1. Environment:
OS: CentOS release 6.8 (Final)
IP: 192.168.31.155
OS: CentOS Linux release 7.2.1511 (Core)
IP: 192.168.31.156
2. Procedure:
Client configuration files
2.1. CentOS 5
/etc/nsswitch.conf
/etc/ldap.conf
/etc/pam.d/system-auth
2.2. CentOS 6
Install the dependency package:
yum install nss-pam-ldapd
/etc/nslcd.conf
/etc/pam_ldap.conf
/etc/nsswitch.conf
/etc/pam.d/system-auth
Procedure:
[root@client01-centos6 ~]# yum install nss-pam-ldapd
[root@client01-centos6 ~]# rpm -ql nss-pam-ldapd
/etc/nslcd.conf
/etc/rc.d/init.d/nslcd
/lib64/libnss_ldap.so.2
/usr/lib64/libnss_ldap.so
/usr/sbin/nslcd
/usr/share/doc/nss-pam-ldapd-0.7.5
/usr/share/doc/nss-pam-ldapd-0.7.5/AUTHORS
/usr/share/doc/nss-pam-ldapd-0.7.5/COPYING
/usr/share/doc/nss-pam-ldapd-0.7.5/ChangeLog
/usr/share/doc/nss-pam-ldapd-0.7.5/HACKING
/usr/share/doc/nss-pam-ldapd-0.7.5/NEWS
/usr/share/doc/nss-pam-ldapd-0.7.5/README
/usr/share/doc/nss-pam-ldapd-0.7.5/TODO
/usr/share/man/man5/nslcd.conf.5.gz
/usr/share/man/man8/nslcd.8.gz
/var/run/nslcd
[root@client01-centos6 ~]#
Back up the configuration files:
[root@client01-centos6 ~]# mkdir configback
[root@client01-centos6 ~]# cp /etc/nsswitch.conf configback/nsswitch.conf.bak
[root@client01-centos6 ~]# cp /etc/pam.d/system-auth configback/system-auth.bak
[root@client01-centos6 ~]# cp /etc/nslcd.conf configback/nslcd.conf.bak
[root@client01-centos6 ~]# cp /etc/pam_ldap.conf configback/pam_ldap.conf.bak
[root@client01-centos6 ~]#
Back up all configuration files involved in one step:
[root@client01-centos6 ~]# authconfig --savebackup=openldap.bak
Restore the current configuration files:
[root@client01-centos6 ~]# authconfig --restorebackup=openldap.bak
Note: authconfig restores the files to their initial state very quickly; compared with editing each configuration file by hand, it is both faster and more accurate.
On CentOS 6 the configuration is done through the graphical setup tool; the steps are as follows:
setup ---> Run Tool --> Authentication configuration ---> Use LDAP && Use LDAP Authentication ---> Next -->
Server: ldap://192.168.31.153
Base DN: dc=ldap,dc=com
----> OK ---> Quit
After configuring, restart the nslcd service:
[root@client01-centos6 ~]# /etc/init.d/nslcd restart
Stopping nslcd: [ OK ]
Starting nslcd: [ OK ]
[root@client01-centos6 ~]# id user01
uid=1000(user01) gid=1010(Host) groups=1010(Host)
[root@client01-centos6 ~]# grep user01 /etc/passwd
[root@client01-centos6 ~]#
Test logging in as user01:
[root@ldapclient01 ~]# ssh user01@192.168.31.155
user01@192.168.31.155's password:
Last login: Wed Oct 25 17:19:16 2017 from 192.168.31.154
Could not chdir to home directory /home/user01: No such file or directory
-bash-4.1$ id
uid=1000(user01) gid=1010(Host) groups=1010(Host)
-bash-4.1$ hostname
client01-centos6
-bash-4.1$
Login succeeds, but the home directory is not created. Next we fix home directory creation (with the --enablemkhomedir option).
[root@client01-centos6 ~]# authconfig --enableldap --enableldapauth --ldapserver=ldap://192.168.31.153 --disableldaptls --enablemkhomedir --ldapbasedn="dc=ldap,dc=com" --update
[root@client01-centos6 ~]#
Tip: if the command above has no effect, run authconfig --restorebackup=openldap.bak to restore the initial configuration, then run the "authconfig --enableldap --enableldapauth --ldapserver=ldap://192.168.31.153 --disableldaptls --enablemkhomedir --ldapbasedn="dc=ldap,dc=com" --update" command again; concretely:
[root@client01-centos6 ~]# authconfig --restorebackup=openldap.bak
[root@client01-centos6 ~]# authconfig --enableldap --enableldapauth --ldapserver=ldap://192.168.31.153 --disableldaptls --enablemkhomedir --ldapbasedn="dc=ldap,dc=com" --update
Starting nslcd: [ OK ]
[root@client01-centos6 ~]# id user01
uid=1000(user01) gid=1010(Host) groups=1010(Host)
[root@client01-centos6 ~]# getent passwd user01
user01:x:1000:1010:user01:/hoome/user01:/bin/bash
[root@client01-centos6 ~]#
Check /etc/pam.d/system-auth; the following line has been added:
session optional pam_mkhomedir.so umask=0077
Test the LDAP account user01 again:
[user01@client01-centos6 ~]$ id
uid=1000(user01) gid=1010(Host) groups=1010(Host) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[user01@client01-centos6 ~]$ pwd
/hoome/user01
[user01@client01-centos6 ~]$ whoami
user01
[user01@client01-centos6 ~]$
Continue with the login test:
[root@ldapclient01 ~]# ssh user01@192.168.31.155
user01@192.168.31.155's password:
Creating directory '/home/user01'.
Last login: Wed Oct 25 17:24:43 2017 from 192.168.31.154
[user01@client01-centos6 ~]$ pwd
/home/user01
[user01@client01-centos6 ~]$ whoami
user01
[user01@client01-centos6 ~]$
Note: login succeeds and the home directory is created. The option that creates home directories is "--enablemkhomedir".
2.3. CentOS 7
/etc/nslcd.conf
/etc/pam_ldap.conf
/etc/nsswitch.conf
/etc/pam.d/system-auth
Install the configuration files and the corresponding tool packages:
[root@client01-centos7 ~]# yum install nss-pam-ldapd setuptool
Back up the configuration files:
[root@client01-centos7 ~]# authconfig --savebackup=openldap.bak
[root@client01-centos7 ~]# id user01
id: user01: no such user
[root@client01-centos7 ~]# getent passwd user01
[root@client01-centos7 ~]# getent shadow user01
Restore the configuration files:
[root@client01-centos7 ~]# authconfig --restorebackup=openldap.bak
Run the command that joins the client:
[root@client01-centos7 ~]# authconfig --enableldap --enableldapauth --ldapserver=ldap://192.168.31.153 --disableldaptls --enablemkhomedir --ldapbasedn="dc=ldap,dc=com" --update
[root@client01-centos7 ~]# getent shadow user01
user01:*:::::::0
[root@client01-centos7 ~]# getent passwd user01
user01:x:1000:1010:user01:/hoome/user01:/bin/bash
[root@client01-centos7 ~]# id user01
uid=1000(user01) gid=1010(Host) groups=1010(Host)
[root@client01-centos7 ~]#
Run the same login test:
[root@client01-centos6 ~]# ssh user01@192.168.31.156
user01@192.168.31.156's password:
Creating directory '/home/user01'.
Last login: Tue Oct 24 13:04:39 2017 from 192.168.31.100
[user01@client01-centos7 ~]$ whoami
user01
[user01@client01-centos7 ~]$ id
uid=1000(user01) gid=1010(Host) groups=1010(Host) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[user01@client01-centos7 ~]$ pwd
/home/user01
[user01@client01-centos7 ~]$
-bash-4.2$ cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)
-bash-4.2$
Summary:
There are three ways to configure an LDAP client:
1. Edit the configuration files by hand
2. authconfig
3. setup (text UI)
Note: method 1 is the most complicated and the least reliable, since it is very easy to make a mistake, so it is generally not recommended. Methods 2 and 3 can be chosen as needed; personally I recommend method 2, which is convenient and accurate. Also, before making any configuration change, always take a backup first (i.e. authconfig --savebackup=).
I. Both CentOS 6 and CentOS 7 need the nss-pam-ldapd component installed:
yum install nss-pam-ldapd -y
Before configuring, remember to back up the files; the "authconfig --savebackup=openldap.bak" command is recommended:
authconfig --savebackup=openldap.bak (backup)
To quickly restore the configuration files to their initial state:
authconfig --restorebackup=openldap.bak (restore)
To join the client to the LDAP service for central management, run the following command; make sure the server address and the corresponding parameters are correct:
authconfig --enableldap --enableldapauth --ldapserver=ldap://192.168.31.153 --disableldaptls --enablemkhomedir --ldapbasedn="dc=ldap,dc=com" --update
In real work I once carelessly left out the "--enableldapauth" parameter; as a result I could no longer log in to the server remotely over ssh and had to go to the server room to restore the configuration files, then add the parameter and run the command again.
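As an added example (not part of the original notes), the same authconfig sequence wrapped in a script that refuses to run if a required flag is missing, backs up first, verifies that a known LDAP account actually resolves through NSS, and restores the backup otherwise. The server address, base DN, backup name and the use of --disableldaptls are taken from the notes and are assumptions.

```shell
#!/bin/bash
# Added example (not from the original notes): enrol a CentOS 6/7 host as an LDAP
# client with authconfig, verify the result, and roll back automatically so that a
# wrong or missing flag cannot lock you out of ssh.  Assumes nss-pam-ldapd is
# installed; server, base DN and backup name are those used in the notes.
LDAP_SERVER="${LDAP_SERVER:-ldap://192.168.31.153}"
LDAP_BASEDN="${LDAP_BASEDN:-dc=ldap,dc=com}"
BACKUP_NAME="${BACKUP_NAME:-openldap.bak}"
# --disableldaptls follows the notes: passwords cross the wire in clear text, so on
# a real network use --enableldaptls with a trusted CA certificate instead.
AUTHCONFIG_ARGS="--enableldap --enableldapauth --ldapserver=$LDAP_SERVER \
--disableldaptls --enablemkhomedir --ldapbasedn=$LDAP_BASEDN --update"
# Pure string check (no system access): refuse to run unless every flag a working
# LDAP login needs is present (the notes describe a lockout from a forgotten one).
check_authconfig_flags() {
    for flag in --enableldap --enableldapauth --enablemkhomedir --ldapserver= --ldapbasedn= --update; do
        case " $1 " in
            *" $flag"*) ;;
            *) echo "missing flag: $flag" >&2; return 1 ;;
        esac
    done
}
# Where did NSS resolve the user from?  Args: 'getent passwd <user>' output and
# the matching /etc/passwd line (either may be empty).
classify_user_source() {
    if [ -n "$2" ]; then echo local
    elif [ -n "$1" ]; then echo ldap
    else echo unknown
    fi
}
# 6th field of a passwd(5) line: the home directory pam_mkhomedir will create.
home_from_passwd_line() { printf '%s\n' "$1" | cut -d: -f6; }
# Live sequence: back up, apply, verify with a known LDAP-only account, restore
# the backup if that account does not resolve from LDAP afterwards.
enrol_ldap_client() {
    check_authconfig_flags "$AUTHCONFIG_ARGS" || return 2
    authconfig --savebackup="$BACKUP_NAME" || return 3
    authconfig $AUTHCONFIG_ARGS   # unquoted on purpose: split into separate args
    entry=$(getent passwd "$1")
    src=$(classify_user_source "$entry" "$(grep "^$1:" /etc/passwd)")
    if [ "$src" != ldap ]; then
        echo "verification failed (source=$src); restoring $BACKUP_NAME" >&2
        authconfig --restorebackup="$BACKUP_NAME"
        return 1
    fi
    echo "ok: $1 served by LDAP, home=$(home_from_passwd_line "$entry")"
}
[ "$#" -eq 1 ] && enrol_ldap_client "$1"   # e.g. ./enrol.sh user01
```

Run it as root from a console session (or with a second root shell kept open), not only over the ssh connection it may break.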
II. Environment issues to watch out for
① Make sure SELinux and iptables are disabled, i.e. getenforce returns Disabled and iptables is stopped
② Make sure the client is pointed at the correct server address
III. How to let users change their initial password:
By default, users cannot change their own password, as shown below:
[user01@client01-centos7 ~]$ id
uid=1000(user01) gid=1010(Host) groups=1010(Host) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[user01@client01-centos7 ~]$ passwd
Changing password for user user01.
(current) LDAP Password:
New password:
Retype new password:
password change failed: Insufficient access
passwd: Authentication token manipulation error
[user01@client01-centos7 ~]$
To allow users to change their initial password, the authorization (access control) must be changed on the LDAP server, as follows:
[root@localhost cn=config]# cat << EOF |ldapmodify -Y EXTERNAL -H ldapi:///
> dn: olcDatabase={2}hdb,cn=config
> changetype: modify
> add: olcAccess
> olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=ldap,dc=com" write by anonymous auth by self write by * none
> olcAccess: {1}to dn.base="" by * read
> olcAccess: {2}to * by dn="cn=Manager,dc=ldap,dc=com" write by * read
> EOF
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"
[root@localhost cn=config]#
Command to run:
cat << EOF | ldapmodify -Y EXTERNAL -H ldapi:///
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=ldap,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=ldap,dc=com" write by * read
EOF
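To see why passwd fails before the change and succeeds after it, here is an added example (not from the original notes) that evaluates olcAccess values with slapd's first-match rule. Only the "after" rule is the one from the notes; the "before" rule, the mis-ordered rule and the user02 DN are constructed for contrast.

```shell
#!/bin/bash
# Added example (not from the original notes): evaluate an olcAccess value the way
# slapd does, to see why passwd fails before the ACL change and succeeds after it.
# slapd walks the "by" clauses in order and stops at the FIRST one whose subject
# matches; if no clause matches, the result is "none".  Assumes every clause has
# the plain form "by <who> <access>" (no stop/break/continue control keywords).
acl_access_for() {   # $1 = olcAccess value, $2 = subject: self, anonymous, dn="..."
    printf '%s\n' "$1" | awk -v who="$2" '
    {
        n = split($0, t, " ")
        i = 1
        while (i <= n && t[i] != "by") i++          # skip the "{n}to <what>" part
        while (i + 2 <= n) {                         # triplets: by <who> <access>
            if (t[i+1] == who || t[i+1] == "*") { print t[i+2]; exit }
            i += 3
        }
        print "none"
    }'
}
# Constructed "before" rule: manager may write, anyone may authenticate, but the
# entry owner ("self") is never granted write, so passwd gets Insufficient access.
ACL_BEFORE='{0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=ldap,dc=com" write by anonymous auth by * none'
# The rule from the notes: "by self write" is inserted BEFORE the catch-all "by * none".
ACL_AFTER='{0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=ldap,dc=com" write by anonymous auth by self write by * none'
# Constructed mistake: same clauses, but "by * none" placed first shadows them all.
ACL_MISORDERED='{0}to attrs=userPassword,shadowLastChange by * none by self write by anonymous auth'
OTHER='dn="uid=user02,ou=People,dc=ldap,dc=com"'   # constructed: some other bound user

# True when a rule lets users change their own password (self -> write) while
# still allowing the bind passwd needs (anonymous -> auth) and hiding the
# password attributes from everyone else (other subjects -> none).
acl_allows_self_passwd_change() {
    [ "$(acl_access_for "$1" self)" = write ] &&
    [ "$(acl_access_for "$1" anonymous)" = auth ] &&
    [ "$(acl_access_for "$1" "$OTHER")" = none ]
}

for name in ACL_BEFORE ACL_AFTER ACL_MISORDERED; do
    eval "rule=\$$name"
    if acl_allows_self_passwd_change "$rule"; then v="passwd works"; else v="Insufficient access"; fi
    printf '%-14s self=%-5s anonymous=%-5s other=%-5s -> %s\n' "$name" \
        "$(acl_access_for "$rule" self)" "$(acl_access_for "$rule" anonymous)" \
        "$(acl_access_for "$rule" "$OTHER")" "$v"
done
```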
Log out, log back in and run the password change again:
[user01@client01-centos7 ~]$ exit
logout
Connection to 192.168.31.156 closed.
[root@client01-centos6 ~]# ssh user01@192.168.31.156
user01@192.168.31.156's password:
Last login: Tue Oct 24 13:07:36 2017 from 192.168.31.155
[user01@client01-centos7 ~]$ passwd
Changing password for user user01.
(current) LDAP Password:
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[user01@client01-centos7 ~]$