Centos 7 搭建Openldap,使用lam做web管理

一、搭建Openldap

1、安装openldap 服务

[root@node3 ~]# yum install -y epel-release openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel migrationtools

2、初始化openldap服务管理权限

[root@node3 ~]# slappasswd -s 123456

{SSHA}gn0ZWIBguTeY2n/AVaTxuNc1tn/kxiiW

[root@node3 ~]# sed -i 's/cn=Manager/cn=admin/g' /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}hdb.ldif

[root@node3 ~]# sed -i 's/dc=my-domain,dc=com/dc=ldaptest,dc=com,dc=cn/g'  /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}hdb.ldif

[root@node3 ~]# vim /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}hdb.ldif

olcSuffix: dc=ldaptest,dc=com,dc=cn

olcRootDN: cn=admin,dc=ldaptest,dc=com,dc=cn

olcRootPW: {SSHA}gn0ZWIBguTeY2n/AVaTxuNc1tn/kxiiW

[root@node3 ~]# sed -i 's/cn=Manager,dc=my-domain,dc=com/cn=admin,dc=ldaptest,dc=com,dc=cn/g' /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}monitor.ldif

[root@node3 ~]# vim /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}monitor.ldif

olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern

 al,cn=auth" read by dn.base="cn=admin,dc=ldaptest,dc=com,dc=cn" read by * none

[root@node3 ~]# slaptest -u

5bea3013 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif"

5bea3013 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif"

config file testing succeeded

(上面两条 checksum error 是因为前面直接用 sed/vim 编辑了 /etc/openldap/slapd.d 下的文件,文件头部的校验和未随之更新;slaptest 仍然通过。后续通过 ldapmodify -Y EXTERNAL -H ldapi:/// 修改 cn=config 可避免此提示。)

[root@node3 ~]# 

[root@node3 ~]# systemctl restart slapd

3、配置Openldap数据库

[root@node3 ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

[root@node3 ~]# chown ldap.ldap -R /var/lib/ldap/

[root@node3 ~]# chmod 700 -R /var/lib/ldap/

[root@node3 ~]# ll /var/lib/ldap/

total 324

-rwx------. 1 ldap ldap 2048 Nov 13 09:59 alock

-rwx------. 1 ldap ldap 262144 Nov 13 09:59 __db.001

-rwx------. 1 ldap ldap 32768 Nov 13 09:59 __db.002

-rwx------. 1 ldap ldap 49152 Nov 13 09:59 __db.003

-rwx------. 1 ldap ldap 845 Nov 13 10:00 DB_CONFIG

-rwx------. 1 ldap ldap 8192 Nov 13 09:59 dn2id.bdb

-rwx------. 1 ldap ldap 32768 Nov 13 09:59 id2entry.bdb

-rwx------. 1 ldap ldap 10485760 Nov 13 09:59 log.0000000001

[root@node3 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif 

SASL/EXTERNAL authentication started

SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

SASL SSF: 0

adding new entry "cn=cosine,cn=schema,cn=config"

[root@node3 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif

SASL/EXTERNAL authentication started

SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

SASL SSF: 0

adding new entry "cn=nis,cn=schema,cn=config"

You have mail in /var/spool/mail/root

[root@node3 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif 

SASL/EXTERNAL authentication started

SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

SASL SSF: 0

adding new entry "cn=inetorgperson,cn=schema,cn=config"

4、初始化组织架构及添加初始用户和组

[root@node3 ~]# vim /usr/share/migrationtools/migrate_common.ph

$DEFAULT_MAIL_DOMAIN = "ldaptest.com.cn";

$DEFAULT_BASE = "dc=ldaptest,dc=com,dc=cn";

$EXTENDED_SCHEMA = 1;

[root@node3 ~]# groupadd OPS

[root@node3 ~]# groupadd HR

[root@node3 ~]# useradd -g OPS charles

[root@node3 ~]# useradd -g HR fiona

[root@node3 ~]# echo "123456" | passwd --stdin charles

Changing password for user charles.

passwd: all authentication tokens updated successfully.

[root@node3 ~]# echo "123456" | passwd --stdin fiona

Changing password for user fiona.

passwd: all authentication tokens updated successfully.

