zoukankan      html  css  js  c++  java
  • ldap + kerberos 整合

    第一部分:ldap

    1. 安装ldap

    yum install -y openldap openldap-clients openldap-servers openldap-devel



    2. 配置ldap

    # cat /etc/openldap/slapd.conf
    include /etc/openldap/schema/core.schema
    include /etc/openldap/schema/cosine.schema
    include /etc/openldap/schema/inetorgperson.schema
    include /etc/openldap/schema/misc.schema
    include /etc/openldap/schema/nis.schema
    include /etc/openldap/schema/kerberos.schema

    pidfile     /var/run/openldap/slapd.pid
    argsfile    /var/run/openldap/slapd.args

    loglevel 135
    idletimeout 5
    writetimeout 5

    access to attrs=userPassword
        by self read
        by dn.exact="cn=ops,ou=Control,dc=lishen,dc=com" write
        by anonymous auth

    access to dn.subtree="cn=Kerberos,dc=lishen,dc=com"
        by dn.exact="cn=kdc-adm,ou=Control,dc=lishen,dc=com" write
        by dn.exact="cn=kdc-srv,ou=Control,dc=lishen,dc=com" read
        by * none

    access to dn.base=""
        by * read

    access to *
        by self write
        by dn.base="cn=ops,ou=Control,dc=lishen,dc=com" write
        by users read
        by anonymous read

    #TLSCipherSuite        HIGH:MEDIUM:-SSLv2
    #TLSVerifyClient       never
    TLSCertificateFile    /etc/openldap/certs/server.pem
    TLSCertificateKeyFile /etc/openldap/certs/server.pem
    TLSCACertificateFile  /etc/openldap/certs/server.pem

    #######################################################################
    # BDB database definitions
    #######################################################################
    database    hdb
    suffix      "dc=lishen,dc=com"
    checkpoint  32    30
    rootdn      "cn=root,ou=Control,dc=lishen,dc=com"
    rootpw      {SSHA}ifM5X6pQS2eO8hODguTPmjRLFyCnVWvP
    directory   /var/lib/ldap/
    dbconfig    set_cachesize  0 268435456 1
    dbconfig    set_lg_regionmax 262144
    dbconfig    set_lg_bsize 2097152
    index       objectClass,entryCSN,entryUUID eq
    index       uid,uidNumber,gidNumber eq,pres
    index       ou,krbPrincipalName eq,pres,sub


    说明:
    1. rootpw 后面的密码是由命令 slappasswd -s 123456 生成
    2. 证书使用命令生成:openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout server.pem -days 36500 


    3. 启动openldap服务:slapd

    service slapd restart


    4. 测试:现在数据库是空的

    slapcat
    ldapsearch -x -D 'cn=root,ou=Control,dc=lishen,dc=com' -w 123456 -h 127.0.0.1 -b 'dc=lishen,dc=com'


    5. 初始化数据库
    准备ldif文件:


    cat init.ldif
    dn: dc=lishen,dc=com
    dc: lishen
    objectClass: domain
    objectClass: dcObject

    dn: ou=Group,dc=lishen,dc=com
    ou: Group
    objectClass: organizationalUnit

    dn: ou=Aliases,dc=lishen,dc=com
    ou: Aliases
    objectClass: organizationalUnit

    dn: ou=People,dc=lishen,dc=com
    ou: People
    objectClass: organizationalUnit

    dn: cn=Kerberos,dc=lishen,dc=com
    cn: Kerberos
    objectClass: organizationalRole

    dn: ou=Control,dc=lishen,dc=com
    ou: Control
    objectClass: organizationalUnit

    dn: cn=kdc-srv,ou=Control,dc=lishen,dc=com
    cn: kdc-srv
    userPassword:: e1NTSEF9cUNhclpCYXN1SWhGRExkQ1o4bUxTbkMyZXg3bXQ2UTMK
    objectClass: simpleSecurityObject
    objectClass: organizationalRole

