LINUX下基于LDAP集中系统用户认证系统

环境:
ldap node1:192.168.100.151
ldap node2:192.168.100.152
client ip:192.168.100.153

===========================服务端===========================
1、安装
安装DB
[codesyntax lang="perl" lines="no"]
[root@localhost openldap]# yum install -y libtool-ltdl-devel.x86_64  libtool-ltdl.x86_64  
[root@localhost tarbag]#tar -xzvf db-4.8.26.tar.gz -C ../software/
[root@localhost tarbag]# cd ../software/db-4.8.26/build_unix/
[root@localhost build_unix]# ../dist/configure 
[root@localhost build_unix]#make install
[root@localhost build_unix]#echo "/usr/local/BerkeleyDB.4.8/lib/" >> /etc/ld.so.conf
[root@localhost build_unix]#ldconfig -vv
[/codesyntax]
安装openldap
[codesyntax lang="perl" lines="no"]
[root@localhost tarbag]#tar zxvf openldap-2.4.21.tgz -C ../software/
[root@localhost tarbag]# cd ../software/openldap-2.4.21/
[root@localhost openldap-2.4.21]# ./configure --prefix=/usr/local/openldap-2.4.21 --enable-syslog --enable-modules --with-tls  CPPFLAGS=-I/usr/local/BerkeleyDB.4.8/include/ LDFLAGS=-L/usr/local/BerkeleyDB.4.8/lib/ 
[root@localhost openldap-2.4.21]#make depend
[root@localhost openldap-2.4.21]#make
[root@localhost openldap-2.4.21]#make test  这个需要比较长的时间.如果觉得没必要执行这一步的可以跳过.直接make install
[root@localhost openldap-2.4.21]#make install
[root@localhost openldap-2.4.21]# cd /usr/local/openldap-2.4.21/
[root@localhost openldap-2.4.21]# ls
bin  etc  include  lib  libexec  sbin  share  var
[/codesyntax]
2、openldap配置
下载openssh-lpk_openldap.schema
[codesyntax lang="perl" lines="no"]
[root@localhost ~]# cd /usr/local/openldap-2.4.21/etc/openldap/schema
[root@localhost schema]#wget http://openssh-lpk.googlecode.com/files/openssh-lpk_openldap.schema
[root@localhost schema]#cp openssh-lpk_openldap.schema openssh-lpk.schema
[/codesyntax]
生成密码:
[codesyntax lang="perl" lines="no"]
[root@localhost ~]# cd /usr/local/openldap-2.4.21/sbin/
[root@localhost sbin]# ./slappasswd 
New password: 
Re-enter new password: 
{SSHA}o/pZaQlZohhssEC7UAWnqWZ3GaHwxeUZ    密码是123456 这个密码写到slapd.conf里面的rootpw位置
[/codesyntax]

配置slapd.conf
[codesyntax lang="perl" lines="no"]
[root@localhost openldap]# cat /usr/local/openldap-2.4.21/etc/openldap/slapd.conf
include         /usr/local/openldap-2.4.21/etc/openldap/schema/core.schema
include         /usr/local/openldap-2.4.21/etc/openldap/schema/cosine.schema
include         /usr/local/openldap-2.4.21/etc/openldap/schema/inetorgperson.schema
include         /usr/local/openldap-2.4.21/etc/openldap/schema/nis.schema
include         /usr/local/openldap-2.4.21/etc/openldap/schema/openssh-lpk.schema 
loglevel        256
pidfile         /usr/local/openldap-2.4.21/var/run/slapd.pid
argsfile        /usr/local/openldap-2.4.21/var/run/slapd.args

#######################################################################
# database definition
#######################################################################

database        bdb
suffix          "dc=hsf,dc=com"

rootdn          "cn=Manager,dc=hsf,dc=com"
rootpw          {SSHA}o/pZaQlZohhssEC7UAWnqWZ3GaHwxeUZ
directory       /opt/openldap_data/

# Indices to maintain for this database
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
index sudoUser                          eq

[root@localhost openldap]#cd /usr/local/openldap-2.4.21/etc/openldap
拷贝DB_CONFIG到Ldap数据目录.
[root@localhost openldap]# cp DB_CONFIG.example  /opt/openldap_data/
[/codesyntax]