[root@node3 ~]# grep "OPS" /etc/group > groups

[root@node3 ~]# grep "HR" /etc/group >> groups

[root@node3 ~]# grep "charles" /etc/passwd > users

[root@node3 ~]# grep "fiona" /etc/passwd >> users

[root@node3 ~]# /usr/share/migrationtools/migrate_passwd.pl users > users.ldif      

[root@node3 ~]# /usr/share/migrationtools/migrate_group.pl groups > groups.ldif

[root@node3 ~]# vim base.ldif

dn: dc=ldaptest,dc=com,dc=cn

o: ldaptest.com.cn

dc: ldaptest

objectClass: top

objectClass: dcObject

objectclass: organization

dn: cn=admin,dc=ldaptest,dc=com,dc=cn

cn: admin

objectClass: organizationalRole

description: Directory Manager

dn: ou=People,dc=ldaptest,dc=com,dc=cn

ou: People

objectClass: top

objectClass: organizationalUnit

dn: ou=Group,dc=ldaptest,dc=com,dc=cn

ou: Group

objectClass: top

objectClass: organizationalUnit

[root@node3 ~]# ldapadd -x -w "123456" -D "cn=admin,dc=ldaptest,dc=com,dc=cn" -f base.ldif

[root@node3 ~]# ldapadd -x -w "123456" -D "cn=admin,dc=ldaptest,dc=com,dc=cn" -f users.ldif 

[root@node3 ~]# ldapadd -x -w "123456" -D "cn=admin,dc=ldaptest,dc=com,dc=cn" -f groups.ldif 

5、启用Openldap服务的日志记录功能

[root@node3 ~]# vim loglevel.ldif 

dn: cn=config

changetype: modify

replace: olcLogLevel

olcLogLevel: stats

[root@node3 ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f loglevel.ldif 

SASL/EXTERNAL authentication started

SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

SASL SSF: 0

modifying entry "cn=config"

[root@node3 ~]# vim /etc/rsyslog.conf

local4.* /var/log/slapd/slapd.log

[root@node3 ~]# systemctl restart rsyslog

[root@node3 ~]# systemctl restart slapd

6、禁止用户匿名登录

[root@node3 ~]# vim disable_anon.ldif 

dn: cn=config

changetype: modify

add: olcDisallows

olcDisallows: bind_anon

dn: cn=config

changetype: modify

add: olcRequires

olcRequires: authc

dn: olcDatabase={-1}frontend,cn=config

changetype: modify

add: olcRequires

olcRequires: authc

[root@node3 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /root/disable_anon.ldif

SASL/EXTERNAL authentication started

SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

SASL SSF: 0

modifying entry "cn=config"

modifying entry "cn=config"

modifying entry "olcDatabase={-1}frontend,cn=config"

二、搭建ldap account manager 管理Openldap服务

本例中我安装的是lam 6.5 的版本,从官网的changelog上来看,此版本已经不支持使用httpd 2.2 ,且要求的php版本为7.2或以上,详情可查看:https://www.ldap-account-manager.org/lamcms/changelog

1、安装httpd服务及php 7.2

[root@node3 src]# yum install -y httpd

#移除当前系统中安装的php版本

[root@node3 src]# yum -y remove php*

[root@node3 src]# rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm 

[root@node3 src]# rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm 

[root@node3 src]# yum install -y php72w php72w-ldap php72w-gd php72w-common

2、下载安装lam

[root@node3 ~]# cd /usr/local/src/

[root@node3 src]# wget https://nchc.dl.sourceforge.net/project/lam/LAM/6.5/ldap-account-manager-6.5.tar.bz2

[root@node3 src]# tar jxf ldap-account-manager-6.5.tar.bz2

[root@node3 src]# mv ldap-account-manager-6.5 /var/www/html/ldap

[root@node3 src]# cd /var/www/html/ldap/config

[root@node3 config]# cp config.cfg.sample config.cfg

[root@node3 config]# cp unix.conf.sample lam.conf

[root@node3 config]# sed -i "s/dc=my-domain,dc=com/dc=ldaptest,dc=com,dc=cn/g" lam.conf

