搭建一套OpenLDAP系统,实现账号的统一管理
可实现的功能:
1:OpenLDAP服务端的搭建
2:PhpLDAPAdmin的搭建(便于web页面管理)
3: OpenLDAP服务端配置分组管理用户sudo权限分配;
(1)默认没有sudo权限;
(2)运维具有sudo到任何用户执行任何命令权限;
(3)研发具有相应的配置执行命令权限
4:OpenLDAP客户端的配置
5:OpenLDAP与SSH
6:OpenLDAP结合客户端PAM,限制用户登录主机
7:OpenLDAP加入密码策略
(1)强制用户首次登录系统更改密码
(2)密码最小设置长度
(3)密码设置强度
(4)密码过期前警告天数
(5)密码过期后不能登录的天数
(6)密码尝试次数,被锁定
(7)密码失败后恢复时间
(8)是否允许用户修改密码
(9)账号锁定后,不能自动解锁,需管理员解锁
8:MirrorMode同步实现OpenLDAP双主模式
9,Keepalived+OpenLDAP实现OpenLDAP高可用
10,TCP Warppers
账号集中管理系统访问和维护流程:
实验环境:
系统:
主:CentOS6.5 64位 192.168.9.225
主:CentOS6.5 64 位 192.168.9.168
VIP: 192.168.9.253
客户端: CentoOS6.5 64位 192.168.9.176
软件包:
openldap-2.4.45
db-4.6.21
phpldapadmin-1.2.3
ltb-project-openldap-initscript-2.2
资料链接:
https://ltb-project.org/download
http://www.openldap.org/
http://www.oracle.com/technetwork/database/database-technologies/berkeleydb/downloads/index-082944.html
ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/
http://download.oracle.com/berkeley-db/db-4.6.21.tar.gz
一,安装OpenLDAP服务端
(俩台主安装方法一样)
1.1 基础环境配置
(1)系统初始化(参见http://wupengfei.blog.51cto.com/7174803/1955545)
(2)关闭防火墙与SElinux
service iptables stop chkconfig iptables off sed -i 's@SELINUX=enforcing@SELINUX=disabled@g' /etc/selinux/config
(3)时间同步
yum -y install ntp /usr/sbin/ntpdate -u clepsydra.dec.com tick.ucla.edu ntp.nasa.gov echo "1 2 * * * /usr/sbin/ntpdate -u clepsydra.dec.com tick.ucla.edu ntp.nasa.gov" >> /var/spool/cron/root
1.2 源码安装OpenLDAP
(1)yum安装依赖包
yum -y install gcc gcc-c++ unzip gzip bzip2 openssl-devel cyrus-sasl-devel krb5-devel tcp_wrappers-devel libtool-ltdl-devel openslp-devel unixODBC-devel mysql-devel
(2)源码安装Berkeley DB
cd /usr/local/src/ wget http://download.oracle.com/berkeley-db/db-4.6.21.tar.gz tar xf db-4.6.21.tar.gz cd db-4.6.21/build_unix/ ../dist/configure --prefix=/usr/local/BDB4 make && make install echo "/usr/local/BDB4/lib" >> /etc/ld.so.conf.d/bdb.conf ldconfig ln -sv /usr/local/BDB4/include /usr/local/bdb
(3)源码安装OpenLDAP
cd /usr/local/src/ wget ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-2.4.45.tgz gunzip -c openldap-2.4.45.tgz | tar xf - cd openldap-2.4.45 ./configure --prefix=/usr/local/openldap2.4 \ --enable-slapd \ --enable-dynacl \ --enable-aci \ --enable-cleartext \ --enable-crypt \ --enable-lmpasswd \ --enable-spasswd \ --enable-modules \ --enable-rewrite \ --enable-rlookups \ --enable-slapi \ --enable-wrappers \ --enable-backends \ --enable-ndb=no \ --enable-perl=no \ --enable-overlays \ CPPFLAGS="-I/usr/local/BDB4/include" \ LDFLAGS="-L/usr/local/BDB4/lib" make depend make make test make install echo "/usr/local/openldap2.4/lib" >> /etc/ld.so.conf.d/ldap.conf ldconfig ln -sv /usr/local/openldap2.4/include /usr/include/ldap2.4 ln -sv /usr/local/openldap2.4/bin/* /usr/local/bin/ ln -sv /usr/local/openldap2.4/sbin/* /usr/local/sbin/
1.4 配置实现功能
(1)配置文件模板
