Centralized Account Management System Design and Implementation: OpenLDAP

Build an OpenLDAP system to manage accounts centrally. Functions implemented:
1: Build the OpenLDAP server
2: Build PhpLDAPAdmin (for management through a web page)
3: Configure sudo privilege assignment by group on the OpenLDAP server:
   (1) no sudo privileges by default;
   (2) operations staff can sudo to any user and run any command;
   (3) developers get the command permissions configured for them
4: Configure the OpenLDAP client
5: OpenLDAP and SSH
6: OpenLDAP with client-side PAM to restrict which users may log in to a host
7: Add a password policy to OpenLDAP:
   (1) force users to change their password at first login
   (2) minimum password length
   (3) password strength
   (4) number of days of warning before password expiry
   (5) number of days after expiry during which login is refused
   (6) number of failed attempts before the account is locked
   (7) recovery time after failed attempts
   (8) whether users may change their own password
   (9) a locked account does not unlock automatically; an administrator must unlock it
8: MirrorMode replication for an OpenLDAP dual-master setup
9: Keepalived + OpenLDAP for OpenLDAP high availability
10: TCP Wrappers

Access and maintenance workflow for the centralized account management system:

Lab environment:
System:
  Master: CentOS 6.5 64-bit  192.168.9.225
  Master: CentOS 6.5 64-bit  192.168.9.168
  VIP: 192.168.9.253
  Client: CentOS 6.5 64-bit  192.168.9.176
Packages:
  openldap-2.4.45
  db-4.6.21
  phpldapadmin-1.2.3
  ltb-project-openldap-initscript-2.2
Reference: https://ltb-project.org/download

Part 1: Installing the OpenLDAP server (both masters are installed the same way)

1.1 Basic environment setup

(1) System initialization (see http://wupengfei.blog.51cto.com/7174803/1955545)

(2) Stop the firewall and disable SELinux
service iptables stop
chkconfig iptables off
sed -i 's@SELINUX=enforcing@SELINUX=disabled@g' /etc/selinux/config

(3) Time synchronization
yum -y install ntp
/usr/sbin/ntpdate -u clepsydra.dec.com tick.ucla.edu ntp.nasa.gov
echo "1 2 * * * /usr/sbin/ntpdate -u clepsydra.dec.com tick.ucla.edu ntp.nasa.gov" >> /var/spool/cron/root

1.2 Installing OpenLDAP from source

(1) Install the build dependencies with yum
yum -y install gcc gcc-c++ unzip gzip bzip2 openssl-devel cyrus-sasl-devel krb5-devel tcp_wrappers-devel libtool-ltdl-devel openslp-devel unixODBC-devel mysql-devel

(2) Install Berkeley DB from source
cd /usr/local/src/
wget http://download.oracle.com/berkeley-db/db-4.6.21.tar.gz
tar xf db-4.6.21.tar.gz
cd db-4.6.21/build_unix/
../dist/configure --prefix=/usr/local/BDB4
make && make install
echo "/usr/local/BDB4/lib" >> /etc/ld.so.conf.d/bdb.conf
ldconfig
ln -sv /usr/local/BDB4/include /usr/local/bdb

(3) Install OpenLDAP from source
cd /usr/local/src/
wget ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-2.4.45.tgz
gunzip -c openldap-2.4.45.tgz | tar xf -
cd openldap-2.4.45
./configure --prefix=/usr/local/openldap2.4 --enable-slapd --enable-dynacl --enable-aci --enable-cleartext --enable-crypt --enable-lmpasswd --enable-spasswd --enable-modules --enable-rewrite --enable-rlookups \
    --enable-slapi --enable-wrappers --enable-backends --enable-ndb=no --enable-perl=no --enable-overlays \
    CPPFLAGS="-I/usr/local/BDB4/include" LDFLAGS="-L/usr/local/BDB4/lib"
make depend
make
make test
make install
echo "/usr/local/openldap2.4/lib" >> /etc/ld.so.conf.d/ldap.conf
ldconfig
ln -sv /usr/local/openldap2.4/include /usr/include/ldap2.4
ln -sv /usr/local/openldap2.4/bin/* /usr/local/bin/
ln -sv /usr/local/openldap2.4/sbin/* /usr/local/sbin/

1.4 Configuring the server

(1) Configuration file template
# grep -v ^# slapd.conf | grep -v ^$
include /usr/local/openldap2.4/etc/openldap/schema/corba.schema
include /usr/local/openldap2.4/etc/openldap/schema/core.schema
include /usr/local/openldap2.4/etc/openldap/schema/cosine.schema
include /usr/local/openldap2.4/etc/openldap/schema/duaconf.schema
include /usr/local/openldap2.4/etc/openldap/schema/dyngroup.schema
include /usr/local/openldap2.4/etc/openldap/schema/inetorgperson.schema
include /usr/local/openldap2.4/etc/openldap/schema/java.schema
include /usr/local/openldap2.4/etc/openldap/schema/misc.schema
include /usr/local/openldap2.4/etc/openldap/schema/nis.schema
include /usr/local/openldap2.4/etc/openldap/schema/openldap.schema
include /usr/local/openldap2.4/etc/openldap/schema/ppolicy.schema
include /usr/local/openldap2.4/etc/openldap/schema/collective.schema
include /usr/local/openldap2.4/etc/openldap/schema/sudo.schema
pidfile /usr/local/openldap2.4/var/run/slapd.pid
argsfile /usr/local/openldap2.4/var/run/slapd.args
modulepath /usr/local/openldap2.4/libexec/openldap
moduleload accesslog.la
moduleload auditlog.la
moduleload ppolicy.la
moduleload syncprov.la
moduleload back_mdb.la
moduleload back_ldap.la
access to attrs=shadowLastChange,userPassword
    by self write
    by anonymous auth
    by dn.base="cn=admin,dc=dabayouxi,dc=com" write
    by * none
access to *
    by self write
    by * read
database config
access to *
    by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
    by dn.base="cn=admin,dc=dabayouxi,dc=com" write
    by * none
database mdb
suffix "dc=dabayouxi,dc=com"
rootdn "cn=admin,dc=dabayouxi,dc=com"
rootpw {SSHA}jnN16Laklfzlm4hCrob1nhUgUloLpvnm
directory /data0/openldap-data
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,sub
index nisMapName,nisMapEntry eq,sub
loglevel 256
logfile /data0/logs/slapd/slapd.log
checkpoint 2048 10
overlay ppolicy
ppolicy_default cn=default,ou=pwpolicies,dc=dabayouxi,dc=com

(2) Add sudo.schema
cp -f /usr/share/doc/sudo-1.8.6p3/schema.OpenLDAP /usr/local/openldap2.4/etc/openldap/schema/sudo.schema
restorecon /usr/local/openldap2.4/etc/openldap/schema/sudo.schema

(3) Create the ldap user and group
groupadd -r ldap
useradd -r -g ldap -s /sbin/nologin ldap

(4) Configure logging
mkdir -p /data0/logs/slapd
touch /data0/logs/slapd/slapd.log
echo "local4.* /data0/logs/slapd/slapd.log" >> /etc/rsyslog.d/openldap.conf
service rsyslog restart
echo "/data0/logs/slapd/*log {
    missingok
    compress
    notifempty
    daily
    rotate 5
    create 0600 root root
}" >> /etc/logrotate.d/slapd

(5) Configure the data directory
mkdir -p /data0/openldap-data
chmod 700 /data0/openldap-data/
cp /usr/local/openldap2.4/etc/openldap/DB_CONFIG.example /data0/openldap-data/DB_CONFIG
chown -R ldap.ldap /data0/openldap-data/
mkdir -p /usr/local/openldap2.4/etc/openldap/slapd.d
cd /usr/local/openldap2.4/etc/openldap/
slaptest -f slapd.conf -F slapd.d/
echo "BASE dc=dabayouxi,dc=com
URI ldap://192.168.9.168" >> /usr/local/openldap2.4/etc/openldap/ldap.conf

(6) Download the init script and adjust its settings
cd /usr/local/src/
wget https://ltb-project.org/archives/ltb-project-openldap-initscript-2.2.tar.gz
tar -xvf ltb-project-openldap-initscript-2.2.tar.gz
mv ltb-project-openldap-initscript-2.2/slapd /etc/init.d
vim /etc/init.d/slapd
SLAPD_PATH="/usr/local/openldap2.4"
DATA_PATH="/data0/openldap-data"
BDB_PATH="/usr/local/BDB4"
chmod +x /etc/init.d/slapd
chkconfig slapd on
service slapd restart

1.5 OpenLDAP directory tree planning
mkdir -p /data0/ldapldif/{users,groups,sudoers,policy}

(1) base.ldif
vim /data0/ldapldif/base.ldif
dn: dc=dabayouxi,dc=com
dc: dabayouxi
objectClass: top
objectClass: domain

dn: ou=users,dc=dabayouxi,dc=com
ou: users
objectClass: top
objectClass: organizationalUnit

dn: ou=groups,dc=dabayouxi,dc=com
ou: groups
objectClass: top
objectClass: organizationalUnit

dn: ou=sudoers,dc=dabayouxi,dc=com
ou: sudoers
objectClass: top
objectClass: organizationalUnit

dn: ou=pwpolicies,dc=dabayouxi,dc=com
ou: pwpolicies
objectClass: top
objectClass: organizationalUnit

ldapadd -x -D cn=admin,dc=dabayouxi,dc=com -W -f /data0/ldapldif/base.ldif
Enter LDAP Password:
adding new entry "dc=dabayouxi,dc=com"
adding new entry "ou=users,dc=dabayouxi,dc=com"
adding new entry "ou=groups,dc=dabayouxi,dc=com"
adding new entry "ou=sudoers,dc=dabayouxi,dc=com"
adding new entry "ou=pwpolicies,dc=dabayouxi,dc=com"
-x  use simple authentication, without an encrypted protocol
-D  the DN to bind as for the operation, comparable to the root directory in an operating system
-W  prompt for the password; if you do not want to be prompted use -w passwd, which is not recommended because it exposes the password
-f  the LDIF file to load
# View the current directory tree with ldapsearch
ldapsearch -x -LLL   # -LLL suppresses the extra comment and version output

(2) groups.ldif
echo "dn: cn=web,ou=groups,dc=dabayouxi,dc=com
objectClass: posixGroup
objectClass: top
cn: web
gidNumber: 1501" >> /data0/ldapldif/groups/web.ldif
echo "dn: cn=core,ou=groups,dc=dabayouxi,dc=com
objectClass: posixGroup
objectClass: top
cn: core
gidNumber: 1502" >> /data0/ldapldif/groups/core.ldif
ldapadd -x -D cn=admin,dc=dabayouxi,dc=com -W -f /data0/ldapldif/groups/web.ldif
Enter LDAP Password:
adding new entry "cn=web,ou=groups,dc=dabayouxi,dc=com"
ldapadd -x -D cn=admin,dc=dabayouxi,dc=com -W -f /data0/ldapldif/groups/core.ldif
Enter LDAP Password:
adding new entry "cn=core,ou=groups,dc=dabayouxi,dc=com"

(3) users.ldif
echo "dn: uid=webuser,ou=users,dc=dabayouxi,dc=com
uid: webuser
cn: webuser
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {SSHA}1F4G8mlpJ4asfQud0kJOsj6tIWdoiHEc
shadowLastChange: 17412
shadowMin: 0
shadowMax: 999999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 2501
gidNumber: 1501
homeDirectory: /home/webuser
pwdReset: TRUE" >> /data0/ldapldif/users/webuser.ldif
echo "dn: uid=coreuser,ou=users,dc=dabayouxi,dc=com
uid: coreuser
cn: coreuser
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {SSHA}1F4G8mlpJ4asfQud0kJOsj6tIWdoiHEc
shadowLastChange: 17412
shadowMin: 0
shadowMax: 999999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 2502
gidNumber: 1502
homeDirectory: /home/coreuser
pwdReset: TRUE" >> /data0/ldapldif/users/coreuser.ldif
ldapadd -x -D cn=admin,dc=dabayouxi,dc=com -W -f /data0/ldapldif/users/webuser.ldif
Enter LDAP Password:
adding new entry "uid=webuser,ou=users,dc=dabayouxi,dc=com"
ldapadd -x -D cn=admin,dc=dabayouxi,dc=com -W -f /data0/ldapldif/users/coreuser.ldif
Enter LDAP Password:
adding new entry "uid=coreuser,ou=users,dc=dabayouxi,dc=com"

(4) sudoers.ldif
vim /data0/ldapldif/sudoers/defaults.ldif
dn: cn=defaults,ou=sudoers,dc=dabayouxi,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
sudoOption: requiretty
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset

vim /data0/ldapldif/sudoers/web.ldif
dn: cn=%web,ou=sudoers,dc=dabayouxi,dc=com
objectClass: top
objectClass: sudoRole
cn: %web
sudoHost: ALL
sudoRunAsUser: www
sudoOption: !authenticate
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset
sudoCommand: ALL
sudoUser: %web

vim /data0/ldapldif/sudoers/core.ldif
dn: cn=%core,ou=sudoers,dc=dabayouxi,dc=com
objectClass: top
objectClass: sudoRole
cn: %core
sudoHost: ALL
sudoRunAsUser: ALL
sudoOption: !authenticate
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset
sudoCommand: ALL
sudoUser: %core

ldapadd -x -D cn=admin,dc=dabayouxi,dc=com -W -f /data0/ldapldif/sudoers/defaults.ldif
Enter LDAP Password:
adding new entry "cn=defaults,ou=sudoers,dc=dabayouxi,dc=com"
ldapadd -x -D cn=admin,dc=dabayouxi,dc=com -W -f /data0/ldapldif/sudoers/web.ldif
Enter LDAP Password:
adding new entry "cn=%web,ou=sudoers,dc=dabayouxi,dc=com"
ldapadd -x -D cn=admin,dc=dabayouxi,dc=com -W -f /data0/ldapldif/sudoers/core.ldif
Enter LDAP Password:
adding new entry "cn=%core,ou=sudoers,dc=dabayouxi,dc=com"

(5) pwpolicies.ldif
echo "dn: cn=default,ou=pwpolicies,dc=dabayouxi,dc=com
cn: default
objectClass: pwdPolicy
objectClass: person
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdExpireWarning: 259200
pwdFailureCountInterval: 0
pwdGraceAuthNLimit: 5
pwdInHistory: 5
pwdLockout: TRUE
pwdLockoutDuration: 300
pwdMaxAge: 2592000
pwdMaxFailure: 5
pwdMinAge: 0
pwdMinLength: 8
pwdMustChange: TRUE
pwdSafeModify: TRUE
sn: dummyvalue" >> /data0/ldapldif/policy/default.ldif
ldapadd -x -D cn=admin,dc=dabayouxi,dc=com -W -f /data0/ldapldif/policy/default.ldif
Enter LDAP Password:
adding new entry "cn=default,ou=pwpolicies,dc=dabayouxi,dc=com"

1.6 Installing PhpLDAPAdmin
yum install -y httpd php php-mbstring php-pear php-ldap
cd /usr/local/src/
wget https://jaist.dl.sourceforge.net/project/phpldapadmin/phpldapadmin-php5/1.2.3/phpldapadmin-1.2.3.zip
unzip phpldapadmin-1.2.3.zip
mkdir -p /data0/web_root/
mv phpldapadmin-1.2.3 /data0/web_root/phpldapadmin
cat >> /etc/httpd/conf/httpd.conf <<'EOF'
<VirtualHost *:80>
    ServerAdmin openldap@dabayouxi.com
    DocumentRoot /data0/web_root/phpldapadmin
    ServerName openldap.dabayouxi.com
    ErrorLog /data0/logs/apache/openldap.dabayouxi.com-error_log
    CustomLog /data0/logs/apache/openldap.dabayouxi.com-access_log common
    <Directory "/data0/web_root/phpldapadmin">
        Options FollowSymLinks
        AllowOverride all
        Require all granted
    </Directory>
</VirtualHost>
EOF
mkdir -p /data0/logs/apache/
service httpd restart
cp /data0/web_root/phpldapadmin/config/config.php.example /data0/web_root/phpldapadmin/config/config.php
vim /data0/web_root/phpldapadmin/config/config.php
$servers->setValue('server','host','192.168.9.168');
$servers->setValue('server','port',389);
Open http://192.168.9.168 in a browser.

1.7 MirrorMode replication for an OpenLDAP dual-master setup

(1) On 192.168.9.168, append to the end of slapd.conf
vim /usr/local/openldap2.4/etc/openldap/slapd.conf
# add the following
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
serverID 1
syncrepl rid=123
    provider=ldap://192.168.9.225/
    bindmethod=simple
    binddn="cn=admin,dc=dabayouxi,dc=com"
    credentials=dabayouxi
    searchbase="dc=dabayouxi,dc=com"
    schemachecking=off
    type=refreshAndPersist
    retry="60 +"
mirrormode on
cd /usr/local/openldap2.4/etc/openldap/
slaptest -u
rm -rf slapd.d/*
slaptest -f slapd.conf -F slapd.d/
service slapd restart

(2) On 192.168.9.225, append to the end of slapd.conf
vim /usr/local/openldap2.4/etc/openldap/slapd.conf
# add the following
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
serverID 2
syncrepl rid=123
    provider=ldap://192.168.9.168/
    bindmethod=simple
    binddn="cn=admin,dc=dabayouxi,dc=com"
    credentials=dabayouxi
    searchbase="dc=dabayouxi,dc=com"
    schemachecking=off
    type=refreshAndPersist
    retry="60 +"
mirrormode on
cd /usr/local/openldap2.4/etc/openldap/
slaptest -u
rm -rf slapd.d/*
slaptest -f slapd.conf -F slapd.d/
service slapd restart

(3) Test synchronization

1.8 Keepalived + OpenLDAP for OpenLDAP high availability

(1) Download and install keepalived
cd /usr/local/src/
wget http://www.keepalived.org/software/keepalived-1.2.13.tar.gz
yum install -y pcre-devel openssl-devel popt-devel
tar xf keepalived-1.2.13.tar.gz
cd keepalived-1.2.13
./configure --prefix=/usr/local/keepalived
make
make install

(2) Set keepalived up as a system service
cd /usr/local/keepalived/
cp etc/rc.d/init.d/keepalived /etc/init.d/
cp etc/sysconfig/keepalived /etc/sysconfig/
mkdir /etc/keepalived
cp etc/keepalived/keepalived.conf /etc/keepalived/
cp sbin/keepalived /usr/sbin/
chkconfig keepalived on
chkconfig --list keepalived

(3) Configure OpenLDAP hot standby
Master 192.168.9.168
vim /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
    router_id OpenLDAP_HA
}
vrrp_instance OpenLDAP {
    state BACKUP
    interface eth0
    virtual_router_id 53
    priority 100
    advert_int 1
    nopreempt
    authentication {
        auth_type PASS
        auth_pass dabayouxi
    }
    virtual_ipaddress {
        192.168.9.253
    }
}
virtual_server 192.168.9.253 389 {
    delay_loop 6
    nat_mask 255.255.255.0
    persistence_timeout 50
    protocol TCP
    real_server 192.168.9.168 389 {
        weight 3
        notify_down "/etc/keepalived/openldap.sh"
        TCP_CHECK {
            connect_timeout 5
            nb_get_retry 2
            delay_before_retry 3
        }
    }
}
vim /etc/keepalived/openldap.sh
#!/bin/bash
/etc/init.d/keepalived stop
chmod +x /etc/keepalived/openldap.sh
service keepalived start
Starting keepalived: [ OK ]
ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether fa:9b:55:ac:33:00 brd ff:ff:ff:ff:ff:ff
    inet 192.168.9.168/24 brd 192.168.9.255 scope global eth0
    inet 192.168.9.253/32 scope global eth0
    inet6 fe80::f89b:55ff:feac:3300/64 scope link
       valid_lft forever preferred_lft forever

Master 192.168.9.225
vim /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
    router_id OpenLDAP_HA
}
vrrp_instance OpenLDAP {
    state BACKUP
    interface eth0
    virtual_router_id 53
    priority 90
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass dabayouxi
    }
    virtual_ipaddress {
        192.168.9.253
    }
}
virtual_server 192.168.9.253 389 {
    delay_loop 6
    nat_mask 255.255.255.0
    persistence_timeout 50
    protocol TCP
    real_server 192.168.9.225 389 {
        weight 3
        notify_down "/etc/keepalived/openldap.sh"
        TCP_CHECK {
            connect_timeout 5
            nb_get_retry 2
            delay_before_retry 3
        }
    }
}
vim /etc/keepalived/openldap.sh
#!/bin/bash
/etc/init.d/keepalived stop
chmod +x /etc/keepalived/openldap.sh
service keepalived start

(4) Verification

Part 2: Installing the OpenLDAP client

2.1 Basic environment setup

(1) System initialization (see http://wupengfei.blog.51cto.com/7174803/1955545)

(2) Stop the firewall and disable SELinux
service iptables stop
chkconfig iptables off
sed -i 's@SELINUX=enforcing@SELINUX=disabled@g' /etc/selinux/config

(3) Time synchronization
yum -y install ntp
/usr/sbin/ntpdate -u clepsydra.dec.com tick.ucla.edu ntp.nasa.gov
echo "1 2 * * * /usr/sbin/ntpdate -u clepsydra.dec.com tick.ucla.edu ntp.nasa.gov" >> /var/spool/cron/root

2.2 Installing the OpenLDAP client packages

(1) Install the packages with yum
yum -y install openldap openldap-devel compat-openldap nss-pam-ldapd

(2) Back up the original files
cp /etc/nslcd.conf /etc/nslcd.conf_default
cp /etc/nsswitch.conf /etc/nsswitch.conf_default
cp /etc/pam.d/system-auth-ac /etc/pam.d/system-auth-ac_default
cp /etc/pam.d/password-auth-ac /etc/pam.d/password-auth-ac_default
cp /etc/pam.d/fingerprint-auth-ac /etc/pam.d/fingerprint-auth-ac_default
cp /etc/pam.d/smartcard-auth-ac /etc/pam.d/smartcard-auth-ac_default
cp /etc/pam.d/sshd /etc/pam.d/sshd_default
cp /etc/pam.d/login /etc/pam.d/login_default
cp /etc/openldap/ldap.conf /etc/openldap/ldap.conf_default
cp /etc/sudo-ldap.conf /etc/sudo-ldap.conf_default

(3) Disable the sssd service
service sssd stop && chkconfig sssd off

(4) Client file configuration

# /etc/nslcd.conf
vim /etc/nslcd.conf
uri ldap://192.168.9.253
base dc=dabayouxi,dc=com
ssl no
tls_cacertdir /etc/openldap/cacerts

# /etc/pam_ldap.conf
vim /etc/pam_ldap.conf
uri ldap://192.168.9.253
base dc=dabayouxi,dc=com
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
bind_policy soft
pam_lookup_policy yes
pam_password clear_remove_old

# /etc/pam.d/system-auth
vim /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so minlen=10 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 try_first_pass retry=3 type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

# /etc/pam.d/password-auth
vim /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so minlen=10 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 try_first_pass retry=3 type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

# /etc/pam.d/fingerprint-auth
vim /etc/pam.d/fingerprint-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

# /etc/pam.d/smartcard-auth
vim /etc/pam.d/smartcard-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card card_only
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    required      pam_pkcs11.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

# /etc/pam.d/sshd
vim /etc/pam.d/sshd
#%PAM-1.0
auth       required     pam_sepermit.so
auth       include      password-auth
account    required     pam_access.so
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth

# /etc/pam.d/login
vim /etc/pam.d/login
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    required     pam_limits.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      system-auth
-session   optional     pam_ck_connector.so

# /etc/nsswitch.conf
vim /etc/nsswitch.conf
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   ldap
publickey:  nisplus
automount:  files ldap
sudoers:    files ldap

# /etc/sysconfig/authconfig
vim /etc/sysconfig/authconfig
IPADOMAINJOINED=no
USEMKHOMEDIR=yes
USEPAMACCESS=no
CACHECREDENTIALS=yes
USESSSDAUTH=no
USESHADOW=yes
USEWINBIND=no
USESSSD=no
PASSWDALGORITHM=sha512
FORCELEGACY=no
USEFPRINTD=no
USEHESIOD=no
FORCESMARTCARD=no
USELDAPAUTH=yes
IPAV2NONTP=no
USELDAP=yes
USECRACKLIB=yes
USEIPAV2=no
USEWINBINDAUTH=no
USESMARTCARD=no
USELOCAUTHORIZE=yes
USENIS=no
USEKERBEROS=no
USESYSNETAUTH=no
USEDB=no
USEPASSWDQC=no

# /etc/sudo-ldap.conf
echo "uri ldap://192.168.9.253
sudoers_base ou=sudoers,dc=dabayouxi,dc=com" >> /etc/sudo-ldap.conf

# /etc/openldap/ldap.conf
vim /etc/openldap/ldap.conf
TLS_CACERTDIR /etc/openldap/cacerts
URI ldap://192.168.9.253
BASE dc=dabayouxi,dc=com

# /etc/security/access.conf
vim /etc/security/access.conf
Add the following line:
-:ALL EXCEPT root web:ALL

(5) Start the service
service nslcd restart

(6) Test
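The policy entry in 1.5 (5) is meant to satisfy the nine password requirements listed at the top of the page. As an added example (not part of the original post), the following Python script parses a pwpolicies LDIF offline and reports which requirements the entry does not meet; run on the page's own values it flags pwdLockoutDuration 300, which lets a locked account unlock itself after five minutes instead of waiting for an administrator as requirement (9) asks.

```python
# Added example, not from the original post: an offline check that the
# pwpolicies LDIF from section 1.5 enforces the password requirements listed
# at the top of the page. SAMPLE_LDIF is constructed from the page's own values.
import re

SAMPLE_LDIF = """\
dn: cn=default,ou=pwpolicies,dc=dabayouxi,dc=com
cn: default
objectClass: pwdPolicy
objectClass: person
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdExpireWarning: 259200
pwdFailureCountInterval: 0
pwdGraceAuthNLimit: 5
pwdInHistory: 5
pwdLockout: TRUE
pwdLockoutDuration: 300
pwdMaxAge: 2592000
pwdMaxFailure: 5
pwdMinAge: 0
pwdMinLength: 8
pwdMustChange: TRUE
pwdSafeModify: TRUE
sn: dummyvalue
"""

def parse_ldif(text):
    """Return {dn: {attr: [values]}} from blank-line separated entries (no base64 '::' or continuation lines)."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip(), []).append(value.strip())
        entries[attrs.pop("dn")[0]] = attrs
    return entries

def check_policy(policy):
    """Map the page's numbered requirements onto slapo-ppolicy attributes; return the unmet ones."""
    val = lambda attr, default="": policy.get(attr, [default])[0]
    findings = []
    if val("pwdMustChange") != "TRUE":
        findings.append("(1) pwdMustChange must be TRUE for pwdReset to force a change")
    if int(val("pwdMinLength", "0")) < 8:
        findings.append("(2) pwdMinLength is below 8")
    if int(val("pwdExpireWarning", "0")) <= 0:
        findings.append("(4) pwdExpireWarning is 0: no warning before expiry")
    if val("pwdLockout") != "TRUE" or int(val("pwdMaxFailure", "0")) <= 0:
        findings.append("(6) pwdLockout/pwdMaxFailure do not lock after failed binds")
    if val("pwdAllowUserChange", "TRUE") != "TRUE":
        findings.append("(8) pwdAllowUserChange is FALSE: users cannot change passwords")
    if int(val("pwdLockoutDuration", "0")) != 0:
        # 0 keeps the account locked until an administrator clears
        # pwdAccountLockedTime; any other value is seconds until it unlocks itself.
        findings.append("(9) pwdLockoutDuration is non-zero: lockout expires automatically")
    return findings

def audit(text):
    """Run check_policy over every pwdPolicy entry in an LDIF file."""
    entries = parse_ldif(text)
    return {dn: check_policy(attrs) for dn, attrs in entries.items()
            if "pwdPolicy" in attrs.get("objectClass", [])}
```

Point audit() at the real /data0/ldapldif/policy/default.ldif before running ldapadd; an empty finding list means the entry matches the requirements the script knows how to check.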