askcontainer>1</askcontainer>
<rdn>cn</rdn>
<visible>1</visible>

<objectClasses>
<objectClass id="sudoRole"></objectClass>
</objectClasses>

<attributes>
<attribute id="cn">
        <display>Policy Name</display>
        <order>1</order>
        <page>1</page>
</attribute>
<attribute id="sudoCommand">
        <display>Sudo Command</display>
        <order>2</order>
        <page>1</page>
        <spacer>1</spacer>
</attribute>
<attribute id="sudoUser">
        <display>Sudo Users</display>
        <option>=php.MultiList(/,(objectClass=posixAccount),uid,%uid% (%cn%),sudoUser)</option>
        <order>3</order>
        <page>1</page>
        <spacer>1</spacer>
</attribute>
<attribute id="sudoHost">
        <display>Sudo Hosts</display>
        <array>10</array>
        <order>3</order>
        <page>1</page>
        <spacer>1</spacer>
</attribute>
<attribute id="description">
        <type>textarea</type>
        <display>Description</display>
        <order>4</order>
        <page>1</page>
</attribute>
</attributes>
</template>
[root@ldapserver ~]# cat /usr/share/phpldapadmin/templates/modification/sudo.xml 
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE template SYSTEM "template.dtd">
<template>
<title>Sudo Policy</title>
<regexp>^cn=.*,ou=sudoers,dc=.*</regexp>
<icon>images/door.png</icon>
<description>Sudo Policy</description>
<askcontainer>1</askcontainer>
<rdn>cn</rdn>
<visible>1</visible>

<objectClasses>
<objectClass id="sudoRole"></objectClass>
</objectClasses>

<attributes>
<attribute id="cn">
        <display>Policy Name</display>
        <order>1</order>
        <page>1</page>
</attribute>
<attribute id="sudoCommand">
        <display>Sudo Command</display>
        <order>2</order>
        <page>1</page>
        <spacer>1</spacer>
</attribute>
<attribute id="sudoUser">
        <display>Sudo Users</display>
        <order>3</order>
        <page>1</page>
        <spacer>1</spacer>
</attribute>
<attribute id="sudoHost">
        <display>Sudo Hosts</display>
        <!-- <array>10</array> -->
        <order>3</order>
        <page>1</page>
        <spacer>1</spacer>
</attribute>
<attribute id="description">
        <type>textarea</type>
        <display>Description</display>
        <order>4</order>
        <page>1</page>
        <cols>200</cols>
        <rows>10</rows>
</attribute>
</attributes>
</template>
1.6. Configure sudoers policies in phpldapadmin

First create a sudoers group to store the sudo policies (the OU that is created must be named sudoers):
  • create a new group
  • name the group sudoers
Then create the sudo policies inside the sudoers group:
  • in the newly created sudoers group, create a new Sudo Policy entry
  • fill in the policy details

2. Client side
2.1. Configure sudo-ldap.conf so that sudo uses the policies on the LDAP server
[root@ldapserver ~]# cat /etc/sudo-ldap.conf
uri ldap://192.168.1.155
sudoers_base ou=sudoers,dc=zs,dc=com

Note: sudoers_base is the policy base that will be queried

The ou=sudoers policy container must have the same name as the group created in the web interface

2.2. Configure nsswitch.conf to use the LDAP configuration
[root@ldapserver ~]# cat /etc/nsswitch.conf
sudoers:    files ldap #add this line at the end of /etc/nsswitch.conf
2.3. Verify

On the client, switch to a user that authenticates against the LDAP server; if it can sudo to root the configuration works

[root@ldapserver ~]# su - ldap2
Last login: Thu Jul 18 13:43:29 HKT 2019 on pts/0
[ldap2@ldapserver ~]$ sudo -l
Matching Defaults entries for ldap2 on ldapserver:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset,
    env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2
    QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION
    LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER
    LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User ldap2 may run the following commands on ldapserver:
    (root) ALL
[ldap2@ldapserver ~]$ sudo -i
[root@ldapserver ~]#
XI. Configure LDAP with public keys for password-less login

The client needs the openssh-ldap package

[root@ansiclient ~]# yum install openssh-ldap

Copy the configuration file

[root@ansiclient ~]# cp /usr/share/doc/openssh-ldap-7.4p1/ldap.conf /etc/ssh/
1. Server side (certificate signed by a custom CA)

Create the root key

[root@ldapserver tmp]# openssl genrsa -out xhbCA.key 2048

Create the self-signed root certificate

[root@ldapserver tmp]# openssl req -x509 -new -nodes -key xhbCA.key -sha256 -days 1024 -out xhbCA.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GD
Locality Name (eg, city) [Default City]:SZ
Organization Name (eg, company) [Default Company Ltd]:ZS
Organizational Unit Name (eg, section) []:ZS
Common Name (eg, your name or your server's hostname) []:192.168.1.155 #LDAP server IP
Email Address []:1214500255@qq.com

Create the LDAP server's private key

[root@ldapserver tmp]# openssl genrsa -out xhbldap.key 2048

Create a certificate signing request

[root@ldapserver tmp]# openssl req -new -key xhbldap.key -out xhbldap.csr

Sign the certificate request with the custom CA

[root@ldapserver tmp]# openssl x509 -req -in xhbldap.csr -CA xhbCA.pem -CAkey xhbCA.key -CAcreateserial -out xhbldap.crt -days 1460 -sha256
2. Enable TLS on the LDAP server

Import the certificates into the configuration

[root@ldapserver openldap]# cat certs.ldif 
dn: cn=config
changetype: modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/xhbldap.key

dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/xhbldap.crt

dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/certs/xhbCA.pem

Import the file with

[root@ldapserver openldap]# ldapmodify -Y EXTERNAL  -H ldapi:/// -f certs.ldif

Note: if the import reports an error, try changing the order of the blocks in the file

Change the server-side configuration file to set the certificate verification mode

[root@ldapserver openldap]# cat /etc/openldap/ldap.conf
TLS_REQCERT  never

Test StartTLS

# run ldapsearch -x -ZZ and check the log; a line containing TLS established tls_ssf=256 ssf=256 means the server side is configured correctly
[root@ldapserver openldap]# ldapsearch -x -ZZ
[root@ldapserver openldap]# tail -f /var/log/slapd.log 
Jul 23 11:08:01 ldapserver slapd[8574]: conn=1038 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jul 23 11:08:01 ldapserver slapd[8574]: conn=1038 op=0 STARTTLS
Jul 23 11:08:01 ldapserver slapd[8574]: conn=1038 op=0 RESULT oid= err=0 text=
Jul 23 11:08:01 ldapserver slapd[8574]: conn=1038 fd=29 TLS established tls_ssf=256 ssf=256
Jul 23 11:08:01 ldapserver slapd[8574]: conn=1038 op=1 BIND dn="" method=128
Jul 23 11:08:01 ldapserver slapd[8574]: conn=1038 op=1 RESULT tag=97 err=0 text=
Jul 23 11:08:01 ldapserver slapd[8574]: conn=1038 op=2 SRCH base="dc=zs,dc=com" scope=2 deref=0 filter="(objectClass=*)"
Jul 23 11:08:01 ldapserver slapd[8574]: conn=1038 op=2 SEARCH RESULT tag=101 err=0 nentries=85 text=
Jul 23 11:08:01 ldapserver slapd[8574]: conn=1038 op=3 UNBIND
Jul 23 11:08:01 ldapserver slapd[8574]: conn=1038 fd=29 closed
3. Client configuration

Configure the nslcd service with authconfig

[root@ansiclient ~]# authconfig --enableldap --enableldapauth --enableldaptls --ldapserver=ldap://192.168.1.155 --ldapbasedn='dc=zs,dc=com' --enablemkhomedir --update

To use the server's certificate, copy the CA certificate generated earlier from the server into the client's cacerts directory

[root@ldapserver openldap]# scp certs/xhbCA.pem root@192.168.1.197:/etc/openldap/cacerts/
# check on the client
[root@ansiclient openldap]# ll cacerts/
total 4
-r--r-----+ 1 root root 1346 Jul 23 11:13 xhbCA.pem

Compute the c_hash of the CA certificate

[root@ansiclient openldap]# /etc/pki/tls/misc/c_hash /etc/openldap/cacerts/xhbCA.pem
c3136c9c.0 => /etc/openldap/cacerts/xhbCA.pem

Create the certificate hash symlink

[root@ansiclient openldap]# ln -s /etc/openldap/cacerts/xhbCA.pem /etc/openldap/cacerts/c3136c9c.0

Configure the certificate and the verification mode

[root@ansiclient openldap]# cat /etc/openldap/ldap.conf 
TLS_CACERTDIR /etc/openldap/cacerts
TLS_CACERT /etc/openldap/cacerts/xhbCA.pem
TLS_REQCERT never

# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON	on
URI ldap://192.168.1.155
BASE dc=zs,dc=com

Configure nslcd to use start_tls

[root@ansiclient openldap]# cat /etc/nslcd.conf
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
tls_cacertfile /etc/openldap/cacerts/xhbCA.pem
tls_reqcert never

Configure nsswitch.conf to set the LDAP lookup order

[root@ansiclient openldap]# cat /etc/nsswitch.conf
passwd:     files ldap
shadow:     files ldap
group:      files ldap

Test TLS

[root@ansiclient openldap]# ldapwhoami -v -x -Z
ldap_initialize( <DEFAULT> )
anonymous
Result: Success (0)
[root@ansiclient openldap]# ldapsearch -x -Z -H ldap://192.168.1.155 -b 'cn=ldap,ou=Group,dc=zs,dc=com'
# extended LDIF
#
# LDAPv3
# base <cn=ldap,ou=Group,dc=zs,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# ldap, Group, zs.com
dn: cn=ldap,ou=Group,dc=zs,dc=com
objectClass: posixGroup
objectClass: top
cn: ldap
userPassword:: e2NyeXB0fXg=
gidNumber: 55

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1

Note: TLS_REQCERT [never | allow | try | demand | hard] controls whether the server certificate is checked during the TLS session

  • never: no certificate is checked at all.
  • allow: the server certificate is checked; the connection is allowed even if no certificate is presented or it is bad.
  • try: the server certificate is checked; a missing certificate is allowed, a bad certificate terminates the connection.
  • demand | hard: the server certificate is checked; a missing or bad certificate terminates the connection immediately.
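As an added example that is not from the original post: a small Python checker for the 'key value' client configs above (nslcd.conf, /etc/openldap/ldap.conf and /etc/ssh/ldap.conf share that syntax) that reports the effective TLS_REQCERT level, says whether a forged server certificate would actually be rejected, and rewrites the config to demand. The sample config is a constructed copy of the client nslcd.conf above; treating a missing directive as demand (libldap's default) is an assumption.

```python
"""Report the TLS_REQCERT level of an LDAP client config (nslcd.conf, ldap.conf and
/etc/ssh/ldap.conf share the same 'key value' syntax), say whether the server
certificate is really verified, and produce a hardened copy set to demand."""

# Meaning of each TLS_REQCERT level, as listed above.
LEVELS = {
    'never':  'server certificate is not checked at all',
    'allow':  'certificate checked, but a missing or bad one is still accepted',
    'try':    'missing certificate accepted, bad certificate terminates the connection',
    'demand': 'missing or bad certificate terminates the connection',
    'hard':   'same as demand',
}
VERIFYING_LEVELS = {'demand', 'hard'}
CA_KEYS = ('tls_cacert', 'tls_cacertfile', 'tls_cacertdir')

# Constructed copy of the client nslcd.conf shown above.
NSLCD_CONF = """\
uri ldap://192.168.1.155
base dc=zs,dc=com
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
tls_cacertfile /etc/openldap/cacerts/xhbCA.pem
tls_reqcert never
"""


def parse_conf(text):
    """'key value' lines, whole-line '#' comments; keys lower-cased (ldap.conf writes them upper-case)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ''
    return conf


def assess(text):
    """Effective check level of one config and whether it can reject a forged server."""
    conf = parse_conf(text)
    # Assumption: a missing directive behaves like libldap's default, demand.
    level = conf.get('tls_reqcert', 'demand').lower()
    if level not in LEVELS:
        raise ValueError(f'unknown tls_reqcert value {level!r}')
    has_ca = any(k in conf for k in CA_KEYS)
    return {
        'level': level,
        'meaning': LEVELS[level],
        'has_ca': has_ca,
        # Only demand/hard reject a bad certificate, and only with a CA to check it against.
        'verifies_server': level in VERIFYING_LEVELS and has_ca,
    }


def harden(text):
    """Copy of the config with tls_reqcert set to demand (appended if absent).
    The server certificate must then match the host in 'uri', or connections will fail."""
    out, seen = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith('#') and line.split(None, 1)[0].lower() == 'tls_reqcert':
            out.append('tls_reqcert demand')
            seen = True
        else:
            out.append(raw)
    if not seen:
        out.append('tls_reqcert demand')
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    print(assess(NSLCD_CONF))
    print(harden(NSLCD_CONF))
```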

Configure the client's /etc/ssh/ldap.conf file

[root@ansiclient openldap]# cat /etc/ssh/ldap.conf
# the LDAP server
uri ldap://192.168.1.155/
# enable TLS, set the certificate location and the verification mode
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
tls_cacertfile /etc/openldap/cacerts/xhbCA.pem
tls_reqcert never

sshd configuration

# change the authentication method
[root@ansiclient openldap]# cat /etc/ssh/sshd_config
# add the following
# this wrapper script fetches the key from LDAP and hands it to the SSH server
AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper
AuthorizedKeysCommandUser nobody
PubkeyAuthentication yes

Verify the login

Note: copy the contents of the local user's public key file id_rsa.pub into the sshPublicKey attribute; that user can then connect from the local machine to the remote LDAP client as the LDAP user

XII. Group-based access control in OpenLDAP

Configure the nslcd service on the client

[root@ldapserver openldap]# cat /etc/nslcd.conf
# add the following
filter	passwd (gidNumber=504)

Note: the configuration above restricts this client so that only users whose group id is 504 can log in

Other examples

filter  passwd (|(&(gidNumber=504)(|(uidNumber=1001)(uidNumber=1000)))(gidNumber=503))
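As an added example that is not part of the original post, a Python evaluator for the nslcd passwd filter syntax used above: it parses a filter such as the one just shown and reports which users it would let in, so a restriction can be checked against the directory's users before it is rolled out. The user entries are constructed (the two users from this page plus three made-up ones). One caveat worth knowing: a filter passwd line in nslcd.conf replaces the default (objectClass=posixAccount) filter rather than extending it, so the objectClass term is usually kept inside an & clause.

```python
"""Evaluate an nslcd 'filter passwd' expression against candidate user entries so
a login-restriction filter can be checked before it is rolled out to clients.
Supports the RFC 4515 operators used on this page: &, |, ! and attr=value
(a '*' in the value is a substring wildcard). Values are compared exactly."""
import fnmatch


def parse_filter(s):
    """Parse a filter string into a tree: (op, [children]) for & | !, or ('=', attr, value)."""
    pos = 0

    def expect(ch):
        nonlocal pos
        if pos >= len(s) or s[pos] != ch:
            raise ValueError(f'expected {ch!r} at offset {pos} in {s!r}')
        pos += 1

    def node():
        nonlocal pos
        expect('(')
        op = s[pos] if pos < len(s) else ''
        if op in ('&', '|'):
            pos += 1
            kids = []
            while pos < len(s) and s[pos] == '(':
                kids.append(node())
            expect(')')
            return (op, kids)
        if op == '!':
            pos += 1
            kid = node()
            expect(')')
            return ('!', [kid])
        end = s.find(')', pos)
        if end < 0:
            raise ValueError('unterminated filter item')
        attr, eq, value = s[pos:end].partition('=')
        # only plain equality is handled: no >=, <=, ~= and no ')' inside values
        if not eq or not attr or attr[-1] in '<>~':
            raise ValueError(f'unsupported filter item {s[pos:end]!r}')
        pos = end + 1
        return ('=', attr.lower(), value)

    tree = node()
    if pos != len(s):
        raise ValueError('trailing characters after filter')
    return tree


def matches(tree, entry):
    """entry: dict attribute -> list of string values; attribute names compared case-insensitively."""
    kind = tree[0]
    if kind == '&':
        return all(matches(k, entry) for k in tree[1])   # empty AND is absolute true
    if kind == '|':
        return any(matches(k, entry) for k in tree[1])   # empty OR is absolute false
    if kind == '!':
        return not matches(tree[1][0], entry)
    _, attr, value = tree
    values = [str(v) for k, vs in entry.items() if k.lower() == attr for v in vs]
    if '*' in value:
        return any(fnmatch.fnmatchcase(v, value) for v in values)
    return value in values


def allowed_users(filter_str, entries):
    """Sorted uids that the given 'filter passwd' expression would expose to the client."""
    tree = parse_filter(filter_str)
    return sorted(e['uid'][0] for e in entries if matches(tree, e))


# Constructed posixAccount entries: the two users from this page plus three made-up ones.
ENTRIES = [
    {'uid': ['ldap'],  'uidNumber': ['55'],   'gidNumber': ['55'],   'objectClass': ['posixAccount']},
    {'uid': ['ldap1'], 'uidNumber': ['1000'], 'gidNumber': ['1000'], 'objectClass': ['posixAccount']},
    {'uid': ['ops'],   'uidNumber': ['1001'], 'gidNumber': ['504'],  'objectClass': ['posixAccount']},
    {'uid': ['dev'],   'uidNumber': ['1002'], 'gidNumber': ['504'],  'objectClass': ['posixAccount']},
    {'uid': ['qa'],    'uidNumber': ['2000'], 'gidNumber': ['503'],  'objectClass': ['posixAccount']},
]

# The "other example" filter from this page: gid 504 members with uid 1000 or 1001, or anyone in gid 503.
PAGE_FILTER = '(|(&(gidNumber=504)(|(uidNumber=1001)(uidNumber=1000)))(gidNumber=503))'

if __name__ == '__main__':
    for f in ['(gidNumber=504)', PAGE_FILTER]:
        print(f, '->', allowed_users(f, ENTRIES))
```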

Restart the nslcd service

[root@ldapserver openldap]# systemctl restart nslcd
[root@ldapserver openldap]# systemctl status nslcd
● nslcd.service - Naming services LDAP client daemon.
   Loaded: loaded (/usr/lib/systemd/system/nslcd.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2019-07-25 14:29:52 HKT; 4s ago
     Docs: man:nslcd(8)
           man:nslcd.conf(5)
  Process: 25660 ExecStart=/usr/sbin/nslcd (code=exited, status=0/SUCCESS)
 Main PID: 25662 (nslcd)
   CGroup: /system.slice/nslcd.service
           └─25662 /usr/sbin/nslcd

Jul 25 14:29:52 ldapserver systemd[1]: Starting Naming services LDAP client daemon....
Jul 25 14:29:52 ldapserver systemd[1]: PID file /var/run/nslcd/nslcd.pid not readable (yet?) after start.
Jul 25 14:29:52 ldapserver nslcd[25662]: version 0.8.13 starting
Jul 25 14:29:52 ldapserver systemd[1]: Started Naming services LDAP client daemon..
Jul 25 14:29:52 ldapserver nslcd[25662]: accepting connections