open***通过ldap或ad统一认证解决方案思路分享

缘起：成百上千台服务器，上千人的公司，对于账户统一认证的需求非常强烈，一个人入职开账号太繁琐了，走了删除也费劲，最近给一个公司做了AD+LDAP账户统一认证解决方案，两个公司内部网络和几个机房的IDC网络做统一账户认证，其中包括SVN,POSFIX,***，FTP,SAMBA, LINUX登录等等。实际部署实施过程涉及了lvs,haproxy,ha,keepalived等，其中，大家普遍对于***(OPEN*** OR PPTP)通过LDAP或AD认证比较困惑。这里老男孩把***，通过本地文件授权，通过LDAP统一认证的脚本发出来和大家分享。

1）open***配置文件调用的脚本开发思路（配置文件里调用）

#!/usr/bin/python
################################################
#this scripts is created by oldboy
#oldboy QQ:49000448
#site:http://www.etiantian.org
#blog:http://oldboy.blog.51cto.com
#oldboy trainning QQ group: 208160987 226199307  44246017
################################################

import sys
import os
import logging
import ldap

# settings for ldap
ldap_uri = "ldap://127.0.0.1:389"
ldap_starttls = True
ldap_dn = "cn=%s,ou=users,ou=accounts,dc=intra,dc=etiantian,dc=org"

# settings for logging
log_filename = "/tmp/check_old1boy.log"
log_format = "%(asctime)s %(levelname)s %(message)s"
log_level = logging.DEBUG

# settings for authorization
auth_filename = "/etc/open***/old-boy-users.conf"

def get_users(fpath):
    fp = open(fpath, "rb")
    lines = fp.readlines()
    fp.close()
    users = {}
    for line in lines:
        line = line.strip()
        if len(line) <= 0 or line.startswith('#'):
            continue
        users[line] = True
    return users

def get_credits(fpath):
    fp = open(fpath, "rb")
    lines = fp.readlines()
    fp.close()
    assert len(lines)>=2, "invalid credit file"
    username = lines[0].strip()
    password = lines[1].strip()
    return (username, password)

def check_credits(username, password):
    passed = False
    ldap.set_option(ldap.OPT_PROTOCOL_VERSION, ldap.VERSION3)
    l = ldp.initialize(ldap_uri)
    if ldap_starttls:
        l.start_tls_s()
    try:
        l.simple_bind_s(ldap_dn % (username,), password)
        passed = True
    except ldap.INVALID_CREDENTIALS, e:
        logging.error("username/password failed verifying")
    l.unbind()
    return passed

def main(argv):
    credit_fpath = argv[1]
    (username,password) = get_credits(credit fpath)
    if len(username) <= 0  or len(password) <= 0
        logging.error("invalid creadits for user '%s'" % username)
        return 1
    logging.info("user '%s' request logining" % username)
    if check_credits(username, password):
        users = get_users(auth_filename)
        if not username in users:
            logging.error("user '%s' not authorized to access" % username)
            return 1
        logging.info("access of user '%s' granted" % username)
        return 0
    else:
        logging.error("access of user '%s' denied" % username)
        return 1

if __name__ = "__main__":
    logging.Config(format=logformat,filename=log_filename,level=log_level)
    if len(sys.argv) != 2:
        logging.fatal("usage: %s " % sys.argv[0])
        sys.exit(1)
    rcode = 1
    try:
        rcode = main(sys.argv)
    except Exception   :
        logging.fatal("exception happened: %s" % str())
        rcode = 1
    sys.exit(rcode)
提示：在***配置中通过auth-user...参数调用脚本，简单配置下就可以实现通过LDAP认证了。效果很好，可以写PHP页面授权给行政人员管理（邮件），
网管来管理（内部***,SAMBA,FTP,SVN）,小运维（外部，服务器账户，SVN,***等）。

 2)授权用户通过LDAP验证登录***的脚本（可以给公司的初级运维维护）

#!/bin/sh
################################################
#this scripts is created by oldboy
#oldboy QQ:49000448
#site:http://www.etiantian.org
#blog:http://oldboy.blog.51cto.com
#oldboy trainning QQ group: 208160987 226199307  44246017
################################################
# Source function library.
. /etc/init.d/functions
#config file path
FILE_PATH=/etc/open***/oldboy_users.conf
[ ! -f $FILE_PATH ] && exit;
usage(){
    cat <
        USAGE: `basename $0` {-add|-del|-search} username
EOF
}

#judge run user
if [ $UID -ne 0 ] ;then
         echo "Yore not supper user,please call root!"
         exit 1;
fi

#judge arg numbers.
if [ $# -ne 2 ] ;then
   usage
   exit
fi

RETVAL=0
case "$1" in
  -a|-add)
         shift
     if grep "^$1$" ${FILE_PATH} >>/dev/null 2>&1;then
            action $"***user,$1 is exist" /bin/false
        exit
         else
            chattr -i ${FILE_PATH}
            /bin/cp ${FILE_PATH} ${FILE_PATH}.$(date +%F%T)
        echo "$1" >> ${FILE_PATH}
            [ $? -eq 0 ] && action $"Add $1" /bin/true
        chattr +i ${FILE_PATH}
     fi
      ;;
  -d|-del)
         shift
         if [ `grep "^$1$" ${FILE_PATH}|wc -l` -lt 1 ];then
             action $"***user,$1 is not exist." /bin/false
             exit
         else
             chattr -i ${FILE_PATH}
             /bin/cp ${FILE_PATH} ${FILE_PATH}.$(date +%F%T)
             sed -i "/^${1}$/d" ${FILE_PATH}
             [ $? -eq 0 ] && action $"Del $1" /bin/true
             chattr +i ${FILE_PATH}
             exit
     fi
      ;;
  -s|-search)
         shift
         if [ `grep "^$1$" ${FILE_PATH}|wc -l` -lt 1 ];then
             echo $"***user,$1 is not exist.";exit
         else
         echo $"***user,$1 is exist.";exit
     fi
     ;;
  *)
         usage
         exit
         ;;
esac
exit $RETVAL
提示：脚本内容长，实际上非常简单的。就是修改一个文件。

 说明：由于系统及配置环境的差异，本文内容仅供大家参考。