一、搭建Openldap
1、安装openldap 服务
[root@node3 ~]# yum install -y epel-release openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel migrationtools
2、初始化openldap服务管理权限
[root@node3 ~]# slappasswd -s 123456
{SSHA}gn0ZWIBguTeY2n/AVaTxuNc1tn/kxiiW
[root@node3 ~]# sed -i 's/cn=Manager/cn=admin/g' /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}hdb.ldif
[root@node3 ~]# sed -i 's/dc=my-domain,dc=com/dc=ldaptest,dc=com,dc=cn/g' /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}hdb.ldif
[root@node3 ~]# vim /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}hdb.ldif
olcSuffix: dc=ldaptest,dc=com,dc=cn
olcRootDN: cn=admin,dc=ldaptest,dc=com,dc=cn
olcRootPW: {SSHA}gn0ZWIBguTeY2n/AVaTxuNc1tn/kxiiW
[root@node3 ~]# sed -i 's/cn=Manager,dc=my-domain,dc=com/cn=admin,dc=ldaptest,dc=com,dc=cn/g' /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}monitor.ldif
[root@node3 ~]# vim /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}monitor.ldif
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
al,cn=auth" read by dn.base="cn=admin,dc=ldaptest,dc=com,dc=cn" read by * none
[root@node3 ~]# slaptest -u
5bea3013 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif"
5bea3013 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif"
config file testing succeeded
[root@node3 ~]#
[root@node3 ~]# systemctl restart slapd
3、配置Openldap数据库
[root@node3 ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@node3 ~]# chown ldap.ldap -R /var/lib/ldap/
[root@node3 ~]# chmod 700 -R /var/lib/ldap/
[root@node3 ~]# ll /var/lib/ldap/
total 324
-rwx------. 1 ldap ldap 2048 Nov 13 09:59 alock
-rwx------. 1 ldap ldap 262144 Nov 13 09:59 __db.001
-rwx------. 1 ldap ldap 32768 Nov 13 09:59 __db.002
-rwx------. 1 ldap ldap 49152 Nov 13 09:59 __db.003
-rwx------. 1 ldap ldap 845 Nov 13 10:00 DB_CONFIG
-rwx------. 1 ldap ldap 8192 Nov 13 09:59 dn2id.bdb
-rwx------. 1 ldap ldap 32768 Nov 13 09:59 id2entry.bdb
-rwx------. 1 ldap ldap 10485760 Nov 13 09:59 log.0000000001
[root@node3 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
[root@node3 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
You have mail in /var/spool/mail/root
[root@node3 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"
4、初始化组织架构及添加初始用户和组
[root@node3 ~]# vim /usr/share/migrationtools/migrate_common.ph
$DEFAULT_MAIL_DOMAIN = "ldaptest.com.cn";
$DEFAULT_BASE = "dc=ldaptest,dc=com,dc=cn";
$EXTENDED_SCHEMA = 1;
[root@node3 ~]# groupadd OPS
[root@node3 ~]# groupadd HR
[root@node3 ~]# useradd -g OPS charles
[root@node3 ~]# useradd -g HR fiona
[root@node3 ~]# echo "123456" | passwd --stdin charles
Changing password for user charles.
passwd: all authentication tokens updated successfully.
[root@node3 ~]# echo "123456" | passwd --stdin fiona
Changing password for user fiona.
passwd: all authentication tokens updated successfully.
