搭建一套OpenLDAP系统,实现账号的统一管理
可实现的功能:
1:OpenLDAP服务端的搭建
3: OpenLDAP服务端配置分组管理用户sudo权限分配;
(1)默认没有sudo权限;
(2)运维具有sudo到任何用户执行任何命令权限;
(3)研发具有相应的配置执行命令权限
4:OpenLDAP客户端的配置
5:OpenLDAP与SSH
7:OpenLDAP加入密码策略
(2)密码最小设置长度
(3)密码设置强度
(4)密码过期前警告天数
(5)密码过期后不能登录的天数
(6)密码尝试次数,被锁定
(7)密码失败后恢复时间
8:MirrorMode同步实现OpenLDAP双主模式
9,Keepalived+OpenLDAP实现OpenLDAP高可用
10,TCP Warppers
账号集中管理系统访问和维护流程:
实验环境:
系统:
主:CentOS6.5 64位 192.168.9.225
主:CentOS6.5 64 位 192.168.9.168
VIP: 192.168.9.253
客户端: CentoOS6.5 64位 192.168.9.176
软件包:
openldap-2.4.45
db-4.6.21
PHPldapadmin-1.2.3
ltb-project-openldap-initscript-2.2
资料链接:
https://ltb-project.org/download
http://www.openldap.org/
http://www.oracle.com/technetwork/database/database-technologies/berkeleydb/downloads/index-082944.html
ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/
http://download.oracle.com/berkeley-db/db-4.6.21.tar.gz
一,安装OpenLDAP服务端
(俩台主安装方法一样)
1.1 基础环境配置
(1)系统初始化(参见http://wupengfei.blog.51cto.com/7174803/1955545)
(2)关闭防火墙与SElinux
serviceiptablesstop chkconfigiptablesoff sed-i's@SELINUX=enforcing@SELINUX=disabled@g'/etc/selinux/config
(3)时间同步
yum-yinstallntp /usr/sbin/ntpdate-uclepsydra.dec.comtick.ucla.eduntp.nasa.gov echo"12***/usr/sbin/ntpdate-uclepsydra.dec.comtick.ucla.eduntp.nasa.gov">>/var/spool/cron/root
1.2 源码安装OpenLDAP
(1)yum安装依赖包
yum-yinstallgccgcc-c++unzipgzipbzip2openssl-develcyrus-sasl-develkrb5-develtcp_wrappers-devellibtool-ltdl-developenslp-develunixODBC-develMysqL-devel
(2)源码安装Berkeley DB
cd/usr/local/src/ wgethttp://download.oracle.com/berkeley-db/db-4.6.21.tar.gz tarxfdb-4.6.21.tar.gz cddb-4.6.21/build_unix/ ../dist/configure--prefix=/usr/local/BDB4 make&&makeinstall echo"/usr/local/BDB4/lib">>/etc/ld.so.conf.d/bdb.conf ldconfig ln-sv/usr/local/BDB4/include/usr/local/bdb
(3)源码安装OpenLDAP
cd/usr/local/src/ wgetftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-2.4.45.tgz gunzip-copenldap-2.4.45.tgz|tarxf- cdopenldap-2.4.45 ./configure--prefix=/usr/local/openldap2.4\ --enable-slapd\ --enable-dynacl\ --enable-aci\ --enable-cleartext\ --enable-crypt\ --enable-lmpasswd\ --enable-spasswd\ --enable-modules\ --enable-rewrite\ --enable-rlookups\ --enable-slapi\ --enable-wrappers\ --enable-backends\ --enable-ndb=no\ --enable-perl=no\ --enable-overlays\ CPPFLAGS="-I/usr/local/BDB4/include"\ LDFLAGS="-L/usr/local/BDB4/lib" makedepend make maketest makeinstall echo"/usr/local/openldap2.4/lib">>/etc/ld.so.conf.d/ldap.conf ldconfig ln-sv/usr/local/openldap2.4/include/usr/include/ldap2.4 ln-sv/usr/local/openldap2.4/bin/*/usr/local/bin/ ln-sv/usr/local/openldap2.4/sbin/*/usr/local/sbin/
1.4 配置实现功能
(1)配置文件模板
#grep-v^#slapd.conf|grep-v^$
include/usr/local/openldap2.4/etc/openldap/schema/corba.schema