修改syslog.conf 
[codesyntax lang="perl" lines="no"]
[root@localhost www]# vi /etc/syslog.conf 
#Save ldap messages to ldap.log
local4.*                                                /var/log/ldap.log
[/codesyntax]
重启syslog
[codesyntax lang="perl" lines="no"]
[root@localhost openldap]# service syslog restart
Shutting down kernel logger: [  OK  ]
Shutting down system logger: [  OK  ]
Starting system logger: [  OK  ]
Starting kernel logger: [  OK  ]
[/codesyntax]
启动ldap
[codesyntax lang="perl" lines="no"]
启动方法1:
# /usr/local/openldap-2.4.21/libexec/slapd # 直接进入后台工作
启动方法2:
# /usr/local/openldap-2.4.21/libexec/slapd -d 256 # 依旧在前端,有debug信息
[/codesyntax]
[codesyntax lang="perl" lines="no"]
[root@localhost run]# /usr/local/openldap-2.4.21/libexec/slapd 
[root@localhost run]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name   
tcp        0      0 0.0.0.0:389                 0.0.0.0:*                   LISTEN      22917/slapd         
tcp        0      0 :::389                      :::*                        LISTEN      22917/slapd         
tcp        0      0 :::22                       :::*                        LISTEN      1987/sshd  
[/codesyntax]
3、生成公私密钥对(任何一台机器都行)
[codesyntax lang="perl" lines="no"]
# ssh-keygen -t rsa
.....不断回车
# cd /root/.ssh/
# sz id_rsa.pub 公钥(导入ldap的sshPublicKey字段)   
# sz id_rsa 私钥(放在crt,putty,linux的/root/.ssh/下)
[/codesyntax]

4、导入ldap数据（注意：下面把 uidNumber 为 0 的 root 账号及其 sshPublicKey 也放进了 LDAP，这意味着拥有 LDAP 写权限（如 cn=Manager）的人即可登录所有客户端的 root，Manager 密码和目录的写权限必须严格控制）
根:
[codesyntax lang="perl" lines="no"]
[root@localhost ~]# cat passwd.ldif 
#version: 1
dn: dc=hsf,dc=com
objectClass: top
objectClass: domain
dc: hsf

dn: ou=groups,dc=hsf,dc=com
objectClass: top
objectClass: organizationalUnit
ou: groups

dn: cn=root,ou=groups,dc=hsf,dc=com
objectClass: posixGroup
objectClass: top
cn: root
gidNumber: 0
memberUid: root

dn: ou=users,dc=hsf,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: users
sn: users
ou: users

dn: uid=root,ou=users,dc=hsf,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: top
objectClass: ldapPublicKey
objectClass: posixAccount
cn: root
gidNumber: 0
homeDirectory: /root/
sn: root
uid: root
uidNumber: 0
sshPublicKey: ssh-rsa testAAgQDl+WA5jQja/BDfBSwo3dJ78uaaaaaILbNEEbHGqbXXL74S2HUHkGJ5UH1RHd9AzH1bzgEfP3CU7wHeghG5co576xRUrZw5BolybBz+3q1GxRfqfoZGxZP6/fyYogSrjaR+pT3MxBx91vt+OK61uBhuOCzIe8gDOpxAeZP6SRAJw== [email protected]

[root@localhost openldap]# /usr/local/openldap-2.4.21/bin/ldapadd -x -D "cn=Manager,dc=hsf,dc=com" -W -f passwd.ldif 
[/codesyntax]

====================客户端====================
IP地址:192.168.100.153

1、安装openssh补丁包:
[codesyntax lang="perl" lines="no"]
[root@localhost tarbag]# gunzip openssh-lpk-5.9p1-0.3.14.patch.gz 
[root@localhost tarbag]# tar zxvf openssh-5.9p1.tar.tar 
[root@localhost tarbag]# cd openssh-5.9p1
[root@localhost openssh-5.9p1]# patch -Np1 -i /usr/local/src/tarbag/openssh-lpk-5.9p1-0.3.14.patch 
patching file auth2-pubkey.c
patching file auth-rsa.c
patching file config.h.in
patching file configure.ac
patching file ldapauth.c
patching file ldapauth.h
patching file lpk-user-example.txt
patching file Makefile.in
patching file openssh-lpk_openldap.schema
patching file openssh-lpk_sun.schema
patching file README.lpk
patching file servconf.c
patching file servconf.h
patching file sshd.c
patching file sshd_config
patching file sshd_config.5
patching file version.h