[root@node3 config]# sed -i "s/cn=Manager/cn=admin/g" lam.conf 

[root@node3 config]# sed -i "s/dc=yourdomain,dc=org/dc=ldaptest,dc=com,dc=cn/g" lam.conf 

[root@node3 config]# chown -R apache.apache /var/www/html/ldap/

[root@node3 config]# systemctl start httpd


三、配置Centos 7 使用openldap服务作为认证源

1、安装openldap 客户端软件

[root@localhost ~]# yum install -y openldap-clients nss-pam-ldapd

2、修改nslcd配置文件

[root@localhost ~]# vim /etc/nslcd.conf

uri ldap://10.10.10.11/

base dc=ldaptest,dc=com,dc=cn

binddn cn=admin,dc=ldaptest,dc=com,dc=cn #若服务器开启了禁止匿名用户访问,需要在客户端配置具有读权限的账号和密码才能验证成功。本例直接使用管理员账号绑定、密码明文保存且未启用 TLS(ssl no),生产环境应为客户端单独创建只读的绑定账号,并限制本文件的读取权限。

bindpw 123456 #同上

rootpwmoddn cn=admin,dc=ldaptest,dc=com,dc=cn

rootpwmodpw 123456

ssl no

tls_cacertdir /etc/openldap/cacerts

3、修改system-auth配置文件

[root@localhost ~]# vim /etc/pam.d/system-auth

auth required pam_env.so

auth sufficient pam_unix.so nullok try_first_pass

auth requisite pam_succeed_if.so uid >= 500 quiet

auth sufficient pam_ldap.so use_first_pass #新增

auth required pam_deny.so

account required pam_unix.so

account sufficient pam_localuser.so

account sufficient pam_succeed_if.so uid < 500 quiet

account [default=bad success=ok user_unknown=ignore] pam_ldap.so #新增

account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3 type=

password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok

password sufficient pam_ldap.so use_authtok #新增

password required pam_deny.so

session optional pam_keyinit.so revoke

session required pam_limits.so

session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid

session optional pam_ldap.so #新增

session required pam_unix.so

4、修改nsswitch.conf 配置文件

[root@localhost ~]# vim /etc/nsswitch.conf

passwd: files ldap

shadow: files ldap

group: files ldap

5、修改authconfig配置文件

[root@localhost ~]# vim /etc/sysconfig/authconfig

USELOCAUTHORIZE=yes

USELDAPAUTH=yes

USELDAP=yes

USESHADOW=yes

6、启动nslcd服务

[root@localhost ~]# systemctl restart nslcd

#如果可以通过下述命令获取到openldap认证用户的相关信息,则说明配置成功。

[root@localhost ~]# getent passwd charles

charles:x:1000:1000:charles:/home/charles:/bin/bash

7、配置客户端登录自动创建家目录

[root@localhost ~]# vim /etc/pam.d/system-auth

session optional pam_keyinit.so revoke

session required pam_limits.so

session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid

session required pam_unix.so

session optional pam_ldap.so

#添加创建家目录的模块

session optional pam_mkhomedir.so skel=/etc/skel umask=077

[root@localhost ~]# vim /etc/pam.d/sshd 

#%PAM-1.0

auth required pam_sepermit.so

auth include password-auth

account required pam_nologin.so

account include password-auth

password include password-auth

# pam_selinux.so close should be the first session rule

session required pam_selinux.so close

session required pam_loginuid.so

# pam_selinux.so open should only be followed by sessions to be executed in the user context

session required pam_selinux.so open env_params

session required pam_namespace.so

session optional pam_keyinit.so force revoke

session include password-auth

#添加模块

session required pam_mkhomedir.so

#重启相应的服务

[root@localhost ~]# service sshd restart

Stopping sshd: [ OK ]

Starting sshd: [ OK ]

[root@localhost ~]# service nslcd restart

Stopping nslcd: [ OK ]

Starting nslcd: [ OK ]