[root@node3 ~]# grep "OPS" /etc/group > groups
[root@node3 ~]# grep "HR" /etc/group >> groups
[root@node3 ~]# grep "charles" /etc/passwd > users
[root@node3 ~]# grep "fiona" /etc/passwd >> users
[root@node3 ~]# /usr/share/migrationtools/migrate_passwd.pl users > users.ldif
[root@node3 ~]# /usr/share/migrationtools/migrate_group.pl groups > groups.ldif
[root@node3 ~]# vim base.ldif
dn: dc=ldaptest,dc=com,dc=cn
o: ldaptest.com.cn
dc: ldaptest
objectClass: top
objectClass: dcObject
objectclass: organization
dn: cn=admin,dc=ldaptest,dc=com,dc=cn
cn: admin
objectClass: organizationalRole
description: Directory Manager
dn: ou=People,dc=ldaptest,dc=com,dc=cn
ou: People
objectClass: top
objectClass: organizationalUnit
dn: ou=Group,dc=ldaptest,dc=com,dc=cn
ou: Group
objectClass: top
objectClass: organizationalUnit
[root@node3 ~]# ldapadd -x -w "123456" -D "cn=admin,dc=ldaptest,dc=com,dc=cn" -f base.ldif
[root@node3 ~]# ldapadd -x -w "123456" -D "cn=admin,dc=ldaptest,dc=com,dc=cn" -f users.ldif
[root@node3 ~]# ldapadd -x -w "123456" -D "cn=admin,dc=ldaptest,dc=com,dc=cn" -f groups.ldif
5、启用Openldap服务的日志记录功能
[root@node3 ~]# vim loglevel.ldif
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats
[root@node3 ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f loglevel.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
[root@node3 ~]# vim /etc/rsyslog.conf
local4.* /var/log/slapd/slapd.log
[root@node3 ~]# systemctl restart rsyslog
[root@node3 ~]# systemctl restart slapd
6、禁止用户匿名登录
[root@node3 ~]# vim disable_anon.ldif
dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon
dn: cn=config
changetype: modify
add: olcRequires
olcRequires: authc
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcRequires
olcRequires: authc
[root@node3 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /root/disable_anon.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
modifying entry "cn=config"
modifying entry "olcDatabase={-1}frontend,cn=config"
二、搭建ldap account manager 管理Openldap服务
本例中我安装的是lam 6.5 的版本,从官网的changelog上来看,此版本已经不支持使用httpd 2.2 ,且要求的php版本为7.2或以上,详情可查看:https://www.ldap-account-manager.org/lamcms/changelog
1、安装httpd服务及php 7.2
[root@node3 src]# yum install -y httpd
#移除当前系统中安装的php版本
[root@node3 src]# yum -y remove php*
[root@node3 src]# rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
[root@node3 src]# rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm
[root@node3 src]# yum install -y php72w php72w-ldap php72w-gd php72w-common
2、下载安装lam
[root@node3 ~]# cd /usr/local/src/
[root@node3 src]# wget https://nchc.dl.sourceforge.net/project/lam/LAM/6.5/ldap-account-manager-6.5.tar.bz2
[root@node3 src]# tar jxf ldap-account-manager-6.5.tar.bz2
[root@node3 src]# mv ldap-account-manager-6.5 /var/www/html/ldap
[root@node3 src]# cd /var/www/html/ldap/config
[root@node3 config]# cp config.cfg.sample config.cfg
[root@node3 config]# cp unix.conf.sample lam.conf
[root@node3 config]# sed -i "s/dc=my-domain,dc=com/dc=ldaptest,dc=com,dc=cn/g" lam.conf
[root@node3 config]# sed -i "s/cn=Manager/cn=admin/g" lam.conf
[root@node3 config]# sed -i "s/dc=yourdomain,dc=org/dc=ldaptest,dc=com,dc=cn/g" lam.conf
[root@node3 config]# chown -R apache.apache /var/www/html/ldap/
[root@node3 config]# systemctl start httpd
三、配置Centos 7 使用openldap服务作为认证源
1、安装openldap 客户端软件
[root@localhost ~]# yum install -y openldap-clients nss-pam-ldapd
2、修改nslcd配置文件
[root@localhost ~]# vim /etc/nslcd.conf
uri ldap://10.10.10.11/
base dc=ldaptest,dc=com,dc=cn
binddn cn=admin,dc=ldaptest,dc=com,dc=cn #若服务器开启了禁止匿名用户访问,需要在客户端配置具有读权限的账号和密码才能验证成功。