[root@localhost tarbag]#./configure \
--prefix=/usr \
--sysconfdir=/etc/ssh \
--libexecdir=/usr/sbin \
--with-md5-passwords \
--with-pam  \
--with-libs="-lldap" \
--with-cppflags="-DWITH_LDAP_PUBKEY" \
[root@localhost tarbag]#make 
[root@localhost tarbag]#make install
[/codesyntax]
2、修改sshd配置文件（注意：LpkBindPw 应填绑定账号的明文密码，也就是前面 slappasswd 对应的 123456，与后面主主复制里 credentials=123456 的写法一致，而不是 slapd.conf 里 rootpw 那个 {SSHA} 哈希值；另外这里用 rootdn cn=Manager 做绑定账号，它的密码会以明文保存在每台客户端的 sshd_config 中，建议改用一个只读的专用绑定 DN，并限制该文件权限）
[codesyntax lang="perl" lines="no"]
# cat /etc/ssh/sshd_config  | grep -v '#' | grep -v '^$'

SyslogFacility AUTHPRIV
PasswordAuthentication no
UsePAM no
X11Forwarding yes
Subsystem       sftp    /usr/libexec/openssh/sftp-server
UseLPK  yes
LpkServers      ldap://192.168.100.151:389
LpkUserDN       ou=users,dc=hsf,dc=com
LpkGroupDN      ou=groups,dc=hsf,dc=com
LpkBindDN       cn=Manager,dc=hsf,dc=com
LpkBindPw {SSHA}o/pZaQlZohhssEC7UAWnqWZ3GaHwxeUZ
LpkForceTLS     no
LpkSearchTimelimit      3
LpkBindTimelimit        3
[/codesyntax]
修改:nsswitch.conf 
[codesyntax lang="perl" lines="no"]
[root@localhost openssh-5.9p1]# vi /etc/nsswitch.conf 
passwd:     files ldap
shadow:     files ldap
group:      files ldap

修改authconfig
[root@localhost etc]# cat /etc/sysconfig/authconfig  | grep yes
USELDAPAUTH=yes
USESHADOW=yes
USELOCAUTHORIZE=yes
USELDAP=yes
USECRACKLIB=yes
[/codesyntax]
3、重启sshd
[codesyntax lang="perl" lines="no"]
# service sshd restart
[/codesyntax]
4、增加文件（注意：前面 sshd_config 已设 UsePAM no，ssh 登录时不会执行 PAM session 模块，所以这里的 pam_mkhomedir 对 ssh 登录一般不生效；而且 RHEL/CentOS 系列通常读取的是 /etc/pam.d/system-auth 而不是 common-session。下面的 autofs 方案才是本文实际解决家目录问题的办法）
[codesyntax lang="perl" lines="no"]
[root@localhost etc]#vi /etc/pam.d/common-session 
session required        pam_unix.so 
session required        pam_mkhomedir.so skel=/etc/skel/ 
session optional        pam_ldap.so
[/codesyntax]

===========================Autofs配置=========================== 
(也可以用ldap里面的auto.schema来配置.我觉得没有这个来得方便.)

ldap 服务器共享家目录，client 使用 autofs 自动挂载对应的家目录。这样做是为了解决登录时报错 Could not chdir to home directory /home/hsf: No such file or directory

ldap nfs配置:
[codesyntax lang="perl" lines="no"]
[root@localhost home]# cat /etc/exports 
/home           192.168.100.0/255.255.255.0(rw,async,wdelay,root_squash,no_subtree_check,anonuid=65534,anongid=65534)

[root@localhost home]# service portmap start 
[root@localhost home]# service nfs start 
[root@localhost home]# chkconfig nfs on
[root@localhost home]# chkconfig portmap on 
[/codesyntax]
client配置:
[codesyntax lang="perl" lines="no"]
[root@localhost ~]# cat /etc/auto.master 
#
/home   /etc/auto.nfs   --timeout=100
[root@localhost ~]# cat /etc/auto.nfs 
*       192.168.100.151:/home/&

[root@localhost ~]# service autofs start
[root@localhost ~]# service portmap start
[/codesyntax]
测试client端:
[codesyntax lang="perl" lines="no"]
[root@localhost ~]# cd /home/
[root@localhost home]# ls
[root@localhost home]#
[root@localhost home]# su - test
-sh-3.00$ pwd
/home/test/
-sh-3.00$ 
[/codesyntax]

