centos7.2 LDAP(TLS)+autofs+ssh
写前先祝福下勒布朗·詹姆斯网上搜了很多关于centos7.2部署ldap的文章,这里也写一下自己的
实验环境
系统:CentOS Linux release 7.2.1511 (Core)
内核:3.10.0-327.el7.x86_64
服务端IP:192.168.10.16
客户端IP:192.168.10.17
第一步
selinux和firewalld
# getenforce
Permissive
# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: inactive (dead)
第二步
服务端装包
# yum install -y openldap-servers openldap-clients openldap
如果不小心误删除了ldap的文件,会发现yum也用不了了,因为依赖模块被删掉了---解决方法
openldap-2.4.44-13.el7.x86_64.rpm(使用rpm把ldap装起来是一种方法)
第三步
服务端配置文件
# pwd
/etc/openldap
# vim ldap.conf
TLS_CACERTDIR /etc/openldap/certs #这里很重要,指定你的TLS的文件放在那个目录下,默认此目录
TLS_REQCERT allow #这里是指可以切换TLS的文件存放目录
# slappasswd(生成密码)
New password:
Re-enter new password:
{SSHA}Yh7b45nHZmNHuk+3gg8mtIsuGiWzb3gA(这个加密字符串记录下来)
# vim slapd.conf(注意这个文件不是上面的ldap.conf)
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/pmi.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/misc.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
#TLS的几个文件很容易混淆,后面做CA的时候也会着重标明)
TLSCACertificateFile /etc/openldap/certs/ca.crt (这个是CA的公钥)
TLSCertificateFile /etc/openldap/certs/slapd.crt(这个是CA颁发的证书文件)
TLSCertificateKeyFile /etc/openldap/certs/slapd.key(这个是本地私钥)
database config
rootdn "cn=admin,cn=config"(超级用户)
rootpw {SSHA}Yh7b45nHZmNHuk+3gg8mtIsuGiWzb3gA (这里把上面的字符串写进来)
access to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
database monitor
access to * by dn.exact="cn=admin,cn=config" read by * none
# rm -rf slapd.d/*
# slaptest -f slapd.conf -F slapd.d/ (转换成ldap识别的文件,这里一定看清楚是slapd.conf文件)
config file testing succeeded
# chown ldap. -R slapd.d/(加权限)
# cd slapd.d/
# ll
total 8
drwxr-x---. 3 ldap ldap 4096 Jun1 07:50 cn=config
-rw-------. 1 ldap ldap 1272 Jun1 07:50 cn=config.ldif
# grep TLS slapd.conf(使用之前的https的方式生成CA证书)
TLSCACertificateFile /etc/openldap/certs/ca.crt
TLSCertificateFile /etc/openldap/certs/slapd.crt
TLSCertificateKeyFile /etc/openldap/certs/slapd.key
对于CA认证来说现在的服务器作为客户端
# pwd
/etc/openldap/certs (这个目录是根据你之前ldap.conf文件里定义的)
# openssl genrsa 2048 > slapd.key(这个文件毫无疑问就是上文对应的slapd.key文件)
Generating RSA private key, 2048 bit long modulus
........................................................................................+++
............................................+++
e is 65537 (0x10001)
# ls
cert8.dbkey3.dbpasswordsecmod.dbslapd.key
(这里先别给最小权限,怕会ldap读取不了文件,使用/usr/sbin/sladp -d 256 也能看出问题)
# openssl req -new -key slapd.key -out siyao.csr(创建证书办法请求)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :CN (国家)
State or Province Name (full name) []:shanghai(省份)
Locality Name (eg, city) :shanghai (市区)
Organization Name (eg, company) :boke(公司名)
Organizational Unit Name (eg, section) []:boke - cainiao(部门)
Common Name (eg, your name or your server's hostname) []:192.168.10.16(要加密的server)
Email Address []:boke@boke.com(邮箱)
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: (这里不要写密码,CA哪里一会解不开密码,自签名。。)
An optional company name []:(这里也跳过)
# ls
cert8.dbkey3.dbpasswordsecmod.dbsiyao.csr (这里可不是公钥哦) slapd.key
现在客户端作为CA服务器
# scp siyao.csr 192.168.10.17:/root/
root@192.168.10.17's password:
siyao.csr 100% 1009 1.0KB/s 00:00
# openssl genrsa -des3 -out ca.key 4096(生成公私钥,做自签名)
Generating RSA private key, 4096 bit long modulus
............................++
.......................++
e is 65537 (0x10001)
Enter pass phrase for ca.key: (自签名密码要记住,一会自签名过程要用到)
Verifying - Enter pass phrase for ca.key:
# ls
anaconda-ks.cfgca.keysiyao.csr
