1. 向dns服務器(192.168.89.128,與ldap服務器是同一臺)中添加解析:
# ktz.com -> 192.168.89.128
# Edit BIND's main configuration on the DNS server (as root) and add the
# zone stanza shown below.
vim /etc/named.conf
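// Authoritative ("master") zone for ktz.com.  "file" is relative to BIND's
// working directory, which is why the zone file is created under /var/named.
zone "ktz.com" IN {
    type master;
    file "ktz.com.zone";
    // Hardening: BIND has historically allowed zone transfers (AXFR) from
    // any host by default, which hands out the whole internal host list.
    // This lab has a single DNS server and no secondaries, so refuse them.
    allow-transfer { none; };
};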
# Create the zone file referenced by the "file" directive in named.conf;
# /var/named is BIND's working directory on CentOS/RHEL, so the relative
# name "ktz.com.zone" resolves to this path.
vim /var/named/ktz.com.zone
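$TTL 1D
; "@" is the zone apex, ktz.com (from the zone statement in named.conf).
; SOA fields: primary nameserver (MNAME), then the responsible mailbox
; (RNAME, written with "." in place of "@"), then the timers.  The original
; RNAME "ktz.com." decodes as the mailbox ktz@com; hostmaster@ktz.com is the
; conventional value.
@       IN  SOA  @ hostmaster.ktz.com. (
                 0      ; serial - bump it on every edit (YYYYMMDDnn is customary)
                 1D     ; refresh
                 1H     ; retry
                 1W     ; expire
                 3H )   ; minimum / negative-caching TTL
; The apex is its own nameserver, so it needs the A record below.
@       IN  NS   @
@       IN  A    192.168.89.128
www     IN  A    192.168.89.128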
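# Validate the config and the zone before restarting: the LDAP server lives
# on this same host and the client URIs use the name ktz.com, so a typo that
# stops named also breaks LDAP logins.
named-checkconf /etc/named.conf \
  && named-checkzone ktz.com /var/named/ktz.com.zone \
  && systemctl restart named
# Make sure the resolver comes back after a reboot.
systemctl enable named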
2. 修改客戶端的 DNS 設定，並（僅限實驗環境）關閉客戶端的防火牆與 SELinux。生產環境不應整體停用：firewalld 預設不阻擋出站連線，客戶端其實不必關閉防火牆，只需確認 LDAP 服務器端放行了 389/636（LDAP/LDAPS）與 53（DNS）；SELinux 可維持 enforcing，改為啟用相關布林值（例如 `setsebool -P authlogin_nsswitch_use_ldap 1`，名稱可用 `getsebool -a | grep -i ldap` 確認）。本頁並未列出關閉防火牆的命令。
# Point the client at the DNS server from step 1 so that ktz.com, used in
# the LDAP URIs below, resolves.  NOTE(review): on CentOS 7 NetworkManager
# is expected to rewrite /etc/resolv.conf unless DNS is set on the
# connection profile (nmcli) instead -- confirm the edit survives a restart.
vim /etc/resolv.conf
# The DNS server from step 1 (same host as the LDAP server).
nameserver 192.168.89.128
# Lab shortcut: SELinux is switched off only to keep the walkthrough short.
# nslcd runs under enforcing mode once the LDAP-related booleans are
# enabled (list them with `getsebool -a | grep -i ldap`).
vim /etc/selinux/config
# Lab shortcut.  "disabled" removes SELinux entirely and only takes effect
# after a reboot.  To rule SELinux out while debugging, "permissive" (log
# only; `setenforce 0` gives the same at runtime) is enough; in production
# keep "enforcing" and set the LDAP booleans instead, e.g.
#   setsebool -P authlogin_nsswitch_use_ldap 1   # confirm name: getsebool -a | grep -i ldap
SELINUX=disabled
3. 安裝客戶端軟件
# nss-pam-ldapd: the nslcd daemon plus the NSS and PAM (pam_ldap.so) modules
# that talk to it.  openldap-clients: ldapsearch/ldapwhoami for testing the
# bind from the client.  NOTE(review): on this distribution pam_ldap.so is
# expected to come from nss-pam-ldapd and read /etc/nslcd.conf rather than
# /etc/pam_ldap.conf (edited in step 6); confirm with
#   rpm -qf /usr/lib64/security/pam_ldap.so
yum install -y nss-pam-ldapd openldap-clients
4. 配置openLDAP-client
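# Keep a pristine copy of nsswitch.conf.  Do not overwrite an existing backup:
# re-running this step would otherwise replace it with the already-modified file.
[ -e /etc/nsswitch.conf.old ] || cp -p /etc/nsswitch.conf /etc/nsswitch.conf.old
# Make NSS consult the OpenLDAP server for users, shadow entries and groups.
# "ldap" is appended only when the line does not already carry it, so the
# step is idempotent instead of accumulating "files ldap ldap ..." on re-runs.
for db in passwd shadow group; do
  grep -Eq "^${db}:.*[[:space:]]ldap([[:space:]]|$)" /etc/nsswitch.conf \
    || sed -i -E "/^${db}:/s/$/ ldap/" /etc/nsswitch.conf
done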
# Configure the OpenLDAP client library (used by ldapsearch and friends).
cp /etc/openldap/ldap.conf /etc/openldap/ldap.conf.old
vim /etc/openldap/ldap.conf
# Comment out the existing "host" and "BASE" entries higher up in the file
# and append the settings below at the end.
# NOTE(review): every other step on this page uses 192.168.89.128 for the
# LDAP/DNS host; confirm 192.168.85.129 is intentional and not a typo.
# "host" is a deprecated keyword in /etc/openldap/ldap.conf; "URI" below is
# what current libldap honours.
host 192.168.85.129
BASE dc=ktz,dc=com
# SECURITY: plain ldap:// with "ssl off" sends every simple bind -- i.e. each
# user's password at login -- in clear text on the wire.  Outside a
# throw-away lab use ldaps://ktz.com (or STARTTLS) together with
#   TLS_CACERT /path/to/ca.pem
#   TLS_REQCERT demand
# so the server is authenticated as well.  Listing ktz.com twice (default
# port and :389) is redundant; both entries name the same endpoint.
URI ldap://ktz.com ldap://ktz.com:389
# NOTE(review): "ssl" is a pam_ldap/nss_ldap keyword, not an OpenLDAP
# ldap.conf one; libldap is expected to ignore it here -- verify.
ssl off
5. 啓用LDAP身份驗證機制
cp /etc/sysconfig/authconfig /etc/sysconfig/authconfig.old
# NOTE(review): /etc/sysconfig/authconfig only stores authconfig's saved
# settings; editing it by hand is expected to change nothing until
# `authconfig --updateall` regenerates /etc/pam.d/system-auth,
# /etc/pam.d/password-auth, /etc/nslcd.conf etc. from it.  The equivalent
# one-liner, which also writes those files, is:
#   authconfig --enableldap --enableldapauth --ldapserver=ldap://ktz.com \
#              --ldapbasedn="dc=ktz,dc=com" --enablemkhomedir --update
vim /etc/sysconfig/authconfig
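# Saved authconfig settings (read back by `authconfig --update`).  Only the
# LDAP switches (USELDAP / USELDAPAUTH), USEMKHOMEDIR and USESSSD=no matter
# for this page; the other keys are left as found.
IPADOMAINJOINED=no
# Was "no", which contradicts step 7: that PAM stack relies on pam_mkhomedir
# to create LDAP users' home directories, and authconfig is expected to
# drop the module again on its next run while this is "no".
USEMKHOMEDIR=yes
USEPAMACCESS=no
CACHECREDENTIALS=yes
# nslcd/pam_ldap is used directly; sssd is intentionally not in the path.
USESSSDAUTH=no
USESHADOW=yes
USEWINBIND=no
USEDB=no
USEFPRINTD=yes
FORCESMARTCARD=no
PASSWDALGORITHM=sha512
# Authenticate (bind) against LDAP for accounts not found locally.
USELDAPAUTH=yes
USEPASSWDQC=no
IPAV2NONTP=no
USELOCAUTHORIZE=yes
USECRACKLIB=yes
USEIPAV2=no
USEWINBINDAUTH=no
USESMARTCARD=no
# Resolve users/groups (NSS) from LDAP.
USELDAP=yes
USENIS=no
USEKERBEROS=no
USESYSNETAUTH=no
USESSSD=no
USEHESIOD=no
USEMD5=yes
FORCELEGACY=no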
6. pam 認證
cp /etc/pam_ldap.conf /etc/pam_ldap.conf.old
vim /etc/pam_ldap.conf
# Comment out the existing "host" and "base" entries higher up in the file
# and append the settings below at the end.
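# Legacy pam_ldap/nss_ldap client settings.  Keywords take the form
# "name value" (space separated, as "base" and "uri" below already do); the
# original "host=192.168.89.128" is not that form, so only "uri" located
# the server.
host 192.168.89.128
base dc=ktz,dc=com
# SECURITY: a plain ldap:// URI means pam_ldap's simple bind carries the
# user's password unencrypted.  Outside a lab prefer "uri ldaps://ktz.com",
# or "ssl start_tls" with "tls_cacertfile <ca.pem>" and "tls_checkpeer yes".
uri ldap://ktz.com
# NOTE(review): with nss-pam-ldapd's pam_ldap.so this file is expected to be
# unused and /etc/nslcd.conf (same uri/base keywords) is the one that counts;
# confirm which package provides pam_ldap.so on this host.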
7. 編輯系統認證文件,保證使用LDAP來認證
# Back up the PAM stack before comparing it with the listing that follows.
# NOTE(review): on CentOS 7 system-auth is usually a symlink to
# system-auth-ac, and sshd's stack includes password-auth rather than
# system-auth (check with `grep include /etc/pam.d/sshd`); the ssh test in
# step 9 therefore needs password-auth to carry the same pam_ldap lines,
# which `authconfig --updateall` writes for both files.
cp /etc/pam.d/system-auth /etc/pam.d/system-auth.old
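#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
# NOTE(review): because of the line above, hand edits here last only until
# authconfig runs again; make durable changes through authconfig.
# --- auth: local accounts first, then LDAP for ordinary uids -----------------
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth sufficient pam_fprintd.so
# nullok lets a local account with an empty password log in; drop it unless a
# passwordless local account is deliberately wanted.
auth sufficient pam_unix.so nullok try_first_pass
# Only fall through to LDAP for uid >= 1000, so LDAP can never authenticate
# a system or root account (uid < 1000) that failed the local check.
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
# --- account ------------------------------------------------------------------
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
# Remaining (LDAP) users get LDAP's account checks; a user unknown to LDAP is
# passed on rather than rejected here.
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
# --- password -----------------------------------------------------------------
# local_users_only: pwquality is NOT applied to LDAP users' password changes;
# enforce a password policy on the LDAP server (ppolicy overlay) instead.
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
# --- session ------------------------------------------------------------------
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
# Create the home directory on first login.  umask=0077 (was 0022) so a new
# LDAP user's home is created 0700 instead of world-readable 0755.
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077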
8. 啓動並開機自啓
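# Restart so nslcd re-reads its configuration, then make it start at boot.
systemctl restart nslcd
systemctl enable nslcd
# Fail loudly if the daemon did not come up: with nslcd down every "ldap"
# lookup in nsswitch.conf fails and LDAP users simply appear not to exist.
systemctl is-active --quiet nslcd \
  || { printf 'nslcd is not running; see: journalctl -u nslcd\n' >&2; exit 1; }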
9. 測試登錄
ldap服務器上創建用戶: test5/123456（123456 僅供實驗使用，實際環境請使用強密碼；建立帳號時請一併把 loginShell 設為 /bin/bash）
id test5
uid=1007(test5) gid=500(devops) groups=500(devops)
ssh test5@<客戶端IP>
test5@<客戶端IP>'s password:
Last login: Wed Mar 18 17:29:29 2020 from localhost
登錄成功,驗證完成。注意若登入後出現 `-sh-4.2$` 這種提示符,表示在 LDAP 建立帳號時 loginShell 屬性沒有設為 /bin/bash,修改該屬性即可。
可以寫成腳本進行批量操作,後期就無需在不同服務器建不同用戶了；批量部署時請把 TLS 設定（ldaps:// 或 STARTTLS 加 CA 憑證）一併寫進腳本,不要把本頁 `ssl off`、關閉防火牆與 SELinux 的實驗設定帶到生產環境。