环境:
ldap node1:192.168.100.151 ldap node2:192.168.100.152 client ip:192.168.100.153
===========================服务端===========================
1、安装
安装DB
[root@localhost openldap]# yum install -y libtool-ltdl-devel.x86_64 libtool-ltdl.x86_64 [root@localhost tarbag]#tar -xzvf db-4.8.26.tar.gz -C ../software/ [root@localhost tarbag]# cd ../software/db-4.8.26/build_unix/ [root@localhost build_unix]# ../dist/configure [root@localhost build_unix]#make install [root@localhost build_unix]#echo "/usr/local/BerkeleyDB.4.8/lib/" >> /etc/ld.so.conf [root@localhost build_unix]#ldconfig -vv
安装openldap
[root@localhost tarbag]#tar zxvf openldap-2.4.21.tgz -C ../software/ [root@localhost tarbag]# cd ../software/openldap-2.4.21/ [root@localhost openldap-2.4.21]# ./configure --prefix=/usr/local/openldap-2.4.21 --enable-syslog --enable-modules --with-tls CPPFLAGS=-I/usr/local/BerkeleyDB.4.8/include/ LDFLAGS=-L/usr/local/BerkeleyDB.4.8/lib/ [root@localhost openldap-2.4.21]#make depend [root@localhost openldap-2.4.21]#make [root@localhost openldap-2.4.21]#make test 这个需要比较长的时间.如果觉得没必要执行这一步的可以跳过.直接make install [root@localhost openldap-2.4.21]#make install [root@localhost openldap-2.4.21]# cd /usr/local/openldap-2.4.21/ [root@localhost openldap-2.4.21]# ls bin etc include lib libexec sbin share var
2、openldap配置
下载openssh-lpk_openldap.schema (注意: 下面是通过明文 http 下载且未做任何校验, 建议先核对文件来源与内容, 再将其加载到 slapd 中)
[root@localhost ~]# cd /usr/local/openldap-2.4.21/etc/openldap/schema [root@localhost schema]#wget http://openssh-lpk.googlecode.com/files/openssh-lpk_openldap.schema [root@localhost schema]#cp openssh-lpk_openldap.schema openssh-lpk.schema
生成密码:
[root@localhost ~]# cd /usr/local/openldap-2.4.21/sbin/ [root@localhost sbin]# ./slappasswd New password: Re-enter new password: {SSHA}o/pZaQlZohhssEC7UAWnqWZ3GaHwxeUZ //密码是123456 这个密码写到slapd.conf里面的rootpw位置
配置slapd.conf
[root@localhost openldap]# cat /usr/local/openldap-2.4.21/etc/openldap/slapd.conf include /usr/local/openldap-2.4.21/etc/openldap/schema/core.schema include /usr/local/openldap-2.4.21/etc/openldap/schema/cosine.schema include /usr/local/openldap-2.4.21/etc/openldap/schema/inetorgperson.schema include /usr/local/openldap-2.4.21/etc/openldap/schema/nis.schema include /usr/local/openldap-2.4.21/etc/openldap/schema/openssh-lpk.schema loglevel 256 pidfile /usr/local/openldap-2.4.21/var/run/slapd.pid argsfile /usr/local/openldap-2.4.21/var/run/slapd.args ####################################################################### # database definition ####################################################################### database bdb suffix "dc=hsf,dc=com" rootdn "cn=Manager,dc=hsf,dc=com" rootpw {SSHA}o/pZaQlZohhssEC7UAWnqWZ3GaHwxeUZ directory /opt/openldap_data/ # Indices to maintain for this database index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub index sudoUser eq [root@localhost openldap]#cd /usr/local/openldap-2.4.21/etc/openldap
拷贝DB_CONFIG到Ldap数据目录.
