OpenLDAP主机控制策略

阅读视图

1. 参考
2. 环境准备
3. openldap服务端配置
4. openldap客户端配置
5. 客户端测试登录
6. 故障处理

1. 参考

本文基本转载博客openldap主机访问控制（基于hostname）

该博主另一篇文档，还没测试openldap主机访问控制（基于ip）

2. 环境准备

因为本文与其他文档属性不冲突，所以完全可以使用以前的环境做实验。

3. openldap服务端配置

1. 导入ldapns.schema方案，（hostObject类属性）

   https://github.com/openldap/openldap/blob/master/contrib/slapd-modules/nssov/ldapns.schema

   cat > /etc/openldap/schema/ldapns.schema << _EOF_
   
   # $OpenLDAP$
   
   # $Id: ldapns.schema,v 1.3 2009-10-01 19:17:20 tedcheng Exp $
   
   # LDAP Name Service Additional Schema
   
   # http://www.iana.org/assignments/gssapi-service-names
   
   #
   
   # Not part of the distribution: this is a workaround!
   
   #
   
   attributetype ( 1.3.6.1.4.1.5322.17.2.1 NAME 'authorizedService'
   
           DESC 'IANA GSS-API authorized service name'
   
           EQUALITY caseIgnoreMatch
   
           SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
   
   attributetype ( 1.3.6.1.4.1.5322.17.2.2 NAME 'loginStatus'
   
           DESC 'Currently logged in sessions for a user'
   
           EQUALITY caseIgnoreMatch
   
           SUBSTR caseIgnoreSubstringsMatch
   
           ORDERING caseIgnoreOrderingMatch
   
           SYNTAX OMsDirectoryString )
   
   objectclass ( 1.3.6.1.4.1.5322.17.1.1 NAME 'authorizedServiceObject'
   
           DESC 'Auxiliary object class for adding authorizedService attribute'
   
           SUP top
   
           AUXILIARY
   
           MAY authorizedService )
   
   objectclass ( 1.3.6.1.4.1.5322.17.1.2 NAME 'hostObject'
   
           DESC 'Auxiliary object class for adding host attribute'
   
           SUP top
   
           AUXILIARY
   
           MAY host )
   
   objectclass ( 1.3.6.1.4.1.5322.17.1.3 NAME 'loginStatusObject'
   
           DESC 'Auxiliary object class for login status attribute'
   
           SUP top
   
           AUXILIARY
   
           MAY loginStatus )
   
   _EOF_
   

   复制到/etc/openldap/schema/ldapns.schema

2. 配置slapd.conf配置文件

   include         /etc/openldap/schema/ldapns.schema
   
   include         /etc/openldap/schema/dyngroup.schema
   
   modulepath /usr/lib64/openldap
   
   moduleload dynlist.la
   
   overlay dynlist
   
   dynlist-attrset inetOrgPerson labeledURI
   

   rm -rf /etc/openldap/slapd.d/*
   
   slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
   
   chown -R ldap:ldap /etc/openldap/slapd.d
   
   systemctl restart slapd
   

3. 验证服务端是否正常加载

   

   

4. 定义主机列表组

   cat << _EOF_ | ldapadd -x -W -H ldapi:/// -D cn=Manager,dc=gdy,dc=com
   
   dn: ou=servers,dc=gdy,dc=com
   
   objectClass: organizationalUnit
   
   ou: servers
   
   dn: ou=apphost,ou=servers,dc=gdy,dc=com
   
   objectClass: organizationalUnit
   
   objectClass: hostObject
   
   ou: apphost
   
   host: test01.gdy.com
   
   dn: ou=dbhost,ou=servers,dc=gdy,dc=com
   
   objectClass: organizationalUnit
   
   objectClass: hostObject
   
   ou: dbhost
   
   host: test02.gdy.com
   
   _EOF_
   

5. 定义用户

   cat << _EOF_ | ldapadd -x -W -H ldapi:/// -D cn=Manager,dc=gdy,dc=com
   
   dn: uid=lisi,ou=people,dc=gdy,dc=com
   
   objectClass: posixAccount
   
   objectClass: shadowAccount
   
   objectClass: person
   
   objectClass: inetOrgPerson
   
   objectClass: hostObject
   
   cn: lisi
   
   sn: lisi
   
   uid: lisi
   
   userPassword: {CRYPT}$6$AgFUbww9$Pa70MIDhUT2z3.Sg83VRnWnaDRubTHJsSxYMzbD3LQlMmXX0VeqHRHd2usrJbId.oFOeoMKi3GC60qjIHUKqK.
   