bindpw 123456 #同上;注意该密码以明文保存在本文件中,且在 ssl no 的情况下会以明文经网络传输,应将本文件权限限制为仅 root 可读。
rootpwmoddn cn=admin,dc=ldaptest,dc=com,dc=cn
rootpwmodpw 123456
ssl no
tls_cacertdir /etc/openldap/cacerts
3、修改system-auth配置文件
[root@localhost ~]# vim /etc/pam.d/system-auth
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass #新增
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so #新增
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok #新增
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session optional pam_ldap.so #新增
session required pam_unix.so
4、修改nsswitch.conf 配置文件
[root@localhost ~]# vim /etc/nsswitch.conf
passwd: files ldap
shadow: files ldap
group: files ldap
5、修改authconfig配置文件
[root@localhost ~]# vim /etc/sysconfig/authconfig
USELOCAUTHORIZE=yes
USELDAPAUTH=yes
USELDAP=yes
USESHADOW=yes
6、启动nslcd服务
[root@localhost ~]# systemctl restart nslcd
#若能通过下述命令获取到openldap认证用户的相关信息,说明配置成功。
[root@localhost ~]# getent passwd charles
charles:x:1000:1000:charles:/home/charles:/bin/bash
7、配置客户端登录自动创建家目录
[root@localhost ~]# vim /etc/pam.d/system-auth
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
#添加创建家目录的模块
session optional pam_mkhomedir.so skel=/etc/skel umask=077
[root@localhost ~]# vim /etc/pam.d/sshd
#%PAM-1.0
auth required pam_sepermit.so
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
#添加模块
session required pam_mkhomedir.so
#重启相应的服务
[root@localhost ~]# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
[root@localhost ~]# service nslcd restart
Stopping nslcd: [ OK ]
Starting nslcd: [ OK ]
配置完成后,初次使用openldap认证用户登录系统时,系统会自动创建该用户的家目录。
四、配置Openldap服务的sudo权限管理
1、在openldap服务器上导入相应的sudo schema
[root@node3 ~]# cp -f /usr/share/doc/sudo-1.8.19p2/schema.OpenLDAP /etc/openldap/schema/sudo.schema
[root@node3 ~]# restorecon /etc/openldap/schema/sudo.schema
[root@node3 ~]# mkdir ~/sudo
[root@node3 ~]# echo "include /etc/openldap/schema/sudo.schema" > ~/sudo/sudoSchema.conf
[root@node3 ~]# slapcat -f ~/sudo/sudoSchema.conf -F /tmp/ -n0 -s "cn={0}sudo,cn=schema,cn=config" > ~/sudo/sudo.ldif
[root@node3 ~]# sed -i "s/{0}sudo/{12}sudo/g" ~/sudo/sudo.ldif
[root@node3 ~]# head -n-8 ~/sudo/sudo.ldif > ~/sudo/sudo-config.ldif
[root@node3 ~]# vim ~/sudo/sudo-config.ldif
[root@node3 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f ~/sudo/sudo-config.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn={12}sudo,cn=schema,cn=config"
[root@node3 ~]# ls /etc/openldap/slapd.d/cn\=config/cn\=schema
cn={0}core.ldif cn={1}cosine.ldif cn={2}nis.ldif cn={3}inetorgperson.ldif cn={4}sudo.ldif
2、定义sudo组及规则
[root@node3 ~]# vim sudoenv.ldif
dn: ou=sudoers,dc=ldaptest,dc=com,dc=cn
objectClass: organizationalUnit
ou: sudoers
dn: cn=defaults,ou=sudoers,dc=ldaptest,dc=com,dc=cn
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: requiretty
sudoOption: always_set_home
sudoOption: env_reset
sudoOption: env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
sudoOption: env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
sudoOption: env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
sudoOption: env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
sudoOption: env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
sudoOption: secure_path=/sbin:/bin:/usr/sbin/:/usr/bin
[root@node3 ~]# vim sudorules.ldif
dn: cn=%admin,ou=sudoers,dc=ldaptest,dc=com,dc=cn
objectClass: sudoRole
cn: %admin
sudoUser: %admin
sudoHost: ALL
sudoOption: authenticate
sudoCommand: /bin/rm
sudoCommand: /bin/rmdir
sudoCommand: /bin/chmod
sudoCommand: /bin/chown
sudoCommand: /bin/dd
sudoCommand: /bin/mv
