CentOS 7.2: LDAP (TLS) + autofs + SSH
阿新 • Published: 2018-06-02
Tags: LDAP, CentOS 7.2, autofs, TLS, SSH. Before I start writing, best wishes to LeBron James.
There are plenty of articles online about deploying LDAP on CentOS 7.2; here is my own write-up.
Lab environment
OS: CentOS Linux release 7.2.1511 (Core)
Kernel: 3.10.0-327.el7.x86_64
Server IP: 192.168.10.16
Client IP: 192.168.10.17
Step 1: SELinux and firewalld

[root@ldap opt]# getenforce
Permissive
[root@ldap opt]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)

Step 2: Install the packages on the server

[root@ldap openldap]# yum install -y openldap-servers openldap-clients openldap

If you accidentally delete the LDAP files, you will find that yum stops working too, because a module it depends on is gone. One way out is to reinstall openldap-2.4.44-13.el7.x86_64.rpm with rpm.

Step 3: Server configuration files

[root@ldap openldap]# pwd
/etc/openldap
[root@ldap openldap]# vim ldap.conf
# Important: the directory that holds your TLS files; this is the default location
TLS_CACERTDIR /etc/openldap/certs
# allow: the server certificate is requested, but the session continues even if none
# is presented or it fails verification (weaker than the default, demand)
TLS_REQCERT allow

[root@ldap openldap]# slappasswd   (generate a password hash)
New password:
Re-enter new password:
{SSHA}Yh7b45nHZmNHuk+3gg8mtIsuGiWzb3gA   (write this hash down)

[root@ldap openldap]# vim slapd.conf   (note: this is slapd.conf, not the ldap.conf above)
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/pmi.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/misc.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# The three TLS files are easy to confuse; the CA section below labels them again.
# ca.crt   = the CA certificate
# slapd.crt = the server certificate issued by the CA
# slapd.key = the server's private key, kept locally
TLSCACertificateFile /etc/openldap/certs/ca.crt
TLSCertificateFile /etc/openldap/certs/slapd.crt
TLSCertificateKeyFile /etc/openldap/certs/slapd.key
database config
# the config superuser; rootpw takes the hash generated above
rootdn "cn=admin,cn=config"
rootpw {SSHA}Yh7b45nHZmNHuk+3gg8mtIsuGiWzb3gA
access to *
        by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
        by * break
database monitor
access to *
        by dn.exact="cn=admin,cn=config" read
        by * none
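The slapd.conf above names three TLS files that, as the text warns, are easy to mix up. As an added check (not part of the original post), the script below verifies, once ca.crt, slapd.crt and slapd.key exist in /etc/openldap/certs, that they belong together before slapd is started: the certificate must chain to the CA, the key must match the certificate, the certificate must be currently valid, and the key must be readable without a passphrase (slapd cannot prompt for one). The paths are the page's; the function name is an assumption of this example, and it needs only the openssl CLI the page already uses.

```shell
#!/bin/sh
# Added example: check that the three TLS files named in slapd.conf belong together
# before starting slapd.  Usage: check_slapd_tls CA_CRT SERVER_CRT SERVER_KEY
# Exit status 0 when consistent, 1 with a reason otherwise.
check_slapd_tls() {
    ca="$1"; crt="$2"; key="$3"
    # 1. slapd.crt must be issued by ca.crt (TLSCertificateFile vs TLSCACertificateFile).
    #    Match on the "OK" text: old OpenSSL releases exit 0 even when verification fails.
    if ! openssl verify -CAfile "$ca" "$crt" 2>/dev/null | grep -q ': OK$'; then
        echo "FAIL: $crt does not verify against $ca (CA and server certificate swapped?)"
        return 1
    fi
    # 2. slapd.key must be readable without a passphrase; slapd cannot prompt for one.
    #    An empty -passin makes an encrypted key fail instead of blocking on a prompt.
    key_pub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null || true)
    if [ -z "$key_pub" ]; then
        echo "FAIL: cannot read $key (passphrase-protected, or not a private key)"
        return 1
    fi
    # 3. The public key embedded in slapd.crt must be the one derived from slapd.key.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null || true)
    if [ "$crt_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $crt"
        return 1
    fi
    # 4. The server certificate must be valid right now.
    if ! openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: $crt has expired"
        return 1
    fi
    # 5. Warn if the private key is world-readable. Once slapd starts cleanly,
    #    tighten it: chown ldap: slapd.key; chmod 600 slapd.key
    if [ -n "$(find "$key" -perm -004 2>/dev/null)" ]; then
        echo "WARN: $key is world-readable"
    fi
    echo "OK: $ca, $crt and $key are consistent"
    return 0
}

# Run against the paths used on this page when invoked with --run.
if [ "${1:-}" = "--run" ]; then
    check_slapd_tls /etc/openldap/certs/ca.crt /etc/openldap/certs/slapd.crt /etc/openldap/certs/slapd.key
fi
```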
[root@ldap openldap]# rm -rf slapd.d/*
[root@ldap openldap]# slaptest -f slapd.conf -F slapd.d/   (convert to the format slapd reads; make sure you pass slapd.conf here)
config file testing succeeded
[root@ldap openldap]# chown ldap. -R slapd.d/   (fix ownership)
[root@ldap openldap]# cd slapd.d/
[root@ldap slapd.d]# ll
total 8
drwxr-x---. 3 ldap ldap 4096 Jun  1 07:50 cn=config
-rw-------. 1 ldap ldap 1272 Jun  1 07:50 cn=config.ldif
[root@ldap openldap]# grep TLS slapd.conf   (the CA certificate is generated the same way as in the earlier HTTPS write-up)
TLSCACertificateFile /etc/openldap/certs/ca.crt
TLSCertificateFile /etc/openldap/certs/slapd.crt
TLSCertificateKeyFile /etc/openldap/certs/slapd.key

For the CA workflow, the LDAP server now plays the client role (it requests a certificate).

[root@ldap certs]# pwd
/etc/openldap/certs   (the directory set by TLS_CACERTDIR in ldap.conf above)
[root@ldap certs]# openssl genrsa 2048 > slapd.key   (this is the slapd.key named in slapd.conf)
Generating RSA private key, 2048 bit long modulus
........................................................................................+++
............................................+++
e is 65537 (0x10001)
[root@ldap certs]# ls
cert8.db  key3.db  password  secmod.db  slapd.key
(Do not restrict the permissions to the minimum yet, in case slapd cannot read the file; running /usr/sbin/slapd -d 256 in the foreground also shows such problems.)
[root@localhost keyes]# openssl req -new -key slapd.key -out siyao.csr   (create the certificate signing request)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN   (country)
State or Province Name (full name) []:shanghai   (province)
Locality Name (eg, city) [Default City]:shanghai   (city)
Organization Name (eg, company) [Default Company Ltd]:boke   (company)
Organizational Unit Name (eg, section) []:boke - cainiao   (department)
Common Name (eg, your name or your server's hostname) []:192.168.10.16   (the server to be secured)
Email Address []:[email protected]   (e-mail)

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:   (do not set a password here, or the CA will not be able to process the request later; this is a self-signed setup)
An optional company name []:   (skip this too)
[root@ldap certs]# ls
cert8.db  key3.db  password  secmod.db  siyao.csr  slapd.key   (siyao.csr is the signing request, not a public key)

Now the client machine acts as the CA server.

[root@ldap certs]# scp siyao.csr 192.168.10.17:/root/
[email protected]'s password:
siyao.csr                                     100% 1009     1.0KB/s   00:00
[root@localhost ~]# openssl genrsa -des3 -out ca.key 4096   (generate the CA key pair used for self-signing)
Generating RSA private key, 4096 bit long modulus
............................++
.......................++
e is 65537 (0x10001)
Enter pass phrase for ca.key:   (remember this passphrase; it is needed again when signing)
Verifying - Enter pass phrase for ca.key:
[root@localhost ~]# ls
anaconda-ks.cfg  ca.key  siyao.csr
[root@localhost ~]# openssl req -new -x509 -days 365 -key ca.key -out ca.crt   (self-sign the CA certificate)
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shanghai
Locality Name (eg, city) [Default City]:shanghai
Organization Name (eg, company) [Default Company Ltd]:NSA
Organizational Unit Name (eg, section) []:FBI
Common Name (eg, your name or your server's hostname) []:192.168.10.17   (your CA server)
Email Address []:
[root@localhost ~]# ls
anaconda-ks.cfg  ca.crt  ca.key  siyao.csr   (ca.crt is our CA certificate; it is the ca.crt that slapd reads)
[root@192 ~]# openssl x509 -req -days 365 -in siyao.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out slapd.crt
Signature ok
subject=/C=cn/ST=shanghai/L=shanghai/O=boke/OU=cainiao/CN=192.168.10.16
Getting CA Private Key
Enter pass phrase for ca.key:
[root@192 ~]# ls
anaconda-ks.cfg  ca.crt  ca.key  siyao.csr  slapd.crt   (slapd.crt is the signed certificate; it is the slapd.crt that slapd reads)
[root@192 ~]# scp ca.crt slapd.crt 192.168.10.16:/etc/openldap/certs/   (copy both files over)
[email protected]'s password:
ca.crt                                        100% 2013     2.0KB/s   00:00
slapd.crt                                     100% 1545     1.5KB/s   00:00

The CA work is done. From here on, the machines are back in their normal server and client roles.

On the server (.16):

[root@ldap certs]# ls
ca.crt (1)  cert8.db  key3.db  password  secmod.db  siyao.csr  slapd.crt (2)  slapd.key (3)
((1), (2) and (3) are the three TLS files defined in slapd.conf above; do not mix them up.)
[root@ldap certs]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG   (copy the database cache configuration; the target must be named DB_CONFIG, or the BDB backend ignores it)
[root@ldap certs]# chown ldap. /var/lib/ldap/DB_CONFIG   (fix ownership)
[root@ldap certs]# vim /etc/sysconfig/slapd
SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"   (add ldaps:///)
[root@ldap certs]# systemctl start slapd   (start the service; if you skipped something above, this is where it fails)
[root@ldap certs]# ps -ef|grep slapd
ldap   4413     1  0 22:07 ?        00:00:00 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:/// ldaps:///
root   4672  2597  0 22:24 pts/0    00:00:00 grep --color=auto slapd
[root@ldap certs]# netstat -luntp|grep slap
tcp   0  0 0.0.0.0:636   0.0.0.0:*   LISTEN   4413/slapd
tcp   0  0 0.0.0.0:389   0.0.0.0:*   LISTEN   4413/slapd
tcp6  0  0 :::636        :::*        LISTEN   4413/slapd
tcp6  0  0 :::389        :::*        LISTEN   4413/slapd

Defining the user database

[root@ldap certs]# mkdir /root/ldif
[root@ldap certs]# cd
[root@ldap ~]# cd ldif/
[root@ldap ldif]# ls
[root@ldap ldif]# vim bdb.ldif
(olcDatabase is the backend, olcRootDN the database administrator and olcRootPW its password; olcRootPW also accepts a slappasswd hash instead of the plaintext 456 used here.)
dn: olcDatabase=bdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: {1}bdb
olcSuffix: dc=example,dc=org
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=Manager,dc=example,dc=org
olcRootPW: 456
olcLimits: dn.exact="cn=Manager,dc=example,dc=org" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
olcDbIndex: uid pres,eq
olcDbIndex: cn,sn,displayName pres,eq,approx,sub
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: memberUid eq
olcDbIndex: objectClass eq
olcDbIndex: entryUUID pres,eq
olcDbIndex: entryCSN pres,eq
olcAccess: to attrs=userPassword by self write by anonymous auth by dn.children="ou=admins,dc=example,dc=org" write by * none
olcAccess: to * by self write by dn.children="ou=admins,dc=example,dc=org" write by * read
[root@ldap ldif]# ldapadd -x -D "cn=admin,cn=config" -w 123 -f ~/ldif/bdb.ldif -h localhost   (add the entry, binding as the config superuser with its password 123)
adding new entry "olcDatabase=bdb,cn=config"
[root@ldap openldap]# cd slapd.d/
[root@ldap slapd.d]# ls
cn=config  cn=config.ldif
[root@ldap slapd.d]# cd cn\=config/
[root@ldap cn=config]# ls
cn=schema       olcDatabase={0}config.ldif     olcDatabase={1}monitor.ldif
cn=schema.ldif  olcDatabase={-1}frontend.ldif  olcDatabase={2}bdb.ldif
(the bdb database file has been generated)

SSH -> LDAP (experiment): turning our system users into LDAP users

[root@ldap cn=config]# yum search migrationtools
[root@ldap cn=config]# yum install -y migrationtools.noarch   (install the migration tools)
[root@ldap cn=config]# cd /usr/share/migrationtools/
[root@ldap migrationtools]# groupadd -g 100001 ldap1   (create the system users and groups)
[root@ldap migrationtools]# mkdir /ldapuser
[root@ldap migrationtools]# useradd -u 100001 -g 100001 -d /ldapuser/ldap1 ldap1
[root@ldap migrationtools]# id ldap1
uid=100001(ldap1) gid=100001(ldap1) groups=100001(ldap1)
[root@ldap migrationtools]# groupadd -g 100002 ldap2   (as mentioned before, 65535 only limits the count)
[root@ldap migrationtools]# useradd -u 100002 -g 100002 -d /ldapuser/ldap2 ldap2
[root@ldap migrationtools]# vim migrate_common.ph
# Default DNS domain (this is the mail domain, not the hostname)
$DEFAULT_MAIL_DOMAIN = "example.org";
# Default base
$DEFAULT_BASE = "dc=example,dc=org";
[root@ldap migrationtools]# ./migrate_base.pl > ~/ldif/base.ldif
[root@ldap migrationtools]# vim /root/ldif/base.ldif   (keep only these three entries: the top-level suffix and the People and Group organizational units)
dn: dc=example,dc=org
dc: example
objectClass: top
objectClass: domain

dn: ou=People,dc=example,dc=org
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=example,dc=org
ou: Group
objectClass: top
objectClass: organizationalUnit
[root@ldap migrationtools]# cat -A /root/ldif/base.ldif   (check the formatting: no trailing spaces, a blank line between entries)
dn: dc=example,dc=org$
dc: example$
objectClass: top$
objectClass: domain$
$
dn: ou=People,dc=example,dc=org$
ou: People$
objectClass: top$
objectClass: organizationalUnit$
$
dn: ou=Group,dc=example,dc=org$
ou: Group$
objectClass: top$
objectClass: organizationalUnit$
$
[root@ldap migrationtools]# ldapadd -x -D "cn=Manager,dc=example,dc=org" -w 456 -f /root/ldif/base.ldif -h localhost   (load the entries into the database; this time bind with the database's own rootdn and password)
adding new entry "dc=example,dc=org"
adding new entry "ou=People,dc=example,dc=org"
adding new entry "ou=Group,dc=example,dc=org"
[root@ldap certs]# passwd ldap1
[root@ldap certs]# passwd ldap2
[root@ldap migrationtools]# ./migrate_passwd.pl /etc/passwd > /root/ldif/user.ldif   (generate the user and group entries)
[root@ldap migrationtools]# ./migrate_group.pl /etc/group > /root/ldif/group.ldif
[root@ldap migrationtools]# vim /root/ldif/user.ldif   (keep only the two test users)
dn: uid=ldap1,ou=People,dc=example,dc=org
uid: ldap1
cn: ldap1
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}!!
shadowLastChange: 17683
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 100001
gidNumber: 100001
homeDirectory: /ldapuser/ldap1

dn: uid=ldap2,ou=People,dc=example,dc=org
uid: ldap2
cn: ldap2
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}!!
shadowLastChange: 17683
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 100002
gidNumber: 100002
homeDirectory: /ldapuser/ldap2
[root@ldap migrationtools]# vim /root/ldif/group.ldif   (same as for the users: keep only the two groups)
[root@ldap migrationtools]# ldapadd -x -D "cn=Manager,dc=example,dc=org" -w 456 -f /root/ldif/group.ldif -h localhost
adding new entry "cn=ldap1,ou=Group,dc=example,dc=org"
adding new entry "cn=ldap2,ou=Group,dc=example,dc=org"
[root@ldap migrationtools]# ldapadd -x -D "cn=Manager,dc=example,dc=org" -w 456 -f /root/ldif/user.ldif -h localhost
adding new entry "uid=ldap1,ou=People,dc=example,dc=org"
adding new entry "uid=ldap2,ou=People,dc=example,dc=org"
[root@ldap conf.d]# cp /etc/openldap/certs/ca.crt /var/www/html/   (publish the CA certificate over HTTP)
[root@ldap html]# systemctl restart httpd

Finally, the client

[root@192 ~]# vim /etc/hosts
192.168.10.16 ldap
[root@192 html]# yum install -y openldap openldap-clients nss-pam-ldapd
[root@192 html]# yum install -y authconfig.x86_64 authconfig-gtk.x86_64
[root@192 openldap]# authconfig --enableldap --enableldapauth --ldapserver=ldap --ldapbasedn="dc=example,dc=org" --enableldaptls --ldaploadcacert=http://ldap/ca.crt --update
(After this command the client should see the ldap1 and ldap2 users. This time it did not work for me, although it did on a previous machine; try it yourselves, and I will look again tonight at what went wrong.)
[root@192 openldap]# ssh [email protected]   (this login cannot work here, because the previous command did not succeed)
[email protected]'s password:
Last login: Fri Jun  1 22:29:45 2018 from ldapfu
Could not chdir to home directory /ldapuser/ldap1: No such file or directory
-bash-4.2$   (the home directory is missing)
[root@192 ~]# mkdir /ldapuser
[root@192 ~]# yum install -y autofs

On the server:

[root@ldap ldapuser]# vim /etc/exports
/ldapuser 192.168.10.0/24(rw)
[root@ldap ldapuser]# systemctl start nfs   (if it does not start, start rpcbind first)

On the client:

[root@192 ~]# vim /etc/auto.master
# For details of the format look at auto.master(5).
/ldapuser /etc/ldap.misc   (add this line)
# /misc /etc/auto.misc
[root@192 ~]# cp /etc/auto.misc /etc/ldap.misc
[root@192 ~]# vim /etc/ldap.misc
#removable -fstype=ext2 :/dev/hdd
* -fstype=nfs 192.168.10.16:/ldapuser/&   (add this line)
[root@192 ~]# systemctl start autofs.service   (then log in to the client as ldap1 again)
The client not picking up the LDAP users is something I will look into again tonight; suggestions from the experts are welcome.