Kerberos+LDAP+NFSv4 实现单点登录(续2)--一键安装
Posted
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了Kerberos+LDAP+NFSv4 实现单点登录(续2)--一键安装相关的知识,希望对你有一定的参考价值。
Kerberos+LDAP+NFSv4 实现单点登录(续2)--一键安装( 附:LDAP简单认证登录 login4ldap-ver0.0.6.zip 源代码 下载地址 http://u.163.com/NeMVmlIT 提取码: ObEubL7Y )
上篇Kerberos+LDAP+NFSv4 实现单点登录(续1)链接地址http://lulinlin1.lofter.com/post/1cf3848f_11f58066?act=qbbloglofter_20150506_01
本篇是前两篇的总结,编写成一键安装脚本onekeysso.sh,并需名为dns.ldif文件.dns.ldif是从bind9-dyndb-ldap包的模式文件修改而来,可参考上篇
下面是onekeysso.sh的内容,将onekeysso.sh和dns.ldif放在同一目录下,以root用户运行onekeysso.sh
说明:脚本会卸载删除一些包及文件(如要重新一键安装),如果你的系统已是正在用于生产环境,请小心,还是请准备干净的系统一键安装
环境:debian 10
运行:
[email protected]:~# ls
dns.ldif onekeysso.sh
[email protected]:~# ./onekeysso.sh
内容:
#! /bin/bash
echo -n "before install new pack,Shall I remove some old files,database and uninstall [yes/no]?"
read
if [ "$REPLY" = "yes" ]; then
echo "install setup"
else
echo "exit install"
exit 0
fi
/etc/init.d/slapd stop
/etc/init.d/heimdal-kdc stop
apt-get -y remove --purge slapd
apt-get -y remove --purge heimdal-kdc
apt-get -y remove --purge krb5-config
apt-get -y remove --purge bind9-dyndb-ldap bind9 isc-dhcp-server-ldap isc-dhcp-server
rm /etc/ldap/krb5.keytab
rm /etc/bind/krb5.keytab
sed -i ‘/127.0.0.2/d‘ /etc/hosts
echo -n "input net(default: 192.168.1.0):"
read mynet
if [ -z $mynet ]; then
mynet="192.168.1.0"
fi
if [[ $mynet =~ [0-9]+.[0-9]+.[0-9]+.[0] ]] && !([[ $mynet =~ [^0-9.]+ ]]); then
echo ok
else
echo "必须是网络地址0"
exit 1
fi
IFS=. read -r myp1 myp2 myp3 myp4 <<< $mynet
mybroadcast=echo $mynet | sed ‘s/.0$/.255/‘
myiprange="echo $mynet | sed ‘s/.0$/.20/‘
echo $mynet | sed ‘s/.0$/.240/‘
"
echo -n "input static ip(default: "$myp1.$myp2.$myp3".11):"
read mystaticip
if [ -z $mystaticip ]; then
mystaticip=$myp1.$myp2.$myp3.11
fi
if [[ $mystaticip =~ $myp1.$myp2.$myp3.[0-9]+ ]] && !([[ $mystaticip =~ [^0-9.]+ ]]); then
echo ok
else
echo "必须是上面所设的同网段"
exit 1
fi
IFS=. read -r mys1 mys2 mys3 mys4 <<< $mystaticip
if [ $mys4 = 0 ]; then
echo "不能是网络地址0"
exit 1
fi
if [ $mys4 = 255 ]; then
echo "不能是广播地址255"
exit 1
fi
echo -n "input router(default: "$myp1.$myp2.$myp3".1):"
read myrouter
if [ -z $myrouter ]; then
myrouter=$myp1.$myp2.$myp3.1
fi
if [[ $myrouter =~ [0-9]+.[0-9]+.[0-9]+.[0-9]+ ]] && !([[ $myrouter =~ [^0-9.]+ ]]); then
echo ok
else
echo error
exit 1
fi
echo -n "input hostname:"
read mykdc
if [[ $mykdc =~ [a-z]+ ]] && !([[ $mykdc =~ [^a-z]+ ]]); then
echo ok
else
echo "仅支持小写字母"
exit 1
fi
echo -n "input domain:"
read mydomain
if [[ $mydomain =~ [a-z.]+ ]] && !([[ $mydomain =~ [^a-z.]+ ]]); then
echo ok
else
echo "仅支持小写字母和点号"
exit 1
fi
echo ‘127.0.0.2 ‘$mykdc‘.‘$mydomain‘ ‘$mykdc >> /etc/hosts
echo $mykdc > /etc/hostname
hostname $mykdc
mydomain=hostname -d
myrealm=hostname -d | tr a-z A-Z
mysuffix="dc=echo $mydomain | sed ‘s/^\.//; s/\.$//; s/\./,dc=/g‘
"
mybasedn=$mysuffix
