OpenLDAP+Openssh-LPK+Sudo+TLS用户管理系统

环境:

ldap node1:192.168.100.151
ldap node2:192.168.100.152

client ip:192.168.100.153

 

===========================服务端===========================

1、安装

安装DB

[root@localhost openldap]# yum install -y libtool-ltdl-devel.x86_64  libtool-ltdl.x86_64  
[root@localhost tarbag]#tar -xzvf db-4.8.26.tar.gz -C ../software/
[root@localhost tarbag]# cd ../software/db-4.8.26/build_unix/
[root@localhost build_unix]# ../dist/configure 
[root@localhost build_unix]#make install
[root@localhost build_unix]#echo "/usr/local/BerkeleyDB.4.8/lib/" >> /etc/ld.so.conf
[root@localhost build_unix]#ldconfig -vv

安装openldap

[root@localhost tarbag]#tar zxvf openldap-2.4.21.tgz -C ../software/
[root@localhost tarbag]# cd ../software/openldap-2.4.21/
[root@localhost openldap-2.4.21]# ./configure --prefix=/usr/local/openldap-2.4.21 --enable-syslog --enable-modules --with-tls  CPPFLAGS=-I/usr/local/BerkeleyDB.4.8/include/ LDFLAGS=-L/usr/local/BerkeleyDB.4.8/lib/ 
[root@localhost openldap-2.4.21]#make depend
[root@localhost openldap-2.4.21]#make
[root@localhost openldap-2.4.21]#make test  这个需要比较长的时间.如果觉得没必要执行这一步的可以跳过.直接make install
[root@localhost openldap-2.4.21]#make install
[root@localhost openldap-2.4.21]# cd /usr/local/openldap-2.4.21/
[root@localhost openldap-2.4.21]# ls
bin  etc  include  lib  libexec  sbin  share  var

2、openldap配置

下载openssh-lpk_openldap.schema

[root@localhost ~]# cd /usr/local/openldap-2.4.21/etc/openldap/schema
[root@localhost schema]#wget http://openssh-lpk.googlecode.com/files/openssh-lpk_openldap.schema
[root@localhost schema]#cp openssh-lpk_openldap.schema openssh-lpk.schema

生成密码:

[root@localhost ~]# cd /usr/local/openldap-2.4.21/sbin/
[root@localhost sbin]# ./slappasswd 
New password: 
Re-enter new password: 
{SSHA}o/pZaQlZohhssEC7UAWnqWZ3GaHwxeUZ    //密码是123456 这个密码写到slapd.conf里面的rootpw位置

配置slapd.conf

[root@localhost openldap]# cat /usr/local/openldap-2.4.21/etc/openldap/slapd.conf
include         /usr/local/openldap-2.4.21/etc/openldap/schema/core.schema
include         /usr/local/openldap-2.4.21/etc/openldap/schema/cosine.schema
include         /usr/local/openldap-2.4.21/etc/openldap/schema/inetorgperson.schema
include         /usr/local/openldap-2.4.21/etc/openldap/schema/nis.schema
include         /usr/local/openldap-2.4.21/etc/openldap/schema/openssh-lpk.schema 
loglevel        256
pidfile         /usr/local/openldap-2.4.21/var/run/slapd.pid
argsfile        /usr/local/openldap-2.4.21/var/run/slapd.args

#######################################################################
# database definition
#######################################################################
database        bdb
suffix          "dc=hsf,dc=com"
rootdn          "cn=Manager,dc=hsf,dc=com"
rootpw          {SSHA}o/pZaQlZohhssEC7UAWnqWZ3GaHwxeUZ
directory       /opt/openldap_data/

# Indices to maintain for this database
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
index sudoUser                          eq

[root@localhost openldap]#cd /usr/local/openldap-2.4.21/etc/openldap

拷贝DB_CONFIG到Ldap数据目录.

