因为公司内部系统剧增,服务器太多,每一个系统、服务器的帐号都各不相同,因此决定采用 LDAP 的方式来统一 Linux 用户认证。背景:随着团队人员、服务器增多,每台服务器的帐号都独立管理,从而导致:运维人员维护成本太高;员工操作很不方便;员工需要记住的帐号太多;没有明确的权限划分。那么通过统一认证,可以实现的效果有:员工增减时,快速开通、注销帐号;所有用户具有权限的服务器
环境:
角色 | 系统 | IP |
---|---|---|
Server | centos7 | 192.168.3.157 |
Client | centos7 | 192.168.3.158 |
务必关闭 server 端的 SELinux
sed -i '/SELINUX/s/enforcing/disabled/g' /etc/sysconfig/selinux
systemctl disable firewalld
reboot
步骤:
①使用 yum 部署 OpenLDAP
[root@server ~] #yum install -y openldap openldap-clients openldap-servers migrationtools
②部署后优化配置并启动 slapd
[root@server ~] #vim /etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif
修改其中两行:
olcSuffix: dc=haze,dc=com
olcRootDN: cn=root,dc=haze,dc=com
添加一行:
olcRootPW: 123456 #密码可以明文,也可以用 slappasswd 生成密文后粘贴至此(明文会原样保存在该配置文件中,建议使用密文);注意参数与密码之间的空格
[root@server ~] #vim /etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif
修改其中一行:
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=root,dc=haze,dc=com" read by * none
[root@server ~] #cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@server ~] #chown -R ldap:ldap /var/lib/ldap
[root@server ~] #chown -R ldap:ldap /etc/openldap/certs
给予证书目录权限,否则无法启动服务,在这里卡了一下午
[root@server ~] #slaptest -u
56e7c83d ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif" 56e7c83d ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif" config file testing succeeded
checksum error:校验和错误(因为是直接用 vim 编辑了 slapd.d 下的文件,文件头中的 CRC 校验值未更新),不影响实验;输出 succeeded 即表示成功
[root@server ~] #systemctl start slapd
[root@server ~] #systemctl enable slapd
[root@server ~] #netstat -tunlp | egrep "389|636"
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 3557/slapd tcp6 0 0 :::389 :::* LISTEN 3557/slapd
③向 LDAP 添加所需的 schema(架构)
[root@server ~] #cd /etc/openldap/schema/
[root@server schema] # vim start.sh
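#!/bin/sh
# Load the standard OpenLDAP schema files into cn=config over the local
# ldapi:/// socket (SASL EXTERNAL, i.e. the root uid of the caller).
# Run from /etc/openldap/schema/ as root.
#
# One ldapadd per file, so a rejected schema does not stop the rest.
# On this setup core.ldif was already present in cn=config and ldapadd
# rejected it as a duplicate attributeType; that is expected and harmless.
set -u

failed=0
for schema in cosine nis collective corba core duaconf dyngroup \
    inetorgperson java misc openldap pmi ppolicy; do
  # Same invocation as before, just one line per schema instead of thirteen.
  if ! ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f "${schema}.ldif"; then
    printf 'start.sh: failed to add %s.ldif (already loaded?)\n' "$schema" >&2
    failed=$((failed + 1))
  fi
done

# Exit non-zero if any schema was rejected so the caller can notice;
# the per-file messages above say which ones.
[ "$failed" -eq 0 ]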
[root@server schema] # sh start.sh
SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=cosine,cn=schema,cn=config" SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=nis,cn=schema,cn=config" SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=collective,cn=schema,cn=config" SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=corba,cn=schema,cn=config" SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=core,cn=schema,cn=config" ldap_add: Other (e.g., implementation specific) error (80) additional info: olcAttributeTypes: Duplicate attributeType: "2.5.4.2" SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=duaconf,cn=schema,cn=config" SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=dyngroup,cn=schema,cn=config" SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=inetorgperson,cn=schema,cn=config" SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=java,cn=schema,cn=config" SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=misc,cn=schema,cn=config" SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=openldap,cn=schema,cn=config" 
SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=pmi,cn=schema,cn=config" SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=ppolicy,cn=schema,cn=config"
④使用 migrationtools 创建 LDAP DIT
[root@server schema] #cd /usr/share/migrationtools/
[root@server migrationtools] #vim migrate_common.ph
修改其中四行:
$NAMINGCONTEXT{'group'} = "ou=Groups"; # 61行:Groups 添加 s
$DEFAULT_MAIL_DOMAIN = "haze.com"; # 71行:修改域值
$DEFAULT_BASE = "dc=haze,dc=com"; # 74行:dc
$EXTENDED_SCHEMA = 1; # 90行:0 改为 1,打开扩展架构
[root@server migrationtools] #./migrate_base.pl > /root/base.ldif
[root@server migrationtools] #ldapadd -x -W -D "cn=root,dc=haze,dc=com" -f /root/base.ldif
Enter LDAP Password: adding new entry "dc=haze,dc=com" adding new entry "ou=Hosts,dc=haze,dc=com" adding new entry "ou=Rpc,dc=haze,dc=com" adding new entry "ou=Services,dc=haze,dc=com" adding new entry "nisMapName=netgroup.byuser,dc=haze,dc=com" adding new entry "ou=Mounts,dc=haze,dc=com" adding new entry "ou=Networks,dc=haze,dc=com" adding new entry "ou=People,dc=haze,dc=com" adding new entry "ou=Groups,dc=haze,dc=com" adding new entry "ou=Netgroup,dc=haze,dc=com" adding new entry "ou=Protocols,dc=haze,dc=com" adding new entry "ou=Aliases,dc=haze,dc=com" adding new entry "nisMapName=netgroup.byhost,dc=haze,dc=com"
⑤创建用户目录 guests,并创建测试用户、设置密码
[root@server migrationtools] #mkdir /home/guests
[root@server migrationtools] #useradd -d /home/guests/ldapuser1 ldapuser1
[root@server migrationtools] #useradd -d /home/guests/ldapuser2 ldapuser2
[root@server migrationtools] #echo 'password' | passwd --stdin ldapuser1
[root@server migrationtools] #echo 'password' | passwd --stdin ldapuser2
⑥现在将这些用户、组及密码从 /etc/ 过滤到不同的文件
[root@server migrationtools] #getent passwd | tail -n 5 > /root/users
[root@server migrationtools] #getent shadow | tail -n 5 > /root/shadow
[root@server migrationtools] #getent group | tail -n 5 > /root/groups
[root@server migrationtools] #cd /usr/share/migrationtools
[root@server migrationtools] #vim migrate_passwd.pl
......
sub read_shadow_file {
    open(SHADOW, "/root/shadow") || return;   # 188行:改为 /root/shadow
    while(<SHADOW>) {
        chop;
        ($shadowUser) = split(/:/, $_);
        $shadowUsers{$shadowUser} = $_;
    }
    close(SHADOW);
......
⑦现在需要使用迁移工具为这些用户创建 LDIF 文件
[root@server migrationtools] #./migrate_passwd.pl /root/users > users.ldif
[root@server migrationtools] #./migrate_group.pl /root/groups > groups.ldif
[root@server migrationtools] #ldapadd -x -W -D "cn=root,dc=haze,dc=com" -f users.ldif
[root@server migrationtools] #ldapadd -x -W -D "cn=root,dc=haze,dc=com" -f groups.ldif
如果报错了,重新导出一次,再添加
[root@server migrationtools] #ldapsearch -x -b "dc=haze,dc=com" -H ldap://127.0.0.1
...... result: 0 Success # numResponses: 24 # numEntries: 23
客户端步骤:
[root@client ~]yum install -y nss-pam*
nss-pam 包提供名称服务交换(NSS)模块和 PAM 验证模块
[root@client ~]authconfig-tui
[root@client ~]# mkdir /home/guests/ldapuser1
[root@client ~]su - ldapuser1
-bash-4.2$
看到进入 bash 提示符,说明测试成功
参考链接:
http://blog.chinaunix.net/uid...
https://jingyan.baidu.com/alb...
步骤:
①添加 EPEL 第三方 yum 源后安装 phpldapadmin
[root@server ~] #yum -y install epel-re*
[root@server ~] #yum install -y phpldapadmin
②配置 phpldapadmin
[root@server ~] #vim /etc/httpd/conf.d/phpldapadmin.conf
Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
Alias /ldapadmin /usr/share/phpldapadmin/htdocs

<Directory /usr/share/phpldapadmin/htdocs>
  <IfModule mod_authz_core.c>
    # Apache 2.4
    Require local
    Require ip 192.168.3.0/24
  </IfModule>
  <IfModule !mod_authz_core.c>
    # Apache 2.2
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1
    Allow from ::1
  </IfModule>
</Directory>
[root@server ~] #vim /etc/phpldapadmin/config.php
.....
$servers->setValue('login','attr','dn');
// $servers->setValue('login','attr','uid');
.....
将以 uid 结尾的那一行注释掉(行首添加 //),将以 dn 结尾的那一行取消注释(行首去掉 //)
[root@server ~] #systemctl start httpd
[root@server ~] #systemctl stop firewalld
③访问 http://192.168.3.157/ldapadmin
使用 Web 方式(B/S 结构)管理 LDAP,方便了运维人员