配置完成后,初次使用openldap认证用户登录系统时,系统会自动创建该用户的家目录。



四、配置Openldap服务的sudo权限管理

1、在openldap服务器上导入相应的sudo schema
[root@node3 ~]# cp -f /usr/share/doc/sudo-1.8.19p2/schema.OpenLDAP /etc/openldap/schema/sudo.schema
[root@node3 ~]# restorecon /etc/openldap/schema/sudo.schema
[root@node3 ~]# mkdir ~/sudo
[root@node3 ~]# echo "include /etc/openldap/schema/sudo.schema" > ~/sudo/sudoSchema.conf
[root@node3 ~]# slapcat -f ~/sudo/sudoSchema.conf -F /tmp/ -n0 -s "cn={0}sudo,cn=schema,cn=config" > ~/sudo/sudo.ldif
[root@node3 ~]# sed -i "s/{0}sudo/{12}sudo/g" ~/sudo/sudo.ldif
[root@node3 ~]# head -n-8 ~/sudo/sudo.ldif > ~/sudo/sudo-config.ldif
[root@node3 ~]# vim ~/sudo/sudo-config.ldif
[root@node3 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f ~/sudo/sudo-config.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn={12}sudo,cn=schema,cn=config"
[root@node3 ~]# ls /etc/openldap/slapd.d/cn\=config/cn\=schema
cn={0}core.ldif cn={1}cosine.ldif cn={2}nis.ldif cn={3}inetorgperson.ldif cn={4}sudo.ldif
2、定义sudo组及规则
[root@node3 ~]# vim sudoenv.ldif 

dn: ou=sudoers,dc=ldaptest,dc=com,dc=cn
objectClass: organizationalUnit
ou: sudoers

dn: cn=defaults,ou=sudoers,dc=ldaptest,dc=com,dc=cn
objectClass: sudoRole
cn: defaults
description: Default sudoOptions go here
sudoOption: requiretty
sudoOption: always_set_home
sudoOption: env_reset
sudoOption: env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
sudoOption: env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
sudoOption: env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
sudoOption: env_keep+="LC_MONETARY LC_NAME LC_NUMBERIC LC_PAPER LC_TELEPHONE"
sudoOption: env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
sudoOption: secure_path=/sbin:/bin:/usr/sbin/:/usr/bin

[root@node3 ~]# vim sudorules.ldif

dn: cn=%admin,ou=sudoers,dc=ldaptest,dc=com,dc=cn
objectClass: sudoRole
cn: %admin
sudoUser: %admin
sudoHost: ALL
sudoOption: authenticate
sudoCommand: /bin/rm
sudoCommand: /bin/rmdir
sudoCommand: /bin/chmod
sudoCommand: /bin/chown
sudoCommand: /bin/dd
sudoCommand: /bin/mv
sudoCommand: /bin/cp
sudoCommand: /sbin/fsck*
sudoCommand: /sbin/*remove
sudoCommand: /usr/bin/chattr
sudoCommand: /sbin/mkfs*
sudoCommand: !/usr/bin/passwd
sudoOrder: 0

dn: cn=%app,ou=sudoers,dc=ldaptest,dc=com,dc=cn
objectClass: sudoRole
cn: %app
sudoUser: %app
sudoHost: ALL
sudoRunAsUser: appman
sudoOption: !authenticate
sudoCommand: /bin/bash


[root@node3 ~]# ldapadd -D "cn=admin,dc=ldaptest,dc=com,dc=cn" -h 10.10.10.35 -x -W -f sudoenv.ldif 
Enter LDAP Password: 
adding new entry "ou=sudoers,dc=ldaptest,dc=com,dc=cn"

adding new entry "cn=defaults,ou=sudoers,dc=ldaptest,dc=com,dc=cn"

[root@node3 ~]# ldapadd -D "cn=admin,dc=ldaptest,dc=com,dc=cn" -h 10.10.10.35 -x -W -f sudorules.ldif 
Enter LDAP Password: 
adding new entry "cn=%admin,ou=sudoers,dc=ldaptest,dc=com,dc=cn"

adding new entry "cn=%app,ou=sudoers,dc=ldaptest,dc=com,dc=cn"

配置完成后,新增一个用户组为admin,并把相应的管理员用户添加为该组成员,在配置了读取openldap上的sudo配置的系统中登录时,该用户就能获取相应的sudo权限。

3、在Centos 7 客户端上配置相关的sudo配置
[root@localhost ~]# vim /etc/nsswitch.conf 
#在文件末尾添加
sudoers: ldap files

