CentOS 7 OpenLDAP Configuration (Part 1): Single-Node OpenLDAP Service and Common Server Login Management Scenarios

1. Environment

1.1 Scenarios covered

  1. Client servers can be logged into with OpenLDAP accounts
  2. Client servers can be logged into with OpenLDAP accounts using SSH keys
  3. The list of hosts a given account may log into is controlled through OpenLDAP
  4. Client servers manage account sudo privileges through OpenLDAP
  5. Configuration of phpLDAPadmin, the browser-based OpenLDAP management tool
  6. LdapAdmin, a Windows tool for managing OpenLDAP on the local network

1.2 Environment

  Hostname         Address       Version        Role                           Note
  sysldap-shylf-1  10.116.72.11  CentOS7.6 min  openLdap, httpd, phpldapadmin
  sysldap-shylf-2  10.116.72.12  CentOS7.6 min  openLdap, httpd, phpldapadmin  not used in this article
  systerm-shylf-1  10.116.72.15  CentOS7.6 min  openLdap client

Prerequisites: for convenience, the firewall has been configured and SELinux disabled.

Example base DN used throughout: dc=example,dc=com

2. OpenLDAP server configuration

Create a configuration directory and keep the related configuration files in it:

openldap
├── base.ldif
├── config.ldif
├── demo.ldif
├── loglevel.ldif
├── schema
│   ├── sudo.ldif
│   └── sudo.schema
├── sudo_ops_role.ldif
└── SUODers.ldif

cd openldap

2.1 Install the LDAP packages and start the service

yum -y install openldap openldap-clients openldap-servers

# Create the LDAP database
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap:ldap /var/lib/ldap/*

systemctl start slapd.service
systemctl enable slapd.service

# slapd should now be listening on port 389
netstat -antup | grep -i 389
tcp     0    0 0.0.0.0:389      0.0.0.0:*   LISTEN      16349/slapd
tcp6    0    0 :::389           :::*        LISTEN      16349/slapd

2.2 Configure the OpenLDAP service

# 1. Generate the LDAP root password hash
~]# slappasswd
New password: openldap
Re-enter new password: openldap
{SSHA}npo7WhvpY+s4+p584zAnoduStQzeTxHE

#-------------------------------------------
# 2. Add the required schemas [more can be added as needed]
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

#-------------------------------------------
# 3. Configure the OpenLDAP service (suffix, root DN, the password hash from step 1, and access control)
vi config.ldif
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=example,dc=com" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=example,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}npo7WhvpY+s4+p584zAnoduStQzeTxHE

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=example,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=example,dc=com" write by * read

# Apply the configuration to the LDAP service
ldapmodify -Y EXTERNAL -H ldapi:/// -f config.ldif

#-------------------------------------------
# 4. Domain example.com configuration
vi base.ldif
dn: dc=example,dc=com
o: example com
dc: example
objectClass: top
objectClass: dcObject
objectClass: organization

dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
cn: Manager
description: LDAP Manager

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=example,dc=com
objectClass: organizationalUnit
ou: Group

# Apply the configuration to the LDAP service (prompts for the Manager password set in step 1)
ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f base.ldif


# 5. Configure LDAP logging
vi loglevel.ldif
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats

# Apply the configuration to the LDAP service
ldapmodify -Y EXTERNAL -H ldapi:/// -f loglevel.ldif

# slapd logs to the local4 syslog facility; send it to its own file
vi /etc/rsyslog.conf
...
local4.*				/var/log/openldap.log

vi /etc/logrotate.d/slapd
/var/log/openldap.log {
    rotate 14
    size 10M
    missingok
    compress
    copytruncate
}

systemctl restart rsyslog
# The log rotation above is optional; configure it if needed

# 6. Create a test user
vi demo.ldif
dn: uid=800001,ou=People,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: demo
uid: 800001
uidNumber: 3000
gidNumber: 100
homeDirectory: /home/ldapusers
loginShell: /bin/bash
gecos: Demo [Demo user (at) example]
userPassword: {crypt}x
shadowLastChange: 17058
shadowMin: 0
shadowMax: 99999
shadowWarning: 7

dn: cn=ops,ou=Group,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: ops
gidNumber: 80001
memberUid: 800001

ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f demo.ldif
# Set the user's real password (replaces the {crypt}x placeholder above)
ldappasswd -s 'passwd@123' -W -D "cn=Manager,dc=example,dc=com" -x "uid=800001,ou=People,dc=example,dc=com"

ldapsearch -x uid=800001 -b dc=example,dc=com

# To delete the user, use the following command
ldapdelete -W -D "cn=Manager,dc=example,dc=com" -x "uid=800001,ou=People,dc=example,dc=com"
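The {SSHA} value that slappasswd prints in step 1 is not a reversible encoding but a salted SHA-1 digest: base64(SHA-1(password || salt) || salt), with a random 4-byte salt. The Python below is an added example, not code from the article or from OpenLDAP; it reproduces that format and checks a password against a stored value the way slapd does on a simple bind. The fixed salt used in the demonstration is constructed.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# {SSHA} as printed by slappasswd: base64( SHA-1(password || salt) || salt ).
# slappasswd uses a random 4-byte salt; a SHA-1 digest is always 20 bytes.
SALT_LEN = 4
DIGEST_LEN = 20


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return a {SSHA} value suitable for olcRootPW or userPassword."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_split(stored: str) -> Tuple[bytes, bytes]:
    """Split a stored {SSHA} value into (digest, salt); the scheme tag is case-insensitive."""
    if stored[:6].upper() != "{SSHA}":
        raise ValueError("not a {SSHA} value")
    raw = base64.b64decode(stored[6:])
    if len(raw) <= DIGEST_LEN:
        raise ValueError("{SSHA} payload too short to contain a salt")
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def ssha_salt(stored: str) -> bytes:
    """The salt slappasswd appended after the 20-byte digest."""
    return ssha_split(stored)[1]


def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SSHA} value, as slapd does on a simple bind."""
    digest, salt = ssha_split(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # constant-time comparison: do not leak how many digest bytes matched
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    value = ssha_hash("openldap")  # same password as the slappasswd run above
    print(value)
    print(ssha_verify("openldap", value))  # True
    print(ssha_verify("wrong", value))     # False
```

Checking the olcRootPW you actually deployed against the password you meant to set is a cheap sanity check before relying on it. SHA-1 is fast to compute, so a leaked {SSHA} value of a weak password is cheaply guessed; the scheme protects only as much as the password's strength.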

3. LDAP client configuration

# 1. Install packages
yum install -y openldap-clients nss-pam-ldapd

# 2. Point the client server at the LDAP service
authconfig --enableldap --enableldapauth --ldapserver="10.116.72.11" --ldapbasedn="dc=example,dc=com" --update
# This command modifies /etc/nsswitch.conf and /etc/openldap/ldap.conf

# 3. Start the LDAP client service
systemctl restart nslcd

# 4. Verify
getent passwd 800001
800001:3000:100:Demo [Demo user (at) example]:/home/demo:/bin/bash

# 5. Verify remote ssh login
ssh 800001@10.116.72.15
800001@10.116.72.15's password: demopassword
-bash-4.2$ id 800001
uid=3000(800001) gid=100(users) groups=100(users),80001(ops)
-bash-4.2$

# As you can see, automatic creation of the account's home directory is not configured. In day-to-day operations we do not create one per account either (it would leave a pile of per-account directories); instead the operations accounts share one home directory, which is set read-only.
# If you do need home directories created automatically, the PAM module configuration has to be changed.

4. Configure LDAP for public-key (publicKey) remote ssh login to client hosts

4.1 OpenLDAP server configuration

# 1. Install openssh-ldap
yum install openssh-ldap

rpm -qal | grep openssh-ldap
/usr/share/doc/openssh-ldap-7.4p1
/usr/share/doc/openssh-ldap-7.4p1/HOWTO.ldap-keys
/usr/share/doc/openssh-ldap-7.4p1/ldap.conf
/usr/share/doc/openssh-ldap-7.4p1/openssh-lpk-openldap.ldif
/usr/share/doc/openssh-ldap-7.4p1/openssh-lpk-openldap.schema
/usr/share/doc/openssh-ldap-7.4p1/openssh-lpk-sun.ldif
/usr/share/doc/openssh-ldap-7.4p1/openssh-lpk-sun.schema

# 2. Add the related schema
cp /usr/share/doc/openssh-ldap-7.4p1/openssh-lpk-openldap.ldif /etc/openldap/schema/
cp /usr/share/doc/openssh-ldap-7.4p1/openssh-lpk-openldap.schema /etc/openldap/schema/

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/openssh-lpk-openldap.ldif

# 3. Add objectClass ldapPublicKey to the account and add the sshPublicKey attribute
# The edit itself can be made with LdapAdmin or phpLDAPadmin, installed later in this article
objectClass: ldapPublicKey
sshPublicKey: <the account's actual public key>
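Step 3 puts the account's public key into the sshPublicKey attribute, and ssh-ldap-wrapper on the client later hands whatever is in that attribute straight to sshd, so it is worth checking that the value is a well-formed OpenSSH public key before it goes into the directory. The Python below is an added example, not code from the article or from openssh-ldap: it validates the key line down to the type string inside the base64 blob (the wire format sshd parses) and emits the ldapmodify LDIF for the change. The ed25519 key it builds is constructed and not a usable key.

```python
import base64
import struct

# Common OpenSSH public-key types; extend as your sshd's accepted types require
KNOWN_KEY_TYPES = {
    "ssh-rsa", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}


def validate_ssh_public_key(line: str) -> str:
    """Return the key type of a well-formed OpenSSH public-key line, else raise ValueError.

    The value must be '<type> <base64> [comment]', the type must be known,
    the base64 must decode, and the first length-prefixed string inside the
    decoded blob (the wire format sshd reads) must repeat the same type.
    """
    fields = line.strip().split()
    if len(fields) not in (2, 3):
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, blob_b64 = fields[0], fields[1]
    if key_type not in KNOWN_KEY_TYPES:
        raise ValueError("unknown key type %r" % key_type)
    try:
        blob = base64.b64decode(blob_b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("key blob is not valid base64") from exc
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode("ascii"):
        raise ValueError("key type inside the blob does not match %r" % key_type)
    return key_type


def is_valid_ssh_public_key(line: str) -> bool:
    """Boolean form of validate_ssh_public_key for callers that just need yes/no."""
    try:
        validate_ssh_public_key(line)
        return True
    except ValueError:
        return False


def sshkey_modify_ldif(dn: str, pubkey: str) -> str:
    """LDIF for ldapmodify that adds objectClass ldapPublicKey plus the key to *dn*."""
    validate_ssh_public_key(pubkey)
    return (
        "dn: %s\n" % dn
        + "changetype: modify\n"
        + "add: objectClass\n"
        + "objectClass: ldapPublicKey\n"
        + "-\n"
        + "add: sshPublicKey\n"
        + "sshPublicKey: %s\n" % pubkey.strip()
    )


def constructed_ed25519_key() -> str:
    """A structurally valid but constructed (not real, not usable) ssh-ed25519 key."""
    kt = b"ssh-ed25519"
    blob = struct.pack(">I", len(kt)) + kt + struct.pack(">I", 32) + bytes(range(32))
    return "ssh-ed25519 %s demo@example" % base64.b64encode(blob).decode("ascii")


if __name__ == "__main__":
    key = constructed_ed25519_key()
    print(sshkey_modify_ldif("uid=800001,ou=People,dc=example,dc=com", key))
```

Feed the printed LDIF to ldapmodify -x -W -D "cn=Manager,dc=example,dc=com" as in the rest of the article. If the entry already carries objectClass ldapPublicKey, keep only the second change set (after the "-" line); otherwise ldapmodify rejects the first one with "Type or value exists".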

4.2 Client host configuration

yum install openssh-ldap
cp /usr/share/doc/openssh-ldap-7.4p1/ldap.conf /etc/ssh/

# If you use TLS, configure it here; it is not used in this article
vi /etc/ssh/ldap.conf
ssl no
uri ldap://10.116.72.11/

vi /etc/ssh/sshd_config
# The wrapper script fetches the key from LDAP and hands it to the SSH server
AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper
AuthorizedKeysCommandUser nobody
PubkeyAuthentication yes

# Restart sshd so the new AuthorizedKeysCommand takes effect
systemctl restart sshd

4.3 Login verification

ssh -i ~/.ssh/id_rsa 800001@10.116.72.15
Last login: Thu Jul  4 16:15:30 2019 from 10.116.71.200
Could not chdir to home directory /home/demo: No such file or directory
-bash-4.2$

5. Configure the list of hosts an LDAP account may log into

The remote ssh server used for testing is 10.116.72.15; we verify as follows:

  1. Set the account's host list (host attribute) without 10.116.72.15 and test whether login works
  2. Set the account's host list (host attribute) including 10.116.72.15 and test whether login works

5.1 Configuration on the client host that is logged into via LDAP

vi /etc/nslcd.conf
# Add the following filter, which includes this host's own address. It restricts passwd lookups to accounts
# whose host attribute names this host's IP, or that are allowed on any host (* or ALL).
# nslcd reads this file; /etc/nsswitch.conf has no filter directive.
filter passwd (|(host=10.116.72.15)(host=\*)(host=ALL))

systemctl restart nslcd

Note: if the remote host is CentOS 6, the configuration is slightly different:

vi /etc/pam_ldap.conf
pam_filter |(host=10.116.72.16)(host=\*)(host=ALL)

5.2 LDAP account configuration

Use the ldap command-line tools or the LdapAdmin tool to add the host attribute to the account; the attribute may be added multiple times.

  • First configuration: does not include the test host 10.116.72.15
ldapsearch -x uid=800001 -b 'ou=People,dc=example,dc=com'

dn: uid=800001,ou=People,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: demo
uid: 800001
uidNumber: 3000
gidNumber: 100
homeDirectory: /home/demo
loginShell: /bin/bash
gecos: Demo [Admin (at) eju]
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
host: 10.116.72.12
host: 10.116.72.16

Test login:
# ssh 800001@10.116.72.15
800001@10.116.72.15's password:
Permission denied, please try again.

  • Second configuration: includes the test host 10.116.72.15
ldapsearch -x uid=800001 -b 'ou=People,dc=example,dc=com'

dn: uid=800001,ou=People,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: demo
uid: 800001
uidNumber: 3000
gidNumber: 100
homeDirectory: /home/demo
loginShell: /bin/bash
gecos: Demo [Admin (at) eju]
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
host: 10.116.72.12
host: 10.116.72.15
host: 10.116.72.16

Test login:
# ssh 800001@10.116.72.15
800001@10.116.72.15's password:
Last login: Thu Jul  4 16:15:30 2019 from 10.116.71.200
Could not chdir to home directory /home/demo: No such file or directory
-bash-4.2$

With that, the test passes.
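To see what the nslcd filter in 5.1 actually decides, here is a small Python example (added here, not from the article): it extracts the host values from an ldapsearch entry like the two shown above, applies the same rule locally (host uses a case-insensitive match, and "*" or ALL mean any host), and builds the nslcd.conf line for a given client IP. The two entries and the client address 10.116.72.15 are constructed from section 5.2. The filter it emits goes slightly beyond the article's: it ANDs in objectClass=posixAccount, because "filter passwd" replaces nslcd's default filter rather than extending it, and it writes the escaped asterisk in RFC 4515 form (\2a) rather than the older \* spelling used above.

```python
# Constructed ldapsearch output, modelled on the two entries shown in 5.2
ENTRY_WITHOUT_HOST = """\
dn: uid=800001,ou=People,dc=example,dc=com
objectClass: account
objectClass: posixAccount
uid: 800001
host: 10.116.72.12
host: 10.116.72.16
"""
ENTRY_WITH_HOST = ENTRY_WITHOUT_HOST + "host: 10.116.72.15\n"

CLIENT_IP = "10.116.72.15"  # the test client from the environment table


def host_values(entry: str) -> list:
    """Collect every value of the multi-valued host attribute from one ldapsearch entry."""
    return [line[len("host:"):].strip()
            for line in entry.splitlines() if line.startswith("host:")]


def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def host_filter(client_ip: str) -> str:
    """Match accounts allowed on client_ip, on any host ('*'), or ALL.

    objectClass=posixAccount is ANDed in because 'filter passwd' in nslcd.conf
    replaces nslcd's default filter instead of adding to it.
    """
    return ("(&(objectClass=posixAccount)(|(host=%s)(host=\\2a)(host=ALL)))"
            % ldap_filter_escape(client_ip))


def nslcd_conf_line(client_ip: str) -> str:
    """The line to put in /etc/nslcd.conf on the client."""
    return "filter passwd " + host_filter(client_ip)


def host_allows(hosts, client_ip: str) -> bool:
    """The same decision evaluated locally; host is caseIgnoreIA5Match, so compare case-insensitively."""
    wanted = {client_ip.lower(), "*", "all"}
    return any(h.lower() in wanted for h in hosts)


if __name__ == "__main__":
    print(nslcd_conf_line(CLIENT_IP))
    for label, entry in (("without 10.116.72.15", ENTRY_WITHOUT_HOST),
                         ("with 10.116.72.15", ENTRY_WITH_HOST)):
        print(label, "->", host_allows(host_values(entry), CLIENT_IP))
```

Run against the two entries, the first returns False and the second True, which is exactly the "Permission denied" followed by a successful login observed in 5.2. Note that with this filter in place an account with no host attribute at all is invisible to the client, which is the intended fail-closed behaviour.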

6. Configure sudo privilege management through LDAP

6.1 Server configuration

The OpenLDAP installed by default on CentOS 7.6 is 2.4.44, and its schema directory contains no sudo.ldif or sudo.schema, so they have to be prepared separately. sudo is installed by default, and its documentation directory contains the sudo.schema template file schema.OpenLDAP.

find / -name schema.OpenLDAP -exec cp {} /etc/openldap/schema/sudo.schema \;

# Generate sudo.ldif
echo 'include     /etc/openldap/schema/sudo.schema' > /tmp/sudo.conf
mkdir /tmp/sudo
slaptest -f /tmp/sudo.conf -F /tmp/sudo

vi /tmp/sudo/cn=config/cn=schema/cn={0}sudo.ldif
Replace the first 3 lines:
dn: cn={0}sudo
objectClass: olcSchemaConfig
cn: {0}sudo
with:
dn: cn=sudo,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: sudo
and delete the last 7 lines:
structuralObjectClass: olcSchemaConfig
entryUUID: ec3b659a-31a9-1039-90ae-87c69280e4a2
creatorsName: cn=config
createTimestamp: 20190703064542Z
entryCSN: 20190703064542.945991Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20190703064542Z

cp /tmp/sudo/cn=config/cn=schema/cn={0}sudo.ldif /etc/openldap/schema/sudo.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/sudo.ldif

# /tmp/sudo is a directory, so -r is needed to remove it
rm -rf /tmp/sudo.conf /tmp/sudo
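The three-line replacement and seven-line deletion above can be done mechanically, which avoids miscounting lines in the hand edit. The Python below is an added example, not part of the article: it rewrites the slaptest output so that the dn and cn lines lose their {0} ordering prefix and gain the cn=schema,cn=config parent, and the operational attributes slaptest appends (structuralObjectClass, entryUUID, creatorsName, createTimestamp, entryCSN, modifiersName, modifyTimestamp) are dropped. The sample input is a constructed, abbreviated stand-in for cn={0}sudo.ldif, and the script file name in the usage line is assumed.

```python
import re
import sys

# Operational attributes slaptest writes at the end of the generated file
# (the "last 7 lines" deleted by hand above); ldapadd must not receive them.
OPERATIONAL_ATTRS = {
    "structuralObjectClass", "entryUUID", "creatorsName", "createTimestamp",
    "entryCSN", "modifiersName", "modifyTimestamp",
}

_DN_RE = re.compile(r"^dn: cn=\{\d+\}(\S+)$")
_CN_RE = re.compile(r"^cn: \{\d+\}(\S+)$")


def slaptest_schema_to_ldif(text: str) -> str:
    """Rewrite slaptest's cn={N}name.ldif into an LDIF ldapadd accepts under cn=schema,cn=config."""
    out = []
    for line in text.splitlines():
        m = _DN_RE.match(line)
        if m:
            out.append("dn: cn=%s,cn=schema,cn=config" % m.group(1))
            continue
        m = _CN_RE.match(line)
        if m:
            out.append("cn: %s" % m.group(1))
            continue
        # LDIF continuation lines start with a space, so they never match here
        attr = line.split(":", 1)[0]
        if attr in OPERATIONAL_ATTRS:
            continue
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed, abbreviated stand-in for /tmp/sudo/cn=config/cn=schema/cn={0}sudo.ldif
SAMPLE_SLAPTEST_OUTPUT = """\
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
dn: cn={0}sudo
objectClass: olcSchemaConfig
cn: {0}sudo
olcAttributeTypes: {0}( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who m
 ay run sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcObjectClasses: {0}( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
  MUST ( cn ) MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoOption ) )
structuralObjectClass: olcSchemaConfig
entryUUID: ec3b659a-31a9-1039-90ae-87c69280e4a2
creatorsName: cn=config
createTimestamp: 20190703064542Z
entryCSN: 20190703064542.945991Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20190703064542Z
"""


if __name__ == "__main__":
    # With no stdin redirected, show the transformation on the sample
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SLAPTEST_OUTPUT
    sys.stdout.write(slaptest_schema_to_ldif(source))
```

Usage (script name assumed): python3 fixschema.py < '/tmp/sudo/cn=config/cn=schema/cn={0}sudo.ldif' > /etc/openldap/schema/sudo.ldif, then ldapadd the result as above. The leading "# AUTO-GENERATED" comment is harmless because ldapadd ignores LDIF comment lines.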

6.2 Privilege configuration

vi SUODers.ldif
dn: ou=SUDOers,dc=example,dc=com
ou: SUDOers
objectClass: top
objectClass: organizationalUnit

dn: cn=defaults,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
cn: defaults
sudoOption: requiretty
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset
sudoOption: env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
sudoOption: env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
sudoOption: env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
sudoOption: env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
sudoOption: env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
sudoOption: secure_path = /sbin:/bin:/usr/sbin:/usr/bin
sudoOption: logfile = /var/log/sudo

ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f SUODers.ldif

6.3 Grant the demo account (800001) above sudo privileges

Here we configure an operations sudo role named sudo_ops_role, simply granting full sudo to root, and add 800001 to that role.

vi sudo_ops_role.ldif
dn: cn=sudo_ops_role,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
cn: sudo_ops_role
sudoOption: !authenticate
sudoRunAsUser: root
sudoCommand: ALL
sudoHost: ALL
sudoUser: 800001

ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f sudo_ops_role.ldif

6.4 Add the following configuration on the client

vi /etc/nsswitch.conf
# Append the following
sudoers:    files ldap

mv /etc/sudo-ldap.conf{,.bak}
vi /etc/sudo-ldap.conf
uri ldap://10.116.72.11/
base dc=example,dc=com
sudoers_base ou=SUDOers,dc=example,dc=com

Test:

# ssh 800001@10.116.72.15
800001@10.116.72.15's password:
Could not chdir to home directory /home/ldapusers: No such file or directory
-bash-4.2$ sudo su -
Last login: Wed Jul  3 15:09:21 CST 2019 from 10.116.71.200 on pts/0
[root@systerm-shylf-1 ~]#
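A sudoRole entry is easier to reason about as the sudoers line it stands for. The Python below is an added example, not code from the article or from sudo: it parses the sudo_ops_role.ldif entry above (plus a second, constructed role with a %ops group member, a single host and a negated command), renders each as a sudoers line, and answers "may user U on host H run command C?" with sudo's list semantics for sudoHost and sudoCommand (ALL is a wildcard, "!" negates, the last match wins). sudoUser is matched without negation, because sudo selects roles with an LDAP filter on sudoUser; netgroups, sudoOrder and command arguments are out of scope. The hostname systerm-shylf-1 is taken from the environment table.

```python
# The role from sudo_ops_role.ldif above, plus a second, constructed role with
# a group member, a single host and a negated command.
SUDO_ROLES_LDIF = """\
dn: cn=sudo_ops_role,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
cn: sudo_ops_role
sudoOption: !authenticate
sudoRunAsUser: root
sudoCommand: ALL
sudoHost: ALL
sudoUser: 800001

dn: cn=sudo_restart_role,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
cn: sudo_restart_role
sudoRunAsUser: root
sudoHost: systerm-shylf-1
sudoCommand: ALL
sudoCommand: !/bin/su
sudoUser: %ops
"""


def parse_ldif_entries(text: str) -> list:
    """Minimal LDIF reader: blank-line separated entries, every attribute kept as a
    list of values, continuation lines (leading space) joined to the previous value."""
    entries, current, last = [], {}, None
    for raw in text.splitlines() + [""]:
        if raw.startswith("#"):
            continue
        if raw == "":
            if current:
                entries.append(current)
            current, last = {}, None
            continue
        if raw.startswith(" ") and last:
            current[last][-1] += raw[1:]
            continue
        name, _, value = raw.partition(":")
        current.setdefault(name, []).append(value.strip())
        last = name
    return entries


def _matches(values, candidate) -> bool:
    """sudo list semantics for sudoHost/sudoCommand: ALL is a wildcard,
    a leading '!' negates, and the last matching element wins."""
    allowed = False
    for v in values:
        negate = v.startswith("!")
        pat = v[1:] if negate else v
        if pat == "ALL" or pat == candidate:
            allowed = not negate
    return allowed


def role_permits(role: dict, user: str, host: str, command: str, groups=()) -> bool:
    """Would sudo, reading this role from LDAP, let user@host run command?"""
    user_ok = any(u == "ALL" or u == user or (u.startswith("%") and u[1:] in groups)
                  for u in role.get("sudoUser", []))
    return (user_ok
            and _matches(role.get("sudoHost", []), host)
            and _matches(role.get("sudoCommand", []), command))


def needs_password(role: dict) -> bool:
    """False when the role carries sudoOption !authenticate (NOPASSWD in sudoers terms)."""
    return "!authenticate" not in role.get("sudoOption", [])


def sudo_role_to_sudoers(role: dict) -> str:
    """The equivalent /etc/sudoers line, to eyeball what a role actually grants."""
    users = ",".join(role["sudoUser"])
    hosts = ",".join(role["sudoHost"])
    runas = "(%s) " % ",".join(role["sudoRunAsUser"]) if "sudoRunAsUser" in role else ""
    tag = "" if needs_password(role) else "NOPASSWD: "
    return "%s %s=%s%s%s" % (users, hosts, runas, tag, ", ".join(role["sudoCommand"]))


if __name__ == "__main__":
    for role in parse_ldif_entries(SUDO_ROLES_LDIF):
        print(sudo_role_to_sudoers(role))
    ops = parse_ldif_entries(SUDO_ROLES_LDIF)[0]
    print(role_permits(ops, "800001", "systerm-shylf-1", "/bin/su -"))  # True
```

Rendered, sudo_ops_role reads "800001 ALL=(root) NOPASSWD: ALL", which makes explicit what the test at the end of 6.4 showed: any command, on any host, as root, with no password prompt. Reviewing roles in this form before they go into ou=SUDOers is a quick way to catch an overly broad sudoHost or a missing !command exception.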

7. phpLDAPadmin, the web-based OpenLDAP management tool

In this example it is installed on the OpenLDAP server itself; in practice it can be deployed on another server and accessed over the network. An nginx proxy can also be placed in front of it for high availability.

7.1 Install and configure phpLDAPadmin

# 1. Install packages
yum -y install epel-release
yum -y install httpd phpldapadmin
# After the yum install, the application files are in /usr/share/phpldapadmin/htdocs and the configuration file is /etc/phpldapadmin/config.php

# 2. phpLDAPadmin changes
vi /etc/phpldapadmin/config.php
$servers->newServer('ldap_pla');
$servers->setValue('server','name','LDAP Server');
$servers->setValue('server','host','127.0.0.1'); // change to the real address if needed; when deployed on the OpenLDAP host itself keep 127.0.0.1
$servers->setValue('server','port',389);
$servers->setValue('server','base',array('dc=example,dc=com'));
$servers->setValue('login','auth_type','cookie');
// Either comment out the uid login attribute ...
//$servers->setValue('login','attr','uid');
// ... or change it to dn
$servers->setValue('login','attr','dn');
$servers->setValue('login','bind_id','cn=Manager,dc=example,dc=com');
$servers->setValue('login','bind_pass','');
$servers->setValue('server','tls',false);

# 3. httpd changes
vi /etc/httpd/conf.d/phpldapadmin.conf
Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
Alias /ldapadmin /usr/share/phpldapadmin/htdocs

<Directory /usr/share/phpldapadmin/htdocs>
  <IfModule mod_authz_core.c>
    # Apache 2.4
    # Require local
    Require all granted
  </IfModule>
  <IfModule !mod_authz_core.c>
    # Apache 2.2
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1
    Allow from ::1
    # grant access as required
    Allow from 10.116
  </IfModule>
</Directory>

# 4. Start httpd
systemctl restart httpd

7.2 Using phpLDAPadmin

Note: if you get the following error

Forbidden
You don't have permission to access /ldapadmin/ on this server.

you can try modifying httpd.conf:
vi /etc/httpd/conf/httpd.conf
Change
<Directory />
    AllowOverride none
    Require all denied
</Directory>
to
<Directory />
Options Indexes FollowSymLinks
AllowOverride None
</Directory>

systemctl restart httpd

Dropping "Require all denied" from <Directory /> removes httpd's server-wide default deny, so check first that the "Require all granted" in phpldapadmin.conf above is actually in effect for the htdocs directory; that block alone is meant to grant the access.

7.3 Add a sudoRole template to phpLDAPadmin

A sudoRole template can be obtained from http://phpldapadmin.sourceforge.net/wiki/index.php/TemplatesContributed:Sudo and modified as needed.

# ll /usr/share/phpldapadmin/templates
total 8
drwxr-xr-x 2 root root 4096 Jul  4 15:32 creation
drwxr-xr-x 2 root root   69 Jul  4 15:31 modification
-rw-r--r-- 1 root root 2089 Oct  1  2012 template.dtd

vi /usr/share/phpldapadmin/templates/creation/sudo.xml
# Adjust as needed; my sudo OU is named SUDOers

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE template SYSTEM "template.dtd">
<template>
<title>Sudo Policy</title>
<regexp>^ou=SUDOers,dc=.*</regexp>
<icon>images/door.png</icon>
<description>New Sudo Policy</description>
<askcontainer>1</askcontainer>
<rdn>cn</rdn>
<visible>1</visible>

<objectClasses>
<objectClass id="sudoRole"></objectClass>
</objectClasses>

<attributes>
<attribute id="cn">
        <display>Policy Name</display>
        <order>1</order>
        <page>1</page>
</attribute>
<attribute id="sudoOption">
        <display>Sudo Option</display>
        <order>2</order>
        <page>1</page>
        <spacer>1</spacer>
</attribute>
<attribute id="sudoRunAsUser">
        <display>Sudo Run As User</display>
        <order>3</order>
        <page>1</page>
        <spacer>1</spacer>
</attribute>
<attribute id="sudoCommand">
        <display>Sudo Command</display>
        <order>4</order>
        <page>1</page>
        <spacer>1</spacer>
</attribute>
<attribute id="sudoUser">
        <display>Sudo Users</display>
        <option>=php.MultiList(/,(objectClass=posixAccount),uid,%uid% (%cn%),sudoUser)</option>
        <order>5</order>
        <page>1</page>
        <spacer>1</spacer>
</attribute>
<attribute id="sudoHost">
        <display>Sudo Hosts</display>
        <array>10</array>
        <order>6</order>
        <page>1</page>
        <spacer>1</spacer>
</attribute>
<attribute id="description">
        <type>textarea</type>
        <display>Description</display>
        <order>7</order>
        <page>1</page>
</attribute>
</attributes>
</template>

vi /usr/share/phpldapadmin/templates/modification/sudo.xml

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE template SYSTEM "template.dtd">
<template>
<title>Sudo Policy</title>
<regexp>^cn=.*,ou=SUDOers,dc=.*</regexp>
<icon>images/door.png</icon>
<description>Sudo Policy</description>
<askcontainer>1</askcontainer>
<rdn>cn</rdn>
<visible>1</visible>

<objectClasses>
<objectClass id="sudoRole"></objectClass>
</objectClasses>

<attributes>
<attribute id="cn">
        <display>Policy Name</display>
        <order>1</order>
        <page>1</page>
</attribute>
<attribute id="sudoOption">
        <display>Sudo Option</display>
        <order>2</order>
        <page>1</page>
        <spacer>1</spacer>
</attribute>
<attribute id="sudoRunAsUser">
        <display>Sudo Run As User</display>
        <order>3</order>
        <page>1</page>
        <spacer>1</spacer>
</attribute>
<attribute id="sudoCommand">
        <display>Sudo Command</display>
        <order>4</order>
        <page>1</page>
        <spacer>1</spacer>
</attribute>
<attribute id="sudoUser">
        <display>Sudo Users</display>
        <order>5</order>
        <page>1</page>
        <spacer>1</spacer>
</attribute>
<attribute id="sudoHost">
        <display>Sudo Hosts</display>
        <!-- <array>10</array> -->
        <order>6</order>
        <page>1</page>
        <spacer>1</spacer>
</attribute>
<attribute id="description">
        <type>textarea</type>
        <display>Description</display>
        <order>7</order>
        <page>1</page>
        <cols>200</cols>
        <rows>10</rows>
</attribute>
</attributes>
</template>

Restart httpd:

systemctl restart httpd

View in the browser: under ou=SUDOers,dc=example,dc=com, create a sudoRole child entry using the new template.

8. LdapAdmin, an OpenLDAP management tool for Windows

Download: LdapAdmin; the current latest version is 1.8.3. After downloading, unpack it; it is a single exe file.

8.1 Create a connection to the OpenLDAP service

8.2 Create an operations group ops and add user 800001 to it

That completes the configuration. It is fairly simple, though there is a great deal more to learn if you dig into everything. The purpose of this article is to use a single-node setup to show the features and configuration needed to use OpenLDAP as an authentication service; further scenarios will be added as they come up. Other articles will cover the high-availability modes (master-slave, multi-master, mirror mode, and so on).