[root@localhost openldap]# cp DB_CONFIG.example /opt/openldap_data/
修改syslog.conf
[root@localhost www]# vi /etc/syslog.conf #Save ldap messages to ldap.log local4.* /var/log/ldap.log
重启syslog
[root@localhost openldap]# service syslog restart Shutting down kernel logger: [ OK ] Shutting down system logger: [ OK ] Starting system logger: [ OK ] Starting kernel logger: [ OK ]
启动ldap
启动方法1:
# /usr/local/openldap-2.4.21/libexec/slapd # 直接进入后台工作
启动方法2:
# /usr/local/openldap-2.4.21/libexec/slapd -d 256 # 依旧在前端,有debug信息 [root@localhost run]# /usr/local/openldap-2.4.21/libexec/slapd [root@localhost run]# netstat -lntp Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 22917/slapd tcp 0 0 :::389 :::* LISTEN 22917/slapd tcp 0 0 :::22 :::* LISTEN 1987/sshd
3、生成公私密钥对(任何一台机器都行)
# ssh-keygen -t rsa .....不断回车 # cd /root/.ssh/ # sz id_rsa.pub 公钥(导入ldap的sshPublicKey字段) # sz id_rsa 私钥(放在crt,putty,linux的/root/.ssh/下)
4、导入ldap数据
根:
[root@localhost ~]# cat passwd.ldif #version: 1 dn: dc=hsf,dc=com objectClass: top objectClass: domain dc: hsf dn: ou=groups,dc=hsf,dc=com objectClass: top objectClass: organizationalUnit ou: groups dn: cn=root,ou=groups,dc=hsf,dc=com objectClass: posixGroup objectClass: top cn: root gidNumber: 0 memberUid: root dn: ou=users,dc=hsf,dc=com objectClass: organizationalPerson objectClass: person objectClass: top cn: users sn: users ou: users dn: uid=root,ou=users,dc=hsf,dc=com objectClass: organizationalPerson objectClass: person objectClass: top objectClass: ldapPublicKey objectClass: posixAccount cn: root gidNumber: 0 homeDirectory: /root/ sn: root uid: root uidNumber: 0 sshPublicKey: ssh-rsa testAAgQDl+WA5jQja/BDfBSwo3dJ78uaaaaaILbNEEbHGqbXXL74S2HUHkGJ5UH1RHd9AzH1bzgEfP3CU7wHeghG5co576xRUrZw5BolybBz+3q1GxRfqfoZGxZP6/fyYogSrjaR+pT3MxBx91vt+OK61uBhuOCzIe8gDOpxAeZP6SRAJw== [email protected] [root@localhost openldap]# /usr/local/openldap-2.4.21/bin/ldapadd -x -D "cn=Manager,dc=hsf,dc=com" -W -f passwd.ldif
====================客户端====================
IP地址:192.168.100.153
1、安装openssh补丁包:
[root@localhost tarbag]# gunzip openssh-lpk-5.9p1-0.3.14.patch.gz [root@localhost tarbag]# tar zxvf openssh-5.9p1.tar.tar [root@localhost tarbag]# cd openssh-5.9p1 [root@localhost openssh-5.9p1]# patch -Np1 -i /usr/local/src/tarbag/openssh-lpk-5.9p1-0.3.14.patch patching file auth2-pubkey.c patching file auth-rsa.c patching file config.h.in patching file configure.ac patching file ldapauth.c patching file ldapauth.h patching file lpk-user-example.txt patching file Makefile.in patching file openssh-lpk_openldap.schema patching file openssh-lpk_sun.schema patching file README.lpk patching file servconf.c patching file servconf.h patching file sshd.c patching file sshd_config patching file sshd_config.5 patching file version.h [root@localhost tarbag]#./configure \ --prefix=/usr \ --sysconfdir=/etc/ssh \ --libexecdir=/usr/sbin \ --with-md5-passwords \ --with-pam \ --with-libs="-lldap" \ --with-cppflags="-DWITH_LDAP_PUBKEY" \ [root@localhost tarbag]#make [root@localhost tarbag]#make install
2、修改sshd配置文件 (注意: 下面 LpkBindPw 填的是 slappasswd 生成的 {SSHA} 哈希, 而 simple bind 需要的是明文口令, 与前面"密码是123456"以及后文主主配置里的 credentials=123456 不一致, 请核对; 另外 LpkBindDN 用的是目录管理员 rootdn, 这个口令会明文保存在每台客户端的 sshd_config 里, 建议改用只读的绑定账号并严格限制该文件权限; LpkForceTLS no 表示绑定口令会明文传输, 配好后文的 TLS 之后应考虑改为 yes)
# cat /etc/ssh/sshd_config | grep -v '#' | grep -v '^$' SyslogFacility AUTHPRIV PasswordAuthentication no UsePAM no X11Forwarding yes Subsystem sftp /usr/libexec/openssh/sftp-server UseLPK yes LpkServers ldap://192.168.100.151:389 LpkUserDN ou=users,dc=hsf,dc=com LpkGroupDN ou=groups,dc=hsf,dc=com LpkBindDN cn=Manager,dc=hsf,dc=com LpkBindPw {SSHA}o/pZaQlZohhssEC7UAWnqWZ3GaHwxeUZ LpkForceTLS no LpkSearchTimelimit 3 LpkBindTimelimit 3
修改:nsswitch.conf
[root@localhost openssh-5.9p1]# vi /etc/nsswitch.conf passwd: files ldap shadow: files ldap group: files ldap
修改authconfig