sudoCommand: /bin/cp
sudoCommand: /sbin/fsck*
sudoCommand: /sbin/*remove
sudoCommand: /usr/bin/chattr
sudoCommand: /sbin/mkfs*
sudoCommand: !/usr/bin/passwd
sudoOrder: 0
dn: cn=%app,ou=sudoers,dc=ldaptest,dc=com,dc=cn
objectClass: sudoRole
cn: %app
sudoUser: %app
sudoHost: ALL
sudoRunAsUser: appman
sudoOption: !authenticate
sudoCommand: /bin/bash
[root@node3 ~]# ldapadd -D "cn=admin,dc=ldaptest,dc=com,dc=cn" -h 10.10.10.35 -x -W -f sudoenv.ldif
Enter LDAP Password:
adding new entry "ou=sudoers,dc=ldaptest,dc=com,dc=cn"
adding new entry "cn=defaults,ou=sudoers,dc=ldaptest,dc=com,dc=cn"
[root@node3 ~]# ldapadd -D "cn=admin,dc=ldaptest,dc=com,dc=cn" -h 10.10.10.35 -x -W -f sudorules.ldif
Enter LDAP Password:
adding new entry "cn=%admin,ou=sudoers,dc=ldaptest,dc=com,dc=cn"
adding new entry "cn=%app,ou=sudoers,dc=ldaptest,dc=com,dc=cn"
配置完成后,新增一个名为admin的用户组,并把相应的管理员用户添加为该组成员;在配置了从openldap读取sudo规则的系统上登录时,该用户就能获得相应的sudo权限。
3、在Centos 7 客户端上配置相关的sudo配置
[root@localhost ~]# vim /etc/nsswitch.conf
#在文件末尾添加
sudoers: ldap files
[root@localhost ~]# vim /etc/sudo-ldap.conf
binddn cn=admin,dc=ldaptest,dc=com,dc=cn
bindpw 123456
uri ldap://10.10.10.35
#在文件末尾添加
sudoers_base ou=sudoers,dc=ldaptest,dc=com,dc=cn
配置完成后,可以使用指定用户登录客户端系统验证其对应的sudo权限,类似如下:
[charles@localhost ~]$ sudo -l
[sudo] password for charles:
Matching Defaults entries for charles on localhost:
requiretty, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION
LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME
LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin:/bin:/usr/sbin/:/usr/bin, !visiblepw,
always_set_home, match_group_by_gid, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION
LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME
LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User charles may run the following commands on localhost:
(root) PASSWD: /bin/rm, /bin/rmdir, /bin/chmod, /bin/chown, /bin/dd, /bin/mv, /bin/cp, /sbin/fsck*, /sbin/*remove,
/usr/bin/chattr, /sbin/mkfs*, !/usr/bin/passwd
五、Openldap的用户密码管理
1、Openldap服务端加载ppolicy schema
[root@node3 ~]# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/ppolicy.ldif
adding new entry "cn=ppolicy,cn=schema,cn=config"
2、Openldap服务端加载ppolicy模块及相应的objectClass
[root@node3 ~]# vim add_module.ldif
dn: cn=module,cn=config
cn: module
objectClass: olcModuleList
olcModulePath: /usr/lib64/openldap
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy.la
[root@node3 ~]# vim add_objectClass.ldif
dn: olcOverlay=ppolicy,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=policy,dc=ldaptest,dc=com,dc=cn
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: TRUE
[root@node3 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f add_module.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=module,cn=config"
modifying entry "cn=module{0},cn=config"
[root@node3 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f add_objectClass.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "olcOverlay=ppolicy,olcDatabase={2}hdb,cn=config"
3、在服务端定义密码策略组
[root@node3 ~]# vim ppolicy.ldif
dn: ou=policy,dc=ldaptest,dc=com,dc=cn
objectClass: organizationalUnit
ou: policy
[root@node3 ~]# ldapadd -x -D "cn=admin,dc=ldaptest,dc=com,dc=cn" -h 10.10.10.35 -W -f ppolicy.ldif
Enter LDAP Password:
adding new entry "ou=policy,dc=ldaptest,dc=com,dc=cn"
4、在服务端定义默认的密码规则
[root@node3 ~]# vim ppolicy_rules.ldif
dn: cn=default,ou=policy,dc=ldaptest,dc=com,dc=cn
cn: default
objectClass: pwdPolicy
objectClass: person
objectClass: pwdPolicyChecker
pwdCheckModule: check_password.so #调用密码复杂性检查模块