[root@localhost ~]# vim /etc/sudo-ldap.conf
binddn cn=admin,dc=ldaptest,dc=com,dc=cn 
bindpw 123456
uri ldap://10.10.10.35
#在文件末尾添加
sudoers_base ou=sudoers,dc=ldaptest,dc=com,dc=cn

配置完成后,可以使用指定用户登录客户端系统验证其对应的sudo权限,类似如下:

[charles@localhost ~]$ sudo -l
[sudo] password for charles: 
Matching Defaults entries for charles on localhost:
    requiretty, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION
    LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMBERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME
    LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin:/bin:/usr/sbin/:/usr/bin, !visiblepw,
    always_set_home, match_group_by_gid, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION
    LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME
    LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User charles may run the following commands on localhost:
    (root) PASSWD: /bin/rm, /bin/rmdir, /bin/chmod, /bin/chown, /bin/dd, /bin/mv, /bin/cp, /sbin/fsck*, /sbin/*remove,
        /usr/bin/chattr, /sbin/mkfs*, !/usr/bin/passwd

五、Openldap的用户密码管理

1、Openldap服务端加载ppolicy schema
[root@node3 ~]# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/ppolicy.ldif 
adding new entry "cn=ppolicy,cn=schema,cn=config"
2、Openldap服务端加载ppolicy模块及相应的objectClass
[root@node3 ~]# vim add_module.ldif
dn: cn=module,cn=config
cn: module
objectClass: olcModuleList
olcModulePath: /usr/lib64/openldap

dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy.la

[root@node3 ~]# vim add_objectClass.ldif 

dn: olcOverlay=ppolicy,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=policy,dc=ldaptest,dc=com,dc=cn
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: TRUE


[root@node3 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f add_module.ldif 
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=module,cn=config"

modifying entry "cn=module{0},cn=config"

[root@node3 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f add_objectClass.ldif 
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "olcOverlay=ppolicy,olcDatabase={2}hdb,cn=config"

3、在服务端定义密码策略组
[root@node3 ~]# vim ppolicy.ldif 

dn: ou=policy,dc=ldaptest,dc=com,dc=cn
objectClass: organizationalUnit
ou: policy
[root@node3 ~]# ldapadd -x -D "cn=admin,dc=ldaptest,dc=com,dc=cn" -h 10.10.10.35 -W -f ppolicy.ldif 
Enter LDAP Password: 
adding new entry "ou=policy,dc=ldaptest,dc=com,dc=cn"
4、在服务端定义默认的密码规则
[root@node3 ~]# vim ppolicy_rules.ldif

dn: cn=default,ou=policy,dc=ldaptest,dc=com,dc=cn
cn: default
objectClass: pwdPolicy
objectClass: person
objectClass: pwdPolicyChecker
pwdCheckModule: check_password.so                #调用密码复杂性检查模块
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdExpireWarning: 259200
pwdFailureCountInterval: 0
pwdGraceAuthNLimit: 5
pwdCheckQuality: 1                    #默认为0不检测密码强度,1为检查密码强度,并调用相应的模块检查密码复杂性,如果模块不存在,则仅检测ppolicy设置的属性;2为强制检测,如果检测模块不存在,则认为检测失败。
pwdInHistory: 5
pwdLockout: TRUE
pwdLockoutDuration: 300
pwdMaxAge: 259200
pwdMinAge: 0
pwdMaxFailure: 5
pwdMinLength: 8
pwdMustChange: TRUE
pwdSafeModify: TRUE
pwdReset: TRUE
sn: dummy value
[root@node3 ~]# ldapadd -x -D "cn=admin,dc=ldaptest,dc=com,dc=cn" -h 10.10.10.35 -W -f ppolicy_rules.ldif 
Enter LDAP Password: 
adding new entry "cn=default,ou=policy,dc=ldaptest,dc=com,dc=cn"

[root@node3 ~]# vim /etc/openldap/check_password.conf                 #配置密码复杂性检查规则
# OpenLDAP pwdChecker library configuration
#useCracklib 1
minPoints 3        #至少满足三个规则,此5个规则之间的关系为与关系,会按顺序匹配检查,如果全启用,则密码必须全部匹配所有规则才算合法。
minUpper 1        #至少1个大写字母
minLower 1        #至少1个小写字母
minDigit 1            #至少一个数字
minPunct 1        #至少一个标点符号