myfullname=$mykdc.$mydomain
echo $myfullname
echo $mybasedn
echo $mybroadcast
echo $myiprange
#预配置krb5-config
echo ‘krb5-config krb5-config/default_realm string ‘$myrealm | debconf-set-selections
echo ‘krb5-config krb5-config/admin_server string 127.0.0.1‘ | debconf-set-selections
echo ‘krb5-config krb5-config/kerberos_servers string 127.0.0.1‘ | debconf-set-selections
apt-get -y install schema2ldif gzip
apt-get -y install slapd
apt-get -y install heimdal-kdc
apt-get -y install bind9 bind9-dyndb-ldap isc-dhcp-server isc-dhcp-server-ldap libsasl2-modules-gssapi-heimdal dnsutils
/etc/init.d/slapd stop
/etc/init.d/heimdal-kdc stop
/etc/init.d/bind9 stop
/etc/init.d/isc-dhcp-server stop
#1.修改配置
#1)ldap
#1.1)将krb5用户主体映射到ldap用户
sed -i ‘$a olcAuthzRegexp: {0}uid=dns/‘"$mykdc"‘,cn=gssapi,cn=auth krb5PrincipalName=DNS/‘"$mykdc"‘@‘"$myrealm"‘,ou=hdkrb5,‘"$mysuffix"‘‘ /etc/ldap/slapd.d/cn=config.ldif
#1.2)设置LDAP ACL,允许如DNS/[email protected]写ldap数据库
sed -i ‘/olcAccess: {2}to * by * read/a olcAccess: {3}to by self write by dn="cn=admin,‘"$mysuffix"‘" write by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by read‘ /etc/ldap/slapd.d/cn=config/olcDatabase={1}mdb.ldif
sed -i ‘/olcAccess: {2}to * by * read/a olcAccess: {2}to dn.subtree="ou=dns,‘"$mysuffix"‘" by dn="krb5PrincipalName=DNS/‘"$mykdc"‘@‘"$myrealm"‘,ou=hdkrb5,‘"$mysuffix"‘" write by read‘ /etc/ldap/slapd.d/cn=config/olcDatabase={1}mdb.ldif
sed -i ‘/olcAccess: {2}to * by \ read/d‘ /etc/ldap/slapd.d/cn=config/olcDatabase={1}mdb.ldif
#1.3)缺省搜索
sed -i ‘$a olcDefaultSearchBase: ‘"$mybasedn"‘‘ /etc/ldap/slapd.d/cn=config/olcDatabase={-1}frontend.ldif
#1.4)必须启用同步,否则dig查询被拒绝
sed -i ‘/olcModuleLoad: {0}/a olcModuleLoad: {1}syncprov‘ /etc/ldap/slapd.d/cn=config/cn=module{0}.ldif
slapadd -b cn=config <<-EOF
dn: olcOverlay=syncprov,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpNoPresent: TRUE
EOF
chown openldap:openldap /etc/ldap/slapd.d/cn=config/olcDatabase={1}mdb
chown openldap:openldap /etc/ldap/slapd.d/cn=config/olcDatabase={1}mdb/olcOverlay={0}syncprov.ldif
#2)krb
#2.1)kdc.conf
sed -i ‘/[kdc]/a \n addresses = 0.0.0.0\n‘ /etc/heimdal-kdc/kdc.conf
sed -i ‘/dbname = \/var\/lib\/heimdal-kdc\/heimdal/a \n dbname = ldap:ou=hdkrb5,‘"$mysuffix"‘\n mkey_file = \/var\/lib\/heimdal-kdc\/m-key\n realm = ‘"$myrealm"‘‘ /etc/heimdal-kdc/kdc.conf
sed -i ‘/dbname = \/var\/lib\/heimdal-kdc\/heimdal/d‘ /etc/heimdal-kdc/kdc.conf
#2.2)krb5.conf
sed -i ‘/[libdefaults]/a \n allow_weak_crypto = true\n dns_lookup_kdc = true\n dns_lookup_realm = true‘ /etc/krb5.conf
sed -i ‘/admin_server = 127.0.0.1/d‘ /etc/krb5.conf
sed -i ‘/forwardable = true/d‘ /etc/krb5.conf
sed -i ‘/proxiable = true/d‘ /etc/krb5.conf
sed -i ‘/# default_tgs_enctypes = des3-hmac-sha1/a default_tgs_enctypes = aes256-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5‘ /etc/krb5.conf