include/usr/local/openldap2.4/etc/openldap/schema/core.schema
include/usr/local/openldap2.4/etc/openldap/schema/cosine.schema
include/usr/local/openldap2.4/etc/openldap/schema/duaconf.schema
include/usr/local/openldap2.4/etc/openldap/schema/dyngroup.schema
include/usr/local/openldap2.4/etc/openldap/schema/inetorgperson.schema
include/usr/local/openldap2.4/etc/openldap/schema/java.schema
include/usr/local/openldap2.4/etc/openldap/schema/misc.schema
include/usr/local/openldap2.4/etc/openldap/schema/nis.schema
include/usr/local/openldap2.4/etc/openldap/schema/openldap.schema
include/usr/local/openldap2.4/etc/openldap/schema/ppolicy.schema
include/usr/local/openldap2.4/etc/openldap/schema/collective.schema
include/usr/local/openldap2.4/etc/openldap/schema/sudo.schema
pidfile/usr/local/openldap2.4/var/run/slapd.pid
argsfile/usr/local/openldap2.4/var/run/slapd.args
modulepath/usr/local/openldap2.4/libexec/openldap
moduleloadaccesslog.la
moduleloadauditlog.la
moduleloadppolicy.la
moduleloadsyncprov.la
moduleloadback_mdb.la
moduleloadback_ldap.la
accesstoattrs=shadowLastChange,userPassword
byselfwrite
byanonymousauth
bydn.base="cn=admin,dc=dabayouxi,dc=com"write
by*none
accessto*
byselfwrite
by*read
databaseconfig
accessto*
bydn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"manage
bydn.base="cn=admin,dc=com"write
by*none
databasemdb
suffix"dc=dabayouxi,dc=com"
rootdn"cn=admin,dc=com"
rootpw{SSHA}jnN16Laklfzlm4hCrob1nhUgUloLpvnm
directory/data0/openldap-data
indexobjectClasseq,pres
indexou,cn,mail,surname,givennameeq,pres,sub
indexuidNumber,gidNumber,loginShelleq,pres
indexuid,memberUideq,sub
indexnisMapName,nisMapEntryeq,sub
loglevel256
logfile/data0/logs/slapd/slapd.log
checkpoint204810
overlayppolicy
ppolicy_defaultcn=default,ou=pwpolicies,dc=com
(2)添加sudo.schema
cp-f/usr/share/doc/sudo-1.8.6p3/schema.OpenLDAP/usr/local/openldap2.4/etc/openldap/schema/sudo.schema restorecon/usr/local/openldap2.4/etc/openldap/schema/sudo.schema
(3)创建ldap用户和组
groupadd-rldap useradd-r-gldap-s/sbin/nologinldap
(4)配置日志
mkdir-p/data0/logs/slapd
touch/data0/logs/slapd/slapd.log
echo"local4.*/data0/logs/slapd/slapd.log">>/etc/rsyslog.d/openldap.conf
servicersyslogrestart
echo"/data0/logs/slapd/*log{
missingok
compress
notifempty
daily
rotate5
create0600rootroot
}">>/etc/logrotate.d/slapd
(5)配置数据存放路径
mkdir-p/data0/openldap-data chmod700/data0/openldap-data/ cp/usr/local/openldap2.4/etc/openldap/DB_CONFIG.example/data0/openldap-data/DB_CONFIG chown-Rldap.ldap/data0/openldap-data/ mkdir-p/usr/local/openldap2.4/etc/openldap/slapd.d cd/usr/local/openldap2.4/etc/openldap/ slaptest-fslapd.conf-Fslapd.d/ echo"BASEdc=dabayouxi,dc=com URIldap://192.168.9.168">>/usr/local/openldap2.4/etc/openldap/ldap.conf
