如何在 Centos 6 上配置 LDAP 以最安全和正确的方式进行用户身份验证?

如何在 Centos 6 上配置 LDAP 以最安全和正确的方式进行用户身份验证?

在过去的几天里,我在浏览互联网寻找有关如何设置 LDAP 服务器的优秀文档时说了很多脏话。到目前为止,我还没有找到任何文档,但有很多文档虽然不够好,但比坏文档要好。所以我不得不按照通常的 Linux 方式去做,阅读、测试、尖叫、阅读、测试和尖叫。

我对 LDAP 服务器的目标是:

  • 在 Centos 6 最低安装上安装 LDAP,包括服务器和客户端。
  • 按照 OpenLDAP 开发人员预期的方式进行安装。
  • 通过启用 LDAPS、iptables、SELinux 等来安全地安装 LDAP。
  • 在客户端上使用 SSSD 与 LDAP 服务器建立“身份验证”连接。

这类问题我通常会自己回答,但我希望得到关于如何更好地安装的建议。

答案1

这里有几个 shell 脚本,用于在服务器上安装和配置 openldap,以及安装和配置 sssd 以便针对 LDAP 服务器进行用户身份验证。

安装有组、用户等的 LDAP 服务器。

#!/bin/sh
###########################################################
# Install LDAP-server
###########################################################

# Enable SELinux for higher security.
setenforce 1
setsebool -P domain_kernel_load_modules 1

# Communication with the LDAP-server needs to be done with domain name, and not
# the ip. This ensures the dns-name is configured.
cat >> /etc/hosts << EOF
10.100.110.7 ldap.syco.net
EOF

# Install all required packages.
yum -y install openldap-servers openldap-clients

# Create backend database.
cp /usr/share/doc/openldap-servers-2.4.19/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown -R ldap:ldap /var/lib/ldap

# Set password for cn=admin,cn=config (it's secret)
cat >> /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{0\}config.ldif << EOF
olcRootPW: {SSHA}OjXYLr1oZ/LrHHTmjnPWYi1GjbgcYxSb
EOF

# Autostart slapd after reboot.
chkconfig slapd on

# Start ldap server
service slapd start

# Wait for slapd to start.
sleep 1

###########################################################
# General configuration of the server.
###########################################################

# Create folder to store log files in
mkdir /var/log/slapd
chmod 755 /var/log/slapd/
chown ldap:ldap /var/log/slapd/

# Redirect all log files through rsyslog.
sed -i "/local4.*/d" /etc/rsyslog.conf
cat >> /etc/rsyslog.conf << EOF
local4.*                        /var/log/slapd/slapd.log
EOF
service rsyslog restart

# Do the configurations.
ldapadd -H ldap://ldap.syco.net -x -D "cn=admin,cn=config" -w secret << EOF

# Setup logfile (not working now, propably needing debug level settings.)
dn: cn=config
changetype:modify
replace: olcLogLevel
olcLogLevel: config stats shell
-
replace: olcIdleTimeout
olcIdleTimeout: 30

# Set access for the monitor db.
dn: olcDatabase={2}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="cn=Manager,dc=syco,dc=net" read  by * none

# Set password for cn=admin,cn=config
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}OjXYLr1oZ/LrHHTmjnPWYi1GjbgcYxSb

# Change LDAP-domain, password and access rights.
dn: olcDatabase={1}bdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=syco,dc=net
-
replace: olcRootDN
olcRootDN: cn=Manager,dc=syco,dc=net
-
replace: olcRootPW
olcRootPW: {SSHA}OjXYLr1oZ/LrHHTmjnPWYi1GjbgcYxSb
-
replace: olcAccess
olcAccess: {0}to attrs=employeeType by dn="cn=sssd,dc=syco,dc=net" read by self read by * none
olcAccess: {1}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
olcAccess: {2}to dn.base="" by * none
olcAccess: {3}to * by dn="cn=admin,cn=config" write by dn="cn=sssd,dc=syco,dc=net" read by self write by * none
EOF

