內容簡介
在centos6系統中安裝配置openldap服務,通過migrationtools工具生成基於linux系統賬戶相關的ldap賬戶信息以及通過nfs共享方式在客戶端自動掛接ldap用戶的家目錄
環境準備
1,準備兩臺及以上centos6操作系統主機,一臺用於部署服務端其它用於部署客戶端接入ldap認證
2,關閉selinux
3,清空iptables規則
4,配置好yum源,推薦使用阿里雲yum源
ldap服務端安裝與配置
[root@ldap-server ~]# yum list | grep openldap [root@ldap-server ~]# yum install openldap openldap-clients openldap-servers openldap-devel -y
#openldap配置主目錄在/etc/openldap下,默認文件目錄如下
[root@ldap-server ~]# ll /etc/openldap/ total 28 drwxr-xr-x 2 root root 4096 Jan 10 11:07 certs -rw-r----- 1 root ldap 121 Nov 10 2015 check_password.conf -rw-r--r-- 1 root root 280 Nov 10 2015 ldap.conf drwxr-xr-x 2 root root 4096 Jan 10 11:07 schema drwx------ 2 ldap ldap 4096 Jan 10 11:10 slapd.d
#生成hash密碼稍後用於配置ldap管理員密碼,此處設置的密碼爲123456
[root@ldap-server ~]# slappasswd
New password:
Re-enter new password:
{SSHA}SpiJ+uf0d1j7bRm6XoLJo9EX3Gk5uzzH#拷貝服務端配置模版至/etc/openldap並配置,主要修改dc=my-domain,dc=com爲自己的域名以及配置rootpw用於後續導入系統帳號信息,如下圖所示
[root@ldap-server ~]# /bin/cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
參考與
#拷貝DB_SAMPLE模版文件文件至/var/lib/ldap
[root@ldap-server ~]# /bin/cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG [root@ldap-server ~]# chown ldap. /var/lib/ldap/ -R
#刪除默認的ldap配置信息並重新生成相關配置
[root@ldap-server ~]# rm -rf /etc/openldap/slapd.d/* [root@ldap-server ~]# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d config file testing succeeded [root@ldap-server ~]# chown ldap. /etc/openldap/ -R
至此服務配置已經完成,啓動ldap服務
[root@ldap-server ~]# service slapd start
Starting slapd: [ OK ]
[root@ldap-server ~]#
生成系統賬戶並導入ldap
創建/home/ldapuser爲ldap用戶家目錄的上級目錄
創建teacher及student組,gid分別爲2000和3000(根據實際情況而定) 生成user01-user10歸屬teacher組
生成user11-users0歸屬student組
[root@ldap-server ~]# mkdir -p /home/ldapuser
[root@ldap-server ~]# groupadd teacher -g 2000
[root@ldap-server ~]# groupadd student -g 3000
[root@ldap-server ~]# for i in {01..10};do useradd -g teacher -d /home/ldapuser/user$i user$i;done
[root@ldap-server ~]# for i in {11..20};do useradd -g student -d /home/ldapuser/user$i user$i;done
[root@ldap-server ~]# for i in {01..20};do echo user$i | passwd --stdin user$i;done提取上述用戶在/etc/passwd及/etc/group中的信息至臨時文件
[root@ldap-server ~]# mkdir /tmp/ldap
[root@ldap-server ~]# cat /etc/passwd | grep -E 'user[0-9]{2}' > /tmp/ldap/passwd
[root@ldap-server ~]# cat /etc/group | grep -E 'teacher|student' > /tmp/ldap/group
[root@ldap-server ~]# cat /tmp/ldap/passwd安裝migrationtools工具生成相應的ldap信息文件
[root@ldap-server ~]# yum install migrationtools -y
修改/usr/share/migrationtools/migrate_common.ph文件第71和74行信息爲自己對應的域名信息,如下圖所示
[root@ldap-server ~]#vim /usr/share/migrationtools/migrate_common.ph
注意:
根據自己的域名修改
通過migrate_bash.pl生成帳號基礎信息文件
通過migrate_passwd.pl和/tmp/ldap/passwd文件生成用戶信息文件
通過migrate_group.pl和/tmp/ldap/group文件生成用戶信息文件
[root@ldap-server ~]# /usr/share/migrationtools/migrate_base.pl > /tmp/ldap/base.ldif [root@ldap-server ~]# /usr/share/migrationtools/migrate_passwd.pl /tmp/ldap/passwd > /tmp/ldap/passwd.ldif [root@ldap-server ~]# /usr/share/migrationtools/migrate_group.pl /tmp/ldap/group > /tmp/ldap/group.ldif