===========================Ldap+sudoers配置===========================:
先添加sudoer.schema配置
[codesyntax lang="perl" lines="no"]
[root@localhost log]#vi /etc/openldap/schema/sudoer.schema 
attributetype ( 1.3.6.1.4.1.15953.9.1.1
    NAME 'sudoUser'
    DESC 'User(s) who may  run sudo'
    EQUALITY caseExactIA5Match
    SUBSTR caseExactIA5SubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

 attributetype ( 1.3.6.1.4.1.15953.9.1.2
    NAME 'sudoHost'
    DESC 'Host(s) who may run sudo'
    EQUALITY caseExactIA5Match
    SUBSTR caseExactIA5SubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

 attributetype ( 1.3.6.1.4.1.15953.9.1.3
    NAME 'sudoCommand'
    DESC 'Command(s) to be executed by sudo'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

 attributetype ( 1.3.6.1.4.1.15953.9.1.4
    NAME 'sudoRunAs'
    DESC 'User(s) impersonated by sudo'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

 attributetype ( 1.3.6.1.4.1.15953.9.1.5
    NAME 'sudoOption'
    DESC 'Options(s) followed by sudo'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

 attributetype ( 1.3.6.1.4.1.15953.9.1.6
    NAME 'sudoRunAsUser'
    DESC 'User(s) impersonated by sudo'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

 attributetype ( 1.3.6.1.4.1.15953.9.1.7
    NAME 'sudoRunAsGroup'
    DESC 'Group(s) impersonated by sudo'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

 attributetype ( 1.3.6.1.4.1.15953.9.1.8
    NAME 'sudoNotBefore'
    DESC 'Start of time interval for which the entry is valid'
    EQUALITY generalizedTimeMatch
    ORDERING generalizedTimeOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )

 attributetype ( 1.3.6.1.4.1.15953.9.1.9
    NAME 'sudoNotAfter'
    DESC 'End of time interval for which the entry is valid'
    EQUALITY generalizedTimeMatch
    ORDERING generalizedTimeOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )

 attributeTypes ( 1.3.6.1.4.1.15953.9.1.10
     NAME 'sudoOrder'
     DESC 'an integer to order the sudoRole entries'
     EQUALITY integerMatch
     ORDERING integerOrderingMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

 objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
    DESC 'Sudoer Entries'
    MUST ( cn )
    MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
          sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
          sudoOrder $ description $ou )
    )
[/codesyntax]
将这个sudoer.schema加到slapd.conf中
[codesyntax lang="perl" lines="no"]
[root@localhost log]# cat /etc/openldap/slapd.conf  | grep sudo
include         /etc/openldap/schema/sudoer.schema 
[/codesyntax]
sudoer默认Ldif数据.（注意：%wheel 和 hsf 两条规则带了 sudoOption: !authenticate，即免密码执行任意命令，对应后面 sudo -l 显示的 NOPASSWD: ALL，请确认这是有意为之）
[codesyntax lang="perl" lines="no"]
[root@localhost ~]# cat sudo.ldif 
dn: ou=SUDOers,dc=hsf,dc=com
objectClass: top
objectClass: organizationalUnit
description: SUDO Configuration Subtree
ou: SUDOers

dn: cn=defaults,ou=SUDOers,dc=hsf,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: requiretty
sudoOption: !visiblepw
sudoOption: env_reset

dn: cn=root,ou=SUDOers,dc=hsf,dc=com
objectClass: top
objectClass: sudoRole
cn: root
sudoUser: root
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL

dn: cn=%wheel,ou=SUDOers,dc=hsf,dc=com
objectClass: top
objectClass: sudoRole
cn: %wheel
sudoUser: %wheel
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOption: !authenticate

