Design and Implementation of a Centralized Account Management System: OpenLDAP


Build an OpenLDAP deployment that manages accounts centrally.

Features implemented

1: Building the OpenLDAP server

2: Building phpLDAPadmin (for management through a web page)

3: Group-based sudo privilege assignment configured on the OpenLDAP server:

1) no sudo rights by default;

2) operations staff may sudo to any user and run any command;

3) developers get only the command permissions configured for them

4: OpenLDAP client configuration

5: OpenLDAP with SSH

6: OpenLDAP combined with client-side PAM to restrict which users may log in to a host

7: Password policy added to OpenLDAP:

1) force users to change their password on first login

2) minimum password length

3) password strength

4) number of days of warning before a password expires

5) number of days after expiry during which login is refused

6) number of failed attempts before the account is locked

7) recovery time after failed attempts

8) whether users may change their own password

9) once locked, the account does not unlock automatically; an administrator must unlock it

8: MirrorMode replication for an OpenLDAP dual-master setup

9: Keepalived + OpenLDAP for OpenLDAP high availability

10: TCP Wrappers


Access and maintenance workflow of the centralized account management system:






Lab environment:

Systems:

Master: CentOS 6.5 64-bit, 192.168.9.225

Master: CentOS 6.5 64-bit, 192.168.9.168

VIP: 192.168.9.253

Client: CentOS 6.5 64-bit, 192.168.9.176

Packages:

openldap-2.4.45

db-4.6.21

phpldapadmin-1.2.3

ltb-project-openldap-initscript-2.2

Reference links

https://ltb-project.org/download
http://www.openldap.org/
http://www.oracle.com/technetwork/database/database-technologies/berkeleydb/downloads/index-082944.html
ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/
http://download.oracle.com/berkeley-db/db-4.6.21.tar.gz


Part 1: Installing the OpenLDAP server

(Both masters are installed the same way)

1.1 Base environment setup

(1) System initialization (see http://wupengfei.blog.51cto.com/7174803/1955545)

(2) Disable the firewall and SELinux

service iptables stop
chkconfig iptables off
sed -i 's@SELINUX=enforcing@SELINUX=disabled@g' /etc/selinux/config

(3) Time synchronization

yum -y install ntp
/usr/sbin/ntpdate -u clepsydra.dec.com tick.ucla.edu ntp.nasa.gov
echo "1 2 * * * /usr/sbin/ntpdate -u clepsydra.dec.com tick.ucla.edu ntp.nasa.gov" >> /var/spool/cron/root

1.2 Install OpenLDAP from source

(1) Install the build dependencies with yum

yum -y install gcc gcc-c++ unzip gzip bzip2 openssl-devel cyrus-sasl-devel krb5-devel tcp_wrappers-devel libtool-ltdl-devel openslp-devel unixODBC-devel mysql-devel

(2) Install Berkeley DB from source

cd /usr/local/src/
wget http://download.oracle.com/berkeley-db/db-4.6.21.tar.gz
tar xf db-4.6.21.tar.gz
cd db-4.6.21/build_unix/
../dist/configure --prefix=/usr/local/BDB4
make && make install
echo "/usr/local/BDB4/lib" >> /etc/ld.so.conf.d/bdb.conf
ldconfig
ln -sv /usr/local/BDB4/include /usr/local/bdb

(3) Install OpenLDAP from source

cd /usr/local/src/
wget ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-2.4.45.tgz
gunzip -c openldap-2.4.45.tgz | tar xf -
cd openldap-2.4.45
./configure --prefix=/usr/local/openldap2.4 \
--enable-slapd \
--enable-dynacl \
--enable-aci \
--enable-cleartext \
--enable-crypt \
--enable-lmpasswd \
--enable-spasswd \
--enable-modules \
--enable-rewrite \
--enable-rlookups \
--enable-slapi \
--enable-wrappers \
--enable-backends \
--enable-ndb=no \
--enable-perl=no \
--enable-overlays \
CPPFLAGS="-I/usr/local/BDB4/include" \
LDFLAGS="-L/usr/local/BDB4/lib"
make depend
make
make test
make install
echo "/usr/local/openldap2.4/lib" >> /etc/ld.so.conf.d/ldap.conf
ldconfig
ln -sv /usr/local/openldap2.4/include /usr/include/ldap2.4
ln -sv /usr/local/openldap2.4/bin/* /usr/local/bin/
ln -sv /usr/local/openldap2.4/sbin/* /usr/local/sbin/

1.4 Configuration

(1) Configuration file template

# grep -v ^# slapd.conf | grep -v ^$
include /usr/local/openldap2.4/etc/openldap/schema/corba.schema
include /usr/local/openldap2.4/etc/openldap/schema/core.schema
include /usr/local/openldap2.4/etc/openldap/schema/cosine.schema
include /usr/local/openldap2.4/etc/openldap/schema/duaconf.schema
include /usr/local/openldap2.4/etc/openldap/schema/dyngroup.schema
include /usr/local/openldap2.4/etc/openldap/schema/inetorgperson.schema
include /usr/local/openldap2.4/etc/openldap/schema/java.schema
include /usr/local/openldap2.4/etc/openldap/schema/misc.schema
include /usr/local/openldap2.4/etc/openldap/schema/nis.schema
include /usr/local/openldap2.4/etc/openldap/schema/openldap.schema
include /usr/local/openldap2.4/etc/openldap/schema/ppolicy.schema
include /usr/local/openldap2.4/etc/openldap/schema/collective.schema
include /usr/local/openldap2.4/etc/openldap/schema/sudo.schema
pidfile /usr/local/openldap2.4/var/run/slapd.pid
argsfile /usr/local/openldap2.4/var/run/slapd.args
modulepath /usr/local/openldap2.4/libexec/openldap
moduleload accesslog.la
moduleload auditlog.la
moduleload ppolicy.la
moduleload syncprov.la
moduleload back_mdb.la
moduleload back_ldap.la
access to attrs=shadowLastChange,userPassword
    by self write
    by anonymous auth
    by dn.base="cn=admin,dc=dabayouxi,dc=com" write
    by * none
access to *
    by self write
    by * read
database config
access to *
    by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
    by dn.base="cn=admin,dc=dabayouxi,dc=com" write
    by * none
database mdb
suffix "dc=dabayouxi,dc=com"
rootdn "cn=admin,dc=dabayouxi,dc=com"
rootpw {SSHA}jnN16Laklfzlm4hCrob1nhUgUloLpvnm
directory /data0/openldap-data
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,sub
index nisMapName,nisMapEntry eq,sub
loglevel 256
logfile /data0/logs/slapd/slapd.log
checkpoint 2048 10
overlay ppolicy
ppolicy_default cn=default,ou=pwpolicies,dc=dabayouxi,dc=com

(2) Add sudo.schema

cp -f /usr/share/doc/sudo-1.8.6p3/schema.OpenLDAP /usr/local/openldap2.4/etc/openldap/schema/sudo.schema
restorecon /usr/local/openldap2.4/etc/openldap/schema/sudo.schema

(3) Create the ldap user and group

groupadd -r ldap
useradd -r -g ldap -s /sbin/nologin ldap

(4) Configure logging

mkdir -p /data0/logs/slapd
touch /data0/logs/slapd/slapd.log
echo "local4.* /data0/logs/slapd/slapd.log" >> /etc/rsyslog.d/openldap.conf
service rsyslog restart
echo "/data0/logs/slapd/*log {
    missingok
    compress
    notifempty
    daily
    rotate 5
    create 0600 root root
}" >> /etc/logrotate.d/slapd

(5) Configure the data directory

mkdir -p /data0/openldap-data
chmod 700 /data0/openldap-data/
cp /usr/local/openldap2.4/etc/openldap/DB_CONFIG.example /data0/openldap-data/DB_CONFIG
chown -R ldap.ldap /data0/openldap-data/
mkdir -p /usr/local/openldap2.4/etc/openldap/slapd.d
cd /usr/local/openldap2.4/etc/openldap/
slaptest -f slapd.conf -F slapd.d/
echo "BASE dc=dabayouxi,dc=com
URI ldap://192.168.9.168" >> /usr/local/openldap2.4/etc/openldap/ldap.conf

(6) Download the init script and adjust its settings

cd /usr/local/src/
wget https://ltb-project.org/archives/ltb-project-openldap-initscript-2.2.tar.gz
tar -xvf ltb-project-openldap-initscript-2.2.tar.gz
mv ltb-project-openldap-initscript-2.2/slapd /etc/init.d
vim /etc/init.d/slapd
SLAPD_PATH="/usr/local/openldap2.4"
DATA_PATH="/data0/openldap-data"
BDB_PATH="/usr/local/BDB4"

chmod +x /etc/init.d/slapd
chkconfig slapd on
service slapd restart

1.5 OpenLDAP directory tree layout
# Import the planned DNs: write the entries below into LDIF files and add them to the database with ldapadd

mkdir -p /data0/ldapldif/{users,groups,sudoers,policy}

(1) base.ldif

vim /data0/ldapldif/base.ldif
dn: dc=dabayouxi,dc=com
dc: dabayouxi
objectClass: top
objectClass: domain

dn: ou=users,dc=dabayouxi,dc=com
ou: users
objectClass: top
objectClass: organizationalUnit

dn: ou=groups,dc=dabayouxi,dc=com
ou: groups
objectClass: top
objectClass: organizationalUnit

dn: ou=sudoers,dc=dabayouxi,dc=com
ou: sudoers
objectClass: top
objectClass: organizationalUnit

dn: ou=pwpolicies,dc=dabayouxi,dc=com
ou: pwpolicies
objectClass: top
objectClass: organizationalUnit


ldapadd -x -D "cn=admin,dc=dabayouxi,dc=com" -W -f /data0/ldapldif/base.ldif
Enter LDAP Password:
adding new entry "dc=dabayouxi,dc=com"
adding new entry "ou=users,dc=dabayouxi,dc=com"
adding new entry "ou=groups,dc=dabayouxi,dc=com"
adding new entry "ou=sudoers,dc=dabayouxi,dc=com"
adding new entry "ou=pwpolicies,dc=dabayouxi,dc=com"
-x: simple bind (no SASL)
-D: the DN to bind as, here the rootdn cn=admin
-W: prompt for the bind password; -w passwd avoids the prompt but is not recommended, since it exposes the password
-f: the LDIF file to load

# Inspect the resulting directory tree with ldapsearch
ldapsearch -x -LLL   # -LLL: plain LDIF output, without version line or comments

(2) groups.ldif

echo "dn: cn=web,ou=groups,dc=dabayouxi,dc=com
objectClass: posixGroup
objectClass: top
cn: web
gidNumber: 1501" >> /data0/ldapldif/groups/web.ldif

echo "dn: cn=core,ou=groups,dc=dabayouxi,dc=com
objectClass: posixGroup
objectClass: top
cn: core
gidNumber: 1502" >> /data0/ldapldif/groups/core.ldif

ldapadd -x -D "cn=admin,dc=dabayouxi,dc=com" -W -f /data0/ldapldif/groups/web.ldif
Enter LDAP Password:
adding new entry "cn=web,ou=groups,dc=dabayouxi,dc=com"

ldapadd -x -D "cn=admin,dc=dabayouxi,dc=com" -W -f /data0/ldapldif/groups/core.ldif
Enter LDAP Password:
adding new entry "cn=core,ou=groups,dc=dabayouxi,dc=com"

(3) users.ldif

echo "dn: uid=webuser,ou=users,dc=dabayouxi,dc=com
uid: webuser
cn: webuser
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {SSHA}1F4G8mlpJ4asfQud0kJOsj6tIWdoiHEc
shadowLastChange: 17412
shadowMin: 0
shadowMax: 999999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 2501
gidNumber: 1501
homeDirectory: /home/webuser
pwdReset: TRUE" >> /data0/ldapldif/users/webuser.ldif

echo "dn: uid=coreuser,ou=users,dc=dabayouxi,dc=com
uid: coreuser
cn: coreuser
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {SSHA}1F4G8mlpJ4asfQud0kJOsj6tIWdoiHEc
shadowLastChange: 17412
shadowMin: 0
shadowMax: 999999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 2502
gidNumber: 1502
homeDirectory: /home/coreuser
pwdReset: TRUE" >> /data0/ldapldif/users/coreuser.ldif

ldapadd -x -D "cn=admin,dc=dabayouxi,dc=com" -W -f /data0/ldapldif/users/webuser.ldif
Enter LDAP Password:
adding new entry "uid=webuser,ou=users,dc=dabayouxi,dc=com"

ldapadd -x -D "cn=admin,dc=dabayouxi,dc=com" -W -f /data0/ldapldif/users/coreuser.ldif
Enter LDAP Password:
adding new entry "uid=coreuser,ou=users,dc=dabayouxi,dc=com"
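The {SSHA} strings in userPassword above (and in rootpw earlier) are the slappasswd format: base64 of SHA-1(password || 4-byte salt) followed by the salt. The Python below is an added example, not code from the original post; it produces and checks that format offline, and decodes the rootpw string from this page's slapd.conf only to show the layout, since its plaintext is not given.

```python
import base64
import hashlib
import hmac
import os

# rootpw value from the slapd.conf above; its plaintext is not known here,
# it is only split apart to show the digest/salt layout
ROOTPW_FROM_PAGE = "{SSHA}jnN16Laklfzlm4hCrob1nhUgUloLpvnm"

SALT_LEN = 4  # slappasswd -h {SSHA} appends a 4-byte random salt
DIGEST_LEN = hashlib.sha1().digest_size  # 20 bytes


def ssha_hash(password, salt=None):
    """Build an OpenLDAP {SSHA} value: base64( SHA1(password || salt) || salt )."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_split(stored):
    """Return (digest, salt) from a {SSHA} value, or None if it is not one."""
    if not stored.startswith("{SSHA}"):
        return None
    raw = base64.b64decode(stored[len("{SSHA}"):])
    if len(raw) <= DIGEST_LEN:
        return None  # no room for a salt after the 20-byte digest
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def ssha_verify(password, stored):
    """Check a candidate password the way slapd does on a simple bind."""
    parts = ssha_split(stored)
    if parts is None:
        return False
    digest, salt = parts
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


if __name__ == "__main__":
    h = ssha_hash("dabayouxi")  # the admin password used in the syncrepl stanza on this page
    print(h, ssha_verify("dabayouxi", h), ssha_verify("wrong", h))
```

Both user entries on this page carry the same hash, so they share one password; because the salt is random, hashing the same password twice yields different strings that both verify.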

(4) sudoers.ldif

vim /data0/ldapldif/sudoers/defaults.ldif
dn: cn=defaults,ou=sudoers,dc=dabayouxi,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
sudoOption: requiretty
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset

vim /data0/ldapldif/sudoers/web.ldif
dn: cn=%web,ou=sudoers,dc=dabayouxi,dc=com
objectClass: top
objectClass: sudoRole
cn: %web
sudoHost: ALL
sudoRunAsUser: www
sudoOption: !authenticate
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset
sudoCommand: ALL
sudoUser: %web

vim /data0/ldapldif/sudoers/core.ldif
dn: cn=%core,ou=sudoers,dc=dabayouxi,dc=com
objectClass: top
objectClass: sudoRole
cn: %core
sudoHost: ALL
sudoRunAsUser: ALL
sudoOption: !authenticate
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset
sudoCommand: ALL
sudoUser: %core

ldapadd -x -D "cn=admin,dc=dabayouxi,dc=com" -W -f /data0/ldapldif/sudoers/defaults.ldif
Enter LDAP Password:
adding new entry "cn=defaults,ou=sudoers,dc=dabayouxi,dc=com"

ldapadd -x -D "cn=admin,dc=dabayouxi,dc=com" -W -f /data0/ldapldif/sudoers/web.ldif
Enter LDAP Password:
adding new entry "cn=%web,ou=sudoers,dc=dabayouxi,dc=com"

ldapadd -x -D "cn=admin,dc=dabayouxi,dc=com" -W -f /data0/ldapldif/sudoers/core.ldif
Enter LDAP Password:
adding new entry "cn=%core,ou=sudoers,dc=dabayouxi,dc=com"

(5) pwpolicies.ldif

echo "dn: cn=default,ou=pwpolicies,dc=dabayouxi,dc=com
cn: default
objectClass: pwdPolicy
objectClass: person
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdExpireWarning: 259200
pwdFailureCountInterval: 0
pwdGraceAuthNLimit: 5
pwdInHistory: 5
pwdLockout: TRUE
pwdLockoutDuration: 300
pwdMaxAge: 2592000
pwdMaxFailure: 5
pwdMinAge: 0
pwdMinLength: 8
pwdMustChange: TRUE
pwdSafeModify: TRUE
sn: dummyvalue" >> /data0/ldapldif/policy/default.ldif

ldapadd -x -D "cn=admin,dc=dabayouxi,dc=com" -W -f /data0/ldapldif/policy/default.ldif
Enter LDAP Password:
adding new entry "cn=default,ou=pwpolicies,dc=dabayouxi,dc=com"
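To see what the cn=default values above mean in practice, the following Python (an added example, not code from the post) models the ppolicy lockout and expiry rules with the page's numbers; times are plain epoch seconds. Note that pwdLockoutDuration 300 releases a lock after five minutes, while the admin-only unlock described in the feature list needs pwdLockoutDuration 0.

```python
# Values from the cn=default policy entry on this page; durations are in seconds.
POLICY = {
    "pwdMaxAge": 2592000,          # 30 days, then the password is expired
    "pwdExpireWarning": 259200,    # warnings start 3 days before expiry
    "pwdGraceAuthNLimit": 5,       # binds still allowed after expiry
    "pwdMaxFailure": 5,            # failed binds before lockout
    "pwdFailureCountInterval": 0,  # 0: failures never age out, only a successful bind clears them
    "pwdLockoutDuration": 300,     # 0 would keep the account locked until an admin resets it
    "pwdLockout": True,
    "pwdMustChange": True,         # with pwdReset: TRUE on the entry, the user must change the password first
    "pwdMinLength": 8,
}


def record_failure(policy, failure_times, now):
    """Apply one failed bind at `now`; returns (pwdFailureTime list, pwdAccountLockedTime or None)."""
    interval = policy["pwdFailureCountInterval"]
    if interval > 0:
        failure_times = [t for t in failure_times if now - t < interval]
    failure_times = failure_times + [now]
    if policy["pwdLockout"] and len(failure_times) >= policy["pwdMaxFailure"]:
        return failure_times, now
    return failure_times, None


def is_locked(policy, locked_at, now):
    """A set pwdAccountLockedTime locks the entry; a non-zero pwdLockoutDuration releases it later."""
    if locked_at is None:
        return False
    if policy["pwdLockoutDuration"] == 0:
        return True
    return now < locked_at + policy["pwdLockoutDuration"]


def expiry_state(policy, changed_at, now, grace_used=0):
    """'ok', 'warning', 'grace' or 'expired' for a password last changed at `changed_at`."""
    expires_at = changed_at + policy["pwdMaxAge"]
    if now < expires_at:
        return "warning" if expires_at - now <= policy["pwdExpireWarning"] else "ok"
    return "grace" if grace_used < policy["pwdGraceAuthNLimit"] else "expired"


def must_change_first(policy, entry):
    """pwdReset: TRUE (as set on webuser/coreuser above) forces a change on first login."""
    return policy["pwdMustChange"] and entry.get("pwdReset") == "TRUE"


def new_password_ok(policy, candidate):
    """Length check applied by the ppolicy overlay on a password change."""
    return len(candidate) >= policy["pwdMinLength"]


if __name__ == "__main__":
    t0 = 1505206800  # constructed reference time
    fails, locked = [], None
    for i in range(5):
        fails, locked = record_failure(POLICY, fails, t0 + i)
    print("locked at", locked, "still locked after 299s:", is_locked(POLICY, locked, locked + 299))
```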

1.6 Install phpLDAPadmin

yum install -y httpd php php-mbstring php-pear php-ldap
cd /usr/local/src/
wget https://jaist.dl.sourceforge.net/project/phpldapadmin/phpldapadmin-php5/1.2.3/phpldapadmin-1.2.3.zip
unzip phpldapadmin-1.2.3.zip
mkdir -p /data0/web_root/
mv phpldapadmin-1.2.3 /data0/web_root/phpldapadmin
echo "<VirtualHost *:80>
ServerAdmin openldap@dabayouxi.com
DocumentRoot /data0/web_root/phpldapadmin
ServerName openldap.dabayouxi.com
ErrorLog /data0/logs/apache/openldap.dabayouxi.com-error_log
CustomLog /data0/logs/apache/openldap.dabayouxi.com-access_log common
<Directory \"/data0/web_root/phpldapadmin\">
Options FollowSymLinks
AllowOverride all
Require all granted
</Directory>
</VirtualHost>" >> /etc/httpd/conf/httpd.conf
mkdir -p /data0/logs/apache/
service httpd restart

cp /data0/web_root/phpldapadmin/config/config.php.example /data0/web_root/phpldapadmin/config/config.php
vim /data0/web_root/phpldapadmin/config/config.php
$servers->setValue('server','host','192.168.9.168');
$servers->setValue('server','port',389);

Open http://192.168.9.168 in a browser.


1.7 MirrorMode replication: OpenLDAP dual master

(1) Append to slapd.conf on 192.168.9.168

vim /usr/local/openldap2.4/etc/openldap/slapd.conf
# append the following
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
serverID 1
syncrepl rid=123
    provider=ldap://192.168.9.225/
    bindmethod=simple
    binddn="cn=admin,dc=dabayouxi,dc=com"
    credentials=dabayouxi
    searchbase="dc=dabayouxi,dc=com"
    schemachecking=off
    type=refreshAndPersist
    retry="60 +"
mirrormode on

cd /usr/local/openldap2.4/etc/openldap/
slaptest -u
rm -rf slapd.d/*
slaptest -f slapd.conf -F slapd.d/
service slapd restart

(2) Append to slapd.conf on 192.168.9.225

vim /usr/local/openldap2.4/etc/openldap/slapd.conf
# append the following
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
serverID 2
syncrepl rid=123
    provider=ldap://192.168.9.168/
    bindmethod=simple
    binddn="cn=admin,dc=dabayouxi,dc=com"
    credentials=dabayouxi
    searchbase="dc=dabayouxi,dc=com"
    schemachecking=off
    type=refreshAndPersist
    retry="60 +"
mirrormode on

cd /usr/local/openldap2.4/etc/openldap/
slaptest -u
rm -rf slapd.d/*
slaptest -f slapd.conf -F slapd.d/
service slapd restart

(3) Test replication
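One way to test replication is to compare the contextCSN attribute of the suffix entry on both masters: each master holds one CSN per serverID, and the two sets match once both sides are caught up. The Python below is an added example, not from the post; the two ldapsearch outputs are constructed samples, not output captured from 192.168.9.168 or 192.168.9.225.

```python
import re

# Every master keeps one contextCSN per serverID it has seen. serverID 1 is
# 192.168.9.168 and serverID 2 is 192.168.9.225, matching the syncrepl stanzas
# above. A CSN is <timestamp>#<count>#<sid>#<mod>, with count/sid/mod in hex.
CSN_RE = re.compile(
    r"^contextCSN:\s*(\d{14}\.\d{6}Z)#([0-9a-f]{6})#([0-9a-f]{3})#([0-9a-f]{6})\s*$", re.M
)

# Constructed sample output (not captured from the page's hosts) of
#   ldapsearch -x -LLL -b dc=dabayouxi,dc=com -s base contextCSN
# run against each master; here 225 has not yet received the latest write made on 168.
OUT_168 = """dn: dc=dabayouxi,dc=com
contextCSN: 20170912092415.123456Z#000000#001#000000
contextCSN: 20170912092301.654321Z#000000#002#000000
"""
OUT_225 = """dn: dc=dabayouxi,dc=com
contextCSN: 20170912092300.000000Z#000000#001#000000
contextCSN: 20170912092301.654321Z#000000#002#000000
"""


def parse_context_csn(ldif):
    """Map serverID -> (timestamp, count) from ldapsearch output."""
    csns = {}
    for ts, count, sid, _mod in CSN_RE.findall(ldif):
        csns[int(sid, 16)] = (ts, int(count, 16))
    return csns


def replication_lag(local, remote):
    """serverIDs for which `local` is behind `remote` (missing or older CSN)."""
    return sorted(sid for sid, csn in remote.items() if local.get(sid, ("", 0)) < csn)


def in_sync(a, b):
    """Both masters are caught up when neither lags the other."""
    return not replication_lag(a, b) and not replication_lag(b, a)


if __name__ == "__main__":
    a, b = parse_context_csn(OUT_168), parse_context_csn(OUT_225)
    print("225 behind on serverIDs:", replication_lag(b, a), "in sync:", in_sync(a, b))
```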


1.8 Keepalived + OpenLDAP: OpenLDAP high availability

(1) Download and install keepalived

cd /usr/local/src/
wget http://www.keepalived.org/software/keepalived-1.2.13.tar.gz
yum install -y pcre-devel openssl-devel popt-devel
tar xf keepalived-1.2.13.tar.gz
cd keepalived-1.2.13
./configure --prefix=/usr/local/keepalived
make
make install

(2) Set keepalived up as a system service

cd /usr/local/keepalived/
cp etc/rc.d/init.d/keepalived /etc/init.d/
cp etc/sysconfig/keepalived /etc/sysconfig/
mkdir /etc/keepalived
cp etc/keepalived/keepalived.conf /etc/keepalived/
cp sbin/keepalived /usr/sbin/
chkconfig keepalived on
chkconfig --list keepalived

(3) Configure OpenLDAP hot standby

Master 192.168.9.168

vim /etc/keepalived/keepalived.conf

! Configuration File for keepalived
global_defs {
    router_id OpenLDAP_HA
}

vrrp_instance OpenLDAP {
    state BACKUP
    interface eth0
    virtual_router_id 53
    priority 100
    advert_int 1
    nopreempt
    authentication {
        auth_type PASS
        auth_pass dabayouxi
    }
    virtual_ipaddress {
        192.168.9.253
    }
}
virtual_server 192.168.9.253 389 {
    delay_loop 6
    nat_mask 255.255.255.0
    persistence_timeout 50
    protocol TCP
    real_server 192.168.9.168 389 {
        weight 3
        notify_down "/etc/keepalived/openldap.sh"
        TCP_CHECK {
            connect_timeout 5
            nb_get_retry 2
            delay_before_retry 3
        }
    }
}


vim /etc/keepalived/openldap.sh
#!/bin/bash
# run by keepalived when the local slapd check fails: stop keepalived so the VIP moves to the other master
/etc/init.d/keepalived stop

chmod +x /etc/keepalived/openldap.sh

service keepalived start
Starting keepalived: [ OK ]

ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether fa:9b:55:ac:33:00 brd ff:ff:ff:ff:ff:ff
    inet 192.168.9.168/24 brd 192.168.9.255 scope global eth0
    inet 192.168.9.253/32 scope global eth0
    inet6 fe80::f89b:55ff:feac:3300/64 scope link
       valid_lft forever preferred_lft forever

Master 192.168.9.225

vim /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
    router_id OpenLDAP_HA
}

vrrp_instance OpenLDAP {
    state BACKUP
    interface eth0
    virtual_router_id 53
    priority 90
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass dabayouxi
    }
    virtual_ipaddress {
        192.168.9.253
    }
}
virtual_server 192.168.9.253 389 {
    delay_loop 6
    nat_mask 255.255.255.0
    persistence_timeout 50
    protocol TCP
    real_server 192.168.9.225 389 {
        weight 3
        notify_down "/etc/keepalived/openldap.sh"
        TCP_CHECK {
            connect_timeout 5
            nb_get_retry 2
            delay_before_retry 3
        }
    }
}

vim /etc/keepalived/openldap.sh
#!/bin/bash
/etc/init.d/keepalived stop

chmod +x /etc/keepalived/openldap.sh

service keepalived start

(4) Verification


Part 2: Installing the OpenLDAP client

2.1 Base environment setup

(1) System initialization (see http://wupengfei.blog.51cto.com/7174803/1955545)

(2) Disable the firewall and SELinux

service iptables stop
chkconfig iptables off
sed -i 's@SELINUX=enforcing@SELINUX=disabled@g' /etc/selinux/config

(3) Time synchronization

yum -y install ntp
/usr/sbin/ntpdate -u clepsydra.dec.com tick.ucla.edu ntp.nasa.gov
echo "1 2 * * * /usr/sbin/ntpdate -u clepsydra.dec.com tick.ucla.edu ntp.nasa.gov" >> /var/spool/cron/root

2.2 Install the OpenLDAP client packages

(1) Install the packages with yum

yum -y install openldap openldap-devel compat-openldap nss-pam-ldapd

(2) Back up the original files

cp /etc/nslcd.conf /etc/nslcd.conf_default
cp /etc/nsswitch.conf /etc/nsswitch.conf_default
cp /etc/pam.d/system-auth-ac /etc/pam.d/system-auth-ac_default
cp /etc/pam.d/password-auth-ac /etc/pam.d/password-auth-ac_default
cp /etc/pam.d/fingerprint-auth-ac /etc/pam.d/fingerprint-auth-ac_default
cp /etc/pam.d/smartcard-auth-ac /etc/pam.d/smartcard-auth-ac_default
cp /etc/pam.d/sshd /etc/pam.d/sshd_default
cp /etc/pam.d/login /etc/pam.d/login_default
cp /etc/openldap/ldap.conf /etc/openldap/ldap.conf_default
cp /etc/sudo-ldap.conf /etc/sudo-ldap.conf_default

(3) Disable the sssd service

service sssd stop && chkconfig sssd off

(4) Edit the client configuration files

# /etc/nslcd.conf

vim /etc/nslcd.conf
uri ldap://192.168.9.253
base dc=dabayouxi,dc=com
ssl no
tls_cacertdir /etc/openldap/cacerts

# /etc/pam_ldap.conf

vim /etc/pam_ldap.conf
uri ldap://192.168.9.253
base dc=dabayouxi,dc=com
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
bind_policy soft
pam_lookup_policy yes
pam_password clear_remove_old

# /etc/pam.d/system-auth

vim /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so minlen=10 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 try_first_pass retry=3 type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

# /etc/pam.d/password-auth

vim /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so minlen=10 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 try_first_pass retry=3 type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

# /etc/pam.d/fingerprint-auth

vim /etc/pam.d/fingerprint-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

# /etc/pam.d/smartcard-auth

vim /etc/pam.d/smartcard-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card card_only
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    required      pam_pkcs11.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

# /etc/pam.d/sshd

vim /etc/pam.d/sshd
#%PAM-1.0
auth       required     pam_sepermit.so
auth       include      password-auth
account    required     pam_access.so
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth

# /etc/pam.d/login

vim /etc/pam.d/login
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    required     pam_limits.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      system-auth
-session   optional     pam_ck_connector.so

# /etc/nsswitch.conf

vim /etc/nsswitch.conf
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   ldap
publickey:  nisplus
automount:  files ldap
sudoers:    files ldap

# /etc/sysconfig/authconfig

vim /etc/sysconfig/authconfig
IPADOMAINJOINED=no
USEMKHOMEDIR=yes
USEPAMACCESS=no
CACHECREDENTIALS=yes
USESSSDAUTH=no
USESHADOW=yes
USEWINBIND=no
USESSSD=no
PASSWDALGORITHM=sha512
FORCELEGACY=no
USEFPRINTD=no
USEHESIOD=no
FORCESMARTCARD=no
USELDAPAUTH=yes
IPAV2NONTP=no
USELDAP=yes
USECRACKLIB=yes
USEIPAV2=no
USEWINBINDAUTH=no
USESMARTCARD=no
USELOCAUTHORIZE=yes
USENIS=no
USEKERBEROS=no
USESYSNETAUTH=no
USEDB=no
USEPASSWDQC=no

# /etc/sudo-ldap.conf

echo "uri ldap://192.168.9.253
sudoers_base ou=sudoers,dc=dabayouxi,dc=com" >> /etc/sudo-ldap.conf

# /etc/openldap/ldap.conf

vim /etc/openldap/ldap.conf
TLS_CACERTDIR /etc/openldap/cacerts
URI ldap://192.168.9.253
BASE dc=dabayouxi,dc=com

# /etc/security/access.conf

vim /etc/security/access.conf
# append the following
-:ALL EXCEPT root web:ALL
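The access.conf rule above is evaluated by pam_access (account required pam_access.so in /etc/pam.d/sshd on this page) with first-match-wins semantics, and a name such as web is matched against the login name and the user's groups, which resolve through nsswitch to the LDAP posixGroup. The Python below, an added example rather than the post's own code, models that evaluation for the page's rule; the origin strings and any extra rules fed to it are constructed.

```python
# The rule written to /etc/security/access.conf on the client, plus a comment.
# Format: permission : users/groups : origins, evaluated by pam_access in the account stage.
ACCESS_CONF = """
# deny everyone except root and members of the LDAP group 'web', from any origin
-:ALL EXCEPT root web:ALL
"""


def parse_access_conf(text):
    """Return [(allow, users_field, origins_field)] in file order; comments and blanks dropped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm == "+", users, origins))
    return rules


def _field_matches(field, names):
    """'ALL', 'x y z', or '<list> EXCEPT <list>' against a set of candidate names."""
    if " EXCEPT " in field:
        base, _, exceptions = field.partition(" EXCEPT ")
        return _field_matches(base, names) and not _field_matches(exceptions, names)
    if field == "ALL":
        return True
    return any(token in names for token in field.split())


def login_allowed(rules, user, groups, origin):
    """First matching rule decides; with no match pam_access permits the login."""
    names = {user, *groups}  # a token may name the user or one of the user's groups
    for allow, users, origins in rules:
        if _field_matches(users, names) and _field_matches(origins, {origin}):
            return allow
    return True


if __name__ == "__main__":
    rules = parse_access_conf(ACCESS_CONF)
    for user, groups in (("root", set()), ("webuser", {"web"}), ("coreuser", {"core"})):
        print(user, "allowed:", login_allowed(rules, user, groups, "192.168.9.225"))
```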

(5) Start the service

service nslcd restart

(6) Test
