Tags: openldap sudo
When the number of machines grows into the hundreds or thousands, logging in to each one with its own password or key becomes painful. This post shows how to use OpenLDAP so that a single account can log in to any machine and application.
I. OpenLDAP installation and configuration
1. Install dependencies and software
yum install -y openldap openldap-servers openldap-clients openldap-devel
2. Configuration file setup
cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
cp /usr/share/doc/sudo-1.8.6p3/schema.OpenLDAP /etc/openldap/schema/sudo.schema
# Edit /etc/openldap/slapd.conf: find the line
include /etc/openldap/schema/core.schema
# and add below it
include /etc/openldap/schema/sudo.schema
# Find "database bdb" and change the following lines to
database bdb
suffix "dc=abc,dc=com"
checkpoint 1024 15
rootdn "cn=admin,dc=abc,dc=com"
rootpw admin
loglevel 1
# Explanation:
# database bdb: use Berkeley DB as the backend
# suffix "dc=abc,dc=com": the domain name is abc.com
# checkpoint 1024 15: flush the buffer to disk every 1 MB or every 15 minutes
# rootdn "cn=admin,dc=abc,dc=com": the administrator is admin
# rootpw admin: the administrator's password is admin
# loglevel 1: log level 1
# Log levels:
# Any (-1, 0xffffffff) // enable all debug information
# Trace (1, 0x1) // trace function calls
# Packets (2, 0x2) // debug information related to packet handling
# Args (4, 0x4) // full debug information
# Conns (8, 0x8) // connection management information
# BER (16, 0x10) // log packets sent and received
# Filter (32, 0x20) // log search filter processing
# Config (64, 0x40) // log configuration file processing
# ACL (128, 0x80) // log access control list processing
# Stats (256, 0x100) // log connections, operations and statistics
# Stats2 (512, 0x200) // log statistics about responses sent to clients
# Shell (1024, 0x400) // log communication with shell back-ends
# Parse (2048, 0x800) // log entry parsing results
# Sync (16384, 0x4000) // log resource consumption of data synchronization
# None (32768, 0x8000) // log nothing
# Append the following at the end of the file to allow users to change their own password:
access to attrs=shadowLastChange,userPassword
    by self write
    by * auth
access to *
    by * read
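Two things in the fragment above are easy to get wrong and worth checking mechanically: rootpw is accepted in cleartext (as here) or as a {SCHEME} hash produced by slappasswd, and OpenLDAP applies the first matching "access to" directive, so the userPassword rule must come before the catch-all "access to * by * read" or password hashes become world-readable. The following Python linter is an added example, not part of the original post; the SLAPD_CONF text is constructed from the page's own settings, and the loglevel names come from the table above.

```python
"""Lint a slapd.conf fragment (added example, not from the original post)."""
import re

# The page's loglevel table as (name, bit); Any (-1) and None (32768) handled separately.
LOGLEVELS = [("Trace", 1), ("Packets", 2), ("Args", 4), ("Conns", 8), ("BER", 16),
             ("Filter", 32), ("Config", 64), ("ACL", 128), ("Stats", 256),
             ("Stats2", 512), ("Shell", 1024), ("Parse", 2048), ("Sync", 16384)]

# Constructed fragment mirroring the settings the page tells you to put in slapd.conf.
SLAPD_CONF = """\
database bdb
suffix "dc=abc,dc=com"
checkpoint 1024 15
rootdn "cn=admin,dc=abc,dc=com"
rootpw admin
loglevel 1
access to attrs=shadowLastChange,userPassword
    by self write
    by * auth
access to *
    by * read
"""


def parse_directives(text):
    """Return [(keyword, rest)]; indented continuation lines are joined to the previous directive."""
    out = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and out:                     # continuation of an 'access' rule
            kw, rest = out[-1]
            out[-1] = (kw, rest + " " + line.strip())
            continue
        kw, _, rest = line.strip().partition(" ")
        out.append((kw.lower(), rest.strip()))
    return out


def decode_loglevel(value):
    """Translate a numeric loglevel into the category names from the page's table."""
    if value == -1:
        return ["Any"]
    if value == 32768:
        return ["None"]
    return [name for name, bit in LOGLEVELS if value & bit]


def lint(text):
    """Return a list of findings; an empty list means the fragment passed every check."""
    findings = []
    directives = parse_directives(text)
    for kw, rest in directives:
        if kw == "rootpw" and not re.match(r"\{[A-Za-z0-9-]+\}", rest):
            findings.append("rootpw is stored in cleartext; generate a {SSHA} hash with slappasswd and use that instead")
        if kw == "loglevel" and rest.lstrip("-").isdigit() and int(rest) == -1:
            findings.append("loglevel -1 (Any) dumps every debug category, including packet contents")
    # ACL ordering: OpenLDAP stops at the first 'access to' directive whose target matches.
    acls = [rest.lower() for kw, rest in directives if kw == "access"]
    pw_idx = next((i for i, a in enumerate(acls) if "userpassword" in a), None)
    all_idx = next((i for i, a in enumerate(acls) if a.startswith("to *")), None)
    if pw_idx is None and all_idx is not None:
        findings.append("no 'access to attrs=userPassword' rule: the catch-all exposes password hashes to every reader")
    elif pw_idx is not None and all_idx is not None and all_idx < pw_idx:
        findings.append("catch-all 'access to *' comes before the userPassword rule and shadows it (first match wins)")
    return findings


if __name__ == "__main__":
    for kw, rest in parse_directives(SLAPD_CONF):
        if kw == "loglevel":
            print("loglevel:", ", ".join(decode_loglevel(int(rest))))
    for finding in lint(SLAPD_CONF):
        print("finding:", finding)
```

Run as-is it reports exactly one finding, the cleartext rootpw; swapping the two access directives produces the shadowing finding, which is the mistake that silently undoes the "by * auth" protection.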
3. Configure OpenLDAP logging
echo "local4.* /var/log/sldap.log" >> /etc/rsyslog.conf
/etc/init.d/rsyslog restart
4. Initialize OpenLDAP
service slapd start
rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
chown -R ldap:ldap /etc/openldap/slapd.d/
service slapd restart
5. Check the service
netstat -ntlup |grep :389
II. Migrating users (migrate local users and groups into OpenLDAP)
1. Install the migration tools
yum install migrationtools -y
cd /usr/share/migrationtools/
ls
migrate_aliases.pl              migrate_all_offline.sh   migrate_group.pl             migrate_profile.pl
migrate_all_netinfo_offline.sh  migrate_all_online.sh    migrate_hosts.pl             migrate_protocols.pl
migrate_all_netinfo_online.sh   migrate_automount.pl     migrate_netgroup_byhost.pl   migrate_rpc.pl
migrate_all_nis_offline.sh      migrate_base.pl          migrate_netgroup_byuser.pl   migrate_services.pl
migrate_all_nis_online.sh       migrate_common.ph        migrate_netgroup.pl          migrate_slapd_conf.pl
migrate_all_nisplus_offline.sh  migrate_common.ph.ori    migrate_networks.pl
migrate_all_nisplus_online.sh   migrate_fstab.pl         migrate_passwd.pl
2. Configure the migration tools: edit lines 71 and 73 of migrate_common.ph
$DEFAULT_MAIL_DOMAIN = "abc.com";
# Default base
$DEFAULT_BASE = "dc=abc,dc=com";
3. Export users; here I export only user1
cd /usr/share/migrationtools/
grep 'user1' /etc/passwd > passwd.in
grep 'user1' /etc/group > group.in
./migrate_base.pl > /tmp/base.ldif
./migrate_passwd.pl passwd.in > /tmp/passwd.ldif
./migrate_group.pl group.in > /tmp/group.ldif
# This produces three LDIF files: /tmp/base.ldif, /tmp/passwd.ldif and /tmp/group.ldif
Import the data:
ldapadd -x -D "cn=admin,dc=abc,dc=com" -W -f /tmp/base.ldif
ldapadd -x -D "cn=admin,dc=abc,dc=com" -W -f /tmp/passwd.ldif
ldapadd -x -D "cn=admin,dc=abc,dc=com" -W -f /tmp/group.ldif
4. Import the sudo base entries
vim /tmp/sudo.ldif
dn: ou=SUDOers,dc=abc,dc=com
objectClass: top
objectClass: organizationalUnit
description: SUDO Configuration Subtree
ou: SUDOers

dn: cn=defaults,ou=SUDOers,dc=abc,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: visiblepw
sudoOption: always_set_home
sudoOption: env_reset

dn: cn=root,ou=SUDOers,dc=abc,dc=com
objectClass: top
objectClass: sudoRole
cn: root
sudoUser: root
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset

dn: cn=%wheel,ou=SUDOers,dc=abc,dc=com
objectClass: top
objectClass: sudoRole
cn: %wheel
sudoUser: %wheel
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOption: !authenticate
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset
sudoOption: requiretty

dn: cn=%confops,ou=SUDOers,dc=abc,dc=com
objectClass: top
objectClass: sudoRole
cn: %confops
sudoUser: %confops
sudoHost: ALL
sudoRunAsUser: ALL
sudoOption: !authenticate
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset
sudoCommand: ALL
sudoCommand: !/bin/passwd

dn: cn=%confdev,ou=SUDOers,dc=abc,dc=com
objectClass: top
objectClass: sudoRole
cn: %confdev
sudoUser: %confdev
sudoHost: ALL
sudoRunAsUser: ALL
sudoOption: !authenticate
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset
sudoCommand: /sbin/service
sudoCommand: !/bin/passwd
sudoCommand: /etc/init.d/tomcat
sudoCommand: /bin/kill
sudoCommand: /usr/bin/pkill
sudoCommand: /usr/bin/killall
sudoCommand: /etc/init.d/confservice
sudoCommand: /bin/su - app -s /bin/bash
sudoCommand: /bin/su - tomcat -s /bin/bash

dn: cn=%confqa,ou=SUDOers,dc=abc,dc=com
objectClass: top
objectClass: sudoRole
cn: %confqa
sudoUser: %confqa
sudoHost: ALL
sudoRunAsUser: ALL
sudoOption: !authenticate
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset
sudoCommand: /sbin/service
sudoCommand: !/bin/passwd
sudoCommand: /etc/init.d/confservice
sudoCommand: /bin/kill
sudoCommand: /usr/bin/pkill
sudoCommand: /usr/bin/killall
sudoCommand: /bin/su - app -s /bin/bash
sudoCommand: /bin/su - tomcat -s /bin/bash
sudoCommand: /etc/init.d/tomcat

dn: cn=zabbix,ou=SUDOers,dc=abc,dc=com
objectClass: top
objectClass: sudoRole
cn: zabbix
sudoHost: ALL
sudoUser: zabbix
sudoOption: !authenticate
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset
sudoRunAsUser: root
sudoCommand: !/bin/passwd
sudoCommand: /etc/init.d/tomcat
sudoCommand: /etc/init.d/confservice
sudoCommand: /usr/bin/nmap
sudoCommand: /usr/local/zabbix-ztc/bin/sudo-*

dn: cn=admin,ou=SUDOers,dc=abc,dc=com
objectClass: top
objectClass: sudoRole
cn: admin
sudoHost: ALL
sudoRunAsUser: ALL
sudoOption: !authenticate
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset
sudoCommand: ALL
sudoCommand: !/bin/passwd
sudoUser: admin

Import sudo.ldif
ldapadd -x -D "cn=admin,dc=abc,dc=com" -W -f /tmp/sudo.ldif
From the above you can see that the following entries are created:
SUDOers (OU)
%confdev (cn)
%confops (cn)
%confqa (cn)
%wheel (cn)
admin (cn)
defaults (cn)
root (cn)
zabbix (cn)
So you only need to create the group confdev and add users to it for them to receive the corresponding privileges; likewise the zabbix user gets the privileges defined for zabbix.
III. Client deployment
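To see what a user actually ends up with before importing such a file, here is a small Python audit of sudoRole entries like the ones in sudo.ldif above. It is an added example, not part of the original post: it parses LDIF, lists which roles apply to a user given its group memberships (the confdev/zabbix point just made), answers whether a specific command would be permitted, and flags roles that grant passwordless ALL. The embedded LDIF is an abridged copy of the page's entries. The evaluation rule that a negated sudoCommand overrides a positive one within the same role is an assumption modelled on the page's own "ALL" plus "!/bin/passwd" pattern, not a reimplementation of sudo's full matching logic.

```python
"""Audit sudoRole entries from an LDIF file (added example, not from the original post).
Assumed rule: within one role, a negated sudoCommand (!cmd) overrides a positive match."""
import fnmatch
from collections import defaultdict

# Abridged copy of the page's /tmp/sudo.ldif, embedded so the script runs offline.
SUDO_LDIF = """\
dn: cn=defaults,ou=SUDOers,dc=abc,dc=com
objectClass: sudoRole
cn: defaults
sudoOption: visiblepw

dn: cn=%wheel,ou=SUDOers,dc=abc,dc=com
objectClass: sudoRole
cn: %wheel
sudoUser: %wheel
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOption: !authenticate

dn: cn=%confdev,ou=SUDOers,dc=abc,dc=com
objectClass: sudoRole
cn: %confdev
sudoUser: %confdev
sudoHost: ALL
sudoRunAsUser: ALL
sudoOption: !authenticate
sudoCommand: /sbin/service
sudoCommand: !/bin/passwd
sudoCommand: /bin/su - app -s /bin/bash

dn: cn=admin,ou=SUDOers,dc=abc,dc=com
objectClass: sudoRole
cn: admin
sudoUser: admin
sudoHost: ALL
sudoRunAsUser: ALL
sudoOption: !authenticate
sudoCommand: ALL
sudoCommand: !/bin/passwd
"""


def parse_ldif(text):
    """One {attribute: [values]} dict per entry; folds ' '-continued lines, skips '#' comments."""
    entries, current, last = [], None, None
    for raw in text.splitlines() + [""]:          # trailing "" flushes the last entry
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and current is not None and last:
            current[last][-1] += raw[1:]          # LDIF folding: drop the leading space only
            continue
        if not raw.strip():
            if current:
                entries.append(dict(current))
            current, last = None, None
            continue
        attr, _, value = raw.partition(":")
        current = current if current is not None else defaultdict(list)
        last = attr.strip()
        current[last].append(value.strip())
    return entries


def sudo_roles(entries):
    return [e for e in entries if "sudoRole" in e.get("objectClass", [])]


def roles_for(entries, user, groups):
    """cn of every role whose sudoUser names the user directly or one of its groups as %group."""
    wanted = {user} | {"%" + g for g in groups}
    return [e["cn"][0] for e in sudo_roles(entries) if wanted & set(e.get("sudoUser", []))]


def allowed(entries, user, groups, command):
    """True if an applicable role lists `command` (ALL or glob match) and does not negate it."""
    applicable = set(roles_for(entries, user, groups))
    for e in sudo_roles(entries):
        if e["cn"][0] not in applicable:
            continue
        cmds = e.get("sudoCommand", [])
        if any(c.startswith("!") and fnmatch.fnmatch(command, c[1:]) for c in cmds):
            continue                              # explicitly denied in this role (assumed rule)
        if any(c == "ALL" or fnmatch.fnmatch(command, c) for c in cmds):
            return True
    return False


def audit(entries):
    """Map role cn -> findings worth a second look before running ldapadd."""
    findings = defaultdict(list)
    for e in sudo_roles(entries):
        cn, opts = e["cn"][0], e.get("sudoOption", [])
        if cn == "defaults" and "visiblepw" in opts:
            findings[cn].append("visiblepw: sudo prompts even when it cannot disable echo, so the password may be displayed")
        if "ALL" in e.get("sudoCommand", []) and "!authenticate" in opts and "ALL" in e.get("sudoRunAsUser", []):
            findings[cn].append("passwordless ALL as any user: an unprompted root shell for everyone matched by sudoUser")
    return dict(findings)


if __name__ == "__main__":
    for cn, notes in audit(parse_ldif(SUDO_LDIF)).items():
        print(cn, "->", "; ".join(notes))
```

With the page's entries this flags defaults (visiblepw), %wheel and admin; %confdev is not flagged because its commands are enumerated, which is the shape of role the page recommends handing out via group membership.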
CentOS 6
yum -y install openldap openldap-clients nss-pam-ldapd pam_ldap
echo "session required pam_mkhomedir.so skel=/etc/skel umask=0077" >> /etc/pam.d/system-auth
authconfig --savebackup=auth.bak
authconfig --enablemkhomedir --disableldaptls --enableldap --enableldapauth --ldapserver=ldap://192.168.10.242 --ldapbasedn="dc=abc,dc=com" --update
echo -e "uri ldap://192.168.10.242\nSudoers_base ou=SUDOers,dc=abc,dc=com" > /etc/sudo-ldap.conf
echo "Sudoers: files ldap" >> /etc/nsswitch.conf
CentOS 5
yum -y install openldap openldap-clients nss_ldap
echo "session required pam_mkhomedir.so skel=/etc/skel umask=0077" >> /etc/pam.d/system-auth
authconfig --savebackup=auth.bak
authconfig --enableldap --enableldapauth --enablemkhomedir --ldapserver=192.168.10.242 --ldapbasedn="dc=abc,dc=com" --update
echo "Sudoers_base ou=SUDOers,dc=abc,dc=com" >> /etc/ldap.conf
echo "Sudoers: files ldap" >> /etc/nsswitch.conf
This article is from the "楓林晚" blog; please keep this source link: http://fengwan.blog.51cto.com/508652/1846487
CentOS 6.8: implementing SSO with OpenLDAP and controlling sudo privileges