08-OpenLDAP Host Access Control Policy


  1. References
  2. Environment preparation
  3. OpenLDAP server configuration
  4. OpenLDAP client configuration
  5. Client login test
  6. Troubleshooting

1. References

This article is largely a repost of the blog post "openldap host access control (hostname-based)".

Another post by the same blogger, not yet tested here: "openldap host access control (IP-based)".

2. Environment preparation

The attributes added here do not conflict with those used in the other documents of this series, so the existing lab environment can be reused as-is.

3. OpenLDAP server configuration

  1. Import ldapns.schema (it defines the auxiliary hostObject object class, which allows the host attribute on an entry)

    Source: https://github.com/openldap/openldap/blob/master/contrib/slapd-modules/nssov/ldapns.schema
    ```shell
    # quote the delimiter so the $OpenLDAP$ and $Id$ tags below are not expanded by the shell
    cat > /etc/openldap/schema/ldapns.schema << 'EOF'
    # $OpenLDAP$
    # $Id: ldapns.schema,v 1.3 2009-10-01 19:17:20 tedcheng Exp $
    # LDAP Name Service Additional Schema
    # http://www.iana.org/assignments/gssapi-service-names

    #
    # Not part of the distribution: this is a workaround!
    #

    attributetype ( 1.3.6.1.4.1.5322.17.2.1 NAME 'authorizedService'
    DESC 'IANA GSS-API authorized service name'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )

    attributetype ( 1.3.6.1.4.1.5322.17.2.2 NAME 'loginStatus'
    DESC 'Currently logged in sessions for a user'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    ORDERING caseIgnoreOrderingMatch
    SYNTAX OMsDirectoryString )

    objectclass ( 1.3.6.1.4.1.5322.17.1.1 NAME 'authorizedServiceObject'
    DESC 'Auxiliary object class for adding authorizedService attribute'
    SUP top
    AUXILIARY
    MAY authorizedService )

    objectclass ( 1.3.6.1.4.1.5322.17.1.2 NAME 'hostObject'
    DESC 'Auxiliary object class for adding host attribute'
    SUP top
    AUXILIARY
    MAY host )

    objectclass ( 1.3.6.1.4.1.5322.17.1.3 NAME 'loginStatusObject'
    DESC 'Auxiliary object class for login status attribute'
    SUP top
    AUXILIARY
    MAY loginStatus )
    EOF
    ```

    This writes the schema to /etc/openldap/schema/ldapns.schema (copy the file there by hand if you downloaded it instead).

  2. Configure slapd.conf

    Add the following to /etc/openldap/slapd.conf. ldapns.schema only defines object classes; the host attribute that hostObject allows is defined in cosine.schema, which must therefore be included before it (a stock slapd.conf already does this). dyngroup.schema is only needed if you also want groupOfURLs dynamic groups; the attrset below does not use it, but including it does no harm.

    include         /etc/openldap/schema/ldapns.schema
    include         /etc/openldap/schema/dyngroup.schema
    
    modulepath /usr/lib64/openldap
    moduleload dynlist.la
    
    overlay dynlist
    dynlist-attrset inetOrgPerson labeledURI

    The dynlist-attrset line tells the overlay to take every entry of objectClass inetOrgPerson, follow the LDAP URL in its labeledURI attribute, and merge the attribute selected by that URL (here host) into the entry whenever it is read. This is what lets a user inherit the host list of the OU it points at instead of carrying its own host values.

    Then regenerate the cn=config database from slapd.conf and restart slapd. Note that the rm step discards any change that was made directly in cn=config (for example with ldapmodify), so slapd.conf has to be the single source of truth on this server:

    rm -rf /etc/openldap/slapd.d/*
    slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
    chown -R ldap:ldap /etc/openldap/slapd.d
    systemctl restart slapd
  3. Verify that the server loaded the schema and overlay

    slaptest must exit without errors and slapd must come back up after the restart. The decisive check comes after step 5: searching one of the user entries must return host values merged in from the OU its labeledURI points at; if the entry shows only labeledURI, the dynlist overlay is not active.

  4. Define the host groups (one OU per group, each carrying the host values its members will inherit)

    cat << _EOF_ | ldapadd -x -W -H ldapi:/// -D cn=Manager,dc=gdy,dc=com
    dn: ou=servers,dc=gdy,dc=com
    objectClass: organizationalUnit
    ou: servers
    
    dn: ou=apphost,ou=servers,dc=gdy,dc=com
    objectClass: organizationalUnit
    objectClass: hostObject
    ou: apphost
    host: test01.gdy.com
    
    dn: ou=dbhost,ou=servers,dc=gdy,dc=com
    objectClass: organizationalUnit
    objectClass: hostObject
    ou: dbhost
    host: test02.gdy.com
    _EOF_
  5. Define users

    Each user carries no host value of its own; its labeledURI points at one of the OUs from step 4, and the dynlist overlay merges that OU's host values into the user entry at read time. Note that zhangsan's URI points at ou=devhost, which step 4 does not create, so the lookup returns nothing and zhangsan ends up with no host values at all; this is what produces the denial in section 5. The heredoc delimiter is quoted so that the $6$... password hashes are not mangled by shell parameter expansion.

    cat << '_EOF_' | ldapadd -x -W -H ldapi:/// -D cn=Manager,dc=gdy,dc=com
    dn: uid=lisi,ou=people,dc=gdy,dc=com
    objectClass: posixAccount
    objectClass: shadowAccount
    objectClass: person
    objectClass: inetOrgPerson
    objectClass: hostObject
    cn: lisi
    sn: lisi
    uid: lisi
    userPassword: {CRYPT}$6$AgFUbww9$Pa70MIDhUT2z3.Sg83VRnWnaDRubTHJsSxYMzbD3LQlMmXX0VeqHRHd2usrJbId.oFOeoMKi3GC60qjIHUKqK.
    uidNumber: 10006
    gidNumber: 10010
    gecos: App Manager
    homeDirectory: /home/lisi
    loginShell: /bin/bash
    shadowLastChange: 15000
    shadowMin: 0
    shadowMax: 999999
    shadowWarning: 7
    shadowExpire: -1
    mobile: 13900001001
    mail: [email protected]
    labeledURI: ldap:///ou=apphost,ou=servers,dc=gdy,dc=com?host
    _EOF_
    cat << '_EOF_' | ldapadd -x -W -H ldapi:/// -D cn=Manager,dc=gdy,dc=com
    dn: uid=zhangsan,ou=people,dc=gdy,dc=com
    objectClass: posixAccount
    objectClass: shadowAccount
    objectClass: person
    objectClass: inetOrgPerson
    objectClass: hostObject
    cn: zhangsan
    sn: zhangsan
    uid: zhangsan
    userPassword: {CRYPT}$6$0hM3RIS/$omCj0x/ggD.zy3pNNjVo80nhiYHbUvdQaBKsawBBTQ/r/KY2PD77NHDqEPgzZ1Wz2/ZiL./pL65BuNyZ1SHC41
    uidNumber: 10007
    gidNumber: 10011
    gecos: opteam
    homeDirectory: /home/zhangsan
    loginShell: /bin/bash
    shadowLastChange: 15000
    shadowMin: 0
    shadowMax: 999999
    shadowWarning: 7
    shadowExpire: -1
    mobile: 13900001002
    mail: [email protected]
    labeledURI: ldap:///ou=devhost,ou=servers,dc=gdy,dc=com?host
    _EOF_

4. OpenLDAP client configuration

  1. Define FQDN resolution (tested: without it, login fails)

    pam_ldap compares the host values of the user entry against the client's own hostname as it resolves locally, so the client must resolve its own name to exactly the FQDN stored in LDAP (test01.gdy.com). An /etc/hosts entry is the simplest way to guarantee that:

    cat >> /etc/hosts << EOF
    192.168.244.17    mldap01.gdy.com    mldap01
    192.168.244.18    test01.gdy.com     test01
    EOF
  2. pam_ldap.conf parameters

    Enabling the check is a single option; without it the host attribute is stored but never consulted. (pam_check_host_attr is a pam_ldap option; clients that use nss-pam-ldapd/nslcd instead express the same policy with pam_authz_search in /etc/nslcd.conf.)

    cat >> /etc/pam_ldap.conf << EOF
    pam_check_host_attr yes
    EOF

5. Client login test

  1. Successful case (lisi inherits host: test01.gdy.com from ou=apphost)

    [root@test01 ~]# ssh lisi@127.0.0.1
    lisi@127.0.0.1's password: 
    Last login: Fri Jun  1 16:24:12 2018 from localhost
    [lisi@test01 ~]$ hostname
    test01.gdy.com
  2. Failed case (zhangsan has no host value matching test01.gdy.com)

    [root@test01 ~]# ssh zhangsan@127.0.0.1
    zhangsan@127.0.0.1's password: 
    Access denied for this host
    Connection closed by 127.0.0.1
  3. With pam_check_host_attr enabled the check fails closed: a user whose entry ends up with no host values at all (no direct host attribute, and a labeledURI pointing at an OU that does not exist, as zhangsan's does) is denied on every server, not only on the ones outside its list. A mistake in these attributes is a lockout, so verify the entry before relying on it.
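The policy these two login attempts exercise, as an added example (not code from the page, from OpenLDAP or from pam_ldap): a Python model of what the directory data in section 3 plus pam_check_host_attr amount to. It parses a constructed LDIF copy of the page's OU and user entries (trimmed to the attributes that matter; the user wangwu and the literal `*` host value are my additions to show the wildcard), expands labeledURI the way the dynlist overlay does, and applies the host check as I read pam_ldap: a host value matches if it equals, case-insensitively, the client's own hostname or the canonical name it resolves to, or is `*`; an entry with no host values is denied. The toy LDIF parser and the `ldap:///<dn>?<attr>` URI handling are simplifications that cover only what the page uses.

```python
"""Model of pam_check_host_attr over the page's directory entries.

Added example, not code from the page, OpenLDAP or pam_ldap. The parser and the
dynlist expansion are toys covering only the LDIF and URI forms the page uses.
"""
import re

# Constructed LDIF: the OU and user entries from section 3, trimmed to what the
# host check needs. wangwu and the '*' host value are not on the page; they are
# added here to show the wildcard case.
LDIF = """\
dn: ou=apphost,ou=servers,dc=gdy,dc=com
objectClass: organizationalUnit
objectClass: hostObject
ou: apphost
host: test01.gdy.com

dn: ou=dbhost,ou=servers,dc=gdy,dc=com
objectClass: organizationalUnit
objectClass: hostObject
ou: dbhost
host: test02.gdy.com

dn: uid=lisi,ou=people,dc=gdy,dc=com
objectClass: inetOrgPerson
objectClass: hostObject
uid: lisi
labeledURI: ldap:///ou=apphost,ou=servers,dc=gdy,dc=com?host

dn: uid=zhangsan,ou=people,dc=gdy,dc=com
objectClass: inetOrgPerson
objectClass: hostObject
uid: zhangsan
labeledURI: ldap:///ou=devhost,ou=servers,dc=gdy,dc=com?host

dn: uid=wangwu,ou=people,dc=gdy,dc=com
objectClass: inetOrgPerson
objectClass: hostObject
uid: wangwu
host: *
"""

PEOPLE = "ou=people,dc=gdy,dc=com"
URI_RE = re.compile(r"^ldap:///(?P<dn>[^?]+)\?(?P<attr>[^?]+)$")


def parse_ldif(text):
    """Toy LDIF parser (no base64, no folded lines): {dn: {attr_lower: [values]}}."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries[attrs["dn"][0]] = attrs
    return entries


def expand_dynlist(entries, group_oc="inetorgperson", url_ad="labeleduri"):
    """Toy `dynlist-attrset inetOrgPerson labeledURI`: for each entry of the
    group class, follow every labeledURI of the form ldap:///<dn>?<attr> and
    merge the target's <attr> values into a read-time view of the entry.
    A URI whose target does not exist (zhangsan's ou=devhost) adds nothing,
    which is what the real overlay does as well."""
    views = {}
    for dn, attrs in entries.items():
        view = {k: list(v) for k, v in attrs.items()}
        classes = {oc.lower() for oc in attrs.get("objectclass", [])}
        if group_oc in classes:
            for uri in attrs.get(url_ad, []):
                m = URI_RE.match(uri)
                target = entries.get(m.group("dn")) if m else None
                if target:
                    attr = m.group("attr").lower()
                    view.setdefault(attr, []).extend(target.get(attr, []))
        views[dn] = view
    return views


def host_ok(user, hostname, canonical=None):
    """The pam_check_host_attr rule as modelled here: allow if some host value
    is '*' or equals (case-insensitively) the client's hostname or the canonical
    name it resolves to. No host values at all -> deny: the check fails closed."""
    names = {hostname.lower()}
    if canonical:
        names.add(canonical.lower())
    return any(h == "*" or h.lower() in names for h in user.get("host", []))


def decide(uid, hostname, canonical=None):
    """'allow' or 'deny' for uid logging in on a client named hostname."""
    views = expand_dynlist(parse_ldif(LDIF))
    user = views.get(f"uid={uid},{PEOPLE}")
    return "allow" if user and host_ok(user, hostname, canonical) else "deny"


if __name__ == "__main__":
    # The two logins from section 5, the short-name case from section 4, and
    # the wildcard and missing-OU lockout cases.
    for uid, host, canon in [("lisi", "test01.gdy.com", None),
                             ("zhangsan", "test01.gdy.com", None),
                             ("lisi", "test01", None),
                             ("lisi", "test01", "test01.gdy.com"),
                             ("zhangsan", "test02.gdy.com", None),
                             ("wangwu", "anyhost.example", None)]:
        print(f"{uid:9s} on {host:16s} -> {decide(uid, host, canon)}")
```

Running it reproduces both section 5 outcomes: lisi is allowed on test01.gdy.com and zhangsan is denied there, but zhangsan is also denied on test02.gdy.com, because the dangling ou=devhost URI leaves him with no host values at all. The `("lisi", "test01", None)` row shows why section 4 insists on FQDN resolution: a bare short name does not match the stored value until the canonical name resolves to test01.gdy.com.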

6. Troubleshooting

  1. The PS1 prompt is not applied; the session looks like this

    [root@test01 home]# ssh [email protected]
    [email protected]'s password: 
    Permission denied, please try again.
    [email protected]'s password: 
    Last login: Fri Jun  1 14:10:53 2018 from localhost
    -sh-4.1$      # the prompt is not what it should be

    Resolution: the -sh prompt shows that the session was started by sh rather than bash, so the user's bash profile (and with it PS1) was never read. Redoing the configuration showed that loginShell had been forgotten or mistyped, so the attribute was missing from the entry and the client fell back to the default shell. Adding loginShell: /bin/bash to the entry fixes it. (The first "Permission denied" is a mistyped password and is unrelated to the host check; a host-attribute denial prints "Access denied for this host" instead.)
