OpenLDAP Restricting User Login hosts

Tags ldap openldap

Once OpenLDAP is used for centralized authentication, you will find that every user in the directory can log on to every server that authenticates against it, which is quite dangerous. A common answer is to use a group to control which users may access a given server.

1. First create the corresponding group on the OpenLDAP server

I created a group named opsgroup under the ou=group OU, with gidNumber 23794.


2. Create a user, or change the primary group of an existing account

Note that the user's primary group here is opsgroup (the user entry's gidNumber is 23794).



3. Create a second user, User2, whose primary group is not opsgroup; it should end up unable to log on to the server, for comparison.



4. Test before adding the filter

At this point both User1 and User2 can log in to the client.


5. Add the filter on the client. My client is CentOS 6.8 (nss-pam-ldapd); on CentOS 5.x with nss_ldap the setting goes into /etc/ldap.conf as an nss_base_passwd line instead, see the script in step 6. On CentOS 6, add a filter for the passwd map to nslcd and restart it:

echo "filter passwd (gidNumber=23794)" >> /etc/nslcd.conf
/etc/init.d/nslcd restart

With this filter, only accounts whose gidNumber is 23794 are returned by the passwd map, so only opsgroup users are known to this host and can log in.

Note: the filter matches the gidNumber attribute of the user entry, i.e. the user's primary group. A user who is only listed as a memberUid of opsgroup but has another primary group does not match and cannot log in. Two further points worth knowing: this is a client-side NSS filter, so a filtered-out user is simply unknown to the host (getent passwd returns nothing) and login fails before any password check; it changes nothing on the LDAP server and anyone with root on the client can remove it. Restricting by real group membership rather than primary group needs a different mechanism (newer nss-pam-ldapd releases offer pam_authz_search in nslcd.conf for that).


In the test, User1 logs in normally, while User2, whose primary group is not opsgroup, is refused. Login to this host is thus controlled through the group.
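Appending to nslcd.conf with ">>" every time the filter changes leaves several "filter passwd" lines in the file. As an added example (not code from the original post or from nss-pam-ldapd), the following bash functions build the passwd filter for one or more GIDs and write it into a config file idempotently, replacing any earlier "filter passwd" line instead of adding a second one. The config path is a parameter so the functions can be tried on a copy before touching /etc/nslcd.conf; the function names and the sample file contents are my own.

```bash
#!/bin/bash
# Added example: build and idempotently install an nslcd "filter passwd" line.
# Function names are illustrative; nothing here is nss-pam-ldapd's own tooling.
set -u

# build_passwd_filter GID [GID...] -> prints the LDAP filter:
#   (gidNumber=23794)                          for one GID
#   (|(gidNumber=23794)(gidNumber=23800))      for several GIDs
# Rejects anything that is not a plain decimal GID.
build_passwd_filter() {
    [ $# -ge 1 ] || { echo "usage: build_passwd_filter GID..." >&2; return 1; }
    local gid f=""
    for gid in "$@"; do
        case "$gid" in
            ''|*[!0-9]*) echo "not a numeric GID: $gid" >&2; return 1 ;;
        esac
        f="$f(gidNumber=$gid)"
    done
    if [ $# -eq 1 ]; then printf '%s\n' "$f"; else printf '(|%s)\n' "$f"; fi
}

# set_passwd_filter CONF FILTER: keep a dated backup of CONF, drop any existing
# "filter passwd" line, append the new one, and print the line that is now active.
set_passwd_filter() {
    local conf="$1" filter="$2" tmp
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    cp -p "$conf" "$conf.$(date +%Y%m%d%H%M%S)"
    tmp=$(mktemp) || return 1
    grep -v -E '^[[:space:]]*filter[[:space:]]+passwd[[:space:]]' "$conf" > "$tmp" || :
    printf 'filter passwd %s\n' "$filter" >> "$tmp"
    cat "$tmp" > "$conf" && rm -f "$tmp"   # overwrite in place: keeps owner/mode of CONF
    grep -E '^[[:space:]]*filter[[:space:]]+passwd[[:space:]]' "$conf"
}

# count_passwd_filter_lines CONF -> number of "filter passwd" lines (should be 1)
count_passwd_filter_lines() {
    grep -c -E '^[[:space:]]*filter[[:space:]]+passwd[[:space:]]' "$1" || :
}

# Usage on a CentOS 6 client (not run here):
#   set_passwd_filter /etc/nslcd.conf "$(build_passwd_filter 23794)"
#   service nslcd restart
#   getent passwd user1   # resolves: primary GID 23794
#   getent passwd user2   # prints nothing: filtered out of the passwd map
```

After restarting nslcd, getent passwd for a user outside the allowed group(s) should print nothing; that, rather than a failed ssh attempt, is the quickest check that the filter is in effect.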


6. A script that automates the configuration

The script looks up the gidNumber of each named group, builds the filter and appends it to the right file for the client's OS (nslcd.conf on CentOS 6, ldap.conf on CentOS 5):

#!/bin/bash
# Restrict LDAP logins on this client to one or more groups (by gidNumber).
# Usage: ./ldap-group-filter.sh opsgroup            (one group)
#        ./ldap-group-filter.sh opsgroup,devgroup   (several groups)

# Print the gidNumber of a group given its cn (empty if the group is not found).
function get_gid() {
    ldapsearch -x -LLL -s base -b "cn=$1,ou=group,dc=vxuepin,dc=com" "(objectClass=*)" gidNumber 2>/dev/null \
        | grep -i "^gidNumber:" | awk '{print $2}'
}

# CentOS 5 (nss_ldap): add an nss_base_passwd line carrying the filter to /etc/ldap.conf
function filter_on_centos5() {
    # samples:
    #nss_base_passwd    dc=vxuepin,dc=com?sub?gidNumber=1000
    #nss_base_passwd    dc=vxuepin,dc=com?sub?|(gidNumber=1000)(gidNumber=1003)
    cp /etc/ldap.conf /etc/ldap.conf.$(date +%Y%m%d)
    local groups="$1"
    echo "***** getting filter *****"
    n=$(echo "$groups" | awk -F',' '{print NF}')
    if [ "$n" -eq 1 ]; then
        gid=$(get_gid "$groups")
        [ -z "$gid" ] && { echo "Can't find group $groups"; exit 3; }
        filter="gidNumber=$gid"
    else
        filter="|"
        for group in $(echo "$groups" | sed 's/,/ /g'); do
            gid=$(get_gid "$group")
            [ -z "$gid" ] && { echo "Can't find group $group"; exit 3; }
            filter="$filter(gidNumber=$gid)"
        done
    fi
    filter="nss_base_passwd dc=vxuepin,dc=com?sub?$filter"
    echo "$filter"
    echo "***** config ldap.conf *****"
    echo "$filter" >> /etc/ldap.conf
}

# CentOS 6 (nss-pam-ldapd): add a "filter passwd" line to /etc/nslcd.conf and restart nslcd
function filter_on_centos6() {
    # samples:
    #filter passwd (gidNumber=1000)
    #filter passwd (|(gidNumber=1000)(gidNumber=1003))
    cp /etc/nslcd.conf /etc/nslcd.conf.$(date +%Y%m%d)
    local groups="$1"
    echo "***** getting filter *****"
    n=$(echo "$groups" | awk -F',' '{print NF}')
    if [ "$n" -eq 1 ]; then
        gid=$(get_gid "$groups")
        [ -z "$gid" ] && { echo "Can't find group $groups"; exit 3; }
        filter="(gidNumber=$gid)"
    else
        filter="(|"
        for group in $(echo "$groups" | sed 's/,/ /g'); do
            gid=$(get_gid "$group")
            [ -z "$gid" ] && { echo "Can't find group $group"; exit 3; }
            filter="$filter(gidNumber=$gid)"
        done
        filter="$filter)"
    fi
    filter="filter passwd $filter"
    echo "$filter"
    echo "***** restart nslcd *****"
    echo "$filter" >> /etc/nslcd.conf
    service nslcd restart
}

if [ -z "$1" ]; then
    echo "Please input groupname"; exit 1
fi

# Pick the config style from the kernel release string (el5 / el6).
if [ "$(uname -r | grep -c el6)" -eq 1 ]; then
    filter_on_centos6 "$1"
elif [ "$(uname -r | grep -c el5)" -eq 1 ]; then
    filter_on_centos5 "$1"
else
    echo "os unsupport!"
fi

The script above is adapted, with minor changes, from http://opjasee.com/2016/01/24/openldap-group-filter.html



This article is from the "Maple Night" blog; please keep this source: http://fengwan.blog.51cto.com/508652/1846879

