OpenLDAP configuration and integration with SSH

####################################################################################################
                   Red Hat Enterprise Linux Server release 6.0
####################################################################################################
1. Install the rpm packages openldap, openldap-clients and openldap-servers. Check with:
 [root@localhost Desktop]# rpm -qa |grep openldap
  openldap-clients-2.4.19-15.el6.i686
  openldap-devel-2.4.19-15.el6.i686
  openldap-servers-2.4.19-15.el6.i686
  openldap-2.4.19-15.el6.i686
2. Remove the slapd.d directory (under /etc/openldap): rm -rf slapd.d/
3. Copy the configuration file: cp slapd.conf.bak slapd.conf, then set its permissions: chmod 644 slapd.conf
4. Generate a password hash with slappasswd(8), the tool the comment in the file refers to, and paste it into slapd.conf as the rootpw value:
  database	bdb
  suffix		"dc=example,dc=com"
  checkpoint	1024 15
  rootdn		"cn=Manager,dc=example,dc=com"
  # Cleartext passwords, especially for the rootdn, should
  # be avoided.  See slappasswd(8) and slapd.conf(5) for details.
  # Use of strong authentication encouraged.
  # rootpw		secret
  # rootpw		{crypt}ijFYNcSNctBYg
  rootpw		{SSHA}4Y08KJDfylBY2PEgG7nhbJm2ccUt17sA
5. Copy the database configuration file: cp /usr/share/doc/openldap-servers-2.4.19/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
  Change the owner of the database files: chown -R ldap:ldap /var/lib/ldap/
6. Change into /var/lib/ldap/ and create the file example.ldif (the blank line between the two entries is the separator ldapadd requires):
  dn: dc=example,dc=com
  objectclass: dcObject
  objectclass: organization
  o: Example Company
  dc: example

  dn: cn=Manager,dc=example,dc=com
  objectclass: organizationalRole
  cn: Manager
7. Add the entries above to the LDAP database (slapd must be running first, e.g. service slapd start): ldapadd -x -D 'cn=Manager,dc=example,dc=com' -W -f example.ldif
8. Verify that the data was added correctly: ldapsearch -x -b 'dc=example,dc=com'
  [root@localhost ldap]# ldapsearch -x -b 'dc=example,dc=com'
  # extended LDIF
  #
  # LDAPv3
  # base <dc=example,dc=com> with scope subtree
  # filter: (objectclass=*)
  # requesting: ALL
  #
  # example.com
  dn: dc=example,dc=com
  objectClass: dcObject
  objectClass: organization
  o: Example Company
  dc: example
  # Manager, example.com
  dn: cn=Manager,dc=example,dc=com
  objectClass: organizationalRole
  cn: Manager
  # search result
  search: 2
  result: 0 Success
  # numResponses: 3
  # numEntries: 2
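The following script is an added example, not part of the original post, that checks the two hand-made artefacts from steps 4 to 7 before slapd is started: that the active rootpw line in slapd.conf carries a {SCHEME} hash rather than cleartext, and that the LDIF file separates its entries with a blank line (the page's original listing lacked one, which makes ldapadd reject the second dn). It also warns when slapd.conf is world-readable; the 640 root:ldap mode it suggests is my recommendation, since slapd on RHEL 6 runs as the ldap user and the file holds the rootpw hash. File paths and contents below are constructed samples; on a real host point the functions at /etc/openldap/slapd.conf and your own LDIF.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for slapd.conf and
# the LDIF built in steps 4-7. The files written below are constructed samples.

# rootpw_is_hashed CONF -> 0 if the active rootpw value uses a {SCHEME} hash,
# 1 if it is cleartext or missing. Commented-out rootpw lines are skipped
# because their first field is "#".
rootpw_is_hashed() {
    pw=$(awk '$1 == "rootpw" { print $2; exit }' "$1")
    [ -n "$pw" ] || return 1
    case $(printf '%s' "$pw" | tr 'a-z' 'A-Z') in
        '{SSHA}'*|'{SHA}'*|'{CRYPT}'*|'{MD5}'*|'{SMD5}'*) return 0 ;;
        *) return 1 ;;
    esac
}

# file_world_readable PATH -> 0 if "other" has read permission (e.g. mode 644).
file_world_readable() {
    case $(ls -ld "$1" | cut -c1-10) in
        ???????r??) return 0 ;;
        *) return 1 ;;
    esac
}

# ldif_well_formed FILE -> 0 if every dn: line after the first is preceded by
# a blank line; comment lines are ignored. Prints nothing.
ldif_well_formed() {
    awk '
        /^#/ { next }
        /^dn:/ { if (entries > 0 && prev != "") bad = 1; entries++ }
        { prev = $0 }
        END { exit (bad || entries == 0) ? 1 : 0 }
    ' "$1"
}

# ldif_entry_count FILE -> prints the number of entries (dn: lines).
ldif_entry_count() {
    grep -c '^dn:' "$1"
}

# audit_slapd_conf CONF -> one finding per line; returns 1 if rootpw is not hashed.
audit_slapd_conf() {
    rc=0
    if rootpw_is_hashed "$1"; then
        echo "rootpw: hashed"
    else
        echo "rootpw: cleartext or missing; paste the slappasswd output instead"
        rc=1
    fi
    if file_world_readable "$1"; then
        echo "$1: world-readable; it holds the rootpw hash, 640 root:ldap is tighter than 644"
    fi
    return $rc
}

# --- constructed samples mirroring steps 4 and 6 ------------------------------
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/slapd.conf" <<'EOF'
database   bdb
suffix     "dc=example,dc=com"
rootdn     "cn=Manager,dc=example,dc=com"
# rootpw   secret
rootpw     {SSHA}4Y08KJDfylBY2PEgG7nhbJm2ccUt17sA
EOF
# Same config with the cleartext rootpw the file's own comment warns against.
printf 'rootdn\t"cn=Manager,dc=example,dc=com"\nrootpw\tsecret\n' > "$demo/cleartext.conf"
cat > "$demo/good.ldif" <<'EOF'
dn: dc=example,dc=com
objectclass: dcObject
objectclass: organization
o: Example Company
dc: example

dn: cn=Manager,dc=example,dc=com
objectclass: organizationalRole
cn: Manager
EOF
grep -v '^$' "$demo/good.ldif" > "$demo/bad.ldif"   # same entries, separator dropped

audit_slapd_conf "$demo/slapd.conf"
audit_slapd_conf "$demo/cleartext.conf"
for f in good bad; do
    if ldif_well_formed "$demo/$f.ldif"; then
        echo "$f.ldif: $(ldif_entry_count "$demo/$f.ldif") entries, separators OK"
    else
        echo "$f.ldif: missing blank line between entries; ldapadd will reject it"
    fi
done
```

Run it once against the real files after editing and again before the first ldapadd; slaptest(8) is the authoritative syntax check for slapd.conf, this script only catches the two mistakes the steps above invite.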

Integrating SSH with LDAP authentication

1. Enable LDAP authentication: run authconfig-tui and select the following options:
  [*] Use LDAP
  [*] Use LDAP Authentication
2. Set the following in /etc/ssh/sshd_config so that sshd authenticates accounts through PAM:
  UsePAM yes
3. Inspect /etc/pam.d/sshd to confirm which PAM stack it includes (password-auth in this example):
 [root@localhost pam.d]# cat sshd
 #%PAM-1.0
 auth	   required	pam_sepermit.so
 auth       include      password-auth
 account    required     pam_nologin.so
 account    include      password-auth
 password   include      password-auth
 # pam_selinux.so close should be the first session rule
 session    required     pam_selinux.so close
 session    required     pam_loginuid.so
 # pam_selinux.so open should only be followed by sessions to be executed in the user context
 session    required     pam_selinux.so open env_params
 session    optional     pam_keyinit.so force revoke
 session    include      password-auth
 session    required     pam_mkhomedir.so       # added: creates the home directory on the user's first SSH login
4. Edit /etc/pam.d/password-auth (as its header warns, authconfig regenerates this file, so re-check these lines after running it again):
 [root@localhost pam.d]# cat password-auth
 #%PAM-1.0
 # This file is auto-generated.
 # User changes will be destroyed the next time authconfig is run.
 auth        required      pam_env.so
 auth        sufficient    pam_unix.so nullok try_first_pass
 auth        requisite     pam_succeed_if.so uid >= 500 quiet
 auth        sufficient    pam_ldap.so use_first_pass   # added
 auth        required      pam_deny.so
 account     required      pam_unix.so
 account     sufficient    pam_localuser.so
 account     sufficient    pam_succeed_if.so uid < 500 quiet
 account     sufficient    pam_ldap.so     # added
 account     required      pam_permit.so
 password    requisite     pam_cracklib.so try_first_pass retry=3 type=
 password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
 password    sufficient    pam_ldap.so use_authtok   # added
 password    required      pam_deny.so
 session     optional      pam_keyinit.so revoke
 session     required      pam_limits.so
 session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
 session     required      pam_unix.so
 session     optional      pam_ldap.so   # added
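Why the pam_ldap auth line must sit where step 4 puts it (after pam_succeed_if, before pam_deny) is easiest to see by evaluating the stack. The script below is an added example, not part of the original post: a deliberately small model of PAM auth-stack evaluation covering only the control flags and modules on this page (required, requisite, sufficient; pam_env, pam_unix, pam_succeed_if, pam_ldap, pam_deny, pam_permit). It ignores include, optional and the [value=action] syntax, treats pam_env as succeeding and any module not named in the user spec as failing, and is a simplification of real PAM behaviour, not a substitute for testing a real login. The stack files are constructed copies of the auth section from step 4.

```shell
#!/bin/sh
# Added example (not from the original post): a simplified model of how PAM
# walks the auth section of a stack, to show the effect of the pam_ldap line.

# pam_auth_result STACKFILE SPEC -> prints "ok" or "fail".
# SPEC lists the simulated user's module outcomes and uid, e.g.
#   "pam_unix=fail,pam_ldap=ok,uid=1000"   (LDAP-only account)
#   "pam_unix=ok,uid=501"                  (local account)
# Modules not named in SPEC are treated as failing.
pam_auth_result() {
    awk -v spec="$2" '
    BEGIN {
        n = split(spec, kv, ",")
        for (i = 1; i <= n; i++) { split(kv[i], p, "="); r[p[1]] = p[2] }
    }
    # Outcome of one module for the simulated user.
    function outcome(mod, args,   m) {
        sub(/\.so$/, "", mod)
        if (mod == "pam_deny") return "fail"
        if (mod == "pam_permit" || mod == "pam_env") return "ok"
        if (mod == "pam_succeed_if") {
            # only the "uid >= N" and "uid < N" forms used on this page
            m = args
            if (sub(/.*uid >= /, "", m)) { sub(/ .*/, "", m); return ((r["uid"] + 0 >= m + 0) ? "ok" : "fail") }
            if (sub(/.*uid < /, "", m))  { sub(/ .*/, "", m); return ((r["uid"] + 0 <  m + 0) ? "ok" : "fail") }
            return "fail"
        }
        return ((mod in r) ? r[mod] : "fail")
    }
    $1 == "auth" && $2 != "include" {
        args = ""
        for (i = 4; i <= NF; i++) args = args " " $i
        res = outcome($3, args)
        if ($2 == "required" && res == "fail") failed = 1
        else if ($2 == "requisite" && res == "fail") { final = "fail"; exit }
        else if ($2 == "sufficient" && res == "ok" && !failed) { final = "ok"; exit }
        # a failing sufficient module and optional modules do not change the result
    }
    END {
        if (final == "") final = failed ? "fail" : "ok"
        print final
    }
    ' "$1"
}

# --- constructed stacks -------------------------------------------------------
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
# Copy of the auth section from step 4, including the added pam_ldap line.
cat > "$demo/with_ldap" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
EOF
# The same stack before the pam_ldap line was added.
grep -v pam_ldap "$demo/with_ldap" > "$demo/without_ldap"
# A misordered variant: pam_ldap appended after pam_deny.
{ grep -v pam_ldap "$demo/with_ldap"; grep pam_ldap "$demo/with_ldap"; } > "$demo/misordered"

for stack in with_ldap without_ldap misordered; do
    echo "$stack: LDAP user uid 1000 -> $(pam_auth_result "$demo/$stack" pam_unix=fail,pam_ldap=ok,uid=1000)"
    echo "$stack: local user uid 501 -> $(pam_auth_result "$demo/$stack" pam_unix=ok,uid=501)"
    echo "$stack: LDAP user uid 400  -> $(pam_auth_result "$demo/$stack" pam_unix=fail,pam_ldap=ok,uid=400)"
done
```

The output makes the three cases explicit: with the line in place an LDAP-only account authenticates, without it pam_deny (required) fails the stack, and with pam_ldap placed after pam_deny the earlier required failure is already recorded so the sufficient success is not honoured. The uid 400 case shows the requisite pam_succeed_if line keeping system accounts from ever reaching pam_ldap.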