sed -i ‘/# default_tkt_enctypes = des3-hmac-sha1/a default_tkt_enctypes = aes256-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5‘ /etc/krb5.conf
#3)dhcp
mysecret=ddns-confgen | grep secret
sed -i ‘/INTERFACESv4=""/a INTERFACESv4="‘"ls /sys/class/net | sed ‘/lo/d‘ | xargs
"‘"‘ /etc/default/isc-dhcp-server
sed -i ‘/INTERFACESv4=""/d‘ /etc/default/isc-dhcp-server
sed -i ‘s/^/#/‘ /etc/dhcp/dhcpd.conf
sed -i ‘1a ldap-server "127.0.0.1";\nldap-base-dn "‘"$mybasedn"‘";\nldap-method dynamic;‘ /etc/dhcp/dhcpd.conf
#将原放在ldap的密钥改放在dhcpd.conf
sed -i ‘1a key "ddns-key" { algorithm hmac-sha256; ‘"$mysecret"‘ }‘ /etc/dhcp/dhcpd.conf
chmod o-r /etc/dhcp/dhcpd.conf
#4)dns
sed -i ‘/include "\/etc\/bind\/named.conf.local";/a include "/etc/bind/named.conf.ldap";‘ /etc/bind/named.conf
sed -i ‘/include "\/etc\/bind\/named.conf.local";/d‘ /etc/bind/named.conf
sed -i ‘/include "\/etc\/bind\/named.conf.default-zones";/d‘ /etc/bind/named.conf
sed -i ‘/directory "\/var\/cache\/bind";/a \n allow-recursion { none; };‘ /etc/bind/named.conf.options
sed -i ‘/dnssec-validation auto;/d‘ /etc/bind/named.conf.options
sed -i ‘/auth-nxdomain no;/d‘ /etc/bind/named.conf.options
sed -i ‘/listen-on-v6 { any; };/d‘ /etc/bind/named.conf.options
#4.1)重装bind9时,bind用户及用户组ID可能有改变,而重装又没改到named.run
chown bind:bind /var/cache/bind/named.run
#4.2)新建named.conf.ldap
cat <<-EOF > /etc/bind/named.conf.ldap
logging {
channel default_debug {
file "named.run";
severity debug;
};
};
key "ddns-key" {
algorithm hmac-sha256;
$mysecret
};
controls {
inet 127.0.0.1 allow { 127.0.0.1; } keys { ddns-key; };
};
//不同体系路径如/usr/lib/i386-linux-gnu/bind/ldap.so
dyndb "my_db_name" "dpkg-query -S ldap.so | grep bind9-dyndb-ldap | sed ‘s/bind9-dyndb-ldap: //‘
" {
//bind9-dyndb-ldap有bug,必须加server_id此行
server_id "";
directory "/var/cache/bind";
uri "ldap://127.0.0.1";
base "ou=dns,$mysuffix";
//认证机制
auth_method "sasl";
sasl_mech "GSSAPI";
//--v-- 添加krb5主体
sasl_auth_name "DNS/$mykdc";
krb5_keytab "FILE:/etc/bind/krb5.keytab";
//--^--
//超时及重连接间隔的值需设大一点,解决因使用SASL认证无法写问题
timeout 50;
reconnect_interval 100;
};
EOF
chmod o-r /etc/bind/named.conf.ldap
#2.添加模式
#1)krb
schema2ldif /etc/ldap/schema/hdb.schema | slapadd -b cn=config
#2)dhcp
zcat /usr/share/doc/isc-dhcp-server-ldap/dhcp.schema.gz | schema2ldif -c dhcp | slapadd -b cn=config
#3)dns
slapadd -b cn=config -l dns.ldif
chown openldap:openldap /etc/ldap/slapd.d/cn=config/cn=schema/cn={}hdb.ldif
chown openldap:openldap /etc/ldap/slapd.d/cn=config/cn=schema/cn={}dhcp.ldif
chown openldap:openldap /etc/ldap/slapd.d/cn=config/cn=schema/cn={*}dns.ldif
#3.添加条目
slapadd -b $mysuffix <<-EOF
#1)
dn: ou=hdkrb5,$mysuffix
krb5PrincipalName: [email protected]$myrealm
ou: hdkrb5
objectClass: krb5Principal
objectClass: organizationalUnit
dn: ou=users,ou=hdkrb5,$mysuffix
objectClass: organizationalUnit
ou: users
dn: ou=hosts,ou=hdkrb5,$mysuffix
objectClass: organizationalUnit
