  • openldap主机访问控制(基于用户组)

    建立组织单元

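    # Create the three containers (ou=host, ou=people, ou=group) that the rest of the
    # walkthrough populates. ldapadd reads LDIF from stdin, so no `cat` is needed, and
    # the quoted delimiter stops the shell from expanding anything inside the LDIF.
    # -W prompts for the rootdn password instead of taking it on the command line.
    ldapadd -x -W -H ldaps://master.local -D cn=manager,dc=suntv,dc=tv <<'_EOF_'
    dn: ou=host,dc=suntv,dc=tv
    ou: host
    objectClass: organizationalUnit
    
    dn: ou=people,dc=suntv,dc=tv
    ou: people
    objectClass: organizationalUnit
    
    dn: ou=group,dc=suntv,dc=tv
    ou: group
    objectClass: organizationalUnit
    _EOF_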
    

    建立用户组

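    # Create the POSIX groups that become the users' primary groups (gidNumber 2001-2003
    # are referenced by the accounts added in the next step). ldapadd reads stdin
    # directly, so the `cat` pipe is dropped and the heredoc delimiter is quoted.
    ldapadd -x -W -H ldaps://master.local -D cn=manager,dc=suntv,dc=tv <<'_EOF_'
    dn: cn=admin,ou=group,dc=suntv,dc=tv
    objectClass: posixGroup
    cn: admin
    gidNumber: 2001
    
    dn: cn=op,ou=group,dc=suntv,dc=tv
    objectClass: posixGroup
    cn: op
    gidNumber: 2002
    
    dn: cn=dev,ou=group,dc=suntv,dc=tv
    objectClass: posixGroup
    cn: dev
    gidNumber: 2003
    _EOF_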
    

    建立用户

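    # Create one test account per group. The heredoc delimiter is quoted so nothing in
    # the LDIF is shell-expanded, and ldapadd reads stdin directly (no `cat` needed).
    #
    # userPassword is stored exactly as written: ldapadd does not hash it, so "123456"
    # ends up in the directory in cleartext and is readable by anyone the ACLs allow to
    # see the attribute. For anything beyond a throwaway lab, generate a {SSHA} value
    # with `slappasswd` and paste that instead, or set the password afterwards with
    # `ldappasswd` so the server hashes it.
    ldapadd -x -W -H ldaps://master.local -D cn=manager,dc=suntv,dc=tv <<'_EOF_'
    dn: uid=admin01,ou=people,dc=suntv,dc=tv
    objectClass: posixAccount
    objectClass: shadowAccount
    objectClass: inetOrgPerson
    uid: admin01
    cn: admin01
    sn: admin01
    userPassword: 123456
    # shadowLastChange is days since 1970-01-01, the same unit /etc/shadow uses.
    shadowLastChange: 17085
    shadowMin: 0
    shadowMax: 99999
    shadowWarning: 7
    loginShell: /bin/bash
    uidNumber: 1001
    # primary group = cn=admin,ou=group (gidNumber 2001)
    gidNumber: 2001
    homeDirectory: /home/admin01
    
    dn: uid=op01,ou=people,dc=suntv,dc=tv
    objectClass: posixAccount
    objectClass: shadowAccount
    objectClass: inetOrgPerson
    uid: op01
    cn: op01
    sn: op01
    userPassword: 123456
    shadowLastChange: 17085
    shadowMin: 0
    shadowMax: 99999
    shadowWarning: 7
    loginShell: /bin/bash
    uidNumber: 1002
    # primary group = cn=op,ou=group (gidNumber 2002)
    gidNumber: 2002
    homeDirectory: /home/op01
    
    dn: uid=dev01,ou=people,dc=suntv,dc=tv
    objectClass: posixAccount
    objectClass: shadowAccount
    objectClass: inetOrgPerson
    uid: dev01
    cn: dev01
    sn: dev01
    userPassword: 123456
    shadowLastChange: 17085
    shadowMin: 0
    shadowMax: 99999
    shadowWarning: 7
    loginShell: /bin/bash
    uidNumber: 1003
    # primary group = cn=dev,ou=group (gidNumber 2003)
    gidNumber: 2003
    homeDirectory: /home/dev01
    _EOF_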
    

    建立授权用户组

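    # Create the host-access groups under ou=host. These are groupOfNames entries whose
    # `member` values are the user DNs; the memberof overlay (configured below) turns
    # them into the memberOf attribute that sssd's ldap_access_filter matches on.
    #
    # Fix: the cn=op entry originally carried `cn: dev`. The RDN value must also be
    # present as an attribute value, so slapd rejects that entry as a naming violation;
    # it must be `cn: op`.
    ldapadd -x -W -H ldaps://master.local -D cn=manager,dc=suntv,dc=tv <<'_EOF_'
    dn: cn=admin,ou=host,dc=suntv,dc=tv
    objectclass: groupOfNames
    cn: admin
    member: uid=admin01,ou=people,dc=suntv,dc=tv
    
    dn: cn=dev,ou=host,dc=suntv,dc=tv
    objectclass: groupOfNames
    cn: dev
    member: uid=dev01,ou=people,dc=suntv,dc=tv
    
    dn: cn=op,ou=host,dc=suntv,dc=tv
    objectclass: groupOfNames
    cn: op
    member: uid=op01,ou=people,dc=suntv,dc=tv
    _EOF_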
    

    openldap服务器配置反向组查询

    # /etc/openldap/slapd.conf 确保有以下配置项
    modulepath /usr/lib64/openldap
    moduleload memberof.la
    overlay memberof
    
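    # Regenerate the cn=config tree (slapd.d) from slapd.conf so the memberof overlay
    # takes effect. Each step is chained with && so a failure stops the sequence
    # instead of restarting slapd on a broken or empty configuration:
    #   1. dry-run (-u) parse of slapd.conf, writing nothing, to catch typos first;
    #   2. clear the old tree (the original wipes it so the conversion starts fresh);
    #   3. convert slapd.conf into slapd.d;
    #   4. hand ownership to the ldap user slapd runs as, then restart.
    # `--` keeps the glob from being parsed as options if an odd filename is present.
    slaptest -u -f /etc/openldap/slapd.conf \
      && rm -rf -- /etc/openldap/slapd.d/* \
      && slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d \
      && chown -R ldap:ldap /etc/openldap/slapd.d \
      && systemctl restart slapd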
    

    测试

    # memberOf is maintained by the memberof overlay and is an operational attribute,
    # so it is only returned when it is requested by name, as it is here.
    ldapsearch -x -W -H ldaps://master.local -D cn=manager,dc=suntv,dc=tv -b uid=op01,ou=people,dc=suntv,dc=tv "uid=op01" memberOf

    # extended LDIF
    #
    # LDAPv3
    # base <uid=op01,ou=people,dc=suntv,dc=tv> with scope subtree
    # filter: uid=op01
    # requesting: memberOf 
    #
    
    # op01, people, suntv.tv
    dn: uid=op01,ou=people,dc=suntv,dc=tv
    memberOf: cn=op,ou=host,dc=suntv,dc=tv # 这里是关键
    
    # search result
    search: 2
    result: 0 Success
    
    # numResponses: 2
    # numEntries: 1
    

    # NOTE(review): the output below shows memberOf: cn=all,ou=host,dc=suntv,dc=tv,
    # but the only ou=host group created for admin01 above is cn=admin -- confirm
    # which value the directory actually holds.
    ldapsearch -x -W -H ldaps://master.local -D cn=manager,dc=suntv,dc=tv -b uid=admin01,ou=people,dc=suntv,dc=tv "uid=admin01" memberOf

    # admin01, people, suntv.tv
    dn: uid=admin01,ou=people,dc=suntv,dc=tv
    memberOf: cn=all,ou=host,dc=suntv,dc=tv
    
    

    # Same check for dev01; the expected value is the cn=dev entry under ou=host.
    ldapsearch -x -W -H ldaps://master.local -D cn=manager,dc=suntv,dc=tv -b uid=dev01,ou=people,dc=suntv,dc=tv "uid=dev01" memberOf

    # dev01, people, suntv.tv
    dn: uid=dev01,ou=people,dc=suntv,dc=tv
    memberOf: cn=dev,ou=host,dc=suntv,dc=tv
    

    登录服务器配置

    # Client side: the LDAP command-line tools (useful for the checks above) plus sssd.
    yum -y install openldap-clients sssd
    
    # Turn sssd on for both name lookup and authentication, point it at the two LDAP
    # servers over ldaps://, and create home directories on first login. The
    # sssd.conf this writes is replaced wholesale in the next step.
    authconfig \
      --enablesssd --enablesssdauth \
      --enableldap --enableldapauth \
      --ldapserver=ldaps://master.local,ldaps://slave.local \
      --ldapbasedn='dc=suntv,dc=tv' \
      --enablelocauthorize --enableldaptls --enablemkhomedir \
      --update
    
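    # Write the sssd configuration. The heredoc delimiter is quoted so nothing in the
    # file is shell-expanded.
    #
    # Fix: the original set `ldap_tls_reqcert = never`, which makes sssd accept any
    # certificate master.local presents and so removes the server authentication that
    # ldaps:// is supposed to give. A CA file is already configured below, so require
    # a valid certificate (`demand`) instead.
    cat > /etc/sssd/sssd.conf <<'_EOF_'
    [domain/LDAP]
    # 9 is the most verbose level; lower it once logins work, the logs grow quickly.
    debug_level = 9
    cache_credentials = True
    enumerate = false
    
    id_provider = ldap
    auth_provider = ldap
    chpass_provider = ldap
    
    ldap_uri = ldaps://master.local
    ldap_backup_uri = ldaps://slave.local
    ldap_search_base = dc=suntv,dc=tv
    ldap_user_search_base = ou=people,dc=suntv,dc=tv
    ldap_group_search_base = ou=group,dc=suntv,dc=tv
    
    # Host access control: only users whose memberOf (from the memberof overlay)
    # matches one of the listed ou=host groups may log in on this machine.
    access_provider = ldap
    ldap_access_order = filter
    ldap_access_filter = (|(memberOf=cn=admin,ou=host,dc=suntv,dc=tv)(memberOf=cn=dev,ou=host,dc=suntv,dc=tv))
    
    ldap_tls_cacertdir = /etc/openldap/cacerts
    ldap_tls_cacert = /etc/openldap/cacerts/ca.crt
    # The server certificate must chain to ca.crt above and match the host name;
    # 'never' would skip that check entirely.
    ldap_tls_reqcert = demand
    # STARTTLS is not needed here: the ldaps:// URIs above use TLS from the start.
    ldap_id_use_start_tls = false
    
    [sssd]
    domains = LDAP
    # Only the responders listed here are started; the [sudo] and [ssh] sections
    # below are inert unless they are added to this line.
    services = nss, pam
    config_file_version = 2
    
    [nss]
    domains = LDAP
    filter_users = root
    filter_groups = root
    
    [pam]
    domains = LDAP
    
    [sudo]
    domains = LDAP
    
    [ssh]
    domains = LDAP
    _EOF_
    # sssd refuses to start unless its config is owned by root and unreadable by
    # others; a `cat >` onto a fresh path would otherwise leave the umask default.
    chown root:root /etc/sssd/sssd.conf
    chmod 0600 /etc/sssd/sssd.conf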
    

    配置自启动

    centos7 : 
    # Pick up the new sssd.conf now, then make sssd start on boot.
    systemctl restart sssd
    systemctl enable sssd
    
    centos6 : 
    # SysV equivalent of the systemd commands above.
    /etc/init.d/sssd restart
    chkconfig sssd on
    

    权限

    192.168.1.21 centos7  允许op组及admin组登录
    ldap_access_filter =  (|(memberOf=cn=admin,ou=host,dc=suntv,dc=tv)(memberOf=cn=op,ou=host,dc=suntv,dc=tv))
    
    192.168.1.22 centos6  允许dev组及admin组登录
    ldap_access_filter =  (|(memberOf=cn=admin,ou=host,dc=suntv,dc=tv)(memberOf=cn=dev,ou=host,dc=suntv,dc=tv))
    

    测试结果

    op01 登录192.168.1.21成功,登录192.168.1.22失败
    dev01 登录192.168.1.21失败,登录192.168.1.22成功
    admin01 登录192.168.1.21成功,登录192.168.1.22成功
    
    [root@centos-1-21 home]# ll
    total 0
    drwx------ 2 admin01 admin 79 Oct 14 16:40 admin01
    drwx------ 2 op01    op    79 Oct 14 16:40 op01
    
    [root@centos6-1-22 home]# ll
    total 8
    drwx------ 2 admin01 admin 4096 Oct 14 16:40 admin01
    drwx------ 2 dev01   dev   4096 Oct 14 16:40 dev01
    
  • 原文地址:https://www.cnblogs.com/liujitao79/p/5959939.html