
08 - OpenLDAP host access control policy


OpenLDAP host access control policy


  1. References
  2. Environment
  3. OpenLDAP server configuration
  4. OpenLDAP client configuration
  5. Client login test
  6. Troubleshooting

1. References

This article is largely reposted from the blog post "openldap host access control (hostname-based)".

The same blogger has another article, not yet tested here: "openldap host access control (IP-based)".

2. Environment

Because the attributes used in this article do not conflict with those in the other articles, the environment built in the earlier ones can be reused for this experiment.

3. OpenLDAP server configuration

  1. Import the ldapns.schema, which defines the hostObject object class and its host attribute

    https://github.com/openldap/openldap/blob/master/contrib/slapd-modules/nssov/ldapns.schema

    # The delimiter is quoted so the shell does not expand the $OpenLDAP$ / $Id$ tags in the comments
    cat > /etc/openldap/schema/ldapns.schema << '_EOF_'
    # $OpenLDAP$
    # $Id: ldapns.schema,v 1.3 2009-10-01 19:17:20 tedcheng Exp $
    # LDAP Name Service Additional Schema
    # http://www.iana.org/assignments/gssapi-service-names
    
    #
    # Not part of the distribution: this is a workaround!
    #
    
    attributetype ( 1.3.6.1.4.1.5322.17.2.1 NAME 'authorizedService'
            DESC 'IANA GSS-API authorized service name'
            EQUALITY caseIgnoreMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
    
    attributetype ( 1.3.6.1.4.1.5322.17.2.2 NAME 'loginStatus'
            DESC 'Currently logged in sessions for a user'
            EQUALITY caseIgnoreMatch
            SUBSTR caseIgnoreSubstringsMatch
            ORDERING caseIgnoreOrderingMatch
            SYNTAX OMsDirectoryString )
    
    objectclass ( 1.3.6.1.4.1.5322.17.1.1 NAME 'authorizedServiceObject'
            DESC 'Auxiliary object class for adding authorizedService attribute'
            SUP top
            AUXILIARY
            MAY authorizedService )
    
    objectclass ( 1.3.6.1.4.1.5322.17.1.2 NAME 'hostObject'
            DESC 'Auxiliary object class for adding host attribute'
            SUP top
            AUXILIARY
            MAY host )
    
    objectclass ( 1.3.6.1.4.1.5322.17.1.3 NAME 'loginStatusObject'
            DESC 'Auxiliary object class for login status attribute'
            SUP top
            AUXILIARY
            MAY loginStatus )
    _EOF_

    This writes the schema to /etc/openldap/schema/ldapns.schema.

  2. Configure slapd.conf: include the new schema and load the dynlist overlay. The line "dynlist-attrset inetOrgPerson labeledURI" makes the overlay expand every inetOrgPerson entry's labeledURI into attributes (here, host) copied from the entry the URI points to, so a user's permitted hosts are maintained in the host-group entries rather than on each user.

    include         /etc/openldap/schema/ldapns.schema
    include         /etc/openldap/schema/dyngroup.schema
    
    modulepath /usr/lib64/openldap
    moduleload dynlist.la
    
    overlay dynlist
    dynlist-attrset inetOrgPerson labeledURI

    # Then regenerate the cn=config database from slapd.conf and restart slapd
    rm -rf /etc/openldap/slapd.d/*
    slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
    chown -R ldap:ldap /etc/openldap/slapd.d
    systemctl restart slapd
  3. Verify that the server loaded the new configuration

    [screenshots in the original post]

  4. Define the host list groups

    cat << _EOF_ | ldapadd -x -W -H ldapi:/// -D cn=Manager,dc=gdy,dc=com
    dn: ou=servers,dc=gdy,dc=com
    objectClass: organizationalUnit
    ou: servers
    
    dn: ou=apphost,ou=servers,dc=gdy,dc=com
    objectClass: organizationalUnit
    objectClass: hostObject
    ou: apphost
    host: test01.gdy.com
    
    dn: ou=dbhost,ou=servers,dc=gdy,dc=com
    objectClass: organizationalUnit
    objectClass: hostObject
    ou: dbhost
    host: test02.gdy.com
    _EOF_
  5. Define users (the heredoc delimiter is quoted so the shell does not expand the $-separated fields of the {CRYPT} password hashes)

    cat << '_EOF_' | ldapadd -x -W -H ldapi:/// -D cn=Manager,dc=gdy,dc=com
    dn: uid=lisi,ou=people,dc=gdy,dc=com
    objectClass: posixAccount
    objectClass: shadowAccount
    objectClass: person
    objectClass: inetOrgPerson
    objectClass: hostObject
    cn: lisi
    sn: lisi
    uid: lisi
    userPassword: {CRYPT}$6$AgFUbww9$Pa70MIDhUT2z3.Sg83VRnWnaDRubTHJsSxYMzbD3LQlMmXX0VeqHRHd2usrJbId.oFOeoMKi3GC60qjIHUKqK.
    uidNumber: 10006
    gidNumber: 10010
    gecos: App Manager
    homeDirectory: /home/lisi
    loginShell: /bin/bash
    shadowLastChange: 15000
    shadowMin: 0
    shadowMax: 999999
    shadowWarning: 7
    shadowExpire: -1
    mobile: 13900001001
    mail: [email protected]
    labeledURI: ldap:///ou=apphost,ou=servers,dc=gdy,dc=com?host
    _EOF_
    cat << '_EOF_' | ldapadd -x -W -H ldapi:/// -D cn=Manager,dc=gdy,dc=com
    dn: uid=zhangsan,ou=people,dc=gdy,dc=com
    objectClass: posixAccount
    objectClass: shadowAccount
    objectClass: person
    objectClass: inetOrgPerson
    objectClass: hostObject
    cn: zhangsan
    sn: zhangsan
    uid: zhangsan
    userPassword: {CRYPT}$6$0hM3RIS/$omCj0x/ggD.zy3pNNjVo80nhiYHbUvdQaBKsawBBTQ/r/KY2PD77NHDqEPgzZ1Wz2/ZiL./pL65BuNyZ1SHC41
    uidNumber: 10007
    gidNumber: 10011
    gecos: opteam
    homeDirectory: /home/zhangsan
    loginShell: /bin/bash
    shadowLastChange: 15000
    shadowMin: 0
    shadowMax: 999999
    shadowWarning: 7
    shadowExpire: -1
    mobile: 13900001002
    mail: [email protected]
    labeledURI: ldap:///ou=devhost,ou=servers,dc=gdy,dc=com?host
    _EOF_

4. OpenLDAP client configuration

  1. Define FQDN resolution; tested: without it the login does not succeed

    cat >> /etc/hosts << EOF
    192.168.244.17    mldap01.gdy.com    mldap01
    192.168.244.18    test01.gdy.com     test01
    EOF
  2. pam_ldap.conf settings. With pam_check_host_attr set to yes, pam_ldap compares the user entry's host attribute with the local host name during account management and denies the login when the user has no matching value.

    cat >> /etc/pam_ldap.conf  << EOF
    pam_check_host_attr yes
    EOF

5. Client login test

  1. Successful example

    [root@test01 ~]# ssh [email protected]    
    [email protected]'s password: 
    Last login: Fri Jun  1 16:24:12 2018 from localhost
    [lisi@test01 ~]$ hostname
    test01.gdy.com
  2. Failed example

    [root@test01 ~]# ssh [email protected]
    [email protected]'s password: 
    Access denied for this host
    Connection closed by 127.0.0.1
  3. If a user's login attributes are not configured correctly, that user basically cannot log in to any server.
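The two mechanisms the server and client steps combine, modelled in Python as an added example (not code from the original post): the dynlist overlay expands a user's labeledURI into host values copied from the referenced host-group entry, and pam_check_host_attr then allows the login only when the local FQDN is among those values. The directory content is a constructed copy of the post's LDIF; treating "*" as a wildcard host value is an assumption of this model, and only the ldap:///base?attrs URI form used in the post is handled.

```python
from urllib.parse import urlparse, unquote

# Constructed copy of the post's entries (only the attributes the check needs).
DIRECTORY = {
    "ou=apphost,ou=servers,dc=gdy,dc=com": {"host": ["test01.gdy.com"]},
    "ou=dbhost,ou=servers,dc=gdy,dc=com": {"host": ["test02.gdy.com"]},
    "uid=lisi,ou=people,dc=gdy,dc=com": {
        "objectClass": ["posixAccount", "inetOrgPerson", "hostObject"],
        "labeledURI": ["ldap:///ou=apphost,ou=servers,dc=gdy,dc=com?host"],
    },
    # zhangsan points at ou=devhost, which does not exist in the post's data.
    "uid=zhangsan,ou=people,dc=gdy,dc=com": {
        "objectClass": ["posixAccount", "inetOrgPerson", "hostObject"],
        "labeledURI": ["ldap:///ou=devhost,ou=servers,dc=gdy,dc=com?host"],
    },
}


def dynlist_expand(entry, directory):
    """Model of 'dynlist-attrset inetOrgPerson labeledURI': for every
    labeledURI of an inetOrgPerson, copy the attributes listed after '?'
    from the entry named by the URI base into a copy of the user entry."""
    expanded = {k: list(v) for k, v in entry.items()}
    if "inetOrgPerson" not in entry.get("objectClass", []):
        return expanded
    for uri in entry.get("labeledURI", []):
        parsed = urlparse(uri)
        base = unquote(parsed.path.lstrip("/"))
        target = directory.get(base)  # unknown base: nothing is merged
        if target is None:
            continue
        for attr in filter(None, parsed.query.split(",")):
            expanded.setdefault(attr, []).extend(target.get(attr, []))
    return expanded


def host_allowed(entry, local_fqdn):
    """pam_check_host_attr yes: a user with no host value is denied
    everywhere; otherwise one value must equal the local host name
    ('*' as a wildcard is an assumption of this model)."""
    return any(h == "*" or h.lower() == local_fqdn.lower()
               for h in entry.get("host", []))


def check_login(uid, local_fqdn, directory=DIRECTORY):
    """True if uid may log in on local_fqdn under the post's setup."""
    entry = directory[f"uid={uid},ou=people,dc=gdy,dc=com"]
    return host_allowed(dynlist_expand(entry, directory), local_fqdn)
```

Running check_login for lisi on test01.gdy.com and test02.gdy.com reproduces the post's successful and failed logins, and zhangsan is denied on every host because the URI base ou=devhost resolves to nothing, which is the "no login attribute configured" case in point 3.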

6. Troubleshooting

  1. The PS1 variable is not applied; the error looks like this

    [root@test01 home]# ssh [email protected]
    [email protected]'s password: 
    Permission denied, please try again.
    [email protected]'s password: 
    Last login: Fri Jun  1 14:10:53 2018 from localhost
    -sh-4.1$      # the prompt is not displayed correctly

    Solution: after going through the configuration again, it turned out that loginShell had been forgotten or defined incorrectly, so the loginShell attribute did not exist on the entry; that is what produces the behaviour above.