(6)启动脚本下载,修改配置
cd/usr/local/src/ wgethttps://ltb-project.org/archives/ltb-project-openldap-initscript-2.2.tar.gz tar-xvfltb-project-openldap-initscript-2.2.tar.gz mvltb-project-openldap-initscript-2.2/slapd/etc/init.d vim/etc/init.d/slapd SLAPD_PATH="/usr/local/openldap2.4" DATA_PATH="/data0/openldap-data" BDB_PATH="/usr/local/BDB4" chmod+x/etc/init.d/slapd chkconfigslapdon serviceslapdrestart
1.5 OpenLDAP目录树规划
# 将规划的dn导入,将以下内容写入ldif文件中使用ldapadd 命令添加到数据库
mkdir-p/data0/ldapldif/{users,groups,sudoers,policy}
(1)base.ldif
vim/data0/ldapldif/base.ldif dn:dc=dabayouxi,dc=com dc:dabayouxi objectClass:top objectClass:domain dn:ou=users,dc=com ou:users objectClass:top objectClass:organizationalUnit dn:ou=groups,dc=com ou:groups objectClass:top objectClass:organizationalUnit dn:ou=sudoers,dc=com ou:sudoers objectClass:top objectClass:organizationalUnit dn:ou=pwpolicies,dc=com ou:pwpolicies objectClass:top objectClass:organizationalUnit ldapadd-x-Dcn=admin,dc=com-W-f/data0/ldapldif/base.ldif EnterLDAPPassword: addingnewentry"dc=dabayouxi,dc=com" addingnewentry"ou=users,dc=com" addingnewentry"ou=groups,dc=com" addingnewentry"ou=sudoers,dc=com" addingnewentry"ou=pwpolicies,dc=com" -x使用简单认证,不使用加密协议 -D指定查找的dn,类似操作系统中的根目录 -W输入密码,不想输入密码使用-wpasswd,不推荐容易暴露密码 -f指定ldif文件 #通过ldapsearch查看当前目录树结构 ldapsearch-x-LLL#-LLL禁止输出不匹配的消息
(2)groups.ldif
echo"dn:cn=web,ou=groups,dc=com objectClass:posixGroup objectClass:top cn:web gidNumber:1501">>/data0/ldapldif/groups/web.ldif echo"dn:cn=core,dc=com objectClass:posixGroup objectClass:top cn:core gidNumber:1502">>/data0/ldapldif/groups/core.ldif ldapadd-x-Dcn=admin,dc=com-W-f/data0/ldapldif/groups/web.ldif EnterLDAPPassword: addingnewentry"cn=web,dc=com" ldapadd-x-Dcn=admin,dc=com-W-f/data0/ldapldif/groups/core.ldif EnterLDAPPassword: addingnewentry"cn=core,dc=com"
(3)users.ldif
echo"dn:uid=webuser,ou=users,dc=com
uid:webuser
cn:webuser
objectClass:account
objectClass:posixAccount
objectClass:top
objectClass:shadowAccount
userPassword:{SSHA}1F4G8mlpJ4asfQud0kJOsj6tIWdoiHEc
shadowLastChange:17412
shadowMin:0
shadowMax:999999
shadowWarning:7
loginShell:/bin/bash
uidNumber:2501
gidNumber:1501
homeDirectory:/home/webuser
pwdReset:TRUE">>/data0/ldapldif/users/webuser.ldif
echo"dn:uid=coreuser,dc=com
uid:coreuser
cn:coreuser
objectClass:account
objectClass:posixAccount
objectClass:top
objectClass:shadowAccount
userPassword:{SSHA}1F4G8mlpJ4asfQud0kJOsj6tIWdoiHEc
shadowLastChange:17412
shadowMin:0
shadowMax:999999
shadowWarning:7
loginShell:/bin/bash
uidNumber:2502
gidNumber:1502
homeDirectory:/home/coreuser
pwdReset:TRUE">>/data0/ldapldif/users/coreuser.ldif
ldapadd-x-Dcn=admin,dc=com-W-f/data0/ldapldif/users/webuser.ldif