[root@localhost etc]# cat /etc/sysconfig/authconfig | grep yes USELDAPAUTH=yes USESHADOW=yes USELOCAUTHORIZE=yes USELDAP=yes USECRACKLIB=yes
3、重启sshd
# service sshd restart
4、增加文件/etc/pam.d/common-session (注意: 前面 sshd_config 里是 UsePAM no, 此时 sshd 不会执行 PAM 的 session 模块; 而且 common-session 是 Debian 系的文件名, 本文环境使用的是 service/chkconfig/authconfig, 其 /etc/pam.d/sshd 是否会 include 该文件需要自行确认, 否则 pam_mkhomedir 不会生效)
session required pam_unix.so session required pam_mkhomedir.so skel=/etc/skel/ session optional pam_ldap.so
===========================Autofs配置===========================
(也可以用ldap里面的auto.schema来配置.我觉得没有这个来得方便.)
ldap 共享家目录 client使用autofs自动挂载对应的家目录 做这个是解决Could not chdir to home directory /home/hsf: No such file or directory
ldap nfs配置: (注意: 下面的 /etc/exports 只按 192.168.100.0/24 网段授权, 没有任何认证, 该网段内任何主机都可以挂载并读写所有用户的家目录; root_squash 已启用是对的, 生产环境应进一步收紧授权)
[root@localhost home]# cat /etc/exports /home 192.168.100.0/255.255.255.0(rw,async,wdelay,root_squash,no_subtree_check,anonuid=65534,anongid=65534) [root@localhost home]# service portmap start [root@localhost home]# service nfs start [root@localhost home]# chkconfig nfs on [root@localhost home]# chkconfig portmap on
client配置:
[root@localhost ~]# cat /etc/auto.master # /home /etc/auto.nfs --timeout=100 [root@localhost ~]# cat /etc/auto.nfs * 192.168.100.151:/home/& [root@localhost ~]# service autofs start [root@localhost ~]# service portmap start
测试.client端:
[root@localhost ~]# cd /home/ [root@localhost home]# ls [root@localhost home]# [root@localhost home]# su - test -sh-3.00$ pwd /home/test/ -sh-3.00$
===========================Ldap+sudoers配置===========================:
先添加sudoer.schema配置
[root@localhost log]#vi /etc/openldap/schema/sudoer.schema attributetype ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributetype ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributetype ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributetype ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributetype ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributetype ( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributetype ( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC 'Group(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributetype ( 1.3.6.1.4.1.15953.9.1.8 NAME 'sudoNotBefore' DESC 'Start of time interval for which the entry is valid' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 ) attributetype ( 1.3.6.1.4.1.15953.9.1.9 NAME 'sudoNotAfter' DESC 'End of time interval for which the entry is valid' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 ) attributeTypes ( 1.3.6.1.4.1.15953.9.1.10 NAME 'sudoOrder' DESC 'an integer to order the sudoRole entries' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL DESC 'Sudoer Entries' MUST ( 
cn ) MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $ sudoOrder $ description $ou ) )
将这个sudoer.schema加到slapd.conf中
[root@localhost log]# cat /etc/openldap/slapd.conf | grep sudo include /etc/openldap/schema/sudoer.schema
sudoer默认Ldif数据. (注意: 其中 cn=%wheel 和 cn=hsf 两条都带 sudoOption: !authenticate, 即免密码执行 ALL, 仅适合测试; 生产环境应去掉 !authenticate 并收紧 sudoCommand)
[root@localhost ~]# cat sudo.ldif dn: ou=SUDOers,dc=hsf,dc=com objectClass: top objectClass: organizationalUnit description: SUDO Configuration Subtree ou: SUDOers dn: cn=defaults,ou=SUDOers,dc=hsf,dc=com objectClass: top objectClass: sudoRole cn: defaults description: Default sudoOption's go here sudoOption: requiretty sudoOption: !visiblepw sudoOption: env_reset dn: cn=root,ou=SUDOers,dc=hsf,dc=com objectClass: top objectClass: sudoRole cn: root sudoUser: root sudoHost: ALL sudoRunAsUser: ALL sudoCommand: ALL dn: cn=%wheel,ou=SUDOers,dc=hsf,dc=com objectClass: top objectClass: sudoRole cn: %wheel sudoUser: %wheel sudoHost: ALL sudoRunAsUser: ALL sudoCommand: ALL sudoOption: !authenticate dn: cn=hsf,ou=SUDOers,dc=hsf,dc=com objectClass: top objectClass: sudoRole cn: hsf sudoUser: hsf sudoHost: ALL sudoRunAsUser: ALL sudoCommand: ALL sudoOption: !authenticate
导入sudo数据到Ldap中.
