统一用户登录管理认证LDAP 客户端部署
Posted
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了统一用户登录管理认证LDAP 客户端部署相关的知识,希望对你有一定的参考价值。
1、环境:
操作系统:CentOS release 6.8 (Final)
ip:192.168.31.155
操作系统:CentOS Linux release 7.2.1511 (Core)
ip:192.168.31.156
2、操作过程:
客户端配置文件
2.1、CentOS5
/etc/nsswitch.conf
/etc/ldap.conf
/etc/pam.d/system-auth
2.2、CentOS6
安装依赖包:
yum install nss-pam-ldap
/etc/nslcd.conf
/etc/pam_ldap.conf
/etc/nsswitch.conf
/etc/pam.d/system-auth
操作过程:
[[email protected] ~]# yum install nss-pam-ldapd [[email protected] ~]# rpm -ql nss-pam-ldapd /etc/nslcd.conf /etc/rc.d/init.d/nslcd /lib64/libnss_ldap.so.2 /usr/lib64/libnss_ldap.so /usr/sbin/nslcd /usr/share/doc/nss-pam-ldapd-0.7.5 /usr/share/doc/nss-pam-ldapd-0.7.5/AUTHORS /usr/share/doc/nss-pam-ldapd-0.7.5/COPYING /usr/share/doc/nss-pam-ldapd-0.7.5/ChangeLog /usr/share/doc/nss-pam-ldapd-0.7.5/HACKING /usr/share/doc/nss-pam-ldapd-0.7.5/NEWS /usr/share/doc/nss-pam-ldapd-0.7.5/README /usr/share/doc/nss-pam-ldapd-0.7.5/TODO /usr/share/man/man5/nslcd.conf.5.gz /usr/share/man/man8/nslcd.8.gz /var/run/nslcd [[email protected] ~]#
备份配置文件:
[[email protected] ~]# mkdir configback [[email protected] ~]# cp /etc/nsswitch.conf configback/nsswitch.conf.bak [[email protected] ~]# cp /etc/pam.d/system-auth configback/system-auth.bak [[email protected] ~]# cp /etc/nslcd.conf configback/nslcd.conf.bak [[email protected] ~]# cp /etc/pam_ldap.conf configback/pam_ldap.conf.bak [[email protected] ~]#
备份当前涉及的配置文件:
[[email protected] ~]# authconfig --savebackup=openldap.bak
还原当前的配置文件:
[[email protected] ~]# authconfig --restorebackup=openldap.bak
注意:authconfig命令可以很迅速的将文件恢复到初始状态,相比手动逐一修改配置文件效率要高,准确性更好
CentOS6采用图形界面配置,具体配置步骤如下:
setup--->Run Tool-->Authentication configuration--->Use LDAP && Use LDAP Authentication --->netx-->
Server: ldap:192.168.31.153
Base DN: dc=ldap,dc=com
---->OK--->quit
配置好之后重启nslcd服务即可
[[email protected] ~]# /etc/init.d/nslcd restart Stopping nslcd: [ OK ] Starting nslcd: [ OK ] [[email protected] ~]# id user01 uid=1000(user01) gid=1010(Host) groups=1010(Host) [[email protected] ~]# [[email protected] ~]# [[email protected] ~]# grep user01 /etc/passwd [[email protected] ~]#
用user01测试登录:
[[email protected] ~]# ssh [email protected] [email protected]‘s password: Last login: Wed Oct 25 17:19:16 2017 from 192.168.31.154 Could not chdir to home directory /home/user01: No such file or directory -bash-4.1$ id uid=1000(user01) gid=1010(Host) groups=1010(Host) -bash-4.1$ hostname client01-centos6 -bash-4.1$
发现登录成功,但是不能创建家目录,接下来解决创建家目录问题(用参数--enablemkhomedir)
[[email protected] ~]# authconfig --enableldap --enableldapauth --ldapserver=ldap://192.168.31.153 --disableldaptls --enablemkhomedir --ldapbasedn="dc=ldap,dc=com" --update
[[email protected] ~]#
提示:如果执行上述命令没效果,可以执行authconfig --restorebackup=openldap.bak恢复初始配置,再执行“authconfig --enableldap --enableldapauth --ldapserver=ldap://192.168.31.153 --disableldaptls --enablemkhomedir --ldapbasedn="dc=ldap,dc=com" --update”命令,具体操作如下:
[[email protected] ~]# authconfig --restorebackup=openldap.bak [[email protected] ~]# authconfig --enableldap --enableldapauth --ldapserver=ldap://192.168.31.153 --disableldaptls --enablemkhomedir --ldapbasedn="dc=ldap,dc=com" --update Starting nslcd: [ OK ] [[email protected] ~]# id user01 uid=1000(user01) gid=1010(Host) groups=1010(Host) [[email protected] ~]# [[email protected] ~]# getent passwd user01 user01:x:1000:1010:user01:/hoome/user01:/bin/bash [[email protected] ~]#
查看文件/etc/pam.d/system-auth,其中增加了如下一行:
session optional pam_mkhomedir.so umask=0077
再测试获取ldap账户user01:
[[email protected] ~]$ id uid=1000(user01) gid=1010(Host) groups=1010(Host) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 [[email protected] ~]$ pwd /hoome/user01 [[email protected] ~]$ [[email protected] ~]$ whoami user01 [[email protected] ~]$
继续登陆测试:
[[email protected] ~]# ssh [email protected] [email protected]。155‘s password: Creating directory ‘/home/user01‘. Last login: Wed Oct 25 17:24:43 2017 from 192.168.31.154 [[email protected] ~]$ pwd /home/user01 [[email protected] ~]$ whoami user01 [[email protected] ~]$