    dn: cn=kdc-adm,ou=Control,dc=lishen,dc=com
    cn: kdc-adm
    userPassword:: e1NTSEF9cUNhclpCYXN1SWhGRExkQ1o4bUxTbkMyZXg3bXQ2UTMK
    objectClass: simpleSecurityObject
    objectClass: organizationalRole

    dn: cn=root,ou=Control,dc=lishen,dc=com
    cn: root
    userPassword:: e1NTSEF9cUNhclpCYXN1SWhGRExkQ1o4bUxTbkMyZXg3bXQ2UTMK
    objectClass: simpleSecurityObject
    objectClass: organizationalRole

    dn: cn=demo_users,ou=Group,dc=lishen,dc=com
    cn: demo_users
    gidNumber: 20000
    objectClass: posixGroup

    dn: uid=test,ou=People,dc=lishen,dc=com
    uid: test
    uidNumber: 10000
    gidNumber: 20000
    sn: Test
    cn: Test User
    loginShell: /bin/bash
    homeDirectory: /home/users/test
    objectClass: person
    objectClass: posixAccount
    objectClass: inetOrgPerson
    objectClass: organizationalPerson


    说明:文件中的userPassword由命令slappasswd  -s 123456 | base64生成

    执行命令导入数据:ldapadd -x -D 'cn=root,ou=Control,dc=lishen,dc=com' -w 123456 -h 127.0.0.1 -f init.ldif

    执行命令验证数据导入是否成功: ldapsearch -x -D 'cn=root,ou=Control,dc=lishen,dc=com' -w 123456 -h 127.0.0.1 -b 'dc=lishen,dc=com'

    6. 去掉配置文件中配置的rootdn密码,因为ldif文件中已经配置了密码
    注释掉slapd.conf文件中的rootpw      {SSHA}J/6iFFDlPhucaupBEI9V//gkIFTZBNrr
    重启slapd:service slapd restart
    测试是否密码正确:ldapsearch -x -D 'cn=root,ou=Control,dc=lishen,dc=com' -w 123456 -h 127.0.0.1 -b 'dc=lishen,dc=com'

    7. 现在如果要使用LDAP作为用户认证,只需要给用户(uid=test)添加userPassword属性即可
    准备ldif文件:

    cat add.ldif
    dn: uid=test,ou=People,dc=lishen,dc=com
    changetype: modify
    add: userPassword
    userPassword:: e1NTSEF9Ym0rZXloV1ExalB1aWNEVU1BaHlNM0hZVHh3REIrWU4K

    执行命令:ldapmodify -x -D  'cn=root,ou=Control,dc=lishen,dc=com' -w 123456 -h 127.0.0.1 -f add.ldif

    如果需要更改密码,ldif例子如下:


    # cat /tmp/change.ldif
    dn: cn=kdc-adm,ou=Control,dc=demo,dc=local
    changetype: modify
    replace: userPassword
    userPassword: e1NTSEF9aGc5OGh0OGVlbiszaGk3OFhkRVlWc0MzNWJ2SWRCcG8K


    dn: cn=kdc-srv,ou=Control,dc=demo,dc=local
    changetype: modify
    replace: userPassword
    userPassword: e1NTSEF9aGc5OGh0OGVlbiszaGk3OFhkRVlWc0MzNWJ2SWRCcG8K


    执行命令:ldapmodify -x -D  'cn=root,ou=Control,dc=lishen,dc=com' -w 123456 -h 127.0.0.1 -f change.ldif


    第二部分:kerberos

    1. 安装kerberos

    yum install krb5-server krb5-libs


    2. 配置Kerberos

    cat /etc/krb5.conf
    [libdefaults]
        debug = false
        default_realm = LISHEN.COM

    [realms]
        LISHEN.COM = {
            kdc = 127.0.0.1
            admin_server = 127.0.0.1
            default_domain = lishen.com
            database_module = openldap_ldapconf
            key_stash_file = /etc/krb5.LISHEN.COM
            max_life = 1d 0h 0m 0s
            max_renewable_life = 90d 0h 0m 0s
            dict_file = /usr/share/dict/words
        }