dn: cn=hsf,ou=SUDOers,dc=hsf,dc=com
objectClass: top
objectClass: sudoRole
cn: hsf
sudoUser: hsf
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOption: !authenticate
[/codesyntax]
导入sudo数据到Ldap中.
[codesyntax lang="perl" lines="no"]
[root@localhost ~]# ldapadd -x -D "cn=Manager,dc=hsf,dc=com" -W -f sudo.ldif 
[/codesyntax]
===========================sudo client配置===========================:
安装sudo: (默认安装的sudo不支持ldap)
下载:http://down1.chinaunix.net/distfiles/sudo-1.7.2p1.tar.gz
[codesyntax lang="perl" lines="no"]
[root@localhost tarbag]# wget http://down1.chinaunix.net/distfiles/sudo-1.7.2p1.tar.gz
[root@localhost tarbag]# tar zxvf sudo-1.7.2p1.tar.gz  -C ../software/
[root@localhost tarbag]# cd ../software/sudo-1.7.2p1/
[root@localhost sudo-1.7.2p1]#./configure --with-ldap --with-pam
[root@localhost sudo-1.7.2p1]#make
[root@localhost sudo-1.7.2p1]#make install
[root@localhost sudo-1.7.2p1]#mv /etc/pam.d/sudo /etc/pam.d/sudo.orig
[root@localhost sudo-1.7.2p1]#mv /usr/bin/sudo /usr/bin/sudo.orig
[root@localhost sudo-1.7.2p1]#ln -s /usr/local/bin/sudo /usr/bin/sudo
[root@localhost sudo-1.7.2p1]#cp sample.pam /etc/pam.d/sudo
[/codesyntax]
配置 ldap.conf
[codesyntax lang="perl" lines="no"]
[root@localhost ~]# cat /etc/ldap.conf | grep -v '#' | grep -v '^$'
host 	192.168.100.151
URI     ldap://192.168.100.151
BASE dc=hsf,dc=com
SUDOERS_BASE ou=SUDOers,dc=hsf,dc=com
ssl no
修改nsswitch.conf 
[root@localhost home]# cat  /etc/nsswitch.conf  | grep sudo
sudoers:    ldap
[/codesyntax]
验证:
[codesyntax lang="perl" lines="no"]
[root@localhost ~]# sudo -V | grep ldap
ldap.conf path: /etc/ldap.conf
ldap.secret path: /etc/ldap.secret
[/codesyntax]
安装好后重启下ldap服务

测试:
[codesyntax lang="perl" lines="no"]
-sh-3.00$ sudo -l
Matching Defaults entries for test on this host:
    requiretty, !visiblepw, env_reset

Runas and Command-specific defaults for test:

User test may run the following commands on this host:
    (ALL) NOPASSWD: ALL
    (ALL) NOPASSWD: ALL
-sh-3.00$ sudo su -
[/codesyntax]

===========================openldap主主配置===========================
[codesyntax lang="perl" lines="no"]
节点1:192.168.100.151
节点2:192.168.100.152
[/codesyntax]

节点1(node1)配置
slapd.conf配置文件的最后一行追加如下配置
[codesyntax lang="perl" lines="no"]
index entryCSN,entryUUID eq # 新增索引,提高同步速度,同步需要使用到这二个字段
overlay syncprov # 复制引擎
syncprov-checkpoint 100 10 # 操作100次同步一次,或者10分钟同步一次
syncprov-sessionlog 100

serverID     1 # 节点ID,唯一
syncrepl     rid=123
             provider=ldap://192.168.100.152 # 对端IP地址
             bindmethod=simple
             binddn="cn=Manager,dc=hsf,dc=com" # Bind DN
             credentials=123456 # 密码
             searchbase="dc=hsf,dc=com" # 起始域
             schemachecking=off
             type=refreshAndPersist
             retry="60 +"
mirrormode on # 开启mirrormode模式
[/codesyntax]

节点2(node2)配置
slapd.conf配置文件的最后一行追加如下配置
[codesyntax lang="perl" lines="no"]
index entryCSN,entryUUID 		eq
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

serverID    2
syncrepl      rid=123
              provider=ldap://192.168.100.151
              bindmethod=simple
              binddn="cn=Manager,dc=hsf,dc=com"
              credentials=123456
              searchbase="dc=hsf,dc=com"
              schemachecking=off
              type=refreshAndPersist
              retry="60 +"
mirrormode on
[/codesyntax]
===========================配置 TLS 安全性===========================
（说明：下面 TLSCipherSuite 里的 +SSLv2，以及 1024 位 RSA / SHA-1 的证书，都是 2011 年的默认值，现在部署应去掉 SSLv2 并使用更强的参数；另外客户端 sshd_config 里 LpkForceTLS 仍为 no，TLS 配好后建议改为 yes，否则绑定密码仍可能以明文传输）
[codesyntax lang="perl" lines="no"]
[root@localhost ~]#mkdir /usr/local/openldap-2.4.21/etc/openldap/ssl/
[root@localhost ~]#cd /usr/local/openldap-2.4.21/etc/openldap/ssl/
[root@localhost ssl]# /etc/pki/tls/misc/CA -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
........................................++++++
......................................................++++++
writing new private key to '../../CA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:beijing
Locality Name (eg, city) [Newbury]:beijing
Organization Name (eg, company) [My Company Ltd]:hsf
Organizational Unit Name (eg, section) []:hsf
Common Name (eg, your name or your server's hostname) []: 192.168.100.152
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 0 (0x0)
        Validity
            Not Before: Dec 28 06:27:46 2011 GMT
            Not After : Dec 27 06:27:46 2014 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = hsf
            organizationalUnitName    = hsf
            commonName                =  192.168.100.152
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                BA:D2:F9:E1:BB:16:57:3E:78:96:5E:29:21:A4:A7:4A:AE:E4:23:BD
            X509v3 Authority Key Identifier: 
                keyid:BA:D2:F9:E1:BB:16:57:3E:78:96:5E:29:21:A4:A7:4A:AE:E4:23:BD

