LDAP部署统一认证机制以及phpldapadmin
一、LDAP简介
由于公司内部系统剧增,服务器太多,每个系统、服务器的账号都各不相同。所以决定采用LDAP的方式来一统Linux用户统一认证。背景随着团队人员、服务器增多,每台服务器的账号都独立管理,从而导致:运维人员维护成本过高员工操作非常不便员工需要记住的账号太多没有明确的权限划分那么通过统一认证,可以实现的效果有:员工增减,快速开通、注销账号所有用户具有权限的服务器
二、LDAP部署
环境:
| 角色 | 系统 | IP |
|---|---|---|
| Server | centos7 | 192.168.3.157 |
| Client | centos7 | 192.168.3.158 |
务必关闭server端selinux
sed -i ‘/SELINUX/s/enforcing/disabled/g’ /etc/sysconfig/selinux
systemctl disable firewalld
reboot
步骤:
①使用yum部署openldap
[root@server ~] #yum install -y openldap openldap-clients openldap-servers migrationtools
②部署后优化并且启动slapd
[root@server ~] #vim /etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif
修改其中两行
olcSuffix: dc=haze,dc=com
olcRootDN: cn=root,dc=haze,dc=com
添加一行
olcRootPW: 123456 #密码可以明文,可以使用slappasswd输出成密文粘贴至此,注意参数与密码之间的空格
[root@server ~] #vim /etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif
修改其中一行
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
al,cn=auth" read by dn.base="cn=root,dc=haze,dc=com" read by * none
[root@server ~] #cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@server ~] #chown -R ldap:ldap /var/lib/ldap
[root@server ~] #chown -R ldap:ldap /etc/openldap/certs
给予证书权限,不然无法启动服务,卡死在这儿一下午
[root@server ~] #slaptest -u
56e7c83d ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif"
56e7c83d ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif"
config file testing succeeded
checksum error:校验和错误,不影响实验,输出succeeded成功
[root@server ~] #systemctl start slapd
[root@server ~] #systemctl enable slapd
[root@server ~] #netstat -tunlp | egrep “389|636”
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 3557/slapd
tcp6 0 0 :::389 :::* LISTEN 3557/slapd
③添加应有架构到ldap
[root@server ~] #cd /etc/openldap/schema/
[root@server schema] # vim start.sh
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f collective.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f corba.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f core.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f duaconf.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f dyngroup.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f inetorgperson.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f java.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f misc.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f openldap.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f pmi.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f ppolicy.ldif
[root@server schema] # sh start.sh
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=collective,cn=schema,cn=config"
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=corba,cn=schema,cn=config"
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=core,cn=schema,cn=config"
ldap_add: Other (e.g., implementation specific) error (80)
additional info: olcAttributeTypes: Duplicate attributeType: "2.5.4.2"
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=duaconf,cn=schema,cn=config"
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=dyngroup,cn=schema,cn=config"
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=java,cn=schema,cn=config"
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=misc,cn=schema,cn=config"
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=openldap,cn=schema,cn=config"
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=pmi,cn=schema,cn=config"
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=ppolicy,cn=schema,cn=config"
④使用migati创建ldap dit
[root@server schema] #cd /usr/share/migrationtools/
[root@server migrationtools] #vim migrate_common.ph
修改其中四行
