08-OpenLDAP Host Access Control Policy
阿新 • Published: 2018-06-09
- References
- Environment preparation
- OpenLDAP server configuration
- OpenLDAP client configuration
- Test login from the client
- Troubleshooting
1. References
This article is essentially a repost of the blog post "OpenLDAP host access control (hostname-based)".
The same blogger has another post, "OpenLDAP host access control (IP-based)", which I have not tested yet.
2. Environment preparation
Because the attributes used here do not conflict with those in the other documents, the environment from the earlier experiments can be reused as-is.
3. OpenLDAP server configuration
Import the ldapns.schema schema (it defines the hostObject object class, which carries the host attribute):
https://github.com/openldap/openldap/blob/master/contrib/slapd-modules/nssov/ldapns.schema
```shell
# The delimiter is quoted so that "$OpenLDAP$" and "$Id: ...$" are written literally
cat > /etc/openldap/schema/ldapns.schema << '_EOF_'
# $OpenLDAP$
# $Id: ldapns.schema,v 1.3 2009-10-01 19:17:20 tedcheng Exp $
# LDAP Name Service Additional Schema
# http://www.iana.org/assignments/gssapi-service-names
#
# Not part of the distribution: this is a workaround!
#

attributetype ( 1.3.6.1.4.1.5322.17.2.1 NAME 'authorizedService'
    DESC 'IANA GSS-API authorized service name'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )

attributetype ( 1.3.6.1.4.1.5322.17.2.2 NAME 'loginStatus'
    DESC 'Currently logged in sessions for a user'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    ORDERING caseIgnoreOrderingMatch
    SYNTAX OMsDirectoryString )

objectclass ( 1.3.6.1.4.1.5322.17.1.1 NAME 'authorizedServiceObject'
    DESC 'Auxiliary object class for adding authorizedService attribute'
    SUP top AUXILIARY
    MAY authorizedService )

objectclass ( 1.3.6.1.4.1.5322.17.1.2 NAME 'hostObject'
    DESC 'Auxiliary object class for adding host attribute'
    SUP top AUXILIARY
    MAY host )

objectclass ( 1.3.6.1.4.1.5322.17.1.3 NAME 'loginStatusObject'
    DESC 'Auxiliary object class for login status attribute'
    SUP top AUXILIARY
    MAY loginStatus )
_EOF_
```
Copy it to /etc/openldap/schema/ldapns.schema.
Edit the slapd.conf configuration file:
```
include    /etc/openldap/schema/ldapns.schema
include    /etc/openldap/schema/dyngroup.schema
modulepath /usr/lib64/openldap
moduleload dynlist.la
# overlay directives belong in the database section; labeledURI values on
# inetOrgPerson entries are expanded and their results merged into the entry
overlay dynlist
dynlist-attrset inetOrgPerson labeledURI
```
Regenerate the slapd.d configuration from slapd.conf and restart the service:
```shell
rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
chown -R ldap:ldap /etc/openldap/slapd.d
systemctl restart slapd
```
Verify that the server loads normally.
Define the host-list groups:
```shell
cat << '_EOF_' | ldapadd -x -W -H ldapi:/// -D cn=Manager,dc=gdy,dc=com
dn: ou=servers,dc=gdy,dc=com
objectClass: organizationalUnit
ou: servers

dn: ou=apphost,ou=servers,dc=gdy,dc=com
objectClass: organizationalUnit
objectClass: hostObject
ou: apphost
host: test01.gdy.com

dn: ou=dbhost,ou=servers,dc=gdy,dc=com
objectClass: organizationalUnit
objectClass: hostObject
ou: dbhost
host: test02.gdy.com
_EOF_
```
Define the users. The heredoc delimiter must be quoted, otherwise the shell expands the "$6$..." parts of the {CRYPT} hash and an unusable password is stored:
```shell
cat << '_EOF_' | ldapadd -x -W -H ldapi:/// -D cn=Manager,dc=gdy,dc=com
dn: uid=lisi,ou=people,dc=gdy,dc=com
objectClass: posixAccount
objectClass: shadowAccount
objectClass: person
objectClass: inetOrgPerson
objectClass: hostObject
cn: lisi
sn: lisi
uid: lisi
userPassword: {CRYPT}$6$AgFUbww9$Pa70MIDhUT2z3.Sg83VRnWnaDRubTHJsSxYMzbD3LQlMmXX0VeqHRHd2usrJbId.oFOeoMKi3GC60qjIHUKqK.
uidNumber: 10006
gidNumber: 10010
gecos: App Manager
homeDirectory: /home/lisi
loginShell: /bin/bash
shadowLastChange: 15000
shadowMin: 0
shadowMax: 999999
shadowWarning: 7
shadowExpire: -1
mobile: 13900001001
mail: [email protected]
# dynlist expands this URL into host: values on the user entry
labeledURI: ldap:///ou=apphost,ou=servers,dc=gdy,dc=com?host
_EOF_
```
```shell
cat << '_EOF_' | ldapadd -x -W -H ldapi:/// -D cn=Manager,dc=gdy,dc=com
dn: uid=zhangsan,ou=people,dc=gdy,dc=com
objectClass: posixAccount
objectClass: shadowAccount
objectClass: person
objectClass: inetOrgPerson
objectClass: hostObject
cn: zhangsan
sn: zhangsan
uid: zhangsan
userPassword: {CRYPT}$6$0hM3RIS/$omCj0x/ggD.zy3pNNjVo80nhiYHbUvdQaBKsawBBTQ/r/KY2PD77NHDqEPgzZ1Wz2/ZiL./pL65BuNyZ1SHC41
uidNumber: 10007
gidNumber: 10011
gecos: opteam
homeDirectory: /home/zhangsan
loginShell: /bin/bash
shadowLastChange: 15000
shadowMin: 0
shadowMax: 999999
shadowWarning: 7
shadowExpire: -1
mobile: 13900001002
mail: [email protected]
labeledURI: ldap:///ou=devhost,ou=servers,dc=gdy,dc=com?host
_EOF_
```
4. OpenLDAP client configuration
Define FQDN resolution; testing showed that login fails when this is missing:
```shell
cat >> /etc/hosts << EOF
192.168.244.17 mldap01.gdy.com mldap01
192.168.244.18 test01.gdy.com test01
EOF
```
pam_ldap.conf setting: make pam_ldap compare the user's host attribute with the local host name.
```shell
cat >> /etc/pam_ldap.conf << EOF
pam_check_host_attr yes
EOF
```
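The post gives no command for the "verify that the server loads normally" step, so here is an added example (not from the original post or from pam_ldap itself) that fetches a user's dynlist-expanded entry and reproduces the decision pam_check_host_attr makes against it: match the host values against the local FQDN, treat "*" as a wildcard, and treat a missing host attribute as a denial. It assumes the server name mldap01.gdy.com and the suffix dc=gdy,dc=com from this post; the sample entries at the bottom are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post. It reproduces the decision that
# pam_ldap takes with "pam_check_host_attr yes": the host values that the dynlist
# overlay expands from labeledURI into the user entry are compared with the local
# FQDN, and a missing host attribute counts as a denial. Assumed from the post:
# server mldap01.gdy.com, suffix dc=gdy,dc=com; "*" as a wildcard is pam_ldap behaviour.

# Ask the server for a user's expanded entry; host is requested by name so that
# the attribute produced by the dynlist expansion is certainly returned.
fetch_user_entry() {
    ldapsearch -x -LLL -H ldap://mldap01.gdy.com \
        -b "ou=people,dc=gdy,dc=com" "(uid=$1)" labeledURI host
}

# host_allowed <ldif> <fqdn>
#   0 - a host value equals <fqdn> or is "*": login would be allowed
#   1 - host values exist but none match ("Access denied for this host")
#   2 - no host attribute at all: dynlist not loaded, or labeledURI points at an
#       OU that does not exist (zhangsan's ou=devhost in the post)
host_allowed() {
    fqdn=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    seen=0
    while IFS= read -r line; do
        case $line in
            "host: "*) ;;
            *) continue ;;
        esac
        seen=1
        value=$(printf '%s' "${line#host: }" | tr 'A-Z' 'a-z')
        if [ "$value" = "$fqdn" ] || [ "$value" = "*" ]; then
            return 0
        fi
    done <<EOF
$1
EOF
    [ "$seen" -eq 1 ] && return 1
    return 2
}

# Constructed sample entries, shaped like ldapsearch -LLL output after dynlist
# expansion; on a real client they come from fetch_user_entry.
SAMPLE_LISI='dn: uid=lisi,ou=people,dc=gdy,dc=com
labeledURI: ldap:///ou=apphost,ou=servers,dc=gdy,dc=com?host
host: test01.gdy.com'
SAMPLE_ZHANGSAN='dn: uid=zhangsan,ou=people,dc=gdy,dc=com
labeledURI: ldap:///ou=devhost,ou=servers,dc=gdy,dc=com?host'

# On a client: host_allowed "$(fetch_user_entry lisi)" "$(hostname -f)"; echo $?
```

An exit status of 2 for every user is the symptom the post's last section describes (nobody can log in anywhere) and points at the server side, not at pam_ldap.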
5. Test login from the client
Successful example (lisi is bound to ou=apphost, which contains test01.gdy.com):
```
[root@test01 ~]# ssh [email protected]
[email protected]'s password:
Last login: Fri Jun 1 16:24:12 2018 from localhost
[lisi@test01 ~]$ hostname
test01.gdy.com
```
Failed example:
```
[root@test01 ~]# ssh [email protected]
[email protected]'s password:
Access denied for this host
Connection closed by 127.0.0.1
```
If a user's login attributes are not configured properly, that user can essentially not log in to any server at all.
6. Troubleshooting
The PS1 variable does not take effect; the error looks like this:
```
[root@test01 home]# ssh [email protected]
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Last login: Fri Jun 1 14:10:53 2018 from localhost
-sh-4.1$ # the prompt is displayed abnormally
```
Solution: after going through the configuration again, I found that loginShell had been forgotten or defined incorrectly, so the loginShell attribute did not exist on the entry; that is what produced the bug above.