##########################################################
# Configure sudo in ldap
#
# Users that should have sudo rights, are configured in
# in the ldap-db. The ldap sudo schema are not configured
# by default, and are here created.
#
# http://eatingsecurity.blogspot.com/2008/10/openldap-continued.html
# http://www.sudo.ws/sudo/man/1.8.2/sudoers.ldap.man.html
##########################################################

# Copy the sudo Schema into the LDAP schema repository
/bin/cp -f /usr/share/doc/sudo-1.7.2p2/schema.OpenLDAP /etc/openldap/schema/sudo.schema
restorecon /etc/openldap/schema/sudo.schema

# Create a conversion file for schema
mkdir ~/sudoWork
echo "include /etc/openldap/schema/sudo.schema" > ~/sudoWork/sudoSchema.conf

# Convert the "Schema" to "LDIF".
slapcat -f ~/sudoWork/sudoSchema.conf -F /tmp/ -n0 -s "cn={0}sudo,cn=schema,cn=config" > ~/sudoWork/sudo.ldif

# Remove invalid data.
sed -i "s/{0}sudo/sudo/g" ~/sudoWork/sudo.ldif

# Remove last 8 (invalid) lines.
head -n-8 ~/sudoWork/sudo.ldif > ~/sudoWork/sudo2.ldif

# Load the schema into the LDAP server
ldapadd -H ldap:/// -x -D "cn=admin,cn=config" -w secret -f ~/sudoWork/sudo2.ldif

# Add index to sudoers db
ldapadd -H ldap:/// -x -D "cn=admin,cn=config" -w secret << EOF
dn: olcDatabase={1}bdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: sudoUser    eq
EOF

###########################################################
# Create modules area
#
###########################################################
ldapadd -H ldap:/// -x -D "cn=admin,cn=config" -w secret << EOF
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib64/openldap/
EOF

###########################################################
# Add auditlog overlay.
#
# http://www.manpagez.com/man/5/slapo-auditlog/
###########################################################
ldapadd -H ldap:/// -x -D "cn=admin,cn=config" -w secret << EOF
dn: cn=module{0},cn=config
changetype:modify
add: olcModuleLoad
olcModuleLoad: auditlog.la

dn: olcOverlay=auditlog,olcDatabase={1}bdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcAuditLogConfig
olcOverlay: auditlog
olcAuditlogFile: /var/log/slapd/auditlog.log
EOF

###########################################################
# Add accesslog overlay.
#
# http://www.manpagez.com/man/5/slapo-accesslog/
#
# TODO: Didn't get it working.
#
###########################################################
# ldapadd -H ldap:/// -x -D "cn=admin,cn=config" -w secret << EOF
# dn: cn=module,cn=config
# objectClass: olcModuleList
# cn: module
# olcModulePath: /usr/lib64/openldap/
# olcModuleLoad: access.la
#
#
# dn: olcOverlay=accesslog,olcDatabase={1}bdb,cn=config
# changetype: add
# olcOverlay: accesslog
# objectClass: olcOverlayConfig
# objectClass: olcAccessLogConfig
# logdb: cn=auditlog
# logops: writes reads
# # read log every 5 days and purge entries
# # when older than 30 days
# logpurge 180+00:00 5+00:00
# # optional - saves the previous contents of
# # person objectclass before performing a write operation
# logold: (objectclass=person)
# EOF

###########################################################
# Add pwdpolicy overlay
#
# http://www.zytrax.com/books/ldap/ch6/ppolicy.html
# http://www.openldap.org/software/man.cgi?query=slapo-ppolicy&sektion=5&apropos=0&manpath=OpenLDAP+2.3-Release
# http://www.symas.com/blog/?page_id=66
###########################################################

ldapadd -H ldap:/// -x -D "cn=admin,cn=config" -w secret << EOF
dn: cn=module{0},cn=config
changetype:modify
add: olcModuleLoad
olcModuleLoad: ppolicy.la

dn: olcOverlay=ppolicy,olcDatabase={1}bdb,cn=config
olcOverlay: ppolicy
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: FALSE
olcPPolicyDefault: cn=default,ou=pwpolicies,dc=syco,dc=net
EOF

