openldap主机访问控制(基于用户组)

it2022-05-05  208

openldap主机访问控制(基于用户组)

建立组织单元

cat << _EOF_ | ldapadd -x -W -H ldaps://master.local -D cn=manager,dc=suntv,dc=tv dn: ou=host,dc=suntv,dc=tv ou: host objectClass: organizationalUnit dn: ou=people,dc=suntv,dc=tv ou: people objectClass: organizationalUnit dn: ou=group,dc=suntv,dc=tv ou: group objectClass: organizationalUnit _EOF_

建立用户组

cat << _EOF_ | ldapadd -x -W -H ldaps://master.local -D cn=manager,dc=suntv,dc=tv dn: cn=admin,ou=group,dc=suntv,dc=tv objectClass: posixGroup cn: admin gidNumber: 2001 dn: cn=op,ou=group,dc=suntv,dc=tv objectClass: posixGroup cn: op gidNumber: 2002 dn: cn=dev,ou=group,dc=suntv,dc=tv objectClass: posixGroup cn: dev gidNumber: 2003 _EOF_

建立用户

cat << _EOF_ | ldapadd -x -W -H ldaps://master.local -D cn=manager,dc=suntv,dc=tv dn: uid=admin01,ou=people,dc=suntv,dc=tv objectClass: posixAccount objectClass: shadowAccount objectClass: inetOrgPerson uid: admin01 cn: admin01 sn: admin01 userPassword: 123456 shadowLastChange: 17085 shadowMin: 0 shadowMax: 99999 shadowWarning: 7 loginShell: /bin/bash uidNumber: 1001 gidNumber: 2001 homeDirectory: /home/admin01 dn: uid=op01,ou=people,dc=suntv,dc=tv objectClass: posixAccount objectClass: shadowAccount objectClass: inetOrgPerson uid: op01 cn: op01 sn: op01 userPassword: 123456 shadowLastChange: 17085 shadowMin: 0 shadowMax: 99999 shadowWarning: 7 loginShell: /bin/bash uidNumber: 1002 gidNumber: 2002 homeDirectory: /home/op01 dn: uid=dev01,ou=people,dc=suntv,dc=tv objectClass: posixAccount objectClass: shadowAccount objectClass: inetOrgPerson uid: dev01 cn: dev01 sn: dev01 userPassword: 123456 shadowLastChange: 17085 shadowMin: 0 shadowMax: 99999 shadowWarning: 7 loginShell: /bin/bash uidNumber: 1003 gidNumber: 2003 homeDirectory: /home/dev01 _EOF_

建立授权用户组

cat << _EOF_ | ldapadd -x -W -H ldaps://master.local -D cn=manager,dc=suntv,dc=tv dn: cn=admin,ou=host,dc=suntv,dc=tv objectclass: groupOfNames cn: admin member: uid=admin01,ou=people,dc=suntv,dc=tv dn: cn=dev,ou=host,dc=suntv,dc=tv objectclass: groupOfNames cn: dev member: uid=dev01,ou=people,dc=suntv,dc=tv dn: cn=op,ou=host,dc=suntv,dc=tv objectclass: groupOfNames cn: dev member: uid=op01,ou=people,dc=suntv,dc=tv _EOF_

openldap服务器配置反向组查询

# /etc/openldap/slapd.conf 确保有以下配置项 modulepath /usr/lib64/openldap moduleload memberof.la overlay memberof rm -rf /etc/openldap/slapd.d/* slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d chown -R ldap:ldap /etc/openldap/slapd.d systemctl restart slapd

测试

ldapsearch -x -W -H ldaps://master.local -D cn=manager,dc=suntv,dc=tv -b uid=op01,ou=people,dc=suntv,dc=tv "uid=op01" memberOf