EnterLDAPPassword:
addingnewentry"uid=webuser,dc=com-W-f/data0/ldapldif/users/coreuser.ldif
EnterLDAPPassword:
addingnewentry"uid=coreuser,dc=com"
(4)sudoers.ldif
vim/data0/ldapldif/sudoers/defaults.ldif dn:cn=defaults,ou=sudoers,dc=com objectClass:top objectClass:sudoRole cn:defaults sudoOption:requiretty sudoOption:!visiblepw sudoOption:always_set_home sudoOption:env_reset vim/data0/ldapldif/sudoers/web.ldif dn:cn=%web,dc=com objectClass:top objectClass:sudoRole cn:%web sudoHost:ALL sudoRunAsUser:www sudoOption:!authenticate sudoOption:!visiblepw sudoOption:always_set_home sudoOption:env_reset sudoCommand:ALL sudoUser:%web vim/data0/ldapldif/sudoers/core.ldif dn:cn=%core,dc=com objectClass:top objectClass:sudoRole cn:%core sudoHost:ALL sudoRunAsUser:ALL sudoOption:!authenticate sudoOption:!visiblepw sudoOption:always_set_home sudoOption:env_reset sudoCommand:ALL sudoUser:%core ldapadd-x-Dcn=admin,dc=com-W-f/data0/ldapldif/sudoers/defaults.ldif EnterLDAPPassword: addingnewentry"cn=defaults,dc=com-W-f/data0/ldapldif/sudoers/web.ldif EnterLDAPPassword: addingnewentry"cn=%web,dc=com-W-f/data0/ldapldif/sudoers/core.ldif EnterLDAPPassword: addingnewentry"cn=%core,dc=com"
(5)pwpolicies.ldif
echo"dn:cn=default,dc=com cn:default objectClass:pwdPolicy objectClass:person pwdAllowUserChange:TRUE pwdAttribute:userPassword pwdExpireWarning:259200 pwdFailureCountInterval:0 pwdGraceAuthNLimit:5 pwdInHistory:5 pwdLockout:TRUE pwdLockoutDuration:300 pwdMaxAge:2592000 pwdMaxFailure:5 pwdMinAge:0 pwdMinLength:8 pwdMustChange:TRUE pwdSafeModify:TRUE sn:dummyvalue">>/data0/ldapldif/policy/default.ldif ldapadd-x-Dcn=admin,dc=com-W-f/data0/ldapldif/policy/default.ldif EnterLDAPPassword: addingnewentry"cn=default,dc=com"
1.6 安装PHPLDAPAdmin
yuminstall-yhttpdPHPPHP-mbstringPHP-pearPHP-ldap cd/usr/local/src/ wgethttps://jaist.dl.sourceforge.net/project/PHPldapadmin/PHPldapadmin-PHP5/1.2.3/PHPldapadmin-1.2.3.zip unzipPHPldapadmin-1.2.3.zip mkdir-p/data0/web_root/ mvPHPldapadmin-1.2.3/data0/web_root/PHPldapadmin echo"<VirtualHost*:80> ServerAdminopenldap@dabayouxi.com DocumentRoot/data0/web_root/PHPldapadmin ServerNameopenldap.dabayouxi.com ErrorLog/data0/logs/apache/openldap.dabayouxi.com-error_log CustomLog/data0/logs/apache/openldap.dabayouxi.com-access_logcommon <Directory"/data/web_root/PHPldapadmin"> OptionsFollowSymLinks AllowOverrideall Requireallgranted </Directory> </VirtualHost>">>/etc/httpd/conf/httpd.conf mkdir-p/data0/logs/apache/ servicehttpdrestart cp/data0/web_root/PHPldapadmin/config/config.PHP.example/data0/web_root/PHPldapadmin/config/config.PHP vim/data0/web_root/PHPldapadmin/config/config.PHP $servers->setValue('server','host','192.168.9.168'); $servers->setValue('server','port',389);
