openldap配置以及与ssh集成
####################################################################################################
Red Hat Enterprise Linux Server release 6.0
####################################################################################################
1.安装rpm包: openldap, openldap-clients, openldap-servers;
1.安装rpm包: openldap, openldap-clients, openldap-servers;
[root@localhost Desktop]# rpm -qa |grep openldap openldap-clients-2.4.19-15.el6.i686 openldap-devel-2.4.19-15.el6.i686 openldap-servers-2.4.19-15.el6.i686 openldap-2.4.19-15.el6.i686
2.删除slapd.d目录:rm -rf slapd.d/
3.拷贝配置文件:cp slapd.conf.bak slapd.conf ,修改权限:chmod 644 slapd.conf
4.通过ldappasswd创建密码,并粘贴到编辑配置文件slapd.conf
database bdb
suffix "dc=example,dc=com"
checkpoint 1024 15
rootdn "cn=Manager,dc=example,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# rootpw {crypt}ijFYNcSNctBYg
rootpw {SSHA}4Y08KJDfylBY2PEgG7nhbJm2ccUt17sA
5.拷贝数据库配置文件: cp /usr/share/doc/ openldap-servers-2.4.19/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
修改数据库文件owner: chown -R ldap:ldap /var/lib/ldap/
6.进入/var/lib/ldap/并创建文件example.ldif
dn:dc=example,dc=com objectclass:dcObject objectclass:organization o:Example Company dc:example
dn:cn=Manager, dc=example,dc=com objectclass:organizationalRole cn:Manager
7.将以上条目添加到ldap数据库中:ldapadd -x -D 'cn=Manager,dc=example,dc=com' -W -f example.ldif
8.验证数据是否正确添加: ldapsearch -x -b 'dc=example,dc=com'
[root@localhost ldap]# ldapsearch -x -b 'dc=example,dc=com' # extended LDIF # # LDAPv3 # base <dc=example,dc=com> with scope subtree # filter: (objectclass=*) # requesting: ALL #
# example.com dn: dc=example,dc=com objectClass: dcObject objectClass: organization o: Example Company dc: example
# Manager, example.com dn: cn=Manager,dc=example,dc=com objectClass: organizationalRole cn: Manager
# search result search: 2 result: 0 Success
# numResponses: 3
# numEntries: 2
ssh集成ldap认证
1.开启ldap认证:运行命令authconfig-tui并选中以下选项
[*] Use LDAP [*] Use LDAP Authentication
2.修改/etc/ssh/sshd_config以下项目,使ssh通过pam认证账户
UsePAM yes
3.查看/etc/pam.d/sshd文件,以确认调用的pam认证文件(本例为password_auth)
[root@localhost pam.d]# cat sshd #%PAM-1.0 auth required pam_sepermit.so auth include password-auth account required pam_nologin.so account include password-auth password include password-auth # pam_selinux.so close should be the first session rule session required pam_selinux.so close session required pam_loginuid.so # pam_selinux.so open should only be followed by sessions to be executed in the user context session required pam_selinux.so open env_params session optional pam_keyinit.so force revoke session include password-auth session required pam_mkhomedir.so # 加入此行后,在通过ssh首次登陆服务器时将创建home目录
4.修改/etc/pam.d/password-auth文件
[root@localhost pam.d]# cat password-auth #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth sufficient pam_ldap.so use_first_pass # 加入此行 auth required pam_deny.so
account required pam_unix.so account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account sufficient pam_ldap.so # 加入此行 account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type= password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok password sufficient pam_ldap.so use_authtok # 加入此行 password required pam_deny.so
session optional pam_keyinit.so revoke session required pam_limits.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_ldap.so # 加入此行