# openssl req -new -x509 -days 365 -key ca.key -out ca.crt(自签名)
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :CN
State or Province Name (full name) []:shanghai
Locality Name (eg, city) :shanghai
Organization Name (eg, company) :NSA
Organizational Unit Name (eg, section) []:FBI
Common Name (eg, your name or your server's hostname) []:192.168.10.17(指定你的server)
Email Address []:
# ls
anaconda-ks.cfgca.crt (这个是我们的CA公钥和LDAP识别的ca.crt文件对应) ca.keysiyao.csr
# openssl x509 -req -days 365 -in siyao.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out slapd.crt
Signature ok
subject=/C=cn/ST=shanghai/L=shanghai/O=boke/OU=cainiao/CN=192.168.10.16
Getting CA Private Key
Enter pass phrase for ca.key:
# ls
anaconda-ks.cfgca.crtca.keysiyao.csrslapd.crt(这是证书,和LDAP识别的slapd.crt对应)
# scp ca.crt slapd.crt 192.168.10.16:/etc/openldap/certs/(两个文件都传过去)
root@192.168.10.16's password:
ca.crt 100% 2013 2.0KB/s 00:00
slapd.crt 100% 1545 1.5KB/s 00:00
CA完毕,以下是正常的服务器和客户端
服务器16这里
# ls
ca.crt(1)cert8.dbkey3.dbpasswordsecmod.dbsiyao.csrslapd.crt (2) slapd.key(3) (1),(2),(3)三个文件分别代表上文定义的TLS文件,千万别搞乱了)
# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG.example(拷贝缓冲数据文件)
# chown ldap. /var/lib/ldap/DB_CONFIG.example(授权)
# vim /etc/sysconfig/slapd
LAPD_URLS="ldapi:/// ldap:/// ldaps:///"(添加上ldaps:///)
# systemctl start slapd(起服务,如果上面没好好看的话,这里启动会报错的)
# ps -ef|grep slapd
ldap 4413 10 22:07 ? 00:00:00 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:/// ldaps:///
root 4672 25970 22:24 pts/0 00:00:00 grep --color=auto slapd
# netstat -luntp|grep slap
tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN 4413/slapd
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 4413/slapd
tcp6 0 0 :::636 :::* LISTEN 4413/slapd
tcp6 0 0 :::389 :::* LISTEN 4413/slapd
定义用户数据库
# mkdir /root/ldif
# cd
# cd ldif/
# ls
# vim bdb.ldif
dn: olcDatabase=bdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: {1}bdb(数据库)
olcSuffix: dc=example,dc=org
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=Manager,dc=example,dc=org(用户)
olcRootPW: 456 (密码)
olcLimits: dn.exact="cn=Manager,dc=example,dc=org" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
olcDbIndex: uid pres,eq
olcDbIndex: cn,sn,displayName pres,eq,approx,sub
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: memberUid eq
olcDbIndex: objectClass eq
olcDbIndex: entryUUID pres,eq
olcDbIndex: entryCSN pres,eq
olcAccess: to attrs=userPassword by self write by anonymous auth by dn.children="ou=admins,dc=example,dc=org" write by * none
olcAccess: to * by self write by dn.children="ou=admins,dc=example,dc=org" write by * read
# ldapadd -x -D "cn=admin,cn=config" -w 123 -f ~/ldif/bdb.ldif -h localhost(添加条目,这个是超级用户和超级用户的免密123)
adding new entry "olcDatabase=bdb,cn=config"
# cd slapd.d/
# ls
cn=configcn=config.ldif
# cd cn\=config/
# ls
cn=schema olcDatabase={0}config.ldif olcDatabase={1}monitor.ldif
cn=schema.ldifolcDatabase={-1}frontend.ldifolcDatabase={2}bdb.ldif(这个bdb数据文件被生成出来了)
ssh----》ldap(实验)
使我们的系统用户转变为ldap用户
# yum search migrationtools
# yum install -y migrationtools.noarch(下载工具)
# cd /usr/share/migrationtools/
# groupadd -g 100001 ldap1(生成系统用户)
# mkdir /ldapuser
# useradd -u 100001 -g 100001 -d /ldapuser/ldap1 ldap1
# id ldap1
uid=100001(ldap1) gid=100001(ldap1) groups=100001(ldap1)