通過ldapadd命令添加上述生成的信息,主要用過下述參數;其中
-D 參數即爲/etc/openldap/slapd.conf中定義的rootdn信息
-w password 中的password爲上述使用slappasswd命令時的明文密碼(能從命令行看見),不能與-W同時使用
-W 後不跟參數密碼在敲下命令後根據提示輸入(別人看不見),不能與-w同時使用
-x 使用不加密的協議與ldap服務端通信
-X 使用加密的協議與ldap服務端通信
-f 指定要添加的ldif文件路徑
[root@ldap-server ~]#ldapadd -D "cn=admin,dc=bj,dc=uplooking,dc=com" -W -x -f /tmp/ldap/base.ldif [root@ldap-server ~]#ldapadd -D "cn=admin,dc=bj,dc=uplooking,dc=com" -W -x -f /tmp/ldap/passwd.ldif [root@ldap-server ~]#ldapadd -D "cn=admin,dc=bj,dc=uplooking,dc=com" -W -x -f /tmp/ldap/group.ldif
注意:
如果有密碼可以這樣執行
ldapadd -D "cn=admin,dc=bj,dc=uplooking,dc=com" -w 123456 -f /tmp/ldap/group.ldif
通過ldapsearch查詢ldap中的用戶組信息
[root@ldap-server ~]#ldapsearch -b "dc=bj,dc=uplooking,dc=com" -x 或者 [root@ldap-server ~]# ldapsearch -b "ou=Group,dc=uplooking,dc=com" -x
安裝nfs設置ldap用戶家目錄爲共享
[root@ldap-server ~]# yum install nfs-utils -y [root@ldap-server ~]# cat /etc/exports /home/ldapuser *(rw,no_root_squash) [root@ldap-server ~]# service rpcbind start Starting rpcbind: [ OK ] [root@ldap-server ~]# service nfs start Starting NFS services: [ OK ] Starting NFS quotas: [ OK ] Starting NFS mountd: [ OK ] Starting NFS daemon: [ OK ] [root@ldap-server ~]# chkconfig nfs on [root@ldap-server ~]# chkconfig rpcbind on #配置防火牆 vi /etc/sysconfig/iptables -A INPUT –p tcp –m state --state NEW –m tcp --dport 111 –j ACCEPT -A INPUT –p udp –m state --state NEW –m udp --dport 111 –j ACCEPT -A INPUT –p tcp –m state --state NEW –m tcp --dport 662 –j ACCEPT -A INPUT –p udp –m state --state NEW –m udp --dport 662 –j ACCEPT -A INPUT –p tcp –m state --state NEW –m tcp --dport 892 –j ACCEPT -A INPUT –p udp –m state --state NEW –m udp --dport 892 –j ACCEPT -A INPUT –p tcp –m state --state NEW –m tcp --dport 2049 –j ACCEPT -A INPUT –p udp –m state --state NEW –m udp --dport 2049 –j ACCEPT -A INPUT –p tcp –m state --state NEW –m tcp --dport 32803 –j ACCEPT -A INPUT –p udp –m state --state NEW –m udp --dport 32769 –j ACCEPT
ldap客戶端安裝與配置
安裝openldap客戶端軟件包並配置/etc/openldap/ldap.conf
[root@ldap-client ~]# yum install openldap-clients nss-pam-ldapd pam_ldap -y [root@ldap-client ~]# vim /etc/openldap/ldap.conf # # LDAP Defaults # # See ldap.conf(5) for details # This file should be world readable but not world writable. #BASE dc=example,dc=com #URI ldap://ldap.example.com ldap://ldap-master.example.com:666 BASE dc=uplooking,dc=com URI ldap://192.168.92.130 #此處爲ldap服務端ip #SIZELIMIT 12 #TIMELIMIT 15 #DEREF never TLS_CACERTDIR /etc/openldap/certs
#測試搜索ldap中的用戶組信息
[root@ldap-client ~]# ldapsearch -h 192.168.30.192 -x -b "ou=Group,dc=uplooking,dc=com"
配置客戶端啓動ldap驗證
配置/etc/sysconfig/authconfig