Certificate is to be certified until Dec 27 06:27:46 2014 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

[root@localhost ssl]# openssl req -new -nodes -keyout newreq.pem -out newreq.pem  //如果是主主ldap的话.这个要执行两次.第一次Common Name 填主主ldap node1的Hostname 第二次Common Name 填node2的hostname//
Generating a 1024 bit RSA private key
.........++++++
.++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:beijing
Locality Name (eg, city) [Newbury]:beijing
Organization Name (eg, company) [My Company Ltd]:hsf
Organizational Unit Name (eg, section) []:hsf
Common Name (eg, your name or your server's hostname) []:192.168.100.152
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

[root@localhost ssl]# ls
newreq.pem

[root@localhost ssl]# /etc/pki/tls/misc/CA -sign
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Dec 28 06:29:44 2011 GMT
            Not After : Dec 27 06:29:44 2012 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            localityName              = beijing
            organizationName          = hsf
            organizationalUnitName    = hsf
            commonName                = 192.168.100.152
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                66:97:70:5F:99:B1:7E:06:3A:BE:DF:D6:5B:E4:E5:D7:EC:44:D5:16
            X509v3 Authority Key Identifier: 
                keyid:BA:D2:F9:E1:BB:16:57:3E:78:96:5E:29:21:A4:A7:4A:AE:E4:23:BD

Certificate is to be certified until Dec 27 06:29:44 2012 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, ST=beijing, O=hsf, OU=hsf, CN= 192.168.100.152
        Validity
            Not Before: Dec 28 06:29:44 2011 GMT
            Not After : Dec 27 06:29:44 2012 GMT
        Subject: C=CN, ST=beijing, L=beijing, O=hsf, OU=hsf, CN=192.168.100.152
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:cf:ac:a6:5f:6a:de:42:71:87:32:c9:10:1f:3a:
                    72:ce:a2:0b:f9:e9:89:d2:ac:fa:b3:b3:09:f9:c6:
                    60:d7:7f:12:37:4b:04:0c:23:5a:1a:98:52:df:6b:
                    02:30:d6:a7:0e:f6:6a:3a:6d:9a:db:2b:c7:77:68:
                    88:a3:b8:7e:29:3e:d3:6d:8b:d1:46:01:71:48:da:
                    17:de:dc:dd:59:ad:b4:5e:45:ff:9d:e5:19:94:2d:
                    e4:d9:d5:c3:71:d0:1d:73:f8:7f:70:16:c4:78:62:
                    ec:7f:a7:61:f7:00:c2:c7:85:f2:17:43:73:d9:ec:
                    2b:9b:ae:c0:c5:74:04:c0:9f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                66:97:70:5F:99:B1:7E:06:3A:BE:DF:D6:5B:E4:E5:D7:EC:44:D5:16
            X509v3 Authority Key Identifier: 
                keyid:BA:D2:F9:E1:BB:16:57:3E:78:96:5E:29:21:A4:A7:4A:AE:E4:23:BD