浏览器访问输入:http://192.168.9.168
1.7 MirrorMode同步实现OpenLDAP双主模式
(1)192.168.9.168上slapd.conf最后添加
vim/usr/local/openldap2.4/etc/openldap/slapd.conf #添加以下内容 overlaysyncprov syncprov-checkpoint10010 syncprov-sessionlog100 serverID1 syncreplrid=123 provider=ldap://192.168.9.225/ bindmethod=simple binddn="cn=admin,dc=com" credentials=dabayouxi searchbase="dc=dabayouxi,dc=com" schemachecking=off type=refreshAndPersist retry="60+" mirrormodeon cd/usr/local/openldap2.4/etc/openldap/ slaptest-u rm-rfslapd.d/* slaptest-fslapd.conf-Fslapd.d/ serviceslapdrestart
(2)192.168.9.225上slapd.conf最后添加
vim/usr/local/openldap2.4/etc/openldap/slapd.conf #添加以下内容 overlaysyncprov syncprov-checkpoint10010 syncprov-sessionlog100 serverID2 syncreplrid=123 provider=ldap://192.168.9.168/ bindmethod=simple binddn="cn=admin,dc=com" schemachecking=off type=refreshAndPersist retry="60+" mirrormodeon cd/usr/local/openldap2.4/etc/openldap/ slaptest-u rm-rfslapd.d/* slaptest-fslapd.conf-Fslapd.d/ serviceslapdrestart
(2)测试同步
1.8 Keepalived+OpenLDAP实现OpenLDAP高可用
(1)下载安装keepalive
cd/usr/local/src/ wgethttp://www.keepalived.org/software/keepalived-1.2.13.tar.gz yuminstall-ypcre-developenssl-develpopt-devel tarxfkeepalived-1.2.13.tar.gz cdkeepalived-1.2.13 ./configure--prefix=/usr/local/keepalived make makeinstall
(2)配置keepalived配置成系统服务
cd/usr/local/keepalived/ cpetc/rc.d/init.d/keepalived/etc/init.d/ cpetc/sysconfig/keepalived/etc/sysconfig/ mkdir/etc/keepalived cpetc/keepalived/keepalived.conf/etc/keepalived/ cpsbin/keepalived/usr/sbin/ chkconfigkeepalivedon chkconfig--listkeepalived
(3)配置OpenLDAP热备
Master 192.168.9.168
vim/etc/keepalived/keepalived.conf
!ConfigurationFileforkeepalived
global_defs{
router_idOpenLDAP_HA
}
vrrp_instanceOpenLDAP{
stateBackup
interfaceeth0
virtual_router_id53
priority100
advert_int1
nopreempt
authentication{
auth_typePASS
auth_passdabayouxi
}
virtual_ipaddress{
192.168.9.253
}
}
virtual_server192.168.9.253389{
delay_loop6
nat_mask255.255.255.0
persistence_timeout50
protocolTCP
real_server192.168.9.168389{
weight3
notify_down"/etc/keepalived/openldap.sh"
TCP_CHECK{
connect_timeout5
nb_get_retry2
delay_before_retry3
}
}
}
vim/etc/keepalived/openldap.sh
#!/bin/bash
/etc/init.d/keepalivedstop
chmod+x/etc/keepalived/openldap.sh
servicekeepalivedstart
Startingkeepalived:[OK]
ipaddr
1:lo:<LOOPBACK,UP,LOWER_UP>mtu16436qdiscnoqueuestateUNKNOWN
link/loopback00:00:00:00:00:00brd00:00:00:00:00:00
inet127.0.0.1/8scopehostlo
inet6::1/128scopehost
valid_lftforeverpreferred_lftforever
2:eth0:<BROADCAST,MULTICAST,LOWER_UP>mtu1500qdiscpfifo_faststateUPqlen1000
link/etherfa:9b:55:ac:33:00brdff:ff:ff:ff:ff:ff
inet192.168.9.168/24brd192.168.9.255scopeglobaleth0
