Using LDAP for Linux authentication and user management

2018-03-13

Install LDAP:
# yum install openldap-servers

Install OpenSSL:
# tar -zxvf openssl-1.0.0e.tar.gz
# cd openssl-1.0.0e
# ./config -fPIC shared
# make clean
# make
# make test
# make install
The default install location is /usr/local/ssl/; add export PATH=/usr/local/ssl/bin:$PATH to your environment.
# echo "/usr/local/ssl/lib" >> /etc/ld.so.conf.d/openssl.conf
# ldconfig
# ldconfig -p |grep ssl
# ldconfig -v |grep ssl

Create the CA root certificate. Everything below goes through CA.sh, which is equivalent to calling openssl with a long list of parameters:
# mkdir /etc/ssl/
# cd /etc/ssl
# /usr/local/ssl/misc/CA.sh -newca
CA certificate filename (or enter to create)

Making CA certificate …
Generating a 1024 bit RSA private key
………………………………++++++
….++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase: (enter the passphrase for the CA root certificate's RSA key)
Verifying - Enter PEM pass phrase: (enter the passphrase for the CA root certificate's RSA key again)
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Guangdong
Locality Name (eg, city) []:Shenzhen
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Hanborq Ltd.
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:nd0-rack2-cloud (must be the output of the hostname command)
Email Address []:adaishu@gmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:(leave blank, just press Enter)
An optional company name []:(leave blank, just press Enter)
Using configuration from /usr/local/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/./cakey.pem:  (the CA root certificate RSA key passphrase entered above)
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
97:c5:5e:6c:8f:de:20:7b
Validity
Not Before: Nov 25 02:59:48 2011 GMT
Not After : Nov 24 02:59:48 2014 GMT
Subject:
countryName               = CN
stateOrProvinceName       = Guangdong
organizationName          = Hanborq Ltd.
commonName                = nd0-rack2-cloud
emailAddress              = adaishu@gmail.com
X509v3 extensions:
X509v3 Subject Key Identifier:
BA:28:AA:9C:9B:2A:49:4F:1B:1D:96:DD:61:6B:AB:23:73:9D:4A:BB
X509v3 Authority Key Identifier:
keyid:BA:28:AA:9C:9B:2A:49:4F:1B:1D:96:DD:61:6B:AB:23:73:9D:4A:BB

X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Nov 24 02:59:48 2014 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

Generate the certificate request. For LDAP to be able to use it, -newreq-nodes must be used; normally you would use -newreq:
# /usr/local/ssl/misc/CA.sh -newreq-nodes
Generating a 1024 bit RSA private key
………………………..++++++
…….++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Guangdong
Locality Name (eg, city) []:Shenzhen
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Hanborq Ltd.
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:nd0-rack2-cloud (must be the output of the hostname command)
Email Address []:adaishu@gmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:(leave blank, just press Enter)
An optional company name []:(leave blank, just press Enter)
Request (and private key) is in newreq.pem

Sign the certificate request, which produces the signed certificate:
# /usr/local/ssl/misc/CA.sh -sign
Using configuration from /usr/local/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
97:c5:5e:6c:8f:de:20:7c
Validity
Not Before: Nov 25 03:13:19 2011 GMT
Not After : Nov 24 03:13:19 2012 GMT
Subject:
countryName               = CN
stateOrProvinceName       = Guangdong
localityName              = Shenzhen
organizationName          = Hanborq Ltd.
commonName                = nd0-rack2-cloud
emailAddress              = adaishu@gmail.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
2F:7C:AE:2C:9D:04:CE:B6:6F:5C:91:C5:95:1C:92:9E:E4:FA:D5:66
X509v3 Authority Key Identifier:
keyid:BA:28:AA:9C:9B:2A:49:4F:1B:1D:96:DD:61:6B:AB:23:73:9D:4A:BB

Certificate is to be certified until Nov 24 03:13:19 2012 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
97:c5:5e:6c:8f:de:20:7c
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=CN, ST=Guangdong, O=Hanborq Ltd., CN=Max Shu/emailAddress=adaishu@gmail.com
Validity
Not Before: Nov 25 03:13:19 2011 GMT
Not After : Nov 24 03:13:19 2012 GMT
Subject: C=CN, ST=Guangdong, L=Shenzhen, O=Hanborq Ltd., CN=Max Shu/emailAddress=adaishu@gmail.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
2F:7C:AE:2C:9D:04:CE:B6:6F:5C:91:C5:95:1C:92:9E:E4:FA:D5:66
X509v3 Authority Key Identifier:
keyid:BA:28:AA:9C:9B:2A:49:4F:1B:1D:96:DD:61:6B:AB:23:73:9D:4A:BB

Signature Algorithm: sha1WithRSAEncryption
Signed certificate is in newcert.pem
The useful end product is newcert.pem, which can be copied elsewhere for use. Once newreq.pem and newcert.pem have been moved away, a new certificate can be requested and signed.

Verify:
# /usr/local/ssl/misc/CA.sh -verify
newcert.pem: OK

Move the certificates into place for LDAP:
# cp /etc/ssl/newcert.pem /etc/openldap/cacerts/servercrt.pem
# cp /etc/ssl/newreq.pem /etc/openldap/cacerts/serverkey.pem
# cp /etc/ssl/demoCA/cacert.pem /etc/openldap/cacerts/cacert.pem
# chmod 400 /etc/openldap/cacerts/serverkey.pem
# chown ldap:ldap /etc/openldap/cacerts/serverkey.pem
# chmod 644 /etc/openldap/cacerts/servercrt.pem
# chown ldap:ldap /etc/openldap/cacerts/servercrt.pem
# chmod 644 /etc/openldap/cacerts/cacert.pem
# chown ldap:ldap /etc/openldap/cacerts/cacert.pem
# ll /etc/openldap/cacerts/
total 12
-rw-r--r-- 1 ldap ldap 3046 Nov 25 13:40 cacert.pem
-rw-r--r-- 1 ldap ldap 3217 Nov 25 13:40 servercrt.pem
-r-------- 1 ldap ldap 1600 Nov 25 13:40 serverkey.pem

Generate the password hash for the LDAP admin account; it is put into rootpw in slapd.conf below:
# slappasswd
New password:
Re-enter new password:
{SSHA}L19zkWmhL8zXnKfLDetVAwXt3Lm7qBOa

Edit slapd.conf:
# vi /etc/openldap/slapd.conf
…
include         /etc/openldap/schema/nis.schema
…
TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
TLSCertificateFile /etc/openldap/cacerts/servercrt.pem
TLSCertificateKeyFile /etc/openldap/cacerts/serverkey.pem
…
suffix          "dc=hanborq,dc=com"
rootdn          "cn=Manager,dc=hanborq,dc=com"
…
rootpw                  {SSHA}L19zkWmhL8zXnKfLDetVAwXt3Lm7qBOa
…
access to attrs=shadowLastChange,userPassword
by self write
by * auth
access to *
by * read
…

Edit /etc/openldap/ldap.conf. Note that this ldap.conf is used by tools such as ldapadd; on a client, /etc/ldap.conf is needed as well:
# vi /etc/openldap/ldap.conf
BASE    dc=hanborq, dc=com
URI     ldap://nd0-rack2-cloud ldaps://nd0-rack2-cloud:636
TLS_REQCERT      allow
TLS_CACERTDIR    /etc/openldap/cacerts

Default DB configuration:
# cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

Add logging:
# echo "local4.* /var/log/slapd.log" >> /etc/syslog.conf
# service syslog restart

Start:
# service ldap restart
Test whether TLS works:
# openssl s_client -connect nd0-rack2-cloud:636
The certificate is printed.
# ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
dn:
namingContexts: dc=hanborq,dc=com  (this is the correct value)
search: 2
result: 0 Success
# netstat -an | grep 389
# netstat -an | grep 636

Edit the ldif file:
# cd /etc/openldap/
# /usr/share/openldap/migration/migrate_base.pl > base.ldif
# sed -i "s/padl/hanborq/" base.ldif
Edit base.ldif; only three entries are needed:
# vi base.ldif
dn: dc=hanborq,dc=com
dc: hanborq
objectClass: top
objectClass: domain

dn: ou=People,dc=hanborq,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=hanborq,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

Add them to the database:
# ldapdelete -x -D "cn=Manager,dc=hanborq,dc=com" -W -r "dc=hanborq,dc=com"
# ldapadd -x -D "cn=Manager,dc=hanborq,dc=com" -W -f base.ldif
Enter LDAP Password:  (the password behind rootpw in slapd.conf)
Note that the -D parameter here must match rootdn in slapd.conf, otherwise it fails.
-x selects simple authentication; -W prompts for the password.

Migrate group information:
# /usr/share/openldap/migration/migrate_group.pl /etc/group > group.ldif
# sed -i "s/padl/hanborq/" group.ldif
# ldapadd -x -D "cn=Manager,dc=hanborq,dc=com" -W -f group.ldif

Migrate user information; the shadow password hashes are picked up automatically:
# /usr/share/openldap/migration/migrate_passwd.pl /etc/passwd > passwd.ldif
# sed -i "s/padl/hanborq/" passwd.ldif
# ldapadd -x -D "cn=Manager,dc=hanborq,dc=com" -W -f passwd.ldif

Check:
# ldapsearch -x -b "dc=hanborq,dc=com"
All users and groups should now be listed.

Check by URL:
Unencrypted:
# ldapsearch -v -x -H ldap://nd0-rack2-cloud
SSL:
# ldapsearch -v -x -H ldaps://nd0-rack2-cloud:636
TLS, which is the preferred option:
# ldapsearch -v -x -h nd0-rack2-cloud -ZZ
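The ldapsearch checks above only show that the listener answers. The added example below (not part of the original post) shows what the -ZZ option does on the wire: it builds the LDAP StartTLS extended request, parses the server's extended response and only then upgrades the socket, using a TLS context that insists on chain validation against cacert.pem and a hostname match, i.e. the strict counterpart of the TLS_REQCERT allow setting in the ldap.conf above. The host name, port and the /etc/openldap/cacerts/cacert.pem path are taken from this page as assumptions; the byte layouts follow RFC 4511.

```python
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # LDAP StartTLS extended operation (RFC 4511)

def _tlv(tag, body):
    # BER tag-length-value with short-form length; every StartTLS PDU is < 128 bytes
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def build_starttls_request(msg_id=1):
    """LDAPMessage { messageID, [APPLICATION 23] ExtendedRequest { [0] requestName } }."""
    ext = _tlv(0x77, _tlv(0x80, STARTTLS_OID))
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + ext)

def _read_tlv(data, pos):
    tag, n = data[pos], data[pos + 1]
    pos += 2
    if n & 0x80:  # long-form length (value of 128 bytes or more)
        k = n & 0x7F
        n, pos = int.from_bytes(data[pos:pos + k], "big"), pos + k
    return tag, data[pos:pos + n], pos + n

def parse_extended_response(data):
    """Return (messageID, resultCode, diagnosticMessage) from an [APPLICATION 24] ExtendedResponse."""
    tag, body, _ = _read_tlv(data, 0)
    _, mid, pos = _read_tlv(body, 0)
    rtag, resp, _ = _read_tlv(body, pos)
    if tag != 0x30 or rtag != 0x78:
        raise ValueError("not an LDAP ExtendedResponse")
    _, code, pos = _read_tlv(resp, 0)        # resultCode ENUMERATED (0 = success)
    _, _matched, pos = _read_tlv(resp, pos)  # matchedDN
    _, diag, _ = _read_tlv(resp, pos)        # diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode()

def make_verifying_context(cafile="/etc/openldap/cacerts/cacert.pem"):
    """Equivalent of TLS_REQCERT demand: validate the chain against the page's CA and check the name."""
    ctx = ssl.create_default_context(cafile=cafile)  # cafile=None falls back to the system trust store
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx

def starttls(host, port=389, cafile="/etc/openldap/cacerts/cacert.pem"):
    """Plain TCP -> StartTLS extended op -> TLS upgrade; fails closed on any verification error."""
    sock = socket.create_connection((host, port))
    sock.sendall(build_starttls_request())
    _, code, diag = parse_extended_response(sock.recv(4096))
    if code != 0:
        raise RuntimeError(f"StartTLS refused: resultCode {code} {diag}")
    return make_verifying_context(cafile).wrap_socket(sock, server_hostname=host)
```

Calling starttls("nd0-rack2-cloud") against the server configured above returns a verified TLS socket, or raises if slapd refuses the operation or the certificate does not chain to cacert.pem.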

Client configuration:
Copy the CA certificate to the client:
# scp LDAP_SERVER_IP:/etc/openldap/cacerts/cacert.pem /etc/openldap/cacerts/

The configuration below is best done with the setup command.
Edit /etc/sysconfig/authconfig:
# sed -i "/USELDAP=/d"         /etc/sysconfig/authconfig && echo "USELDAP=yes"         >> /etc/sysconfig/authconfig
# sed -i "/USELDAPAUTH=/d"     /etc/sysconfig/authconfig && echo "USELDAPAUTH=yes"     >> /etc/sysconfig/authconfig
# sed -i "/USEMD5=/d"          /etc/sysconfig/authconfig && echo "USEMD5=yes"          >> /etc/sysconfig/authconfig
# sed -i "/USESHADOW=/d"       /etc/sysconfig/authconfig && echo "USESHADOW=yes"       >> /etc/sysconfig/authconfig
# sed -i "/USELOCAUTHORIZE=/d" /etc/sysconfig/authconfig && echo "USELOCAUTHORIZE=yes" >> /etc/sysconfig/authconfig

Edit /etc/openldap/ldap.conf:
# vi /etc/openldap/ldap.conf
BASE    dc=hanborq, dc=com
URI     ldap://nd0-rack2-cloud ldaps://nd0-rack2-cloud:636
TLS_REQCERT      allow
TLS_CACERTDIR    /etc/openldap/cacerts

Edit /etc/ldap.conf and /etc/nslcd.conf. Note that this ldap.conf is for the client, not for tools such as ldapadd; on CentOS 6.x the file is /etc/pam_ldap.conf:
# vi /etc/ldap.conf
host nd0-rack2-cloud
base dc=hanborq,dc=com
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/cacert.pem

CentOS 6.x needs /etc/nslcd.conf configured:
# vi /etc/nslcd.conf
uri ldap://nd0-rack2-cloud
base dc=hanborq,dc=com
ssl start_tls
tls_reqcert allow
tls_cacertdir /etc/openldap/cacerts

On CentOS 6.x, if sssd is not used, /etc/sssd/sssd.conf does not need to be configured:
# vi /etc/sssd/sssd.conf
…
domains = default
…
[domain/default]
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = dc=hanborq,dc=com
chpass_provider = ldap
id_provider = ldap
auth_provider = ldap
debug_level = 0
ldap_uri = ldap://nd0-rack2-cloud
ldap_tls_cacertdir = /etc/openldap/cacerts

CentOS 6.x needs the nslcd process restarted. If the unencrypted method is used, FORCELEGACY=no in /etc/sysconfig/authconfig must be changed to yes; with TLS no change is needed:
# sed -i "/FORCELEGACY=/d" /etc/sysconfig/authconfig && echo "FORCELEGACY=yes" >> /etc/sysconfig/authconfig
# service nslcd restart
# service sssd restart

Edit NSS:
# vi /etc/nsswitch.conf
…
passwd:     files ldap
shadow:     files ldap
group:      files ldap
…
netgroup:   files ldap
…
automount:  files ldap
…

Edit system authentication:
# vi /etc/pam.d/system-auth
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
…
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
…
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
…
session     required      pam_unix.so
session     optional      pam_ldap.so

Test:
All Linux users were imported into LDAP above. Now delete one Linux user; changing that user's password shows the account is now served from LDAP:
# userdel nimbus
# passwd nimbus
Changing password for user nimbus.
Enter login(LDAP) password:
New UNIX password:
BAD PASSWORD: it is too simplistic/systematic
Retype new UNIX password:
LDAP password information changed for nimbus
passwd: all authentication tokens updated successfully.
Login test:
# ssh nimbus@10.24.170
Login succeeds.