    Signature Algorithm: sha1WithRSAEncryption
        75:ac:44:1f:af:ea:f0:d0:75:9b:77:3c:6f:7a:62:b4:9e:1d:
        14:c5:ef:b5:88:a8:d7:c8:b3:43:b0:ba:39:36:e1:59:f6:d8:
        e4:bc:9a:22:57:ed:48:a4:57:13:62:bb:8a:04:75:42:5e:76:
        ca:e0:89:7e:e8:cd:da:0e:0d:2e:b8:62:94:4a:28:9a:c7:41:
        47:17:08:b9:9e:1a:87:31:94:de:52:99:42:2a:5b:40:d0:a2:
        20:79:0f:ea:ab:bf:e3:e1:cc:75:9c:cb:14:a6:59:a5:6c:a0:
        50:bb:1a:e4:66:8d:89:20:fa:69:64:0f:31:80:68:68:17:6f:
        9f:18
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
Signed certificate is in newcert.pem
[root@localhost ssl]# ls
newcert.pem  newreq.pem
[root@localhost ssl]# mkdir /usr/local/openldap-2.4.21/etc/openldap/cacerts
[root@localhost ssl]#cp ../../CA/cacert.pem /usr/local/openldap-2.4.21/etc/openldap/cacerts/
[root@localhost ssl]#cp newcert.pem /usr/local/openldap-2.4.21/etc/openldap/slapdcert.pem 
[root@localhost ssl]#cp newreq.pem /usr/local/openldap-2.4.21/etc/openldap/slapdkey.pem 
[root@localhost ssl]#chmod  600 /usr/local/openldap-2.4.21/etc/openldap/slapdkey.pem 
[root@localhost openldap]# vi /usr/local/openldap-2.4.21/etc/openldap/slapd.conf
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /usr/local/openldap-2.4.21/etc/openldap/cacerts/cacert.pem
TLSCertificateFile /usr/local/openldap-2.4.21/etc/openldap/slapdcert.pem
TLSCertificateKeyFile /usr/local/openldap-2.4.21/etc/openldap/slapdkey.pem
[/codesyntax]
修改客户端/etc/openldap/ldap.conf
[codesyntax lang="perl" lines="no"]
[root@localhost etc]# vi ldap.conf 

TLS_CACERT /etc/openldap/cacerts/cacert.pem
[/codesyntax]
重启客户端sshd
[codesyntax lang="perl" lines="no"]
[root@localhost etc]# service sshd restart
Stopping sshd: [  OK  ]
Starting sshd: [  OK  ]
[/codesyntax]
查看ldap服务器日志:
[codesyntax lang="perl" lines="no"]
conn=1004 fd=14 ACCEPT from IP=192.168.100.153:58390 (IP=0.0.0.0:389)
conn=1004 op=0 EXT oid=1.3.6.1.4.1.1466.20037
conn=1004 op=0 STARTTLS
conn=1004 op=0 RESULT oid= err=0 text=
conn=1004 fd=14 TLS established tls_ssf=256 ssf=256
conn=1004 op=1 BIND dn="cn=Manager,dc=hsf,dc=com" method=128
conn=1004 op=1 BIND dn="cn=Manager,dc=hsf,dc=com" mech=SIMPLE ssf=0
conn=1004 op=1 RESULT tag=97 err=0 text=
出现STARTTLS为 OK
[/codesyntax]

配置ldap node2证书
将前面生成的 cacert.pem、newcert.pem、newreq.pem 拷贝到从服务器对应的位置上，并修改权限（私钥文件同样 chmod 600）。
修改下slapd.conf 重启Ldap服务即可.

配置主主 LDAP 时，客户机配置需要加上两台主节点的 IP（注意下面 /etc/openldap/ldap.conf 里的 BIND_TIMELIMT 少了一个 I，nss/pam_ldap 的选项名是 bind_timelimit，拼错的键可能会被直接忽略）:
[codesyntax lang="perl" lines="no"]
[root@localhost etc]# cat /etc/ldap.conf  | grep -v '#' | grep -v '^$'
host  192.168.100.151 192.168.100.152
URI      ldap://192.168.100.151 ldap://192.168.100.152
BASE    dc=hsf,dc=com
SUDOERS_BASE ou=SUDOers,dc=hsf,dc=com
pam_password md5

[root@localhost etc]# cat /etc/openldap/ldap.conf  | grep -v '#' | grep -v '^$'
TIMELIMIT       30
BIND_TIMELIMT   30
BASE dc=hsf,dc=com
SUDOERS_BASE    ou=SUDOers,dc=hsf,dc=com
TLS_CACERT /etc/openldap/cacerts/cacert.pem
[/codesyntax]
重启client sshd 
基于openldap+openssh-lpk+sudo+tls用户验证管理完成.

转载于:https://my.oschina.net/766/blog/211415
