一、配置Centos 7 使用openldap服务作为认证源

1、安装openldap 客户端软件

[charles@node3 ~]$ yum install -y openldap-clients nss-pam-ldapd

一般来说直接配置了下述命令就可以直接使用相应的openldap 认证：

[root@localhost ~]# authconfig --enableldap --enableldapauth --enablemkhomedir --enableforcelegacy --disablesssd --disablesssdauth --disableldaptls --enablelocauthorize --ldapserver=192.168.11.231 --ldapbasedn="dc=ldaptest,dc=com,dc=cn" --enableshadow --update

一般配置完成后，还是按照下述步骤检测相关配置是否已经生成了。

2、nslcd配置文件

[root@localhost ~]# vim /etc/nslcd.conf

uri ldap://192.168.11.231/

base dc=ldaptest,dc=com,dc=cn

binddn uid=monitor,ou=people,dc=ldaptest,dc=com,dc=cn #若服务器开启了禁止匿名用户访问，需要在客户端配置具有读权限的账号和密码才能验证成功。

bindpw 123456 #同上

ssl no

tls_cacertdir /etc/openldap/cacerts

3、system-auth配置文件

[root@localhost ~]# vim /etc/pam.d/system-auth

auth required pam_env.so

auth sufficient pam_unix.so nullok try_first_pass

auth requisite pam_succeed_if.so uid >= 1000 quiet

auth sufficient pam_ldap.so use_first_pass #新增

auth required pam_deny.so

account required pam_unix.so

account sufficient pam_localuser.so

account sufficient pam_succeed_if.so uid < 1000 quiet

account [default=bad success=ok user_unknown=ignore] pam.ldap.so #新增

account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3 type=

password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok

password sufficient pam_ldap.so use_authtok #新增

password required pam_deny.so

session optional pam_keyinit.so revoke

session required pam_limits.so

session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid

session optional pam_ldap.so #新增

session required pam_unix.so

4、nsswitch.conf 配置文件

[root@localhost ~]# vim /etc/nsswitch.conf

passwd: files ldap

shadow: files ldap

group: files ldap

5、authconfig配置文件

[root@localhost ~]# vim /etc/sysconfig/authconfig

USELOCAUTHORIZE=yes

USELDAPAUTH=yes

USELDAP=yes

USESHADOW=yes

6、配置客户端登录自动创建家目录

[root@localhost ~]# vim /etc/pam.d/system-auth

session optional pam_keyinit.so revoke

session required pam_limits.so

session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid

session required pam_unix.so

session optional pam_ldap.so

#创建家目录的模块

session optional pam__mkhomedir.so skel=/etc/skel umask=077

[root@localhost ~]# vim /etc/pam.d/sshd

#%PAM-1.0

auth required pam_sepermit.so

auth include password-auth

account required pam_nologin.so

account include password-auth

password include password-auth

# pam_selinux.so close should be the first session rule

session required pam_selinux.so close

session required pam_loginuid.so

# pam_selinux.so open should only be followed by sessions to be executed in the user context

session required pam_selinux.so open env_params

session required pam_namespace.so

session optional pam_keyinit.so force revoke

session include password-auth

#添加模块

session required pam_mkhomedir.so

7、在Centos 7 客户端上配置相关的sudo配置

[root@localhost ~]# vim /etc/nsswitch.conf

#在文件末尾添加

sudoers: ldap files

[root@localhost ~]# vim /etc/sudo-ldap.conf

binddn uid=monitor,ou=people,dc=ldaptest,dc=com,dc=cn

bindpw 123456

uri ldap://192.168.11.231

#在文件末尾添加

sudoers_base ou=sudoers,dc=ldaptest,dc=com,dc=cn

配置完成后，可以使用指定用户登录客户端系统验证其对应的sudo权限，类似如下：

[charles@localhost ~]$ sudo -l

[sudo] password for charles:

Matching Defaults entries for charles on localhost:

    requiretty, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",

    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION

    LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMBERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME

    LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin:/bin:/usr/sbin/:/usr/bin, !visiblepw,

    always_set_home, match_group_by_gid, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",

    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION

    LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME

    LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User charles may run the following commands on localhost:

    (root) PASSWD: /bin/rm, /bin/rmdir, /bin/chmod, /bin/chown, /bin/dd, /bin/mv, /bin/cp, /sbin/fsck*, /sbin/*remove,

        /usr/bin/chattr, /sbin/mkfs*, !/usr/bin/passwd

8、限制主机登录用户

[root@localhost ~]# vim /etc/nslcd.conf

#在文件末尾添加下述命令语句,此语句表示仅匹配gidNumber为50896的用户进行登录认证

filter passwd (gidNumber=50896)

[root@localhost ~]# systemctl restart nslcd

9、启动nslcd服务

[root@localhost ~]# systemctl restart nslcd

[root@localhost ~]# systemctl restart sshd

可通过下述命令，获取openldap认证用户的相关信息的话，说明配置成功。

[root@localhost ~]# getent passwd charles

charles:x:1000:1000:charles:/home/charles:/bin/bash

初次使用openldap认证用户登录系统时，系统会自动创建改用户的家目录。

image.png