##########################################################
# Add users, groups, sudoers. Ie. the dc=syco,dc=net database.
##########################################################
ldapadd  -H ldap:/// -x -D "cn=Manager,dc=syco,dc=net" -w secret  -f /opt/syco/doc/ldap/manager.ldif

###########################################################
# Create certificates
###########################################################

# Create CA
echo "00" > /etc/openldap/cacerts/ca.srl
openssl req -new -x509 -sha512 -nodes -days 3650 -newkey rsa:4096\
    -out /etc/openldap/cacerts/ca.crt \
    -keyout /etc/openldap/cacerts/ca.key \
    -subj '/O=syco/OU=System Console Project/CN=systemconsole.github.com'

# Creating server cert
openssl req -new -sha512 -nodes -days 1095 -newkey rsa:4096 \
    -keyout /etc/openldap/cacerts/slapd.key \
    -out /etc/openldap/cacerts/slapd.csr \
    -subj '/O=syco/OU=System Console Project/CN=ldap.syco.net'
openssl x509 -req -sha512 -days 1095 \
    -in /etc/openldap/cacerts/slapd.csr \
    -out /etc/openldap/cacerts/slapd.crt \
    -CA /etc/openldap/cacerts/ca.crt \
    -CAkey /etc/openldap/cacerts/ca.key

#
# Customer create a CSR (Certificate Signing Request) file for client cert
#
openssl req -new -sha512 -nodes -days 1095 -newkey rsa:4096 \
    -keyout /etc/openldap/cacerts/client.key \
    -out /etc/openldap/cacerts/client.csr \
    -subj '/O=syco/OU=System Console Project/CN=client.syco.net'

#
# Create a signed client crt.
#
cat > /etc/openldap/cacerts/sign.conf << EOF
[ v3_req ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
subjectKeyIdentifier = hash
EOF

openssl x509 -req -days 1095 \
    -sha512 \
    -extensions v3_req \
    -extfile /etc/openldap/cacerts/sign.conf \
    -CA /etc/openldap/cacerts/ca.crt \
    -CAkey /etc/openldap/cacerts/ca.key \
    -in /etc/openldap/cacerts/client.csr \
    -out /etc/openldap/cacerts/client.crt

# One file with both crt and key. Easier to manage the cert on client side.
cat /etc/openldap/cacerts/client.crt /etc/openldap/cacerts/client.key > \
    /etc/openldap/cacerts/client.pem

# Create hash and set permissions of cert
/usr/sbin/cacertdir_rehash /etc/openldap/cacerts
chown -Rf root:ldap /etc/openldap/cacerts
chmod -Rf 750 /etc/openldap/cacerts
restorecon -R /etc/openldap/cacerts

# View cert info
# openssl x509 -text -in /etc/openldap/cacerts/ca.crt
# openssl x509 -text -in /etc/openldap/cacerts/slapd.crt
# openssl x509 -text -in /etc/openldap/cacerts/client.pem
# openssl req -noout -text -in /etc/openldap/cacerts/client.csr

###########################################################
# Configure ssl
#
# Configure slapd to only be accessible over ssl,
# with client certificate.
#
# http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html#4.0
# http://www.openldap.org/faq/data/cache/185.html
###########################################################
ldapadd -H ldap:/// -x -D "cn=admin,cn=config" -w secret << EOF
dn: cn=config
changetype:modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/cacerts/slapd.key
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/cacerts/slapd.crt
-
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/cacerts/ca.crt
-
replace: olcTLSCipherSuite
olcTLSCipherSuite: HIGH:MEDIUM:-SSLv2
-
replace: olcTLSVerifyClient
olcTLSVerifyClient: demand
EOF

