天楚锐齿

IoT, Big Data, Cloud Computing, Communications, IT, Embedded Systems

Using LDAP for Linux authentication and user management

Install LDAP:
# yum install openldap-servers

Install OpenSSL:
# tar -zxvf openssl-1.0.0e.tar.gz
# cd openssl-1.0.0e
# ./config -fPIC shared
# make clean
# make
# make test
# make install
The default install location is /usr/local/ssl/; add export PATH=/usr/local/ssl/bin:$PATH to your environment.
# echo "/usr/local/ssl/lib" >> /etc/ld.so.conf.d/openssl.conf
# ldconfig
# ldconfig -p |grep ssl
# ldconfig -v |grep ssl


Create the CA root certificate. All of the commands here call CA.sh, which is equivalent to running openssl with a long list of parameters:
# mkdir /etc/ssl/
# cd /etc/ssl
# /usr/local/ssl/misc/CA.sh -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
....................................++++++
....++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase: (enter the passphrase for the CA root certificate's RSA key)
Verifying - Enter PEM pass phrase: (enter the CA root certificate RSA key passphrase again)
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Guangdong
Locality Name (eg, city) []:Shenzhen
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Hanborq Ltd.
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:nd0-rack2-cloud (must be the output of the hostname command)
Email Address []:adaishu@gmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:(leave blank, just press Enter)
An optional company name []:(leave blank, just press Enter)
Using configuration from /usr/local/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/./cakey.pem:  (the CA root certificate RSA key passphrase entered above)
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            97:c5:5e:6c:8f:de:20:7b
        Validity
            Not Before: Nov 25 02:59:48 2011 GMT
            Not After : Nov 24 02:59:48 2014 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Guangdong
            organizationName          = Hanborq Ltd.
            commonName                = nd0-rack2-cloud
            emailAddress              = adaishu@gmail.com
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                BA:28:AA:9C:9B:2A:49:4F:1B:1D:96:DD:61:6B:AB:23:73:9D:4A:BB
            X509v3 Authority Key Identifier:
                keyid:BA:28:AA:9C:9B:2A:49:4F:1B:1D:96:DD:61:6B:AB:23:73:9D:4A:BB

            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Nov 24 02:59:48 2014 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated


Generate the certificate request. For LDAP this must be done with -newreq-nodes (the -nodes option leaves the private key unencrypted, so slapd can load it at start-up without a passphrase prompt); normally -newreq would be used:
# /usr/local/ssl/misc/CA.sh -newreq-nodes
Generating a 1024 bit RSA private key
.............................++++++
.......++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Guangdong
Locality Name (eg, city) []:Shenzhen
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Hanborq Ltd.
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:nd0-rack2-cloud (must be the output of the hostname command)
Email Address []:adaishu@gmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:(leave blank, just press Enter)
An optional company name []:(leave blank, just press Enter)
Request (and private key) is in newreq.pem


Sign the certificate request, i.e. produce the signed certificate:
# /usr/local/ssl/misc/CA.sh -sign
Using configuration from /usr/local/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            97:c5:5e:6c:8f:de:20:7c
        Validity
            Not Before: Nov 25 03:13:19 2011 GMT
            Not After : Nov 24 03:13:19 2012 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Guangdong
            localityName              = Shenzhen
            organizationName          = Hanborq Ltd.
            commonName                = nd0-rack2-cloud
            emailAddress              = adaishu@gmail.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                2F:7C:AE:2C:9D:04:CE:B6:6F:5C:91:C5:95:1C:92:9E:E4:FA:D5:66
            X509v3 Authority Key Identifier:
                keyid:BA:28:AA:9C:9B:2A:49:4F:1B:1D:96:DD:61:6B:AB:23:73:9D:4A:BB

Certificate is to be certified until Nov 24 03:13:19 2012 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            97:c5:5e:6c:8f:de:20:7c
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, ST=Guangdong, O=Hanborq Ltd., CN=Max Shu/emailAddress=adaishu@gmail.com
        Validity
            Not Before: Nov 25 03:13:19 2011 GMT
            Not After : Nov 24 03:13:19 2012 GMT
        Subject: C=CN, ST=Guangdong, L=Shenzhen, O=Hanborq Ltd., CN=Max Shu/emailAddress=adaishu@gmail.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:e3:ef:5b:50:ff:3a:14:6b:c7:72:58:90:5f:76:
                    2d:9c:f8:cc:34:e7:2c:07:bd:72:92:9e:47:06:44:
                    78:8a:bd:34:21:ed:ac:c9:1d:f3:bf:77:1a:20:a8:
                    75:b1:ad:4f:9f:e1:70:d1:fe:64:45:63:7b:0b:bf:
                    36:a7:7b:e4:4a:6e:1a:07:f3:90:78:ca:35:46:8f:
                    09:6e:4e:9c:c9:56:c6:f1:17:c3:53:91:f2:72:3a:
                    db:7d:f4:b8:38:b8:e7:d4:e2:14:03:16:f1:10:50:
                    cb:ab:d2:cd:18:20:97:b2:83:17:bc:47:00:d4:69:
                    06:3c:e4:b3:91:23:3b:d1:b7
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                2F:7C:AE:2C:9D:04:CE:B6:6F:5C:91:C5:95:1C:92:9E:E4:FA:D5:66
            X509v3 Authority Key Identifier:
                keyid:BA:28:AA:9C:9B:2A:49:4F:1B:1D:96:DD:61:6B:AB:23:73:9D:4A:BB

    Signature Algorithm: sha1WithRSAEncryption
        3a:37:db:9a:92:90:0b:c9:9e:c1:bc:bf:c2:be:e4:a5:7a:fa:
        45:03:6a:cf:f0:6a:7d:0f:45:c3:a0:30:21:2f:3d:3a:c7:11:
        63:f6:79:38:6e:de:9d:15:60:18:1c:d5:f1:1f:25:b1:05:e3:
        56:bb:5f:d2:69:66:5c:66:50:e3:b9:06:41:3d:37:78:05:7d:
        23:b8:40:d7:3b:b6:aa:59:7c:ce:dc:91:53:a5:7e:8c:dc:98:
        c7:3a:ba:51:cd:f0:00:7d:1d:71:1b:22:51:ee:60:88:f8:d4:
        2c:a4:d0:8b:c2:0a:55:37:a9:b2:ed:8e:9c:2e:a0:bd:31:3b:
        ee:a5
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
The useful end product is newcert.pem, which can be copied elsewhere and used. Once newreq.pem and newcert.pem have been moved away, a new certificate can be requested and signed again.

Verify:
# /usr/local/ssl/misc/CA.sh -verify
newcert.pem: OK


Move the certificates into place for LDAP:
# cp /etc/ssl/newcert.pem /etc/openldap/cacerts/servercrt.pem
# cp /etc/ssl/newreq.pem /etc/openldap/cacerts/serverkey.pem
# cp /etc/ssl/demoCA/cacert.pem /etc/openldap/cacerts/cacert.pem
# chmod 400 /etc/openldap/cacerts/serverkey.pem
# chown ldap:ldap /etc/openldap/cacerts/serverkey.pem
# chmod 644 /etc/openldap/cacerts/servercrt.pem
# chown ldap:ldap /etc/openldap/cacerts/servercrt.pem
# chmod 644 /etc/openldap/cacerts/cacert.pem
# chown ldap:ldap /etc/openldap/cacerts/cacert.pem
# ll /etc/openldap/cacerts/
total 12
-rw-r--r-- 1 ldap ldap 3046 Nov 25 13:40 cacert.pem
-rw-r--r-- 1 ldap ldap 3217 Nov 25 13:40 servercrt.pem
-r-------- 1 ldap ldap 1600 Nov 25 13:40 serverkey.pem


Generate the password hash for the LDAP admin account; it will be put into rootpw in slapd.conf below:
# slappasswd
New password:
Re-enter new password:
{SSHA}L19zkWmhL8zXnKfLDetVAwXt3Lm7qBOa

Edit slapd.conf:
# vi /etc/openldap/slapd.conf
...
include         /etc/openldap/schema/nis.schema
...
TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
TLSCertificateFile /etc/openldap/cacerts/servercrt.pem
TLSCertificateKeyFile /etc/openldap/cacerts/serverkey.pem
...
suffix          "dc=hanborq,dc=com"
rootdn          "cn=Manager,dc=hanborq,dc=com"
...
rootpw                  {SSHA}L19zkWmhL8zXnKfLDetVAwXt3Lm7qBOa
...
access to attrs=shadowLastChange,userPassword
      by self write
      by * auth
access to *
      by * read
...

Edit /etc/openldap/ldap.conf. Note that this ldap.conf is the one used by tools such as ldapadd; a client additionally needs /etc/ldap.conf:
# vi /etc/openldap/ldap.conf
BASE    dc=hanborq, dc=com
URI     ldap://nd0-rack2-cloud ldaps://nd0-rack2-cloud:636
TLS_REQCERT      allow
TLS_CACERTDIR    /etc/openldap/cacerts

Default DB configuration:
# cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

Add logging:
# echo "local4.* /var/log/slapd.log" >> /etc/syslog.conf
# service syslog restart


Start:
# service ldap restart
Test whether TLS works:
# openssl s_client -connect nd0-rack2-cloud:636
This prints the server certificate.
# ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
dn:
namingContexts: dc=hanborq,dc=com  (this is the expected value)
search: 2
result: 0 Success
# netstat -an | grep 389
# netstat -an | grep 636


Edit the LDIF files:
# cd /etc/openldap/
# /usr/share/openldap/migration/migrate_base.pl > base.ldif
# sed -i "s/padl/hanborq/" base.ldif
Edit base.ldif; only three entries are needed:
# vi base.ldif
dn: dc=hanborq,dc=com
dc: hanborq
objectClass: top
objectClass: domain

dn: ou=People,dc=hanborq,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=hanborq,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

Add to the database:
# ldapdelete -x -D "cn=Manager,dc=hanborq,dc=com" -W -r "dc=hanborq,dc=com"
# ldapadd -x -D "cn=Manager,dc=hanborq,dc=com" -W -f base.ldif
Enter LDAP Password:  (the password whose hash is rootpw in slapd.conf)
Note that the -D parameter here must match rootdn in slapd.conf, otherwise it fails.
-x here means simple authentication; -W prompts for the password.

Migrate group information:
# /usr/share/openldap/migration/migrate_group.pl /etc/group > group.ldif
# sed -i "s/padl/hanborq/" group.ldif
# ldapadd -x -D "cn=Manager,dc=hanborq,dc=com" -W -f group.ldif

Migrate user information; the shadowed password hashes are included automatically:
# /usr/share/openldap/migration/migrate_passwd.pl /etc/passwd > passwd.ldif
# sed -i "s/padl/hanborq/" passwd.ldif
# ldapadd -x -D "cn=Manager,dc=hanborq,dc=com" -W -f passwd.ldif
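
The migrate_*.pl scripts emit LDIF for the PADL default domain, and the sed above rewrites "padl" to "hanborq" before each file is loaded. The following Python (an added example written for this page, not code from the post or from the migration tools) parses LDIF and reports every entry whose dn does not lie under the configured suffix, so a leftover placeholder is caught before ldapadd writes it into the directory. The sample LDIF is constructed: it reproduces the three base.ldif entries shown above and adds one entry that still carries dc=padl,dc=com.

```python
# Added example, not from the original post: a small LDIF parser plus a check that
# every entry produced by the migrate_*.pl scripts sits under the intended suffix,
# so a placeholder suffix the sed did not replace is caught before ldapadd runs.
import base64
from typing import Dict, List

# Constructed sample: the three base.ldif entries shown above, plus one entry
# that still carries the dc=padl,dc=com placeholder from migrate_base.pl.
SAMPLE_LDIF = """\
dn: dc=hanborq,dc=com
dc: hanborq
objectClass: top
objectClass: domain

dn: ou=People,dc=hanborq,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=hanborq,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

# constructed: placeholder suffix that the sed did not rewrite
dn: ou=Hosts,dc=padl,dc=com
ou: Hosts
objectClass: top
objectClass: organizationalUnit
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: entries are separated by blank lines, attribute
    lines are 'name: value' (or 'name:: base64'), a leading space continues the
    previous line and '#' lines are comments. Multi-valued attributes keep order."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]      # continuation of the previous line
        else:
            unfolded.append(raw)

    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfolded:
        if not line.strip():             # blank line ends the current entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        if value.startswith(":"):        # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip(), []).append(value)
    if current:
        entries.append(current)
    return entries


def normalize_dn(dn: str) -> str:
    """Lower-case and trim each RDN so 'dc=hanborq, dc=com' equals 'dc=hanborq,dc=com'."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def entries_outside_suffix(entries: List[Dict[str, List[str]]], suffix: str) -> List[str]:
    """Return the DNs that are neither equal to nor below the directory suffix."""
    suffix_n = normalize_dn(suffix)
    outside: List[str] = []
    for entry in entries:
        dns = entry.get("dn", [])
        if not dns:
            outside.append("<entry without dn>")
            continue
        dn_n = normalize_dn(dns[0])
        if dn_n != suffix_n and not dn_n.endswith("," + suffix_n):
            outside.append(dns[0])
    return outside


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    print("entries:", len(parsed))
    for dn in entries_outside_suffix(parsed, "dc=hanborq,dc=com"):
        print("outside suffix:", dn)
```

Run it over the real files with parse_ldif(open("group.ldif").read()) and the suffix from slapd.conf; anything it lists would be rejected by slapd anyway, but catching it before the ldapadd avoids a half-loaded directory that then needs the ldapdelete -r from above.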


Check:
# ldapsearch -x -b "dc=hanborq,dc=com"
All users and groups should now be listed.

Check by URL:
Unencrypted:
# ldapsearch -v -x -H ldap://nd0-rack2-cloud
SSL:
# ldapsearch -v -x -H ldaps://nd0-rack2-cloud:636
TLS (TLS is the preferred mode):
# ldapsearch -v -x -h nd0-rack2-cloud -ZZ


Client configuration:
Copy the CA certificate to the client:
# scp LDAP_SERVER_IP:/etc/openldap/cacerts/cacert.pem /etc/openldap/cacerts/

The configuration below is best done with the setup command.
Edit /etc/sysconfig/authconfig:
# sed -i "/USELDAP=/d"         /etc/sysconfig/authconfig && echo "USELDAP=yes"         >> /etc/sysconfig/authconfig
# sed -i "/USELDAPAUTH=/d"     /etc/sysconfig/authconfig && echo "USELDAPAUTH=yes"     >> /etc/sysconfig/authconfig
# sed -i "/USEMD5=/d"          /etc/sysconfig/authconfig && echo "USEMD5=yes"          >> /etc/sysconfig/authconfig
# sed -i "/USESHADOW=/d"       /etc/sysconfig/authconfig && echo "USESHADOW=yes"       >> /etc/sysconfig/authconfig
# sed -i "/USELOCAUTHORIZE=/d" /etc/sysconfig/authconfig && echo "USELOCAUTHORIZE=yes" >> /etc/sysconfig/authconfig

Edit /etc/openldap/ldap.conf:
# vi /etc/openldap/ldap.conf
BASE    dc=hanborq, dc=com
URI     ldap://nd0-rack2-cloud ldaps://nd0-rack2-cloud:636
TLS_REQCERT      allow
TLS_CACERTDIR    /etc/openldap/cacerts

Edit /etc/ldap.conf and /etc/nslcd.conf. Note that this ldap.conf is the one used by the client, not by tools such as ldapadd; on CentOS 6.x it is /etc/pam_ldap.conf:
# vi /etc/ldap.conf
host nd0-rack2-cloud
base dc=hanborq,dc=com
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/cacert.pem

CentOS 6.x needs /etc/nslcd.conf configured:
# vi /etc/nslcd.conf
uri ldap://nd0-rack2-cloud
base dc=hanborq,dc=com
ssl start_tls
tls_reqcert allow
tls_cacertdir /etc/openldap/cacerts
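
The three client files above (/etc/openldap/ldap.conf, /etc/ldap.conf or /etc/pam_ldap.conf, and /etc/nslcd.conf) all carry a TLS setting that decides whether a server certificate that fails to verify against the CA we built is fatal. TLS_REQCERT allow accepts such a certificate, whereas demand (the OpenLDAP default; hard is an alias) refuses the connection. The following Python (an added example written for this page, not code from the post or from OpenLDAP) parses these files and reports settings that let a client proceed without a verified server certificate; the embedded samples are constructed copies of the settings shown in the post.

```python
# Added example, not from the original post: audit the TLS settings of the
# OpenLDAP-style client files used above (/etc/openldap/ldap.conf, /etc/ldap.conf
# or /etc/pam_ldap.conf, and /etc/nslcd.conf) and report settings that let the
# client continue without a verified server certificate.
from typing import Dict, List

# Constructed samples that reproduce the settings shown in the post.
LDAP_CONF = """\
BASE    dc=hanborq, dc=com
URI     ldap://nd0-rack2-cloud ldaps://nd0-rack2-cloud:636
TLS_REQCERT      allow
TLS_CACERTDIR    /etc/openldap/cacerts
"""

NSLCD_CONF = """\
uri ldap://nd0-rack2-cloud
base dc=hanborq,dc=com
ssl start_tls
tls_reqcert allow
tls_cacertdir /etc/openldap/cacerts
"""

PAM_LDAP_CONF = """\
host nd0-rack2-cloud
base dc=hanborq,dc=com
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/cacert.pem
"""

# tls_reqcert levels at which the server certificate must verify or the
# connection is refused; "hard" is an alias for "demand" in ldap.conf(5).
STRICT_REQCERT = {"demand", "hard"}


def parse_conf(text: str) -> Dict[str, str]:
    """Whitespace-separated key/value lines; keys are case-insensitive in all
    three files, so they are lower-cased. A repeated key keeps the last value."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def audit_tls(settings: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing weak was found."""
    findings: List[str] = []
    reqcert = settings.get("tls_reqcert")
    if reqcert is not None and reqcert.lower() not in STRICT_REQCERT:
        findings.append("tls_reqcert %s: an unverifiable server certificate is accepted; use demand" % reqcert)
    if settings.get("tls_checkpeer", "").lower() == "no":
        findings.append("tls_checkpeer no: server certificate is not checked; use yes")
    if not (settings.get("tls_cacertdir") or settings.get("tls_cacertfile") or settings.get("tls_cacert")):
        findings.append("no CA trust anchor (tls_cacertdir/tls_cacertfile) configured")
    return findings


if __name__ == "__main__":
    for name, text in (("/etc/openldap/ldap.conf", LDAP_CONF),
                       ("/etc/nslcd.conf", NSLCD_CONF),
                       ("/etc/ldap.conf", PAM_LDAP_CONF)):
        for finding in audit_tls(parse_conf(text)) or ["ok"]:
            print("%s: %s" % (name, finding))
```

To audit the live files, replace the embedded strings with open(path).read(). Note that with allow the client still connects over TLS, so netstat and s_client look healthy; the weakness only shows up in the configuration, which is why a static check like this belongs in the client build script.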

On CentOS 6.x, /etc/sssd/sssd.conf only needs to be configured if sssd is used:
# vi /etc/sssd/sssd.conf
...
domains = default
...
[domain/default]
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = dc=hanborq,dc=com
chpass_provider = ldap
id_provider = ldap
auth_provider = ldap
debug_level = 0
ldap_uri = ldap://nd0-rack2-cloud
ldap_tls_cacertdir = /etc/openldap/cacerts

CentOS 6.x needs the nslcd process restarted. If the unencrypted mode is used, FORCELEGACY=no in /etc/sysconfig/authconfig must be changed to yes; with TLS no change is needed:
# sed -i "/FORCELEGACY=/d" /etc/sysconfig/authconfig && echo "FORCELEGACY=yes" >> /etc/sysconfig/authconfig
# service nslcd restart
# service sssd restart

Edit NSS:
# vi /etc/nsswitch.conf
...
passwd:     files ldap
shadow:     files ldap
group:      files ldap
...
netgroup:   files ldap
...
automount:  files ldap
...

Edit the system authentication stack:
# vi /etc/pam.d/system-auth
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
...
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
...
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
...
session     required      pam_unix.so
session     optional      pam_ldap.so


Test:
All Linux users were imported into LDAP above. Now delete one Linux user; changing that user's password shows that the account already lives in LDAP:
# userdel nimbus
# passwd nimbus
Changing password for user nimbus.
Enter login(LDAP) password:
New UNIX password:
BAD PASSWORD: it is too simplistic/systematic
Retype new UNIX password:
LDAP password information changed for nimbus
passwd: all authentication tokens updated successfully.
Login test:
# ssh nimbus@10.24.170
Login succeeds.