[root@localhost ~]# ldapadd -x -D "cn=Manager,dc=hsf,dc=com" -W -f sudo.ldif
===========================sudo client配置===========================:
安装sudo: (默认安装的sudo不支持ldap)
下载:http://down1.chinaunix.net/distfiles/sudo-1.7.2p1.tar.gz (这是第三方镜像且为明文 http, 建议与 sudo 官方发布的签名或校验值核对后再编译安装)
[root@localhost tarbag]# wget http://down1.chinaunix.net/distfiles/sudo-1.7.2p1.tar.gz [root@localhost tarbag]# tar zxvf sudo-1.7.2p1.tar.gz -C ../software/ [root@localhost tarbag]# cd ../software/sudo-1.7.2p1/ [root@localhost sudo-1.7.2p1]#./configure --with-ldap --with-pam [root@localhost sudo-1.7.2p1]#make [root@localhost sudo-1.7.2p1]#make install [root@localhost sudo-1.7.2p1]#mv /etc/pam.d/sudo /etc/pam.d/sudo.orig [root@localhost sudo-1.7.2p1]#mv /usr/bin/sudo /usr/bin/sudo.orig [root@localhost sudo-1.7.2p1]#ln -s /usr/local/bin/sudo /usr/bin/sudo [root@localhost sudo-1.7.2p1]#cp sample.pam /etc/pam.d/sudo
配置 ldap.conf
[root@localhost ~]# cat /etc/ldap.conf | grep -v '#' | grep -v '^$' host 192.168.100.151 URI ldap://192.168.100.151 BASE dc=hsf,dc=com SUDOERS_BASE ou=SUDOers,dc=hsf,dc=com ssl no
修改nsswitch.conf
[root@localhost home]# cat /etc/nsswitch.conf | grep sudo sudoers: ldap
验证:
[root@localhost ~]# sudo -V | grep ldap ldap.conf path: /etc/ldap.conf ldap.secret path: /etc/ldap.secret
安装好后重启下ldap服务
测试:
-sh-3.00$ sudo -l Matching Defaults entries for test on this host: requiretty, !visiblepw, env_reset Runas and Command-specific defaults for test: User test may run the following commands on this host: (ALL) NOPASSWD: ALL (ALL) NOPASSWD: ALL -sh-3.00$ sudo su -
===========================openldap主主配置===========================
节点1:192.168.100.151 节点2:192.168.100.152
节点1(node1)配置
slapd.conf配置文件的最后一行追加如下配置 (注意: credentials=123456 是明文口令, 且 binddn 是目录管理员 rootdn, 因此 slapd.conf 必须严格限制读取权限; provider 是 ldap:// 且没有设置 starttls, 复制用的绑定口令会明文传输, 配好后文的 TLS 之后应在 syncrepl 里加上 starttls=critical; schemachecking=off 还会跳过模式校验)
index entryCSN,entryUUID eq # 新增索引,提高同步速度,同步需要使用到这二个字段 overlay syncprov # 复制引擎 syncprov-checkpoint 100 10 # 操作100次同步一次,或者10分钟同步一次 syncprov-sessionlog 100 serverID 1 # 节点ID,唯一 syncrepl rid=123 provider=ldap://192.168.100.152 # 对端IP地址 bindmethod=simple binddn="cn=Manager,dc=hsf,dc=com" # Bind DN credentials=123456 # 密码 searchbase="dc=hsf,dc=com" # 起始域 schemachecking=off type=refreshAndPersist retry="60 +" mirrormode on # 开启mirrormode模式
节点2(node2)配置
slapd.conf配置文件的最后一行追加如下配置
index entryCSN,entryUUID eq overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 serverID 2 syncrepl rid=123 provider=ldap://192.168.100.151 bindmethod=simple binddn="cn=Manager,dc=hsf,dc=com" credentials=123456 searchbase="dc=hsf,dc=com" schemachecking=off type=refreshAndPersist retry="60 +" mirrormode on