# grep -v ^# slapd.conf | grep -v ^$ include /usr/local/openldap2.4/etc/openldap/schema/corba.schema include /usr/local/openldap2.4/etc/openldap/schema/core.schema include /usr/local/openldap2.4/etc/openldap/schema/cosine.schema include /usr/local/openldap2.4/etc/openldap/schema/duaconf.schema include /usr/local/openldap2.4/etc/openldap/schema/dyngroup.schema include /usr/local/openldap2.4/etc/openldap/schema/inetorgperson.schema include /usr/local/openldap2.4/etc/openldap/schema/java.schema include /usr/local/openldap2.4/etc/openldap/schema/misc.schema include /usr/local/openldap2.4/etc/openldap/schema/nis.schema include /usr/local/openldap2.4/etc/openldap/schema/openldap.schema include /usr/local/openldap2.4/etc/openldap/schema/ppolicy.schema include /usr/local/openldap2.4/etc/openldap/schema/collective.schema include /usr/local/openldap2.4/etc/openldap/schema/sudo.schema pidfile /usr/local/openldap2.4/var/run/slapd.pid argsfile /usr/local/openldap2.4/var/run/slapd.args modulepath /usr/local/openldap2.4/libexec/openldap moduleload accesslog.la moduleload auditlog.la moduleload ppolicy.la moduleload syncprov.la moduleload back_mdb.la moduleload back_ldap.la access to attrs=shadowLastChange,userPassword by self write by anonymous auth by dn.base="cn=admin,dc=dabayouxi,dc=com" write by * none access to * by self write by * read database config access to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by dn.base="cn=admin,dc=dabayouxi,dc=com" write by * none database mdb suffix "dc=dabayouxi,dc=com" rootdn "cn=admin,dc=dabayouxi,dc=com" rootpw {SSHA}jnN16Laklfzlm4hCrob1nhUgUloLpvnm directory /data0/openldap-data index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub loglevel 256 logfile /data0/logs/slapd/slapd.log checkpoint 2048 10 overlay ppolicy ppolicy_default cn=default,ou=pwpolicies,dc=dabayouxi,dc=com
(2)添加sudo.schema
cp -f /usr/share/doc/sudo-1.8.6p3/schema.OpenLDAP /usr/local/openldap2.4/etc/openldap/schema/sudo.schema restorecon /usr/local/openldap2.4/etc/openldap/schema/sudo.schema
(3)创建ldap用户和组
groupadd -r ldap useradd -r -g ldap -s /sbin/nologin ldap
(4)配置日志
mkdir -p /data0/logs/slapd touch /data0/logs/slapd/slapd.log echo "local4.* /data0/logs/slapd/slapd.log" >> /etc/rsyslog.d/openldap.conf service rsyslog restart echo "/data0/logs/slapd/*log { missingok compress notifempty daily rotate 5 create 0600 root root }" >> /etc/logrotate.d/slapd
(5)配置数据存放路径
mkdir -p /data0/openldap-data chmod 700 /data0/openldap-data/ cp /usr/local/openldap2.4/etc/openldap/DB_CONFIG.example /data0/openldap-data/DB_CONFIG chown -R ldap.ldap /data0/openldap-data/ mkdir -p /usr/local/openldap2.4/etc/openldap/slapd.d cd /usr/local/openldap2.4/etc/openldap/ slaptest -f slapd.conf -F slapd.d/ echo "BASE dc=dabayouxi,dc=com URI ldap://192.168.9.168" >> /usr/local/openldap2.4/etc/openldap/ldap.conf
(6)启动脚本下载,修改配置
cd /usr/local/src/ wget https://ltb-project.org/archives/ltb-project-openldap-initscript-2.2.tar.gz tar -xvf ltb-project-openldap-initscript-2.2.tar.gz mv ltb-project-openldap-initscript-2.2/slapd /etc/init.d vim /etc/init.d/slapd SLAPD_PATH="/usr/local/openldap2.4" DATA_PATH="/data0/openldap-data" BDB_PATH="/usr/local/BDB4" chmod +x /etc/init.d/slapd chkconfig slapd on service slapd restart
1.5 OpenLDAP目录树规划
# 将规划的dn导入,将以下内容写入ldif文件中使用ldapadd 命令添加到数据库
mkdir -p /data0/ldapldif/{users,groups,sudoers,policy}
(1)base.ldif