# groupadd -g 100002 ldap2(之前说过65535只是限制个数)
# useradd -u 100002 -g 100002 -d /ldapuser/ldap2 ldap2
# vim migrate_common.ph
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "example.org";(这里可不是主机名哦)
# Default base
$DEFAULT_BASE = "dc=example,dc=org";
# ./migrate_base.pl > ~/ldif/base.ldif
# vim /root/ldif/base.ldif(留三组信息即可)
dn: dc=example,dc=org(顶级域)
dc: example
objectClass: top
objectClass: domain
dn: ou=People,dc=example,dc=org(条目)
ou: People
objectClass: top
objectClass: organizationalUnit
dn: ou=Group,dc=example,dc=org(条目)
ou: Group
objectClass: top
objectClass: organizationalUnit
# cat -A /root/ldif/base.ldif(检查格式是否有问题)
dn: dc=example,dc=org$
dc: example$
objectClass: top$
objectClass: domain$
$
dn: ou=People,dc=example,dc=org$
ou: People$
objectClass: top$
objectClass: organizationalUnit$
$
dn: ou=Group,dc=example,dc=org$
ou: Group$
objectClass: top$
objectClass: organizationalUnit$
$
# ldapadd -x -D "cn=Manager,dc=example,dc=org" -w 456 -f /root/ldif/base.ldif -h localhost(将条目加入到数据库里,这里是用的是数据库的用户和密码)
adding new entry "dc=example,dc=org"
adding new entry "ou=People,dc=example,dc=org"
adding new entry "ou=Group,dc=example,dc=org"
# passwd ldap1
# passwd ldap2
# ./migrate_passwd.pl /etc/passwd > /root/ldif/user.ldif(将用户和组添加条目)
# ./migrate_group.pl /etc/group > /root/ldif/group.ldif
# vim /root/ldif/user.ldif(只留两个即可,做实验)
dn: uid=ldap1,ou=People,dc=example,dc=org
uid: ldap1
cn: ldap1
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}!!
shadowLastChange: 17683
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 100001
gidNumber: 100001
homeDirectory: /ldapuser/ldap1
dn: uid=ldap2,ou=People,dc=example,dc=org
uid: ldap2
cn: ldap2
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}!!
shadowLastChange: 17683
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 100002
gidNumber: 100002
homeDirectory: /ldapuser/ldap2
# vim /root/ldif/group.ldif(和用户相同)
# ldapadd -x -D "cn=Manager,dc=example,dc=org" -w 456 -f /root/ldif/group.ldif -h localhost
adding new entry "cn=ldap1,ou=Group,dc=example,dc=org"
adding new entry "cn=ldap2,ou=Group,dc=example,dc=org"
# ldapadd -x -D "cn=Manager,dc=example,dc=org" -w 456 -f /root/ldif/user.ldif -h localhost
adding new entry "uid=ldap1,ou=People,dc=example,dc=org"
adding new entry "uid=ldap2,ou=People,dc=example,dc=org"
# cp /etc/openldap/certs/ca.crt /var/www/html/(共享公钥)
# systemctl restart httpd
终于到客户端了
# vim /etc/hosts
192.168.10.16 ldap
# yum install -y openldap openldap-clients nss-pam-ldapd
# yum install -y authconfig.x86_64 authconfig-gtk.x86_64
# authconfig --enableldap --enableldapauth --ldapserver=ldap --ldapbasedn="dc=example,dc=org" --enableldaptls --ldaploadcacert=http://ldap/ca.crt --update
*(上面的命令执行完毕,本地应该有ldap1和ldap2用户,但是我这次不行了,之前一台机器是可以的,大家试下,今晚我在看看到底哪出问题了)
# ssh ldap1@192.168.10.17(这里是登陆不了的,应为上一条命令执行不成功)
ldap1@192.168.10.17's password:
Last login: Fri Jun1 22:29:45 2018 from ldapfu
Could not chdir to home directory /ldapuser/ldap1: No such file or directory
-bash-4.2$(缺少家目录)
# mkdir /ldapuser
# yum install -y autofs
服务端这里
# vim /etc/exports
/ldapuser 192.168.10.0/24(rw)
# systemctl start nfs(启动不了,先启动rpcbind)
客户端
# vim /etc/auto.master
# For details of the format look at auto.master(5).
/ldapuser /etc/ldap.misc(添加此条)
#
/misc /etc/auto.misc
# cp /etc/auto.misc /etc/ldap.misc
# vim /etc/ldap.misc
#removable -fstype=ext2 :/dev/hdd
* -fstype=nfs 192.168.10.16:/ldapuser/&(添加此条)
# systemctl start autofs.service(再次使用ldap1登录客户端即可
客户端获取不到ldap用户这个我今晚再看看,大神也给下建议。
页:
[1]