[root@localhost openldap]# cp DB_CONFIG.example  /opt/openldap_data/

修改syslog.conf 

[root@localhost www]# vi /etc/syslog.conf 
#Save ldap messages to ldap.log
local4.*                                                /var/log/ldap.log

重启syslog

[root@localhost openldap]# service syslog restart
Shutting down kernel logger: [  OK  ]
Shutting down system logger: [  OK  ]
Starting system logger: [  OK  ]
Starting kernel logger: [  OK  ]

启动ldap

启动方法1:

# /usr/local/openldap-2.4.21/libexec/slapd # 直接进入后台工作

启动方法2:

 
 
# /usr/local/openldap-2.4.21/libexec/slapd -d 256 # 依旧在前端,有debug信息
[root@localhost run]# /usr/local/openldap-2.4.21/libexec/slapd 
[root@localhost run]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name   
tcp        0      0 0.0.0.0:389                 0.0.0.0:*                   LISTEN      22917/slapd         
tcp        0      0 :::389                      :::*                        LISTEN      22917/slapd         
tcp        0      0 :::22                       :::*                        LISTEN      1987/sshd  

 3、生成公私密钥对(任何一台机器都行)

# ssh-keygen -t rsa
.....不断回车
# cd /root/.ssh/
# sz id_rsa.pub 公钥(导入ldap的sshPublicKey字段)   
# sz id_rsa 私钥(放在crt,putty,linux的/root/.ssh/下)

 4、导入ldap数据

根:

[root@localhost ~]# cat passwd.ldif 
#version: 1
dn: dc=hsf,dc=com
objectClass: top
objectClass: domain
dc: hsf

dn: ou=groups,dc=hsf,dc=com
objectClass: top
objectClass: organizationalUnit
ou: groups

dn: cn=root,ou=groups,dc=hsf,dc=com
objectClass: posixGroup

objectClass: top
cn: root

gidNumber: 0
memberUid: root

dn: ou=users,dc=hsf,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: top

cn: users
sn: users
ou: users

dn: uid=root,ou=users,dc=hsf,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: top
objectClass: ldapPublicKey
objectClass: posixAccount

cn: root
gidNumber: 0
homeDirectory: /root/
sn: root
uid: root
uidNumber: 0
sshPublicKey: ssh-rsa testAAgQDl+WA5jQja/BDfBSwo3dJ78uaaaaaILbNEEbHGqbXXL74S2HUHkGJ5UH1RHd9AzH1bzgEfP3CU7wHeghG5co576xRUrZw5BolybBz+3q1GxRfqfoZGxZP6/fyYogSrjaR+pT3MxBx91vt+OK61uBhuOCzIe8gDOpxAeZP6SRAJw== [email protected]
 
[root@localhost openldap]# /usr/local/openldap-2.4.21/bin/ldapadd -x -D "cn=Manager,dc=hsf,dc=com" -W -f passwd.ldif 

 ====================客户端====================

IP地址:192.168.100.153

 1、安装openssh补丁包:

[root@localhost tarbag]# gunzip openssh-lpk-5.9p1-0.3.14.patch.gz 
[root@localhost tarbag]# tar zxvf openssh-5.9p1.tar.tar 
[root@localhost tarbag]# cd openssh-5.9p1
[root@localhost openssh-5.9p1]# patch -Np1 -i /usr/local/src/tarbag/openssh-lpk-5.9p1-0.3.14.patch 
patching file auth2-pubkey.c
patching file auth-rsa.c
patching file config.h.in
patching file configure.ac
patching file ldapauth.c
patching file ldapauth.h
patching file lpk-user-example.txt
patching file Makefile.in
patching file openssh-lpk_openldap.schema
patching file openssh-lpk_sun.schema
patching file README.lpk
patching file servconf.c
patching file servconf.h
patching file sshd.c
patching file sshd_config
patching file sshd_config.5
patching file version.h

[root@localhost tarbag]#./configure \
--prefix=/usr \
--sysconfdir=/etc/ssh \
--libexecdir=/usr/sbin \
--with-md5-passwords \
--with-pam  \
--with-libs="-lldap" \
--with-cppflags="-DWITH_LDAP_PUBKEY" \

