OpenLDAP host access control (hostname-based)

it2022-05-05  216


References:

http://mayiwei.com/2013/03/21/centos6-openldap/
http://www.zytrax.com/books/ldap/ch11/dynamic.html
https://www.linux.com/blog/centralized-authentication-openldap
https://live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/304/1/How_to_Work_with_UserID_and_OpenLDAP_Dynamic_Groups.pdf
http://serverfault.com/questions/643650/ssh-access-to-hosts-groups-based-on-user-groups-using-ldap
https://www.jqlinux.com/archives/600
http://blog.oddbit.com/2013/07/22/generating-a-membero/

Documentation: man slapo-dynlist

Import the ldapns.schema schema (it provides the hostObject object class, whose host attribute carries the per-user host list):

https://github.com/openldap/openldap/blob/master/contrib/slapd-modules/nssov/ldapns.schema

```sh
# The heredoc delimiter is quoted so the shell does not expand the $OpenLDAP$ and $Id$ keywords in the comments.
cat > /etc/openldap/schema/ldapns.schema << '_EOF_'
# $OpenLDAP$
# $Id: ldapns.schema,v 1.3 2009-10-01 19:17:20 tedcheng Exp $
# LDAP Name Service Additional Schema
# http://www.iana.org/assignments/gssapi-service-names
#
# Not part of the distribution: this is a workaround!
#

attributetype ( 1.3.6.1.4.1.5322.17.2.1 NAME 'authorizedService'
	DESC 'IANA GSS-API authorized service name'
	EQUALITY caseIgnoreMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )

attributetype ( 1.3.6.1.4.1.5322.17.2.2 NAME 'loginStatus'
	DESC 'Currently logged in sessions for a user'
	EQUALITY caseIgnoreMatch
	SUBSTR caseIgnoreSubstringsMatch
	ORDERING caseIgnoreOrderingMatch
	SYNTAX OMsDirectoryString )

objectclass ( 1.3.6.1.4.1.5322.17.1.1 NAME 'authorizedServiceObject'
	DESC 'Auxiliary object class for adding authorizedService attribute'
	SUP top AUXILIARY
	MAY authorizedService )

# hostObject only references the 'host' attribute type; that type is defined in cosine.schema,
# which therefore has to be included before this file in slapd.conf.
objectclass ( 1.3.6.1.4.1.5322.17.1.2 NAME 'hostObject'
	DESC 'Auxiliary object class for adding host attribute'
	SUP top AUXILIARY
	MAY host )

objectclass ( 1.3.6.1.4.1.5322.17.1.3 NAME 'loginStatusObject'
	DESC 'Auxiliary object class for login status attribute'
	SUP top AUXILIARY
	MAY loginStatus )
_EOF_
```
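The hostObject class in ldapns.schema does not define the host attribute type, it only references it; host lives in cosine.schema, so if ldapns.schema is included before cosine.schema, slaptest refuses the configuration because the attribute type is unknown. The following is an added example (it is not code from the page or from the OpenLDAP nssov module): a small parser for attributetype/objectclass definitions that reports, for a given include order, which attributes an object class references that nothing has defined yet. SHIPPED_ATTRIBUTES is a hand-picked subset of what core.schema and cosine.schema define, constructed for the example.

```python
import re

# Constructed subsets of the attribute types that OpenLDAP's core.schema and
# cosine.schema define (the real files define far more; `host` is in cosine).
SHIPPED_ATTRIBUTES = {
    "core.schema": {"cn", "sn", "ou", "uid", "description", "labeledURI", "userPassword"},
    "cosine.schema": {"host", "mail", "info", "homePhone"},
}

# The definitions from ldapns.schema as shown on the page (comments omitted).
LDAPNS_SCHEMA = """
attributetype ( 1.3.6.1.4.1.5322.17.2.1 NAME 'authorizedService'
    DESC 'IANA GSS-API authorized service name'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
attributetype ( 1.3.6.1.4.1.5322.17.2.2 NAME 'loginStatus'
    DESC 'Currently logged in sessions for a user'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    ORDERING caseIgnoreOrderingMatch
    SYNTAX OMsDirectoryString )
objectclass ( 1.3.6.1.4.1.5322.17.1.1 NAME 'authorizedServiceObject'
    DESC 'Auxiliary object class for adding authorizedService attribute'
    SUP top AUXILIARY MAY authorizedService )
objectclass ( 1.3.6.1.4.1.5322.17.1.2 NAME 'hostObject'
    DESC 'Auxiliary object class for adding host attribute'
    SUP top AUXILIARY MAY host )
objectclass ( 1.3.6.1.4.1.5322.17.1.3 NAME 'loginStatusObject'
    DESC 'Auxiliary object class for login status attribute'
    SUP top AUXILIARY MAY loginStatus )
"""

# One definition: keyword, then a parenthesised spec. The specs handled here
# contain no nested parentheses (the {256} length bound uses braces).
DEF_RE = re.compile(
    r"\b(attributetype|objectclass)\s*\((.*?)\)\s*(?=\b(?:attributetype|objectclass)\b|\Z)",
    re.S | re.I,
)


def parse_schema(text):
    """Return (attribute names defined, {objectclass name: attributes it references})."""
    body = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    attributes, classes = set(), {}
    for kind, spec in DEF_RE.findall(body):
        spec = re.sub(r"DESC\s+'[^']*'", "", spec)  # free text may contain keywords
        m = re.search(r"NAME\s+(?:'([^']*)'|\(([^)]*)\))", spec)
        names = [m.group(1)] if m.group(1) else re.findall(r"'([^']*)'", m.group(2))
        if kind.lower() == "attributetype":
            attributes.update(names)
            continue
        refs = set()
        for _, grouped, single in re.findall(r"\b(MUST|MAY)\s+(?:\(([^)]*)\)|([\w\-;]+))", spec):
            refs.update(x.strip() for x in (grouped or single).split("$") if x.strip())
        classes[names[0]] = refs
    return attributes, classes


def unresolved_attributes(schema_text, included_before):
    """Attributes each objectclass references that neither this file nor the schema
    files included before it define: exactly what makes slaptest reject the include."""
    attributes, classes = parse_schema(schema_text)
    known = {a.lower() for a in attributes}
    for schema_file in included_before:
        known |= {a.lower() for a in SHIPPED_ATTRIBUTES.get(schema_file, ())}
    return {cls: sorted(r for r in refs if r.lower() not in known)
            for cls, refs in classes.items() if any(r.lower() not in known for r in refs)}


if __name__ == "__main__":
    for order in (["core.schema"], ["core.schema", "cosine.schema"]):
        print(order, "->", unresolved_attributes(LDAPNS_SCHEMA, order) or "all references resolved")
```

With only core.schema included before it, the check reports that hostObject references the undefined attribute host; once cosine.schema precedes the include, every reference resolves. The same check applies to the posixAccount/posixGroup classes used later on the page, which come from nis.schema.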

Add the following to /etc/openldap/slapd.conf, then regenerate the slapd.d configuration and restart slapd:

```
# global section: the include must come after core.schema and cosine.schema
include /etc/openldap/schema/ldapns.schema
modulepath /usr/lib64/openldap
moduleload dynlist.la

# database section (after the "database" directive): expand the labeledURI
# attribute of inetOrgPerson entries into the attributes the URL requests
overlay dynlist
dynlist-attrset inetOrgPerson labeledURI
```

```sh
rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
chown -R ldap:ldap /etc/openldap/slapd.d
systemctl restart slapd
```

Define the host list groups

```sh
cat << _EOF_ | ldapadd -x -W -H ldaps:/// -D cn=Manager,dc=suntv,dc=tv
dn: ou=servers,dc=suntv,dc=tv
objectClass: organizationalUnit
ou: servers

dn: ou=ophost,ou=servers,dc=suntv,dc=tv
objectClass: organizationalUnit
objectClass: hostObject
ou: ophost
host: client-1-21
host: client-1-22

dn: ou=devhost,ou=servers,dc=suntv,dc=tv
objectClass: organizationalUnit
objectClass: hostObject
ou: devhost
host: client-1-31
host: client-1-32
_EOF_
```

Define the user groups

```sh
cat << _EOF_ | ldapadd -x -W -H ldaps:/// -D cn=Manager,dc=suntv,dc=tv
dn: ou=people,dc=suntv,dc=tv
objectClass: organizationalUnit
ou: people

dn: ou=group,dc=suntv,dc=tv
objectClass: organizationalUnit
ou: group

dn: cn=opteam,ou=group,dc=suntv,dc=tv
objectClass: posixGroup
cn: opteam
gidNumber: 2001

dn: cn=devteam,ou=group,dc=suntv,dc=tv
objectClass: posixGroup
cn: devteam
gidNumber: 2002
_EOF_
```

Define the users (each user's labeledURI points at the host group whose host values should be merged into the user's entry)

```sh
cat << _EOF_ | ldapadd -x -W -H ldaps:/// -D cn=Manager,dc=suntv,dc=tv
dn: uid=op01,ou=people,dc=suntv,dc=tv
objectClass: posixAccount
objectClass: shadowAccount
objectClass: person
objectClass: inetOrgPerson
objectClass: hostObject
cn: op01
sn: op01
uid: op01
userPassword: 123456
uidNumber: 1001
gidNumber: 2001
gecos: opteam
homeDirectory: /home/op01
loginShell: /bin/bash
shadowLastChange: 15000
shadowMin: 0
shadowMax: 999999
shadowWarning: 7
shadowExpire: -1
mobile: 13900001001
mail: op01@abc.com
labeledURI: ldap:///ou=ophost,ou=servers,dc=suntv,dc=tv?host
_EOF_

cat << _EOF_ | ldapadd -x -W -H ldaps:/// -D cn=Manager,dc=suntv,dc=tv
dn: uid=dev01,ou=people,dc=suntv,dc=tv
objectClass: posixAccount
objectClass: shadowAccount
objectClass: person
objectClass: inetOrgPerson
objectClass: hostObject
cn: dev01
sn: dev01
uid: dev01
userPassword: 123456
uidNumber: 1002
gidNumber: 2002
gecos: opteam
homeDirectory: /home/dev01
loginShell: /bin/bash
shadowLastChange: 15000
shadowMin: 0
shadowMax: 999999
shadowWarning: 7
shadowExpire: -1
mobile: 13900001002
mail: dev01@abc.com
labeledURI: ldap:///ou=devhost,ou=servers,dc=suntv,dc=tv?host
_EOF_
```

This has been tested successfully. However, nss-pam-ldap is only usable on CentOS 6.x. The host attribute needs the FQDN of the login host's hostname, which must be obtainable either through DNS or by specifying it in /etc/hosts.

On the client:

```
cat pam_ldap.conf
pam_check_host_attr yes
```
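To make the two moving parts above concrete (the dynlist overlay merging the host group's host values into each user's entry, and the client's pam_check_host_attr comparing those values against the login host's resolved name), here is an added example that models both in Python. It is not code from the page, from OpenLDAP or from pam_ldap: the LDIF and the /etc/hosts table are constructed from the page's entries, `expand_dynlist` imitates what `dynlist-attrset inetOrgPerson labeledURI` returns to a client (base and sub scope only, filters ignored), and `host_ok` is a simplified model of the host check in which a value must equal the resolved canonical name or one of its aliases. It also shows the FQDN caveat the author notes: client-1-22 is listed in the constructed hosts table under its FQDN only, so the short name stored in the host group never matches it.

```python
import re

# Constructed LDIF: the page's host groups and (abridged) user entries.
LDIF = """\
dn: ou=ophost,ou=servers,dc=suntv,dc=tv
objectClass: organizationalUnit
objectClass: hostObject
ou: ophost
host: client-1-21
host: client-1-22

dn: ou=devhost,ou=servers,dc=suntv,dc=tv
objectClass: organizationalUnit
objectClass: hostObject
ou: devhost
host: client-1-31
host: client-1-32

dn: uid=op01,ou=people,dc=suntv,dc=tv
objectClass: inetOrgPerson
objectClass: hostObject
uid: op01
labeledURI: ldap:///ou=ophost,ou=servers,dc=suntv,dc=tv?host

dn: uid=dev01,ou=people,dc=suntv,dc=tv
objectClass: inetOrgPerson
objectClass: hostObject
uid: dev01
labeledURI: ldap:///ou=devhost,ou=servers,dc=suntv,dc=tv?host
"""

# Constructed /etc/hosts of the login hosts; client-1-22 is listed by FQDN only.
HOSTS_FILE = """\
10.0.1.21  client-1-21.suntv.tv  client-1-21
10.0.1.22  client-1-22.suntv.tv
10.0.1.31  client-1-31.suntv.tv  client-1-31
"""

def parse_ldif(text):
    """Minimal LDIF reader (no '::' base64 values, no folded lines): dn -> attrs."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip().lower(), []).append(value.strip())
        entries[attrs.pop("dn")[0].lower()] = attrs
    return entries

def parse_ldap_url(url):
    """ldap:///<base>?<attrs>?<scope>[?filter] -> (base, [attrs], scope); filter ignored."""
    base, attrs, scope = re.match(r"ldap://[^/]*/([^?]*)\??([^?]*)\??([^?]*)", url, re.I).groups()
    return base, [a.lower() for a in attrs.split(",") if a], (scope or "base").lower()

def in_scope(dn, base, scope):
    dn, base = dn.lower(), base.lower()
    return dn == base or (scope != "base" and dn.endswith("," + base))  # base, else sub

def expand_dynlist(entries, group_oc="inetorgperson", url_ad="labeleduri"):
    """Model of `dynlist-attrset inetOrgPerson labeledURI`: the view a client gets, where
    every entry of group_oc has the attributes named in its URLs merged in from the
    entries the URL selects. The stored entries themselves are never modified."""
    expanded = {}
    for dn, attrs in entries.items():
        view = {k: list(v) for k, v in attrs.items()}
        if group_oc in (oc.lower() for oc in attrs.get("objectclass", [])):
            for url in attrs.get(url_ad, []):
                base, wanted, scope = parse_ldap_url(url)
                for other_dn, other in entries.items():
                    if in_scope(other_dn, base, scope):
                        for a in wanted:
                            for v in other.get(a, []):
                                if v not in view.setdefault(a, []):
                                    view[a].append(v)
        expanded[dn] = view
    return expanded

def resolve(name):
    """gethostbyname() stand-in over HOSTS_FILE: (canonical name, aliases) or None."""
    for fields in (line.split() for line in HOSTS_FILE.splitlines()):
        if len(fields) > 1 and name.lower() in [f.lower() for f in fields[1:]]:
            return fields[1], fields[2:]
    return None

def host_ok(user_view, login_hostname):
    """Model of `pam_check_host_attr yes`: a host value must equal the login host's
    canonical (resolved) name or an alias; no host attribute or no resolution = deny."""
    allowed = {h.lower() for h in user_view.get("host", [])}
    resolved = resolve(login_hostname)
    if not allowed or resolved is None:
        return False
    canonical, aliases = resolved
    return canonical.lower() in allowed or any(a.lower() in allowed for a in aliases)

if __name__ == "__main__":
    users = expand_dynlist(parse_ldif(LDIF))
    for uid, host in [("op01", "client-1-21"), ("op01", "client-1-22.suntv.tv"), ("dev01", "client-1-31")]:
        print(uid, "on", host, "->", host_ok(users[f"uid={uid},ou=people,dc=suntv,dc=tv"], host))
```

Two properties of the model are worth checking against a real deployment with ldapsearch: the stored user entry has no host attribute at all (the values only appear in search results once the overlay is loaded), and a login host whose canonical name is the FQDN is denied when the host group only holds the short name, which is the situation the author's note about DNS and /etc/hosts addresses. A user with no host attribute is denied outright; that matches the pam_ldap.conf documentation for pam_check_host_attr, which states that a user without a host value is refused login once the option is on.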

Posted on 2016-09-25 21:43 by 北京涛子

Reposted from: https://www.cnblogs.com/liujitao79/p/5907103.html
