参考
https://mp.weixin.qq.com/s/tx88D3bAOZzhKUfVWtGCGQ
安装ldap
安装ldap工具
# Server, client tools and the migrationtools helpers in one transaction (-y answers the prompt).
yum -y install openldap-servers openldap-clients migrationtools
slappasswd # prompts for a password and prints its {SSHA} hash; keep that string, it goes into olcRootPW below
{SSHA}2rKFWm+/sKutKmb6HHruUefSc+ETnztk
配置数据库缓存
# Seed the backend tuning file from the packaged example and hand the data directory to slapd's user.
cp -- /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown --recursive ldap:ldap -- /var/lib/ldap/
测试配置文件
slaptest -u # "config file testing succeeded" means the configuration parsed cleanly
启动ldap
# Start slapd now and have it come up on boot (the .service suffix is optional).
systemctl start slapd
systemctl enable slapd
创建管理员配置文件
# Example root_pass.ldif: sets the rootpw of the cn=config database to the hash from slappasswd.
# Quoted delimiter keeps the content literal (the template right below writes the same file again).
cat > root_pass.ldif <<'EOF'
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}2rKFWm+/sKutKmb6HHruUefSc+ETnztk
EOF
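# Template version of root_pass.ldif (overwrites the example written just above).
# The note about the hash is moved onto a comment line: LDIF only treats a line-leading '#'
# as a comment, so text after the value was stored as part of olcRootPW and the password
# could never match.
cat > root_pass.ldif <<'EOF'
# The hash below is the author's (the password "11111"); put the {SSHA} string that
# slappasswd printed for you here instead of copying this one.
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}eH4KblvoCn3C1I3svaJsD+787uKLbpkY
EOF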
添加默认域配置
这里我的管理员是cn=admin,dc=demo,dc=com;每次dn:前面都要有一个空行
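# Example domain.ldif: five modify operations against cn=config (monitor ACL, suffix, rootdn,
# rootpw, database ACLs). LDIF needs a blank line between records (as noted above) and a value
# that was split over two lines must either stay on one line or continue with a leading space;
# the flattened listing had neither, so ldapmodify would reject it. Long values are kept on one line.
# Note the {2} rule: "to * ... by * read" lets anonymous clients read every attribute except
# userPassword/shadowLastChange.
cat > domain.ldif <<'EOF'
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=admin,dc=demo,dc=com" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=demo,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin,dc=demo,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}2rKFWm+/sKutKmb6HHruUefSc+ETnztk

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=demo,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=demo,dc=com" write by * read
EOF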
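# Template version of domain.ldif (overwrites the example above): replace dc=demo,dc=com and
# cn=Admin with your own suffix and rootdn, and olcRootPW with your slappasswd output.
# The original trailing "change this" notes are moved onto comment lines of their own, because
# LDIF keeps everything after the value separator as part of the value ("dc=demo,dc=com#..."
# is not a valid DN). Records are separated by blank lines and split values rejoined.
cat > domain.ldif <<'EOF'
# change the dn.base after "read by" to your rootdn
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Admin,dc=demo,dc=com" read by * none

# change to your suffix
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=demo,dc=com

# change to your rootdn
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Admin,dc=demo,dc=com

# the {SSHA} hash slappasswd printed for you (this one is the author's)
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}eH4KblvoCn3C1I3svaJsD+787uKLbpkY

# change both cn=Admin DNs to your rootdn
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Admin,dc=demo,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Admin,dc=demo,dc=com" write by * read
EOF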
创建基本信息
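# Example base_domain.ldif: the suffix entry, the admin role, and the People/Group OUs.
# Records must be separated by a blank line (ldapadd stops at the first record otherwise);
# the flattened listing had none.
cat > base_domain.ldif <<'EOF'
dn: dc=demo,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: demo com
dc: demo

dn: cn=admin,dc=demo,dc=com
objectClass: organizationalRole
cn: admin
description: Directory admin

dn: ou=People,dc=demo,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=demo,dc=com
objectClass: organizationalUnit
ou: Group
EOF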
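# Template version of base_domain.ldif (overwrites the example above). The "change this" notes
# are moved onto '#' lines: LDIF treats only a line-leading '#' as a comment, so a trailing
# note would become part of the DN or attribute value and the add would fail.
cat > base_domain.ldif <<'EOF'
# Change dc=demo,dc=com, "o: demo com", "dc: demo" and cn=Admin to your own suffix and rootdn
# (the ou=People / ou=Group DNs carry the suffix too).
dn: dc=demo,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: demo com
dc: demo

dn: cn=Admin,dc=demo,dc=com
objectClass: organizationalRole
cn: Admin
description: Directory Admin

dn: ou=People,dc=demo,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=demo,dc=com
objectClass: organizationalUnit
ou: Group
EOF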
将以上基本信息文件导入到openldap
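# Apply the config-database rootpw over the local socket. -Y EXTERNAL on ldapi:/// authenticates
# with the calling process's uid/gid, which is the gidNumber=0+uidNumber=0 identity the ACLs above grant.
ldapadd -Y EXTERNAL -H ldapi:/// -f root_pass.ldif
# Load the shipped schemas. A glob replaces the "ls | while read" pipeline, which parsed ls output
# and expanded $i unquoted. Loading every file in name order can still report errors for a schema
# that is already loaded (core) or that depends on one sorted after it — read the output rather
# than assuming every add succeeded.
for schema in /etc/openldap/schema/*.ldif; do
  ldapadd -Y EXTERNAL -H ldapi:/// -f "$schema"
done
ldapmodify -Y EXTERNAL -H ldapi:/// -f domain.ldif
# -w puts the rootdn password on the command line, where ps and shell history can see it; the
# later sections of this page use -W (prompt), and the ldap tools also accept -y <password-file>.
ldapadd -x -D cn=admin,dc=demo,dc=com -w 123456 -f base_domain.ldif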
ldap查询
# Dump the whole suffix as the rootdn over plain LDAP (x.x.x.x stands for the server address).
# -w exposes the password via ps and shell history; -W prompts for it instead.
ldapsearch -x -H ldap://x.x.x.x:389 -D "cn=admin,dc=demo,dc=com" -w 123456 -b "dc=demo,dc=com"
添加组织
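# Write basedomain.ldif and add the cn=manager container. A heredoc replaces the interactive vim
# step so the listing can be run as-is (matching the heredoc style used earlier on this page);
# the quoted delimiter keeps the content literal.
cat > basedomain.ldif <<'EOF'
dn: cn=manager,dc=xxxxxx,dc=com,dc=cn
objectClass: organizationalRole
cn: manager
EOF
# -W prompts for the bind password instead of placing it on the command line.
ldapadd -x -D cn=admin,dc=xxxxxx,dc=com,dc=cn -W -f basedomain.ldif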
添加用户
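# Write adduser.ldif with the two service accounts (readonly / writeuser) under cn=manager and
# add them. A heredoc replaces the vim step; the two records are separated by the blank line
# LDIF requires. Both entries carry the same {SSHA} hash, i.e. the same password — give them
# different ones if the read-only account is handed out more widely than the write account.
cat > adduser.ldif <<'EOF'
dn: cn=readonly,cn=manager,dc=xxxxxx,dc=com,dc=cn
cn: readonly
objectClass: person
sn: readonly
userPassword: {SSHA}9FD+ur9v9kqAzA5j989W77BMLk8aciNM

dn: cn=writeuser,cn=manager,dc=xxxxxx,dc=com,dc=cn
cn: writeuser
objectClass: person
sn: writeuser
userPassword: {SSHA}9FD+ur9v9kqAzA5j989W77BMLk8aciNM
EOF
ldapadd -x -D cn=admin,dc=xxxxxx,dc=com,dc=cn -W -f adduser.ldif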
设置用户权限
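# Write addaccess.ldif and replace the {2}hdb ACL set. A heredoc replaces the vim step; the
# "by" clauses are LDIF continuation lines, written with two leading spaces so that unfolding
# (which strips exactly one) still leaves a separator before "by".
# NOTE(review): slapd applies the first "to" clause that matches the target. {0} already
# matches userPassword on every entry and {2} "to *" matches everything else, so {3} and {4}
# appear never to be consulted — verify with slapacl before relying on them. {2} also lets
# anonymous clients read every non-password attribute in the directory.
cat > addaccess.ldif <<'EOF'
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by dn="cn=admin,dc=xxxxxx,dc=com,dc=cn" write
  by dn="cn=readonly,cn=manager,dc=xxxxxx,dc=com,dc=cn" read
  by dn="cn=writeuser,cn=manager,dc=xxxxxx,dc=com,dc=cn" write
  by anonymous auth
  by self write
  by * none
olcAccess: {1}to dn.base=""
  by * read
olcAccess: {2}to *
  by dn="cn=admin,dc=xxxxxx,dc=com,dc=cn" write
  by dn="cn=readonly,cn=manager,dc=xxxxxx,dc=com,dc=cn" read
  by dn="cn=writeuser,cn=manager,dc=xxxxxx,dc=com,dc=cn" write
  by * read
olcAccess: {3}to dn.subtree="dc=xxxxxx,dc=com,dc=cn" attrs=userPassword
  by self write
  by anonymous auth
  by dn="cn=admin,dc=xxxxxx,dc=com,dc=cn" write
  by dn="cn=readonly,cn=manager,dc=xxxxxx,dc=com,dc=cn" read
  by dn="cn=writeuser,cn=manager,dc=xxxxxx,dc=com,dc=cn" write
  by * none
olcAccess: {4}to dn.subtree="dc=xxxxxx,dc=com,dc=cn"
  by self write
  by dn="cn=admin,dc=xxxxxx,dc=com,dc=cn" write
  by dn="cn=readonly,cn=manager,dc=xxxxxx,dc=com,dc=cn" read
  by dn="cn=writeuser,cn=manager,dc=xxxxxx,dc=com,dc=cn" write
  by * read
EOF
ldapmodify -Y EXTERNAL -H ldapi:/// -f addaccess.ldif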
添加测试用户
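# Write add-user.ldif (heredoc instead of vim) and add a test posixAccount as cn=writeuser, which
# the ACL above grants write access.
# NOTE(review): homeDirectory is /home/5004439 while uid and cn are 12345678 — this looks like a
# copy-paste leftover; confirm which value is intended before pam_mkhomedir creates the directory.
cat > add-user.ldif <<'EOF'
dn: uid=12345678,dc=xxxxxx,dc=com,dc=cn
uid: 12345678
cn: 12345678
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {SSHA}9FD+ur9v9kqAzA5j989W77BMLk8aciNM
shadowLastChange: 17781
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/5004439
EOF
ldapadd -x -W -D cn=writeuser,cn=manager,dc=xxxxxx,dc=com,dc=cn -f add-user.ldif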
自动删除db_log
vim /var/lib/ldap/DB_CONFIG
set_flags DB_LOG_AUTOREMOVE
重启ldap服务,重启两次
开启memberof支持
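# Write memberof.ldif (heredoc instead of vim) and load the memberof module over ldapi.
# NOTE(review): this only loads memberof.la into slapd; the overlay still has to be attached to
# the database (an olcOverlay=memberof entry under olcDatabase={2}hdb,cn=config) before memberOf
# is maintained on user entries.
cat > memberof.ldif <<'EOF'
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModuleLoad: memberof.la
olcModulepath: /usr/lib64/openldap
EOF
ldapadd -Y EXTERNAL -H ldapi:/// -f memberof.ldif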
安装LDAP控制台
安装apache
# Apache, which will serve phpldapadmin below.
yum install -y httpd
修改配置文件
vim /etc/httpd/conf/httpd.conf
AllowOverride All
启动服务测试
# Bring httpd up now and on every boot.
systemctl start httpd.service
systemctl enable httpd.service
测试
# Fetch the default page over the loopback to confirm httpd answers.
curl http://127.0.0.1/
安装phpldapadmin
vim /etc/yum.repos.d/epel.repo
[epel]
name=Extra Packages for Enterprise Linux 7 - $basearch
# Pinned to 7Server/x86_64 while "name" uses $basearch; only correct on x86_64 hosts.
baseurl=https://mirrors.tuna.tsinghua.edu.cn/epel/7Server/x86_64/
enabled=1
# NOTE(review): gpgcheck=0 installs phpldapadmin (and anything else from this repo) without
# verifying RPM signatures, so a tampered mirror is trusted silently; prefer gpgcheck=1 with
# gpgkey=<URL-or-path-of-the-EPEL-7-signing-key>.
gpgcheck=0
yum install phpldapadmin # comes from the EPEL repo defined just above (which was added with gpgcheck=0)
修改配置文件
vim /etc/phpldapadmin/config.php
// phpldapadmin server definition: plain ldap:// to the local slapd on the loopback.
$servers->setValue('server','host','127.0.0.1');
$servers->setValue('server','port',389);
$servers->setValue('server','base',array('dc=demo,dc=com'));
// 'session' auth: the web UI asks for a bind DN and password (the login test at the end of this
// section uses cn=admin,dc=demo,dc=com).
$servers->setValue('login','auth_type','session');
// Left disabled: logging in by a bare attribute (dn or uid) instead of a full DN.
//$servers->setValue('login','attr','dn');
// $servers->setValue('login','attr','uid');
修改httpd配置文件
vim /etc/httpd/conf.d/phpldapadmin.conf
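Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
Alias /ldapadmin /usr/share/phpldapadmin/htdocs
<Directory /usr/share/phpldapadmin/htdocs>
<IfModule mod_authz_core.c>
# Apache 2.4
# NOTE(review): "all granted" exposes the LDAP admin console to every client that can reach
# httpd (the test below browses to it from the LAN). Once the admin network is known, narrow
# it with "Require ip <admin-subnet>".
Require all granted
</IfModule>
<IfModule !mod_authz_core.c>
# Apache 2.2 — "Require all granted" is 2.4 syntax and is not understood here, so this branch
# uses the 2.2 mod_access directives; Deny-then-Allow keeps the two Allow lines meaningful.
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
Allow from ::1
</IfModule>
</Directory>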
重启httpd服务
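# "service restart httpd" has its arguments reversed (service takes the unit name first) and
# would not restart anything; use the systemctl form the rest of this page already uses.
systemctl restart httpd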
访问测试
http://192.168.0.41/phpldapadmin
cn=admin,dc=demo,dc=com
123456
Linux用户认证
安装ldap客户端
# Client tools plus nss-pam-ldapd, which provides nslcd and the pam_ldap.so used below.
yum install nss-pam-ldapd openldap-clients
修改nslcd.conf配置文件
vim /etc/nslcd.conf
# nslcd.conf: read by nslcd for NSS/PAM lookups. It holds a bind password, which is why the
# chmod 600 below matters.
uid nslcd
gid ldap
# NOTE(review): "ssl no" with a ldap:// URI sends the bind below in clear text across the network;
# ldaps:// or "ssl start_tls" is the usual fix.
uri ldap://192.168.8.76/
base dc=demo,dc=com
# NOTE(review): this binds as the directory rootdn, so a leaked nslcd.conf yields full write
# access. A dedicated read-only bind account (this page creates cn=readonly) is enough for lookups.
binddn cn=admin,dc=demo,dc=com
bindpw 123456
ssl no
# Only root may read the bind password in nslcd.conf; then start nslcd now and on boot.
chmod 0600 -- /etc/nslcd.conf
systemctl start nslcd
systemctl enable nslcd
修改system-auth认证文件
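# Replace the system-auth link with a fresh one to the authconfig-managed file, keeping a backup.
# The cd is checked: if it failed, mv and ln would act on the current directory instead.
cd /etc/pam.d/ || exit 1
mv -- system-auth system-auth.bak
ln -s system-auth-ac system-auth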
vim /etc/pam.d/system-auth
# Added for LDAP (the original note reads "add"). Placement matters: each line must come before
# the stack's final deny entry of the same type, or it is never reached.
# NOTE(review): system-auth-ac is generated by authconfig, so running authconfig-tui later (as this
# page does) may overwrite these manual edits — re-check the file afterwards.
auth sufficient pam_ldap.so use_first_pass
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
password sufficient pam_ldap.so use_authtok
session optional pam_ldap.so
修改nsswitch.conf配置文件
vim /etc/nsswitch.conf
# passwd/shadow/group consult local files first, then LDAP via nslcd; "files" first keeps root
# and other local accounts resolvable when the directory is unreachable.
passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files dns myhostname
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
# The sss/nisplus sources below are left from the stock file; nothing on this page configures them.
services: files sss
netgroup: nisplus sss
publickey: nisplus
automount: files nisplus sss
aliases: files nisplus
修改authconfig认证文件
vim /etc/sysconfig/authconfig
# Modified (original note: "modify"). These are the flags authconfig reads and writes; USELDAP and
# USELDAPAUTH mirror the "Use LDAP" / "Use LDAP Authentication" toggles selected later in authconfig-tui.
USESHADOW=yes
USELDAPAUTH=yes
USELOCAUTHORIZE=yes
USELDAP=yes
重启nslcd
# Pick up the nsswitch/authconfig changes.
systemctl restart nslcd
客户端验证
# the user "xdz" was added to LDAP beforehand; a passwd line here shows the files→ldap lookup path from nsswitch.conf works
getent passwd xdz
tty登录验证
ssh集成ldap认证
开启ldap认证:运行命令authconfig-tui并选中以下选项
[*] Use LDAP
[*] Use LDAP Authentication
sshd配置
vim /etc/ssh/sshd_config
# Modified (original note: "modify"). UsePAM must be yes for the pam_ldap / pam_mkhomedir lines
# added under /etc/pam.d/sshd and password-auth below to apply to SSH logins.
UsePAM yes
vim /etc/pam.d/sshd
# Added (original note: "add"): creates the home directory on first login for LDAP users that have
# none yet. pam_mkhomedir accepts umask=0077 so new homes are not world-readable — worth adding.
session required pam_mkhomedir.so
vim /etc/pam.d/password-auth
# Added (original note: "add"). Same stack as system-auth above except "account" is "sufficient"
# here rather than "[default=bad success=ok user_unknown=ignore]": with sufficient, an LDAP account
# success ends the account phase before any later local checks run. Keep the two files consistent
# unless the difference is intended.
auth sufficient pam_ldap.so use_first_pass
account sufficient pam_ldap.so
password sufficient pam_ldap.so use_authtok
session optional pam_ldap.so
测试ssh登录xdz用户
附
查询ldap中的所有用户
# List everything under the suffix as the rootdn ("密码" and x.x.x.x are placeholders for the
# password and server address). -W would prompt instead of exposing the password on the command line.
ldapsearch -x -H ldap://x.x.x.x:389 -D "cn=admin,dc=wuxingge,dc=com" -w 密码 -b "dc=wuxingge,dc=com"
添加用户
# Write add_user.ldif with one posixAccount under ou=People and add it as the rootdn.
# The quoted delimiter keeps the content literal. -w exposes the password via ps and shell
# history; -W (prompt) or -y <password-file> avoids that.
cat > add_user.ldif <<'EOF'
dn: uid=test1,ou=People,dc=wuxingge,dc=com
uid: test1
cn: test1
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {SSHA}v3JhII/kakSWAnAbaNXapasGLbL7/TMY
shadowLastChange: 17781
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/test1
EOF
ldapadd -x -D cn=admin,dc=wuxingge,dc=com -w 123456 -f add_user.ldif
添加组
# Write add_group.ldif: a groupOfNames under ou=Group with test1 as its first member
# (groupOfNames requires at least one member), then add it as the rootdn.
cat > add_group.ldif <<'EOF'
dn: cn=jenkins,ou=Group,dc=wuxingge,dc=com
objectclass: groupOfNames
cn: jenkins
member: uid=test1,ou=People,dc=wuxingge,dc=com
EOF
ldapadd -x -D cn=admin,dc=wuxingge,dc=com -w 123456 -f add_group.ldif
已存在的组添加用户
# Write group_add_user.ldif: append one member to the existing jenkins group via ldapmodify.
# The example reuses uid=test1, which add_group.ldif already listed; run after that file slapd
# reports the value as already present, so substitute the uid you actually want to add.
cat > group_add_user.ldif <<'EOF'
dn: cn=jenkins,ou=Group,dc=wuxingge,dc=com
changetype: modify
add: member
member: uid=test1,ou=People,dc=wuxingge,dc=com
EOF
ldapmodify -x -D cn=admin,dc=wuxingge,dc=com -w 123456 -f group_add_user.ldif