Once you are running hundreds or thousands of machines, logging in to each of them with its own password or key becomes painful. This post shows how to use OpenLDAP so that a single account can log in to every machine and application, with sudo rights also held centrally in the directory.
I. OpenLDAP installation and configuration
1. Install the packages and dependencies
yum install -y openldap openldap-servers openldap-clients openldap-devel
2. Edit the configuration file
cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
cp /usr/share/doc/sudo-1.8.6p3/schema.OpenLDAP /etc/openldap/schema/sudo.schema
# The sudo version in the last path depends on the installed sudo package; check /usr/share/doc/sudo-*/.

# Edit /etc/openldap/slapd.conf
# Find "include /etc/openldap/schema/core.schema" and add the following line below it:
include /etc/openldap/schema/sudo.schema

# Find "database bdb" and change the lines below it to:
database bdb
suffix "dc=abc,dc=com"
checkpoint 1024 15
rootdn "cn=admin,dc=abc,dc=com"
rootpw admin
loglevel 1

# Notes:
database bdb: use the BerkeleyDB backend
suffix "dc=abc,dc=com": the directory suffix, i.e. the domain abc.com
checkpoint 1024 15: flush the cache to disk every 1 MB of transaction log or every 15 minutes
rootdn "cn=admin,dc=abc,dc=com": the administrator DN is admin
rootpw admin: the administrator password is admin
loglevel 1: log level 1

The rootdn bypasses every ACL, so the value of rootpw matters. rootpw accepts a hash as well as cleartext: generate one with slappasswd and paste the {SSHA} string here instead of leaving the cleartext password in slapd.conf, and pick something stronger than "admin" outside a lab.

# Log levels
Any (-1, 0xffffffff): enable all debug output
Trace (1, 0x1): trace function calls
Packets (2, 0x2): debug packet handling
Args (4, 0x4): heavy trace debugging (function arguments)
Conns (8, 0x8): connection management
BER (16, 0x10): print packets sent and received
Filter (32, 0x20): search filter processing
Config (64, 0x40): configuration file processing
ACL (128, 0x80): access control list processing
Stats (256, 0x100): connections, operations and statistics
Stats2 (512, 0x200): statistics on entries sent to clients
Shell (1024, 0x400): communication with shell backends
Parse (2048, 0x800): entry parsing
Sync (16384, 0x4000): syncrepl (data synchronisation) consumer processing
None (32768, 0x8000): no debug logging

# Append the following to the end of the file so that users can change their own password:
access to attrs=shadowLastChange,userPassword
        by self write
        by * auth
access to *
        by * read

The first rule lets an entry's owner write its own password hash and lets anyone use the attribute for authentication (bind) without being able to read it. The second rule grants anonymous read on every other attribute; the clients below rely on that for unauthenticated lookups, so if you tighten it to "by users read" you must also give nslcd/nss_ldap a bind DN.
3. Configure OpenLDAP logging
slapd logs to the syslog facility local4 by default, so route that facility to a file:
echo "local4.* /var/log/sldap.log" >> /etc/rsyslog.conf
/etc/init.d/rsyslog restart
4. Initialise OpenLDAP
On CentOS 6 slapd reads the cn=config tree in /etc/openldap/slapd.d, so the edited slapd.conf is converted into it with slaptest:
service slapd start
rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
chown -R ldap:ldap /etc/openldap/slapd.d/
service slapd restart
5. Check the service
netstat -ntlup | grep :389
1. Install the migration tools
yum install migrationtools -y
cd /usr/share/migrationtools/
[root@kvm242 migrationtools]# ls
migrate_aliases.pl              migrate_all_offline.sh   migrate_group.pl            migrate_profile.pl
migrate_all_netinfo_offline.sh  migrate_all_online.sh    migrate_hosts.pl            migrate_protocols.pl
migrate_all_netinfo_online.sh   migrate_automount.pl     migrate_netgroup_byhost.pl  migrate_rpc.pl
migrate_all_nis_offline.sh      migrate_base.pl          migrate_netgroup_byuser.pl  migrate_services.pl
migrate_all_nis_online.sh       migrate_common.ph        migrate_netgroup.pl         migrate_slapd_conf.pl
migrate_all_nisplus_offline.sh  migrate_common.ph.ori    migrate_networks.pl
migrate_all_nisplus_online.sh   migrate_fstab.pl         migrate_passwd.pl
2. Configure the migration tools: edit lines 71 and 73 of migrate_common.ph
$DEFAULT_MAIL_DOMAIN = "abc.com";
# Default base
$DEFAULT_BASE = "dc=abc,dc=com";
3. Export the users; here I only export user1
cd /usr/share/migrationtools/
grep '^user1:' /etc/passwd > passwd.in
grep '^user1:' /etc/group > group.in
./migrate_base.pl > /tmp/base.ldif
./migrate_passwd.pl passwd.in > /tmp/passwd.ldif
./migrate_group.pl group.in > /tmp/group.ldif
# This produces three LDIF files:
/tmp/base.ldif /tmp/passwd.ldif /tmp/group.ldif
The grep patterns are anchored on the login name so that a user such as user10 is not exported by accident. Run the scripts as root: migrate_passwd.pl reads the password hash from /etc/shadow and emits it as a {crypt} userPassword; without that the imported accounts have no password at all.
Import the data, binding as the rootdn configured in slapd.conf:
ldapadd -x -D "cn=admin,dc=abc,dc=com" -W -f /tmp/base.ldif
ldapadd -x -D "cn=admin,dc=abc,dc=com" -W -f /tmp/passwd.ldif
ldapadd -x -D "cn=admin,dc=abc,dc=com" -W -f /tmp/group.ldif
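To make visible what the three migrate_*.pl scripts actually hand to ldapadd, here is a small re-implementation of their output as an added example. It is not the post's own code and not migrationtools; the passwd, shadow and group lines are constructed for the example, and the base DN dc=abc,dc=com is the one the page configures in slapd.conf and migrate_common.ph.

```python
# Added example (not the post's code, not migrationtools): what migrate_base.pl,
# migrate_passwd.pl and migrate_group.pl emit, with the base DN threaded through.

BASE_DN = "dc=abc,dc=com"

# Constructed sample input (not real accounts or hashes).
PASSWD_LINES = ["user1:x:1001:1001:User One:/home/user1:/bin/bash"]
SHADOW_LINES = ["user1:$6$saltsalt$notarealhash:19000:0:99999:7:::"]
GROUP_LINES = ["confdev:x:2001:user1,user2", "user1:x:1001:"]


def base_entries(base=BASE_DN):
    """The suffix entry plus the People and Group containers (migrate_base.pl)."""
    dc = base.split(",")[0].split("=", 1)[1]
    return [
        [("dn", base), ("dc", dc), ("objectClass", "top"), ("objectClass", "domain")],
        [("dn", f"ou=People,{base}"), ("ou", "People"),
         ("objectClass", "top"), ("objectClass", "organizationalUnit")],
        [("dn", f"ou=Group,{base}"), ("ou", "Group"),
         ("objectClass", "top"), ("objectClass", "organizationalUnit")],
    ]


def parse_shadow(lines):
    """Map login name -> (crypt hash, days-since-epoch of last change)."""
    out = {}
    for line in lines:
        f = line.split(":")
        out[f[0]] = (f[1], f[2])
    return out


def passwd_entry(line, shadow, base=BASE_DN):
    """One posixAccount/shadowAccount entry for an /etc/passwd line, as
    (attribute, value) pairs in the order migrate_passwd.pl writes them."""
    name, _, uid, gid, gecos, home, shell = line.split(":")
    cn = gecos.split(",")[0] or name          # GECOS full name, else the login
    attrs = [
        ("dn", f"uid={name},ou=People,{base}"),
        ("uid", name), ("cn", cn), ("sn", cn.split()[-1]),
        ("objectClass", "person"), ("objectClass", "organizationalPerson"),
        ("objectClass", "inetOrgPerson"), ("objectClass", "posixAccount"),
        ("objectClass", "top"), ("objectClass", "shadowAccount"),
        ("uidNumber", uid), ("gidNumber", gid),
        ("homeDirectory", home), ("loginShell", shell),
    ]
    if name in shadow:
        pw_hash, last_change = shadow[name]
        # The existing crypt(3) hash is stored verbatim under the {crypt}
        # scheme; the cleartext password never enters the directory.
        attrs += [("userPassword", "{crypt}" + pw_hash),
                  ("shadowLastChange", last_change)]
    return attrs


def group_entry(line, base=BASE_DN):
    """One posixGroup entry for an /etc/group line (migrate_group.pl)."""
    name, _, gid, members = line.split(":")
    attrs = [("dn", f"cn={name},ou=Group,{base}"),
             ("objectClass", "posixGroup"), ("objectClass", "top"),
             ("cn", name), ("gidNumber", gid)]
    attrs += [("memberUid", m) for m in members.split(",") if m]
    return attrs


def to_ldif(entries):
    """Serialise as LDIF: one "attr: value" per line, blank line between entries.
    (No base64 encoding; values starting with space, ':' or '<' would need it.)"""
    return "\n\n".join("\n".join(f"{k}: {v}" for k, v in e) for e in entries) + "\n"


def migrate(passwd_lines, shadow_lines, group_lines, base=BASE_DN):
    """Equivalent of running the three migrate_*.pl scripts and concatenating."""
    shadow = parse_shadow(shadow_lines)
    entries = base_entries(base)
    entries += [passwd_entry(l, shadow, base) for l in passwd_lines]
    entries += [group_entry(l, base) for l in group_lines]
    return to_ldif(entries)


if __name__ == "__main__":
    print(migrate(PASSWD_LINES, SHADOW_LINES, GROUP_LINES))
```

The output is the same shape as the three files above concatenated, so it can be fed to the same ldapadd invocation. Note that the user DN is built under ou=People and the group DN under ou=Group of the configured base; if the base here and --ldapbasedn on the clients disagree, nss lookups find nothing.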
4. Import the sudo base entries
vim /tmp/sudo.ldif
dn: ou=SUDOers,dc=abc,dc=com
objectClass: top
objectClass: organizationalUnit
description: SUDO Configuration Subtree
ou: SUDOers

dn: cn=defaults,ou=SUDOers,dc=abc,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: visiblepw
sudoOption: always_set_home
sudoOption: env_reset

dn: cn=root,ou=SUDOers,dc=abc,dc=com
objectClass: top
objectClass: sudoRole
cn: root
sudoUser: root
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset

dn: cn=%wheel,ou=SUDOers,dc=abc,dc=com
objectClass: top
objectClass: sudoRole
cn: %wheel
sudoUser: %wheel
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOption: !authenticate
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset
sudoOption: requiretty

dn: cn=%confops,ou=SUDOers,dc=abc,dc=com
objectClass: top
objectClass: sudoRole
cn: %confops
sudoUser: %confops
sudoHost: ALL
sudoRunAsUser: ALL
sudoOption: !authenticate
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset
sudoCommand: ALL
sudoCommand: !/bin/passwd

dn: cn=%confdev,ou=SUDOers,dc=abc,dc=com
objectClass: top
objectClass: sudoRole
cn: %confdev
sudoUser: %confdev
sudoHost: ALL
sudoRunAsUser: ALL
sudoOption: !authenticate
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset
sudoCommand: /sbin/service
sudoCommand: !/bin/passwd
sudoCommand: /etc/init.d/tomcat
sudoCommand: /bin/kill
sudoCommand: /usr/bin/pkill
sudoCommand: /usr/bin/killall
sudoCommand: /etc/init.d/confservice
sudoCommand: /bin/su - app -s /bin/bash
sudoCommand: /bin/su - tomcat -s /bin/bash

dn: cn=%confqa,ou=SUDOers,dc=abc,dc=com
objectClass: top
objectClass: sudoRole
cn: %confqa
sudoUser: %confqa
sudoHost: ALL
sudoRunAsUser: ALL
sudoOption: !authenticate
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset
sudoCommand: /sbin/service
sudoCommand: !/bin/passwd
sudoCommand: /etc/init.d/confservice
sudoCommand: /bin/kill
sudoCommand: /usr/bin/pkill
sudoCommand: /usr/bin/killall
sudoCommand: /bin/su - app -s /bin/bash
sudoCommand: /bin/su - tomcat -s /bin/bash
sudoCommand: /etc/init.d/tomcat

dn: cn=zabbix,ou=SUDOers,dc=abc,dc=com
objectClass: top
objectClass: sudoRole
cn: zabbix
sudoHost: ALL
sudoUser: zabbix
sudoOption: !authenticate
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset
sudoRunAsUser: root
sudoCommand: !/bin/passwd
sudoCommand: /etc/init.d/tomcat
sudoCommand: /etc/init.d/confservice
sudoCommand: /usr/bin/nmap
sudoCommand: /usr/local/zabbix-ztc/bin/sudo-*

dn: cn=admin,ou=SUDOers,dc=abc,dc=com
objectClass: top
objectClass: sudoRole
cn: admin
sudoHost: ALL
sudoRunAsUser: ALL
sudoOption: !authenticate
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset
sudoCommand: ALL
sudoCommand: !/bin/passwd
sudoUser: admin

Two things in this file have to line up with the rest of the setup. Every DN ends in dc=abc,dc=com, the suffix configured in slapd.conf: ldapadd rejects entries outside the server's naming context. And every sudoRole sits under ou=SUDOers, because the clients point sudo at sudoers_base ou=SUDOers,dc=abc,dc=com and sudo only searches that subtree; a role created directly under dc=abc,dc=com is never consulted.
Import sudo.ldif:
ldapadd -x -D "cn=admin,dc=abc,dc=com" -W -f /tmp/sudo.ldif
As you can see above, the import creates the following entries:
SUDOers (ou)
%confdev (cn)
%confops (cn)
%confqa (cn)
%wheel (cn)
admin (cn)
defaults (cn)
root (cn)
zabbix (cn)
So to hand someone the confdev rights you only need to create the confdev group and add the user to it; in the same way the zabbix user gets the rights of the zabbix role.
Two of the choices in these roles deserve a second look before they go beyond a lab. "sudoOption: !authenticate" removes the password prompt, so any compromised session of a user in %wheel, %confops, %confdev, %confqa, zabbix or admin can run the role's commands as root immediately. And "sudoCommand: ALL" paired with "sudoCommand: !/bin/passwd" (the %confops and admin roles) is not a real restriction: as sudoers(5) notes, subtracting a command from ALL with "!" is trivially bypassed by copying the binary under another name. Prefer an explicit command list, as the %confdev and %confqa roles do.
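Before loading a sudoRole file with ldapadd it is worth checking it the way sudo will read it. The following is an added example, not part of the original post: it parses LDIF, confirms that every sudoRole lies under sudoers_base (a role outside that subtree is silently ignored), flags the two weakening patterns discussed above (!authenticate, and "!cmd" subtracted from ALL), and resolves which roles a given user would receive the way sudo matches sudoUser and sudoHost. SAMPLE_LDIF is a constructed, cut-down version of the page's roles with one role deliberately placed outside the subtree; sudoers_base is assumed to be ou=SUDOers,dc=abc,dc=com.

```python
# Added example (not from the post): lint sudoRole LDIF and resolve roles per user.

SUDOERS_BASE = "ou=SUDOers,dc=abc,dc=com"   # assumed sudoers_base on the clients

# Constructed sample: two roles under the subtree, one (zabbix) outside it.
SAMPLE_LDIF = """\
dn: ou=SUDOers,dc=abc,dc=com
objectClass: top
objectClass: organizationalUnit
ou: SUDOers

dn: cn=%confdev,ou=SUDOers,dc=abc,dc=com
objectClass: top
objectClass: sudoRole
cn: %confdev
sudoUser: %confdev
sudoHost: ALL
sudoOption: !authenticate
sudoCommand: /sbin/service
sudoCommand: /bin/kill

dn: cn=admin,ou=SUDOers,dc=abc,dc=com
objectClass: top
objectClass: sudoRole
cn: admin
sudoUser: admin
sudoHost: ALL
sudoCommand: ALL
sudoCommand: !/bin/passwd

dn: cn=zabbix,dc=abc,dc=com
objectClass: top
objectClass: sudoRole
cn: zabbix
sudoUser: zabbix
sudoHost: ALL
sudoCommand: /usr/bin/nmap
"""


def parse_ldif(text):
    """Parse plain LDIF (no '::' base64 values, no folded lines) into a list of
    dicts mapping attribute -> list of values; 'dn' is kept as a string."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        value = value.strip()
        if attr == "dn":
            cur["dn"] = value
        else:
            cur.setdefault(attr, []).append(value)
    if cur:
        entries.append(cur)
    return entries


def dn_under(dn, base):
    """True if dn is base itself or lies anywhere below it (case-insensitive)."""
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


def sudo_roles(entries):
    return [e for e in entries if "sudoRole" in e.get("objectClass", [])]


def lint_roles(entries, base=SUDOERS_BASE):
    """(dn, finding) pairs for roles that will not work or that weaken sudo."""
    findings = []
    for e in sudo_roles(entries):
        dn = e["dn"]
        if not dn_under(dn, base):
            findings.append((dn, "outside sudoers_base; sudo will never apply this role"))
        if "!authenticate" in e.get("sudoOption", []):
            findings.append((dn, "!authenticate: commands run without a password prompt"))
        cmds = e.get("sudoCommand", [])
        if "ALL" in cmds and any(c.startswith("!") for c in cmds):
            # sudoers(5): subtracting from ALL with '!' is bypassed by copying the binary.
            findings.append((dn, "'!cmd' subtracted from ALL is not an effective restriction"))
    return findings


def matching_roles(entries, user, groups, host="ALL", base=SUDOERS_BASE):
    """cn of every role sudo would apply to `user` (member of `groups`) on `host`.
    Covers the forms this page uses: a login, %group or ALL in sudoUser and ALL
    or a hostname in sudoHost. Netgroups (+name) are not modelled."""
    wanted = {user, "ALL"} | {"%" + g for g in groups}
    out = []
    for e in sudo_roles(entries):
        if not dn_under(e["dn"], base):
            continue                     # exactly what sudo's subtree search does
        if not wanted & set(e.get("sudoUser", [])):
            continue
        if not {host, "ALL"} & set(e.get("sudoHost", [])):
            continue
        out.append(e["cn"][0])
    return out


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for dn, msg in lint_roles(entries):
        print(f"{dn}: {msg}")
    print("user1 in confdev ->", matching_roles(entries, "user1", ["confdev"]))
    print("zabbix ->", matching_roles(entries, "zabbix", ["zabbix"]))
```

Run it against /tmp/sudo.ldif by reading the file into parse_ldif instead of SAMPLE_LDIF. The zabbix role in the sample shows the failure mode from the page's original DNs: the entry loads fine, lint reports it as outside sudoers_base, and matching_roles returns nothing for the zabbix user, which is also what "sudo -l" would show on a client.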
II. Client deployment
CentOS 6
yum -y install openldap openldap-clients nss-pam-ldapd pam_ldap
echo "session required pam_mkhomedir.so skel=/etc/skel umask=0077" >> /etc/pam.d/system-auth
authconfig --savebackup=auth.bak
authconfig --enablemkhomedir --disableldaptls --enableldap --enableldapauth --ldapserver=ldap://192.168.10.242 --ldapbasedn="dc=abc,dc=com" --update
echo -e "uri ldap://192.168.10.242\nsudoers_base ou=SUDOers,dc=abc,dc=com" > /etc/sudo-ldap.conf
echo "sudoers: files ldap" >> /etc/nsswitch.conf
The sudoers_base written to /etc/sudo-ldap.conf must match the ou=SUDOers DN imported on the server, and the nsswitch line must be the lowercase "sudoers:" keyword. Note that --disableldaptls means every password a user types at login is sent to 192.168.10.242 in the clear; for anything beyond a lab enable TLS (ldaps:// or --enableldaptls with the server's CA certificate) on the client and server. After the update, verify with getent passwd for user1 and with sudo -l as that user.
CentOS 5
yum -y install openldap openldap-clients nss_ldap
echo "session required pam_mkhomedir.so skel=/etc/skel umask=0077" >> /etc/pam.d/system-auth
authconfig --savebackup=auth.bak
authconfig --enableldap --enableldapauth --enablemkhomedir --ldapserver=192.168.10.242 --ldapbasedn="dc=abc,dc=com" --update
echo "sudoers_base ou=SUDOers,dc=abc,dc=com" >> /etc/ldap.conf
echo "sudoers: files ldap" >> /etc/nsswitch.conf
On CentOS 5 nss_ldap and sudo share /etc/ldap.conf, so the sudoers_base line goes there; authconfig has already written the uri and base entries that both consumers use.