inet192.168.9.253/32scopeglobaleth0
inet6fe80::f89b:55ff:feac:3300/64scopelink
valid_lftforeverpreferred_lftforever
Master 192.168.9.225
vim/etc/keepalived/keepalived.conf
!ConfigurationFileforkeepalived
global_defs{
router_idOpenLDAP_HA
}
vrrp_instanceOpenLDAP{
stateBackup
interfaceeth0
virtual_router_id53
priority90
advert_int1
authentication{
auth_typePASS
auth_passdabayouxi
}
virtual_ipaddress{
192.168.9.253
}
}
virtual_server192.168.9.253389{
delay_loop6
nat_mask255.255.255.0
persistence_timeout50
protocolTCP
real_server192.168.9.225389{
weight3
notify_down"/etc/keepalived/openldap.sh"
TCP_CHECK{
connect_timeout5
nb_get_retry2
delay_before_retry3
}
}
}
vim/etc/keepalived/openldap.sh
#!/bin/bash
/etc/init.d/keepalivedstop
chmod+x/etc/keepalived/openldap.sh
servicekeepalivedstart
(4)验证
二,安装OpenLDAP客户端
2.1 基础环境配置
(1)系统初始化(参见http://wupengfei.blog.51cto.com/7174803/1955545)
(2)关闭防火墙与SElinux
serviceiptablesstop chkconfigiptablesoff sed-i's@SELINUX=enforcing@SELINUX=disabled@g'/etc/selinux/config
(3)时间同步
yum-yinstallntp /usr/sbin/ntpdate-uclepsydra.dec.comtick.ucla.eduntp.nasa.gov echo"12***/usr/sbin/ntpdate-uclepsydra.dec.comtick.ucla.eduntp.nasa.gov">>/var/spool/cron/root
1.2 源码安装OpenLDAP
(1)yum安装依赖包
yum-yinstallopenldapopenldap-develcompat-openldapnss-pam-ldapd
(2)备份源文件
cp/etc/nslcd.conf/etc/nslcd.conf_default cp/etc/nsswitch.conf/etc/nsswitch.conf_dafault cp/etc/pam.d/system-auth-ac/etc/pam.d/system-auth-ac_default cp/etc/pam.d/password-auth-ac/etc/pam.d/password-auth-ac_default cp/etc/pam.d/fingerprint-auth-ac/etc/pam.d/fingerprint-auth-ac_default cp/etc/pam.d/smartcard-auth-ac/etc/pam.d/smartcard-auth-ac_default cp/etc/pam.d/sshd/etc/pam.d/sshd_default cp/etc/pam.d/login/etc/pam.d/login_default cp/etc/openldap/ldap.conf/etc/openldap/ldap.conf_defalut cp/etc/sudo-ldap.conf/etc/sudo-ldap.conf_default
(3)停用sssd服务
servicesssdstop&&chkconfigsssdoff
#/etc/nslcd.conf
vim/etc/nslcd.conf urildap://192.168.9.253 basedc=dabayouxi,dc=com sslno tls_cacertdir/etc/openldap/cacerts
#/etc/pam_ldap.conf
vim/etc/pam_ldap.conf urildap://192.168.9.253 basedc=dabayouxi,dc=com sslno tls_cacertdir/etc/openldap/cacerts pam_passwordmd5 bind_policysoft pam_lookup_policyyes pam_passwordclear_remove_old
#/etc/pam.d/system-auth
vim/etc/pam.d/system-auth #%PAM-1.0 #Thisfileisauto-generated. #Userchangeswillbedestroyedthenexttimeauthconfigisrun. authrequiredpam_env.so authsufficientpam_fprintd.so authsufficientpam_unix.sonulloktry_first_pass authrequisitepam_succeed_if.souid>=500quiet authsufficientpam_ldap.souse_first_pass authrequiredpam_deny.so accountrequiredpam_unix.sobroken_shadow accountsufficientpam_localuser.so accountsufficientpam_succeed_if.souid<500quiet