    [domain_realm]
        .lishen.com = LISHEN.COM
         lishen.com = LISHEN.COM

    [logging]
        default = SYSLOG
        admin_server = FILE:/var/log/kadmind.log
        kdc = FILE:/var/log/kdc.log

    [dbdefaults]
        ldap_kerberos_container_dn = cn=Kerberos,dc=lishen,dc=com

    [dbmodules]
        openldap_ldapconf = {
            db_library = kldap
            ldap_servers = ldapi://
            ldap_kerberos_container_dn = cn=Kerberos,dc=lishen,dc=com
            ldap_kdc_dn = cn=kdc-srv,ou=Control,dc=lishen,dc=com
            ldap_kadmind_dn = cn=kdc-adm,ou=Control,dc=lishen,dc=com
            ldap_service_password_file = /etc/krb5.ldap
            ldap_conns_per_server = 5

        }

        
    说明: ldap_kerberos_container_dn must start with a 'cn'.    

    4. 生成访问ldap的服务密码文件

    kdb5_ldap_util -D cn=root,ou=Control,dc=lishen,dc=com  -w 123456 stashsrvpw -f /etc/krb5.ldap  cn=kdc-srv,ou=Control,dc=lishen,dc=com
    kdb5_ldap_util -D cn=root,ou=Control,dc=lishen,dc=com  -w 123456 stashsrvpw -f /etc/krb5.ldap  cn=kdc-adm,ou=Control,dc=lishen,dc=com


    5. 创建kerberos数据库

    kdb5_ldap_util -D cn=root,ou=Control,dc=lishen,dc=com -H ldap://  create  -r LISHEN.COM


    6. 启动kerberos
    #

    service krb5kdc restart


    7. 测试:添加用户

    # kadmin.local
    Authenticating as principal root/admin@LISHEN.COM with password.
    kadmin.local:  addprinc test
    WARNING: no policy specified for test@LISHEN.COM; defaulting to no policy
    Enter password for principal "test@LISHEN.COM":
    Re-enter password for principal "test@LISHEN.COM":
    Principal "test@LISHEN.COM" created.

    #slapcat |grep "test"
    dn: uid=test,ou=People,dc=lishen,dc=com
    uid: test
    homeDirectory: /home/users/test
    dn: krbPrincipalName=test@LISHEN.COM,cn=LISHEN.COM,cn=Kerberos,dc=lishen,dc=co
    krbPrincipalName: test@LISHEN.COM

    添加用户成功

    测试获取凭证:

    # kinit test
    Password for test@LISHEN.COM:
    # klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: test@LISHEN.COM

    Valid starting       Expires              Service principal
    10/16/2016 02:11:55  10/17/2016 02:11:55  krbtgt/LISHEN.COM@LISHEN.COM



    帮助:
    1. http://blog.clanzx.net/2013/09/27/ldap-kerberos.html
    2. http://web.mit.edu/KERBEROS/krb5-1.12/doc/admin/conf_ldap.html
    3. http://docs.adaptivecomputing.com/viewpoint/hpc/Content/topics/1-setup/installSetup/settingUpOpenLDAPOnCentos6.htm
    4. http://secfree.github.io/blog/2015/06/29/kerberos-ldap-deploy.html#kdc--kadmin--dn--acl
    5. http://ian.wang/69.htm
    6. https://help.ubuntu.com/lts/serverguide/kerberos-ldap.html#kerberos-ldap-openldap

    ldap使用工具:http://directory.apache.org/studio/




  • 相关阅读:
    HTTP——Web服务器、代理、缓存
    nginx配置文件详解2
    nginx配置文件详解
    shell笔记2
    django笔记
    python 发请求,urllib,urllib2
    nginx配置
    python os模块学习
    mac 终端命令小结
    mac常用命令笔记
  • 原文地址:https://www.cnblogs.com/zhaojonjon/p/5967281.html
Copyright © 2011-2022 走看看