# extended LDIF # # LDAPv3 # base <uid=op01,ou=people,dc=suntv,dc=tv> with scope subtree # filter: uid=op01 # requesting: memberOf # # op01, people, suntv.tv dn: uid=op01,ou=people,dc=suntv,dc=tv memberOf: cn=op,ou=host,dc=suntv,dc=tv # 这里是关键 # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1

ldapsearch -x -W -H ldaps://master.local -D cn=manager,dc=suntv,dc=tv -b uid=admin01,ou=people,dc=suntv,dc=tv "uid=admin01" memberOf

# admin01, people, suntv.tv dn: uid=admin01,ou=people,dc=suntv,dc=tv memberOf: cn=all,ou=host,dc=suntv,dc=tv

ldapsearch -x -W -H ldaps://master.local -D cn=manager,dc=suntv,dc=tv -b uid=dev01,ou=people,dc=suntv,dc=tv "uid=dev01" memberOf

# dev01, people, suntv.tv dn: uid=dev01,ou=people,dc=suntv,dc=tv memberOf: cn=dev,ou=host,dc=suntv,dc=tv

登录服务器配置

yum -y install openldap-clients sssd authconfig --enablesssd --enablesssdauth --enableldap --enableldapauth --ldapserver=ldaps://master.local,ldaps://slave.local --ldapbasedn='dc=suntv,dc=tv' --enablelocauthorize --enableldaptls --enablemkhomedir --update cat > /etc/sssd/sssd.conf << _EOF_ [domain/LDAP] debug_level = 9 cache_credentials = True enumerate = false id_provider = ldap auth_provider = ldap chpass_provider = ldap ldap_uri = ldaps://master.local ldap_backup_uri = ldaps://slave.local ldap_search_base = dc=suntv,dc=tv ldap_user_search_base = ou=people,dc=suntv,dc=tv ldap_group_search_base = ou=group,dc=suntv,dc=tv access_provider = ldap ldap_access_order = filter ldap_access_filter = (|(memberOf=cn=admin,ou=host,dc=suntv,dc=tv)(memberOf=cn=dev,ou=host,dc=suntv,dc=tv)) ldap_tls_cacertdir = /etc/openldap/cacerts ldap_tls_cacert = /etc/openldap/cacerts/ca.crt ldap_tls_reqcert = never ldap_id_use_start_tls = false [sssd] domains = LDAP services = nss, pam config_file_version = 2 [nss] domains = LDAP filter_users = root filter_groups = root [pam] domains = LDAP [sudo] domains = LDAP [ssh] domains = LDAP _EOF_

配置自启动

centso7 : systemctl restart sssd systemctl enable sssd centos6 : /etc/init.d/sssd restart chkconfig sssd on

权限

192.168.1.21 centos7 允许op组及admin组登录 ldap_access_filter = (|(memberOf=cn=admin,ou=host,dc=suntv,dc=tv)(memberOf=cn=op,ou=host,dc=suntv,dc=tv)) 192.168.1.22 centos6 允许dev组及admin组登录 ldap_access_filter = (|(memberOf=cn=admin,ou=host,dc=suntv,dc=tv)(memberOf=cn=dev,ou=host,dc=suntv,dc=tv))

测试结果

op01 登录192.168.1.21成功,登录192.168.1.22失败 dev01 登录192.168.1.21失败,登录192.168.1.22成功 admin 登录192.168.1.21成功,登录192.168.1.22成功 [root@centos-1-21 home]# ll total 0 drwx------ 2 admin01 admin 79 Oct 14 16:40 admin01 drwx------ 2 op01 op 79 Oct 14 16:40 op01 [root@centos6-1-22 home]# ll total 8 drwx------ 2 admin01 admin 4096 Oct 14 16:40 admin01 drwx------ 2 dev01 dev 4096 Oct 14 16:40 dev01 posted on 2016-10-14 12:38 北京涛子 阅读( ...) 评论( ...) 编辑 收藏

转载于:https://www.cnblogs.com/liujitao79/p/5959939.html


最新回复(0)