===========================配置 TLS 安全性=========================== (注意: 下面演示生成的是 1024 位 RSA、sha1WithRSAEncryption 签名的证书, TLSCipherSuite 也包含了 MEDIUM, 仅作演示用; 生产环境应使用更长的密钥、更强的签名算法和密码套件)
[root@localhost ~]#mkdir /usr/local/openldap-2.4.21/etc/openldap/ssl/ [root@localhost ~]#cd /usr/local/openldap-2.4.21/etc/openldap/ssl/ [root@localhost ssl]# /etc/pki/tls/misc/CA -newca CA certificate filename (or enter to create) Making CA certificate ... Generating a 1024 bit RSA private key ........................................++++++ ......................................................++++++ writing new private key to '../../CA/private/./cakey.pem' Enter PEM pass phrase: Verifying - Enter PEM pass phrase: ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [GB]:CN State or Province Name (full name) [Berkshire]:beijing Locality Name (eg, city) [Newbury]:beijing Organization Name (eg, company) [My Company Ltd]:hsf Organizational Unit Name (eg, section) []:hsf Common Name (eg, your name or your server's hostname) []: 192.168.100.152 Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Using configuration from /etc/pki/tls/openssl.cnf Enter pass phrase for ../../CA/private/./cakey.pem: Check that the request matches the signature Signature ok Certificate Details: Serial Number: 0 (0x0) Validity Not Before: Dec 28 06:27:46 2011 GMT Not After : Dec 27 06:27:46 2014 GMT Subject: countryName = CN stateOrProvinceName = beijing organizationName = hsf organizationalUnitName = hsf commonName = 192.168.100.152 X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: BA:D2:F9:E1:BB:16:57:3E:78:96:5E:29:21:A4:A7:4A:AE:E4:23:BD X509v3 Authority Key Identifier: 
keyid:BA:D2:F9:E1:BB:16:57:3E:78:96:5E:29:21:A4:A7:4A:AE:E4:23:BD Certificate is to be certified until Dec 27 06:27:46 2014 GMT (1095 days) Write out database with 1 new entries Data Base Updated [root@localhost ssl]# openssl req -new -nodes -keyout newreq.pem -out newreq.pem //如果是主主ldap的话.这个要执行两次.第一次Common Name 填主主ldap node1的Hostname 第一次Common Name 填node2的hostname// Generating a 1024 bit RSA private key .........++++++ .++++++ writing new private key to 'newreq.pem' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [GB]:CN State or Province Name (full name) [Berkshire]:beijing Locality Name (eg, city) [Newbury]:beijing Organization Name (eg, company) [My Company Ltd]:hsf Organizational Unit Name (eg, section) []:hsf Common Name (eg, your name or your server's hostname) []:192.168.100.152 Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: [root@localhost ssl]# ls newreq.pem [root@localhost ssl]# /etc/pki/tls/misc/CA -sign Using configuration from /etc/pki/tls/openssl.cnf Enter pass phrase for ../../CA/private/cakey.pem: Check that the request matches the signature Signature ok Certificate Details: Serial Number: 1 (0x1) Validity Not Before: Dec 28 06:29:44 2011 GMT Not After : Dec 27 06:29:44 2012 GMT Subject: countryName = CN stateOrProvinceName = beijing localityName = beijing organizationName = hsf organizationalUnitName = hsf commonName = 192.168.100.152 X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 