vim /data0/ldapldif/base.ldif dn: dc=dabayouxi,dc=com dc: dabayouxi objectClass: top objectClass: domain dn: ou=users,dc=dabayouxi,dc=com ou: users objectClass: top objectClass: organizationalUnit dn: ou=groups,dc=dabayouxi,dc=com ou: groups objectClass: top objectClass: organizationalUnit dn: ou=sudoers,dc=dabayouxi,dc=com ou: sudoers objectClass: top objectClass: organizationalUnit dn: ou=pwpolicies,dc=dabayouxi,dc=com ou: pwpolicies objectClass: top objectClass: organizationalUnit ldapadd -x -D cn=admin,dc=dabayouxi,dc=com -W -f /data0/ldapldif/base.ldif Enter LDAP Password: adding new entry "dc=dabayouxi,dc=com" adding new entry "ou=users,dc=dabayouxi,dc=com" adding new entry "ou=groups,dc=dabayouxi,dc=com" adding new entry "ou=sudoers,dc=dabayouxi,dc=com" adding new entry "ou=pwpolicies,dc=dabayouxi,dc=com" -x 使用简单认证,不使用加密协议 -D 指定查找的dn,类似操作系统中的根目录 -W 输入密码,不想输入密码使用-w passwd,不推荐容易暴露密码 -f 指定ldif文件 # 通过 ldapsearch查看当前目录树结构 ldapsearch -x -LLL # -LLL 禁止输出不匹配的消息
(2)groups.ldif
echo "dn: cn=web,ou=groups,dc=dabayouxi,dc=com objectClass: posixGroup objectClass: top cn: web gidNumber: 1501" >> /data0/ldapldif/groups/web.ldif echo "dn: cn=core,ou=groups,dc=dabayouxi,dc=com objectClass: posixGroup objectClass: top cn: core gidNumber: 1502" >> /data0/ldapldif/groups/core.ldif ldapadd -x -D cn=admin,dc=dabayouxi,dc=com -W -f /data0/ldapldif/groups/web.ldif Enter LDAP Password: adding new entry "cn=web,ou=groups,dc=dabayouxi,dc=com" ldapadd -x -D cn=admin,dc=dabayouxi,dc=com -W -f /data0/ldapldif/groups/core.ldif Enter LDAP Password: adding new entry "cn=core,ou=groups,dc=dabayouxi,dc=com"
(3)users.ldif
echo "dn: uid=webuser,ou=users,dc=dabayouxi,dc=com uid: webuser cn: webuser objectClass: account objectClass: posixAccount objectClass: top objectClass: shadowAccount userPassword: {SSHA}1F4G8mlpJ4asfQud0kJOsj6tIWdoiHEc shadowLastChange: 17412 shadowMin: 0 shadowMax: 999999 shadowWarning: 7 loginShell: /bin/bash uidNumber: 2501 gidNumber: 1501 homeDirectory: /home/webuser pwdReset: TRUE" >> /data0/ldapldif/users/webuser.ldif echo "dn: uid=coreuser,ou=users,dc=dabayouxi,dc=com uid: coreuser cn: coreuser objectClass: account objectClass: posixAccount objectClass: top objectClass: shadowAccount userPassword: {SSHA}1F4G8mlpJ4asfQud0kJOsj6tIWdoiHEc shadowLastChange: 17412 shadowMin: 0 shadowMax: 999999 shadowWarning: 7 loginShell: /bin/bash uidNumber: 2502 gidNumber: 1502 homeDirectory: /home/coreuser pwdReset: TRUE" >> /data0/ldapldif/users/coreuser.ldif ldapadd -x -D cn=admin,dc=dabayouxi,dc=com -W -f /data0/ldapldif/users/webuser.ldif Enter LDAP Password: adding new entry "uid=webuser,ou=users,dc=dabayouxi,dc=com" ldapadd -x -D cn=admin,dc=dabayouxi,dc=com -W -f /data0/ldapldif/users/coreuser.ldif Enter LDAP Password: adding new entry "uid=coreuser,ou=users,dc=dabayouxi,dc=com"
(4)sudoers.ldif