account[default=badsuccess=okuser_unknown=ignore]pam_ldap.so accountrequiredpam_permit.so passwordrequisitepam_cracklib.sominlen=10ucredit=-1lcredit=-1dcredit=-1ocredit=-1try_first_passretry=3type= passwordsufficientpam_unix.somd5shadownulloktry_first_passuse_authtok passwordsufficientpam_ldap.souse_authtok passwordrequiredpam_deny.so sessionoptionalpam_keyinit.sorevoke sessionrequiredpam_limits.so sessionoptionalpam_mkhomedir.so session[success=1default=ignore]pam_succeed_if.soserviceincrondquietuse_uid sessionrequiredpam_unix.so sessionoptionalpam_ldap.so
#/etc/pam.d/password-auth
vim/etc/pam.d/password-auth #%PAM-1.0 #Thisfileisauto-generated. #Userchangeswillbedestroyedthenexttimeauthconfigisrun. authrequiredpam_env.so authsufficientpam_unix.sonulloktry_first_pass authrequisitepam_succeed_if.souid>=500quiet authsufficientpam_ldap.souse_first_pass authrequiredpam_deny.so accountrequiredpam_unix.sobroken_shadow accountsufficientpam_localuser.so accountsufficientpam_succeed_if.souid<500quiet account[default=badsuccess=okuser_unknown=ignore]pam_ldap.so accountrequiredpam_permit.so passwordrequisitepam_cracklib.sominlen=10ucredit=-1lcredit=-1dcredit=-1ocredit=-1try_first_passretry=3type= passwordsufficientpam_unix.somd5shadownulloktry_first_passuse_authtok passwordsufficientpam_ldap.souse_authtok passwordrequiredpam_deny.so sessionoptionalpam_keyinit.sorevoke sessionrequiredpam_limits.so sessionoptionalpam_mkhomedir.so session[success=1default=ignore]pam_succeed_if.soserviceincrondquietuse_uid sessionrequiredpam_unix.so sessionoptionalpam_ldap.so
#/etc/pam.d/fingerprint-auth
vim/etc/pam.d/fingerprint-auth #%PAM-1.0 #Thisfileisauto-generated. #Userchangeswillbedestroyedthenexttimeauthconfigisrun. authrequiredpam_env.so authsufficientpam_fprintd.so authrequiredpam_deny.so accountrequiredpam_unix.sobroken_shadow accountsufficientpam_localuser.so accountsufficientpam_succeed_if.souid<500quiet account[default=badsuccess=okuser_unknown=ignore]pam_ldap.so accountrequiredpam_permit.so passwordrequiredpam_deny.so sessionoptionalpam_keyinit.sorevoke sessionrequiredpam_limits.so sessionoptionalpam_mkhomedir.so session[success=1default=ignore]pam_succeed_if.soserviceincrondquietuse_uid sessionrequiredpam_unix.so sessionoptionalpam_ldap.so
#/etc/pam.d/smartcard-auth
vim/etc/pam.d/smartcard-auth #%PAM-1.0 #Thisfileisauto-generated. #Userchangeswillbedestroyedthenexttimeauthconfigisrun. authrequiredpam_env.so auth[success=doneignore=ignoredefault=die]pam_pkcs11.sowait_for_cardcard_only authrequiredpam_deny.so accountrequiredpam_unix.sobroken_shadow accountsufficientpam_localuser.so accountsufficientpam_succeed_if.souid<500quiet account[default=badsuccess=okuser_unknown=ignore]pam_ldap.so accountrequiredpam_permit.so passwordrequiredpam_pkcs11.so sessionoptionalpam_keyinit.sorevoke sessionrequiredpam_limits.so sessionoptionalpam_mkhomedir.so session[success=1default=ignore]pam_succeed_if.soserviceincrondquietuse_uid sessionrequiredpam_unix.so sessionoptionalpam_ldap.so