   uidNumber: 10006
   
   gidNumber: 10010
   
   gecos: App Manager
   
   homeDirectory: /home/lisi
   
   loginShell: /bin/bash
   
   shadowLastChange: 15000
   
   shadowMin: 0
   
   shadowMax: 999999
   
   shadowWarning: 7
   
   shadowExpire: -1
   
   mobile: 13900001001
   
   mail: lisi@gdy.com
   
   labeledURI: ldap:///ou=apphost,ou=servers,dc=gdy,dc=com?host
   
   _EOF_
   

   cat << _EOF_ | ldapadd -x -W -H ldapi:/// -D cn=Manager,dc=gdy,dc=com
   
   dn: uid=zhangsan,ou=people,dc=gdy,dc=com
   
   objectClass: posixAccount
   
   objectClass: shadowAccount
   
   objectClass: person
   
   objectClass: inetOrgPerson
   
   objectClass: hostObject
   
   cn: zhangsan
   
   sn: zhangsan
   
   uid: zhangsan
   
   userPassword: {CRYPT}$6$0hM3RIS/$omCj0x/ggD.zy3pNNjVo80nhiYHbUvdQaBKsawBBTQ/r/KY2PD77NHDqEPgzZ1Wz2/ZiL./pL65BuNyZ1SHC41
   
   uidNumber: 10007
   
   gidNumber: 10011
   
   gecos: opteam
   
   homeDirectory: /home/zhangsan
   
   loginShell: /bin/bash
   
   shadowLastChange: 15000
   
   shadowMin: 0
   
   shadowMax: 999999
   
   shadowWarning: 7
   
   shadowExpire: -1
   
   mobile: 13900001002
   
   mail: zhangsan@gdy.com
   
   labeledURI: ldap:///ou=devhost,ou=servers,dc=gdy,dc=com?host
   
   _EOF_
   

4. openldap客户端配置

1. 定义FQDN解析, 已测试过如果不定义会登录不成功

   cat >> /etc/hosts << EOF
   
   192.168.244.17    mldap01.gdy.com    mldap01
   
   192.168.244.18    test01.gdy.com     test01
   

2. pam_ldap.conf参数规划

   cat >> /etc/pam_ldap.conf  << EOF
   
   pam_check_host_attr yes
   
   EOF
   

5. 客户端测试登录

1. 正确实例

   [root@test01 ~]# ssh lisi@127.0.0.1
   
   lisi@127.0.0.1's password:
   
   Last login: Fri Jun  1 16:24:12 2018 from localhost
   
   [lisi@test01 ~]$ hostname
   
   test01.gdy.com
   

2. 失败实例

   [root@test01 ~]# ssh zhangsan@127.0.0.1
   
   zhangsan@127.0.0.1's password:
   
   Access denied for this host
   
   Connection closed by 127.0.0.1
   

3. 如果用户没有配置好登录属性，服务器基本就全部登录不了。

6. 故障处理

1. PS1变量失效，错误如下

   [root@test01 home]# ssh lisi@127.0.0.1
   
   lisi@127.0.0.1's password:
   
   Permission denied, please try again.
   
   lisi@127.0.0.1's password:
   
   Last login: Fri Jun  1 14:10:53 2018 from localhost
   
   -sh-4.1$      # 发现显示不正常
   

   解决方法：重新配置了一遍，发现loginShell忘记定义或者定义有问题导致loginShell属性不存在。所以会产生如上bug。