vim /data0/ldapldif/sudoers/defaults.ldif dn: cn=defaults,ou=sudoers,dc=dabayouxi,dc=com objectClass: top objectClass: sudoRole cn: defaults sudoOption: requiretty sudoOption: !visiblepw sudoOption: always_set_home sudoOption: env_reset vim /data0/ldapldif/sudoers/web.ldif dn: cn=%web,ou=sudoers,dc=dabayouxi,dc=com objectClass: top objectClass: sudoRole cn: %web sudoHost: ALL sudoRunAsUser: www sudoOption: !authenticate sudoOption: !visiblepw sudoOption: always_set_home sudoOption: env_reset sudoCommand: ALL sudoUser: %web vim /data0/ldapldif/sudoers/core.ldif dn: cn=%core,ou=sudoers,dc=dabayouxi,dc=com objectClass: top objectClass: sudoRole cn: %core sudoHost: ALL sudoRunAsUser: ALL sudoOption: !authenticate sudoOption: !visiblepw sudoOption: always_set_home sudoOption: env_reset sudoCommand: ALL sudoUser: %core ldapadd -x -D cn=admin,dc=dabayouxi,dc=com -W -f /data0/ldapldif/sudoers/defaults.ldif Enter LDAP Password: adding new entry "cn=defaults,ou=sudoers,dc=dabayouxi,dc=com" ldapadd -x -D cn=admin,dc=dabayouxi,dc=com -W -f /data0/ldapldif/sudoers/web.ldif Enter LDAP Password: adding new entry "cn=%web,ou=sudoers,dc=dabayouxi,dc=com" ldapadd -x -D cn=admin,dc=dabayouxi,dc=com -W -f /data0/ldapldif/sudoers/core.ldif Enter LDAP Password: adding new entry "cn=%core,ou=sudoers,dc=dabayouxi,dc=com"
(5)pwpolicies.ldif
echo "dn: cn=default,ou=pwpolicies,dc=dabayouxi,dc=com cn: default objectClass: pwdPolicy objectClass: person pwdAllowUserChange: TRUE pwdAttribute: userPassword pwdExpireWarning: 259200 pwdFailureCountInterval: 0 pwdGraceAuthNLimit: 5 pwdInHistory: 5 pwdLockout: TRUE pwdLockoutDuration: 300 pwdMaxAge: 2592000 pwdMaxFailure: 5 pwdMinAge: 0 pwdMinLength: 8 pwdMustChange: TRUE pwdSafeModify: TRUE sn: dummy value" >> /data0/ldapldif/policy/default.ldif ldapadd -x -D cn=admin,dc=dabayouxi,dc=com -W -f /data0/ldapldif/policy/default.ldif Enter LDAP Password: adding new entry "cn=default,ou=pwpolicies,dc=dabayouxi,dc=com"
1.6 安装PhpLDAPAdmin
yum install -y httpd php php-mbstring php-pear php-ldap cd /usr/local/src/ wget https://jaist.dl.sourceforge.net/project/phpldapadmin/phpldapadmin-php5/1.2.3/phpldapadmin-1.2.3.zip unzip phpldapadmin-1.2.3.zip mkdir -p /data0/web_root/ mv phpldapadmin-1.2.3 /data0/web_root/phpldapadmin echo "ServerAdmin [email protected] DocumentRoot /data0/web_root/phpldapadmin ServerName openldap.dabayouxi.com ErrorLog /data0/logs/apache/openldap.dabayouxi.com-error_log CustomLog /data0/logs/apache/openldap.dabayouxi.com-access_log common " >> /etc/httpd/conf/httpd.conf mkdir -p /data0/logs/apache/ service httpd restart cp /data0/web_root/phpldapadmin/config/config.php.example /data0/web_root/phpldapadmin/config/config.php vim /data0/web_root/phpldapadmin/config/config.php $servers->setValue('server','host','192.168.9.168'); $servers->setValue('server','port',389);Options FollowSymLinks AllowOverride all Require all granted
浏览器访问输入:http://192.168.9.168
1.7 MirrorMode同步实现OpenLDAP双主模式
(1)192.168.9.168上slapd.conf最后添加
vim /usr/local/openldap2.4/etc/openldap/slapd.conf #添加以下内容 overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 serverID 1 syncrepl rid=123 provider=ldap://192.168.9.225/ bindmethod=simple binddn="cn=admin,dc=dabayouxi,dc=com" credentials=dabayouxi searchbase="dc=dabayouxi,dc=com" schemachecking=off type=refreshAndPersist retry="60 +" mirrormode on cd /usr/local/openldap2.4/etc/openldap/ slaptest -u rm -rf slapd.d/* slaptest -f slapd.conf -F slapd.d/ service slapd restart
(2)192.168.9.225上slapd.conf最后添加
