CentOS 6.8 OpenLDAP Enable SSO and control over sudo permissions

Tags: ldap, openldap, rsyslog

When you have hundreds or thousands of machines, having to log in to each one with its own password or key is painful. This post shows how to use OpenLDAP so that a single account can log in to any machine and application.


I. OpenLDAP installation and configuration

1. Install the dependencies and the software

yum install -y openldap openldap-servers openldap-clients openldap-devel

2. Configure slapd.conf

cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
cp /usr/share/doc/sudo-1.8.6p3/schema.OpenLDAP /etc/openldap/schema/sudo.schema

# Edit /etc/openldap/slapd.conf. Find the line
include         /etc/openldap/schema/core.schema
# and add below it
include         /etc/openldap/schema/sudo.schema

# Find "database bdb" and change the following lines to:
database        bdb
suffix          "dc=abc,dc=com"
checkpoint      1024 15
rootdn          "cn=admin,dc=abc,dc=com"
rootpw          admin
loglevel        1

# Explanation:
#   database   bdb                        use Berkeley DB as the backend
#   suffix     "dc=abc,dc=com"            the domain name is abc.com
#   checkpoint 1024 15                    flush the cache to disk every 1 MB or every 15 minutes
#   rootdn     "cn=admin,dc=abc,dc=com"   the administrator is admin
#   rootpw     admin                      the administrator's password is admin
#   loglevel   1                          the log level is 1
#
# Log levels:
#   any     (-1, 0xFFFFFFFF)   enable all debugging output
#   trace   (1, 0x1)           trace function calls
#   packets (2, 0x2)           debugging information on packet handling
#   args    (4, 0x4)           full debugging information
#   conns   (8, 0x8)           connection management information
#   BER     (16, 0x10)         packets sent and received
#   filter  (32, 0x20)         search filter processing
#   config  (64, 0x40)         configuration file processing
#   ACL     (128, 0x80)        access control list processing
#   stats   (256, 0x100)       connections, operations and statistics
#   stats2  (512, 0x200)       statistics on responses sent to clients
#   shell   (1024, 0x400)      communication with the shell backend
#   parse   (2048, 0x800)      entry parsing results
#   sync    (16384, 0x4000)    data synchronization resource consumption
#   none    (32768, 0x8000)    log nothing

# Add the following at the end of the file to allow users to change their own passwords:
access to attrs=shadowLastChange,userPassword
        by self write
        by * auth
access to *
        by * read

3. Configuring the OpenLDAP Log

echo "local4.* /var/log/sldap.log" >> /etc/rsyslog.conf
/etc/init.d/rsyslog restart

4. Initialize OpenLDAP

service slapd start
rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
chown -R ldap:ldap /etc/openldap/slapd.d/
service slapd restart

5. Check the service

netstat -ntlup | grep :389


II. Migrate users (migrate local users and groups to OpenLDAP)

1. Install the Migration Tool

yum install migrationtools -y
cd /usr/share/migrationtools/
ls
migrate_aliases.pl              migrate_all_offline.sh  migrate_group.pl            migrate_profile.pl
migrate_all_netinfo_offline.sh  migrate_all_online.sh   migrate_hosts.pl            migrate_protocols.pl
migrate_all_netinfo_online.sh   migrate_automount.pl    migrate_netgroup_byhost.pl  migrate_rpc.pl
migrate_all_nis_offline.sh      migrate_base.pl         migrate_netgroup_byuser.pl  migrate_services.pl
migrate_all_nis_online.sh       migrate_common.ph       migrate_netgroup.pl         migrate_slapd_conf.pl
migrate_all_nisplus_offline.sh  migrate_common.ph.ori   migrate_networks.pl
migrate_all_nisplus_online.sh   migrate_fstab.pl        migrate_passwd.pl

2. Configure the migration tool: modify lines 71 and 73 of migrate_common.ph

$DEFAULT_MAIL_DOMAIN = "abc.com";
# Default base
$DEFAULT_BASE = "dc=abc,dc=com";

3. Export users (only user1 is exported here)

cd /usr/share/migrationtools/
grep 'user1' /etc/passwd > passwd.in
grep 'user1' /etc/group > group.in
./migrate_base.pl > /tmp/base.ldif
./migrate_passwd.pl passwd.in > /tmp/passwd.ldif
./migrate_group.pl group.in > /tmp/group.ldif
# This generates three OpenLDAP data files: /tmp/base.ldif, /tmp/passwd.ldif and /tmp/group.ldif
# Import the data:
ldapadd -x -D "cn=admin,dc=abc,dc=com" -W -f /tmp/base.ldif
ldapadd -x -D "cn=admin,dc=abc,dc=com" -W -f /tmp/passwd.ldif
ldapadd -x -D "cn=admin,dc=abc,dc=com" -W -f /tmp/group.ldif
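To make clear what migrate_passwd.pl and migrate_group.pl actually put into passwd.ldif and group.ldif, here is an added Python example (not the article's code and not the migrationtools code) that performs the same conversion for a single user. It turns a passwd line, its shadow line and a group line into posixAccount/shadowAccount and posixGroup entries under ou=People and ou=Group of the article's base dc=abc,dc=com. The sample lines, the user user1 with UID/GID 500 and the placeholder password hash are constructed for the example; the attribute layout approximates the tools' output rather than reproducing it exactly.

```python
# Added example: a minimal re-implementation of what migrate_passwd.pl and
# migrate_group.pl do for a single user. Not the migrationtools code itself;
# the attribute layout approximates the tools' output.

# Base DN from the article's migrate_common.ph ($DEFAULT_BASE).
DEFAULT_BASE = "dc=abc,dc=com"

# Constructed sample input: the lines that `grep user1 /etc/passwd`,
# `grep user1 /etc/shadow` and `grep user1 /etc/group` would return.
# The hash is a placeholder, not a real password hash.
PASSWD_IN = "user1:x:500:500:User One,,,:/home/user1:/bin/bash"
SHADOW_IN = "user1:$6$saltsalt$HASHPLACEHOLDER:17400:0:99999:7:::"
GROUP_IN = "user1:x:500:"


def passwd_to_ldif(passwd_line, shadow_line=None, base=DEFAULT_BASE):
    """Build a posixAccount (plus shadowAccount when a shadow line is given)
    entry under ou=People,<base> from one /etc/passwd line."""
    name, _pw, uid, gid, gecos, home, shell = passwd_line.split(":")
    full_name = gecos.split(",")[0] or name   # cn is the GECOS full name, else the login
    entry = [
        f"dn: uid={name},ou=People,{base}",
        f"uid: {name}",
        f"cn: {full_name}",
        "objectClass: account",
        "objectClass: posixAccount",
        "objectClass: top",
    ]
    if shadow_line:
        # shadow fields: name:hash:lastchange:min:max:warn:inactive:expire:reserved
        s = shadow_line.split(":")
        entry.append("objectClass: shadowAccount")
        entry.append(f"userPassword: {{crypt}}{s[1]}")
        shadow_attrs = (("shadowLastChange", 2), ("shadowMin", 3), ("shadowMax", 4),
                        ("shadowWarning", 5), ("shadowInactive", 6), ("shadowExpire", 7))
        for attr, idx in shadow_attrs:
            if s[idx]:                            # empty shadow fields are simply omitted
                entry.append(f"{attr}: {s[idx]}")
    entry += [
        f"loginShell: {shell}",
        f"uidNumber: {uid}",
        f"gidNumber: {gid}",
        f"homeDirectory: {home}",
    ]
    return "\n".join(entry) + "\n"


def group_to_ldif(group_line, base=DEFAULT_BASE):
    """Build a posixGroup entry under ou=Group,<base> from one /etc/group line."""
    name, pw, gid, members = group_line.split(":")
    entry = [
        f"dn: cn={name},ou=Group,{base}",
        "objectClass: posixGroup",
        "objectClass: top",
        f"cn: {name}",
        f"userPassword: {{crypt}}{pw}",
        f"gidNumber: {gid}",
    ]
    # one memberUid per listed member; an empty member list yields none
    entry += [f"memberUid: {m}" for m in members.split(",") if m]
    return "\n".join(entry) + "\n"


if __name__ == "__main__":
    print(passwd_to_ldif(PASSWD_IN, SHADOW_IN))
    print(group_to_ldif(GROUP_IN))
```

The output of the two functions is what ldapadd consumes in the import step; the ou=People and ou=Group containers themselves come from base.ldif, which is why migrate_base.pl runs first.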

4. Import the sudo base data

vim /tmp/sudo.ldif

dn: ou=SUDOers,dc=abc,dc=com
objectClass: top
objectClass: organizationalUnit
description: SUDO configuration subtree
ou: SUDOers

dn: cn=defaults,ou=SUDOers,dc=abc,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: visiblepw
sudoOption: always_set_home
sudoOption: env_reset

dn: cn=root,ou=SUDOers,dc=abc,dc=com
objectClass: top
objectClass: sudoRole
cn: root
sudoUser: root
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset

dn: cn=%wheel,ou=SUDOers,dc=abc,dc=com
objectClass: top
objectClass: sudoRole
cn: %wheel
sudoUser: %wheel
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOption: !authenticate
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset
sudoOption: requiretty

dn: cn=%confops,ou=SUDOers,dc=abc,dc=com
objectClass: top
objectClass: sudoRole
cn: %confops
sudoUser: %confops
sudoHost: ALL
sudoRunAsUser: ALL
sudoOption: !authenticate
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset
sudoCommand: ALL
sudoCommand: !/bin/passwd

dn: cn=%confdev,ou=SUDOers,dc=abc,dc=com
objectClass: top
objectClass: sudoRole
cn: %confdev
sudoUser: %confdev
sudoHost: ALL
sudoRunAsUser: ALL
sudoOption: !authenticate
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset
sudoCommand: /sbin/service
sudoCommand: !/bin/passwd
sudoCommand: /etc/init.d/tomcat
sudoCommand: /bin/kill
sudoCommand: /usr/bin/pkill
sudoCommand: /usr/bin/killall
sudoCommand: /etc/init.d/confservice
sudoCommand: /bin/su - app -s /bin/bash
sudoCommand: /bin/su - tomcat -s /bin/bash

dn: cn=%confqa,ou=SUDOers,dc=abc,dc=com
objectClass: top
objectClass: sudoRole
cn: %confqa
sudoUser: %confqa
sudoHost: ALL
sudoRunAsUser: ALL
sudoOption: !authenticate
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset
sudoCommand: /sbin/service
sudoCommand: !/bin/passwd
sudoCommand: /etc/init.d/confservice
sudoCommand: /bin/kill
sudoCommand: /usr/bin/pkill
sudoCommand: /usr/bin/killall
sudoCommand: /bin/su - app -s /bin/bash
sudoCommand: /bin/su - tomcat -s /bin/bash
sudoCommand: /etc/init.d/tomcat

dn: cn=zabbix,ou=SUDOers,dc=abc,dc=com
objectClass: top
objectClass: sudoRole
cn: zabbix
sudoHost: ALL
sudoUser: zabbix
sudoOption: !authenticate
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset
sudoRunAsUser: root
sudoCommand: !/bin/passwd
sudoCommand: /etc/init.d/tomcat
sudoCommand: /etc/init.d/confservice
sudoCommand: /usr/bin/nmap
sudoCommand: /usr/local/zabbix-ztc/bin/sudo-*

dn: cn=admin,ou=SUDOers,dc=abc,dc=com
objectClass: top
objectClass: sudoRole
cn: admin
sudoHost: ALL
sudoRunAsUser: ALL
sudoOption: !authenticate
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset
sudoCommand: ALL
sudoCommand: !/bin/passwd
sudoUser: admin

Import sudo.ldif

ldapadd -x -D "cn=admin,dc=abc,dc=com" -W -f /tmp/sudo.ldif
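Once roles like these live in the directory, it is worth being able to review them the way you would review /etc/sudoers. The following Python is an added example (not the article's code, and independent of the sudo or OpenLDAP projects): a small LDIF reader that handles folded lines and base64 values, followed by an audit of every sudoRole that reports who the role applies to, what it allows, whether it skips authentication, whether it can run as root, and whether it relies on "!" exclusions under a sudoCommand of ALL, which sudoers(5) documents as not an effective restriction. The embedded sample is a constructed, abbreviated extract of the article's sudo.ldif with one value folded onto a second line to exercise the parser.

```python
import base64

# Constructed sample: an abbreviated extract of the article's sudo.ldif, with
# one value folded onto a continuation line to exercise the parser.
SAMPLE_LDIF = """\
dn: ou=SUDOers,dc=abc,dc=com
objectClass: top
objectClass: organizationalUnit
ou: SUDOers

dn: cn=%confops,ou=SUDOers,dc=abc,dc=com
objectClass: top
objectClass: sudoRole
cn: %confops
sudoUser: %confops
sudoHost: ALL
sudoRunAsUser: ALL
sudoOption: !authenticate
sudoCommand: ALL
sudoCommand: !/bin/passwd

dn: cn=%confqa,ou=SUDOers,dc=abc,dc=com
objectClass: top
objectClass: sudoRole
cn: %confqa
sudoUser: %confqa
sudoHost: ALL
sudoRunAsUser: ALL
sudoOption: !authenticate
sudoCommand: /sbin/service
sudoCommand: /bin/su - tomcat
  -s /bin/bash

dn: cn=root,ou=SUDOers,dc=abc,dc=com
objectClass: top
objectClass: sudoRole
cn: root
sudoUser: root
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
"""


def parse_ldif(text):
    """Return a list of entries, each mapping a lower-cased attribute name to
    its list of values. Handles folded lines and base64 ("attr::") values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:                  # the trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):              # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode()
        current.setdefault(name.strip().lower(), []).append(value.strip())
    return entries


def audit_sudo_roles(entries):
    """Summarise each sudoRole and flag the risky combinations."""
    report = {}
    for e in entries:
        if "sudorole" not in [c.lower() for c in e.get("objectclass", [])]:
            continue
        cmds = e.get("sudocommand", [])
        allow = [c for c in cmds if not c.startswith("!")]
        deny = [c for c in cmds if c.startswith("!")]
        findings = []
        if "ALL" in allow:
            findings.append("runs ALL commands")
            if deny:   # sudoers(5): excluding commands from ALL is not an effective restriction
                findings.append("'!' exclusions under ALL are not effective")
        if "!authenticate" in e.get("sudooption", []):
            findings.append("no password required")
        runas = e.get("sudorunasuser", [])
        if "ALL" in runas or "root" in runas:
            findings.append("may run as root")
        report[e["cn"][0]] = {"users": e.get("sudouser", []), "allow": allow,
                              "deny": deny, "findings": findings}
    return report


if __name__ == "__main__":
    for cn, info in audit_sudo_roles(parse_ldif(SAMPLE_LDIF)).items():
        print(f"{cn}: {', '.join(info['findings']) or 'no findings'}")
```

Run against the full sudo.ldif above, the audit flags %confops and admin (ALL plus a "!/bin/passwd" exclusion and no authentication) and %wheel, while the %confdev, %confqa and zabbix roles come out as explicit command lists. The same code works on the output of `ldapsearch -x -b ou=SUDOers,dc=abc,dc=com` once the entries are in the directory.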

The import above creates the following entries:

SUDOers (OU)
    %confdev (CN)
    %confops (CN)
    %confqa (CN)
    %wheel (CN)
    admin (CN)
    defaults (CN)
    root (CN)
    zabbix (CN)

[Image: 1.png]

So you only need to create the group confdev and add users to it for them to get the corresponding sudo permissions; likewise, the zabbix user gets the permissions of the zabbix role.



III. Client deployment

CentOS 6

yum -y install openldap openldap-clients nss-pam-ldapd pam_ldap
echo "session required pam_mkhomedir.so skel=/etc/skel umask=0077" >> /etc/pam.d/system-auth
authconfig --savebackup=auth.bak
authconfig --enablemkhomedir --disableldaptls --enableldap --enableldapauth --ldapserver=ldap://192.168.10.242 --ldapbasedn="dc=abc,dc=com" --update
echo -e "uri ldap://192.168.10.242\nsudoers_base ou=SUDOers,dc=abc,dc=com" > /etc/sudo-ldap.conf
echo "sudoers: files ldap" >> /etc/nsswitch.conf


CentOS 5

yum -y install openldap openldap-clients nss_ldap
echo "session required pam_mkhomedir.so skel=/etc/skel umask=0077" >> /etc/pam.d/system-auth
authconfig --savebackup=auth.bak
authconfig --enableldap --enableldapauth --enablemkhomedir --ldapserver=192.168.10.242 --ldapbasedn="dc=abc,dc=com" --update
echo "sudoers_base ou=SUDOers,dc=abc,dc=com" >> /etc/ldap.conf
echo "sudoers: files ldap" >> /etc/nsswitch.conf
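The client side is only two files, but both are easy to get subtly wrong, so here is an added Python check (not the article's code) that validates them on constructed copies of their contents: it confirms that sudoers lookups in nsswitch.conf consult files before ldap, that sudo-ldap.conf carries a uri and a sudoers_base under the article's suffix dc=abc,dc=com, and it flags a plain ldap:// uri without `ssl start_tls` (a documented sudoers.ldap option), since the CentOS 6 authconfig call above uses --disableldaptls and the bind then crosses the network unencrypted. The sample file contents are what the article's echo commands write.

```python
# Added example (not from the article): sanity-check the two client-side
# files the article edits, on constructed copies of their contents.

# Constructed sample contents: the relevant lines of /etc/nsswitch.conf and
# the /etc/sudo-ldap.conf that the article's echo commands produce.
NSSWITCH_SAMPLE = """\
passwd:     files ldap
shadow:     files ldap
group:      files ldap
sudoers:files ldap
"""
SUDO_LDAP_SAMPLE = """\
uri ldap://192.168.10.242
sudoers_base ou=SUDOers,dc=abc,dc=com
"""

EXPECTED_BASE = "dc=abc,dc=com"   # the directory suffix used throughout the article


def parse_nsswitch(text):
    """Map each nsswitch database to its ordered list of sources."""
    dbs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()     # drop comments
        if ":" in line:
            db, _, sources = line.partition(":")
            dbs[db.strip()] = sources.split()
    return dbs


def parse_keyvalue_conf(text):
    """Parse 'key value' lines (sudo-ldap.conf / ldap.conf style). Keys are
    case-insensitive; a repeated key keeps its last value."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            conf[key.lower()] = value.strip()
    return conf


def check_sudo_ldap_client(nsswitch_text, sudo_ldap_text, base=EXPECTED_BASE):
    """Return a list of problems found; an empty list means the client is
    configured the way the article intends, and with TLS."""
    problems = []
    sources = parse_nsswitch(nsswitch_text).get("sudoers", [])
    if "ldap" not in sources:
        problems.append("nsswitch.conf: sudoers does not include ldap")
    elif sources[0] != "files":
        problems.append("nsswitch.conf: local sudoers should be consulted before ldap")

    conf = parse_keyvalue_conf(sudo_ldap_text)
    uri = conf.get("uri", "")
    if not uri:
        problems.append("sudo-ldap.conf: no uri")
    elif uri.startswith("ldap://") and conf.get("ssl", "").lower() != "start_tls":
        # ldaps:// or "ssl start_tls" protects the bind; plain ldap:// does not
        problems.append("sudo-ldap.conf: plaintext ldap:// without TLS")
    if not conf.get("sudoers_base", "").lower().endswith(base.lower()):
        problems.append(f"sudo-ldap.conf: sudoers_base is not under {base}")
    return problems


if __name__ == "__main__":
    for p in check_sudo_ldap_client(NSSWITCH_SAMPLE, SUDO_LDAP_SAMPLE) or ["OK"]:
        print(p)
```

On the article's own configuration the only finding is the plaintext uri; on CentOS 5 the same checks apply to /etc/ldap.conf, which takes the same key/value form.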


This article is from the "Maple Night" blog; please keep this source when reposting: http://fengwan.blog.51cto.com/508652/1846487
