ldap快速搭建步骤版

步骤版:

==================================服务器的设置=======================================
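# --- Server side: install OpenLDAP and convert the legacy slapd.conf to slapd.d ---
yum install -y openldap openldap-servers openldap-clients openldap-devel
cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf \
  && cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
# Rename suffix/rootdn to dc=youyuan,dc=com and uncomment rootpw.
# NOTE(review): this writes the rootpw in cleartext; slapd also accepts the hash printed
# by `slappasswd -s <password>` (an {SSHA} value) in its place, which is preferable on a
# host where slapd.conf is readable by more than root.
sed -ri 's/(suffix.*)"dc=my-domain,dc=com"/\1"dc=youyuan,dc=com"/g' /etc/openldap/slapd.conf \
  && sed -ri 's/(rootdn.*)"cn=Manager,dc=my-domain,dc=com"/\1"cn=admin,dc=youyuan,dc=com"/g' /etc/openldap/slapd.conf \
  && sed -ri 's/# (rootpw.*)secret/\112345678/g' /etc/openldap/slapd.conf

# Route the local4 syslog facility (used here for slapd) to its own log file.
sed -i '/local7.*/a\#by openldap\nlocal4.*          /var/log/ldap.log' /etc/rsyslog.conf && service rsyslog restart

# Generate the cn=config tree from slapd.conf. The steps are chained with && so a
# failed slaptest does not restart slapd over an emptied slapd.d.
service slapd start && rm -rf /etc/openldap/slapd.d/* && slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d && chown -R ldap:ldap /etc/openldap/slapd.d/* && service slapd restart

# Build the base/passwd/group LDIFs from the local files. ";;" is only valid inside a
# case statement and is a syntax error between commands; chain the exports with && instead.
yum -y install migrationtools && sed -i 's/padl/youyuan/g' /usr/share/migrationtools/migrate_common.ph
/usr/share/migrationtools/migrate_base.pl >/tmp/base.ldif \
  && /usr/share/migrationtools/migrate_passwd.pl /etc/passwd >/tmp/passwd.ldif \
  && /usr/share/migrationtools/migrate_group.pl /etc/group >/tmp/group.ldif

# NOTE(review): -w puts the admin password on the command line, where it shows up in
# shell history and in ps output; ldapadd's -W (prompt) or -y <passwordfile> avoid that.
ldapadd -x -D "cn=admin,dc=youyuan,dc=com" -w 12345678 -f /tmp/base.ldif
ldapadd -x -D "cn=admin,dc=youyuan,dc=com" -w 12345678 -f /tmp/passwd.ldif
ldapadd -x -D "cn=admin,dc=youyuan,dc=com" -w 12345678 -f /tmp/group.ldif
service slapd restart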

=====================start设置sudoer==============
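# --- sudoers in LDAP: load the sudo schema and the initial sudoRole entries ---
# slapd.conf needs a space between the keyword and the path; "include/etc/..." is not
# a recognised directive and slaptest fails on it.
cp /usr/share/doc/sudo-1.8.6p3/schema.OpenLDAP /etc/openldap/schema/sudo.schema \
  && echo "include /etc/openldap/schema/sudo.schema" >> /etc/openldap/slapd.conf
# Regenerate slapd.d from slapd.conf; chained with && so a failed slaptest does not
# restart slapd over an emptied slapd.d.
rm -rf /etc/openldap/slapd.d/* && slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d && chown -R ldap:ldap /etc/openldap/slapd.d/* && service slapd restart

# Write (not append) the LDIF so a re-run does not duplicate the DNs, which would make
# ldapadd fail on the second copy. The quoted delimiter keeps the LDIF text literal.
# NOTE(review): cn=wangyl grants sudoCommand ALL on sudoHost ALL with !authenticate,
# i.e. passwordless root on every client that consults this sudoers_base — review that
# against the intended policy before loading it.
cat >/www/sudo.ldif <<'eof'
dn: ou=Sudoers,dc=youyuan,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Sudoers

dn: cn=defaults,ou=Sudoers,dc=youyuan,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset
sudoOption: requiretty

dn: cn=wangyl,ou=Sudoers,dc=youyuan,dc=com
objectClass: top
objectClass: sudoRole
cn: wangyl
sudoCommand: ALL
sudoHost: ALL
sudoOption: !authenticate
sudoRunAsUser: ALL
sudoUser: wangyl
eof
# NOTE(review): -w exposes the admin password in history/ps; -W or -y <passwordfile> avoid that.
ldapadd -x -D "cn=admin,dc=youyuan,dc=com" -w 12345678 -f /www/sudo.ldif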
=====================end设置sudoer==============

安装jumpserver
数据库配置:
create database jumpserver charset='utf8';
grant all on jumpserver.* to 'jumpserver'@'192.168.%' identified by 'youyuanops';
server配置:
192.168.3.146 [/var/lib/ldap] 2014-12-22 12:06:42
root@pts/0 # yum -y install xz gcc automake autoconf
192.168.3.146 [~] 2014-12-22 13:04:23
root@pts/0 # tar -xvf Python-2.7.6.tar.xz
192.168.3.146 [~] 2014-12-22 13:04:23
root@pts/0 # cd Python-2.7.6
192.168.3.146 [~/Python-2.7.6] 2014-12-22 13:05:06
root@pts/0 # ./configure && make && make install
root@pts/0 # mv /usr/bin/python /usr/bin/python.bak
root@pts/0 # ln -s /usr/local/bin/python /usr/bin/python
root@pts/0 # yum search setuptools

root@pts/0 # yum install python-setuptools.noarch
root@pts/0 # yum install python-pip.noarch
192.168.3.146 [/opt/jumpserver/scripts] 2014-12-22 13:15:34
root@pts/0 # wget --no-check-certificate https://bootstrap.pypa.io/ez_setup.py -O - | python
root@pts/0 # wget --no-check-certificate https://pypi.python.org/packages/source/p/pip/pip-1.5.6.tar.gz#md5=01026f87978932060cc86c1dc527903e
root@pts/0 # tar -zxvf pip-1.5.6.tar.gz
root@pts/0 # cd pip-1.5.6
root@pts/0 # python setup.py install
root@pts/0 # cd /opt/jumpserver/scripts
root@pts/0 # pip2.7 install -r requirements.txt -i http://pypi.douban.com/simple
192.168.3.146 [/opt/jumpserver/scripts] 2014-12-22 13:21:08
root@pts/0 # cat requirements.txt
pexpect==3.3
sphinx-me==0.3
django==1.7.1
python-ldap==2.4.18
paramiko==1.15.1
pycrypto==2.6.1
ecdsa>=0.11
MySQL-python==1.2.5
192.168.3.146 [/opt/jumpserver/scripts] 2014-12-22 13:21:20
root@pts/0 #
192.168.3.146 [/opt/jumpserver/scripts] 2014-12-22 13:22:03
root@pts/0 # pip2.7 list
Django (1.7.1)
ecdsa (0.11)
MySQL-python (1.2.5)
paramiko (1.15.1)
pexpect (3.3)
pip (1.5.6)
pycrypto (2.6.1)
python-ldap (2.4.18)
setuptools (8.2.1)
sphinx-me (0.3)
wsgiref (0.1.2)
192.168.3.146 [/opt/jumpserver/scripts] 2014-12-22 13:22:07
root@pts/0 #
配置文件:
192.168.3.146 [/opt/jumpserver] 2014-12-22 13:24:34
root@pts/0 # cat jumpserver.conf
#coding:utf-8
[db]
host = 192.168.3.40
port = 3306
user = jumpserver
password = youyuanops
db = jumpserver
[jumpserver]
key = 88aaaf7ffe3c6c04
ldap_host = ldap://127.0.0.1:389
ldap_base_dn = dc=youyuan,dc=com
admin_cn = cn=admin,dc=youyuan,dc=com
admin_pass = VNLqNCjpNBIetEoCA2h3
web_socket_host = 172.10.10.9:3000
192.168.3.146 [/opt/jumpserver] 2014-12-22 13:24:38
root@pts/0 #
最后变为:
192.168.3.146 [~] 2014-12-22 13:49:12
root@pts/4 # cat /opt/jumpserver/jumpserver.conf
#coding:utf-8
[db]
host = 192.168.3.40
port = 3306
user = jumpserver
password = youyuanops
db = jumpserver
[jumpserver]
key = 88aaaf7ffe3c6c04
ldap_host = ldap://127.0.0.1:389
ldap_base_dn = dc=youyuan,dc=com
admin_cn = cn=admin,dc=youyuan,dc=com
admin_pass = 12345678(不改会报错的)
web_socket_host = 172.10.10.9:3000
192.168.3.146 [~] 2014-12-22 13:49:15
root@pts/4 #
修改logs目录权限
root@pts/0 # chmod 777 logs
django sync db 到数据库
192.168.3.146 [/opt/jumpserver/webroot/AutoSa] 2014-12-22 13:27:29
root@pts/0 # python manage.py syncdb
Operations to perform:
Synchronize unmigrated apps: Assets, UserManage
Apply all migrations: admin, contenttypes, auth, sessions
Synchronizing apps without migrations:
Creating tables...
Creating table UserManage_group
Creating table UserManage_user_group
Creating table UserManage_user
Creating table UserManage_logs
Creating table UserManage_pid
Creating table Assets_idc
Creating table Assets_assets
Creating table Assets_assetsuser
Installing custom SQL...
Installing indexes...
Running migrations:
Applying contenttypes.0001_initial... OK
Applying auth.0001_initial... OK
Applying admin.0001_initial... OK
Applying sessions.0001_initial... OK
You have installed Django's auth system, and don't have any
superusers defined.
Would you like to create one now? (yes/no): no
192.168.3.146 [/opt/jumpserver/webroot/AutoSa] 2014-12-22 13:27:50
root@pts/0 #
运行两个窗口:
192.168.3.146 [/opt/jumpserver/webroot/AutoSa] 2014-12-22 13:28:44
root@pts/0 # python manage.py runserver 0.0.0.0:81
Performing system checks...
System check identified no issues (0 silenced).
December 22, 2014 - 13:28:59
Django version 1.7.1, using settings 'AutoSa.settings'
Starting development server at http://0.0.0.0:81/
Quit the server with CONTROL-C.
root@pts/1 # cd /opt/jumpserver/webroot/AutoSa/
192.168.3.146 [/opt/jumpserver/webroot/AutoSa] 2014-12-22 13:29:51
root@pts/1 # ls
Assets AutoSa __init__.py log_handler.py manage.py static templates UserManage websocket
192.168.3.146 [/opt/jumpserver/webroot/AutoSa] 2014-12-22 13:29:52
root@pts/1 # pwd
/opt/jumpserver/webroot/AutoSa
192.168.3.146 [/opt/jumpserver/webroot/AutoSa] 2014-12-22 13:29:53
root@pts/1 # python log_handler.py
打开:
http://192.168.3.146:81/install/
成功:安装成功
用户名及密码:
http://192.168.3.146:81
admin
admin
安装Nodejs,功能实时刷新
root@pts/2 # wget http://nodejs.org/dist/v0.10.34/node-v0.10.34.tar.gz
root@pts/2 # tar -zxvf node-v0.10.34.tar.gz
192.168.3.146 [~/node-v0.10.34] 2014-12-22 14:12:30
root@pts/0 # cd node-v0.10.34/;./configure --prefix=/opt/node/ && make && make install
相关配置
192.168.3.146 [/opt/node/bin] 2014-12-22 14:13:46
root@pts/0 # touch /etc/profile.d/node.sh
192.168.3.146 [/opt/node/bin] 2014-12-22 14:16:16
root@pts/0 # vim /etc/profile.d/node.sh
192.168.3.146 [/opt/node/bin] 2014-12-22 14:16:36
root@pts/0 # vim /etc/profile.d/node.sh
192.168.3.146 [/opt/node/bin] 2014-12-22 14:16:39
root@pts/0 # source /etc/profile.d/node.sh
192.168.3.146 [/opt/node/bin] 2014-12-22 14:16:47
root@pts/0 #
root@pts/0 # cat /etc/profile.d/node.sh
export PATH=$PATH:/opt/node/bin
192.168.3.146 [/opt/node/bin] 2014-12-22 14:17:23
root@pts/0 #
安装项目依赖module,或使用下载好的
192.168.3.146 [/opt/jumpserver/webroot/AutoSa/websocket] 2014-12-22 14:18:25
root@pts/0 # pwd
/opt/jumpserver/webroot/AutoSa/websocket
192.168.3.146 [/opt/jumpserver/webroot/AutoSa/websocket] 2014-12-22 14:18:27
root@pts/0 # ll
总用量 8
-rw-r--r-- 1 root root 2832 12月 22 07:40 index.js
-rw-r--r-- 1 root root 219 12月 22 07:40 package.json
192.168.3.146 [/opt/jumpserver/webroot/AutoSa/websocket] 2014-12-22 14:18:28
root@pts/0 # cat package.json
{
"name": "web-socket",
"version": "0.0.1",
"description": "my first realtime server",
"dependencies": {
"express": "~4.10.1",
"socket.io": "~1.2.0",
"node-tail": "0.0.4",
"tail": "~0.4.0"
}}
192.168.3.146 [/opt/jumpserver/webroot/AutoSa/websocket] 2014-12-22 14:18:33
root@pts/0 # npm install
192.168.3.146 [/opt/jumpserver/webroot/AutoSa/websocket] 2014-12-22 14:19:17
测试启动websocket
root@pts/0 # node index.js
listening on *:3000
让用户登录jumpserver自动运行系统
# cd /opt/jumpserver/scripts
# vim jumpserver.sh
...
if [ $USER == 'guanghongwei' ];then # 修改特殊用户,结束后不退出
...
# cp jumpserver.sh /etc/profile.d/
正常运行jumpserver系统
# cd /opt/jumpserver/
# ./runserver
说明:如果想结束系统
# ./stopserver
脚本:
192.168.3.146 [/opt/jumpserver] 2014-12-22 14:23:36
root@pts/1 # cat runserver
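#!/bin/bash
# Start the jumpserver components in the background. Run as ./runserver from
# /opt/jumpserver: every path below, including logs/, is relative to the cwd.
#   node websocket server -> ./webroot/AutoSa/websocket/index.js
#   Django dev server     -> ./webroot/AutoSa/manage.py runserver 0.0.0.0:80  (logs/access.log)
#   log handler           -> ./webroot/AutoSa/log_handler.py                  (logs/handler.log)
# Exits 1 when node is not on PATH or the two Python entry points are missing or not
# executable; nothing is started in that case.
manage_file="./webroot/AutoSa/manage.py"
log_handler_file="./webroot/AutoSa/log_handler.py"
websocket_file="./webroot/AutoSa/websocket/index.js"

# command -v is the portable PATH check. A bare "exit" returned 0 here, so a caller
# could not tell that nothing was started; exit non-zero instead.
if ! command -v node >/dev/null 2>&1; then
  echo "Please define the node.js binary file 'node' in the PATH." >&2
  exit 1
fi

# Both Python files are executed directly, so they need the exec bit as well as
# existing (-x covers what the message promises). Checked before node is launched so a
# failed start does not leave an orphaned websocket server behind.
if [[ ! -f "$manage_file" || ! -x "$manage_file" || ! -f "$log_handler_file" || ! -x "$log_handler_file" ]]; then
  echo "manage.py or log_handler.py isn't exist or executable." >&2
  exit 1
fi

mkdir -p logs

node "$websocket_file" &
# NOTE(review): the Django development server is bound on every interface (0.0.0.0:80);
# it is a development server, not a hardened front end.
"$manage_file" runserver 0.0.0.0:80 &> logs/access.log &
"$log_handler_file" &> logs/handler.log &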
192.168.3.146 [/opt/jumpserver] 2014-12-22 14:23:38
stopserver
root@pts/1 # cat stopserver
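#!/bin/bash
# Stop the components started by ./runserver: send SIGTERM to every process whose
# command line mentions manage.py, log_handler or index.js.
# NOTE(review): the match is by command line, not by the PIDs runserver started, so any
# other process on the host with one of these names in its argv (another Django project,
# another node app) is terminated too; on a shared host, have runserver record its PIDs
# and signal those instead.
# pgrep -f searches the full command line and never reports itself, which replaces the
# ps | grep | grep -v grep pipeline; the dots are escaped so they match literally.
mapfile -t pids < <(pgrep -f 'manage\.py|log_handler|index\.js')
for pid in "${pids[@]}"; do
  kill -15 "$pid"
done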
192.168.3.146 [/opt/jumpserver] 2014-12-22 14:23:41
root@pts/1 #
WEB具体操作:
http://laoguang.blog.51cto.com/6013350/1576502


===========================客户端部分============================================

安装LDAP客户端及完成客户端设置。
# --- Client side: LDAP-backed login with auto-created home directories ---
yum install -y openldap openldap-clients
# NOTE(review): authconfig --update rewrites the system-auth stack, so a line appended
# here may not survive the next step; --enablemkhomedir below asks authconfig for the
# same module. Confirm with `grep mkhomedir /etc/pam.d/system-auth` after authconfig runs.
printf '%s\n' 'session required pam_mkhomedir.so skel=/etc/skel umask=0077' >> /etc/pam.d/system-auth
# NOTE(review): ldap:// without TLS sends bind credentials (user passwords at login) in
# the clear; authconfig's --enableldaptls turns TLS on once the server has a certificate.
authconfig --enableldap --enableldapauth --enablemkhomedir --ldapserver=192.168.3.65 --ldapbasedn="dc=youyuan,dc=com" --update

从jumpserver连接testuser测试
ssh [email protected]  如果连接成功则继续

客户端sudoer设置
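# Point sudo's LDAP lookup at the directory and add ldap as a sudoers source.
# printf replaces "echo -e": the -e flag is not portable (dash prints it literally).
printf 'uri ldap://192.168.3.65\nSudoers_base ou=Sudoers,dc=youyuan,dc=com\n' > /etc/sudo-ldap.conf
# NOTE(review): a plain ldap:// URI means sudoers lookups travel unencrypted; the same
# file accepts an ldaps:// URI and a tls_cacertfile entry once the server offers TLS.
echo "Sudoers: files ldap" >> /etc/nsswitch.conf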

检查
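# Show the effective (non-comment, non-empty) lines of sudo-ldap.conf and the sudoers
# entry in nsswitch.conf. egrep is the deprecated spelling of grep -E.
grep -Ev '(^#|^$)' /etc/sudo-ldap.conf
grep -i sudo /etc/nsswitch.conf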
测试sudo
# ssh [email protected]
# sudo su  如果不提示输入密码,则成功。


==============================遇到的问题==================================
root@pts/0 # yum search setuptools
There was a problem importing one of the Python modules
required to run yum. The error leading to this problem was:

   No module named yum

Please install a package which provides this module, or
verify that the module is installed correctly.

It's possible that the above module doesn't match the
current version of Python, which is:
2.7.6 (default, Dec 26 2014, 14:06:44) 
[GCC 4.4.7 20120313 (Red Hat 4.4.7-11)]

If you cannot solve this problem yourself, please go to 
the yum faq at:
  http://yum.baseurl.org/wiki/Faq
  

192.168.3.65 [~] 2014-12-26 14:22:21
解决:
python升级完yum不可用:
cat /usr/bin/yum
#!/usr/bin/python2.6

==============
root@pts/0 # vim jumpserver.conf 

#coding:utf-8

[db]
host = 127.0.0.1
port = 3306
user = root
password = redhat
db = jumpserver

[jumpserver]
key = 88aaaf7ffe3c6c04
ldap_host = ldap://127.0.0.1:389
ldap_base_dn = dc=yolu,dc=com
admin_cn = cn=admin,dc=yolu,dc=com
admin_pass = VNLqNCjpNBIetEoCA2h3
web_socket_host = 172.10.10.9:3000

===================

python manage.py syncdb

问题;
ImportError: libmysqlclient.so.18: cannot open shared object file: No such file or directory
解决:
ln -s /usr/local/mysql/lib/libmysqlclient.so.18 /usr/lib64/libmysqlclient.so.18

问题:
django.db.utils.OperationalError: (1045, "Access denied for user 'jumpserver'@'192.168.3.65' (using password: YES)")
解决:
mysql -uroot -p12345678 -h127.1
GRANT ALL ON *.* TO 'jumpserver'@'192.168.%';set password for 'jumpserver'@'192.168.%' = PASSWORD('youyuanops');GRANT ALL ON *.* TO 'jumpserver'@'localhost';set password for 'jumpserver'@'localhost' = PASSWORD('youyuanops');

flush privileges;