vim /usr/local/openldap2.4/etc/openldap/slapd.conf #添加以下内容 overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 serverID 2 syncrepl rid=123 provider=ldap://192.168.9.168/ bindmethod=simple binddn="cn=admin,dc=dabayouxi,dc=com" credentials=dabayouxi searchbase="dc=dabayouxi,dc=com" schemachecking=off type=refreshAndPersist retry="60 +" mirrormode on cd /usr/local/openldap2.4/etc/openldap/ slaptest -u rm -rf slapd.d/* slaptest -f slapd.conf -F slapd.d/ service slapd restart
(2)测试同步
1.8 Keepalived+OpenLDAP实现OpenLDAP高可用
(1)下载安装keepalive
cd /usr/local/src/ wget http://www.keepalived.org/software/keepalived-1.2.13.tar.gz yum install -y pcre-devel openssl-devel popt-devel tar xf keepalived-1.2.13.tar.gz cd keepalived-1.2.13 ./configure --prefix=/usr/local/keepalived make make install
(2)配置keepalived配置成系统服务
cd /usr/local/keepalived/ cp etc/rc.d/init.d/keepalived /etc/init.d/ cp etc/sysconfig/keepalived /etc/sysconfig/ mkdir /etc/keepalived cp etc/keepalived/keepalived.conf /etc/keepalived/ cp sbin/keepalived /usr/sbin/ chkconfig keepalived on chkconfig --list keepalived
(3)配置OpenLDAP热备
Master 192.168.9.168
vim /etc/keepalived/keepalived.conf ! Configuration File for keepalived global_defs { router_id OpenLDAP_HA } vrrp_instance OpenLDAP { state Backup interface eth0 virtual_router_id 53 priority 100 advert_int 1 nopreempt authentication { auth_type PASS auth_pass dabayouxi } virtual_ipaddress { 192.168.9.253 } } virtual_server 192.168.9.253 389 { delay_loop 6 nat_mask 255.255.255.0 persistence_timeout 50 protocol TCP real_server 192.168.9.168 389 { weight 3 notify_down "/etc/keepalived/openldap.sh" TCP_CHECK { connect_timeout 5 nb_get_retry 2 delay_before_retry 3 } } } vim /etc/keepalived/openldap.sh #!/bin/bash /etc/init.d/keepalived stop chmod +x /etc/keepalived/openldap.sh service keepalived start Starting keepalived: [ OK ] ip addr 1: lo:mtu 16436 qdisc noqueue state UNKNOWN link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: eth0: mtu 1500 qdisc pfifo_fast state UP qlen 1000 link/ether fa:9b:55:ac:33:00 brd ff:ff:ff:ff:ff:ff inet 192.168.9.168/24 brd 192.168.9.255 scope global eth0 inet 192.168.9.253/32 scope global eth0 inet6 fe80::f89b:55ff:feac:3300/64 scope link valid_lft forever preferred_lft forever
Master 192.168.9.225
vim /etc/keepalived/keepalived.conf ! Configuration File for keepalived global_defs { router_id OpenLDAP_HA } vrrp_instance OpenLDAP { state Backup interface eth0 virtual_router_id 53 priority 90 advert_int 1 authentication { auth_type PASS auth_pass dabayouxi } virtual_ipaddress { 192.168.9.253 } } virtual_server 192.168.9.253 389 { delay_loop 6 nat_mask 255.255.255.0 persistence_timeout 50 protocol TCP real_server 192.168.9.225 389 { weight 3 notify_down "/etc/keepalived/openldap.sh" TCP_CHECK { connect_timeout 5 nb_get_retry 2 delay_before_retry 3 } } } vim /etc/keepalived/openldap.sh #!/bin/bash /etc/init.d/keepalived stop chmod +x /etc/keepalived/openldap.sh service keepalived start
(4)验证
二,安装OpenLDAP客户端
2.1 基础环境配置
(1)系统初始化(参见http://wupengfei.blog.51cto.com/7174803/1955545)
(2)关闭防火墙与SElinux
service iptables stop chkconfig iptables off sed -i 's@SELINUX=enforcing@SELINUX=disabled@g' /etc/selinux/config
(3)时间同步