[root@localhost tarbag]#make 
[root@localhost tarbag]#make install

 2、修改sshd配置文件

# cat /etc/ssh/sshd_config  | grep -v '#' | grep -v '^$'
SyslogFacility AUTHPRIV
PasswordAuthentication no
UsePAM no
X11Forwarding yes
Subsystem       sftp    /usr/libexec/openssh/sftp-server
UseLPK  yes
LpkServers      ldap://192.168.100.151:389
LpkUserDN       ou=users,dc=hsf,dc=com
LpkGroupDN      ou=groups,dc=hsf,dc=com
LpkBindDN       cn=Manager,dc=hsf,dc=com
 

LpkBindPw {SSHA}o/pZaQlZohhssEC7UAWnqWZ3GaHwxeUZ
LpkForceTLS     no
LpkSearchTimelimit      3
LpkBindTimelimit        3

 修改:nsswitch.conf 

[root@localhost openssh-5.9p1]# vi /etc/nsswitch.conf 
passwd:     files ldap
shadow:     files ldap
group:      files ldap

 修改authconfig

[root@localhost etc]# cat /etc/sysconfig/authconfig  | grep yes
USELDAPAUTH=yes
USESHADOW=yes
USELOCAUTHORIZE=yes
USELDAP=yes
USECRACKLIB=yes

3、重启sshd

# service sshd restart

 4、增加文件/etc/pam.d/common-session 

session required        pam_unix.so 
session required        pam_mkhomedir.so skel=/etc/skel/ 
session optional        pam_ldap.so

 ===========================Autofs配置=========================== 

(也可以用ldap里面的auto.schema来配置.我觉得没有这个来得方便.)

 ldap 共享家目录 client使用autofs自动挂载对应的家目录 做这个是解决Could not chdir to home directory /home/hsf: No such file or directory

 ldap nfs配置:

[root@localhost home]# cat /etc/exports 
/home           192.168.100.0/255.255.255.0(rw,async,wdelay,root_squash,no_subtree_check,anonuid=65534,anongid=65534)
 
[root@localhost home]# service portmap start 
[root@localhost home]# service nfs start 
[root@localhost home]# chkconfig nfs on
[root@localhost home]# chkconfig portmap on 

 client配置:

[root@localhost ~]# cat /etc/auto.master 
#
/home   /etc/auto.nfs   --timeout=100

[root@localhost ~]# cat /etc/auto.nfs 
*       192.168.100.151:/home/&

[root@localhost ~]# service autofs start
[root@localhost ~]# service portmap start

 测试.client端:

[root@localhost ~]# cd /home/
[root@localhost home]# ls
[root@localhost home]#
[root@localhost home]# su - test
-sh-3.00$ pwd
/home/test/
-sh-3.00$ 

 ===========================Ldap+sudoers配置===========================:

先添加sudoer.schema配置

[root@localhost log]#vi /etc/openldap/schema/sudoer.schema 
attributetype ( 1.3.6.1.4.1.15953.9.1.1
    NAME 'sudoUser'
    DESC 'User(s) who may  run sudo'
    EQUALITY caseExactIA5Match
    SUBSTR caseExactIA5SubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

 attributetype ( 1.3.6.1.4.1.15953.9.1.2
    NAME 'sudoHost'
    DESC 'Host(s) who may run sudo'
    EQUALITY caseExactIA5Match
    SUBSTR caseExactIA5SubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 
 attributetype ( 1.3.6.1.4.1.15953.9.1.3
    NAME 'sudoCommand'
    DESC 'Command(s) to be executed by sudo'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) 

 attributetype ( 1.3.6.1.4.1.15953.9.1.4
    NAME 'sudoRunAs'
    DESC 'User(s) impersonated by sudo'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )


 attributetype ( 1.3.6.1.4.1.15953.9.1.5
    NAME 'sudoOption'
    DESC 'Options(s) followed by sudo'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )


 attributetype ( 1.3.6.1.4.1.15953.9.1.6
    NAME 'sudoRunAsUser'
    DESC 'User(s) impersonated by sudo'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

 
 attributetype ( 1.3.6.1.4.1.15953.9.1.7
    NAME 'sudoRunAsGroup'
    DESC 'Group(s) impersonated by sudo'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 