ou: hosts
dn: ou=groups,$mysuffix
objectClass: organizationalUnit
ou: groups
dn: ou=sudoers,$mysuffix
objectClass: organizationalUnit
ou: sudoers
dn: ou=roles,$mysuffix
objectClass: organizationalUnit
ou: roles
#2)dhcp
dn: cn=$mykdc,$mysuffix
objectClass: dhcpServer
cn: $mykdc
dhcpServiceDN: cn=dhcp,$mysuffix
#Here is the config tree
dn: cn=dhcp,$mysuffix
cn: dhcp
objectClass: dhcpService
dhcpPrimaryDN: cn=$mykdc,$mysuffix
dhcpStatements: ddns-update-style interim
dhcpStatements: ignore client-updates
#动态更新DNS的密钥改放到dhcpd.conf,方便设置访问权限控制,免泄漏密钥
#dhcpStatements: key "ddns-key" { algorithm hmac-sha256; $mysecret }
dhcpStatements: zone $mydomain { primary 127.0.0.1; key ddns-key; }
dhcpStatements: default-lease-time 600
dhcpStatements: max-lease-time 7200
#Set up a subnet declaration with a pool statement. Also note that we have a dhcpOptions object with this entry
dn: cn=$mynet,cn=dhcp,$mysuffix
cn: $mynet
objectClass: dhcpSubnet
objectClass: dhcpOptions
dhcpOption: domain-name "$mydomain"
dhcpOption: domain-name-servers $mystaticip
dhcpOption: routers $myrouter
dhcpOption: subnet-mask 255.255.255.0
dhcpOption: broadcast-address $mybroadcast
dhcpNetMask: 24
dhcpRange: $myiprange
#3)dns
#定义正、反向区域存储到ldap数据库
dn: ou=dns,$mysuffix
objectClass: organizationalUnit
ou: dns
#Zone
dn: idnsName=$mydomain,ou=dns,$mysuffix
objectClass: idnsZone
objectClass: idnsRecord
idnsName: $mydomain
#动态更新
idnsAllowDynUpdate: TRUE
#同步反向解析
idnsAllowSyncPTR: TRUE
#动态更新策略
idnsUpdatePolicy: grant ddns-key zonesub ANY;
idnsZoneActive: TRUE
idnsSOAmName: $mykdc
idnsSOArName: root.$mykdc
idnsSOAserial: 1
idnsSOArefresh: 10800
idnsSOAretry: 900
idnsSOAexpire: 604800
idnsSOAminimum: 86400
#域名服务器记录
NSRecord: $mydomain.
ARecord: $mystaticip
#别名
dn: idnsName=$mykdc,idnsName=$mydomain,ou=dns,$mysuffix
objectClass: idnsRecord
idnsName: $mykdc
CNAMERecord: $mydomain.
#DNS records for zone
#--v-- SRV资源记录
dn: idnsName=_kerberos._udp,idnsName=$mydomain,ou=dns,$mysuffix
objectClass: idnsRecord
idnsName: _kerberos._udp
SRVRecord: 0 100 88 $mykdc
dn: idnsName=_kerberos._tcp,idnsName=$mydomain,ou=dns,$mysuffix
objectClass: idnsRecord
idnsName: _kerberos._tcp
SRVRecord: 0 100 88 $mykdc
dn: idnsName=_kpasswd._udp,idnsName=$mydomain,ou=dns,$mysuffix
objectClass: idnsRecord
idnsName: _kpasswd._udp
SRVRecord: 0 100 464 $mykdc
dn: idnsName=_ldap._tcp,idnsName=$mydomain,ou=dns,$mysuffix
objectClass: idnsRecord
idnsName: _ldap._tcp
SRVRecord: 0 100 389 $mykdc
dn: idnsName=_ntp._udp,idnsName=$mydomain,ou=dns,$mysuffix
objectClass: idnsRecord
idnsName: _ntp._udp
SRVRecord: 0 100 123 $mykdc
#--^--
#--v-- 反向解析
dn: idnsName=$myp3.$myp2.$myp1.in-addr.arpa,ou=dns,$mysuffix
objectClass: idnsZone
objectClass: idnsRecord
idnsName: $myp3.$myp2.$myp1.in-addr.arpa
idnsAllowDynUpdate: TRUE
idnsUpdatePolicy: grant ddns-key zonesub ANY;
idnsZoneActive: TRUE
idnsSOAmName: $myfullname.