66:97:70:5F:99:B1:7E:06:3A:BE:DF:D6:5B:E4:E5:D7:EC:44:D5:16 X509v3 Authority Key Identifier: keyid:BA:D2:F9:E1:BB:16:57:3E:78:96:5E:29:21:A4:A7:4A:AE:E4:23:BD Certificate is to be certified until Dec 27 06:29:44 2012 GMT (365 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated Certificate: Data: Version: 3 (0x2) Serial Number: 1 (0x1) Signature Algorithm: sha1WithRSAEncryption Issuer: C=CN, ST=beijing, O=hsf, OU=hsf, CN= 192.168.100.152 Validity Not Before: Dec 28 06:29:44 2011 GMT Not After : Dec 27 06:29:44 2012 GMT Subject: C=CN, ST=beijing, L=beijing, O=hsf, OU=hsf, CN=192.168.100.152 Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:cf:ac:a6:5f:6a:de:42:71:87:32:c9:10:1f:3a: 72:ce:a2:0b:f9:e9:89:d2:ac:fa:b3:b3:09:f9:c6: 60:d7:7f:12:37:4b:04:0c:23:5a:1a:98:52:df:6b: 02:30:d6:a7:0e:f6:6a:3a:6d:9a:db:2b:c7:77:68: 88:a3:b8:7e:29:3e:d3:6d:8b:d1:46:01:71:48:da: 17:de:dc:dd:59:ad:b4:5e:45:ff:9d:e5:19:94:2d: e4:d9:d5:c3:71:d0:1d:73:f8:7f:70:16:c4:78:62: ec:7f:a7:61:f7:00:c2:c7:85:f2:17:43:73:d9:ec: 2b:9b:ae:c0:c5:74:04:c0:9f Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 66:97:70:5F:99:B1:7E:06:3A:BE:DF:D6:5B:E4:E5:D7:EC:44:D5:16 X509v3 Authority Key Identifier: keyid:BA:D2:F9:E1:BB:16:57:3E:78:96:5E:29:21:A4:A7:4A:AE:E4:23:BD Signature Algorithm: sha1WithRSAEncryption 75:ac:44:1f:af:ea:f0:d0:75:9b:77:3c:6f:7a:62:b4:9e:1d: 14:c5:ef:b5:88:a8:d7:c8:b3:43:b0:ba:39:36:e1:59:f6:d8: e4:bc:9a:22:57:ed:48:a4:57:13:62:bb:8a:04:75:42:5e:76: ca:e0:89:7e:e8:cd:da:0e:0d:2e:b8:62:94:4a:28:9a:c7:41: 47:17:08:b9:9e:1a:87:31:94:de:52:99:42:2a:5b:40:d0:a2: 20:79:0f:ea:ab:bf:e3:e1:cc:75:9c:cb:14:a6:59:a5:6c:a0: 50:bb:1a:e4:66:8d:89:20:fa:69:64:0f:31:80:68:68:17:6f: 9f:18 -----BEGIN CERTIFICATE----- 
MIICujCCAiOgAwIBAgIBATANBgkqhkiG9w0BAQUFADBcMQswCQYDVQQGEwJDTjEQ MA4GA1UECBMHYmVpamluZzEPMA0GA1UEChMGWUFPU0hJMQ8wDQYDVQQLEwZZQU9T SEkxGTAXBgNVBAMTECAxOTIuMTY4LjEwMC4xNTIwHhcNMTExMjI4MDYyOTQ0WhcN MTIxMjI3MDYyOTQ0WjBtMQswCQYDVQQGEwJDTjEQMA4GA1UECBMHYmVpamluZzEQ MA4GA1UEBxMHYmVpamluZzEPMA0GA1UEChMGWUFPU0hJMQ8wDQYDVQQLEwZZQU9T SEkxGDAWBgNVBAMTDzE5Mi4xNjguMTAwLjE1MjCBnzANBgkqhkiG9w0BAQEFAAOB jQAwgYkCgYEAz6ymX2reQnGHMskQHzpyzqIL+emJ0qz6s7MJ+cZg138SN0sEDCNa GphS32sCMNanDvZqOm2a2yvHd2iIo7h+KT7TbYvRRgFxSNoX3tzdWa20XkX/neUZ lC3k2dXDcdAdc/h/cBbEeGLsf6dh9wDCx4XyF0Nz2ewrm67AxXQEwJ8CAwEAAaN7 MHkwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQg Q2VydGlmaWNhdGUwHQYDVR0OBBYEFGcF+ZsX4GOr7f1lvk5dfsRNUWMB8GA1Ud IwQYMBaAFLrS+eG7Flc+eJZeKSGkp0qu5CO9MA0GCSqGSIb3DQEBBQUAA4GBAHWs RB+v6vDQdZt3PG96YrSeHRTF77WIqNfIs0Owujk24Vn22OS8miJX7UikVxNiu4oE dUJedsrgiX7ozdoODS64YpRKKJrHQUcXCLmeGocxlN5SmUIqW0DQoiB5D+qrv+Ph zHWcyxSmWaVsoFC7GuRmjYkg+mlkDzGAaGgXb58Y -----END CERTIFICATE----- Signed certificate is in newcert.pem [root@localhost ssl]# ls newcert.pem newreq.pem [root@localhost ssl]# mkdir /usr/local/openldap-2.4.21/etc/openldap/cacerts [root@localhost ssl]#cp ../../CA/cacert.pem /usr/local/openldap-2.4.21/etc/openldap/cacerts/ [root@localhost ssl]#cp newcert.pem /usr/local/openldap-2.4.21/etc/openldap/slapdcert.pem [root@localhost ssl]#cp newreq.pem /usr/local/openldap-2.4.21/etc/openldap/slapdkey.pem [root@localhost ssl]#chmod 600 /usr/local/openldap-2.4.21/etc/openldap/slapdkey.pem [root@localhost openldap]# vi /usr/local/openldap-2.4.21/etc/openldap/slapd.conf TLSCipherSuite HIGH:MEDIUM:+SSLv2 TLSCACertificateFile /usr/local/openldap-2.4.21/etc/openldap/cacerts/cacert.pem TLSCertificateFile /usr/local/openldap-2.4.21/etc/openldap/slapdcert.pem TLSCertificateKeyFile /usr/local/openldap-2.4.21/etc/openldap/slapdkey.pem
修改客户端/etc/openldap/ldap.conf (前提: 先把服务端 CA 的 cacert.pem 复制到客户端的 /etc/openldap/cacerts/ 下, 本文没有列出这一步; 只需复制 CA 证书, 不要把 slapdkey.pem 这类私钥分发到客户端)
[root@localhost etc]# vi ldap.conf TLS_CACERT /etc/openldap/cacerts/cacert.pem
重启客户端sshd
[root@localhost etc]# service sshd restart Stopping sshd: [ OK ] Starting sshd: [ OK ]
查看ldap服务器日志:
conn=1004 fd=14 ACCEPT from IP=192.168.100.153:58390 (IP=0.0.0.0:389) conn=1004 op=0 EXT oid=1.3.6.1.4.1.1466.20037 conn=1004 op=0 STARTTLS conn=1004 op=0 RESULT oid= err=0 text= conn=1004 fd=14 TLS established tls_ssf=256 ssf=256 conn=1004 op=1 BIND dn="cn=Manager,dc=hsf,dc=com" method=128 conn=1004 op=1 BIND dn="cn=Manager,dc=hsf,dc=com" mech=SIMPLE ssf=0 conn=1004 op=1 RESULT tag=97 err=0 text=
出现STARTTLS为 OK
配置ldap node2证书
将前面生成的cacert.pem newcert.pem newreq.pem传到从服务器对应的位置上.修改权限 (注意: 按前面"主主要执行两次、Common Name 分别填各自 hostname"的说明, 每个节点应使用带各自 CN 的服务器证书和私钥, 只有 cacert.pem 是两节点共用的; 如果把 CN=192.168.100.152 的证书原样复制到 node1, 客户端校验 ldap://192.168.100.151 的证书时可能因名称不匹配而失败; newreq.pem 里含有未加密的私钥, 传输时要走安全通道)
修改下slapd.conf 重启Ldap服务即可.
配置主主Ldap时.客户机配置需要增加两台主主的IP:
[root@localhost etc]# cat /etc/ldap.conf | grep -v '#' | grep -v '^$' host 192.168.100.151 192.168.100.152 URI ldap://192.168.100.151 ldap://192.168.100.152 BASE dc=hsf,dc=com SUDOERS_BASE ou=SUDOers,dc=hsf,dc=com pam_password md5 [root@localhost etc]# cat /etc/openldap/ldap.conf | grep -v '#' | grep -v '^$' TIMELIMIT 30 BIND_TIMELIMT 30 BASE dc=hsf,dc=com SUDOERS_BASE ou=SUDOers,dc=hsf,dc=com TLS_CACERT /etc/openldap/cacerts/cacert.pem
重启client sshd
基于openldap+openssh-lpk+sudo+tls用户验证管理完成.