 attributetype ( 1.3.6.1.4.1.15953.9.1.8
    NAME 'sudoNotBefore'
    DESC 'Start of time interval for which the entry is valid'
    EQUALITY generalizedTimeMatch
    ORDERING generalizedTimeOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
 

 attributetype ( 1.3.6.1.4.1.15953.9.1.9
    NAME 'sudoNotAfter'
    DESC 'End of time interval for which the entry is valid'
    EQUALITY generalizedTimeMatch
    ORDERING generalizedTimeOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
 

 attributeTypes ( 1.3.6.1.4.1.15953.9.1.10
     NAME 'sudoOrder'
     DESC 'an integer to order the sudoRole entries'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
 

 objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
    DESC 'Sudoer Entries'
    MUST ( cn )
    MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
          sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
          sudoOrder $ description $ou )
    )
 

将这个sudoer.schema加到slapd.conf中

[root@localhost log]# cat /etc/openldap/slapd.conf  | grep sudo
include         /etc/openldap/schema/sudoer.schema 

 sudoer默认Ldif数据.

[root@localhost ~]# cat sudo.ldif 
dn: ou=SUDOers,dc=hsf,dc=com
objectClass: top
objectClass: organizationalUnit
description: SUDO Configuration Subtree
ou: SUDOers
 

dn: cn=defaults,ou=SUDOers,dc=hsf,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: requiretty
sudoOption: !visiblepw
sudoOption: env_reset

dn: cn=root,ou=SUDOers,dc=hsf,dc=com
objectClass: top
objectClass: sudoRole
cn: root
sudoUser: root
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL

 

dn: cn=%wheel,ou=SUDOers,dc=hsf,dc=com
objectClass: top
objectClass: sudoRole
cn: %wheel
sudoUser: %wheel
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOption: !authenticate
 

dn: cn=hsf,ou=SUDOers,dc=hsf,dc=com
objectClass: top
objectClass: sudoRole
cn: hsf
sudoUser: hsf
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOption: !authenticate

 导入sudo数据到Ldap中.

[root@localhost ~]# ldapadd -x -D "cn=Manager,dc=hsf,dc=com" -W -f sudo.ldif 

 ===========================sudo client配置===========================:

安装sudo: (默认安装的sudo不支持ldap)

下载:http://down1.chinaunix.net/distfiles/sudo-1.7.2p1.tar.gz

[root@localhost tarbag]# wget http://down1.chinaunix.net/distfiles/sudo-1.7.2p1.tar.gz
[root@localhost tarbag]# tar zxvf sudo-1.7.2p1.tar.gz  -C ../software/
[root@localhost tarbag]# cd ../software/sudo-1.7.2p1/
[root@localhost sudo-1.7.2p1]#./configure --with-ldap --with-pam
[root@localhost sudo-1.7.2p1]#make
[root@localhost sudo-1.7.2p1]#make install
[root@localhost sudo-1.7.2p1]#mv /etc/pam.d/sudo /etc/pam.d/sudo.orig
[root@localhost sudo-1.7.2p1]#mv /usr/bin/sudo /usr/bin/sudo.orig
[root@localhost sudo-1.7.2p1]#ln -s /usr/local/bin/sudo /usr/bin/sudo
[root@localhost sudo-1.7.2p1]#cp sample.pam /etc/pam.d/sudo

 配置 ldap.conf

[root@localhost ~]# cat /etc/ldap.conf | grep -v '#' | grep -v '^$'
host 	192.168.100.151
URI     ldap://192.168.100.151
BASE dc=hsf,dc=com
SUDOERS_BASE ou=SUDOers,dc=hsf,dc=com
ssl no

修改nsswitch.conf 

[root@localhost home]# cat  /etc/nsswitch.conf  | grep sudo
sudoers:    ldap

 

验证:

[root@localhost ~]# sudo -V | grep ldap
ldap.conf path: /etc/ldap.conf
ldap.secret path: /etc/ldap.secret

 安装好后重启下ldap服务

 测试:

-sh-3.00$ sudo -l
Matching Defaults entries for test on this host:
    requiretty, !visiblepw, env_reset

Runas and Command-specific defaults for test:

