
LDAP的部署及用户同步

郝春妮 2022-05-16 阅读 18

1安装openldap软件

使用如下命令安装OpenLDAP:

# Install the OpenLDAP server, client tools and headers on CentOS/RHEL 7.
# NOTE(review): compat-openldap, openldap-servers-sql, openldap-devel and migrationtools
# are not used by any later step of this guide; dropping them shrinks the installed
# surface. TODO confirm nothing outside this guide depends on them.
[root@node168 ~]# yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel migrationtools


# Seed the backend tuning file for the default database directory, then hand the
# directory to the slapd service account and make it private to that account.
[root@incubator-t3-infra01 ]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@incubator-t3-infra01 ]# chown -R ldap:ldap /var/lib/ldap
[root@incubator-t3-infra01 ]# chmod -R 700 /var/lib/ldap


2启动ldap

# Enable slapd at boot, start it now, and confirm it is running before any ldapi:/// step.
[root@node168 ~]# systemctl enable slapd
[root@node168 ~]# systemctl start slapd
[root@node168 ~]# systemctl status slapd


3 配置openldap管理员密码

生成管理员密码的哈希值（后面写入 olcRootPW）

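# Generate the {SSHA} hash that will be stored as olcRootPW.
# Run slappasswd without -s so the password is typed at the prompt: the original
# passed it as "-s xxxxxx", which leaves the cleartext in shell history and shows it
# to every local user in the process list for as long as the command runs.
[root@node168 ~]# slappasswd
New password:
Re-enter new password:
{SSHA}z56dz1Ew6rF5mkMIVqp0UkAa+73RhXhx
# ^ example output; copy the whole {SSHA}... string into the olcRootPW lines below.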

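[root@node168 ldap]# vi /root/ldap/chrootpw.ldif
# chrootpw.ldif — set the root password of the cn=config database (olcDatabase={0}config).
# Replace the olcRootPW value with the {SSHA} hash produced by slappasswd above.
# LDIF: a blank line ends a record, so the four lines of this change stay contiguous.
# NOTE(review): the same hash is reused below for the data database ({2}hdb). Give
# cn=config its own password so a leaked directory-admin credential cannot also
# rewrite the server configuration.
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}z56dz1Ew6rF5mkMIVqp0UkAa+73RhXhx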


导入上述配置（为 cn=config 设置管理员密码）

# Apply chrootpw.ldif over the local ldapi:/// socket with SASL EXTERNAL: the server
# authorises the caller by its uid/gid (root here), so no directory password is needed yet.
[root@node168 ldap]# ldapadd -Y EXTERNAL -H ldapi:/// -f /root/ldap/chrootpw.ldif


4 导入基础 schema（cosine、nis、inetorgperson；后面用到的 posixAccount、posixGroup、shadowAccount 等对象类由它们定义）

[root@node168 ldap]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif

[root@node168 ldap]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif

[root@node168 ldap]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif


5修改openldap的基本配置

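[root@node168 ldap]# vi /root/ldap/chdomain.ldif
# chdomain.ldif — set the suffix, the directory admin (rootdn) and the ACLs of the
# data database, and lock down the monitor database.
# Replace every "dc=xxx,dc=com" with your own domain and the olcRootPW value with the
# {SSHA} hash generated by slappasswd.
# LDIF syntax: a value continued on the next line starts with one leading space
# (which is stripped), and records are separated by exactly one blank line.

# Monitor database: readable by local root over ldapi and by the directory admin only.
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
  read by dn.base="cn=ldapadm,dc=xxx,dc=com" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=xxx,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=ldapadm,dc=xxx,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}z56dz1Ew6rF5mkMIVqp0UkAa+73RhXhx

# ACLs are evaluated in {n} order; the first "to" clause that matches decides.
# {0}: password attributes — the admin writes, anonymous may only use them to bind
#      ("auth"), a user may change their own, nobody else can read them. The admin DN
#      in the original read "cn=ldapadm,dc=t3cx,dc=com", a different suffix from the
#      rest of the file; it must be the same DN as olcRootDN.
# {1}: the root DSE stays readable so clients can discover the server.
# {2}: everything else — the admin writes, everyone else reads.
#      NOTE(review): "by * read" lets an unauthenticated client enumerate every user
#      and group. Prefer "by users read by * none" once the clients bind with a
#      dedicated read-only DN; the anonymous client setup used later in this guide
#      would stop resolving users if that change were made on its own.
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
  dn="cn=ldapadm,dc=xxx,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=ldapadm,dc=xxx,dc=com" write by * read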

导入配置文件

# Apply chdomain.ldif as root over ldapi:///. This is a modify of cn=config, so
# ldapmodify (not ldapadd) is the right tool; the change is live immediately.
[root@node168 ldap]# ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/ldap/chdomain.ldif


6导入基础数据库

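[root@node168 ~]# vi /root/ldap/basedomain.ldif
# basedomain.ldif — the base entry, an entry for the admin role, and the People/Group OUs.
# Replace "dc=xxx,dc=com" with your own domain.
# The original listing had "dn:dc=t3cx,dc=com" together with "dc: xxx": the naming
# attribute (dc) must carry the same value as the entry's RDN or slapd refuses the add
# (a "naming attribute ... not present in entry" style error), so both now say xxx.
dn: dc=xxx,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: Server cn
dc: xxx

# The rootdn can bind without an entry; this one only gives ACLs and searches something
# to refer to. It holds no password — that lives in olcRootPW.
dn: cn=ldapadm,dc=xxx,dc=com
objectClass: organizationalRole
cn: ldapadm
description: Directory ldapadm

dn: ou=People,dc=xxx,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=xxx,dc=com
objectClass: organizationalUnit
ou: Group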


导入配置

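# Load the base entries with a simple bind (-x) as the directory admin.
# -W prompts for the password. The original used -w "xxx@123", which records the
# admin password in shell history and exposes it in the process list; if a
# non-interactive run is needed, use -y <file> with a mode-0600 password file instead.
[root@node168 ~]# ldapadd -x -D "cn=ldapadm,dc=xxx,dc=com" -W -f /root/ldap/basedomain.ldif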

7导入用户

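[root@node168 ~]# vi /root/ldap/users.ldif
# users.ldif — two POSIX accounts under ou=People.
# userPassword: slapd stores the value exactly as given, so the original's plain
# "userPassword: 123456" sat in cleartext in the database and in every backup of it.
# Always supply a hash generated with slappasswd; the placeholder below must be replaced
# (and 123456 is not an acceptable password in any case).
# uidNumber/gidNumber: 1000 and 1001 are also the first ids CentOS gives to local users
# (the PAM stack later tests "uid >= 1000"); choose a range that cannot collide.
# shadowMax 99999 means the password never expires; shadowLastChange is days since
# 1970-01-01 (17642 = 2018-04-21) and should reflect the real last change.
# cn holds raw UTF-8; strict LDIF would base64-encode it ("cn:: ..."), OpenLDAP's
# ldapadd accepts it as long as the file is saved as UTF-8 — TODO confirm on your version.
dn: uid=ldapuser1,ou=People,dc=xxx,dc=com
uid: ldapuser1
cn: 测试用户1
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {SSHA}REPLACE-WITH-slappasswd-OUTPUT
shadowLastChange: 17642
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/ldapuser1

dn: uid=ldapuser2,ou=People,dc=xxx,dc=com
uid: ldapuser2
cn: 测试用户2
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {SSHA}REPLACE-WITH-slappasswd-OUTPUT
shadowLastChange: 17642
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/ldapuser2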

导入配置

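# Load the user entries as the directory admin. -W prompts for the password instead
# of the original -w "xxx@123", which put the admin password on the command line
# (shell history, process list).
[root@incubator-t3-infra01 ~]# ldapadd -x -D "cn=ldapadm,dc=xxx,dc=com" -W -f /root/ldap/users.ldif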

8导入用户组

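[root@node168 ~]# vi /root/ldap/groups.ldif
# groups.ldif — two POSIX groups under ou=Group whose gidNumbers match the users above.
# The original gave each group "userPassword: 123456" in cleartext. posixGroup permits
# the attribute, but nothing in this setup (nslcd/sssd group lookups) uses a group
# password, so it is dropped rather than stored as one more weak secret.
# The stray space in "dc= xxx" of the first DN is removed as well.
dn: cn=ldapgroup1,ou=Group,dc=xxx,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapgroup1
gidNumber: 1000

dn: cn=ldapgroup2,ou=Group,dc=xxx,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapgroup2
gidNumber: 1001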


导入配置

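# Load the group entries. The bind DN now uses the guide's dc=xxx,dc=com suffix (the
# original said dc=t3cx,dc=com here, which does not exist on this server), and -W
# replaces -w "xxx@123" so the password is never on the command line.
[root@incubator-t3-infra01 ~]# ldapadd -x -D "cn=ldapadm,dc=xxx,dc=com" -W -f /root/ldap/groups.ldif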

9把用户加入到用户组

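[root@node168 ~]# vi /root/ldap/add_user_to_groups.ldif
# add_user_to_groups.ldif — make each user a member of its group via memberUid.
# The second DN in the original read "dc= t3cx,dc=com" (stray space and a different
# suffix from groups.ldif); the target group must be the one created above or the
# modify fails with "no such object".
dn: cn=ldapgroup1,ou=Group,dc=xxx,dc=com
changetype: modify
add: memberUid
memberUid: ldapuser1

dn: cn=ldapgroup2,ou=Group,dc=xxx,dc=com
changetype: modify
add: memberUid
memberUid: ldapuser2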

导入配置文件

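# Apply the membership changes. The records carry "changetype: modify", so ldapmodify
# is the matching tool (ldapadd is ldapmodify -a and accepts them as well).
# -W prompts for the password; the original passed -w "t3cx@123" on the command line,
# which both leaks the real password pattern in this document and exposes it in
# shell history and the process list.
[root@incubator-t3-infra01 ~]# ldapmodify -x -D "cn=ldapadm,dc=xxx,dc=com" -W -f /root/ldap/add_user_to_groups.ldif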

10 查看导入结果（原文此处为截图；可用 ldapsearch -x -b "dc=xxx,dc=com" 验证）


11 开启openldap日志功能

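[root@node168 ldap]# vi /root/ldap/loglevel.ldif
# loglevel.ldif — turn on "stats" logging: one line per connection, operation and
# result, including the bind DN (passwords are not logged at this level).
# Changes to cn=config take effect as soon as they are applied; no restart is needed.
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats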


导入配置文件

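# Apply the log-level change over ldapi:/// (live immediately).
[root@incubator-t3-infra01 ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/ldap/loglevel.ldif

# Restart the service (not strictly required for a cn=config change, but harmless).
[root@incubator-t3-infra01 ~]# systemctl restart slapd

# slapd logs to the LOCAL4 syslog facility by default; give it its own file.
[root@incubator-t3-infra01 ~]# echo 'local4.* /var/log/ldap.log'>> /etc/rsyslog.conf

# Fix: the original restarted slapd a second time here. rsyslog only reads its
# configuration at start-up, so it is rsyslog that must be restarted for the new
# rule — and /var/log/ldap.log — to appear.
[root@incubator-t3-infra01 ~]# systemctl restart rsyslog

# NOTE(review): this log records every bind DN and search. rsyslog creates the file
# 0644 by default; tighten it (e.g. chmod 640) and add a logrotate rule for it.
[root@node168~]#tail -f /var/log/ldap.log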


2Openldap客户端安装(集群所有客户端)

安装客户端软件包

#yum -y install openldap-clients

修改配置文件ldap.conf

[root@incubator-xx-dc-012 ~]# vim /etc/openldap/ldap.conf


在文件中添加以下两行（URI 指向 LDAP 服务器，BASE 为默认搜索基准 DN）

# Defaults for the OpenLDAP command-line tools (ldapsearch etc.); nslcd and sssd
# read their own configuration, not this file.
# NOTE(review): "ldap://" with no TLS_* settings means every simple bind from this
# host — including the admin password used in the ldapsearch below — crosses the
# network in cleartext. Once the server has a certificate, use "URI ldaps://..." or
# keep ldap:// with STARTTLS (ldapsearch -ZZ), and pin the CA with "TLS_CACERT <file>".
URI ldap://incubator-xx-infra01
BASE dc=xxx,dc=com

验证ldap

密码******

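# Verify from the client: bind as the directory admin and list every DN.
# -x forces a simple bind; without it ldapsearch attempts a SASL bind, for which the
# server is expected to ignore -D.
# -W prompts for the password, which is never echoed — the original transcript
# printed the admin password inline after the prompt.
#ldapsearch -x -D "cn=ldapadm,dc=xxx,dc=com" -W | grep dn
Enter LDAP Password: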

dn: dc=xxx,dc=com

dn: cn=ldapadm,dc=xxx,dc=com

dn: ou=People,dc=xxx,dc=com

dn: ou=Group,dc=xxx,dc=com

dn: uid=ldapuser1,ou=People,dc=xxx,dc=com

dn: uid=ldapuser2,ou=People,dc=xxx,dc=com

dn: cn=ldapgroup1,ou=Group,dc=xxx,dc=com

dn: cn=ldapgroup2,ou=Group,dc=xxx,dc=com

dn: uid=ldapuser3,ou=People,dc=xxx,dc=com （注：该条目不是由上文步骤创建的，属于截图环境中的额外数据）


3LDAP和SSSD集成

#每个节点都执行

# Client-side packages: sssd (cached identity/auth), nss-pam-ldapd (nslcd + pam_ldap,
# a second, independent LDAP client stack), oddjob-mkhomedir (home directory creation
# at login), authconfig (writes the nsswitch/PAM/sssd configuration below).
# mlocate has nothing to do with LDAP.
# NOTE(review): the PAM stacks generated below reference only pam_ldap.so, so nslcd is
# the stack actually doing authentication here; running sssd alongside it doubles the
# configuration to secure. Consider keeping one. TODO confirm which is intended.
[root@incubator-xx-infra01 yum.repos.d]# yum install -y mlocate sssd authconfig oddjob-mkhomedir nss-pam-ldapd


# A UTF-8 locale so authconfig's tooling does not fail on non-ASCII input.
[root@incubator-xx-infra01 yum.repos.d]# export LC_ALL="en_US.UTF-8"
[root@incubator-xx-infra01 yum.repos.d]# export LC_CTYPE="en_US.UTF-8"
# Rewrite nsswitch.conf, the PAM stacks and sssd.conf for LDAP users (run as root).
# NOTE(review): --ldapserver is plain ldap://...:389 and there is no --enableldaptls /
# --ldaploadcacert, so every user password that pam_ldap sends crosses the network in
# cleartext; sssd, for its part, refuses password authentication over a non-TLS
# connection by default. Enable TLS on the server and pass
# --enableldaptls --ldaploadcacert=<URL of the CA certificate>.
# --enableldap/--enableldapauth (nslcd + pam_ldap) and --enablesssd/--enablesssdauth
# (sssd) configure two parallel client stacks; --enablecachecreds applies to sssd only.
# --enablelocauthorize lets local accounts skip network authorization;
# --enablemkhomedir creates a home directory at first login (pam_oddjob_mkhomedir).
authconfig \
--enablesssd \
--enablesssdauth \
--enablelocauthorize \
--enableldap \
--enableldapauth \
--ldapserver=ldap://incubator-xx-infra01:389 \
--ldapbasedn=dc=xxx,dc=com \
--enablemkhomedir \
--enablecachecreds \
--update

[root@node168 pam.d]# vim /etc/pam.d/system-auth
# NOTE(review): as the header below says, authconfig regenerates this file (on
# authconfig-managed hosts it is usually a symlink to system-auth-ac); hand edits
# are lost on the next run.
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
# auth: local accounts go through pam_unix, everyone else through pam_ldap (nslcd).
# There is no pam_sss.so in this stack, so sssd is not in the authentication path
# despite --enablesssdauth.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
# A user with uid >= 1000 that is not in /etc/passwd skips pam_unix and goes
# straight to pam_ldap; system accounts (< 1000) and local users try pam_unix first.
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
# NOTE(review): nullok lets a local account with an empty password log in; remove it.
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_ldap.so forward_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
# user_unknown=ignore: accounts nslcd does not know fall through to pam_permit.
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
# NOTE(review): local_users_only means no quality check when an LDAP user changes
# their password here; enforce it server-side (ppolicy overlay) or drop the flag.
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
# Creates the home directory on first login; umask=0077 keeps it private to the user.
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so


[root@node168 pam.d]# vim /etc/pam.d/password-auth
# Same stack as system-auth, used by services that authenticate remotely (sshd etc.).
# NOTE(review): authconfig regenerates this file (usually a symlink to
# password-auth-ac); hand edits are lost on the next run.
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
# auth: local accounts through pam_unix, everyone else through pam_ldap (nslcd);
# no pam_sss.so here, so sssd is not in the authentication path.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
# uid >= 1000 and not in /etc/passwd -> skip pam_unix, go to pam_ldap.
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
# NOTE(review): nullok allows empty-password logins for local accounts; remove it.
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_ldap.so forward_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
# user_unknown=ignore: accounts nslcd does not know fall through to pam_permit.
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
# NOTE(review): local_users_only exempts LDAP users from the quality check.
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
# Home directory created on first login, private to the user (umask=0077).
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so


启动命令

[root@incubator-xx-infra01 ~]# systemctl restart messagebus

[root@incubator-xx-infra01 ~]# systemctl restart oddjobd

[root@incubator-xx-infra01 ~]# systemctl restart nslcd

[root@incubator-xx-infra01 ~]# systemctl restart sssd

[root@incubator-xx-infra01 ~]# systemctl restart systemd-logind

[root@incubator-xx-infra01 ~]# systemctl enable messagebus

[root@incubator-xx-infra01 ~]# systemctl enable oddjobd

[root@incubator-xx-infra01 ~]# systemctl enable nslcd

[root@incubator-xx-infra01 ~]# systemctl enable sssd

[root@incubator-xx-infra01 ~]# systemctl enable systemd-logind