#/etc/pam.d/sshd
vim/etc/pam.d/sshd #%PAM-1.0 authrequiredpam_sepermit.so authincludepassword-auth accountrequiredpam_access.so accountrequiredpam_nologin.so accountincludepassword-auth passwordincludepassword-auth #pam_selinux.socloseshouldbethefirstsessionrule sessionrequiredpam_selinux.soclose sessionrequiredpam_loginuid.so #pam_selinux.soopenshouldonlybefollowedbysessionstobeexecutedintheusercontext sessionrequiredpam_selinux.soopenenv_params sessionrequiredpam_namespace.so sessionoptionalpam_keyinit.soforcerevoke sessionincludepassword-auth
#/etc/pam.d/login
vim/etc/pam.d/login #%PAM-1.0 auth[user_unknown=ignoresuccess=okignore=ignoredefault=bad]pam_securetty.so authincludesystem-auth accountrequiredpam_nologin.so accountincludesystem-auth passwordincludesystem-auth #pam_selinux.socloseshouldbethefirstsessionrule sessionrequiredpam_selinux.soclose sessionrequiredpam_loginuid.so sessionrequiredpam_limits.so sessionoptionalpam_console.so #pam_selinux.soopenshouldonlybefollowedbysessionstobeexecutedintheusercontext sessionrequiredpam_selinux.soopen sessionrequiredpam_namespace.so sessionoptionalpam_keyinit.soforcerevoke sessionincludesystem-auth -sessionoptionalpam_ck_connector.so
#/etc/nsswitch.conf
vim/etc/nsswitch.conf passwd:filesldap shadow:filesldap group:filesldap hosts:filesdns bootparams:nisplus[NOTFOUND=return]files ethers:files netmasks:files networks:files protocols:files rpc:files services:files netgroup:ldap publickey:nisplus automount:filesldap sudoers:filesldap
#/etc/sysconfig/authconfig
vim/etc/sysconfig/authconfig IPADOMAINJOINED=no USEMKHOMEDIR=yes USEPAMACCESS=no CACHECREDENTIALS=yes USESSSDAUTH=no USESHADOW=yes USEWINBIND=no USESSSD=no PASSWDALGORITHM=sha512 FORCELEGACY=no USEFPRINTD=no USEHESIOD=no FORCESMARTCARD=no USELDAPAUTH=yes IPAV2NONTP=no USELDAP=yes USECRACKLIB=yes USEIPAV2=no USEWINBINDAUTH=no USESMARTCARD=no USELOCAUTHORIZE=yes USENIS=no USEKERBEROS=no USESYSNETAUTH=no USEDB=no USEPASSWDQC=no
# /etc/sudo-ldap.conf
echo"urildap://192.168.9.253 sudoers_baSEOu=sudoers,dc=com">>/etc/sudo-ldap.conf
#/etc/openldap/ldap.conf
vim/etc/openldap/ldap.conf TLS_CACERTDIR/etc/openldap/cacerts URIldap://192.168.9.253 BASEdc=dabayouxi,dc=com
#/etc/security/access.conf
vim/etc/security/access.conf 添加内容 -:ALLEXCEPTrootweb:ALL
(5)启动服务
servicenslcdrestart
(6)测试
原文链接:https://www.f2er.com/bash/390821.html