5、定义用户登录修改密码
#定义用户自助修改密码的acl权限(注意下面第二条规则 to * by self write 允许用户修改自己条目的全部属性,包括 uidNumber、gidNumber 等被客户端用于授权的属性,生产环境应收紧为 by self read)
[root@node3 ~]# vim pw_access.ldif 
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcAccess
olcAccess: to attrs=userPassword by self write by anonymous auth by dn.base="cn=admin,dc=ldaptest,dc=com,dc=cn" write by * none
olcAccess: to * by self write by dn.base="cn=admin,dc=ldaptest,dc=com,dc=cn" write by * read

dn: olcDatabase={-1}frontend,cn=config        #定义修改默认的密码hash算法(注意 {MD5} 为无盐的弱哈希,建议使用前面 slappasswd 生成的 {SSHA} 类型;上面 olcPPolicyHashCleartext 为 TRUE 时,ppolicy 对明文密码的哈希也使用此处配置的算法)
changetype: modify
replace: olcPasswordHash
olcPasswordHash: {MD5}


[root@node3 ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f pw_access.ldif 
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={-1}frontend,cn=config"


[root@node3 ~]# vim pwreset.ldif
dn: uid=charles,ou=People,dc=ldaptest,dc=com,dc=cn
changetype: modify
replace: pwdReset
pwdReset: TRUE

[root@node3 ~]# ldapadd -x -D "cn=admin,dc=ldaptest,dc=com,dc=cn" -h 10.10.10.35 -W -f pwreset.ldif 
Enter LDAP Password: 
modifying entry "uid=charles,ou=People,dc=ldaptest,dc=com,dc=cn"

[root@node3 ~]# ldapwhoami -x -D "uid=charles,ou=People,dc=ldaptest,dc=com,dc=cn" -W -e ppolicy -v
ldap_initialize(  )
Enter LDAP Password: 
ldap_bind: Success (0); Password must be changed (Password expires in 258868 seconds)
dn:uid=charles,ou=People,dc=ldaptest,dc=com,dc=cn
Result: Success (0)

在某些情况下,使用pwdReset 来让用户登录修改密码的话,有时候用户会无法成功登录。在这种情况下,我们可以通过把用户的密码属性shadowLastChange 修改为0,来主动使得用户的密码过期,从而在用户下一次登录时触发密码更改。如:

[root@node3 ~]# vim pwExpire.ldif 

dn: uid=charles,ou=People,dc=ldaptest,dc=com,dc=cn
changetype: modify
replace: shadowLastChange
shadowLastChange: 0
[root@node3 ~]# ldapadd -x -D "cn=admin,dc=ldaptest,dc=com,dc=cn" -h 10.10.10.35 -W -f pwExpire.ldif 
Enter LDAP Password: 
modifying entry "uid=charles,ou=People,dc=ldaptest,dc=com,dc=cn"
6、在服务端配置密码审计
[root@node3 ~]# vim add_audit.ldif 

dn: cn=module,cn=config
cn: module
objectClass: olcModuleList
olcModulePath: /usr/lib64/openldap

dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: auditlog.la 

[root@node3 ~]# vim add_auditlog_objectClass.ldif 
dn: olcOverlay=auditlog,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcAuditLogConfig
olcOverlay: auditlog
olcAuditlogFile: /var/log/slapd/auditlog.log                    #配置密码审计记录的日志保存路径

[root@node3 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f add_audit.ldif
[root@node3 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f add_auditlog_objectClass.ldif
[root@node3 ~]# mkdir /var/log/slapd
[root@node3 ~]# touch /var/log/slapd/auditlog.log
[root@node3 ~]# chown -R ldap.ldap /var/log/slapd/auditlog.log
[root@node3 ~]# systemctl restart slapd
[root@node3 ~]# systemctl restart rsyslog

配置完成后,用户修改密码的操作记录都会写入指定路径下的日志文件;该日志以 LDIF 形式保存被修改的属性值,应限制其读取权限。