说明:登陆成功,顺利创建家目录.创建家目录参数是"--enablemkhomedir"
2.3、CentOS7
/etc/nslcd.conf
/etc/pam_ldap.conf
/etc/nsswitch.conf
/etc/pam.d/system-auth
安装配置文件和相应的工具包
[[email protected] ~]# yum install nss-pam-ldapd setuptool
备份配置文件:
[[email protected] ~]# authconfig --savebackup=openldap.bak [[email protected] ~]# id user01 id: user01: no such user [[email protected] ~]# getent passwd user01 [[email protected] ~]# getent shadow user01
恢复配置文件:
[[email protected] ~]# authconfig --restorebackup=openldap.bak
运行添加命令:
[[email protected] ~]# authconfig --enableldap --enableldapauth --ldapserver=ldap://192.168.31.153 --disableldaptls --enablemkhomedir --ldapbasedn="dc=ldap,dc=com" --update [[email protected] ~]# getent shadow user01 user01:*:::::::0 [[email protected] ~]# getent passwd user01 user01:x:1000:1010:user01:/hoome/user01:/bin/bash [[email protected] ~]# [[email protected] ~]# id user01 uid=1000(user01) gid=1010(Host) groups=1010(Host) [[email protected] ~]#
同样进行登录测试:
[[email protected] ~]# ssh [email protected] [email protected]‘s password: Creating directory ‘/home/user01‘. Last login: Tue Oct 24 13:04:39 2017 from 192.168.31.100 [[email protected] ~]$ whoami user01 [[email protected] ~]$ id uid=1000(user01) gid=1010(Host) groups=1010(Host) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 [[email protected] ~]$ pwd /home/user01 [[email protected] ~]$ -bash-4.2$ cat /etc/redhat-release CentOS Linux release 7.2.1511 (Core) -bash-4.2$
总结:
ldap客户端配置方法有如下三种:
1、修改配置文件
2、authconfig
3、setup配置
说明:第1种方法修改最复杂,也是最不可靠,很容易出错,所以一般不建议使用,第2、3种方法可以根据请考虑,个人建议用第2种,操作便捷准确性搞,另外在进行任何配置的时候切记要进行备份(即:authconfig --savebackup=</backupfile.bak>)
一、无论是CentOS6还是CentOS7都要装一个组件 nss-pam-ldapd
yum install nss-pam-ldapd -y
在进行配置之前切记要将文件进行备份,这里推荐用"authconfig --savebackup=openldap.bak"命令
authconfig --savebackup=openldap.bak(备份)
如果想快速还原配置文件至初始状态,则进行如下操作:
authconfig --restorebackup=openldap.bak(还原)
将客户端加入ldap服务进行统一管理,运行以下命令,切记服务器地址和对应参数必须保持正确:
authconfig --enableldap --enableldapauth --ldapserver=ldap://192.168.31.153 --disableldaptls --enablemkhomedir --ldapbasedn="dc=ldap,dc=com" --update
在实际工作中由于自己的疏忽漏掉了参数"--enbaleldapauth",结果导致无法远程ssh登陆服务器,后来不得不跑到机房将配置文件恢复回来,然后添加该参数重新执行。
二、环境上需要注意的问题
①确保selinux和iptables必须是关闭状态,即getenforce返回结果为disabled,iptables状态为stop
②确保客户端连接服务端的地址要正确
三、修改用户初始密码的方法:
默认情况下用户是不能修改用户密码的,示例如下:
[[email protected] ~]$ id
uid=1000(user01) gid=1010(Host) groups=1010(Host) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[[email protected] ~]$ passwd
Changing password for user user01.
(current) LDAP Password:
New password:
Retype new password:
password change failed: Insufficient access
passwd: Authentication token manipulation error
[[email protected] ~]$
如果要想用户可以修改初始化密码,则需要到ldapserver中进行修改授权,操作如下:
[[email protected] cn=config]# cat << EOF |ldapmodify -Y EXTERNAL -H ldapi:///
> dn: olcDatabase={2}hdb,cn=config
> changetype: modify
> add: olcAccess
> olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=ldap,dc=com" write by anonymous auth by self write by * none
> olcAccess: {1}to dn.base="" by * read
> olcAccess: {2}to by dn="cn=Manager,dc=ldap,dc=com" write by * read
> EOF
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"
[[email protected] cn=config]#
操作代码:
cat << EOF |ldapmodify -Y EXTERNAL -H ldapi:/// dn: olcDatabase={2}hdb,cn=config changetype: modify add: olcAccess olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=ldap,dc=com" write by anonymous auth by self write by * none olcAccess: {1}to dn.base="" by * read olcAccess: {2}to by dn="cn=Manager,dc=ldap,dc=com" write by * read EOF
退出登录,重新执行修改命令:
[[email protected] ~]$ exit logout Connection to 192.168.31.156 closed. [[email protected] ~]# ssh [email protected] [email protected]‘s password: Last login: Tue Oct 24 13:07:36 2017 from 192.168.31.155 [[email protected] ~]$ passwd Changing password for user user01. (current) LDAP Password: New password: Retype new password: passwd: all authentication tokens updated successfully. [[email protected] ~]$
以上是关于统一用户登录管理认证LDAP 客户端部署的主要内容,如果未能解决你的问题,请参考以下文章