centos7.2 LDAP(TLS)+autofs+ssh

Before I start writing, best wishes to LeBron James.

There are plenty of articles online about deploying LDAP on CentOS 7.2; here is my own write-up.

Lab environment
OS: CentOS Linux release 7.2.1511 (Core)
Kernel: 3.10.0-327.el7.x86_64
Server IP: 192.168.10.16
Client IP: 192.168.10.17

Step 1
SELinux and firewalld (in this lab SELinux is Permissive and firewalld is stopped; on a production host you would keep both on and open only 389/636 for slapd plus the NFS ports)
[[email protected] opt]# getenforce
Permissive
[[email protected] opt]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)

Step 2
Install the packages on the server

[[email protected] openldap]# yum install -y openldap-servers openldap-clients openldap

If you accidentally delete LDAP's files you will find that yum stops working too, because the modules it depends on were removed. Fix: reinstall from the rpm, openldap-2.4.44-13.el7.x86_64.rpm (bringing LDAP back with rpm is one way out).

Step 3
Server configuration files
[[email protected] openldap]# pwd
/etc/openldap
[[email protected] openldap]# vim ldap.conf
# TLS_CACERTDIR matters: it is the directory the client library looks in for the CA certificate (this is the default path)
TLS_CACERTDIR   /etc/openldap/certs
# TLS_REQCERT allow: keep the connection even when the server certificate cannot be verified. Fine for the lab; in production use "demand" so an unverifiable certificate is rejected.
TLS_REQCERT allow

[[email protected] openldap]# slappasswd (generate the password hash)
New password:
Re-enter new password:
{SSHA}Yh7b45nHZmNHuk+3gg8mtIsuGiWzb3gA (write this hash string down)

[[email protected] openldap]# vim slapd.conf (note: this is slapd.conf, not the ldap.conf above)
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/pmi.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/misc.schema

allow bind_v2

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args
# The TLS files are easy to mix up; the CA section below labels each of them again.
# ca.crt: the CA's certificate (its public key)
TLSCACertificateFile /etc/openldap/certs/ca.crt
# slapd.crt: the server certificate issued by that CA
TLSCertificateFile /etc/openldap/certs/slapd.crt
# slapd.key: the server's own private key
TLSCertificateKeyFile /etc/openldap/certs/slapd.key

database config
# the config super user
rootdn "cn=admin,cn=config"
# paste the hash generated by slappasswd above
rootpw {SSHA}Yh7b45nHZmNHuk+3gg8mtIsuGiWzb3gA
access to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break

database monitor
access to * by dn.exact="cn=admin,cn=config" read by * none

[[email protected] openldap]# rm -rf slapd.d/*
[[email protected] openldap]# slaptest -f slapd.conf -F slapd.d/ (convert it into the cn=config format slapd reads; make sure the input here is slapd.conf)
config file testing succeeded
[[email protected] openldap]# chown ldap. -R slapd.d/ (fix ownership)
[[email protected] openldap]# cd slapd.d/
[[email protected] slapd.d]# ll
total 8
drwxr-x---. 3 ldap ldap 4096 Jun  1 07:50 cn=config
-rw-------. 1 ldap ldap 1272 Jun  1 07:50 cn=config.ldif

[[email protected] openldap]# grep TLS slapd.conf (generate the CA certificate the same way as for https earlier)
TLSCACertificateFile /etc/openldap/certs/ca.crt
TLSCertificateFile /etc/openldap/certs/slapd.crt
TLSCertificateKeyFile /etc/openldap/certs/slapd.key

For the CA procedure, the LDAP server now plays the role of the CA's client.

[[email protected] certs]# pwd
/etc/openldap/certs (this directory is the one set as TLS_CACERTDIR in ldap.conf earlier)
[[email protected] certs]# openssl genrsa 2048 > slapd.key (this is, of course, the slapd.key referenced above)
Generating RSA private key, 2048 bit long modulus
........................................................................................+++
............................................+++
e is 65537 (0x10001)
[[email protected] certs]# ls
cert8.db  key3.db  password  secmod.db  slapd.key
(Don't tighten the permissions to the minimum yet, or slapd may be unable to read the file; running /usr/sbin/slapd -d 256 in the foreground also shows such problems. Once the service starts, give the key to the ldap user and chmod 600 it, since it is the server's private key.)

[[email protected] keyes]# openssl req -new -key slapd.key -out siyao.csr  (create the certificate signing request)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN    (country)
State or Province Name (full name) []:shanghai  (province)
Locality Name (eg, city) [Default City]:shanghai   (city)
Organization Name (eg, company) [Default Company Ltd]:boke  (company)
Organizational Unit Name (eg, section) []:boke - cainiao  (department)
Common Name (eg, your name or your server's hostname) []:192.168.10.16  (the server to be secured; this must be the address clients connect to)
Email Address []:[email protected]  (e-mail)

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:     (leave this empty; a challenge password only gets in the way on the CA side when signing)
An optional company name []:  (skip this too)

[[email protected] certs]# ls
cert8.db  key3.db  password  secmod.db  siyao.csr (note: this is the signing request, not a public key)  slapd.key

Now the client machine acts as the CA server.
[[email protected] certs]# scp siyao.csr 192.168.10.17:/root/
[email protected]'s password:
siyao.csr                                                                                      100% 1009     1.0KB/s   00:00

[[email protected] ~]# openssl genrsa -des3 -out ca.key 4096  (generate the CA key pair, for self-signing)
Generating RSA private key, 4096 bit long modulus
............................++
.......................++
e is 65537 (0x10001)
Enter pass phrase for ca.key:                  (remember this passphrase; it is needed again when signing)
Verifying - Enter pass phrase for ca.key:
[[email protected] ~]# ls
anaconda-ks.cfg  ca.key  siyao.csr

[[email protected] ~]# openssl req -new -x509 -days 365 -key ca.key -out ca.crt  (self-sign the CA certificate)
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shanghai
Locality Name (eg, city) [Default City]:shanghai
Organization Name (eg, company) [Default Company Ltd]:NSA
Organizational Unit Name (eg, section) []:FBI
Common Name (eg, your name or your server's hostname) []:192.168.10.17 (your CA server)
Email Address []:
[[email protected] ~]# ls
anaconda-ks.cfg  ca.crt (this is our CA certificate; it is the ca.crt that LDAP expects)  ca.key  siyao.csr

[[email protected] ~]# openssl x509 -req -days 365 -in siyao.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out slapd.crt
Signature ok
subject=/C=cn/ST=shanghai/L=shanghai/O=boke/OU=cainiao/CN=192.168.10.16
Getting CA Private Key
Enter pass phrase for ca.key:
[[email protected] ~]# ls
anaconda-ks.cfg  ca.crt  ca.key  siyao.csr  slapd.crt (this is the server certificate, the slapd.crt that LDAP expects)

[[email protected] ~]# scp ca.crt slapd.crt 192.168.10.16:/etc/openldap/certs/ (copy both files over)
[email protected]'s password:
ca.crt                                                                                         100% 2013     2.0KB/s   00:00
slapd.crt                                                                                      100% 1545     1.5KB/s   00:00

CA work done; from here on it is the normal server and client.
On the server, .16:
[[email protected] certs]# ls
ca.crt (1)  cert8.db  key3.db  password  secmod.db  siyao.csr  slapd.crt (2)  slapd.key (3)
((1), (2) and (3) are the three TLS files defined above; do not mix them up)
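
The three files are easy to confuse, so here is an added check (my own example, not part of the original post): it verifies that slapd.crt was issued by ca.crt, that slapd.key is the key belonging to slapd.crt, and that the certificate's CN is the address clients connect to. make_lab_pki and the 192.168.10.16 lab PKI it generates are constructed for the demo; only openssl in PATH is assumed.

```shell
# Added example, not from the original post: check that the three files
# slapd.conf points at are the right ones (ca.crt = CA certificate, slapd.crt =
# server certificate issued by that CA, slapd.key = the server's private key)
# and that the certificate name matches what clients connect to. Assumes
# openssl in PATH; make_lab_pki recreates the post's CA steps with constructed
# data, non-interactively, so the checks can be exercised offline.
set -u

# check_slapd_tls CA CRT KEY HOST: exit 0 if consistent, 1 with a reason if not
check_slapd_tls() {
    ca=$1; crt=$2; key=$3; host=$4
    # 1. slapd.crt must chain to ca.crt (catches ca.crt and slapd.crt swapped)
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 ||
        { echo "$crt is not issued by $ca"; return 1; }
    # 2. slapd.key must belong to slapd.crt (catches a stale or wrong key)
    kmod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null)
    cmod=$(openssl x509 -noout -modulus -in "$crt" 2>/dev/null)
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ] ||
        { echo "$key does not match $crt"; return 1; }
    # 3. CN must be the name/IP clients use; TLS_REQCERT allow on the client
    #    hides this mismatch, TLS_REQCERT demand (the safe setting) rejects it
    openssl x509 -noout -subject -nameopt RFC2253 -in "$crt" | grep -Eq "CN=$host(,|$)" ||
        { echo "$crt CN is not $host"; return 1; }
    # 4. warn (but pass) if the certificate expires within 30 days
    openssl x509 -noout -checkend 2592000 -in "$crt" >/dev/null ||
        echo "warning: $crt expires within 30 days"
    return 0
}

# make_lab_pki DIR HOST: throwaway CA + server cert, mirroring the post's
# openssl commands (unencrypted CA key here, to run without prompts)
make_lab_pki() {
    d=$1; h=$2
    openssl genrsa -out "$d/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$d/ca.key" \
        -subj "/C=CN/O=lab/CN=lab-ca" -out "$d/ca.crt" 2>/dev/null
    openssl genrsa -out "$d/slapd.key" 2048 2>/dev/null
    openssl req -new -key "$d/slapd.key" -subj "/C=CN/O=lab/CN=$h" \
        -out "$d/slapd.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$d/slapd.csr" -CA "$d/ca.crt" \
        -CAkey "$d/ca.key" -set_serial 01 -out "$d/slapd.crt" 2>/dev/null
}

dir=$(mktemp -d); make_lab_pki "$dir" 192.168.10.16
check_slapd_tls "$dir/ca.crt" "$dir/slapd.crt" "$dir/slapd.key" 192.168.10.16 && echo "TLS files consistent"
# swapping ca.crt and slapd.crt, the mistake the post warns about, is caught:
check_slapd_tls "$dir/slapd.crt" "$dir/ca.crt" "$dir/slapd.key" 192.168.10.16
rm -rf "$dir"
```

On the real server run check_slapd_tls against /etc/openldap/certs/ca.crt, slapd.crt and slapd.key with the address you put in the CSR's Common Name, before systemctl start slapd.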

[[email protected] certs]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG.example (copy the BDB tuning file; note that slapd only reads it under the name /var/lib/ldap/DB_CONFIG, so copy it to that name)
[[email protected] certs]# chown ldap. /var/lib/ldap/DB_CONFIG.example (ownership)

[[email protected] certs]# vim /etc/sysconfig/slapd
SLAPD_URLS="ldapi:/// ldap:/// ldaps:///" (add ldaps:///)

[[email protected] certs]# systemctl start slapd (start the service; if you did not follow the steps above carefully, it fails here)
[[email protected] certs]# ps -ef|grep slapd
ldap       4413      1  0 22:07 ?        00:00:00 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:/// ldaps:///
root       4672   2597  0 22:24 pts/0    00:00:00 grep --color=auto slapd
[[email protected] certs]# netstat -luntp|grep slap
tcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN      4413/slapd
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      4413/slapd
tcp6       0      0 :::636                  :::*                    LISTEN      4413/slapd
tcp6       0      0 :::389                  :::*                    LISTEN      4413/slapd

Define the user database
[[email protected] certs]# mkdir /root/ldif
[[email protected] certs]# cd
[[email protected] ~]# cd ldif/
[[email protected] ldif]# ls
[[email protected] ldif]# vim bdb.ldif

dn: olcDatabase=bdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: {1}bdb
olcSuffix: dc=example,dc=org
olcDbDirectory: /var/lib/ldap
# the database's own root user
olcRootDN: cn=Manager,dc=example,dc=org
# its password; plaintext here for the lab, a slappasswd hash is the proper value
olcRootPW: 456
olcLimits: dn.exact="cn=Manager,dc=example,dc=org" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
olcDbIndex: uid pres,eq
olcDbIndex: cn,sn,displayName pres,eq,approx,sub
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: memberUid eq
olcDbIndex: objectClass eq
olcDbIndex: entryUUID pres,eq
olcDbIndex: entryCSN pres,eq
olcAccess: to attrs=userPassword by self write by anonymous auth by dn.children="ou=admins,dc=example,dc=org" write by * none
olcAccess: to * by self write by dn.children="ou=admins,dc=example,dc=org" write by * read

[[email protected] ldif]# ldapadd -x -D "cn=admin,cn=config" -w 123 -f ~/ldif/bdb.ldif -h localhost (add the entry, binding as the config super user with its password, 123)
adding new entry "olcDatabase=bdb,cn=config"

[[email protected] openldap]# cd slapd.d/
[[email protected] slapd.d]# ls
cn=config  cn=config.ldif
[[email protected] slapd.d]# cd cn\=config/
[[email protected] cn=config]# ls
cn=schema       olcDatabase={0}config.ldif     olcDatabase={1}monitor.ldif
cn=schema.ldif  olcDatabase={-1}frontend.ldif  olcDatabase={2}bdb.ldif (the bdb database file has now been generated)

ssh --> LDAP (experiment)
Turn our local system users into LDAP users
[[email protected] cn=config]# yum search migrationtools
[[email protected] cn=config]# yum install -y migrationtools.noarch (install the tool)

[[email protected] cn=config]# cd /usr/share/migrationtools/
[[email protected] migrationtools]# groupadd -g 100001 ldap1 (create local system users)
[[email protected] migrationtools]# mkdir /ldapuser
[[email protected] migrationtools]# useradd -u 100001 -g 100001 -d /ldapuser/ldap1 ldap1
[[email protected] migrationtools]# id ldap1
uid=100001(ldap1) gid=100001(ldap1) groups=100001(ldap1)

[[email protected] migrationtools]# groupadd -g 100002 ldap2 (as mentioned before, 65535 is only a limit on the count)
[[email protected] migrationtools]# useradd -u 100002 -g 100002 -d /ldapuser/ldap2 ldap2

[[email protected] migrationtools]# vim migrate_common.ph
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "example.org";   # this is the mail/DNS domain, not the hostname

# Default base
$DEFAULT_BASE = "dc=example,dc=org";

[[email protected] migrationtools]# ./migrate_base.pl > ~/ldif/base.ldif
[[email protected] migrationtools]# vim /root/ldif/base.ldif (keep just these three entries)
# the top-level domain entry
dn: dc=example,dc=org
dc: example
objectClass: top
objectClass: domain

# the People organizational unit
dn: ou=People,dc=example,dc=org
ou: People
objectClass: top
objectClass: organizationalUnit

# the Group organizational unit
dn: ou=Group,dc=example,dc=org
ou: Group
objectClass: top
objectClass: organizationalUnit

[[email protected] migrationtools]# cat -A /root/ldif/base.ldif (check the format for stray characters)
dn: dc=example,dc=org$
dc: example$
objectClass: top$
objectClass: domain$
$
dn: ou=People,dc=example,dc=org$
ou: People$
objectClass: top$
objectClass: organizationalUnit$
$
dn: ou=Group,dc=example,dc=org$
ou: Group$
objectClass: top$
objectClass: organizationalUnit$
$

[[email protected] migrationtools]# ldapadd -x -D "cn=Manager,dc=example,dc=org" -w 456 -f /root/ldif/base.ldif -h localhost (add the entries to the database; this time bind with the database's own root user and password)
adding new entry "dc=example,dc=org"

adding new entry "ou=People,dc=example,dc=org"

adding new entry "ou=Group,dc=example,dc=org"

[[email protected] certs]# passwd ldap1
[[email protected] certs]# passwd ldap2

[[email protected] migrationtools]# ./migrate_passwd.pl /etc/passwd > /root/ldif/user.ldif (generate entries for the users and groups)
[[email protected] migrationtools]# ./migrate_group.pl /etc/group > /root/ldif/group.ldif

[[email protected] migrationtools]# vim /root/ldif/user.ldif (keep only two, for the experiment; note the userPassword of {crypt}!! below: that is the locked placeholder from /etc/shadow, so these entries carry no usable password and the users cannot authenticate until a real password is set, either before migrating or afterwards with ldappasswd)

dn: uid=ldap1,ou=People,dc=example,dc=org
uid: ldap1
cn: ldap1
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}!!
shadowLastChange: 17683
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 100001
gidNumber: 100001
homeDirectory: /ldapuser/ldap1

dn: uid=ldap2,ou=People,dc=example,dc=org
uid: ldap2
cn: ldap2
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}!!
shadowLastChange: 17683
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 100002
gidNumber: 100002
homeDirectory: /ldapuser/ldap2
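
Before running ldapadd on a migrated user file, a quick sanity pass is worthwhile; this is an added example of mine, not part of the original post. It flags the locked {crypt}!! password seen above, duplicate uidNumbers and missing posixAccount attributes. The sample records inside are constructed (ldap1 as on the page, ldap2 deliberately broken), and the checker only handles LDIF without continuation lines.

```shell
# Added example, not from the original post: sanity-check a migrated user LDIF
# before feeding it to ldapadd. It flags the locked placeholder {crypt}!! (no
# password in /etc/shadow when migrate_passwd.pl ran, so the user can never
# authenticate), duplicate uidNumbers and missing posixAccount attributes.
set -u
# check_user_ldif FILE: prints one problem per line, exit status 1 if any found
check_user_ldif() {
    awk '
    function flush() {
        if (dn == "") return
        if (pw == "" || pw == "{crypt}!!" || pw == "{crypt}*")
            { print "locked or empty password: " dn; bad++ }
        if (uidn == "" || gidn == "" || home == "" || shell == "")
            { print "missing posixAccount attribute: " dn; bad++ }
        if (uidn != "" && uidn in seen)
            { print "duplicate uidNumber " uidn ": " dn; bad++ }
        else if (uidn != "") seen[uidn] = dn
        dn = ""; pw = ""; uidn = ""; gidn = ""; home = ""; shell = ""
    }
    /^#/               { next }
    /^dn: /            { flush(); dn = substr($0, 5); next }
    /^userPassword: /  { pw = substr($0, 15); next }
    /^uidNumber: /     { uidn = substr($0, 12); next }
    /^gidNumber: /     { gidn = substr($0, 12); next }
    /^homeDirectory: / { home = substr($0, 16); next }
    /^loginShell: /    { shell = substr($0, 13); next }
    /^$/               { flush() }
    END                { flush(); exit (bad > 0) }
    ' "$1"
}
# write_sample FILE: constructed records. ldap1 is the locked entry from the
# post; ldap2 reuses ldap1's uidNumber and lacks loginShell (3 problems in all)
write_sample() {
    cat > "$1" <<'EOF'
dn: uid=ldap1,ou=People,dc=example,dc=org
userPassword: {crypt}!!
uidNumber: 100001
gidNumber: 100001
homeDirectory: /ldapuser/ldap1
loginShell: /bin/bash

dn: uid=ldap2,ou=People,dc=example,dc=org
userPassword: {crypt}$6$constructedsalt$constructedhash
uidNumber: 100001
gidNumber: 100002
homeDirectory: /ldapuser/ldap2
EOF
}
f=$(mktemp); write_sample "$f"; check_user_ldif "$f"; rm -f "$f"
```

Run check_user_ldif /root/ldif/user.ldif on the server; a non-zero exit means at least one entry should be fixed before the ldapadd step.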

[[email protected] migrationtools]# vim /root/ldif/group.ldif (same treatment as the users)

[[email protected] migrationtools]# ldapadd -x -D "cn=Manager,dc=example,dc=org" -w 456 -f /root/ldif/group.ldif -h localhost
adding new entry "cn=ldap1,ou=Group,dc=example,dc=org"

adding new entry "cn=ldap2,ou=Group,dc=example,dc=org"

[[email protected] migrationtools]# ldapadd -x -D "cn=Manager,dc=example,dc=org" -w 456 -f /root/ldif/user.ldif -h localhost
adding new entry "uid=ldap1,ou=People,dc=example,dc=org"

adding new entry "uid=ldap2,ou=People,dc=example,dc=org"

[[email protected] conf.d]# cp /etc/openldap/certs/ca.crt /var/www/html/ (publish the CA certificate over HTTP)
[[email protected] html]# systemctl restart httpd

Finally, the client
[[email protected] ~]# vim /etc/hosts
192.168.10.16   ldap

[[email protected] html]# yum install -y openldap openldap-clients nss-pam-ldapd

[[email protected] html]# yum install -y authconfig.x86_64 authconfig-gtk.x86_64

[[email protected] openldap]# authconfig --enableldap --enableldapauth --ldapserver=ldap --ldapbasedn="dc=example,dc=org" --enableldaptls --ldaploadcacert=http://ldap/ca.crt --update
* (After the command above finishes, the ldap1 and ldap2 users should exist locally, but this time it did not work for me; on an earlier machine it did. Give it a try; I will look tonight at where it went wrong.)

[[email protected] openldap]# ssh [email protected] (login does not work here, because the previous command did not succeed)
[email protected]'s password:
Last login: Fri Jun  1 22:29:45 2018 from ldapfu
Could not chdir to home directory /ldapuser/ldap1: No such file or directory
-bash-4.2$ (home directory missing)

[[email protected] ~]# mkdir /ldapuser
[[email protected] ~]# yum install -y autofs

On the server:
[[email protected] ldapuser]# vim /etc/exports
/ldapuser 192.168.10.0/24(rw)

[[email protected] ldapuser]# systemctl start nfs (it fails to start; start rpcbind first)

Client
[[email protected] ~]# vim /etc/auto.master
# For details of the format look at auto.master(5).
# add this line:
/ldapuser       /etc/ldap.misc
#
/misc   /etc/auto.misc

[[email protected] ~]# cp /etc/auto.misc /etc/ldap.misc

[[email protected] ~]# vim /etc/ldap.misc
#removable      -fstype=ext2            :/dev/hdd
# add this line:
*               -fstype=nfs             192.168.10.16:/ldapuser/&

[[email protected] ~]# systemctl start autofs.service (then log in to the client as ldap1 again)

The client not picking up the LDAP users is something I will look at again tonight; suggestions from the experts are welcome.

Original article: http://blog.51cto.com/13293172/2123421

Time: 2024-10-09 23:59:21
