【防火墙关闭】
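###### Firewall
# Stopping firewalld removes all host-level filtering. The narrower option is
# to keep it running and open only the LDAP service:
#   firewall-cmd --permanent --add-service=ldap && firewall-cmd --reload
systemctl stop firewalld.service      # stop firewalld now
systemctl disable firewalld.service   # do not start it at boot
###### SELinux
# setenforce 0 only lasts until reboot; the sed edit below makes the change
# permanent from the next boot. "permissive" would keep AVC logging without
# enforcing; "disabled" switches SELinux off entirely.
setenforce 0
# Anchored so that only the real setting line is rewritten, not any other
# text that happens to contain the same substring.
sed -i 's/^SELINUX=enforcing$/SELINUX=disabled/' /etc/selinux/config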
【安装】
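# Server-side packages. The original line read "nss- pam-ldapd" (a stray
# space); the package is nss-pam-ldapd, which provides the nslcd service
# started at the end of this page.
yum -y install openldap openldap-clients openldap-servers migrationtools \
  openldap-devel nss-pam-ldapd bind-dyndb-ldap compat-openldap perl-LDAP \
  krb5-server-ldap php-ldap openssl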
【验证】
# Confirm the openldap packages are present
rpm -qa | grep -F -- openldap
【修改OpenLDAP的slapd.ldif配置文件】
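# Work on a private copy of the sample config. Its own header says it must not
# be world readable, and olcRootPW is added to it below, so restrict the mode
# before editing.
cp -- /usr/share/openldap-servers/slapd.ldif /root/slapd.ldif
chmod 600 /root/slapd.ldif
vim -- /root/slapd.ldif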
################################# slapd.ldif 内容如下 ##########
#
# See slapd-config(5) for details on configuration options.
# This file should NOT be world readable.
#
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/openldap/slapd.args
olcPidFile: /var/run/openldap/slapd.pid
#
# TLS settings
#
#olcTLSCACertificatePath: /etc/openldap/certs
#olcTLSCertificateFile: "OpenLDAP Server"
#olcTLSCertificateKeyFile: /etc/openldap/certs/password
#
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#
#olcReferral: ldap://root.openldap.org
#
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 64-bit encryption for simple bind
#
#olcSecurity: ssf=1 update_ssf=112 simple_bind=64
#
# Load dynamic backend modules:
# - modulepath is architecture dependent value (32/64-bit system)
# - back_sql.la backend requires openldap-servers-sql package
# - dyngroup.la and dynlist.la cannot be used at the same time
#
#dn: cn=module,cn=config
#objectClass: olcModuleList
#cn: module
#olcModulepath: /usr/lib/openldap
#olcModulepath: /usr/lib64/openldap
#olcModuleload: accesslog.la
#olcModuleload: auditlog.la
#olcModuleload: back_dnssrv.la
#olcModuleload: back_ldap.la
#olcModuleload: back_mdb.la
#olcModuleload: back_meta.la
#olcModuleload: back_null.la
#olcModuleload: back_passwd.la
#olcModuleload: back_relay.la
#olcModuleload: back_shell.la
#olcModuleload: back_sock.la
#olcModuleload: collect.la
#olcModuleload: constraint.la
#olcModuleload: dds.la
#olcModuleload: deref.la
#olcModuleload: dyngroup.la
#olcModuleload: dynlist.la
#olcModuleload: memberof.la
#olcModuleload: pcache.la
#olcModuleload: ppolicy.la
#olcModuleload: refint.la
#olcModuleload: retcode.la
#olcModuleload: rwm.la
#olcModuleload: seqmod.la
#olcModuleload: smbk5pwd.la
#olcModuleload: sssvlv.la
#olcModuleload: syncprov.la
#olcModuleload: translucent.la
#olcModuleload: unique.la
#olcModuleload: valsort.la
#
# Schema settings
#

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema
#include: file:///etc/openldap/schema/core.ldif
include: file:///etc/openldap/schema/corba.ldif
include: file:///etc/openldap/schema/core.ldif
include: file:///etc/openldap/schema/cosine.ldif
include: file:///etc/openldap/schema/duaconf.ldif
include: file:///etc/openldap/schema/dyngroup.ldif
include: file:///etc/openldap/schema/inetorgperson.ldif
include: file:///etc/openldap/schema/java.ldif
include: file:///etc/openldap/schema/misc.ldif
include: file:///etc/openldap/schema/nis.ldif
include: file:///etc/openldap/schema/openldap.ldif
include: file:///etc/openldap/schema/ppolicy.ldif
include: file:///etc/openldap/schema/collective.ldif
#
# Frontend settings
#

dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend
#
# Sample global access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
#
#olcAccess: to dn.base="" by * read
#olcAccess: to dn.base="cn=Subschema" by * read
#olcAccess: to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#
#
# Configuration database
#

dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none
#
# Server status monitoring
#

dn: olcDatabase=monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: monitor
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=wangxing,dc=com" read by * none
#
# Backend database definitions
#

dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: hdb
olcSuffix: dc=wangxing,dc=com
olcRootDN: cn=Manager,dc=wangxing,dc=com
olcRootPW: 123456
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
olcDbIndex: uidNumber,gidNumber,loginShell eq,pres
olcDbIndex: uid,memberUid eq,pres,sub
olcDbIndex: nisMapName,nisMapEntry eq,pres,sub
#dn: olcDatabase=hdb,cn=config
#objectClass: olcDatabaseConfig
#objectClass: olcHdbConfig
#olcDatabase: hdb
#olcSuffix: dc=my-domain,dc=com
#olcRootDN: cn=Manager,dc=my-domain,dc=com
#olcDbDirectory: /var/lib/ldap
#olcDbIndex: objectClass eq,pres
#olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
################################# slapd.ldif 内容 end ##########
【重新生成OpenLDAP的配置】
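# Rebuild the cn=config tree from the edited /root/slapd.ldif.
# olcRootPW in that file is the literal string 123456; `slappasswd` prints a
# hashed ({SSHA}) value that can be pasted in its place before this step.
# Keep the previous configuration so the change can be reverted (the backup
# directory name is arbitrary).
cp -a /etc/openldap/slapd.d "/etc/openldap/slapd.d.bak.$(date +%Y%m%d%H%M%S)"
rm -rf -- /etc/openldap/slapd.d/*                           # drop the old config
slapadd -F /etc/openldap/slapd.d -n 0 -l /root/slapd.ldif   # generate the new config
slaptest -u -F /etc/openldap/slapd.d                        # verify it parses
chown -R ldap:ldap /etc/openldap/slapd.d/                   # slapd runs as the ldap user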
【安装OpenLDAP的数据库文件】
# Install the sample DB tuning file for the hdb backend and hand the whole
# database directory to the ldap user.
cp -- /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown -R ldap: /var/lib/ldap/
【ldap启动】
# slapd service management
systemctl enable slapd   # start at boot
systemctl start slapd    # start now
systemctl status slapd   # inspect state
# NOTE(review): the ldapadd steps that follow need a running server; this
# stop is listed for reference rather than as part of the sequence.
systemctl stop slapd     # stop
【导入根域及管理员账号】
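# LDIF for the base DN and the cn=Manager entry. The Manager entry created
# here is only an organizationalRole; the rootdn password lives in cn=config
# (olcRootPW in slapd.ldif), not in this entry.
cd /root/ && vim -- /root/root.ldif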
########## /root/root.ldif #########
dn: dc=wangxing,dc=com
dc: wangxing
objectClass: top
objectClass: domain

dn: cn=Manager,dc=wangxing,dc=com
objectClass: organizationalRole
cn: Manager
########## /root/root.ldif end #########
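## Import
# Interactive form: -W prompts for the Manager password.
ldapadd -D "cn=Manager,dc=wangxing,dc=com" -W -x -f /root/root.ldif
# Non-interactive form. The original used -w 123456, which leaves the password
# visible in `ps` output and shell history; -y reads it from a file instead
# (keep that file mode 0600). /root/manager.pw is an example path.
ldapadd -D "cn=Manager,dc=wangxing,dc=com" -y /root/manager.pw -x -f /root/root.ldif
## Verify
# -x selects a simple bind; without it the client attempts a SASL bind rather
# than using -D/-W.
ldapsearch -x -h test02 -b "dc=wangxing,dc=com" -D "cn=Manager,dc=wangxing,dc=com" -W
ldapsearch -x -h 192.168.21.152 -b "dc=wangxing,dc=com" -D "cn=Manager,dc=wangxing,dc=com" -y /root/manager.pw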
【导入基础文件及用户和用户组】
# Point migrationtools at this directory's mail domain and base DN (the two
# $DEFAULT_* settings shown below) before running the migrate_*.pl scripts.
vim -- /usr/share/migrationtools/migrate_common.ph
#########################修改域###################
# Default DNS domain
#$DEFAULT_MAIL_DOMAIN = "padl.com";
$DEFAULT_MAIL_DOMAIN = "wangxing.com";
# Default base
#$DEFAULT_BASE = "dc=padl,dc=com";
$DEFAULT_BASE = "dc=wangxing,dc=com";
#########################修改域 end ###################
# Generate the base OUs. In the edited output below the dc=wangxing,dc=com
# entry is commented out because root.ldif already created it; adding it a
# second time would be rejected as a duplicate.
/usr/share/migrationtools/migrate_base.pl > /root/base.ldif
vim -- /root/base.ldif
#####################导出基础文件###########
#dn: dc=wangxing,dc=com
#dc: wangxing
#objectClass: top
#objectClass: domain
dn: ou=People,dc=wangxing,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=wangxing,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
#####################导出基础文件 end###########
# Export local groups. migrate_group.pl converts every line of /etc/group,
# including root (gidNumber 0) as the edited output below shows; remove the
# entries that should not be served from the directory before importing.
/usr/share/migrationtools/migrate_group.pl /etc/group > /root/group.ldif
vim -- /root/group.ldif
#####################导出基础用户组#############
dn: cn=root,ou=Group,dc=wangxing,dc=com
objectClass: posixGroup
objectClass: top
cn: root
userPassword: {crypt}x
gidNumber: 0

dn: cn=yangsonglin,ou=Group,dc=wangxing,dc=com
objectClass: posixGroup
objectClass: top
cn: yangsonglin
userPassword: {crypt}x
gidNumber: 1104
#####################导出基础用户组 end#############
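# Export local accounts. The output includes root (uidNumber 0) together with
# its crypt hash, as the edited file below shows, so restrict the file's mode
# and keep only the accounts meant to be served from LDAP before importing.
/usr/share/migrationtools/migrate_passwd.pl /etc/passwd > /root/user.ldif
chmod 600 /root/user.ldif
vim -- /root/user.ldif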
#####################导出基础用户 #############
dn: uid=root,ou=People,dc=wangxing,dc=com
uid: root
cn: root
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$6$txtiODdi$.vh7v9XVnvY.FitsxEZRI6E3PZ1AwiAxaaxjCELkBqCiJfo9YbfFuxzK3UiJaqsIqyXrr5VdLFZ8AgRKr0T5a.
shadowLastChange: 17926
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 0
gidNumber: 0
homeDirectory: /root
gecos: root

dn: uid=yangsonglin,ou=People,dc=wangxing,dc=com
uid: yangsonglin
cn: yangsonglin
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}!!
shadowLastChange: 17898
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1104
gidNumber: 1104
homeDirectory: /home/yangsonglin
#####################导出基础用户 end#############
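## Import (interactive: -W prompts for the Manager password)
ldapadd -D "cn=Manager,dc=wangxing,dc=com" -W -x -f /root/base.ldif
ldapadd -D "cn=Manager,dc=wangxing,dc=com" -W -x -f /root/group.ldif
ldapadd -D "cn=Manager,dc=wangxing,dc=com" -W -x -f /root/user.ldif
# Non-interactive alternative. The original used -w 123456, which leaves the
# password visible in `ps` output and shell history; -y reads it from a file
# (keep it mode 0600). /root/manager.pw is an example path.
ldapadd -D "cn=Manager,dc=wangxing,dc=com" -y /root/manager.pw -x -f /root/base.ldif
ldapadd -D "cn=Manager,dc=wangxing,dc=com" -y /root/manager.pw -x -f /root/group.ldif
ldapadd -D "cn=Manager,dc=wangxing,dc=com" -y /root/manager.pw -x -f /root/user.ldif
## Verify (-x selects a simple bind; without it a SASL bind is attempted)
ldapsearch -x -h test02 -b "dc=wangxing,dc=com" -D "cn=Manager,dc=wangxing,dc=com" -W | grep dn
ldapsearch -x -h test02 -b "dc=wangxing,dc=com" -D "cn=Manager,dc=wangxing,dc=com" -y /root/manager.pw | grep dn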
【OpenLDAP客户端配置】
# Client side: install the tools, then set the default URI and BASE in
# ldap.conf so ldapsearch can be run without -h/-b.
yum -y install openldap-clients
vim -- /etc/openldap/ldap.conf
#################################
TLS_CACERTDIR /etc/openldap/certs
URI ldap://test02
BASE dc=wangxing,dc=com
#################################
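# Verify using the URI/BASE defaults from /etc/openldap/ldap.conf.
# -x selects a simple bind (without it a SASL bind is attempted); -y reads the
# Manager password from a 0600 file instead of the command line, where the
# original -w 123456 is visible to `ps` and shell history. /root/manager.pw is
# an example path.
ldapsearch -x -D "cn=Manager,dc=wangxing,dc=com" -y /root/manager.pw | grep dn
# Otherwise, name the server and base explicitly
ldapsearch -x -h test02 -b "dc=wangxing,dc=com" -D "cn=Manager,dc=wangxing,dc=com" -y /root/manager.pw | grep dn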
【OpenLDAP客户端SSSD配置】
## Run on the client node
yum -y install \
  openldap-clients \
  sssd \
  authconfig \
  nss-pam-ldapd
(在如下参数中--enableldaptls 如果OpenLDAP服务未启用TLS则将此参数修改为--disableldaptls)
# --disableldaptls with an ldap:// URI means simple-bind passwords cross the
# network in clear text. The server's TLS settings are commented out in
# slapd.ldif above; once they are enabled, switch to --enableldaptls here.
# NOTE(review): --enablerfc2307bis makes sssd look for group membership in
# `member`, while the groups exported above are posixGroup entries — confirm
# group lookups resolve before relying on them.
authconfig --enablesssd --enablesssdauth --enablerfc2307bis \
  --enableldap --enableldapauth --disableforcelegacy --disableldaptls \
  --disablekrb5 --ldapserver ldap://test02 \
  --ldapbasedn "dc=wangxing,dc=com" --update
vim -- /etc/sssd/sssd.conf
#############################sssd.conf (没有启动TLS ldap_id_use_start_tls = False)
[domain/default]
autofs_provider = ldap
ldap_schema = rfc2307bis
ldap_search_base = dc=wangxing,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://test02
ldap_id_use_start_tls = False
cache_credentials = True
ldap_tls_cacertdir = /etc/openldap/cacerts
[sssd]
services = nss, pam, autofs
domains = default
[nss]
homedir_substring = /home
[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
[secrets]
[session_recording]
#############################sssd.conf end
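# Fix permissions: sssd checks that sssd.conf is root-owned and not readable by
# others before it starts.
chown root:root /etc/sssd/sssd.conf
chmod 600 /etc/sssd/sssd.conf
systemctl start sssd    # start now
systemctl enable sssd   # start at boot
systemctl status sssd   # inspect state
# LDAP users never appear in /etc/passwd, so grepping it cannot show them;
# query through NSS instead.
getent passwd wangxing
id wangxing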
【OpenLdap与SSH集成】
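# sshd must have "UsePAM yes" for the PAM stack below to be consulted (the
# original note spelled it "Userpam"). Check the effective value first:
sshd -T | grep -i '^usepam'
vim -- /etc/ssh/sshd_config
# Add pam_mkhomedir to the sshd stack (edited file shown below)
vim -- /etc/pam.d/sshd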
########################### pam.d/sshd
#%PAM-1.0
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
session required pam_mkhomedir.so #加入此行后确保登录成功后创建用户的home目录
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare
############################## pam.d/sshd end ########
# password-auth is generated by authconfig (its header says so); running
# authconfig --update again, as in the SSSD section above, discards these edits.
vim -- /etc/pam.d/password-auth
#######################################password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
#auth sufficient pam_sss.so forward_pass
auth sufficient pam_ldap.so try_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
#account [default=bad success=ok user_unknown=ignore] pam_sss.so
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
#password sufficient pam_sss.so use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
#session optional pam_sss.so
session optional pam_ldap.so
#######################################password-auth end ##########
# system-auth is generated by authconfig (its header says so); running
# authconfig --update again, as in the SSSD section above, discards these edits.
vim -- /etc/pam.d/system-auth
######################################system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
#auth sufficient pam_sss.so forward_pass
#auth sufficient pam_ldap.so forward_pass
auth sufficient pam_ldap.so try_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
#account [default=bad success=ok user_unknown=ignore] pam_sss.so
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
#password sufficient pam_sss.so use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
#session optional pam_sss.so
session optional pam_ldap.so
############################################## system-auth end############
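## Restart sshd so new logins use the edited PAM stacks
systemctl restart sshd
# nslcd backs pam_ldap/nss-pam-ldapd. The original only started it; without
# enable, pam_ldap logins stop working after a reboot (slapd and sssd above
# were both enabled).
# NOTE(review): sssd was also started for the same lookups — confirm which
# backend /etc/nsswitch.conf uses and keep one.
systemctl enable nslcd
systemctl start nslcd
systemctl status sshd
systemctl status nslcd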