yum -y install ntp /usr/sbin/ntpdate -u clepsydra.dec.com tick.ucla.edu ntp.nasa.gov echo "1 2 * * * /usr/sbin/ntpdate -u clepsydra.dec.com tick.ucla.edu ntp.nasa.gov" >> /var/spool/cron/root
1.2 源码安装OpenLDAP
(1)yum安装依赖包
yum -y install openldap openldap-devel compat-openldap nss-pam-ldapd
(2)备份源文件
cp /etc/nslcd.conf /etc/nslcd.conf_default cp /etc/nsswitch.conf /etc/nsswitch.conf_dafault cp /etc/pam.d/system-auth-ac /etc/pam.d/system-auth-ac_default cp /etc/pam.d/password-auth-ac /etc/pam.d/password-auth-ac_default cp /etc/pam.d/fingerprint-auth-ac /etc/pam.d/fingerprint-auth-ac_default cp /etc/pam.d/smartcard-auth-ac /etc/pam.d/smartcard-auth-ac_default cp /etc/pam.d/sshd /etc/pam.d/sshd_default cp /etc/pam.d/login /etc/pam.d/login_default cp /etc/openldap/ldap.conf /etc/openldap/ldap.conf_defalut cp /etc/sudo-ldap.conf /etc/sudo-ldap.conf_default
(3)停用sssd服务
service sssd stop && chkconfig sssd off
(4)客户端文件配置修改
#/etc/nslcd.conf
vim /etc/nslcd.conf uri ldap://192.168.9.253 base dc=dabayouxi,dc=com ssl no tls_cacertdir /etc/openldap/cacerts
#/etc/pam_ldap.conf
vim /etc/pam_ldap.conf uri ldap://192.168.9.253 base dc=dabayouxi,dc=com ssl no tls_cacertdir /etc/openldap/cacerts pam_password md5 bind_policy soft pam_lookup_policy yes pam_password clear_remove_old
#/etc/pam.d/system-auth
vim /etc/pam.d/system-auth #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth sufficient pam_fprintd.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth sufficient pam_ldap.so use_first_pass auth required pam_deny.so account required pam_unix.so broken_shadow account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account [default=bad success=ok user_unknown=ignore] pam_ldap.so account required pam_permit.so password requisite pam_cracklib.so minlen=10 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 try_first_pass retry=3 type= password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok password sufficient pam_ldap.so use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so session optional pam_mkhomedir.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_ldap.so
#/etc/pam.d/password-auth
vim /etc/pam.d/password-auth #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth sufficient pam_ldap.so use_first_pass auth required pam_deny.so account required pam_unix.so broken_shadow account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account [default=bad success=ok user_unknown=ignore] pam_ldap.so account required pam_permit.so password requisite pam_cracklib.so minlen=10 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 try_first_pass retry=3 type= password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok password sufficient pam_ldap.so use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so session optional pam_mkhomedir.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_ldap.so
#/etc/pam.d/fingerprint-auth
vim /etc/pam.d/fingerprint-auth #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth sufficient pam_fprintd.so auth required pam_deny.so account required pam_unix.so broken_shadow account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account [default=bad success=ok user_unknown=ignore] pam_ldap.so account required pam_permit.so password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so session optional pam_mkhomedir.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_ldap.so
