OpenLDAP host access control (IP-based)



http://blog.oddbit.com/2013/07/22/generating-a-membero/ http://gsr-linux.blogspot.jp/2011/01/howto-on-using-dynlist-with-openldap.html

Create the organizational units

cat << _EOF_ | ldapadd -x -W -H ldaps://master.local -D cn=manager,dc=suntv,dc=tv
dn: ou=people,dc=suntv,dc=tv
ou: people
objectClass: organizationalUnit

dn: ou=group,dc=suntv,dc=tv
ou: group
objectClass: organizationalUnit

dn: ou=host,dc=suntv,dc=tv
ou: host
objectClass: organizationalUnit
_EOF_

Create the host groups

cat << _EOF_ | ldapadd -x -W -H ldaps://master.local -D cn=manager,dc=suntv,dc=tv
dn: ou=all,ou=host,dc=suntv,dc=tv
objectClass: organizationalUnit
objectClass: hostObject
ou: all
host: all

dn: ou=op,ou=host,dc=suntv,dc=tv
objectClass: organizationalUnit
objectClass: hostObject
ou: op
host: 192.168.1.21
host: 192.168.1.22

dn: ou=dev,ou=host,dc=suntv,dc=tv
objectClass: organizationalUnit
objectClass: hostObject
ou: dev
host: 192.168.1.31
host: 192.168.1.32
_EOF_

Create the user groups

cat << _EOF_ | ldapadd -x -W -H ldaps://master.local -D cn=manager,dc=suntv,dc=tv
dn: cn=op,ou=group,dc=suntv,dc=tv
objectClass: posixGroup
cn: op
gidNumber: 2001

dn: cn=dev,ou=group,dc=suntv,dc=tv
objectClass: posixGroup
cn: dev
gidNumber: 2002
_EOF_

Create the users

cat << _EOF_ | ldapadd -x -W -H ldaps://master.local -D cn=manager,dc=suntv,dc=tv
dn: uid=op01,ou=people,dc=suntv,dc=tv
uid: op01
cn: op01
sn: op01
objectClass: hostObject
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
userPassword: 123456
shadowLastChange: 17085
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 2001
homeDirectory: /home/op01
labeledURI: ldaps:///ou=op,ou=host,dc=suntv,dc=tv?host

dn: uid=dev01,ou=people,dc=suntv,dc=tv
uid: dev01
cn: dev01
sn: op01
objectClass: hostObject
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
userPassword: 123456
shadowLastChange: 17085
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1002
gidNumber: 2002
homeDirectory: /home/dev01
labeledURI: ldaps:///ou=dev,ou=host,dc=suntv,dc=tv?host
_EOF_

Dynamic groups

# /etc/openldap/slapd.conf: make sure the following configuration is present
include /etc/openldap/schema/dyngroup.schema
modulepath /usr/lib64/openldap
moduleload dynlist.la
overlay dynlist
dynlist-attrset inetOrgPerson labeledURI

# Regenerate the cn=config directory from slapd.conf and restart
rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
chown -R ldap:ldap /etc/openldap/slapd.d
systemctl restart slapd

Test

ldapsearch -x -W -H ldaps://master.local -D cn=manager,dc=suntv,dc=tv -b uid=op01,ou=people,dc=suntv,dc=tv

Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <uid=op01,ou=people,dc=suntv,dc=tv> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# op01, people, suntv.tv
dn: uid=op01,ou=people,dc=suntv,dc=tv
uid: op01
cn: op01
sn: op01
objectClass: hostObject
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
userPassword:: MTIzNDU2
shadowLastChange: 17085
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 2001
homeDirectory: /home/op01
labeledURI: ldaps:///ou=op,ou=host,dc=suntv,dc=tv?host
host: 192.168.1.21 # added automatically by the dynamic group
host: 192.168.1.22 # added automatically by the dynamic group

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

ldapsearch filter usage: http://blog.chinaunix.net/uid-393131-id-2410065.html

ldapsearch -x -W -H ldaps://master.local -D cn=manager,dc=suntv,dc=tv -b uid=dev01,ou=people,dc=suntv,dc=tv host

# extended LDIF
#
# LDAPv3
# base <uid=dev01,ou=people,dc=suntv,dc=tv> with scope subtree
# filter: (objectclass=*)
# requesting: host
#

# dev01, people, suntv.tv
dn: uid=dev01,ou=people,dc=suntv,dc=tv
host: 192.168.1.31 # added automatically by the dynamic group
host: 192.168.1.32 # added automatically by the dynamic group

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

SSSD client configuration, with access control done through ldap_access_filter on the host attribute:

cat > /etc/sssd/sssd.conf << _EOF_
[domain/LDAP]
debug_level = 9
cache_credentials = true
enumerate = false
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://master.local
ldap_backup_uri = ldaps://slave.local
ldap_search_base = dc=suntv,dc=tv
ldap_user_search_base = ou=people,dc=suntv,dc=tv
ldap_group_search_base = ou=group,dc=suntv,dc=tv
access_provider = ldap
ldap_access_order = filter
ldap_access_filter = (|(host=all)(host=192.168.1.21))
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_cacert = /etc/openldap/cacerts/ca.crt
ldap_tls_reqcert = never
ldap_id_use_start_tls = false

[sssd]
domains = LDAP
services = nss, pam
config_file_version = 2

[nss]
domains = LDAP
fd_limit = 65535
filter_users = root
filter_groups = root

[pam]
domains = LDAP

[ssh]
domains = LDAP
ssh_hash_known_hosts = false
_EOF_

Test

# ssh op01@192.168.1.22
op01@192.168.1.22's password:
Connection to 192.168.1.22 closed by remote host.
Connection to 192.168.1.22 closed.

The sssd_LDAP log shows the following. The search [(&(uid=op01)(objectclass=posixAccount)(|(host=all)(host=192.168.1.21)))][uid=op01,ou=people,dc=suntv,dc=tv] is the filter SSSD evaluates, so the problem must be in ldap_access_filter = (|(host=all)(host=192.168.1.21)): the host values that dynlist adds to op01 are generated when the entry is returned, not stored in it, so the backend's filter evaluation does not see them and the user is never matched.

(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [sdap_access_filter_send] (0x0400): Performing access filter check for user [op01]
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [sdap_access_filter_send] (0x0400): Checking filter against LDAP
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [sdap_print_server] (0x2000): Searching 192.168.1.11
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=op01)(objectclass=posixAccount)(|(host=all)(host=192.168.1.21)))][uid=op01,ou=people,dc=suntv,dc=tv].
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 4
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [sdap_op_add] (0x2000): New operation 4 timeout 6
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [sdap_process_result] (0x2000): Trace: sh[0x9380c0], connected[1], ops[0x9f7470], ldap[0x931330]
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [sdap_op_destructor] (0x2000): Operation 4 finished
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [sdap_id_op_done] (0x4000): releasing operation connection
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [sdap_access_filter_done] (0x0100): User [op01] was not found with the specified filter. Denying access.
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [sdap_access_filter_done] (0x0400): Access denied by online lookup
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [ldb] (0x4000): start ldb transaction (nesting: 0)
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x9e6f50
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x9e76c0
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [ldb] (0x4000): Running timer event 0x9e6f50 "ltdb_callback"
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [ldb] (0x4000): Destroying timer event 0x9e76c0 "ltdb_timeout"
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [ldb] (0x4000): Ending timer event 0x9e6f50 "ltdb_callback"
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [ldb] (0x4000): commit ldb transaction (nesting: 0)
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [sdap_access_done] (0x0400): Access was denied.
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 6, <NULL>) [Success]
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [be_pam_handler_callback] (0x0100): Sending result [6][LDAP]
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [be_pam_handler_callback] (0x0100): Sent result [6][LDAP]
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [sdap_process_result] (0x2000): Trace: sh[0x9380c0], connected[1], ops[(nil)], ldap[0x931330]
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Thu Oct 13 17:24:00 2016) [sssd[be[LDAP]]] [sbus_dispatch] (0x4000): dbus conn: 0x91cdf0
(Thu Oct 13 17:24:00 2016) [sssd[be[LDAP]]] [sbus_dispatch] (0x4000): Dispatching.

dynlist does not support filtering on the attributes it generates: http://www.openldap.org/lists/openldap-software/200708/msg00250.html. That thread recommends the third-party autogroup overlay instead, which stores the generated records in the database and therefore does support filtering.

op01 uses the dynamic group; dev01 does not use the dynamic group and instead has the host record 192.168.1.22 added directly to its entry.

ldapsearch -x -W -H ldaps://master.local -D cn=manager,dc=suntv,dc=tv -b ou=people,dc=suntv,dc=tv "host=192.168.1.22"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=people,dc=suntv,dc=tv> with scope subtree
# filter: host=192.168.1.22 # the filter finds the entry
# requesting: ALL
#

# dev01, people, suntv.tv
dn: uid=dev01,ou=people,dc=suntv,dc=tv
uid: dev01
cn: dev01
sn: op01
objectClass: hostObject
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
userPassword:: MTIzNDU2
shadowLastChange: 17085
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1002
gidNumber: 2002
homeDirectory: /home/dev01
host: 192.168.1.22

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

ldapsearch -x -W -H ldaps://master.local -D cn=manager,dc=suntv,dc=tv -b ou=people,dc=suntv,dc=tv "host=192.168.1.21"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=people,dc=suntv,dc=tv> with scope subtree
# filter: host=192.168.1.21 # the filter finds no record
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1
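The two findings above (the dynlist user is denied, the user with a stored host attribute is found by the same filter) can be reproduced offline. The following is an added example, not code from the original post: it parses LDIF entries and evaluates the exact filter SSSD logs, (&(uid=<user>)(objectclass=posixAccount)(|(host=all)(host=<ip>))), against the attributes actually stored in each entry, which is all the backend's filter evaluation sees. The sample LDIF is constructed here and mirrors the post's op01 (labeledURI only) and dev01 (host stored directly); admin01 with host: all is a hypothetical addition. It also escapes filter values per RFC 4515, which matters whenever the user name or address comes from outside.

```python
"""Offline dry run of the SSSD ldap_access_filter host check.

Added example, not from the original post. Evaluates the filter SSSD
sends against stored LDIF attributes only: values the dynlist overlay
derives from labeledURI at read time are not stored, so such users
are denied exactly as in the sssd_LDAP log.
"""
import base64

# Constructed sample data (admin01 is hypothetical, op01/dev01 follow the post).
SAMPLE_LDIF = """\
dn: uid=op01,ou=people,dc=suntv,dc=tv
uid: op01
objectClass: posixAccount
objectClass: hostObject
userPassword:: MTIzNDU2
labeledURI: ldaps:///ou=op,ou=host,dc=suntv,dc=tv?host

dn: uid=dev01,ou=people,dc=suntv,dc=tv
uid: dev01
objectClass: posixAccount
objectClass: hostObject
host: 192.168.1.22

dn: uid=admin01,ou=people,dc=suntv,dc=tv
uid: admin01
objectClass: posixAccount
objectClass: hostObject
host: all
"""


def parse_ldif(text):
    """Parse unfolded LDIF into a list of {attribute (lowercased): [values]}.

    Blank lines separate entries, '#' lines are comments, and a '::'
    separator marks a base64-encoded value (as ldapsearch prints userPassword).
    """
    entries, current = [], {}
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = raw.partition(":")
        attr = attr.strip().lower()
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def ldap_escape(value):
    """Escape a filter assertion value per RFC 4515 so it cannot alter the filter's structure."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\0" else ch for ch in value)


def access_filter(uid, ip):
    """The filter SSSD builds for ldap_access_filter = (|(host=all)(host=<ip>))."""
    return "(&(uid=%s)(objectclass=posixAccount)(|(host=all)(host=%s)))" % (
        ldap_escape(uid), ldap_escape(ip))


def host_matches(entry, ip):
    """(|(host=all)(host=<ip>)) over stored values; host uses case-insensitive matching."""
    hosts = {h.lower() for h in entry.get("host", [])}
    return "all" in hosts or ip.lower() in hosts


def access_allowed(entries, uid, ip):
    """Mimic sdap_access_filter: if no entry matches the full filter, access is denied."""
    for entry in entries:
        if uid not in entry.get("uid", []):
            continue
        if "posixaccount" not in {oc.lower() for oc in entry.get("objectclass", [])}:
            continue
        if host_matches(entry, ip):
            return True
    return False


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for uid, ip in [("op01", "192.168.1.21"), ("dev01", "192.168.1.22"),
                    ("dev01", "192.168.1.21"), ("admin01", "192.168.1.99")]:
        verdict = "allow" if access_allowed(entries, uid, ip) else "deny"
        print(access_filter(uid, ip), "->", verdict)
```

Run as-is, it prints deny for op01 on 192.168.1.21 (no stored host, only labeledURI), allow for dev01 on 192.168.1.22, deny for dev01 on 192.168.1.21, and allow for admin01 anywhere via host: all, which is the same outcome the ldapsearch filters above produce against the live server.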

Since dynlist does not support filters for now, autogroup is a third-party module that is not built into OpenLDAP by default, and static groups would require adding many host records to every user, I am abandoning the IP-based dynamic-group approach. I'll try an approach based on user groups instead.

posted on 2016-10-12 15:53 北京涛子

Reposted from: https://www.cnblogs.com/liujitao79/p/openldap.html