 
User test may run the following commands on this host:
    (ALL) NOPASSWD: ALL
    (ALL) NOPASSWD: ALL

-sh-3.00$ sudo su -

 ===========================openldap主主配置===========================

节点1:192.168.100.151
节点2:192.168.100.152

 节点1(node1)配置

slapd.conf配置文件的最后一行追加如下配置

index entryCSN,entryUUID eq # 新增索引,提高同步速度,同步需要使用到这二个字段
overlay syncprov # 复制引擎
syncprov-checkpoint 100 10 # 操作100次同步一次,或者10分钟同步一次
syncprov-sessionlog 100

serverID     1 # 节点ID,唯一
syncrepl     rid=123
             provider=ldap://192.168.100.152 # 对端IP地址
             bindmethod=simple
             binddn="cn=Manager,dc=hsf,dc=com" # Bind DN
             credentials=123456 # 密码
             searchbase="dc=hsf,dc=com" # 起始域
             schemachecking=off
             type=refreshAndPersist
             retry="60 +"
mirrormode on # 开启mirrormode模式

 节点2(node2)配置

slapd.conf配置文件的最后一行追加如下配置

index entryCSN,entryUUID 		eq
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

serverID    2
syncrepl      rid=123
              provider=ldap://192.168.100.151
              bindmethod=simple
              binddn="cn=Manager,dc=hsf,dc=com"
              credentials=123456
              searchbase="dc=hsf,dc=com"
              schemachecking=off

              type=refreshAndPersist
              retry="60 +"
mirrormode on

 ===========================配置 TLS 安全性===========================

[root@localhost ~]#mkdir /usr/local/openldap-2.4.21/etc/openldap/ssl/
[root@localhost ~]#cd /usr/local/openldap-2.4.21/etc/openldap/ssl/
[root@localhost ssl]# /etc/pki/tls/misc/CA -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
........................................++++++
......................................................++++++
writing new private key to '../../CA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:beijing
Locality Name (eg, city) [Newbury]:beijing
Organization Name (eg, company) [My Company Ltd]:hsf
Organizational Unit Name (eg, section) []:hsf
Common Name (eg, your name or your server's hostname) []: 192.168.100.152
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 0 (0x0)
        Validity
            Not Before: Dec 28 06:27:46 2011 GMT
            Not After : Dec 27 06:27:46 2014 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = hsf
            organizationalUnitName    = hsf
            commonName                =  192.168.100.152
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                BA:D2:F9:E1:BB:16:57:3E:78:96:5E:29:21:A4:A7:4A:AE:E4:23:BD
            X509v3 Authority Key Identifier: 
                keyid:BA:D2:F9:E1:BB:16:57:3E:78:96:5E:29:21:A4:A7:4A:AE:E4:23:BD


Certificate is to be certified until Dec 27 06:27:46 2014 GMT (1095 days)
 

Write out database with 1 new entries
Data Base Updated
 
[root@localhost ssl]# openssl req -new -nodes -keyout newreq.pem -out newreq.pem  //如果是主主ldap的话.这个要执行两次.第一次Common Name 填主主ldap node1的Hostname 第一次Common Name 填node2的hostname//
Generating a 1024 bit RSA private key
.........++++++
.++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:beijing
Locality Name (eg, city) [Newbury]:beijing
Organization Name (eg, company) [My Company Ltd]:hsf
Organizational Unit Name (eg, section) []:hsf
Common Name (eg, your name or your server's hostname) []:192.168.100.152
Email Address []:
 

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:


[root@localhost ssl]# ls
newreq.pem
 
[root@localhost ssl]# /etc/pki/tls/misc/CA -sign
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Dec 28 06:29:44 2011 GMT
            Not After : Dec 27 06:29:44 2012 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            localityName              = beijing
            organizationName          = hsf
            organizationalUnitName    = hsf
            commonName                = 192.168.100.152
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                66:97:70:5F:99:B1:7E:06:3A:BE:DF:D6:5B:E4:E5:D7:EC:44:D5:16
            X509v3 Authority Key Identifier: 
                keyid:BA:D2:F9:E1:BB:16:57:3E:78:96:5E:29:21:A4:A7:4A:AE:E4:23:BD
 