#/etc/pam.d/smartcard-auth
vim /etc/pam.d/smartcard-auth #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card card_only auth required pam_deny.so account required pam_unix.so broken_shadow account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account [default=bad success=ok user_unknown=ignore] pam_ldap.so account required pam_permit.so password required pam_pkcs11.so session optional pam_keyinit.so revoke session required pam_limits.so session optional pam_mkhomedir.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_ldap.so
#/etc/pam.d/sshd
vim /etc/pam.d/sshd #%PAM-1.0 auth required pam_sepermit.so auth include password-auth account required pam_access.so account required pam_nologin.so account include password-auth password include password-auth # pam_selinux.so close should be the first session rule session required pam_selinux.so close session required pam_loginuid.so # pam_selinux.so open should only be followed by sessions to be executed in the user context session required pam_selinux.so open env_params session required pam_namespace.so session optional pam_keyinit.so force revoke session include password-auth
#/etc/pam.d/login
vim /etc/pam.d/login #%PAM-1.0 auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so auth include system-auth account required pam_nologin.so account include system-auth password include system-auth # pam_selinux.so close should be the first session rule session required pam_selinux.so close session required pam_loginuid.so session required pam_limits.so session optional pam_console.so # pam_selinux.so open should only be followed by sessions to be executed in the user context session required pam_selinux.so open session required pam_namespace.so session optional pam_keyinit.so force revoke session include system-auth -session optional pam_ck_connector.so
#/etc/nsswitch.conf
vim /etc/nsswitch.conf passwd: files ldap shadow: files ldap group: files ldap hosts: files dns bootparams: nisplus [NOTFOUND=return] files ethers: files netmasks: files networks: files protocols: files rpc: files services: files netgroup: ldap publickey: nisplus automount: files ldap sudoers: files ldap
#/etc/sysconfig/authconfig
vim /etc/sysconfig/authconfig IPADOMAINJOINED=no USEMKHOMEDIR=yes USEPAMACCESS=no CACHECREDENTIALS=yes USESSSDAUTH=no USESHADOW=yes USEWINBIND=no USESSSD=no PASSWDALGORITHM=sha512 FORCELEGACY=no USEFPRINTD=no USEHESIOD=no FORCESMARTCARD=no USELDAPAUTH=yes IPAV2NONTP=no USELDAP=yes USECRACKLIB=yes USEIPAV2=no USEWINBINDAUTH=no USESMARTCARD=no USELOCAUTHORIZE=yes USENIS=no USEKERBEROS=no USESYSNETAUTH=no USEDB=no USEPASSWDQC=no
# /etc/sudo-ldap.conf
echo "uri ldap://192.168.9.253 sudoers_base ou=sudoers,dc=dabayouxi,dc=com" >> /etc/sudo-ldap.conf
#/etc/openldap/ldap.conf
vim /etc/openldap/ldap.conf TLS_CACERTDIR /etc/openldap/cacerts URI ldap://192.168.9.253 BASE dc=dabayouxi,dc=com
#/etc/security/access.conf
vim /etc/security/access.conf 添加内容 -:ALL EXCEPT root web : ALL
(5)启动服务
service nslcd restart
(6)测试