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdExpireWarning: 259200
pwdFailureCountInterval: 0
pwdGraceAuthNLimit: 5
pwdCheckQuality: 1 #默认为0不检测密码强度,1为检查密码强度,并调用相应的模块检查密码复杂性,如果模块不存在,则仅检测ppolicy设置的属性;2为强制检测,如果检测模块不存在,则认为检测失败。
pwdInHistory: 5
pwdLockout: TRUE
pwdLockoutDuration: 300
pwdMaxAge: 259200
pwdMinAge: 0
pwdMaxFailure: 5
pwdMinLength: 8
pwdMustChange: TRUE
pwdSafeModify: TRUE
pwdReset: TRUE
sn: dummy value
[root@node3 ~]# ldapadd -x -D "cn=admin,dc=ldaptest,dc=com,dc=cn" -h 10.10.10.35 -W -f ppolicy_rules.ldif
Enter LDAP Password:
adding new entry "cn=default,ou=policy,dc=ldaptest,dc=com,dc=cn"
[root@node3 ~]# vim /etc/openldap/check_password.conf #配置密码复杂性检查规则
# OpenLDAP pwdChecker library configuration
#useCracklib 1
minPoints 3 #至少满足三个规则,此5个规则之间的关系为与关系,会按顺序匹配检查,如果全启用,则密码必须全部匹配所有规则才算合法。
minUpper 1 #至少1个大写字母
minLower 1 #至少1个小写字母
minDigit 1 #至少一个数字
minPunct 1 #至少一个标点符号
5、定义用户登录修改密码
#定义用户自助修改密码的acl权限
[root@node3 ~]# vim pw_access.ldif
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcAccess
olcAccess: to attrs=userPassword by self write by anonymous auth by dn.base="cn=admin,dc=ldaptest,dc=com,dc=cn" write by * none
olcAccess: to * by self write by dn.base="cn=admin,dc=ldaptest,dc=com,dc=cn" write by * read
dn: olcDatabase={-1}frontend,cn=config #定义修改默认的密码hash算法(注意 {MD5} 为无盐的弱哈希,生产环境建议沿用上文 slappasswd 生成的 {SSHA} 等加盐算法)
changetype: modify
replace: olcPasswordHash
olcPasswordHash: {MD5}
[root@node3 ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f pw_access.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={-1}frontend,cn=config"
[root@node3 ~]# vim pwreset.ldif
dn: uid=charles,ou=People,dc=ldaptest,dc=com,dc=cn
changetype: modify
replace: pwdReset
pwdReset: TRUE
[root@node3 ~]# ldapadd -x -D "cn=admin,dc=ldaptest,dc=com,dc=cn" -h 10.10.10.35 -W -f pwreset.ldif
Enter LDAP Password:
modifying entry "uid=charles,ou=People,dc=ldaptest,dc=com,dc=cn"
[root@node3 ~]# ldapwhoami -x -D "uid=charles,ou=People,dc=ldaptest,dc=com,dc=cn" -W -e ppolicy -v
ldap_initialize( )
Enter LDAP Password:
ldap_bind: Success (0); Password must be changed (Password expires in 258868 seconds)
dn:uid=charles,ou=People,dc=ldaptest,dc=com,dc=cn
Result: Success (0)
在某些情况下,使用pwdReset 来让用户登录修改密码的话,有时候用户会无法成功登录。在这种情况下,我们可以通过将用户的密码属性shadowLastChange 的时间修改为0,来主动使用户的密码过期,从而在用户下一次登录时触发密码更改。如:
[root@node3 ~]# vim pwExpire.ldif
dn: uid=charles,ou=People,dc=ldaptest,dc=com,dc=cn
changetype: modify
replace: shadowLastChange
shadowLastChange: 0
[root@node3 ~]# ldapadd -x -D "cn=admin,dc=ldaptest,dc=com,dc=cn" -h 10.10.10.35 -W -f pwExpire.ldif
Enter LDAP Password:
modifying entry "uid=charles,ou=People,dc=ldaptest,dc=com,dc=cn"
6、在服务端配置密码审计
[root@node3 ~]# vim add_audit.ldif
dn: cn=module,cn=config
cn: module
objectClass: olcModuleList
olcModulePath: /usr/lib64/openldap
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: auditlog.la
[root@node3 ~]# vim add_auditlog_objectClass.ldif
dn: olcOverlay=auditlog,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcAuditLogConfig
olcOverlay: auditlog
olcAuditlogFile: /var/log/slapd/auditlog.log #配置密码审计记录的日志保存路径
[root@node3 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f add_audit.ldif
[root@node3 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f add_auditlog_objectClass.ldif
[root@node3 ~]# mkdir /var/log/slapd
[root@node3 ~]# touch /var/log/slapd/auditlog.log
[root@node3 ~]# chown -R ldap.ldap /var/log/slapd/auditlog.log
[root@node3 ~]# systemctl restart slapd
[root@node3 ~]# systemctl restart rsyslog
配置完成后,用户修改密码的记录均会记录到指定的路径下。