[root@ldap-client ~]# sed -i '/USESYSNETAUTH/s/no/yes/' /etc/sysconfig/authconfig [root@ldap-client ~]# sed -i '/USELDAPAUTH/s/no/yes/' /etc/sysconfig/authconfig [root@ldap-client ~]# sed -i '/USEMKHOMEDIR/s/no/yes/' /etc/sysconfig/authconfig [root@ldap-client ~]# sed -i '/PASSWDALGORITHM/s/md5/yes/' /etc/sysconfig/authconfig [root@ldap-client ~]# sed -i '/USELDAP/s/no/yes/' /etc/sysconfig/authconfig
配置/etc/nsswitch.conf,如下圖所示
配置pam新增ldap認證
[root@ldap-client ~]# vim /etc/pam.d/system-auth #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth sufficient pam_fprintd.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth sufficient pam_ldap.so auth required pam_deny.so account required pam_unix.so account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account [default=bad success=ok user_unknown=ignore] pam_ldap.so account required pam_permit.so password requisite pam_cracklib.so try_first_pass retry=3 type= password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok password sufficient pam_ldap.so use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session required pam_mkhomedir.so skel=/etc/skel/ umask=0077 session optional pam_ldap.so
使用autoconfig命令配置nscd服務,注意替換命令中的ldapserver的IP及basedb信息
[root@ldap-client ~]# authconfig --enableldap --enableldapauth --ldapserver=192.168.92.130 --ldapbasedn="dc=uplooking,dc=com" --enablemkhomedir --update Starting nslcd: [ OK ] [root@ldap-client ~]#service nslcd start
或者
#在字符界面下執行 [root@ldap-client ~]#authconfig-tui 1,步
2,
3,啓動服務
[root@ldap-client ~]#service nslcd start
檢查:
authconfig-tui會修改很多配置文件,先來檢查下
[root@ldap-cliet ~]# grep -v "#" /etc/nslcd.conf |grep -v "^$"
[root@ldap-cliet ~]# grep -v "#" /etc/nslcd.conf |grep -v "^$"
[root@ldap-cliet ~]# grep -v "#" /etc/pam_ldap.conf |grep -v "^$"
[root@ldap-cliet ~]# grep -v "#" /etc/nsswitch.conf |grep -v "^$"
[root@ldap-cliet ~]# grep "USELDAP" /etc/sysconfig/authconfig
安裝autofs掛載ldapserver端的用戶目錄;按圖示操作添加相關配置
[root@ldap-client ~]# yum install autofs -y [root@ldap-client ~]# vim /etc/auto.master # # Sample auto.master file # This is a 'master' automounter map and it has the following format: # mount-point [map-type[,format]:]map [options] # For details of the format look at auto.master(5). # /misc /etc/auto.misc /home/ldapuser /etc/auto.ldapuser # # NOTE: mounts done from a hosts map will be mounted with the # "nosuid" and "nodev" options unless the "suid" and "dev" # options are explicitly given. # /net -hosts # # Include central master map if it can be found using # nsswitch sources. # # Note that if there are entries for /net or /misc (as # above) in the included master map any keys that are the # same will not be seen as the first read key seen takes # precedence. # +auto.master
[root@ldap-client ~]# vim /etc/auto.ldapuser * -rw,soft,intr 192.168.92.130:/home/ldapuser/& [root@ldap-client ~]# service autofs start Loading autofs4: [ OK ] Starting automount: [ OK ] [root@ldap-client ~]# ls /home/ldapuser/ [root@ldap-client ~]# cd /home/ldapuser/user01 [root@ldap-client user01]# pwd /home/ldapuser/user01 [root@ldap-client ~]#
測試使用ldapuser登錄
