freebsd-ldap-client+SSL/TLS
1. Basic environment
Jumpserver:
Master1 192.168.20.128, MySQL master, FQDN: Master1.jumpserver.org, CentOS 6.5 x86
Master2 192.168.20.129, MySQL slave, FQDN: Master2.jumpserver.org, CentOS 6.5 x86
Note: the configuration of Master1 and Master2 is covered in http://bbs.jumpserver.org/read/111.html
Client:
FreeBSD 192.168.20.133, client of the dual-master pair, FQDN: FreeBSD.jumpserver.org, FreeBSD-10.1-RELEASE-amd64
2. Change the default FreeBSD shell to bash
2.1 Check whether bash is already installed
# cat /etc/shells
# $FreeBSD: releng/10.1/etc/shells 59717 2000-04-27 21:58:46Z ache $
#
# List of acceptable shells for chpass(1).
# Ftpd will not allow users to connect who are not using
# one of these shells.
/bin/sh
/bin/csh
/bin/tcsh
/usr/local/bin/rbash
Note: if /usr/local/bin/bash is not listed, bash is not installed and you need to install it; start from (2.2-2.3). If it is listed, run echo $SHELL and check whether it prints /usr/local/bin/bash; if it does, run ln -s /usr/local/bin/bash /bin/bash and skip (2.2-2.3). If it does not, start from 2.3.
2.2 Install bash
cd /usr/ports/shells/bash
make install clean
2.3 Use bash
After the installation, run:
chsh -s /usr/local/bin/bash
Log out:
exit
Log in again and run:
echo $SHELL
/usr/local/bin/bash // shows that the change succeeded
Create the symlink:
ln -s /usr/local/bin/bash /bin/bash
3. Installation
3.1 Install the required packages
cd /usr/ports/net/nss_ldap
make install clean
cd /usr/ports/security/pam_ldap
make install clean
cd /usr/ports/security/pam_mkhomedir
make install clean
cd /usr/ports/security/sudo/
make install clean
After the installation, run the following:
ln -s /usr/local/bin/sudo /bin/sudo
ln -s /usr/bin/su /bin/su
4. Copy the server certificate to the client with scp:
mkdir -p /etc/openldap/cacerts/
cd /etc/openldap/cacerts/
scp 192.168.20.128:/etc/openldap/cacerts/cacert.pem /etc/openldap/cacerts/cacert.pem
Note: if the OpenLDAP on your Jumpserver does not use SSL/TLS to encrypt its traffic, i.e. it uses port 389, skip this step.
5. Modify the configuration files
# cat /usr/local/etc/openldap/ldap.conf | grep -v ^# | grep -v ^$
TLS_REQCERT allow
TLS_CACERT /etc/openldap/cacerts/cacert.pem
TLS_CACERTDIR /etc/openldap/cacerts
URI ldaps://Master1.jumpserver.org/ ldaps://Master2.jumpserver.org/
BASE dc=jumpserver,dc=org
# cp /usr/local/etc/ldap.conf.dist /usr/local/etc/ldap.conf
# cat /usr/local/etc/ldap.conf| grep -v ^# | grep -v ^$
base dc=jumpserver,dc=org
uri ldaps://Master1.jumpserver.org/ ldaps://Master2.jumpserver.org/
ssl on
tls_cacertdir /etc/openldap/cacerts
pam_password md5
Sudoers_base ou=Sudoers,dc=jumpserver,dc=org
# cat /usr/local/etc/nss_ldap.conf | grep -v ^# | grep -v ^$
uri ldaps://Master1.jumpserver.org/ ldaps://Master2.jumpserver.org/
BASE dc=jumpserver,dc=org
Sudoers_base ou=Sudoers,dc=jumpserver,dc=org
Notes:
1) If your Jumpserver communicates on port 389, change every uri ldaps://xxx to uri ldap://xxxx, i.e. drop the s.
2) The client's sudo version determines where sudo looks for its ldap configuration file. Check with sudo -V | grep ldap; the last line of the output, ldap.conf path: /usr/local/etc/nss_ldap.conf, tells you which file the sudo setting (Sudoers_base ou=Sudoers,dc=jumpserver,dc=org) has to go in.
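The ldap.conf files above turn on LDAPS but set TLS_REQCERT allow, which per ldap.conf(5) means a missing or bad server certificate is ignored and the session proceeds anyway, so the CA certificate copied in step 4 is never actually enforced; demand (the default) or hard rejects such a server. The following audit script is an added example, not part of the original post or of Jumpserver; the function names, the sample files (built from the configuration shown in this section) and the finding texts are all my own. It uses only POSIX sh and awk, so it runs on a stock FreeBSD base as well as on Linux, and because keys are matched case-insensitively it covers both the OpenLDAP ldap.conf (TLS_REQCERT, URI) and the pam_ldap/nss_ldap ldap.conf (uri, tls_*).

```shell
#!/bin/sh
# Added example (not from the original post): audit an ldap.conf-style file
# for the TLS settings this how-to relies on. Only POSIX sh and awk are used.

# audit_ldap_conf FILE
# Prints one finding per line; prints nothing when no weak setting is found.
audit_ldap_conf() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        {
            key = tolower($1)
            if (key == "uri") {
                # every ldap:// (not ldaps://) entry is a plaintext connection
                for (i = 2; i <= NF; i++)
                    if ($i ~ "^ldap://")
                        print "plaintext URI " $i ": binds and directory data cross the network unencrypted"
            } else if (key == "tls_reqcert") {
                val = tolower($2)
                if (val != "demand" && val != "hard")
                    print "TLS_REQCERT " val ": server certificate failures are tolerated (set demand)"
            } else if (key == "tls_checkpeer") {
                if (tolower($2) == "no")
                    print "tls_checkpeer no: pam_ldap/nss_ldap skips server certificate verification"
            } else if (key == "tls_cacert" || key == "tls_cacertdir") {
                seen_ca = 1
            }
        }
        END {
            if (!seen_ca)
                print "no TLS_CACERT/TLS_CACERTDIR: the CA certificate from step 4 is not configured"
        }
    ' "$1"
}

# Constructed sample: the ldap.conf as shown in section 5 of this how-to.
write_sample_as_posted() {
    cat > "$1" <<'EOF'
TLS_REQCERT allow
TLS_CACERT /etc/openldap/cacerts/cacert.pem
TLS_CACERTDIR /etc/openldap/cacerts
URI ldaps://Master1.jumpserver.org/ ldaps://Master2.jumpserver.org/
BASE dc=jumpserver,dc=org
EOF
}

# Constructed sample: the same file with certificate checking enforced.
write_sample_hardened() {
    cat > "$1" <<'EOF'
TLS_REQCERT demand
TLS_CACERT /etc/openldap/cacerts/cacert.pem
TLS_CACERTDIR /etc/openldap/cacerts
URI ldaps://Master1.jumpserver.org/ ldaps://Master2.jumpserver.org/
BASE dc=jumpserver,dc=org
EOF
}

# Constructed sample: the port-389 variant from note 1), with no TLS at all.
write_sample_plaintext() {
    cat > "$1" <<'EOF'
uri ldap://Master1.jumpserver.org/ ldap://Master2.jumpserver.org/
base dc=jumpserver,dc=org
EOF
}

# Demo: audit the three samples, then the live file if this runs on the client.
tmp=$(mktemp -t ldapaudit.XXXXXX)
for sample in write_sample_as_posted write_sample_hardened write_sample_plaintext; do
    "$sample" "$tmp"
    echo "== $sample"
    audit_ldap_conf "$tmp"
done
rm -f "$tmp"
if [ -f /usr/local/etc/openldap/ldap.conf ]; then
    echo "== /usr/local/etc/openldap/ldap.conf"
    audit_ldap_conf /usr/local/etc/openldap/ldap.conf
fi
```

Run it on the client after section 5 and expect no output for each of /usr/local/etc/openldap/ldap.conf, /usr/local/etc/ldap.conf and /usr/local/etc/nss_ldap.conf; the configuration as posted yields exactly one finding (TLS_REQCERT allow), and the port-389 variant yields three.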
# cat /etc/nsswitch.conf | grep -v ^# | grep -v ^$
passwd: files ldap
group: files ldap
shadow: files ldap
hosts: files dns
networks: files
protocols: files
services: files
ethers: files
rpc: files
shells: files
netgroup: nis
sudoers:files ldap
#cat /etc/pam.d/system| grep -v ^# | grep -v ^$
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth required pam_unix.so no_warn try_first_pass nullok
auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure use_first_pass
With these auth lines appended, login prompts for an LDAP Password; if you do not want the LDAP Password prompt, do not append them.
account required pam_login_access.so
account required pam_unix.so
account sufficient pam_ldap.so
session required pam_lastlog.so no_fail
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
session optional pam_ldap.so
password required pam_unix.so no_warn try_first_pass
password sufficient pam_ldap.so
Note: the parts shown in red are the appended lines.
# Set nscd_enable to YES
# cat /etc/rc.conf | grep -v ^# | grep -v ^$
hostname="FreeBSD.jumpserver.org"
ifconfig_em0="DHCP"
sshd_enable="YES"
nscd_enable="YES"
dumpdev="AUTO"
# Restart the service so the configuration takes effect
# service nscd restart
Stopping nscd.
Starting nscd.
6. Testing
6.1 Test whether LDAP authentication is enabled
# getent passwd xiaowang
xiaowang:$6$RnWDfg$Epd1.6QFBYhGHTcDRF3RTDC92DrxdqWY2pfIy2C9lY1jJbLrMjZwJswQUiY95F9RovIpakW/R6.eTWYGjXNCQ0:5034:5034:xiaowang:/home/xiaowang:/bin/bash
# id xiaowang
uid=5034(xiaowang) gid=5034(xiaowang) groups=5034(xiaowang)
6.2 Test a user logging in to the jump server and then on to the backend client