Certificate is to be certified until Dec 27 06:29:44 2012 GMT (365 days)
Sign the certificate? [y/n]:y
 

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, ST=beijing, O=hsf, OU=hsf, CN= 192.168.100.152
        Validity
            Not Before: Dec 28 06:29:44 2011 GMT
            Not After : Dec 27 06:29:44 2012 GMT
        Subject: C=CN, ST=beijing, L=beijing, O=hsf, OU=hsf, CN=192.168.100.152
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:cf:ac:a6:5f:6a:de:42:71:87:32:c9:10:1f:3a:
                    72:ce:a2:0b:f9:e9:89:d2:ac:fa:b3:b3:09:f9:c6:
                    60:d7:7f:12:37:4b:04:0c:23:5a:1a:98:52:df:6b:
                    02:30:d6:a7:0e:f6:6a:3a:6d:9a:db:2b:c7:77:68:
                    88:a3:b8:7e:29:3e:d3:6d:8b:d1:46:01:71:48:da:
                    17:de:dc:dd:59:ad:b4:5e:45:ff:9d:e5:19:94:2d:
                    e4:d9:d5:c3:71:d0:1d:73:f8:7f:70:16:c4:78:62:
                    ec:7f:a7:61:f7:00:c2:c7:85:f2:17:43:73:d9:ec:
                    2b:9b:ae:c0:c5:74:04:c0:9f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                66:97:70:5F:99:B1:7E:06:3A:BE:DF:D6:5B:E4:E5:D7:EC:44:D5:16
            X509v3 Authority Key Identifier: 
                keyid:BA:D2:F9:E1:BB:16:57:3E:78:96:5E:29:21:A4:A7:4A:AE:E4:23:BD

    Signature Algorithm: sha1WithRSAEncryption
        75:ac:44:1f:af:ea:f0:d0:75:9b:77:3c:6f:7a:62:b4:9e:1d:
        14:c5:ef:b5:88:a8:d7:c8:b3:43:b0:ba:39:36:e1:59:f6:d8:
        e4:bc:9a:22:57:ed:48:a4:57:13:62:bb:8a:04:75:42:5e:76:
        ca:e0:89:7e:e8:cd:da:0e:0d:2e:b8:62:94:4a:28:9a:c7:41:
        47:17:08:b9:9e:1a:87:31:94:de:52:99:42:2a:5b:40:d0:a2:
        20:79:0f:ea:ab:bf:e3:e1:cc:75:9c:cb:14:a6:59:a5:6c:a0:
        50:bb:1a:e4:66:8d:89:20:fa:69:64:0f:31:80:68:68:17:6f:
        9f:18

