CentOS 6.8 OpenLDAP实现SSO并对sudo权限管控


当机器成千上百台增加的时候,如果需要对机器内一台一台的使用密码或者密钥登录,也是一件痛苦的事情,今天分享下使用OpenLDAP实现一个帐号任何机器及应用都可登录


一.OpenLDAP安装及配置

1.安装依赖包及软件安装

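# Server side: slapd itself, the ldap* client tools and the headers.
yum install -y openldap openldap-servers openldap-clients openldap-devel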

2.配置文件配置

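# Start from the example configs shipped with the server package. slapd.conf is
# only the input for the slaptest conversion further down; the running daemon
# reads the generated /etc/openldap/slapd.d tree.
cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
# The sudo schema is part of the sudo package and the doc path carries the
# installed version (1.8.6p3 here); confirm it with `rpm -ql sudo | grep schema.OpenLDAP`.
cp /usr/share/doc/sudo-1.8.6p3/schema.OpenLDAP /etc/openldap/schema/sudo.schema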

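# Edit /etc/openldap/slapd.conf: find the existing line
#   include /etc/openldap/schema/core.schema
# and add the sudo schema directly below it, so slapd knows the sudoRole object
# class and the sudo* attributes that sudo.ldif uses later on.
include         /etc/openldap/schema/sudo.schema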

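# In /etc/openldap/slapd.conf locate "database bdb" and set the lines below it.
database        bdb
suffix          "dc=abc,dc=com"
# Flush the BDB transaction log every 1024 KiB or every 15 minutes.
checkpoint      1024 15
rootdn          "cn=admin,dc=abc,dc=com"
# rootpw is stored in cleartext here (lab value). For anything that stays
# running, paste the {SSHA} hash printed by `slappasswd` instead and keep
# slapd.conf readable by root/ldap only.
rootpw          admin
loglevel        1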
# 说明:
database bdb 说明使用 BerkeleyDB
suffix "dc=abc,dc=com" 域名就是 abc.com
checkpoint 1024 15 就是每 1M 或者每 15 分钟将缓存刷进磁盘
rootdn "cn=admin,dc=abc,dc=com" 管理员是 admin
rootpw admin 管理员的密码就是 admin(明文写在配置文件中,正式环境建议改用 slappasswd 生成的哈希值)
loglevel 1 日志级别是 1

# 日志级别
Any (-1, 0xffffffff)   // 开启所有的 debug 信息
Trace (1, 0x1)         // 跟踪 trace 函数调用
Packets (2, 0x2)       // 与软件包的处理相关的 debug 信息
Args (4, 0x4)          // 全面的 debug 信息
Conns (8, 0x8)         // 链接数管理的相关信息
BER (16, 0x10)         // 记录包发送和接收的信息
Filter (32, 0x20)      // 记录过滤处理的过程
Config (64, 0x40)      // 记录配置文件的相关信息
ACL (128, 0x80)        // 记录访问控制列表的相关信息
Stats (256, 0x100)     // 记录链接、操作以及统计信息
Stats2 (512, 0x200)    // 记录向客户端响应的统计信息
Shell (1024, 0x400)    // 记录与 shell 后端的通信信息
Parse (2048, 0x800)    // 记录条目的分析结果信息
Sync (16384, 0x4000)   // 记录数据同步资源消耗的信息
None (32768, 0x8000)   // 不记录

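# Append at the end of slapd.conf. slapd applies the FIRST "access to" clause
# whose target matches, so the password rule has to come before the catch-all.
# A user may rewrite their own password (and shadowLastChange, which clients
# bump on password change); everybody else can only use the attribute to
# authenticate and never read the hash.
access to attrs=shadowLastChange,userPassword
        by self write
        by * auth
# "by * read" lets anonymous binds read everything else in the tree, including
# the posixAccount/posixGroup entries and the sudoRole entries. The clients
# configured below bind anonymously, so this setup depends on it; on a shared
# network consider "by users read" together with a bind DN on the clients.
access to *
        by * read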

3.配置OpenLDAP日志

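# slapd logs through syslog facility local4 by default; give it its own file.
# Nothing appears there unless slapd.conf has a non-zero loglevel.
echo "local4.* /var/log/sldap.log" >> /etc/rsyslog.conf
/etc/init.d/rsyslog restart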

4.初始化OpenLDAP

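# A first start with the old-style slapd.conf (presumably so the database under
# /var/lib/ldap gets initialised), then convert slapd.conf into the slapd.d tree.
service slapd start
# slapd.d must be empty before slaptest regenerates it. ${var:?} aborts if the
# variable is ever empty instead of letting the glob expand to "rm -rf /*".
slapd_d=/etc/openldap/slapd.d
rm -rf -- "${slapd_d:?}"/*
# Stop here if the conversion reports a config error; restarting slapd on a
# half-written slapd.d would only produce a confusing failure later.
slaptest -f /etc/openldap/slapd.conf -F "$slapd_d" || exit 1
# slapd runs as ldap and must be able to read the generated config.
chown -R ldap:ldap "$slapd_d"/
service slapd restart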

5.检查服务

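# slapd should be listening on 389/tcp. Note this is plain LDAP without TLS,
# which is what the client setup below relies on.
netstat -ntlup | grep -- ':389'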


二.迁移用户(将本地的用户和组迁移到OpenLDAP)

1.安装迁移工具

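yum install migrationtools -y
# The migrate_*.pl scripts expect to be run from their own directory.
cd /usr/share/migrationtools/ || exit 1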
[root@kvm242 migrationtools]# ls
migrate_aliases.pl              migrate_all_offline.sh  migrate_group.pl            migrate_profile.pl
migrate_all_netinfo_offline.sh  migrate_all_online.sh   migrate_hosts.pl            migrate_protocols.pl
migrate_all_netinfo_online.sh   migrate_automount.pl    migrate_netgroup_byhost.pl  migrate_rpc.pl
migrate_all_nis_offline.sh      migrate_base.pl         migrate_netgroup_byuser.pl  migrate_services.pl
migrate_all_nis_online.sh       migrate_common.ph       migrate_netgroup.pl         migrate_slapd_conf.pl
migrate_all_nisplus_offline.sh  migrate_common.ph.ori   migrate_networks.pl
migrate_all_nisplus_online.sh   migrate_fstab.pl        migrate_passwd.pl

2.配置迁移工具,修改migrate_common.ph 71、73行

# migrate_common.ph: the two values the migrate_*.pl scripts stamp onto every
# generated entry.
$DEFAULT_MAIL_DOMAIN = "abc.com";

# Default base — must be identical to the suffix configured in slapd.conf,
# otherwise the generated LDIF cannot be added to the directory.
$DEFAULT_BASE = "dc=abc,dc=com";

3.导出用户,我这里只导出user1

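cd /usr/share/migrationtools/ || exit 1
# Anchor on the account name field: a bare 'user1' also matches user10, user11
# or any line whose GECOS/home field happens to contain the string.
grep '^user1:' /etc/passwd > passwd.in
grep '^user1:' /etc/group > group.in
# passwd.ldif carries the account's password hash (migrate_passwd.pl pulls it
# from /etc/shadow when run as root); /tmp is world-readable, so create the
# output files without group/other permissions.
umask 077
./migrate_base.pl > /tmp/base.ldif
./migrate_passwd.pl passwd.in > /tmp/passwd.ldif
./migrate_group.pl group.in > /tmp/group.ldif
# Three LDIF files are produced:
#   /tmp/base.ldif /tmp/passwd.ldif /tmp/group.ldif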

导入数据:
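# Bind as the rootdn configured in slapd.conf. The bind DN must match rootdn
# exactly; the original's "cn=admin,dc=com" is not the rootdn
# ("cn=admin,dc=abc,dc=com") and would be rejected as invalid credentials.
# -W prompts for rootpw rather than exposing it on the command line/in history.
# base.ldif has to go first: it creates the parents the other two entries need.
for ldif in /tmp/base.ldif /tmp/passwd.ldif /tmp/group.ldif; do
  ldapadd -x -D "cn=admin,dc=abc,dc=com" -W -f "$ldif" || exit 1
done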

4.导入sudo基础库

vim /tmp/sudo.ldif

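# sudo.ldif — sudoRole entries for sudo's LDAP backend.
# NOTE(review): the client configs below set sudoers_base to ou=SUDOers,dc=com
# and sudo searches only that subtree, so every role is placed under it here
# (the original put the roles directly under dc=com, where sudo never looks).
# NOTE(review): slapd.conf in section 1 uses suffix "dc=abc,dc=com"; entries
# outside the suffix cannot be added. Reconcile dc=com vs dc=abc,dc=com here,
# in sudoers_base and in the ldapadd bind DN before importing.

dn: ou=SUDOers,dc=com
objectClass: top
objectClass: organizationalUnit
description: SUDO Configuration Subtree
ou: SUDOers

# Options applied to every role (the LDAP equivalent of a Defaults line).
dn: cn=defaults,ou=SUDOers,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: visiblepw
sudoOption: always_set_home
sudoOption: env_reset

dn: cn=root,ou=SUDOers,dc=com
objectClass: top
objectClass: sudoRole
cn: root
sudoUser: root
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset

# %wheel: any command as any user on every host, and !authenticate means no
# password prompt — effectively passwordless root for every wheel member.
# Keep that group very small, or drop !authenticate for it.
dn: cn=%wheel,ou=SUDOers,dc=com
objectClass: top
objectClass: sudoRole
cn: %wheel
sudoUser: %wheel
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOption: !authenticate
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset
sudoOption: requiretty

# NOTE(review): "sudoCommand: ALL" combined with "!/bin/passwd" is not a
# reliable restriction — see "Limitations of the '!' operator" in sudoers(5).
# An explicit allow-list, as in the confdev/confqa roles, is the safe form.
dn: cn=%confops,ou=SUDOers,dc=com
objectClass: top
objectClass: sudoRole
cn: %confops
sudoUser: %confops
sudoHost: ALL
sudoRunAsUser: ALL
sudoOption: !authenticate
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset
sudoCommand: ALL
sudoCommand: !/bin/passwd

# confdev: service control plus a shell as the app/tomcat service accounts.
dn: cn=%confdev,ou=SUDOers,dc=com
objectClass: top
objectClass: sudoRole
cn: %confdev
sudoUser: %confdev
sudoHost: ALL
sudoRunAsUser: ALL
sudoOption: !authenticate
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset
sudoCommand: /sbin/service
sudoCommand: !/bin/passwd
sudoCommand: /etc/init.d/tomcat
sudoCommand: /bin/kill
sudoCommand: /usr/bin/pkill
sudoCommand: /usr/bin/killall
sudoCommand: /etc/init.d/confservice
sudoCommand: /bin/su - app -s /bin/bash
sudoCommand: /bin/su - tomcat -s /bin/bash

# confqa: same command set as confdev.
dn: cn=%confqa,ou=SUDOers,dc=com
objectClass: top
objectClass: sudoRole
cn: %confqa
sudoUser: %confqa
sudoHost: ALL
sudoRunAsUser: ALL
sudoOption: !authenticate
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset
sudoCommand: /sbin/service
sudoCommand: !/bin/passwd
sudoCommand: /etc/init.d/confservice
sudoCommand: /bin/kill
sudoCommand: /usr/bin/pkill
sudoCommand: /usr/bin/killall
sudoCommand: /bin/su - app -s /bin/bash
sudoCommand: /bin/su - tomcat -s /bin/bash
sudoCommand: /etc/init.d/tomcat

# zabbix: monitoring account, runs as root only. The sudo-* wildcard matches
# every file in that directory, so the directory and its scripts must be
# root-owned and not writable by the zabbix user.
dn: cn=zabbix,ou=SUDOers,dc=com
objectClass: top
objectClass: sudoRole
cn: zabbix
sudoHost: ALL
sudoUser: zabbix
sudoOption: !authenticate
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset
sudoRunAsUser: root
sudoCommand: !/bin/passwd
sudoCommand: /etc/init.d/tomcat
sudoCommand: /etc/init.d/confservice
sudoCommand: /usr/bin/nmap
sudoCommand: /usr/local/zabbix-ztc/bin/sudo-*

# admin: same ALL-minus-passwd pattern as confops; see the note above.
dn: cn=admin,ou=SUDOers,dc=com
objectClass: top
objectClass: sudoRole
cn: admin
sudoHost: ALL
sudoRunAsUser: ALL
sudoOption: !authenticate
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset
sudoCommand: ALL
sudoCommand: !/bin/passwd
sudoUser: admin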

导入sudo.ldif

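# Bind as the rootdn from slapd.conf (cn=admin,dc=abc,dc=com), not the
# original "cn=admin,dc=com", which is not the rootdn; -W prompts for rootpw.
ldapadd -x -D "cn=admin,dc=abc,dc=com" -W -f /tmp/sudo.ldif || exit 1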

从上面可以看到会生成

SUDOers(OU)

%confdev(cn)

%confops (cn)

%confqa(cn)

%wheel (cn)

admin(cn)

defaults(cn)

root (cn)

zabbix(cn)

wKioL1fNM96zWwo8AADimxVC-lk718.png

因此只需要建立组confdev,然后将用户拉入confdev组即可有相应的权限,同理zabbix用户也有zabbix相应的权限



三.客户端部署

CentOS 6

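# Client: nslcd-based LDAP name service plus PAM.
yum -y install openldap openldap-clients nss-pam-ldapd pam_ldap
# Create the home directory on first login. NOTE(review): authconfig --update
# regenerates system-auth(-ac), so this appended line is most likely replaced;
# --enablemkhomedir below is expected to add a mkhomedir session module itself.
echo "session required pam_mkhomedir.so skel=/etc/skel umask=0077" >> /etc/pam.d/system-auth
authconfig --savebackup=auth.bak
# --disableldaptls: user passwords travel to 192.168.10.242:389 in cleartext
# during PAM authentication. Acceptable only on a trusted network; otherwise
# give slapd a certificate and switch to --enableldaptls / ldaps://.
authconfig --enablemkhomedir --disableldaptls --enableldap --enableldapauth \
  --ldapserver=ldap://192.168.10.242 --ldapbasedn="dc=abc,dc=com" --update
# sudo's LDAP backend: same server; roles are looked up only below
# sudoers_base, which therefore has to exist under the server's suffix.
printf '%s\n' 'uri ldap://192.168.10.242' 'sudoers_base ou=SUDOers,dc=com' > /etc/sudo-ldap.conf
# Local /etc/sudoers is consulted first, then the LDAP roles.
echo "sudoers: files ldap" >> /etc/nsswitch.conf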


CentOS 5

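# Client on CentOS 5: the older nss_ldap stack.
yum -y install openldap openldap-clients nss_ldap
# NOTE(review): as on CentOS 6, authconfig --update is likely to regenerate
# system-auth(-ac) and drop this appended line; --enablemkhomedir covers it.
echo "session required pam_mkhomedir.so skel=/etc/skel umask=0077" >> /etc/pam.d/system-auth
authconfig --savebackup=auth.bak
# No TLS option given, so this is plain LDAP on 389 as well: passwords are
# sent in cleartext during authentication.
authconfig --enableldap --enableldapauth --enablemkhomedir \
  --ldapserver=192.168.10.242 --ldapbasedn="dc=abc,dc=com" --update
# On this release sudo takes its LDAP settings from /etc/ldap.conf, shared
# with nss_ldap.
echo "sudoers_base ou=SUDOers,dc=com" >> /etc/ldap.conf
echo "sudoers: files ldap" >> /etc/nsswitch.conf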
