Centralized Account Management System: Design and Implementation with OpenLDAP
Build an OpenLDAP deployment that provides unified account management.
Features covered:
1: Building the OpenLDAP server
2: Building phpLDAPAdmin (web-based administration)
3: Group-based sudo privilege assignment on the OpenLDAP server:
(1) no sudo rights by default;
(2) operations staff may sudo to any user and run any command;
(3) developers may run only the commands configured for them
4: OpenLDAP client configuration
5: OpenLDAP with SSH
6: OpenLDAP with client-side PAM, restricting which users may log in to a host
7: OpenLDAP password policy (ppolicy):
(1) force a password change on first login
(2) minimum password length
(3) password strength
(4) warning period before password expiry
(5) grace logins after expiry before login is refused
(6) lockout after a number of failed attempts
(7) reset interval for the failure counter
(8) whether users may change their own password
(9) locked accounts are not unlocked automatically; an administrator must unlock them
8: MirrorMode replication for an OpenLDAP dual-master setup
9: Keepalived + OpenLDAP for high availability
10: TCP Wrappers
Access and maintenance flow of the centralized account management system:
Lab environment:
Systems:
Master: CentOS 6.5 64-bit, 192.168.9.225
Master: CentOS 6.5 64-bit, 192.168.9.168
VIP: 192.168.9.253
Client: CentOS 6.5 64-bit, 192.168.9.176
Packages:
openldap-2.4.45
db-4.6.21
phpldapadmin-1.2.3
ltb-project-openldap-initscript-2.2
References:
https://ltb-project.org/download
http://www.openldap.org/
http://www.oracle.com/technetwork/database/database-technologies/berkeleydb/downloads/index-082944.html
ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/
http://download.oracle.com/berkeley-db/db-4.6.21.tar.gz
Part 1: Installing the OpenLDAP server
(The procedure is identical on both masters.)
1.1 Base environment
(1) System initialization (see http://wupengfei.blog.51cto.com/7174803/1955545)
(2) Disable the firewall and SELinux
service iptables stop
chkconfig iptables off
sed -i 's@SELINUX=enforcing@SELINUX=disabled@g' /etc/selinux/config
Disabling both is a lab shortcut. On a production directory server keep SELinux enforcing and keep iptables, allowing only 389/tcp (and 636/tcp if LDAPS is used) from the client networks, plus VRRP between the two masters for the keepalived setup in 1.8.
(3) Time synchronization
yum -y install ntp
/usr/sbin/ntpdate -u clepsydra.dec.com tick.ucla.edu ntp.nasa.gov
echo "1 2 * * * /usr/sbin/ntpdate -u clepsydra.dec.com tick.ucla.edu ntp.nasa.gov" >> /var/spool/cron/root
Accurate clocks matter here: the ppolicy timestamps (lockout and expiry) and the syncrepl CSNs used by MirrorMode both depend on them.
1.2 Installing OpenLDAP from source
(1) Install build dependencies with yum
yum -y install gcc gcc-c++ unzip gzip bzip2 openssl-devel cyrus-sasl-devel krb5-devel tcp_wrappers-devel libtool-ltdl-devel openslp-devel unixODBC-devel mysql-devel
(2) Build Berkeley DB from source
cd /usr/local/src/
wget http://download.oracle.com/berkeley-db/db-4.6.21.tar.gz
tar xf db-4.6.21.tar.gz
cd db-4.6.21/build_unix/
../dist/configure --prefix=/usr/local/BDB4
make && make install
echo "/usr/local/BDB4/lib" >> /etc/ld.so.conf.d/bdb.conf
ldconfig
ln -sv /usr/local/BDB4/include /usr/local/bdb
(3) Build OpenLDAP from source
cd /usr/local/src/
wget ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-2.4.45.tgz
gunzip -c openldap-2.4.45.tgz | tar xf -
cd openldap-2.4.45
./configure --prefix=/usr/local/openldap2.4 \
  --enable-slapd \
  --enable-dynacl \
  --enable-aci \
  --enable-cleartext \
  --enable-crypt \
  --enable-lmpasswd \
  --enable-spasswd \
  --enable-modules \
  --enable-rewrite \
  --enable-rlookups \
  --enable-slapi \
  --enable-wrappers \
  --enable-backends \
  --enable-ndb=no \
  --enable-perl=no \
  --enable-overlays \
  CPPFLAGS="-I/usr/local/BDB4/include" \
  LDFLAGS="-L/usr/local/BDB4/lib"
make depend
make
make test
make install
echo "/usr/local/openldap2.4/lib" >> /etc/ld.so.conf.d/ldap.conf
ldconfig
ln -sv /usr/local/openldap2.4/include /usr/include/ldap2.4
ln -sv /usr/local/openldap2.4/bin/* /usr/local/bin/
ln -sv /usr/local/openldap2.4/sbin/* /usr/local/sbin/
Two notes on the flags. --enable-lmpasswd adds support for LAN Manager password hashes, which are trivially crackable and are not used anywhere in this setup; drop it. Berkeley DB is only needed by the bdb/hdb backends; the slapd.conf below uses mdb, which is built into the OpenLDAP tree and needs no external library, so the BDB build is only there to satisfy --enable-backends.
1.4 Configuring slapd
(1) Configuration file template
# grep -v ^# slapd.conf | grep -v ^$
include /usr/local/openldap2.4/etc/openldap/schema/corba.schema
include /usr/local/openldap2.4/etc/openldap/schema/core.schema
include /usr/local/openldap2.4/etc/openldap/schema/cosine.schema
include /usr/local/openldap2.4/etc/openldap/schema/duaconf.schema
include /usr/local/openldap2.4/etc/openldap/schema/dyngroup.schema
include /usr/local/openldap2.4/etc/openldap/schema/inetorgperson.schema
include /usr/local/openldap2.4/etc/openldap/schema/java.schema
include /usr/local/openldap2.4/etc/openldap/schema/misc.schema
include /usr/local/openldap2.4/etc/openldap/schema/nis.schema
include /usr/local/openldap2.4/etc/openldap/schema/openldap.schema
include /usr/local/openldap2.4/etc/openldap/schema/ppolicy.schema
include /usr/local/openldap2.4/etc/openldap/schema/collective.schema
include /usr/local/openldap2.4/etc/openldap/schema/sudo.schema
pidfile /usr/local/openldap2.4/var/run/slapd.pid
argsfile /usr/local/openldap2.4/var/run/slapd.args
modulepath /usr/local/openldap2.4/libexec/openldap
moduleload accesslog.la
moduleload auditlog.la
moduleload ppolicy.la
moduleload syncprov.la
moduleload back_mdb.la
moduleload back_ldap.la

access to attrs=shadowLastChange,userPassword
    by self write
    by anonymous auth
    by dn.base="cn=admin,dc=dabayouxi,dc=com" write
    by * none
access to *
    by self write
    by * read

database config
access to *
    by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
    by dn.base="cn=admin,dc=dabayouxi,dc=com" write
    by * none

database mdb
suffix "dc=dabayouxi,dc=com"
rootdn "cn=admin,dc=dabayouxi,dc=com"
rootpw {SSHA}jnN16Laklfzlm4hCrob1nhUgUloLpvnm
directory /data0/openldap-data
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
loglevel 256
logfile /data0/logs/slapd/slapd.log
checkpoint 2048 10
overlay ppolicy
ppolicy_default cn=default,ou=pwpolicies,dc=dabayouxi,dc=com

Generate the rootpw value with slappasswd -h {SSHA} rather than reusing the one above. Two points about the ACLs. First, `access to * by self write` lets every user rewrite any attribute of their own entry, including uidNumber, gidNumber and loginShell; since sudo rights in 1.5 are granted by group, a user could move themselves into the core group with one ldapmodify. Grant self-write only on the attributes users legitimately maintain (for example `access to attrs=loginShell,gecos by self write`) and leave the rest at `by self read`. Second, `by * read` makes the whole tree, including sudoRole entries and group membership, readable anonymously; that is what the clients in Part 2 rely on, because nslcd.conf and sudo-ldap.conf there have no binddn. Tightening it to `by users read` requires giving the clients a dedicated bind account.
(2) Add sudo.schema
cp -f /usr/share/doc/sudo-1.8.6p3/schema.OpenLDAP /usr/local/openldap2.4/etc/openldap/schema/sudo.schema
restorecon /usr/local/openldap2.4/etc/openldap/schema/sudo.schema
(The schema file ships with the sudo package; adjust the version in the path to whatever `rpm -q sudo` reports.)
(3) Create the ldap user and group
groupadd -r ldap
useradd -r -g ldap -s /sbin/nologin ldap
(4) Logging
mkdir -p /data0/logs/slapd
touch /data0/logs/slapd/slapd.log
echo "local4.* /data0/logs/slapd/slapd.log" >> /etc/rsyslog.d/openldap.conf
service rsyslog restart
echo "/data0/logs/slapd/*log {
    missingok
    compress
    notifempty
    daily
    rotate 5
    create 0600 root root
}" >> /etc/logrotate.d/slapd
(5) Data directory
mkdir -p /data0/openldap-data
chmod 700 /data0/openldap-data/
cp /usr/local/openldap2.4/etc/openldap/DB_CONFIG.example /data0/openldap-data/DB_CONFIG
chown -R ldap.ldap /data0/openldap-data/
mkdir -p /usr/local/openldap2.4/etc/openldap/slapd.d
cd /usr/local/openldap2.4/etc/openldap/
slaptest -f slapd.conf -F slapd.d/
echo "BASE dc=dabayouxi,dc=com
URI ldap://192.168.9.168" >> /usr/local/openldap2.4/etc/openldap/ldap.conf
DB_CONFIG is read only by the bdb/hdb backends and is ignored by mdb, so the copy is harmless but unnecessary. On the second master point the URI in ldap.conf at that host's own address (or at the VIP once keepalived is in place).
(6) Download and configure the init script
cd /usr/local/src/
wget https://ltb-project.org/archives/ltb-project-openldap-initscript-2.2.tar.gz
tar -xvf ltb-project-openldap-initscript-2.2.tar.gz
mv ltb-project-openldap-initscript-2.2/slapd /etc/init.d
vim /etc/init.d/slapd
# set these three variables:
SLAPD_PATH="/usr/local/openldap2.4"
DATA_PATH="/data0/openldap-data"
BDB_PATH="/usr/local/BDB4"
chmod +x /etc/init.d/slapd
chkconfig slapd on
service slapd restart
1.5 Directory tree layout
# Import the planned DNs: write the following into LDIF files and add them to the database with ldapadd
mkdir -p /data0/ldapldif/{users,groups,sudoers,policy}
(1) base.ldif
vim /data0/ldapldif/base.ldif
dn: dc=dabayouxi,dc=com
dc: dabayouxi
objectClass: top
objectClass: domain

dn: ou=users,dc=dabayouxi,dc=com
ou: users
objectClass: top
objectClass: organizationalUnit

dn: ou=groups,dc=dabayouxi,dc=com
ou: groups
objectClass: top
objectClass: organizationalUnit

dn: ou=sudoers,dc=dabayouxi,dc=com
ou: sudoers
objectClass: top
objectClass: organizationalUnit

dn: ou=pwpolicies,dc=dabayouxi,dc=com
ou: pwpolicies
objectClass: top
objectClass: organizationalUnit

ldapadd -x -D cn=admin,dc=dabayouxi,dc=com -W -f /data0/ldapldif/base.ldif
Enter LDAP Password:
adding new entry "dc=dabayouxi,dc=com"
adding new entry "ou=users,dc=dabayouxi,dc=com"
adding new entry "ou=groups,dc=dabayouxi,dc=com"
adding new entry "ou=sudoers,dc=dabayouxi,dc=com"
adding new entry "ou=pwpolicies,dc=dabayouxi,dc=com"
Option meanings:
-x  simple authentication (bind DN plus password) instead of SASL; it does not by itself encrypt anything
-D  the DN to bind as, here the rootdn; this is the identity the server authorizes the operation under, not the search base
-W  prompt for the password; -w passwd puts it on the command line where it is visible in the process list and shell history, so it is not recommended
-f  the LDIF file to read
# Inspect the resulting tree with ldapsearch
ldapsearch -x -LLL
# -LLL prints plain LDIF: no version line and no comments
(2) groups.ldif
echo "dn: cn=web,ou=groups,dc=dabayouxi,dc=com
objectClass: posixGroup
objectClass: top
cn: web
gidNumber: 1501" >> /data0/ldapldif/groups/web.ldif
echo "dn: cn=core,ou=groups,dc=dabayouxi,dc=com
objectClass: posixGroup
objectClass: top
cn: core
gidNumber: 1502" >> /data0/ldapldif/groups/core.ldif
ldapadd -x -D cn=admin,dc=dabayouxi,dc=com -W -f /data0/ldapldif/groups/web.ldif
Enter LDAP Password:
adding new entry "cn=web,ou=groups,dc=dabayouxi,dc=com"
ldapadd -x -D cn=admin,dc=dabayouxi,dc=com -W -f /data0/ldapldif/groups/core.ldif
Enter LDAP Password:
adding new entry "cn=core,ou=groups,dc=dabayouxi,dc=com"
web is the developer group and core the operations group; the sudo roles in (4) are keyed on these two names.
(3) users.ldif
echo "dn: uid=webuser,ou=users,dc=dabayouxi,dc=com
uid: webuser
cn: webuser
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {SSHA}1F4G8mlpJ4asfQud0kJOsj6tIWdoiHEc
shadowLastChange: 17412
shadowMin: 0
shadowMax: 999999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 2501
gidNumber: 1501
homeDirectory: /home/webuser
pwdReset: TRUE" >> /data0/ldapldif/users/webuser.ldif
echo "dn: uid=coreuser,ou=users,dc=dabayouxi,dc=com
uid: coreuser
cn: coreuser
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {SSHA}1F4G8mlpJ4asfQud0kJOsj6tIWdoiHEc
shadowLastChange: 17412
shadowMin: 0
shadowMax: 999999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 2502
gidNumber: 1502
homeDirectory: /home/coreuser
pwdReset: TRUE" >> /data0/ldapldif/users/coreuser.ldif
ldapadd -x -D cn=admin,dc=dabayouxi,dc=com -W -f /data0/ldapldif/users/webuser.ldif
Enter LDAP Password:
adding new entry "uid=webuser,ou=users,dc=dabayouxi,dc=com"
ldapadd -x -D cn=admin,dc=dabayouxi,dc=com -W -f /data0/ldapldif/users/coreuser.ldif
Enter LDAP Password:
adding new entry "uid=coreuser,ou=users,dc=dabayouxi,dc=com"
pwdReset: TRUE is what implements item 7(1): with the ppolicy overlay the user can bind but may do nothing except change the password until they have done so. Note that both entries carry the identical userPassword string. An {SSHA} value embeds a random salt, so two independently generated hashes of even the same password differ; an identical string means the value was copied, and both accounts share one password. Generate each user's value separately with slappasswd.
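The rootpw in slapd.conf and the userPassword values above are both slappasswd-style {SSHA} strings. The following is an added example, not code from the original post, showing how that format is built and verified and how to spot copied values in a batch of LDIF entries. The hash constant is the value from the two entries above; the password used in the functions is a throwaway chosen for the demonstration.

```python
import base64
import hashlib
import hmac
import os

# Taken from the two user entries above (the same string appears in both).
PAGE_HASH = "{SSHA}1F4G8mlpJ4asfQud0kJOsj6tIWdoiHEc"


def ssha_hash(password, salt=None):
    """Return a slappasswd-style value: "{SSHA}" + base64(sha1(pw + salt) + salt).

    slappasswd draws a fresh random 4-byte salt on every call; the verifier
    recovers the salt from whatever follows the 20-byte SHA-1 digest, so any
    salt length round-trips.
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_split(stored):
    """Split a {SSHA} value into (digest, salt); ValueError if malformed."""
    prefix = "{SSHA}"
    if not stored.startswith(prefix):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(prefix):])
    if len(raw) <= 20:
        raise ValueError("too short to hold a SHA-1 digest plus salt")
    return raw[:20], raw[20:]


def ssha_verify(stored, password):
    """Check a candidate password against a stored {SSHA} value."""
    digest, salt = ssha_split(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # constant-time comparison, the same habit slapd's own check follows
    return hmac.compare_digest(candidate, digest)


def find_shared_hashes(entries):
    """entries: {dn: userPassword}. Return groups of DNs whose stored value is
    byte-for-byte identical. Because the salt is random per call, identical
    strings mean the value was pasted between entries rather than generated
    per user, and the accounts share one password."""
    by_value = {}
    for dn, value in entries.items():
        by_value.setdefault(value, []).append(dn)
    return [sorted(dns) for dns in by_value.values() if len(dns) > 1]


if __name__ == "__main__":
    pw = "throwaway-pw"                       # demo password, not from the page
    h = ssha_hash(pw)
    print(h, ssha_verify(h, pw), ssha_verify(h, "wrong"))
    print(find_shared_hashes({
        "uid=webuser,ou=users,dc=dabayouxi,dc=com": PAGE_HASH,
        "uid=coreuser,ou=users,dc=dabayouxi,dc=com": PAGE_HASH,
    }))
```

Run find_shared_hashes over the userPassword values of a whole ou=users export before importing it; any group it returns is a set of accounts that were given one password by copy-paste.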
(4) sudoers.ldif
vim /data0/ldapldif/sudoers/defaults.ldif
dn: cn=defaults,ou=sudoers,dc=dabayouxi,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
sudoOption: requiretty
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset

vim /data0/ldapldif/sudoers/web.ldif
dn: cn=%web,ou=sudoers,dc=dabayouxi,dc=com
objectClass: top
objectClass: sudoRole
cn: %web
sudoHost: ALL
sudoRunAsUser: www
sudoOption: !authenticate
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset
sudoCommand: ALL
sudoUser: %web

vim /data0/ldapldif/sudoers/core.ldif
dn: cn=%core,ou=sudoers,dc=dabayouxi,dc=com
objectClass: top
objectClass: sudoRole
cn: %core
sudoHost: ALL
sudoRunAsUser: ALL
sudoOption: !authenticate
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset
sudoCommand: ALL
sudoUser: %core

ldapadd -x -D cn=admin,dc=dabayouxi,dc=com -W -f /data0/ldapldif/sudoers/defaults.ldif
Enter LDAP Password:
adding new entry "cn=defaults,ou=sudoers,dc=dabayouxi,dc=com"
ldapadd -x -D cn=admin,dc=dabayouxi,dc=com -W -f /data0/ldapldif/sudoers/web.ldif
Enter LDAP Password:
adding new entry "cn=%web,ou=sudoers,dc=dabayouxi,dc=com"
ldapadd -x -D cn=admin,dc=dabayouxi,dc=com -W -f /data0/ldapldif/sudoers/core.ldif
Enter LDAP Password:
adding new entry "cn=%core,ou=sudoers,dc=dabayouxi,dc=com"
The cn=defaults entry supplies global sudoOption values; sudoUser: %web and %core match by group, which is resolved through NSS, so the group entries in (2) must be visible to the client. Users in neither group match no role and get no sudo at all, which is item 3(1). The web role lets developers run any command but only as the www user; the core role gives operations staff any command as any user, which is 3(2). Two things to weigh before copying this: sudoCommand: ALL on the web role is broader than "the commands configured for them" in 3(3), so list the specific commands there; and !authenticate on both roles disables the password prompt, so an unattended session of any core member is unattended root on every host. Drop !authenticate unless passwordless sudo is a deliberate choice.
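To make the effect of the three roles concrete, here is an added example (not part of the original post, and not sudo's own matching code) that evaluates a request against sudoRole entries the way the rules above are meant to be read. The entries and the group membership are constructed from the LDIF in (2) and (4); the host names, the caller "mallory" and the commands are made up for the demonstration. It ignores sudoOrder, netgroups, runas groups and command digests.

```python
import fnmatch

# The three sudoRole entries above, flattened (multi-valued attrs as lists).
ROLES = [
    {"cn": "defaults",
     "sudoOption": ["requiretty", "!visiblepw", "always_set_home", "env_reset"]},
    {"cn": "%web", "sudoUser": ["%web"], "sudoHost": ["ALL"],
     "sudoRunAsUser": ["www"], "sudoCommand": ["ALL"],
     "sudoOption": ["!authenticate", "!visiblepw", "always_set_home", "env_reset"]},
    {"cn": "%core", "sudoUser": ["%core"], "sudoHost": ["ALL"],
     "sudoRunAsUser": ["ALL"], "sudoCommand": ["ALL"],
     "sudoOption": ["!authenticate", "!visiblepw", "always_set_home", "env_reset"]},
]

# Group membership as nslcd would resolve it from ou=groups (constructed).
GROUPS = {"web": {"webuser"}, "core": {"coreuser"}}


def user_matches(spec, user, groups):
    """sudoUser: a login name, %group, or ALL."""
    if spec == "ALL":
        return True
    if spec.startswith("%"):
        return user in groups.get(spec[1:], set())
    return spec == user


def command_matches(spec, command):
    """sudoCommand without its leading '!': ALL, an exact path, or a glob."""
    return spec == "ALL" or spec == command or fnmatch.fnmatch(command, spec)


def option_flag(options, name, default):
    """Boolean sudoOption: the last 'name' / '!name' seen wins."""
    value = default
    for opt in options:
        if opt == name:
            value = True
        elif opt == "!" + name:
            value = False
    return value


def check_sudo(user, host, runas, command, roles=ROLES, groups=GROUPS):
    """Return (allowed, password_required) for `sudo -u runas command`.

    Simplified model of the LDAP sudoers lookup: cn=defaults seeds the
    options; each role whose sudoUser and sudoHost match the caller
    contributes its options; among those, a role whose sudoRunAsUser matches
    decides by its sudoCommand list, where a '!' entry revokes and the last
    match wins (as in a sudoers file). No matching role means denial.
    """
    defaults = next((r for r in roles if r.get("cn") == "defaults"), {})
    options = list(defaults.get("sudoOption", []))
    allowed = False
    for role in roles:
        if role.get("cn") == "defaults":
            continue
        if not any(user_matches(s, user, groups) for s in role.get("sudoUser", [])):
            continue
        if not any(h == "ALL" or h == host for h in role.get("sudoHost", [])):
            continue
        options.extend(role.get("sudoOption", []))
        if not any(r == "ALL" or r == runas for r in role.get("sudoRunAsUser", [])):
            continue
        for spec in role.get("sudoCommand", []):
            negate = spec.startswith("!")
            if command_matches(spec.lstrip("!"), command):
                allowed = not negate
    return allowed, option_flag(options, "authenticate", True)


if __name__ == "__main__":
    for who, runas, cmd in [("webuser", "www", "/usr/bin/id"),
                            ("webuser", "root", "/bin/bash"),
                            ("coreuser", "root", "/bin/bash"),
                            ("mallory", "root", "/bin/bash")]:
        print(who, runas, cmd, check_sudo(who, "web01", runas, cmd))
```

The second element of the result is what !authenticate changes: with the roles as written, every grant comes back with password_required False. Rebuilding the roles without that option (as in the test) flips it to True while leaving the grants themselves unchanged, which is the safer shape for the core role.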
(5) pwpolicies.ldif
echo "dn: cn=default,ou=pwpolicies,dc=dabayouxi,dc=com
cn: default
objectClass: pwdPolicy
objectClass: person
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdExpireWarning: 259200
pwdFailureCountInterval: 0
pwdGraceAuthNLimit: 5
pwdInHistory: 5
pwdLockout: TRUE
pwdLockoutDuration: 300
pwdMaxAge: 2592000
pwdMaxFailure: 5
pwdMinAge: 0
pwdMinLength: 8
pwdMustChange: TRUE
pwdSafeModify: TRUE
sn: dummy value" >> /data0/ldapldif/policy/default.ldif
ldapadd -x -D cn=admin,dc=dabayouxi,dc=com -W -f /data0/ldapldif/policy/default.ldif
Enter LDAP Password:
adding new entry "cn=default,ou=pwpolicies,dc=dabayouxi,dc=com"
How the values map to the feature list: pwdMaxAge 2592000 expires a password after 30 days and pwdExpireWarning 259200 starts warning 3 days before that; pwdGraceAuthNLimit 5 allows five more binds after expiry (item 7(5) counts logins, not days); pwdMaxFailure 5 with pwdLockout TRUE locks after five consecutive failures, and pwdFailureCountInterval 0 means the failure counter is only cleared by a successful bind (7(7)); pwdAllowUserChange is 7(8); pwdMustChange with pwdReset on the user is 7(1); pwdInHistory 5 and pwdSafeModify require the old password and refuse the last five. Two corrections are needed for the policy to do what the list promises. pwdLockoutDuration 300 unlocks the account by itself after five minutes, which contradicts 7(9); set it to 0, and then an administrator unlocks by deleting the pwdAccountLockedTime attribute from the user entry. And pwdMinLength is only enforced when pwdCheckQuality is 1 or 2 (it is absent here, so it defaults to 0 and the length is never checked), and then only on passwords the server receives in cleartext; with the client-side hashing configured in pam_ldap.conf in Part 2 the server never sees the plaintext. Add pwdCheckQuality: 2 here and use pam_password exop on the clients, over TLS, so the server checks length and history and hashes the value itself.
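The lockout behaviour of the values above is easy to get wrong, so here is an added example (not from the original post, and a simplified model rather than slapd's code) that walks a sequence of binds through the failure counter, the lockout and the two unlock paths, using the policy numbers from default.ldif. The timestamps are plain integer seconds chosen for the demonstration; the assumption that an expired lockout also clears the old failure times is the model's, not something the page states.

```python
# Values from default.ldif above; pwdLockoutDuration is the one the text
# recommends changing to 0, so it is kept as a parameter for comparison.
PAGE_POLICY = {
    "pwdLockout": True,
    "pwdMaxFailure": 5,
    "pwdLockoutDuration": 300,      # seconds; 0 = stays locked until an admin unlocks
    "pwdFailureCountInterval": 0,   # seconds; 0 = failures cleared only by a good bind
}


class PpolicyAccount:
    """Tracks the two operational attributes a bind touches under slapo-ppolicy:
    pwdFailureTime (one timestamp per failed bind) and pwdAccountLockedTime."""

    def __init__(self, policy):
        self.policy = policy
        self.failure_times = []     # pwdFailureTime values
        self.locked_time = None     # pwdAccountLockedTime, or None when not locked

    def _purge_old_failures(self, now):
        interval = self.policy["pwdFailureCountInterval"]
        if interval > 0:
            self.failure_times = [t for t in self.failure_times if now - t < interval]

    def is_locked(self, now):
        if self.locked_time is None:
            return False
        duration = self.policy["pwdLockoutDuration"]
        if duration > 0 and now - self.locked_time >= duration:
            # Lockout has expired; model assumption: the stale failures go too.
            self.locked_time = None
            self.failure_times = []
            return False
        return True

    def bind(self, now, password_ok):
        """Return True if the bind succeeds. A locked account fails even with the
        right password; a failure is recorded and may trip the lockout; a success
        clears the failure history."""
        if self.is_locked(now):
            return False
        self._purge_old_failures(now)
        if password_ok:
            self.failure_times = []
            return True
        self.failure_times.append(now)
        if self.policy["pwdLockout"] and len(self.failure_times) >= self.policy["pwdMaxFailure"]:
            self.locked_time = now
        return False

    def admin_unlock(self):
        """Equivalent of `ldapmodify` with `delete: pwdAccountLockedTime`."""
        self.locked_time = None
        self.failure_times = []


def lock_after_failures(policy, n_failures, then_at):
    """Feed n wrong passwords one second apart, then try the right one at `then_at`.
    Returns (locked_after_failures, later_bind_succeeds)."""
    acct = PpolicyAccount(policy)
    for t in range(n_failures):
        acct.bind(t, False)
    locked = acct.is_locked(n_failures)
    return locked, acct.bind(then_at, True)


if __name__ == "__main__":
    print("page policy, retry after 5 min:", lock_after_failures(PAGE_POLICY, 5, 400))
    admin_only = dict(PAGE_POLICY, pwdLockoutDuration=0)
    print("admin-unlock policy, retry a day later:", lock_after_failures(admin_only, 5, 86400))
```

With pwdLockoutDuration 0 the only way out is admin_unlock, i.e. deleting pwdAccountLockedTime; with pwdFailureCountInterval raised to, say, 60, failures spaced more than a minute apart never accumulate to a lockout, which is the trade-off item 7(7) is about.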
1.6 Installing phpLDAPAdmin
yum install -y httpd php php-mbstring php-pear php-ldap
cd /usr/local/src/
wget https://jaist.dl.sourceforge.net/project/phpldapadmin/phpldapadmin-php5/1.2.3/phpldapadmin-1.2.3.zip
unzip phpldapadmin-1.2.3.zip
mkdir -p /data0/web_root/
mv phpldapadmin-1.2.3 /data0/web_root/phpldapadmin
Append the following virtual host to /etc/httpd/conf/httpd.conf (the original had /data/web_root in the Directory block, which does not match the DocumentRoot; both must be /data0/web_root):
<VirtualHost *:80>
    ServerAdmin openldap@dabayouxi.com
    DocumentRoot /data0/web_root/phpldapadmin
    ServerName openldap.dabayouxi.com
    ErrorLog /data0/logs/apache/openldap.dabayouxi.com-error_log
    CustomLog /data0/logs/apache/openldap.dabayouxi.com-access_log common
    <Directory "/data0/web_root/phpldapadmin">
        Options FollowSymLinks
        AllowOverride all
        Require all granted
    </Directory>
</VirtualHost>
mkdir -p /data0/logs/apache/
service httpd restart
cp /data0/web_root/phpldapadmin/config/config.php.example /data0/web_root/phpldapadmin/config/config.php
vim /data0/web_root/phpldapadmin/config/config.php
$servers->setValue('server','host','192.168.9.168');
$servers->setValue('server','port',389);
Open http://192.168.9.168 in a browser.
Require all granted is httpd 2.4 syntax; CentOS 6.5 ships httpd 2.2, where the equivalent is Order allow,deny followed by Allow from all. Also note that this serves the admin console over plain HTTP and logs in with the rootdn, so the directory's master password crosses the network in cleartext at every login; put it behind HTTPS and restrict the virtual host to the administration network.
1.7 MirrorMode replication for a dual-master setup
(1) Append to slapd.conf on 192.168.9.168
vim /usr/local/openldap2.4/etc/openldap/slapd.conf
# append the following:
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
serverID 1
syncrepl rid=123
    provider=ldap://192.168.9.225/
    bindmethod=simple
    binddn="cn=admin,dc=dabayouxi,dc=com"
    credentials=dabayouxi
    searchbase="dc=dabayouxi,dc=com"
    schemachecking=off
    type=refreshAndPersist
    retry="60 +"
mirrormode on
cd /usr/local/openldap2.4/etc/openldap/
slaptest -u
rm -rf slapd.d/*
slaptest -f slapd.conf -F slapd.d/
service slapd restart
(2) Append to slapd.conf on 192.168.9.225
vim /usr/local/openldap2.4/etc/openldap/slapd.conf
# append the following:
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
serverID 2
syncrepl rid=123
    provider=ldap://192.168.9.168/
    bindmethod=simple
    binddn="cn=admin,dc=dabayouxi,dc=com"
    credentials=dabayouxi
    searchbase="dc=dabayouxi,dc=com"
    schemachecking=off
    type=refreshAndPersist
    retry="60 +"
mirrormode on
cd /usr/local/openldap2.4/etc/openldap/
slaptest -u
rm -rf slapd.d/*
slaptest -f slapd.conf -F slapd.d/
service slapd restart
Each server pulls from the other (provider points at the peer) and serves as a provider itself via syncprov; serverID must differ between the two. slaptest -u is a dry run that validates slapd.conf without writing anything. As written the replication bind uses the rootdn with its password in cleartext in slapd.conf and sends it over unencrypted ldap:// on every reconnect. Use a dedicated replication DN that has read access to the suffix, keep slapd.conf mode 0600, and add starttls=critical (with TLS configured on both servers) so the credentials and the replicated userPassword values are not readable on the wire. schemachecking=off also skips schema validation of replicated entries; leave it at the default unless there is a specific reason.
(3) Test replication
Add an entry on one master and search for it on the other, and compare the contextCSN of the suffix on both servers:
ldapsearch -x -H ldap://192.168.9.168 -b dc=dabayouxi,dc=com -s base contextCSN
ldapsearch -x -H ldap://192.168.9.225 -b dc=dabayouxi,dc=com -s base contextCSN
The two contextCSN values match once the servers are in sync.
1.8 Keepalived + OpenLDAP for high availability
(1) Download and install keepalived
cd /usr/local/src/
wget http://www.keepalived.org/software/keepalived-1.2.13.tar.gz
yum install -y pcre-devel openssl-devel popt-devel
tar xf keepalived-1.2.13.tar.gz
cd keepalived-1.2.13
./configure --prefix=/usr/local/keepalived
make
make install
(2) Install keepalived as a system service
cd /usr/local/keepalived/
cp etc/rc.d/init.d/keepalived /etc/init.d/
cp etc/sysconfig/keepalived /etc/sysconfig/
mkdir /etc/keepalived
cp etc/keepalived/keepalived.conf /etc/keepalived/
cp sbin/keepalived /usr/sbin/
chkconfig keepalived on
chkconfig --list keepalived
(3) OpenLDAP failover configuration
Master 192.168.9.168
vim /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
    router_id OpenLDAP_HA
}
vrrp_instance OpenLDAP {
    state BACKUP
    interface eth0
    virtual_router_id 53
    priority 100
    advert_int 1
    nopreempt
    authentication {
        auth_type PASS
        auth_pass dabayouxi
    }
    virtual_ipaddress {
        192.168.9.253
    }
}
virtual_server 192.168.9.253 389 {
    delay_loop 6
    nat_mask 255.255.255.0
    persistence_timeout 50
    protocol TCP
    real_server 192.168.9.168 389 {
        weight 3
        notify_down "/etc/keepalived/openldap.sh"
        TCP_CHECK {
            connect_timeout 5
            nb_get_retry 2
            delay_before_retry 3
        }
    }
}
vim /etc/keepalived/openldap.sh
#!/bin/bash
/etc/init.d/keepalived stop
chmod +x /etc/keepalived/openldap.sh
service keepalived start
Starting keepalived: [ OK ]
ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether fa:9b:55:ac:33:00 brd ff:ff:ff:ff:ff:ff
    inet 192.168.9.168/24 brd 192.168.9.255 scope global eth0
    inet 192.168.9.253/32 scope global eth0
    inet6 fe80::f89b:55ff:feac:3300/64 scope link
       valid_lft forever preferred_lft forever
Master 192.168.9.225
vim /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
    router_id OpenLDAP_HA
}
vrrp_instance OpenLDAP {
    state BACKUP
    interface eth0
    virtual_router_id 53
    priority 90
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass dabayouxi
    }
    virtual_ipaddress {
        192.168.9.253
    }
}
virtual_server 192.168.9.253 389 {
    delay_loop 6
    nat_mask 255.255.255.0
    persistence_timeout 50
    protocol TCP
    real_server 192.168.9.225 389 {
        weight 3
        notify_down "/etc/keepalived/openldap.sh"
        TCP_CHECK {
            connect_timeout 5
            nb_get_retry 2
            delay_before_retry 3
        }
    }
}
vim /etc/keepalived/openldap.sh
#!/bin/bash
/etc/init.d/keepalived stop
chmod +x /etc/keepalived/openldap.sh
service keepalived start
How this behaves: both nodes start in BACKUP state, 192.168.9.168 wins the election with priority 100 and takes the VIP; nopreempt on that node means that after it fails and recovers it does not snatch the VIP back from 192.168.9.225, which avoids a second cutover (with MirrorMode either node accepts writes, so it does not matter which one holds the VIP). The TCP_CHECK on each node's own port 389 is the health check; when slapd stops answering, notify_down runs openldap.sh, which stops keepalived entirely and so releases the VIP to the peer. The operator has to start keepalived again by hand once slapd is repaired. VRRP PASS authentication travels in cleartext and only guards against accidental neighbours, not a hostile host on the segment; the firewall rule for VRRP mentioned in 1.1 is the real control.
(4) Verification
Stop slapd on the node holding the VIP (service slapd stop), confirm with ip addr that 192.168.9.253 has moved to the other node, and check that the directory still answers through the VIP:
ldapsearch -x -H ldap://192.168.9.253 -b dc=dabayouxi,dc=com -s base
Part 2: Installing the OpenLDAP client
2.1 Base environment
(1) System initialization (see http://wupengfei.blog.51cto.com/7174803/1955545)
(2) Disable the firewall and SELinux
service iptables stop
chkconfig iptables off
sed -i 's@SELINUX=enforcing@SELINUX=disabled@g' /etc/selinux/config
(3) Time synchronization
yum -y install ntp
/usr/sbin/ntpdate -u clepsydra.dec.com tick.ucla.edu ntp.nasa.gov
echo "1 2 * * * /usr/sbin/ntpdate -u clepsydra.dec.com tick.ucla.edu ntp.nasa.gov" >> /var/spool/cron/root
2.2 Installing the OpenLDAP client packages
(1) Install with yum
yum -y install openldap openldap-devel compat-openldap nss-pam-ldapd
(2) Back up the original files
cp /etc/nslcd.conf /etc/nslcd.conf_default
cp /etc/nsswitch.conf /etc/nsswitch.conf_default
cp /etc/pam.d/system-auth-ac /etc/pam.d/system-auth-ac_default
cp /etc/pam.d/password-auth-ac /etc/pam.d/password-auth-ac_default
cp /etc/pam.d/fingerprint-auth-ac /etc/pam.d/fingerprint-auth-ac_default
cp /etc/pam.d/smartcard-auth-ac /etc/pam.d/smartcard-auth-ac_default
cp /etc/pam.d/sshd /etc/pam.d/sshd_default
cp /etc/pam.d/login /etc/pam.d/login_default
cp /etc/openldap/ldap.conf /etc/openldap/ldap.conf_default
cp /etc/sudo-ldap.conf /etc/sudo-ldap.conf_default
(3) Stop sssd
service sssd stop && chkconfig sssd off
(4) Client configuration files
#/etc/nslcd.conf
vim /etc/nslcd.conf
uri ldap://192.168.9.253
base dc=dabayouxi,dc=com
ssl no
tls_cacertdir /etc/openldap/cacerts
#/etc/pam_ldap.conf
vim /etc/pam_ldap.conf
uri ldap://192.168.9.253
base dc=dabayouxi,dc=com
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
bind_policy soft
pam_lookup_policy yes
pam_password clear_remove_old
Both files point at the VIP, so failover in 1.8 is transparent to the clients. There is no binddn, so nslcd's NSS lookups are anonymous; that is why the server ACL allows `by * read`. With ssl no and a plain ldap:// URI every user bind sends the password in cleartext across the network and every lookup exposes account data; production clients should set ssl start_tls with the server CA in tls_cacertdir (or use ldaps://). pam_password appears twice; the later clear_remove_old overrides md5. With a server-side ppolicy the right setting is pam_password exop, so that password changes go through the password-modify extended operation and the server, not the client, checks quality and history and applies its own hash.
#/etc/pam.d/system-auth
vim /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so minlen=10 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 try_first_pass retry=3 type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
#/etc/pam.d/password-auth
vim /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so minlen=10 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 try_first_pass retry=3 type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
#/etc/pam.d/fingerprint-auth
vim /etc/pam.d/fingerprint-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
#/etc/pam.d/smartcard-auth
vim /etc/pam.d/smartcard-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card card_only
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    required      pam_pkcs11.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
#/etc/pam.d/sshd
vim /etc/pam.d/sshd
#%PAM-1.0
auth       required     pam_sepermit.so
auth       include      password-auth
account    required     pam_access.so
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
#/etc/pam.d/login
vim /etc/pam.d/login
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    required     pam_limits.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      system-auth
-session   optional     pam_ck_connector.so
The pieces that matter for LDAP users: in the auth stack pam_unix is tried first for local accounts, then pam_ldap with use_first_pass so the password is asked for once; the account stack lets local users through via pam_localuser and asks the directory about everyone else, which is where a ppolicy lockout or expiry is reported; pam_mkhomedir in the session stack creates the home directory on first login, since an LDAP user has none on the host. In /etc/pam.d/sshd the line account required pam_access.so is what makes /etc/security/access.conf (item 6) apply to SSH logins; /etc/pam.d/login as shown has no such line, so console logins are not subject to it. nullok on pam_unix permits local accounts with empty passwords to log in; remove it on hosts that do not need that.
#/etc/nsswitch.conf
vim /etc/nsswitch.conf
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   ldap
publickey:  nisplus
automount:  files ldap
sudoers:    files ldap
The sudoers line is what makes sudo consult ou=sudoers in the directory after /etc/sudoers; files first means a local sudoers entry still works when the directory is down.
#/etc/sysconfig/authconfig
vim /etc/sysconfig/authconfig
IPADOMAINJOINED=no
USEMKHOMEDIR=yes
USEPAMACCESS=no
CACHECREDENTIALS=yes
USESSSDAUTH=no
USESHADOW=yes
USEWINBIND=no
USESSSD=no
PASSWDALGORITHM=sha512
FORCELEGACY=no
USEFPRINTD=no
USEHESIOD=no
FORCESMARTCARD=no
USELDAPAUTH=yes
IPAV2NONTP=no
USELDAP=yes
USECRACKLIB=yes
USEIPAV2=no
USEWINBINDAUTH=no
USESMARTCARD=no
USELOCAUTHORIZE=yes
USENIS=no
USEKERBEROS=no
USESYSNETAUTH=no
USEDB=no
USEPASSWDQC=no
# /etc/sudo-ldap.conf
echo "uri ldap://192.168.9.253
sudoers_base ou=sudoers,dc=dabayouxi,dc=com" >> /etc/sudo-ldap.conf
#/etc/openldap/ldap.conf
vim /etc/openldap/ldap.conf
TLS_CACERTDIR /etc/openldap/cacerts
URI ldap://192.168.9.253
BASE dc=dabayouxi,dc=com
#/etc/security/access.conf
vim /etc/security/access.conf
# add the following line:
-:ALL EXCEPT root web : ALL
pam_access takes the first matching line, with fields permission : users or groups : origins. This line denies every user from every origin except root and the members of the web group (a bare name is tried as a user name and then as a group name), so on this client only root and developers can log in over SSH; coreuser is refused at the account stage even with the correct password. Each client carries its own access.conf, and that is how item 6, restricting which hosts a user may log in to, is implemented.
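Because pam_access decides on the first matching line, it is worth checking a rule set against the users it is supposed to admit before it is rolled out. The following is an added example (not from the original post, and a model of pam_access's matching rather than its code) that evaluates the access.conf line above plus a variant that restricts operations staff by source network. The group membership is constructed from ou=groups in Part 1; the user "mallory" and the source addresses are made up for the demonstration.

```python
import ipaddress

# The access.conf line from this section.
PAGE_ACCESS_CONF = """
# permission : users/groups : origins
-:ALL EXCEPT root web : ALL
"""

# A constructed variant: operations staff only from the 192.168.9.0/24 segment.
HOST_RULES = """
+ : core : 192.168.9.0/24
- : ALL EXCEPT root web : ALL
"""

# Group membership as nslcd would resolve it from ou=groups (constructed).
GROUPS = {"web": {"webuser"}, "core": {"coreuser"}}


def parse_access_conf(text):
    """Return [(permission, users_field, origins_field)], skipping comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = [f.strip() for f in line.split(":", 2)]
        rules.append((perm, users, origins))
    return rules


def _split_except(field):
    """'ALL EXCEPT root web' -> (['ALL'], ['root', 'web'])"""
    if " EXCEPT " in field:
        base, exc = field.split(" EXCEPT ", 1)
        return base.split(), exc.split()
    return field.split(), []


def _user_match(item, user, groups):
    # A bare name is tried as a user, then as a group; "(name)" forces a group.
    if item == "ALL":
        return True
    if item.startswith("(") and item.endswith(")"):
        return user in groups.get(item[1:-1], set())
    return item == user or user in groups.get(item, set())


def _origin_match(item, origin):
    if item == "ALL":
        return True
    if item == "LOCAL":
        return "." not in origin          # tty names and unqualified hosts
    if "/" in item:
        try:
            return ipaddress.ip_address(origin) in ipaddress.ip_network(item, strict=False)
        except ValueError:
            return False
    if item.endswith("."):
        return origin.startswith(item)    # "192.168.9." style prefix
    return item == origin


def _field_match(field, value, matcher):
    base, exceptions = _split_except(field)
    return (any(matcher(i, value) for i in base)
            and not any(matcher(i, value) for i in exceptions))


def access_allowed(user, origin, conf_text, groups=GROUPS):
    """First matching rule wins; with no match pam_access allows."""
    for perm, users, origins in parse_access_conf(conf_text):
        if (_field_match(users, user, lambda i, u: _user_match(i, u, groups))
                and _field_match(origins, origin, _origin_match)):
            return perm == "+"
    return True


if __name__ == "__main__":
    for who, where in [("webuser", "10.0.0.5"), ("coreuser", "10.0.0.5"),
                       ("coreuser", "192.168.9.50"), ("root", "tty1"), ("mallory", "10.0.0.5")]:
        print(who, where, access_allowed(who, where, PAGE_ACCESS_CONF),
              access_allowed(who, where, HOST_RULES))
```

The order of the lines is the whole point: in HOST_RULES the allow for core must come before the catch-all deny, or it is never reached.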
(5) Start the service
service nslcd restart
chkconfig nslcd on
(6) Test
On the client, getent passwd webuser and id coreuser should return the directory entries; su - webuser should prompt for a password change on first login because of pwdReset; sudo -l run as webuser should list the www rule, and as coreuser the ALL rule; and an SSH login as coreuser to this host should be refused by pam_access while webuser's succeeds.
Reposted from: https://blog.51cto.com/wupengfei/1964734