-----BEGIN CERTIFICATE-----
MIICujCCAiOgAwIBAgIBATANBgkqhkiG9w0BAQUFADBcMQswCQYDVQQGEwJDTjEQ
MA4GA1UECBMHYmVpamluZzEPMA0GA1UEChMGWUFPU0hJMQ8wDQYDVQQLEwZZQU9T
SEkxGTAXBgNVBAMTECAxOTIuMTY4LjEwMC4xNTIwHhcNMTExMjI4MDYyOTQ0WhcN
MTIxMjI3MDYyOTQ0WjBtMQswCQYDVQQGEwJDTjEQMA4GA1UECBMHYmVpamluZzEQ
MA4GA1UEBxMHYmVpamluZzEPMA0GA1UEChMGWUFPU0hJMQ8wDQYDVQQLEwZZQU9T
SEkxGDAWBgNVBAMTDzE5Mi4xNjguMTAwLjE1MjCBnzANBgkqhkiG9w0BAQEFAAOB
jQAwgYkCgYEAz6ymX2reQnGHMskQHzpyzqIL+emJ0qz6s7MJ+cZg138SN0sEDCNa
GphS32sCMNanDvZqOm2a2yvHd2iIo7h+KT7TbYvRRgFxSNoX3tzdWa20XkX/neUZ
lC3k2dXDcdAdc/h/cBbEeGLsf6dh9wDCx4XyF0Nz2ewrm67AxXQEwJ8CAwEAAaN7
MHkwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQg
Q2VydGlmaWNhdGUwHQYDVR0OBBYEFGcF+ZsX4GOr7f1lvk5dfsRNUWMB8GA1Ud
IwQYMBaAFLrS+eG7Flc+eJZeKSGkp0qu5CO9MA0GCSqGSIb3DQEBBQUAA4GBAHWs
RB+v6vDQdZt3PG96YrSeHRTF77WIqNfIs0Owujk24Vn22OS8miJX7UikVxNiu4oE
dUJedsrgiX7ozdoODS64YpRKKJrHQUcXCLmeGocxlN5SmUIqW0DQoiB5D+qrv+Ph
zHWcyxSmWaVsoFC7GuRmjYkg+mlkDzGAaGgXb58Y
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
[root@localhost ssl]# ls
newcert.pem  newreq.pem
[root@localhost ssl]# mkdir /usr/local/openldap-2.4.21/etc/openldap/cacerts
[root@localhost ssl]#cp ../../CA/cacert.pem /usr/local/openldap-2.4.21/etc/openldap/cacerts/
[root@localhost ssl]#cp newcert.pem /usr/local/openldap-2.4.21/etc/openldap/slapdcert.pem 
[root@localhost ssl]#cp newreq.pem /usr/local/openldap-2.4.21/etc/openldap/slapdkey.pem 
[root@localhost ssl]#chmod  600 /usr/local/openldap-2.4.21/etc/openldap/slapdkey.pem 
[root@localhost openldap]# vi /usr/local/openldap-2.4.21/etc/openldap/slapd.conf
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /usr/local/openldap-2.4.21/etc/openldap/cacerts/cacert.pem
TLSCertificateFile /usr/local/openldap-2.4.21/etc/openldap/slapdcert.pem
TLSCertificateKeyFile /usr/local/openldap-2.4.21/etc/openldap/slapdkey.pem

 修改客户端/etc/openldap/ldap.conf

[root@localhost etc]# vi ldap.conf 
 TLS_CACERT /etc/openldap/cacerts/cacert.pem

 重启客户端sshd

[root@localhost etc]# service sshd restart
Stopping sshd: [  OK  ]
Starting sshd: [  OK  ]

 查看ldap服务器日志:

conn=1004 fd=14 ACCEPT from IP=192.168.100.153:58390 (IP=0.0.0.0:389)
conn=1004 op=0 EXT oid=1.3.6.1.4.1.1466.20037
conn=1004 op=0 STARTTLS
conn=1004 op=0 RESULT oid= err=0 text=
conn=1004 fd=14 TLS established tls_ssf=256 ssf=256
conn=1004 op=1 BIND dn="cn=Manager,dc=hsf,dc=com" method=128
conn=1004 op=1 BIND dn="cn=Manager,dc=hsf,dc=com" mech=SIMPLE ssf=0
conn=1004 op=1 RESULT tag=97 err=0 text=

出现STARTTLS为 OK

 配置ldap node2证书

将前面生成的cacert.pem newcert.pem newreq.pem抟到从服务器对应的位置上.修改权限

修改下slapd.conf 重启Ldap服务即可.

 配置主主Ldap时.客户机配置需要增加两台主主的IP:

[root@localhost etc]# cat /etc/ldap.conf  | grep -v '#' | grep -v '^$'
host  192.168.100.151 192.168.100.152
URI      ldap://192.168.100.151 ldap://192.168.100.152
BASE    dc=hsf,dc=com
SUDOERS_BASE ou=SUDOers,dc=hsf,dc=com
pam_password md5


[root@localhost etc]# cat /etc/openldap/ldap.conf  | grep -v '#' | grep -v '^$'
TIMELIMIT       30
BIND_TIMELIMT   30
BASE dc=hsf,dc=com
SUDOERS_BASE    ou=SUDOers,dc=hsf,dc=com
TLS_CACERT /etc/openldap/cacerts/cacert.pem

 重启client sshd 

基于openldap+openssh-lpk+sudo+tls用户验证管理完成.

你可能感兴趣的:(tls,sudo,openLdap,openssh,lpk)