$NAMINGCONTEXT{'group'} = "ou=Groups"; #61行Groups添加s
$DEFAULT_MAIL_DOMAIN = "haze.com"; #71行修改域值
$DEFAULT_BASE = "dc=haze,dc=com"; #74行dc
$EXTENDED_SCHEMA = 1; #90行0改为1,打开扩展架构
[root@server migrationtools] #./migrate_base.pl > /root/base.ldif
[root@server migrationtools] #ldapadd -x -W -D “cn=root,dc=haze,dc=com” -f /root/base.ldif
Enter LDAP Password:
adding new entry "dc=haze,dc=com"
adding new entry "ou=Hosts,dc=haze,dc=com"
adding new entry "ou=Rpc,dc=haze,dc=com"
adding new entry "ou=Services,dc=haze,dc=com"
adding new entry "nisMapName=netgroup.byuser,dc=haze,dc=com"
adding new entry "ou=Mounts,dc=haze,dc=com"
adding new entry "ou=Networks,dc=haze,dc=com"
adding new entry "ou=People,dc=haze,dc=com"
adding new entry "ou=Groups,dc=haze,dc=com"
adding new entry "ou=Netgroup,dc=haze,dc=com"
adding new entry "ou=Protocols,dc=haze,dc=com"
adding new entry "ou=Aliases,dc=haze,dc=com"
adding new entry "nisMapName=netgroup.byhost,dc=haze,dc=com"
⑤创建预用户目录guests以及创建测试用户设置密码
[root@server migrationtools] #mkdir /home/guests
[root@server migrationtools] #useradd -d /home/guests/ldapuser1 ldapuser1
[root@server migrationtools] #useradd -d /home/guests/ldapuser2 ldapuser2
[root@server migrationtools] #echo 'password' | passwd --stdin ldapuser1
[root@server migrationtools] #echo 'password' | passwd --stdin ldapuser2
⑥现在将这些用户和组和IT密码从/etc/过滤到不同的文件
[root@server migrationtools] #getent passwd | tail -n 5 > /root/users
[root@server migrationtools] #getent shadow | tail -n 5 > /root/shadow
[root@server migrationtools] #getent group | tail -n 5 > /root/groups
[root@server migrationtools] #cd /usr/share/migrationtools
[root@server migrationtools] #vim migrate_passwd.pl
......
sub read_shadow_file
{
open(SHADOW, "/root/shadow") || return; #188行改成/root/shadow
while(<SHADOW>) {
chop;
($shadowUser) = split(/:/, $_);
$shadowUsers{$shadowUser} = $_;
}
close(SHADOW);
......
⑦现在需要使用迁移工具为这些用户创建LDIF文件
[root@server migrationtools] #./migrate_passwd.pl /root/users > users.ldif
[root@server migrationtools] #./migrate_group.pl /root/groups > groups.ldif
[root@server migrationtools] #ldapadd -x -W -D “cn=root,dc=haze,dc=com” -f users.ldif
[root@server migrationtools] #ldapadd -x -W -D “cn=root,dc=haze,dc=com” -f groups.ldif
如果报错了,重新导出一次,再来添加
[root@server migrationtools] #ldapsearch -x -b “dc=haze,dc=com” -H ldap://127.0.0.1
......
result: 0 Success
# numResponses: 24
# numEntries: 23
三、客户端配置
步骤:
[root@client ~]yum install -y nss-pam*
nss-pam为交换模块和验证模块
[root@client ~]authconfig-tui
[root@client ~]# mkdir /home/guests/ldapuser1
[root@client ~]su – ldapuser1
-bash-4.2$
看到进入bash,测试成功
参考链接:
http://blog.chinaunix.net/uid…
https://jingyan.baidu.com/alb…
四、部署应用服务器管理ldap
步骤:
①更新yum第三方源安装phpldapadmin
[root@server ~] #yum -y install epel-re*
[root@server ~] #yum install -y phpldapadmin
②配置phpldapadmin
[root@server ~] #vim /etc/httpd/conf.d/phpldapadmin.conf
Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
Alias /ldapadmin /usr/share/phpldapadmin/htdocs
<Directory /usr/share/phpldapadmin/htdocs>
<IfModule mod_authz_core.c>
# Apache 2.4
Require local
Require ip 192.168.3.0/24
</IfModule>
<IfModule !mod_authz_core.c>
# Apache 2.2
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
Allow from ::1
</IfModule>
</Directory>
[root@server ~] #vim /etc/phpldapadmin/config.php
.....
$servers->setValue('login','attr','dn');
// $servers->setValue('login','attr','uid');
.....
将uid结尾的注释掉,也就是行首添加//,将dn结尾的行打开,行首去掉//
[root@server ~] #systemctl start httpd
[root@server ~] #systemctl stop firewalld
③访问http://192.168.3.157/ldapadmin
使用web方式b/s结构管理ldap方便了运维人员
