  • openldap主机访问控制(基于用户组)

    建立组织单元

    # Create the three organizational units under the suffix: ou=host (access
    # groups per host), ou=people (accounts) and ou=group (POSIX groups).
    # The quoted delimiter keeps the LDIF literal; -W prompts for the manager
    # password on the terminal instead of taking it from the command line.
    ldapadd -x -W -H ldaps://master.local -D cn=manager,dc=suntv,dc=tv <<'_EOF_'
    dn: ou=host,dc=suntv,dc=tv
    objectClass: organizationalUnit
    ou: host
    
    dn: ou=people,dc=suntv,dc=tv
    objectClass: organizationalUnit
    ou: people
    
    dn: ou=group,dc=suntv,dc=tv
    objectClass: organizationalUnit
    ou: group
    _EOF_
    

    建立用户组

    # Create the POSIX primary groups (gidNumber 2001-2003) that the accounts
    # below reference. These are *not* the access-control groups; those live
    # under ou=host and are created separately.
    ldapadd -x -W -H ldaps://master.local -D cn=manager,dc=suntv,dc=tv <<'_EOF_'
    dn: cn=admin,ou=group,dc=suntv,dc=tv
    objectClass: posixGroup
    gidNumber: 2001
    cn: admin
    
    dn: cn=op,ou=group,dc=suntv,dc=tv
    objectClass: posixGroup
    gidNumber: 2002
    cn: op
    
    dn: cn=dev,ou=group,dc=suntv,dc=tv
    objectClass: posixGroup
    gidNumber: 2003
    cn: dev
    _EOF_
    

    建立用户

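    # Create the three accounts. Passwords are NOT written into the LDIF in
    # clear text: slappasswd prompts for each one on the terminal and prints a
    # salted {SSHA} hash, and that hash is what gets stored in userPassword.
    # Use a distinct, non-trivial password per account (the original listing
    # stored the literal '123456' for all three users).
    hashpw() {
      printf '== password for %s ==\n' "$1" >&2
      slappasswd -h '{SSHA}'
    }
    admin01_pw=$(hashpw admin01) || exit 1
    op01_pw=$(hashpw op01) || exit 1
    dev01_pw=$(hashpw dev01) || exit 1
    
    # NOTE(review): shadowMax 99999 effectively disables password expiry;
    # tighten it to the site's policy. The heredoc delimiter is deliberately
    # unquoted so the ${..._pw} hashes above are expanded into the LDIF.
    cat << _EOF_ | ldapadd -x -W -H ldaps://master.local -D cn=manager,dc=suntv,dc=tv
    dn: uid=admin01,ou=people,dc=suntv,dc=tv
    objectClass: posixAccount
    objectClass: shadowAccount
    objectClass: inetOrgPerson
    uid: admin01
    cn: admin01
    sn: admin01
    userPassword: ${admin01_pw}
    shadowLastChange: 17085
    shadowMin: 0
    shadowMax: 99999
    shadowWarning: 7
    loginShell: /bin/bash
    uidNumber: 1001
    gidNumber: 2001
    homeDirectory: /home/admin01
    
    dn: uid=op01,ou=people,dc=suntv,dc=tv
    objectClass: posixAccount
    objectClass: shadowAccount
    objectClass: inetOrgPerson
    uid: op01
    cn: op01
    sn: op01
    userPassword: ${op01_pw}
    shadowLastChange: 17085
    shadowMin: 0
    shadowMax: 99999
    shadowWarning: 7
    loginShell: /bin/bash
    uidNumber: 1002
    gidNumber: 2002
    homeDirectory: /home/op01
    
    dn: uid=dev01,ou=people,dc=suntv,dc=tv
    objectClass: posixAccount
    objectClass: shadowAccount
    objectClass: inetOrgPerson
    uid: dev01
    cn: dev01
    sn: dev01
    userPassword: ${dev01_pw}
    shadowLastChange: 17085
    shadowMin: 0
    shadowMax: 99999
    shadowWarning: 7
    loginShell: /bin/bash
    uidNumber: 1003
    gidNumber: 2003
    homeDirectory: /home/dev01
    _EOF_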
    

    建立授权用户组

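    # Access groups under ou=host. A user may log in to a host only if the
    # host's sssd ldap_access_filter names a group the user is a member of.
    # Every entry's cn must match its RDN: the original listing had 'cn: dev'
    # under 'dn: cn=op,...', which slapd rejects as a naming violation.
    # NOTE(review): create these only after the memberof overlay (configured
    # below) is loaded; the overlay does not backfill memberOf for memberships
    # that already existed when it was enabled.
    ldapadd -x -W -H ldaps://master.local -D cn=manager,dc=suntv,dc=tv <<'_EOF_'
    dn: cn=admin,ou=host,dc=suntv,dc=tv
    objectClass: groupOfNames
    cn: admin
    member: uid=admin01,ou=people,dc=suntv,dc=tv
    
    dn: cn=dev,ou=host,dc=suntv,dc=tv
    objectClass: groupOfNames
    cn: dev
    member: uid=dev01,ou=people,dc=suntv,dc=tv
    
    dn: cn=op,ou=host,dc=suntv,dc=tv
    objectClass: groupOfNames
    cn: op
    member: uid=op01,ou=people,dc=suntv,dc=tv
    _EOF_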
    

    openldap服务器配置反向组查询

    # /etc/openldap/slapd.conf 确保有以下配置项
    # The memberof overlay only maintains memberOf for group changes made after
    # it is loaded; it does not backfill existing groupOfNames entries. Load it
    # before creating the ou=host groups, or delete and re-add them afterwards.
    modulepath /usr/lib64/openldap
    moduleload memberof.la
    overlay memberof
    
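    # Regenerate the cn=config tree from slapd.conf. Convert into a fresh
    # directory first and only swap it in (and restart) when slaptest succeeds;
    # the original 'rm -rf slapd.d/*' before slaptest left the server with no
    # usable config at all if slapd.conf had a typo.
    new_cfg=$(mktemp -d /etc/openldap/slapd.d.new.XXXXXX) || exit 1
    if slaptest -f /etc/openldap/slapd.conf -F "$new_cfg"; then
      mv /etc/openldap/slapd.d "/etc/openldap/slapd.d.bak.$(date +%Y%m%d%H%M%S)"
      mv "$new_cfg" /etc/openldap/slapd.d
      chown -R ldap:ldap /etc/openldap/slapd.d
      systemctl restart slapd
    else
      rm -rf -- "${new_cfg:?}"
      echo 'slaptest failed: existing slapd.d kept, slapd not restarted' >&2
      exit 1
    fi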
    

    测试

    # memberOf is maintained by the overlay and must be requested by name; it
    # is not part of the default attribute set returned by a search.
    ldapsearch -H ldaps://master.local -D cn=manager,dc=suntv,dc=tv -x -W -b uid=op01,ou=people,dc=suntv,dc=tv "uid=op01" memberOf

    # extended LDIF
    #
    # LDAPv3
    # base <uid=op01,ou=people,dc=suntv,dc=tv> with scope subtree
    # filter: uid=op01
    # requesting: memberOf 
    #
    
    # op01, people, suntv.tv
    dn: uid=op01,ou=people,dc=suntv,dc=tv
    memberOf: cn=op,ou=host,dc=suntv,dc=tv
    # ^ this is the attribute the sssd access filter keys on (这里是关键)
    
    # search result
    search: 2
    result: 0 Success
    
    # numResponses: 2
    # numEntries: 1
    

    # Same check for admin01; expected to show the cn=admin,ou=host group.
    ldapsearch -H ldaps://master.local -D cn=manager,dc=suntv,dc=tv -x -W -b uid=admin01,ou=people,dc=suntv,dc=tv "uid=admin01" memberOf

    # admin01, people, suntv.tv
    dn: uid=admin01,ou=people,dc=suntv,dc=tv
    memberOf: cn=admin,ou=host,dc=suntv,dc=tv
    
    

    # Same check for dev01; expected to show the cn=dev,ou=host group.
    ldapsearch -H ldaps://master.local -D cn=manager,dc=suntv,dc=tv -x -W -b uid=dev01,ou=people,dc=suntv,dc=tv "uid=dev01" memberOf

    # dev01, people, suntv.tv
    dn: uid=dev01,ou=people,dc=suntv,dc=tv
    memberOf: cn=dev,ou=host,dc=suntv,dc=tv
    

    登录服务器配置

    # Client side: LDAP tools plus SSSD. authconfig wires NSS/PAM to sssd and
    # creates home directories on first login (--enablemkhomedir).
    yum install -y openldap-clients sssd
    
    # NOTE(review): --enableldaptls asks for STARTTLS while the servers are
    # given as ldaps:// URIs; the hand-written sssd.conf that follows sets
    # ldap_id_use_start_tls = false, which is what actually takes effect.
    authconfig --enablesssd --enablesssdauth --enableldap --enableldapauth \
      --ldapserver=ldaps://master.local,ldaps://slave.local \
      --ldapbasedn='dc=suntv,dc=tv' --enablelocauthorize --enableldaptls \
      --enablemkhomedir --update
    
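    # Write the SSSD domain config. The delimiter is quoted so nothing in the
    # file is shell-expanded, and the file is locked down afterwards because
    # sssd refuses to start unless sssd.conf is mode 0600 and owned by root.
    cat > /etc/sssd/sssd.conf <<'_EOF_'
    [domain/LDAP]
    # 9 is the most verbose level; lower it once the setup works, the log then
    # carries user names, DNs and access decisions.
    debug_level = 9
    cache_credentials = True
    enumerate = false
    
    id_provider = ldap
    auth_provider = ldap
    chpass_provider = ldap
    
    ldap_uri = ldaps://master.local
    ldap_backup_uri = ldaps://slave.local
    ldap_search_base = dc=suntv,dc=tv
    ldap_user_search_base = ou=people,dc=suntv,dc=tv
    ldap_group_search_base = ou=group,dc=suntv,dc=tv
    
    # Host access control: only members of the listed ou=host groups may log
    # in. The group list differs per host; see the per-host filters below.
    access_provider = ldap
    ldap_access_order = filter
    ldap_access_filter = (|(memberOf=cn=admin,ou=host,dc=suntv,dc=tv)(memberOf=cn=dev,ou=host,dc=suntv,dc=tv))
    
    # Verify the server certificate against the configured CA. The original
    # 'never' accepted any certificate, so anyone able to intercept the LDAPS
    # connection could capture bind passwords and answer the access-filter
    # search with forged memberOf data.
    ldap_tls_cacertdir = /etc/openldap/cacerts
    ldap_tls_cacert = /etc/openldap/cacerts/ca.crt
    ldap_tls_reqcert = demand
    # URIs are ldaps://, so no STARTTLS upgrade is wanted.
    ldap_id_use_start_tls = false
    
    [sssd]
    domains = LDAP
    services = nss, pam
    config_file_version = 2
    
    [nss]
    domains = LDAP
    filter_users = root
    filter_groups = root
    
    [pam]
    domains = LDAP
    
    # [sudo] and [ssh] only take effect if added to 'services' above.
    [sudo]
    domains = LDAP
    
    [ssh]
    domains = LDAP
    _EOF_
    chown root:root /etc/sssd/sssd.conf
    chmod 0600 /etc/sssd/sssd.conf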
    

    配置自启动

    centos7 :
    # CentOS 7: enable at boot, then (re)start so the new config is loaded.
    systemctl enable sssd
    systemctl restart sssd
    
    centos6 : 
    # CentOS 6 (SysV): enable at boot, then (re)start so the new config is loaded.
    chkconfig sssd on
    /etc/init.d/sssd restart
    

    权限

    192.168.1.21 centos7  允许op组及admin组登录
    ldap_access_filter =  (|(memberOf=cn=admin,ou=host,dc=suntv,dc=tv)(memberOf=cn=op,ou=host,dc=suntv,dc=tv))
    
    192.168.1.22 centos6  允许dev组及admin组登录
    ldap_access_filter =  (|(memberOf=cn=admin,ou=host,dc=suntv,dc=tv)(memberOf=cn=dev,ou=host,dc=suntv,dc=tv))
    

    测试结果

    op01 登录192.168.1.21成功,登录192.168.1.22失败
    dev01 登录192.168.1.21失败,登录192.168.1.22成功
    admin01 登录192.168.1.21成功,登录192.168.1.22成功
    
    [root@centos-1-21 home]# ll
    total 0
    drwx------ 2 admin01 admin 79 Oct 14 16:40 admin01
    drwx------ 2 op01    op    79 Oct 14 16:40 op01
    
    [root@centos6-1-22 home]# ll
    total 8
    drwx------ 2 admin01 admin 4096 Oct 14 16:40 admin01
    drwx------ 2 dev01   dev   4096 Oct 14 16:40 dev01
    
  • 原文地址:https://www.cnblogs.com/liujitao79/p/5959939.html