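Building an OpenLDAP system for centralized account management

Features implemented:

1: Setting up the OpenLDAP server

2: Setting up PhpLDAPAdmin (for management through a web page)

3: Group-based sudo privilege assignment for users, configured on the OpenLDAP server:

    1) No sudo privileges by default;

    2) Operations staff can sudo to any user and run any command;

    3) Developers can run the commands configured for them

4: Configuring the OpenLDAP client

5: OpenLDAP SSH

6: OpenLDAP combined with client-side PAM to restrict which hosts users can log in to

7: Adding a password policy to OpenLDAP

    1) Force users to change their password at first login

    2) Minimum password length

    3) Password strength

    4) Number of warning days before the password expires

    5) Number of days after expiry at which login is no longer allowed

    6) Lock the account after a number of failed password attempts

    7) Recovery time after password failures

    8) Whether users are allowed to change their password

    9) A locked account is not unlocked automatically; an administrator must unlock it

8: OpenLDAP dual-master mode through MirrorMode synchronization

9: OpenLDAP high availability with Keepalived + OpenLDAP

10: TCP Wrappers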


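Access and maintenance workflow of the centralized account management system:

[Figure 1: Design and implementation of a centralized account management system - OpenLDAP]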




Lab environment:

Systems:

Master: CentOS 6.5 64-bit 192.168.9.225

Master: CentOS 6.5 64-bit 192.168.9.168

VIP: 192.168.9.253

Client: CentOS 6.5 64-bit 192.168.9.176

Packages:

    openldap-2.4.45

    db-4.6.21

    phpldapadmin-1.2.3

    ltb-project-openldap-initscript-2.2

Reference links:

https://ltb-project.org/download
http://www.openldap.org/
http://www.oracle.com/technetwork/database/database-technologies/berkeleydb/downloads/index-082944.html
ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/
http://download.oracle.com/berkeley-db/db-4.6.21.tar.gz


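I. Installing the OpenLDAP server

(The installation procedure is the same on both masters)

1.1 Basic environment setup

(1) System initialization (see http://wupengfei.blog.51cto.com/7174803/1955545)

(2) Disable the firewall and SELinux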

service iptables stop
chkconfig iptables off
sed -i 's@SELINUX=enforcing@SELINUX=disabled@g' /etc/selinux/config

(3) Time synchronization

yum -y install ntp
/usr/sbin/ntpdate -u clepsydra.dec.com tick.ucla.edu ntp.nasa.gov
echo "1 2 * * * /usr/sbin/ntpdate -u clepsydra.dec.com tick.ucla.edu ntp.nasa.gov" >> /var/spool/cron/root

1.2 Install OpenLDAP from source

(1) Install the dependencies with yum

yum -y install gcc gcc-c++ unzip gzip bzip2 openssl-devel cyrus-sasl-devel krb5-devel tcp_wrappers-devel libtool-ltdl-devel openslp-devel unixODBC-devel mysql-devel

(2) Build and install Berkeley DB from source

cd /usr/local/src/
wget http://download.oracle.com/berkeley-db/db-4.6.21.tar.gz
tar xf db-4.6.21.tar.gz 
cd db-4.6.21/build_unix/
../dist/configure --prefix=/usr/local/BDB4
make && make install
echo "/usr/local/BDB4/lib" >> /etc/ld.so.conf.d/bdb.conf
ldconfig 
ln -sv /usr/local/BDB4/include /usr/local/bdb

(3) Build and install OpenLDAP from source

cd /usr/local/src/
wget ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-2.4.45.tgz
gunzip -c openldap-2.4.45.tgz  | tar xf -
cd openldap-2.4.45
./configure --prefix=/usr/local/openldap2.4 \
--enable-slapd \
--enable-dynacl \
--enable-aci \
--enable-cleartext \
--enable-crypt  \
--enable-lmpasswd \
--enable-spasswd \
--enable-modules \
--enable-rewrite \
--enable-rlookups \
--enable-slapi \
--enable-wrappers \
--enable-backends \
--enable-ndb=no \
--enable-perl=no \
--enable-overlays \
CPPFLAGS="-I/usr/local/BDB4/include" \
LDFLAGS="-L/usr/local/BDB4/lib"
make depend
make
make test
make install
echo "/usr/local/openldap2.4/lib" >> /etc/ld.so.conf.d/ldap.conf
ldconfig
ln -sv /usr/local/openldap2.4/include /usr/include/ldap2.4
ln -sv /usr/local/openldap2.4/bin/* /usr/local/bin/
ln -sv /usr/local/openldap2.4/sbin/* /usr/local/sbin/

1.4 Configuration that implements the features

(1) Configuration file template

# grep -v ^# slapd.conf | grep -v ^$
include        /usr/local/openldap2.4/etc/openldap/schema/corba.schema
include        /usr/local/openldap2.4/etc/openldap/schema/core.schema
include        /usr/local/openldap2.4/etc/openldap/schema/cosine.schema
include        /usr/local/openldap2.4/etc/openldap/schema/duaconf.schema
include        /usr/local/openldap2.4/etc/openldap/schema/dyngroup.schema
include        /usr/local/openldap2.4/etc/openldap/schema/inetorgperson.schema
include        /usr/local/openldap2.4/etc/openldap/schema/java.schema
include        /usr/local/openldap2.4/etc/openldap/schema/misc.schema
include        /usr/local/openldap2.4/etc/openldap/schema/nis.schema
include        /usr/local/openldap2.4/etc/openldap/schema/openldap.schema
include        /usr/local/openldap2.4/etc/openldap/schema/ppolicy.schema
include        /usr/local/openldap2.4/etc/openldap/schema/collective.schema
include         /usr/local/openldap2.4/etc/openldap/schema/sudo.schema
pidfile        /usr/local/openldap2.4/var/run/slapd.pid
argsfile    /usr/local/openldap2.4/var/run/slapd.args
modulepath    /usr/local/openldap2.4/libexec/openldap
moduleload accesslog.la
moduleload auditlog.la
moduleload ppolicy.la
moduleload syncprov.la
moduleload  back_mdb.la
moduleload  back_ldap.la
access to attrs=shadowLastChange,userPassword
        by self write
        by anonymous auth
        by dn.base="cn=admin,dc=dabayouxi,dc=com" write
        by * none
access to *
        by self write
        by * read
database config
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
        by dn.base="cn=admin,dc=dabayouxi,dc=com" write
        by * none
database    mdb
suffix        "dc=dabayouxi,dc=com"
rootdn        "cn=admin,dc=dabayouxi,dc=com"
rootpw        {SSHA}jnN16Laklfzlm4hCrob1nhUgUloLpvnm
directory    /data0/openldap-data
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
loglevel 256
logfile /data0/logs/slapd/slapd.log
checkpoint 2048 10
overlay ppolicy
ppolicy_default cn=default,ou=pwpolicies,dc=dabayouxi,dc=com

(2) Add sudo.schema

cp -f /usr/share/doc/sudo-1.8.6p3/schema.OpenLDAP /usr/local/openldap2.4/etc/openldap/schema/sudo.schema
restorecon /usr/local/openldap2.4/etc/openldap/schema/sudo.schema

(3) Create the ldap user and group

groupadd -r ldap
useradd -r -g ldap -s /sbin/nologin ldap

(4) Configure logging

mkdir -p /data0/logs/slapd
touch /data0/logs/slapd/slapd.log
echo "local4.* /data0/logs/slapd/slapd.log" >> /etc/rsyslog.d/openldap.conf
service rsyslog restart
echo "/data0/logs/slapd/*log {
missingok
compress
notifempty
daily
rotate 5
create 0600 root root
}" >> /etc/logrotate.d/slapd

(5) Configure the data directory

mkdir -p /data0/openldap-data
chmod 700 /data0/openldap-data/
cp /usr/local/openldap2.4/etc/openldap/DB_CONFIG.example /data0/openldap-data/DB_CONFIG
chown -R ldap.ldap /data0/openldap-data/
mkdir -p /usr/local/openldap2.4/etc/openldap/slapd.d
cd /usr/local/openldap2.4/etc/openldap/
slaptest -f slapd.conf -F slapd.d/
echo "BASE    dc=dabayouxi,dc=com
URI     ldap://192.168.9.168" >> /usr/local/openldap2.4/etc/openldap/ldap.conf

(6) Download the init script and edit its configuration

cd /usr/local/src/
wget https://ltb-project.org/archives/ltb-project-openldap-initscript-2.2.tar.gz
tar -xvf ltb-project-openldap-initscript-2.2.tar.gz
mv ltb-project-openldap-initscript-2.2/slapd /etc/init.d
vim /etc/init.d/slapd
SLAPD_PATH="/usr/local/openldap2.4"
DATA_PATH="/data0/openldap-data"
BDB_PATH="/usr/local/BDB4"

chmod +x /etc/init.d/slapd
chkconfig slapd on
service slapd restart

1.5 OpenLDAP directory tree planning
# Import the planned DNs: write the following content into LDIF files and add it to the database with the ldapadd command

mkdir -p /data0/ldapldif/{users,groups,sudoers,policy}

(1)base.ldif

vim /data0/ldapldif/base.ldif
dn: dc=dabayouxi,dc=com
dc: dabayouxi
objectClass: top
objectClass: domain

dn: ou=users,dc=dabayouxi,dc=com
ou: users
objectClass: top
objectClass: organizationalUnit

dn: ou=groups,dc=dabayouxi,dc=com
ou: groups
objectClass: top
objectClass: organizationalUnit

dn: ou=sudoers,dc=dabayouxi,dc=com
ou: sudoers
objectClass: top
objectClass: organizationalUnit

dn: ou=pwpolicies,dc=dabayouxi,dc=com
ou: pwpolicies
objectClass: top
objectClass: organizationalUnit


ldapadd -x -D cn=admin,dc=dabayouxi,dc=com -W -f /data0/ldapldif/base.ldif 
Enter LDAP Password: 
adding new entry "dc=dabayouxi,dc=com"
adding new entry "ou=users,dc=dabayouxi,dc=com"
adding new entry "ou=groups,dc=dabayouxi,dc=com"
adding new entry "ou=sudoers,dc=dabayouxi,dc=com"
adding new entry "ou=pwpolicies,dc=dabayouxi,dc=com"
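-x    Use simple authentication (instead of SASL), without an encrypted protocol
-D    Specify the DN to bind as, similar to the root directory in an operating system
-W    Prompt for the password; to skip the prompt use -w passwd, which is not recommended because it easily exposes the password
-f    Specify the LDIF file

# View the current directory tree structure with ldapsearch
ldapsearch -x -LLL      # -LLL    print LDIF only, suppressing comments and the version line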

(2)groups.ldif

echo "dn: cn=web,ou=groups,dc=dabayouxi,dc=com
objectClass: posixGroup
objectClass: top
cn: web
gidNumber: 1501" >> /data0/ldapldif/groups/web.ldif

echo "dn: cn=core,ou=groups,dc=dabayouxi,dc=com
objectClass: posixGroup
objectClass: top
cn: core
gidNumber: 1502" >> /data0/ldapldif/groups/core.ldif

ldapadd -x -D cn=admin,dc=dabayouxi,dc=com -W -f /data0/ldapldif/groups/web.ldif 
Enter LDAP Password: 
adding new entry "cn=web,ou=groups,dc=dabayouxi,dc=com"

ldapadd -x -D cn=admin,dc=dabayouxi,dc=com -W -f /data0/ldapldif/groups/core.ldif 
Enter LDAP Password: 
adding new entry "cn=core,ou=groups,dc=dabayouxi,dc=com"

(3)users.ldif

echo "dn: uid=webuser,ou=users,dc=dabayouxi,dc=com
uid: webuser
cn: webuser
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {SSHA}1F4G8mlpJ4asfQud0kJOsj6tIWdoiHEc
shadowLastChange: 17412
shadowMin: 0
shadowMax: 999999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 2501
gidNumber: 1501
homeDirectory: /home/webuser
pwdReset: TRUE" >> /data0/ldapldif/users/webuser.ldif

echo "dn: uid=coreuser,ou=users,dc=dabayouxi,dc=com
uid: coreuser
cn: coreuser
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {SSHA}1F4G8mlpJ4asfQud0kJOsj6tIWdoiHEc
shadowLastChange: 17412
shadowMin: 0
shadowMax: 999999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 2502
gidNumber: 1502
homeDirectory: /home/coreuser
pwdReset: TRUE" >> /data0/ldapldif/users/coreuser.ldif

ldapadd -x -D cn=admin,dc=dabayouxi,dc=com -W -f /data0/ldapldif/users/webuser.ldif 
Enter LDAP Password: 
adding new entry "uid=webuser,ou=users,dc=dabayouxi,dc=com"

ldapadd -x -D cn=admin,dc=dabayouxi,dc=com -W -f /data0/ldapldif/users/coreuser.ldif 
Enter LDAP Password: 
adding new entry "uid=coreuser,ou=users,dc=dabayouxi,dc=com"

(4)sudoers.ldif

vim /data0/ldapldif/sudoers/defaults.ldif
dn: cn=defaults,ou=sudoers,dc=dabayouxi,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
sudoOption: requiretty
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset 

vim /data0/ldapldif/sudoers/web.ldif
dn: cn=%web,ou=sudoers,dc=dabayouxi,dc=com
objectClass: top
objectClass: sudoRole
cn: %web
sudoHost: ALL
sudoRunAsUser: www
sudoOption: !authenticate
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset
sudoCommand: ALL
sudoUser: %web

vim /data0/ldapldif/sudoers/core.ldif
dn: cn=%core,ou=sudoers,dc=dabayouxi,dc=com
objectClass: top
objectClass: sudoRole
cn: %core
sudoHost: ALL
sudoRunAsUser: ALL
sudoOption: !authenticate
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset
sudoCommand: ALL
sudoUser: %core

ldapadd -x -D cn=admin,dc=dabayouxi,dc=com -W -f /data0/ldapldif/sudoers/defaults.ldif 
Enter LDAP Password: 
adding new entry "cn=defaults,ou=sudoers,dc=dabayouxi,dc=com"

ldapadd -x -D cn=admin,dc=dabayouxi,dc=com -W -f /data0/ldapldif/sudoers/web.ldif 
Enter LDAP Password: 
adding new entry "cn=%web,ou=sudoers,dc=dabayouxi,dc=com"

ldapadd -x -D cn=admin,dc=dabayouxi,dc=com -W -f /data0/ldapldif/sudoers/core.ldif 
Enter LDAP Password: 
adding new entry "cn=%core,ou=sudoers,dc=dabayouxi,dc=com"
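
The three sudoRole entries above, read back as the sudoers rules they correspond to, as an added example that is not part of the original post. The function names are made up for this illustration and the LDIF is abridged from this page; only `!authenticate` is rendered as a tag (NOPASSWD), other per-role options are skipped.

```shell
#!/bin/sh
# Added example, not from the original post; function names are hypothetical.

# Constructed sample input: the three sudoRole entries from this page (abridged).
sample_sudo_roles() {
cat <<'EOF'
dn: cn=defaults,ou=sudoers,dc=dabayouxi,dc=com
objectClass: sudoRole
cn: defaults
sudoOption: requiretty
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset

dn: cn=%web,ou=sudoers,dc=dabayouxi,dc=com
objectClass: sudoRole
cn: %web
sudoHost: ALL
sudoRunAsUser: www
sudoOption: !authenticate
sudoCommand: ALL
sudoUser: %web

dn: cn=%core,ou=sudoers,dc=dabayouxi,dc=com
objectClass: sudoRole
cn: %core
sudoHost: ALL
sudoRunAsUser: ALL
sudoOption: !authenticate
sudoCommand: ALL
sudoUser: %core
EOF
}

# Read sudoRole LDIF on stdin; print the equivalent sudoers line for each entry.
sudorole_to_sudoers() {
awk '
function addv(cur, v) { return (cur == "") ? v : (cur ", " v) }
function emit(   i) {
    if (cn == "defaults") {
        for (i = 1; i <= nopt; i++) { print "Defaults " opt[i] }
    } else if (user != "") {
        # sudo runs the command as root when the role has no sudoRunAsUser
        print user " " host "=(" (runas == "" ? "root" : runas) ") " (nopw ? "NOPASSWD: " : "") cmd
    }
    cn = user = host = runas = cmd = ""; nopw = 0; nopt = 0
}
/^[ \t\r]*$/ { emit(); next }          # a blank line ends an LDIF entry
{
    pos = index($0, ": "); if (pos == 0) next
    attr = tolower(substr($0, 1, pos - 1)); val = substr($0, pos + 2)
    sub(/[ \t\r]+$/, "", val)           # drop trailing whitespace
    if (attr == "cn") cn = val
    else if (attr == "sudouser") user = addv(user, val)
    else if (attr == "sudohost") host = addv(host, val)
    else if (attr == "sudorunasuser") runas = addv(runas, val)
    else if (attr == "sudocommand") cmd = addv(cmd, val)
    else if (attr == "sudooption") { opt[++nopt] = val; if (val == "!authenticate") nopw = 1 }
}
END { emit() }'
}

# Roles that allow any command as any user without a password prompt.
unrestricted_roles() { sudorole_to_sudoers | grep -F "=(ALL) NOPASSWD: ALL"; }

sample_sudo_roles | sudorole_to_sudoers
```

Feeding it `ldapsearch -x -LLL -b ou=sudoers,dc=dabayouxi,dc=com` output gives a reviewable summary of what each group can do after later edits to the tree.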

(5)pwpolicies.ldif

echo "dn: cn=default,ou=pwpolicies,dc=dabayouxi,dc=com
cn: default
objectClass: pwdPolicy
objectClass: person
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdExpireWarning: 259200
pwdFailureCountInterval: 0
pwdGraceAuthNLimit: 5
pwdInHistory: 5
pwdLockout: TRUE
pwdLockoutDuration: 300
pwdMaxAge: 2592000
pwdMaxFailure: 5
pwdMinAge: 0
pwdMinLength: 8
pwdMustChange: TRUE
pwdSafeModify: TRUE
sn: dummy value" >> /data0/ldapldif/policy/default.ldif

ldapadd -x -D cn=admin,dc=dabayouxi,dc=com -W -f /data0/ldapldif/policy/default.ldif 
Enter LDAP Password: 
adding new entry "cn=default,ou=pwpolicies,dc=dabayouxi,dc=com"
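
What the policy entry above asks slapd to do, decoded from seconds into behaviour, as an added example that is not part of the original post. The function names are hypothetical; the interpretation follows the slapo-ppolicy attribute definitions, under which pwdMinLength is only checked when pwdCheckQuality is greater than 0 and a non-zero pwdLockoutDuration unlocks the account automatically.

```shell
#!/bin/sh
# Added example, not from the original post; function names are hypothetical.

# Constructed sample input: the default policy entry from this page.
sample_policy() {
cat <<'EOF'
dn: cn=default,ou=pwpolicies,dc=dabayouxi,dc=com
cn: default
objectClass: pwdPolicy
objectClass: person
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdExpireWarning: 259200
pwdFailureCountInterval: 0
pwdGraceAuthNLimit: 5
pwdInHistory: 5
pwdLockout: TRUE
pwdLockoutDuration: 300
pwdMaxAge: 2592000
pwdMaxFailure: 5
pwdMinAge: 0
pwdMinLength: 8
pwdMustChange: TRUE
pwdSafeModify: TRUE
sn: dummy value
EOF
}

# Read one pwdPolicy entry (LDIF) on stdin and print the resulting behaviour.
ppolicy_report() {
awk '
function num(k) { return (k in p) ? p[k] + 0 : 0 }   # missing attribute counts as 0
{
    pos = index($0, ": "); if (pos == 0) next
    val = substr($0, pos + 2); sub(/[ \t\r]+$/, "", val)
    p[tolower(substr($0, 1, pos - 1))] = val
}
END {
    if (num("pwdmaxage") > 0) {
        printf "expiry: after %d day(s), warn %d day(s) ahead, %d grace login(s)\n",
            num("pwdmaxage") / 86400, num("pwdexpirewarning") / 86400, num("pwdgraceauthnlimit")
    } else { print "expiry: passwords never expire" }
    if (toupper(p["pwdmustchange"]) == "TRUE") {
        print "first-login: change required after an administrator set or reset"
    }
    if (toupper(p["pwdlockout"]) == "TRUE" && num("pwdmaxfailure") > 0) {
        printf "lockout: after %d failed bind(s)\n", num("pwdmaxfailure")
        if (num("pwdlockoutduration") > 0) {
            printf "unlock: automatic after %d s\n", num("pwdlockoutduration")
        } else { print "unlock: administrator reset only" }
        if (num("pwdfailurecountinterval") > 0) {
            printf "counter: failures older than %d s are dropped\n", num("pwdfailurecountinterval")
        } else { print "counter: cleared only by a successful bind" }
    } else { print "lockout: disabled" }
    if (num("pwdcheckquality") > 0) {
        printf "quality: pwdMinLength=%d enforced (pwdCheckQuality=%d)\n",
            num("pwdminlength"), num("pwdcheckquality")
    } else {
        printf "quality: pwdMinLength=%d NOT enforced (pwdCheckQuality unset or 0)\n", num("pwdminlength")
    }
}'
}

sample_policy | ppolicy_report
```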

1.6 Install PhpLDAPAdmin

yum install -y httpd php php-mbstring php-pear php-ldap
cd /usr/local/src/
wget https://jaist.dl.sourceforge.net/project/phpldapadmin/phpldapadmin-php5/1.2.3/phpldapadmin-1.2.3.zip
unzip phpldapadmin-1.2.3.zip
mkdir -p /data0/web_root/
mv phpldapadmin-1.2.3 /data0/web_root/phpldapadmin
echo "
<VirtualHost *:80>
    ServerAdmin [email protected]
    DocumentRoot /data0/web_root/phpldapadmin
    ServerName openldap.dabayouxi.com
    ErrorLog /data0/logs/apache/openldap.dabayouxi.com-error_log
    CustomLog /data0/logs/apache/openldap.dabayouxi.com-access_log common
    <Directory /data0/web_root/phpldapadmin>
      Options FollowSymLinks
      AllowOverride all
      Require all granted
    </Directory>
</VirtualHost>
" >> /etc/httpd/conf/httpd.conf
mkdir -p /data0/logs/apache/
service httpd restart

cp /data0/web_root/phpldapadmin/config/config.php.example /data0/web_root/phpldapadmin/config/config.php
vim /data0/web_root/phpldapadmin/config/config.php
$servers->setValue('server','host','192.168.9.168');
$servers->setValue('server','port',389);

Open in a browser: http://192.168.9.168

[Figure 2: Design and implementation of a centralized account management system - OpenLDAP]

1.7 OpenLDAP dual-master mode through MirrorMode synchronization

(1) On 192.168.9.168, append to the end of slapd.conf

vim /usr/local/openldap2.4/etc/openldap/slapd.conf
# Add the following content
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
serverID    1
syncrepl rid=123
         provider=ldap://192.168.9.225/
         bindmethod=simple
         binddn="cn=admin,dc=dabayouxi,dc=com"
         credentials=dabayouxi
         searchbase="dc=dabayouxi,dc=com"
         schemachecking=off
         type=refreshAndPersist
         retry="60 +"
mirrormode on

cd /usr/local/openldap2.4/etc/openldap/
slaptest -u
rm -rf slapd.d/*
slaptest -f slapd.conf -F slapd.d/
service slapd restart

(2) On 192.168.9.225, append to the end of slapd.conf

vim /usr/local/openldap2.4/etc/openldap/slapd.conf
# Add the following content
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
serverID    2
syncrepl rid=123
         provider=ldap://192.168.9.168/
         bindmethod=simple
         binddn="cn=admin,dc=dabayouxi,dc=com"
         credentials=dabayouxi
         searchbase="dc=dabayouxi,dc=com"
         schemachecking=off
         type=refreshAndPersist
         retry="60 +"
mirrormode on

cd /usr/local/openldap2.4/etc/openldap/
slaptest -u
rm -rf slapd.d/*
slaptest -f slapd.conf -F slapd.d/
service slapd restart

(3) Test synchronization


1.8 OpenLDAP high availability with Keepalived + OpenLDAP

(1) Download and install keepalived

cd /usr/local/src/
wget http://www.keepalived.org/software/keepalived-1.2.13.tar.gz
yum install -y pcre-devel openssl-devel popt-devel
tar xf keepalived-1.2.13.tar.gz 
cd keepalived-1.2.13
./configure --prefix=/usr/local/keepalived
make
make install

(2) Set up keepalived as a system service

cd /usr/local/keepalived/
cp etc/rc.d/init.d/keepalived /etc/init.d/
cp etc/sysconfig/keepalived /etc/sysconfig/
mkdir /etc/keepalived
cp etc/keepalived/keepalived.conf /etc/keepalived/
cp sbin/keepalived /usr/sbin/
chkconfig keepalived on
chkconfig --list keepalived

(3) Configure OpenLDAP hot standby

Master 192.168.9.168

vim /etc/keepalived/keepalived.conf

! Configuration File for keepalived
global_defs {
        router_id OpenLDAP_HA
}

vrrp_instance OpenLDAP {
        state Backup               
        interface eth0
        virtual_router_id 53     
        priority 100                 
        advert_int 1
        nopreempt                  
        authentication {
                auth_type PASS
                auth_pass dabayouxi
        }
        virtual_ipaddress {
                192.168.9.253
         }
   }
   virtual_server 192.168.9.253 389 {
         delay_loop 6
         nat_mask 255.255.255.0
         persistence_timeout 50
         protocol TCP
         real_server 192.168.9.168 389 {
                  weight 3
                  notify_down "/etc/keepalived/openldap.sh"
                  TCP_CHECK {
                          connect_timeout 5
                          nb_get_retry 2
                          delay_before_retry 3
                  }
         }
 }


vim /etc/keepalived/openldap.sh
#!/bin/bash
/etc/init.d/keepalived stop

chmod +x /etc/keepalived/openldap.sh 

service keepalived start
Starting keepalived:                                       [  OK  ]

ip addr
1: lo:  mtu 16436 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0:  mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether fa:9b:55:ac:33:00 brd ff:ff:ff:ff:ff:ff
    inet 192.168.9.168/24 brd 192.168.9.255 scope global eth0
    inet 192.168.9.253/32 scope global eth0
    inet6 fe80::f89b:55ff:feac:3300/64 scope link 
       valid_lft forever preferred_lft forever

Master 192.168.9.225

vim /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
        router_id OpenLDAP_HA   
}

vrrp_instance OpenLDAP {
        state Backup               
        interface eth0
        virtual_router_id 53     
        priority 90                 
        advert_int 1
        authentication {
                auth_type PASS
                auth_pass dabayouxi 
        }
        virtual_ipaddress {
                192.168.9.253
         }
   }
   virtual_server 192.168.9.253 389 {
         delay_loop 6
         nat_mask 255.255.255.0
         persistence_timeout 50
         protocol TCP
         real_server 192.168.9.225 389 {
                  weight 3
                  notify_down "/etc/keepalived/openldap.sh"
                  TCP_CHECK {
                          connect_timeout 5
                          nb_get_retry 2
                          delay_before_retry 3
                  }
         }
 }
 
 vim /etc/keepalived/openldap.sh
#!/bin/bash
/etc/init.d/keepalived stop

chmod +x /etc/keepalived/openldap.sh

service keepalived start

(4) Verification


II. Installing the OpenLDAP client

2.1 Basic environment setup

(1) System initialization (see http://wupengfei.blog.51cto.com/7174803/1955545)

(2) Disable the firewall and SELinux

service iptables stop
chkconfig iptables off
sed -i 's@SELINUX=enforcing@SELINUX=disabled@g' /etc/selinux/config

(3) Time synchronization

yum -y install ntp
/usr/sbin/ntpdate -u clepsydra.dec.com tick.ucla.edu ntp.nasa.gov
echo "1 2 * * * /usr/sbin/ntpdate -u clepsydra.dec.com tick.ucla.edu ntp.nasa.gov" >> /var/spool/cron/root

2.2 Install the OpenLDAP client packages

(1) Install the required packages with yum

yum -y install openldap  openldap-devel compat-openldap nss-pam-ldapd

(2) Back up the original files

cp /etc/nslcd.conf /etc/nslcd.conf_default
cp /etc/nsswitch.conf  /etc/nsswitch.conf_default
cp /etc/pam.d/system-auth-ac  /etc/pam.d/system-auth-ac_default
cp /etc/pam.d/password-auth-ac  /etc/pam.d/password-auth-ac_default
cp /etc/pam.d/fingerprint-auth-ac /etc/pam.d/fingerprint-auth-ac_default
cp /etc/pam.d/smartcard-auth-ac /etc/pam.d/smartcard-auth-ac_default
cp /etc/pam.d/sshd /etc/pam.d/sshd_default
cp /etc/pam.d/login /etc/pam.d/login_default
cp /etc/openldap/ldap.conf /etc/openldap/ldap.conf_default
cp /etc/sudo-ldap.conf /etc/sudo-ldap.conf_default

(3) Stop the sssd service

service sssd stop && chkconfig sssd off

(4) Edit the client configuration files

#/etc/nslcd.conf

vim /etc/nslcd.conf
uri ldap://192.168.9.253
base dc=dabayouxi,dc=com
ssl no
tls_cacertdir /etc/openldap/cacerts

#/etc/pam_ldap.conf

vim /etc/pam_ldap.conf
uri ldap://192.168.9.253
base dc=dabayouxi,dc=com
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
bind_policy soft
pam_lookup_policy yes
pam_password clear_remove_old

#/etc/pam.d/system-auth

vim /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so minlen=10 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1  try_first_pass retry=3 type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

#/etc/pam.d/password-auth

vim /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so minlen=10 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1  try_first_pass retry=3 type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

#/etc/pam.d/fingerprint-auth

vim /etc/pam.d/fingerprint-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

#/etc/pam.d/smartcard-auth

vim /etc/pam.d/smartcard-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card card_only
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    required      pam_pkcs11.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

#/etc/pam.d/sshd

vim /etc/pam.d/sshd
#%PAM-1.0
auth       required    pam_sepermit.so
auth       include      password-auth
account    required     pam_access.so
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth

#/etc/pam.d/login

vim /etc/pam.d/login
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    required     pam_limits.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      system-auth
-session   optional     pam_ck_connector.so

#/etc/nsswitch.conf

vim /etc/nsswitch.conf
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   ldap
publickey:  nisplus
automount:  files ldap
sudoers:    files ldap

#/etc/sysconfig/authconfig

vim /etc/sysconfig/authconfig  
IPADOMAINJOINED=no
USEMKHOMEDIR=yes
USEPAMACCESS=no
CACHECREDENTIALS=yes
USESSSDAUTH=no
USESHADOW=yes
USEWINBIND=no
USESSSD=no
PASSWDALGORITHM=sha512
FORCELEGACY=no
USEFPRINTD=no
USEHESIOD=no
FORCESMARTCARD=no
USELDAPAUTH=yes
IPAV2NONTP=no
USELDAP=yes
USECRACKLIB=yes
USEIPAV2=no
USEWINBINDAUTH=no
USESMARTCARD=no
USELOCAUTHORIZE=yes
USENIS=no
USEKERBEROS=no
USESYSNETAUTH=no
USEDB=no
USEPASSWDQC=no

# /etc/sudo-ldap.conf

echo "uri ldap://192.168.9.253
sudoers_base ou=sudoers,dc=dabayouxi,dc=com" >> /etc/sudo-ldap.conf

#/etc/openldap/ldap.conf

vim /etc/openldap/ldap.conf
TLS_CACERTDIR /etc/openldap/cacerts
URI ldap://192.168.9.253
BASE dc=dabayouxi,dc=com

#/etc/security/access.conf

vim /etc/security/access.conf
Add the following:
-:ALL EXCEPT root web : ALL

(5) Start the service

service nslcd restart
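
Every bind configured on this page (the syncrepl stanzas in 1.7 and the nslcd/pam_ldap client settings in step (4)) uses ldap:// without StartTLS, so passwords cross the network unencrypted. The following added example, not part of the original post, flags that in a config file and includes constructed StartTLS variants that pass; the function names are hypothetical, and the hardened variants assume slapd has been given a server certificate, which this page does not configure.

```shell
#!/bin/sh
# Added example, not from the original post; function names are hypothetical.

# Read nslcd.conf / pam_ldap.conf style settings, or a slapd.conf syncrepl
# stanza, on stdin and report binds whose password crosses plain LDAP.
ldap_cleartext_findings() {
awk '
{
    key = tolower($1)
    if (key == "uri" && tolower($2) ~ /^ldap:\/\//) uri = $2     # not ldaps://
    else if (key == "ssl") ssl = tolower($2)
    else if (key ~ /^provider=ldap:\/\//) prov = substr($1, 10)  # text after "provider="
    else if (key == "bindmethod=simple") simple = 1
    else if (key == "starttls=critical") tls = 1   # "yes" would continue without TLS on failure
}
END {
    if (uri != "" && ssl != "start_tls" && ssl != "on")
        print "client " uri ": ssl is " (ssl == "" ? "unset" : ssl) ", user passwords are sent in cleartext"
    if (prov != "" && simple && !tls)
        print "syncrepl " prov ": simple bind without starttls=critical, credentials are sent in cleartext"
}'
}

# Constructed sample: the client settings from this page.
page_client_conf() {
cat <<'EOF'
uri ldap://192.168.9.253
base dc=dabayouxi,dc=com
ssl no
tls_cacertdir /etc/openldap/cacerts
EOF
}

# Constructed sample: the syncrepl stanza from this page (abridged).
page_syncrepl() {
cat <<'EOF'
syncrepl rid=123
         provider=ldap://192.168.9.225/
         bindmethod=simple
         binddn="cn=admin,dc=dabayouxi,dc=com"
         type=refreshAndPersist
EOF
}

# Constructed hardened variants: StartTLS required, server certificate verified.
hardened_client_conf() {
cat <<'EOF'
uri ldap://192.168.9.253
base dc=dabayouxi,dc=com
ssl start_tls
tls_reqcert demand
tls_cacertdir /etc/openldap/cacerts
EOF
}

hardened_syncrepl() {
cat <<'EOF'
syncrepl rid=123
         provider=ldap://192.168.9.225/
         bindmethod=simple
         starttls=critical
         tls_reqcert=demand
EOF
}

page_client_conf | ldap_cleartext_findings
page_syncrepl | ldap_cleartext_findings
```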

(6) Test