idnsSOArName: root.$myfullname.
idnsSOAserial: 1
idnsSOArefresh: 10800
idnsSOAretry: 900
idnsSOAexpire: 604800
idnsSOAminimum: 86400
NSRecord: $myfullname.
#必须配置kdc服务器地址的反向解析
dn: idnsName=$mys4,idnsName=$myp3.$myp2.$myp1.in-addr.arpa,ou=dns,$mysuffix
objectClass: idnsRecord
idnsName: $mys4
PTRRecord: $myfullname.
#--^--
EOF
#4.其它
/etc/init.d/slapd start
/etc/init.d/heimdal-kdc start
#1)初始化krb
kadmin -l init --realm-max-ticket-life=unlimited --realm-max-renewable-life=unlimited $myrealm
#2)添加krb5主体
#2.1)
kadmin -l add -r --use-defaults ldap/$mykdc
#使ldap/mykdc成为应用服务器
kadmin -l modify -a -disallow-svr ldap/$mykdc
#导出keytab
kadmin -l ext -k /etc/ldap/krb5.keytab ldap/$mykdc
#不知为何在/etc/default/slapd指定KRB5_KTNAME没作用,因此还是复制一份到/etc/下
cp -a /etc/ldap/krb5.keytab /etc/krb5.keytab
#krb5.keytab拥有者改为openldap,并只openldap用户可读
chown openldap:openldap /etc/ldap/krb5.keytab
chmod o-r /etc/ldap/krb5.keytab
chmod g-r /etc/ldap/krb5.keytab
#在/etc/default/slapd里增加一行
sed -i ‘$a export KRB5_KTNAME=/etc/ldap/krb5.keytab‘ /etc/default/slapd
#2.2)
kadmin -l add -r --use-defaults DNS/$mykdc
kadmin -l ext -k /etc/bind/krb5.keytab DNS/$mykdc
#krb5.keytab拥有者改为bind,并只bind用户可读
chown bind:bind /etc/bind/krb5.keytab
chmod o-r /etc/bind/krb5.keytab
chmod g-r /etc/bind/krb5.keytab
#3)略
#ssl
#密码同步
#4)
sed -i ‘/127.0.0.2/d‘ /etc/hosts
sed -i ‘/iface eth0 inet dhcp/a iface eth0 inet static\naddress ‘"$mystaticip"‘\nnetmask 255.255.255.0‘ /etc/network/interfaces
sed -i ‘/iface eth0 inet dhcp/d‘ /etc/network/interfaces
#/etc/init.d/networking restart
/etc/init.d/bind9 start
/etc/init.d/isc-dhcp-server start
后记:
1.dig查询DNS被拒绝问题
bind9-dyndb-ldap文档有提到SyncRepl (RFC 4533) ,但没说明LDAP必须启用同步.
起初脚本没启用LDAP同步,DNS解析总被拒绝,调试bind9提示SyncRepl (RFC 4533)有问题,启用了LDAP同步就正常.
因此脚本添加加了启用LDAP同步.
2.krb5Key属性安全问题
脚本没设置krb5Key属性的读写权限,因此是匿名可读,heimdal文档也没说明krb5Key属性的安全问题.
为提高安全性,用户可自行参考userPassword属性的设置方法来禁止匿名读取krb5Key属性.
3.动态更新DNS模式
一般手册推荐标准模式standard,但使用了bind9-dyndb-ldap,在模式standard下客户机第一次分配地址能添加到DNS,但客户机地址改变时无法更新DNS,提示没DHCIDRecord属性,而bind-dyndb-ldap模式没有DHCIDRecord属性.
所以动态更新DNS模式改为interim,客户机地址改变时已可正常更新DNS
以上是关于Kerberos+LDAP+NFSv4 实现单点登录(续2)--一键安装的主要内容,如果未能解决你的问题,请参考以下文章
Kerberos+LDAP+NFSv4 实现单点登录(续2)--一键安装
Kerberos+LDAP+NFSv4 实现单点登录(续4)--SASL/GSSAPI