Building an OpenLDAP system for centralized account management
Functions implemented:
1: Building the OpenLDAP server
3: Group-based sudo privilege assignment on the OpenLDAP server;
(1) No sudo privileges by default;
(2) Operations staff can sudo to any user and run any command;
(3) Development staff get the command permissions configured for them
4: Configuring the OpenLDAP client
5: OpenLDAP and SSH
7: Adding a password policy to OpenLDAP
(2) Minimum password length
(3) Password strength
(4) Days of warning before password expiry
(5) Days after expiry during which login is refused
(6) Number of failed attempts before the account is locked
(7) Recovery time after failed attempts
8: MirrorMode replication for an OpenLDAP dual-master setup
9: Keepalived + OpenLDAP for OpenLDAP high availability
10: TCP Wrappers
Access and maintenance workflow of the centralized account management system:
Lab environment:
Systems:
Master: CentOS 6.5 64-bit 192.168.9.225
Master: CentOS 6.5 64-bit 192.168.9.168
VIP: 192.168.9.253
Client: CentOS 6.5 64-bit 192.168.9.176
Packages:
openldap-2.4.45
db-4.6.21
PHPldapadmin-1.2.3
ltb-project-openldap-initscript-2.2
Reference links:
https://ltb-project.org/download
http://www.openldap.org/
http://www.oracle.com/technetwork/database/database-technologies/berkeleydb/downloads/index-082944.html
ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/
http://download.oracle.com/berkeley-db/db-4.6.21.tar.gz
1. Installing the OpenLDAP server
(Installation is identical on both masters)
1.1 Basic environment configuration
(1) System initialization (see http://wupengfei.blog.51cto.com/7174803/1955545)
(2) Disable the firewall and SELinux
service iptables stop
chkconfig iptables off
sed -i 's@SELINUX=enforcing@SELINUX=disabled@g' /etc/selinux/config
(3) Time synchronization
yum -y install ntp
/usr/sbin/ntpdate -u clepsydra.dec.com tick.ucla.edu ntp.nasa.gov
echo "1 2 * * * /usr/sbin/ntpdate -u clepsydra.dec.com tick.ucla.edu ntp.nasa.gov" >> /var/spool/cron/root
1.2 Installing OpenLDAP from source
(1) Install the build dependencies with yum
yum -y install gcc gcc-c++ unzip gzip bzip2 openssl-devel cyrus-sasl-devel krb5-devel tcp_wrappers-devel libtool-ltdl-devel openslp-devel unixODBC-devel mysql-devel
(2) Install Berkeley DB from source
cd /usr/local/src/
wget http://download.oracle.com/berkeley-db/db-4.6.21.tar.gz
tar xf db-4.6.21.tar.gz
cd db-4.6.21/build_unix/
../dist/configure --prefix=/usr/local/BDB4
make && make install
echo "/usr/local/BDB4/lib" >> /etc/ld.so.conf.d/bdb.conf
ldconfig
ln -sv /usr/local/BDB4/include /usr/local/bdb
(3) Install OpenLDAP from source
cd /usr/local/src/
wget ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-2.4.45.tgz
gunzip -c openldap-2.4.45.tgz | tar xf -
cd openldap-2.4.45
./configure --prefix=/usr/local/openldap2.4 \
  --enable-slapd \
  --enable-dynacl \
  --enable-aci \
  --enable-cleartext \
  --enable-crypt \
  --enable-lmpasswd \
  --enable-spasswd \
  --enable-modules \
  --enable-rewrite \
  --enable-rlookups \
  --enable-slapi \
  --enable-wrappers \
  --enable-backends \
  --enable-ndb=no \
  --enable-perl=no \
  --enable-overlays \
  CPPFLAGS="-I/usr/local/BDB4/include" \
  LDFLAGS="-L/usr/local/BDB4/lib"
make depend
make
make test
make install
echo "/usr/local/openldap2.4/lib" >> /etc/ld.so.conf.d/ldap.conf
ldconfig
ln -sv /usr/local/openldap2.4/include /usr/include/ldap2.4
ln -sv /usr/local/openldap2.4/bin/* /usr/local/bin/
ln -sv /usr/local/openldap2.4/sbin/* /usr/local/sbin/
1.4 Configuration
(1) Configuration file template
# grep -v ^# slapd.conf | grep -v ^$
include /usr/local/openldap2.4/etc/openldap/schema/corba.schema
include /usr/local/openldap2.4/etc/openldap/schema/core.schema
include /usr/local/openldap2.4/etc/openldap/schema/cosine.schema
include /usr/local/openldap2.4/etc/openldap/schema/duaconf.schema
include /usr/local/openldap2.4/etc/openldap/schema/dyngroup.schema
include /usr/local/openldap2.4/etc/openldap/schema/inetorgperson.schema
include /usr/local/openldap2.4/etc/openldap/schema/java.schema
include /usr/local/openldap2.4/etc/openldap/schema/misc.schema
include /usr/local/openldap2.4/etc/openldap/schema/nis.schema
include /usr/local/openldap2.4/etc/openldap/schema/openldap.schema
include /usr/local/openldap2.4/etc/openldap/schema/ppolicy.schema
include /usr/local/openldap2.4/etc/openldap/schema/collective.schema
include /usr/local/openldap2.4/etc/openldap/schema/sudo.schema
pidfile /usr/local/openldap2.4/var/run/slapd.pid
argsfile /usr/local/openldap2.4/var/run/slapd.args
modulepath /usr/local/openldap2.4/libexec/openldap
moduleload accesslog.la
moduleload auditlog.la
moduleload ppolicy.la
moduleload syncprov.la
moduleload back_mdb.la
moduleload back_ldap.la
access to attrs=shadowLastChange,userPassword
    by self write
    by anonymous auth
    by dn.base="cn=admin,dc=dabayouxi,dc=com" write
    by * none
access to *
    by self write
    by * read
database config
access to *
    by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
    by dn.base="cn=admin,dc=dabayouxi,dc=com" write
    by * none
database mdb
suffix "dc=dabayouxi,dc=com"
rootdn "cn=admin,dc=dabayouxi,dc=com"
rootpw {SSHA}jnN16Laklfzlm4hCrob1nhUgUloLpvnm
directory /data0/openldap-data
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,sub
index nisMapName,nisMapEntry eq,sub
loglevel 256
logfile /data0/logs/slapd/slapd.log
checkpoint 2048 10
overlay ppolicy
ppolicy_default cn=default,ou=pwpolicies,dc=dabayouxi,dc=com
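The rootpw above, like the userPassword values in the users.ldif of section 1.5, is an {SSHA} hash of the kind slappasswd produces: base64 of SHA-1(password || salt) followed by the salt bytes. The following Python script is an added example, not code from the original page. It generates such a value with a random 4-byte salt, checks that a stored value is well-formed (20-byte digest plus salt), and verifies a password against it the way slapd does. All password strings in it are constructed; the page's own rootpw can only be checked for shape, since its password is not given.

```python
"""Generate and check {SSHA} password hashes in the format slapd expects
for rootpw and userPassword (example added here; not code from the
original page). Layout: "{SSHA}" + base64( SHA1(password || salt) || salt ),
which is what slappasswd -h {SSHA} produces."""
import base64
import hashlib
import hmac
import os
from typing import Optional

PREFIX = "{SSHA}"


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return a {SSHA} string. A random 4-byte salt is used unless one is
    given; a fixed salt is only useful for reproducible tests."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_is_well_formed(stored: str) -> bool:
    """True when the value has the {SSHA} prefix and decodes to a 20-byte
    SHA-1 digest followed by at least one salt byte."""
    if not stored.startswith(PREFIX):
        return False
    try:
        raw = base64.b64decode(stored[len(PREFIX):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(raw) > hashlib.sha1().digest_size


def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SSHA} value the way
    slapd does: re-hash with the embedded salt and compare the digests."""
    if not ssha_is_well_formed(stored):
        return False
    raw = base64.b64decode(stored[len(PREFIX):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed password; the printed value is what goes into slapd.conf as rootpw.
    value = ssha_hash("constructed-example-password")
    print(value, ssha_verify("constructed-example-password", value))
```

Running the script prints a fresh {SSHA} value each time because the salt is random; two hashes of the same password therefore never look alike, which is exactly why the salt is stored alongside the digest.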
(2) Add sudo.schema
cp -f /usr/share/doc/sudo-1.8.6p3/schema.OpenLDAP /usr/local/openldap2.4/etc/openldap/schema/sudo.schema
restorecon /usr/local/openldap2.4/etc/openldap/schema/sudo.schema
(3) Create the ldap user and group
groupadd -r ldap
useradd -r -g ldap -s /sbin/nologin ldap
(4) Configure logging
mkdir -p /data0/logs/slapd
touch /data0/logs/slapd/slapd.log
echo "local4.* /data0/logs/slapd/slapd.log" >> /etc/rsyslog.d/openldap.conf
service rsyslog restart
echo "/data0/logs/slapd/*log {
    missingok
    compress
    notifempty
    daily
    rotate 5
    create 0600 root root
}" >> /etc/logrotate.d/slapd
(5) Configure the data directory
mkdir -p /data0/openldap-data
chmod 700 /data0/openldap-data/
cp /usr/local/openldap2.4/etc/openldap/DB_CONFIG.example /data0/openldap-data/DB_CONFIG
chown -R ldap.ldap /data0/openldap-data/
mkdir -p /usr/local/openldap2.4/etc/openldap/slapd.d
cd /usr/local/openldap2.4/etc/openldap/
slaptest -f slapd.conf -F slapd.d/
echo "BASE dc=dabayouxi,dc=com
URI ldap://192.168.9.168" >> /usr/local/openldap2.4/etc/openldap/ldap.conf
(6) Download the init script and adjust its settings
cd /usr/local/src/
wget https://ltb-project.org/archives/ltb-project-openldap-initscript-2.2.tar.gz
tar -xvf ltb-project-openldap-initscript-2.2.tar.gz
mv ltb-project-openldap-initscript-2.2/slapd /etc/init.d
vim /etc/init.d/slapd    # set the following variables
SLAPD_PATH="/usr/local/openldap2.4"
DATA_PATH="/data0/openldap-data"
BDB_PATH="/usr/local/BDB4"
chmod +x /etc/init.d/slapd
chkconfig slapd on
service slapd restart
1.5 OpenLDAP directory tree planning
# Import the planned DNs: write the following content into LDIF files and add them to the database with ldapadd
mkdir -p /data0/ldapldif/{users,groups,sudoers,policy}
(1) base.ldif
vim /data0/ldapldif/base.ldif
dn: dc=dabayouxi,dc=com
dc: dabayouxi
objectClass: top
objectClass: domain

dn: ou=users,dc=dabayouxi,dc=com
ou: users
objectClass: top
objectClass: organizationalUnit

dn: ou=groups,dc=dabayouxi,dc=com
ou: groups
objectClass: top
objectClass: organizationalUnit

dn: ou=sudoers,dc=dabayouxi,dc=com
ou: sudoers
objectClass: top
objectClass: organizationalUnit

dn: ou=pwpolicies,dc=dabayouxi,dc=com
ou: pwpolicies
objectClass: top
objectClass: organizationalUnit

ldapadd -x -D cn=admin,dc=dabayouxi,dc=com -W -f /data0/ldapldif/base.ldif
Enter LDAP Password:
adding new entry "dc=dabayouxi,dc=com"
adding new entry "ou=users,dc=dabayouxi,dc=com"
adding new entry "ou=groups,dc=dabayouxi,dc=com"
adding new entry "ou=sudoers,dc=dabayouxi,dc=com"
adding new entry "ou=pwpolicies,dc=dabayouxi,dc=com"
-x  use simple authentication instead of SASL
-D  the DN to bind as (here the admin DN), comparable to the root directory of an operating system
-W  prompt for the password; -w passwd passes it on the command line instead, which is not recommended because it exposes the password
-f  the LDIF file to load
# View the current directory tree with ldapsearch
ldapsearch -x -LLL    # -LLL prints plain LDIF, suppressing comments and the version line
(2) groups.ldif
echo "dn: cn=web,ou=groups,dc=dabayouxi,dc=com
objectClass: posixGroup
objectClass: top
cn: web
gidNumber: 1501" >> /data0/ldapldif/groups/web.ldif
echo "dn: cn=core,ou=groups,dc=dabayouxi,dc=com
objectClass: posixGroup
objectClass: top
cn: core
gidNumber: 1502" >> /data0/ldapldif/groups/core.ldif
ldapadd -x -D cn=admin,dc=dabayouxi,dc=com -W -f /data0/ldapldif/groups/web.ldif
Enter LDAP Password:
adding new entry "cn=web,ou=groups,dc=dabayouxi,dc=com"
ldapadd -x -D cn=admin,dc=dabayouxi,dc=com -W -f /data0/ldapldif/groups/core.ldif
Enter LDAP Password:
adding new entry "cn=core,ou=groups,dc=dabayouxi,dc=com"
(3) users.ldif
echo "dn: uid=webuser,ou=users,dc=dabayouxi,dc=com
uid: webuser
cn: webuser
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {SSHA}1F4G8mlpJ4asfQud0kJOsj6tIWdoiHEc
shadowLastChange: 17412
shadowMin: 0
shadowMax: 999999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 2501
gidNumber: 1501
homeDirectory: /home/webuser
pwdReset: TRUE" >> /data0/ldapldif/users/webuser.ldif
echo "dn: uid=coreuser,ou=users,dc=dabayouxi,dc=com
uid: coreuser
cn: coreuser
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {SSHA}1F4G8mlpJ4asfQud0kJOsj6tIWdoiHEc
shadowLastChange: 17412
shadowMin: 0
shadowMax: 999999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 2502
gidNumber: 1502
homeDirectory: /home/coreuser
pwdReset: TRUE" >> /data0/ldapldif/users/coreuser.ldif
ldapadd -x -D cn=admin,dc=dabayouxi,dc=com -W -f /data0/ldapldif/users/webuser.ldif
Enter LDAP Password:
adding new entry "uid=webuser,ou=users,dc=dabayouxi,dc=com"
ldapadd -x -D cn=admin,dc=dabayouxi,dc=com -W -f /data0/ldapldif/users/coreuser.ldif
Enter LDAP Password:
adding new entry "uid=coreuser,ou=users,dc=dabayouxi,dc=com"
(4) sudoers.ldif
vim /data0/ldapldif/sudoers/defaults.ldif
dn: cn=defaults,ou=sudoers,dc=dabayouxi,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
sudoOption: requiretty
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset

vim /data0/ldapldif/sudoers/web.ldif
dn: cn=%web,ou=sudoers,dc=dabayouxi,dc=com
objectClass: top
objectClass: sudoRole
cn: %web
sudoHost: ALL
sudoRunAsUser: www
sudoOption: !authenticate
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset
sudoCommand: ALL
sudoUser: %web

vim /data0/ldapldif/sudoers/core.ldif
dn: cn=%core,ou=sudoers,dc=dabayouxi,dc=com
objectClass: top
objectClass: sudoRole
cn: %core
sudoHost: ALL
sudoRunAsUser: ALL
sudoOption: !authenticate
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset
sudoCommand: ALL
sudoUser: %core

ldapadd -x -D cn=admin,dc=dabayouxi,dc=com -W -f /data0/ldapldif/sudoers/defaults.ldif
Enter LDAP Password:
adding new entry "cn=defaults,ou=sudoers,dc=dabayouxi,dc=com"
ldapadd -x -D cn=admin,dc=dabayouxi,dc=com -W -f /data0/ldapldif/sudoers/web.ldif
Enter LDAP Password:
adding new entry "cn=%web,ou=sudoers,dc=dabayouxi,dc=com"
ldapadd -x -D cn=admin,dc=dabayouxi,dc=com -W -f /data0/ldapldif/sudoers/core.ldif
Enter LDAP Password:
adding new entry "cn=%core,ou=sudoers,dc=dabayouxi,dc=com"
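Because groups, users and sudoRoles are added from separate files, a mistyped gidNumber or a sudoUser that names a group which does not exist is only discovered at login or sudo time. The Python script below is an added example, not the page's own code: it reads the kind of LDIF written above and checks that each RDN is backed by the matching attribute, that every posixAccount carries its required attributes, that uidNumber and gidNumber values are unique, that every user's gidNumber has a posixGroup, and that every %group in sudoUser exists. SAMPLE_LDIF is constructed from the entries above (userPassword and shadow attributes omitted); the function names are mine.

```python
"""Pre-flight consistency checks for the group, user and sudoRole LDIF files
of section 1.5 before they go to ldapadd (example added here; not code from
the original page). SAMPLE_LDIF is constructed from the entries above, with
userPassword and the shadow attributes left out since they play no part."""
from typing import Dict, List

SAMPLE_LDIF = """\
dn: cn=web,ou=groups,dc=dabayouxi,dc=com
objectClass: posixGroup
cn: web
gidNumber: 1501

dn: cn=core,ou=groups,dc=dabayouxi,dc=com
objectClass: posixGroup
cn: core
gidNumber: 1502

dn: uid=webuser,ou=users,dc=dabayouxi,dc=com
uid: webuser
cn: webuser
objectClass: posixAccount
uidNumber: 2501
gidNumber: 1501
homeDirectory: /home/webuser

dn: cn=%web,ou=sudoers,dc=dabayouxi,dc=com
objectClass: sudoRole
cn: %web
sudoHost: ALL
sudoRunAsUser: www
sudoCommand: ALL
sudoUser: %web
"""

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: blank-line-separated entries, one 'attr: value'
    per line, '#' comments skipped, attribute names lower-cased. Folded lines
    and base64 (::) values do not occur in these files and are not handled."""
    entries: List[Entry] = []
    current: Entry = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def check_entries(entries: List[Entry]) -> List[str]:
    """Return the problems found; an empty list means the set is consistent.
    Groups must precede the users and sudoRoles that refer to them, which is
    also the order in which the page adds them."""
    problems: List[str] = []
    gids: Dict[str, str] = {}   # gidNumber -> group cn
    uids: Dict[str, str] = {}   # uidNumber -> user dn
    for e in entries:
        dn = e.get("dn", ["<no dn>"])[0]
        classes = {c.lower() for c in e.get("objectclass", [])}
        # The RDN (e.g. uid=webuser) must be backed by the same attribute value.
        rdn_attr, _, rdn_val = dn.split(",", 1)[0].partition("=")
        if rdn_val not in e.get(rdn_attr.lower(), []):
            problems.append(f"{dn}: RDN value '{rdn_val}' missing from attribute {rdn_attr}")
        if "posixgroup" in classes:
            gid, cn = e.get("gidnumber", [""])[0], e.get("cn", [""])[0]
            if gid in gids:
                problems.append(f"{dn}: gidNumber {gid} already used by group {gids[gid]}")
            gids[gid] = cn
        if "posixaccount" in classes:
            for must in ("cn", "uid", "uidnumber", "gidnumber", "homedirectory"):
                if must not in e:
                    problems.append(f"{dn}: missing required attribute {must}")
            uid, gid = e.get("uidnumber", [""])[0], e.get("gidnumber", [""])[0]
            if uid in uids:
                problems.append(f"{dn}: uidNumber {uid} already used by {uids[uid]}")
            uids[uid] = dn
            if gid not in gids:
                problems.append(f"{dn}: gidNumber {gid} has no posixGroup entry")
        if "sudorole" in classes:
            for who in e.get("sudouser", []):
                if who.startswith("%") and who[1:] not in gids.values():
                    problems.append(f"{dn}: sudoUser {who} refers to an unknown group")
    return problems


if __name__ == "__main__":
    for line in check_entries(parse_ldif(SAMPLE_LDIF)) or ["LDIF set is consistent"]:
        print(line)
```

To use it on the real files, concatenate them in the same order the page adds them (groups, users, sudoers) and pass the text to parse_ldif; ldapadd would reject a bad RDN anyway, but the dangling gidNumber and sudoUser references are accepted silently by the server and only show up as a user with no primary group or a sudo role that matches nobody.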
(5) pwpolicies.ldif
echo "dn: cn=default,ou=pwpolicies,dc=dabayouxi,dc=com
cn: default
objectClass: pwdPolicy
objectClass: person
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdExpireWarning: 259200
pwdFailureCountInterval: 0
pwdGraceAuthNLimit: 5
pwdInHistory: 5
pwdLockout: TRUE
pwdLockoutDuration: 300
pwdMaxAge: 2592000
pwdMaxFailure: 5
pwdMinAge: 0
pwdMinLength: 8
pwdMustChange: TRUE
pwdSafeModify: TRUE
sn: dummyvalue" >> /data0/ldapldif/policy/default.ldif
ldapadd -x -D cn=admin,dc=dabayouxi,dc=com -W -f /data0/ldapldif/policy/default.ldif
Enter LDAP Password:
adding new entry "cn=default,ou=pwpolicies,dc=dabayouxi,dc=com"
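The pwdPolicy values above are all in seconds, and several of them interact: pwdExpireWarning has to be shorter than pwdMaxAge, and pwdMaxFailure, pwdLockoutDuration and pwdFailureCountInterval together decide when an account locks and when it frees itself again. The Python script below is an added example, not code from the original page. It prints the durations readably, flags combinations that commonly surprise administrators, and models the ppolicy lockout counter for a sequence of bind attempts. POLICY is copied from the LDIF above; the lockout model is a simplification of slapd's behaviour (it clears the recorded failures when a lock expires) and is labelled as such in the code.

```python
"""What the cn=default pwdPolicy above actually does: readable durations,
sanity checks, and a small model of the ppolicy lockout counter (example
added here; not code from the original page). POLICY is copied from the
LDIF above; the lockout model simplifies slapd's behaviour by clearing the
failure list when a lock expires."""
from typing import Dict, List, Tuple

POLICY: Dict[str, str] = {
    "pwdExpireWarning": "259200", "pwdFailureCountInterval": "0",
    "pwdGraceAuthNLimit": "5", "pwdInHistory": "5", "pwdLockout": "TRUE",
    "pwdLockoutDuration": "300", "pwdMaxAge": "2592000", "pwdMaxFailure": "5",
    "pwdMinAge": "0", "pwdMinLength": "8", "pwdMustChange": "TRUE",
}
DURATIONS = ("pwdExpireWarning", "pwdFailureCountInterval", "pwdLockoutDuration",
             "pwdMaxAge", "pwdMinAge")


def seconds_to_text(n: int) -> str:
    """2592000 -> '30d', 300 -> '5m', 90061 -> '1d 1h 1m 1s', 0 -> '0s'."""
    parts = []
    for unit, size in (("d", 86400), ("h", 3600), ("m", 60), ("s", 1)):
        if n >= size:
            parts.append(f"{n // size}{unit}")
            n %= size
    return " ".join(parts) or "0s"


def check_policy(p: Dict[str, str]) -> List[str]:
    """Notes about settings whose effect is easy to misjudge."""
    def g(key: str) -> int:
        return int(p.get(key, "0"))
    notes = []
    if g("pwdMaxAge") and g("pwdExpireWarning") >= g("pwdMaxAge"):
        notes.append("pwdExpireWarning is not shorter than pwdMaxAge: users are warned from day one")
    if p.get("pwdLockout", "FALSE").upper() == "TRUE":
        if g("pwdMaxFailure") == 0:
            notes.append("pwdLockout is TRUE but pwdMaxFailure is 0: lockout never triggers")
        if g("pwdLockoutDuration") == 0:
            notes.append("pwdLockoutDuration 0: locked accounts stay locked until an admin removes pwdAccountLockedTime")
    if g("pwdFailureCountInterval") == 0:
        notes.append("pwdFailureCountInterval 0: failed-bind timestamps are only cleared by a successful bind")
    if g("pwdGraceAuthNLimit"):
        notes.append(f"pwdGraceAuthNLimit {g('pwdGraceAuthNLimit')}: that many binds are still accepted after the password expires")
    return notes


def simulate_binds(p: Dict[str, str], attempts: List[Tuple[int, bool]]) -> List[str]:
    """Model the lockout counter. attempts = [(time_in_seconds, password_correct)].
    Returns 'ok', 'fail' or 'locked' per attempt."""
    max_fail = int(p.get("pwdMaxFailure", "0"))
    interval = int(p.get("pwdFailureCountInterval", "0"))
    duration = int(p.get("pwdLockoutDuration", "0"))
    lockout = p.get("pwdLockout", "FALSE").upper() == "TRUE"
    failures: List[int] = []    # models the pwdFailureTime values on the entry
    locked_at = None            # models pwdAccountLockedTime
    outcomes = []
    for t, correct in attempts:
        if locked_at is not None:
            if duration == 0 or t < locked_at + duration:
                outcomes.append("locked")
                continue
            locked_at, failures = None, []      # lock expired (model simplification)
        if interval:
            failures = [f for f in failures if t - f < interval]  # old failures age out
        if correct:
            failures = []
            outcomes.append("ok")
            continue
        failures.append(t)
        outcomes.append("fail")
        if lockout and max_fail and len(failures) >= max_fail:
            locked_at = t
    return outcomes


if __name__ == "__main__":
    for key in DURATIONS:
        print(f"{key}: {seconds_to_text(int(POLICY[key]))}")
    for note in check_policy(POLICY):
        print("note:", note)
    # Five wrong passwords, then the right one 6 s later and again after 5 min.
    print(simulate_binds(POLICY, [(0, False), (1, False), (2, False), (3, False),
                                  (4, False), (10, True), (305, True)]))
```

With the page's values the simulation shows the fifth failure locking the account, the correct password being refused ten seconds later, and the same password accepted once the 300 s pwdLockoutDuration has passed; the notes point out that with pwdFailureCountInterval 0 a slow trickle of wrong passwords never ages out of the counter.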
1.6 Installing phpLDAPadmin
yum install -y httpd php php-mbstring php-pear php-ldap
cd /usr/local/src/
wget https://jaist.dl.sourceforge.net/project/phpldapadmin/phpldapadmin-php5/1.2.3/phpldapadmin-1.2.3.zip
unzip phpldapadmin-1.2.3.zip
mkdir -p /data0/web_root/
mv phpldapadmin-1.2.3 /data0/web_root/phpldapadmin
echo "<VirtualHost *:80>
    ServerAdmin openldap@dabayouxi.com
    DocumentRoot /data0/web_root/phpldapadmin
    ServerName openldap.dabayouxi.com
    ErrorLog /data0/logs/apache/openldap.dabayouxi.com-error_log
    CustomLog /data0/logs/apache/openldap.dabayouxi.com-access_log common
    <Directory \"/data0/web_root/phpldapadmin\">
        Options FollowSymLinks
        AllowOverride all
        Require all granted
    </Directory>
</VirtualHost>" >> /etc/httpd/conf/httpd.conf
mkdir -p /data0/logs/apache/
service httpd restart
cp /data0/web_root/phpldapadmin/config/config.php.example /data0/web_root/phpldapadmin/config/config.php
vim /data0/web_root/phpldapadmin/config/config.php
$servers->setValue('server','host','192.168.9.168');
$servers->setValue('server','port',389);
Open in a browser: http://192.168.9.168
1.7 MirrorMode replication for an OpenLDAP dual-master setup
(1) Append to the end of slapd.conf on 192.168.9.168
vim /usr/local/openldap2.4/etc/openldap/slapd.conf
# add the following
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
serverID 1
syncrepl rid=123
    provider=ldap://192.168.9.225/
    bindmethod=simple
    binddn="cn=admin,dc=dabayouxi,dc=com"
    credentials=dabayouxi
    searchbase="dc=dabayouxi,dc=com"
    schemachecking=off
    type=refreshAndPersist
    retry="60 +"
mirrormode on
cd /usr/local/openldap2.4/etc/openldap/
slaptest -u
rm -rf slapd.d/*
slaptest -f slapd.conf -F slapd.d/
service slapd restart
(2) Append to the end of slapd.conf on 192.168.9.225
vim /usr/local/openldap2.4/etc/openldap/slapd.conf
# add the following
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
serverID 2
syncrepl rid=123
    provider=ldap://192.168.9.168/
    bindmethod=simple
    binddn="cn=admin,dc=dabayouxi,dc=com"
    credentials=dabayouxi
    searchbase="dc=dabayouxi,dc=com"
    schemachecking=off
    type=refreshAndPersist
    retry="60 +"
mirrormode on
cd /usr/local/openldap2.4/etc/openldap/
slaptest -u
rm -rf slapd.d/*
slaptest -f slapd.conf -F slapd.d/
service slapd restart
(3) Test synchronization
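A practical synchronization test is to compare the contextCSN operational attribute on both masters: each master publishes one value per serverID, and replication has caught up when both hold identical values for every serverID. The Python script below is an added example, not code from the original page. It parses the output of ldapsearch -x -LLL -H ldap://<master> -b dc=dabayouxi,dc=com -s base contextCSN (the two embedded outputs are constructed, with master B lagging on serverID 2) and reports which side is behind; fetch_contextcsn runs the real query against the lab masters and is only called from the commented-out line.

```python
"""Check that two MirrorMode masters have converged by comparing their
contextCSN values (example added here; not code from the original page).
Each master publishes one contextCSN per serverID; replication is caught up
when both hold identical values for every serverID. The two LDIF texts below
are constructed outputs of the ldapsearch command in fetch_contextcsn."""
import subprocess
from typing import Dict, List, Tuple

# Constructed output from 192.168.9.168.
CSN_MASTER_A = """\
dn: dc=dabayouxi,dc=com
contextCSN: 20171019091234.123456Z#000000#001#000000
contextCSN: 20171019091300.000000Z#000000#002#000000
"""
# Constructed output from 192.168.9.225: its copy of serverID 2 is older.
CSN_MASTER_B = """\
dn: dc=dabayouxi,dc=com
contextCSN: 20171019091234.123456Z#000000#001#000000
contextCSN: 20171019091250.000000Z#000000#002#000000
"""


def parse_contextcsn(ldif_text: str) -> Dict[str, str]:
    """Map serverID (third '#' field of the CSN) -> CSN from ldapsearch -LLL output."""
    csns: Dict[str, str] = {}
    for line in ldif_text.splitlines():
        if line.startswith("contextCSN:"):
            csn = line.split(":", 1)[1].strip()
            csns[csn.split("#")[2]] = csn
    return csns


def compare_csns(a: Dict[str, str], b: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Return (in_sync, details). A CSN starts with its UTC timestamp, so plain
    string order says which side is behind for a given serverID."""
    details: List[str] = []
    for sid in sorted(set(a) | set(b)):
        ca, cb = a.get(sid), b.get(sid)
        if ca == cb:
            continue
        if ca is None or cb is None:
            details.append(f"sid {sid}: present on only one master")
        else:
            behind = "B" if cb < ca else "A"
            details.append(f"sid {sid}: master {behind} is behind ({ca} vs {cb})")
    return (not details, details)


def fetch_contextcsn(uri: str, base: str = "dc=dabayouxi,dc=com") -> Dict[str, str]:
    """Query a live master; contextCSN is operational and must be requested by name."""
    out = subprocess.run(
        ["ldapsearch", "-x", "-LLL", "-H", uri, "-b", base, "-s", "base", "contextCSN"],
        capture_output=True, text=True, check=True).stdout
    return parse_contextcsn(out)


if __name__ == "__main__":
    ok, details = compare_csns(parse_contextcsn(CSN_MASTER_A), parse_contextcsn(CSN_MASTER_B))
    print("in sync" if ok else "\n".join(details))
    # Against the lab masters (uncomment on a host that can reach both):
    # ok, details = compare_csns(fetch_contextcsn("ldap://192.168.9.168"),
    #                            fetch_contextcsn("ldap://192.168.9.225"))
```

A transient difference right after a write is normal with refreshAndPersist; a difference that persists, or a serverID present on only one master, means the syncrepl consumer on the lagging side is not connecting (check the provider URI, binddn/credentials and the slapd log at loglevel 256).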
1.8 Keepalived + OpenLDAP for OpenLDAP high availability
(1) Download and install keepalived
cd /usr/local/src/
wget http://www.keepalived.org/software/keepalived-1.2.13.tar.gz
yum install -y pcre-devel openssl-devel popt-devel
tar xf keepalived-1.2.13.tar.gz
cd keepalived-1.2.13
./configure --prefix=/usr/local/keepalived
make
make install
(2) Set keepalived up as a system service
cd /usr/local/keepalived/
cp etc/rc.d/init.d/keepalived /etc/init.d/
cp etc/sysconfig/keepalived /etc/sysconfig/
mkdir /etc/keepalived
cp etc/keepalived/keepalived.conf /etc/keepalived/
cp sbin/keepalived /usr/sbin/
chkconfig keepalived on
chkconfig --list keepalived
(3) Configure OpenLDAP hot standby
Master 192.168.9.168
vim /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
    router_id OpenLDAP_HA
}
vrrp_instance OpenLDAP {
    state BACKUP
    interface eth0
    virtual_router_id 53
    priority 100
    advert_int 1
    nopreempt
    authentication {
        auth_type PASS
        auth_pass dabayouxi
    }
    virtual_ipaddress {
        192.168.9.253
    }
}
virtual_server 192.168.9.253 389 {
    delay_loop 6
    nat_mask 255.255.255.0
    persistence_timeout 50
    protocol TCP
    real_server 192.168.9.168 389 {
        weight 3
        notify_down "/etc/keepalived/openldap.sh"
        TCP_CHECK {
            connect_timeout 5
            nb_get_retry 2
            delay_before_retry 3
        }
    }
}
vim /etc/keepalived/openldap.sh
#!/bin/bash
/etc/init.d/keepalived stop
chmod +x /etc/keepalived/openldap.sh
service keepalived start
Starting keepalived: [  OK  ]
ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether fa:9b:55:ac:33:00 brd ff:ff:ff:ff:ff:ff
    inet 192.168.9.168/24 brd 192.168.9.255 scope global eth0
    inet 192.168.9.253/32 scope global eth0
    inet6 fe80::f89b:55ff:feac:3300/64 scope link
       valid_lft forever preferred_lft forever
Master 192.168.9.225
vim /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
    router_id OpenLDAP_HA
}
vrrp_instance OpenLDAP {
    state BACKUP
    interface eth0
    virtual_router_id 53
    priority 90
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass dabayouxi
    }
    virtual_ipaddress {
        192.168.9.253
    }
}
virtual_server 192.168.9.253 389 {
    delay_loop 6
    nat_mask 255.255.255.0
    persistence_timeout 50
    protocol TCP
    real_server 192.168.9.225 389 {
        weight 3
        notify_down "/etc/keepalived/openldap.sh"
        TCP_CHECK {
            connect_timeout 5
            nb_get_retry 2
            delay_before_retry 3
        }
    }
}
vim /etc/keepalived/openldap.sh
#!/bin/bash
/etc/init.d/keepalived stop
chmod +x /etc/keepalived/openldap.sh
service keepalived start
(4) Verification
2. Installing the OpenLDAP client
2.1 Basic environment configuration
(1) System initialization (see http://wupengfei.blog.51cto.com/7174803/1955545)
(2) Disable the firewall and SELinux
service iptables stop
chkconfig iptables off
sed -i 's@SELINUX=enforcing@SELINUX=disabled@g' /etc/selinux/config
(3) Time synchronization
yum -y install ntp
/usr/sbin/ntpdate -u clepsydra.dec.com tick.ucla.edu ntp.nasa.gov
echo "1 2 * * * /usr/sbin/ntpdate -u clepsydra.dec.com tick.ucla.edu ntp.nasa.gov" >> /var/spool/cron/root
2.2 Installing the OpenLDAP client packages
(1) Install the packages with yum
yum -y install openldap openldap-devel compat-openldap nss-pam-ldapd
(2) Back up the original files
cp /etc/nslcd.conf /etc/nslcd.conf_default
cp /etc/nsswitch.conf /etc/nsswitch.conf_default
cp /etc/pam.d/system-auth-ac /etc/pam.d/system-auth-ac_default
cp /etc/pam.d/password-auth-ac /etc/pam.d/password-auth-ac_default
cp /etc/pam.d/fingerprint-auth-ac /etc/pam.d/fingerprint-auth-ac_default
cp /etc/pam.d/smartcard-auth-ac /etc/pam.d/smartcard-auth-ac_default
cp /etc/pam.d/sshd /etc/pam.d/sshd_default
cp /etc/pam.d/login /etc/pam.d/login_default
cp /etc/openldap/ldap.conf /etc/openldap/ldap.conf_default
cp /etc/sudo-ldap.conf /etc/sudo-ldap.conf_default
(3) Disable the sssd service
service sssd stop && chkconfig sssd off
(4) Edit the configuration files
# /etc/nslcd.conf
vim /etc/nslcd.conf
uri ldap://192.168.9.253
base dc=dabayouxi,dc=com
ssl no
tls_cacertdir /etc/openldap/cacerts
# /etc/pam_ldap.conf
vim /etc/pam_ldap.conf
uri ldap://192.168.9.253
base dc=dabayouxi,dc=com
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
bind_policy soft
pam_lookup_policy yes
pam_password clear_remove_old
# /etc/pam.d/system-auth
vim /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so minlen=10 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 try_first_pass retry=3 type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
# /etc/pam.d/password-auth
vim /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so minlen=10 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 try_first_pass retry=3 type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
# /etc/pam.d/fingerprint-auth
vim /etc/pam.d/fingerprint-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
# /etc/pam.d/smartcard-auth
vim /etc/pam.d/smartcard-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card card_only
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    required      pam_pkcs11.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
# /etc/pam.d/sshd
vim /etc/pam.d/sshd
#%PAM-1.0
auth       required     pam_sepermit.so
auth       include      password-auth
account    required     pam_access.so
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
# /etc/pam.d/login
vim /etc/pam.d/login
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    required     pam_limits.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      system-auth
-session   optional     pam_ck_connector.so
# /etc/nsswitch.conf
vim /etc/nsswitch.conf
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   ldap
publickey:  nisplus
automount:  files ldap
sudoers:    files ldap
# /etc/sysconfig/authconfig
vim /etc/sysconfig/authconfig
IPADOMAINJOINED=no
USEMKHOMEDIR=yes
USEPAMACCESS=no
CACHECREDENTIALS=yes
USESSSDAUTH=no
USESHADOW=yes
USEWINBIND=no
USESSSD=no
PASSWDALGORITHM=sha512
FORCELEGACY=no
USEFPRINTD=no
USEHESIOD=no
FORCESMARTCARD=no
USELDAPAUTH=yes
IPAV2NONTP=no
USELDAP=yes
USECRACKLIB=yes
USEIPAV2=no
USEWINBINDAUTH=no
USESMARTCARD=no
USELOCAUTHORIZE=yes
USENIS=no
USEKERBEROS=no
USESYSNETAUTH=no
USEDB=no
USEPASSWDQC=no
# /etc/sudo-ldap.conf
echo "uri ldap://192.168.9.253
sudoers_base ou=sudoers,dc=dabayouxi,dc=com" >> /etc/sudo-ldap.conf
# /etc/openldap/ldap.conf
vim /etc/openldap/ldap.conf
TLS_CACERTDIR /etc/openldap/cacerts
URI ldap://192.168.9.253
BASE dc=dabayouxi,dc=com
# /etc/security/access.conf
vim /etc/security/access.conf
# add the following line
-:ALL EXCEPT root web:ALL
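With pam_access enabled in /etc/pam.d/sshd, the single rule above means that only root and members of the web group may log in to this client; coreuser, although a valid LDAP account, is refused at the account stage. The Python script below is an added example, not code from the original page. It evaluates access.conf rules with pam_access's first-match semantics for the subset of the syntax used here (ALL, ALL EXCEPT, names that match a user or one of the user's groups, (group) for group-only matching, and origins), so the effect of a rule can be checked before the file is installed. The default origin 192.168.9.176 and the user/group combinations are constructed for illustration.

```python
"""Evaluate pam_access rules like the one added to /etc/security/access.conf
above (example added here; not code from the original page). Covered syntax:
'perm:users:origins' lines, first match wins, 'ALL', 'ALL EXCEPT ...', names
that match the user or one of the user's groups, '(name)' for group-only
matching. As in pam_access, a user matched by no rule is permitted."""
from typing import Iterable, List, Tuple

# The rule the page adds: everyone except root and the web group is denied.
ACCESS_CONF = """\
# comment lines and blank lines are ignored
-:ALL EXCEPT root web:ALL
"""

Rule = Tuple[str, List[str], List[str]]


def parse_rules(text: str) -> List[Rule]:
    """Split 'perm:users:origins' lines into (perm, user tokens, origin tokens)."""
    rules: List[Rule] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm, users.split(), origins.split()))
    return rules


def _name_matches(token: str, user: str, groups: Iterable[str]) -> bool:
    if token == "ALL":
        return True
    if token.startswith("(") and token.endswith(")"):   # group-only form
        return token[1:-1] in groups
    return token == user or token in groups


def _users_match(tokens: List[str], user: str, groups: Iterable[str]) -> bool:
    """'a b c' matches any listed name; 'ALL EXCEPT a b' matches everyone else."""
    groups = set(groups)
    if len(tokens) >= 2 and tokens[0] == "ALL" and tokens[1] == "EXCEPT":
        return not any(_name_matches(t, user, groups) for t in tokens[2:])
    return any(_name_matches(t, user, groups) for t in tokens)


def _origin_matches(tokens: List[str], origin: str) -> bool:
    if len(tokens) >= 2 and tokens[0] == "ALL" and tokens[1] == "EXCEPT":
        return origin not in tokens[2:]
    return "ALL" in tokens or origin in tokens


def access_allowed(conf: str, user: str, groups: Iterable[str],
                   origin: str = "192.168.9.176") -> bool:
    """First matching rule decides: '+' permits, '-' denies; no match permits."""
    groups = set(groups)
    for perm, users, origins in parse_rules(conf):
        if _users_match(users, user, groups) and _origin_matches(origins, origin):
            return perm == "+"
    return True


if __name__ == "__main__":
    # Constructed accounts mirroring the page's two LDAP users plus root.
    for who, grp in (("root", ["root"]), ("webuser", ["web"]), ("coreuser", ["core"])):
        print(who, "allowed" if access_allowed(ACCESS_CONF, who, grp) else "denied")
```

Because a bare name in the users field matches either a user or a group, a local user who happened to be named web would also pass the page's rule; writing the group as (web) restricts the match to group membership.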
(5) Start the service
service nslcd restart
(6) Testing