# Enable LDAPS and dispable LDAP
sed -i 's/[#]*SLAPD_LDAPS=.*/SLAPD_LDAPS=yes/g' /etc/sysconfig/ldap
sed -i 's/[#]*SLAPD_LDAP=.*/SLAPD_LDAP=no/g' /etc/sysconfig/ldap
service slapd restart

# Configure the client cert to be used by ldapsearch for user root.
sed -i '/^TLS_CERT.*\|^TLS_KEY.*/d' /root/ldaprc
cat >> /root/ldaprc  << EOF
TLS_CERT /etc/openldap/cacerts/client.pem
TLS_KEY /etc/openldap/cacerts/client.pem
EOF

###########################################################
# Require higher security from clients.
###########################################################
ldapadd -H ldaps://ldap.syco.net -x -D "cn=admin,cn=config" -w secret << EOF
dn: cn=config
changetype:modify
replace: olcLocalSSF
olcLocalSSF: 128
-
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,noplain

dn: cn=config
changetype:modify
replace: olcSecurity
olcSecurity: ssf=128
olcSecurity: simple_bind=128
olcSecurity: tls=128
EOF

###########################################################
# Open firewall
#
# Let clients connect to the server through the firewall.
# This is done after everything else is done, so we are sure
# that the server is secure before letting somebody in.
# TODO: Add destination ip
###########################################################
iptables -I INPUT -m state --state NEW -p tcp -s 10.100.110.7/24 --dport 636 -j ACCEPT

还有一个在客户端上安装 sssd 并连接到 LDAP 服务器。

#!/bin/sh
###########################################################
# Install LDAP-client
#
# This part should be executed on both LDAP-Server and
# on all clients that should authenticate against the
# LDAP-server
#
# This script is based on information from at least the following links.
#   http://www.server-world.info/en/note?os=CentOS_6&p=ldap&f=2
#   http://docs.fedoraproject.org/en-US/Fedora/15/html/Deployment_Guide/chap-SSSD_User_Guide-Introduction.html
#
###########################################################

###########################################################
# Uninstall sssd
#
# Note: Only needed if sssd has been setup before.
#       might need --skip-broken when installing sssd.
###########################################################
#yum -y remove openldap-clients sssd
#rm -rf /var/lib/sss/

###########################################################
# Install relevant packages
###########################################################
# Install packages
yum -y install openldap-clients

# Pick one package from the Continuous Release
# Version 1.5.1 of sssd.
yum -y install sssd --skip-broken
yum -y install centos-release-cr
yum -y update sssd
yum -y remove centos-release-cr

###########################################################
# Get certificate from ldap server
#
# This is not needed to be done on the server.
###########################################################
if [ ! -f /etc/openldap/cacerts/client.pem ];
then
    scp [email protected]:/etc/openldap/cacerts/client.pem /etc/openldap/cacerts/client.pem
fi

if [ ! -f /etc/openldap/cacerts/ca.crt ];
then
    scp [email protected]:/etc/openldap/cacerts/ca.crt /etc/openldap/cacerts/ca.crt
fi

/usr/sbin/cacertdir_rehash /etc/openldap/cacerts
chown -Rf root:ldap /etc/openldap/cacerts
chmod -Rf 750 /etc/openldap/cacerts
restorecon -R /etc/openldap/cacerts

###########################################################
# Configure client authenticate against ldap.
###########################################################
# Setup iptables before configuring sssd, so it can connect to the server.
iptables -I OUTPUT -m state --state NEW -p tcp -d 10.100.110.7 --dport 636 -j ACCEPT

# Communication with the LDAP-server needs to be done with domain name, and not
# the ip. This ensures the dns-name is configured.
sed -i '/^10.100.110.7.*/d' /etc/hosts
cat >> /etc/hosts << EOF
10.100.110.7 ldap.syco.net
EOF

# Configure all relevant /etc files for sssd, ldap etc.
authconfig \
    --enablesssd --enablesssdauth --enablecachecreds \
    --enableldap --enableldaptls --enableldapauth \
    --ldapserver=ldaps://ldap.syco.net --ldapbasedn=dc=syco,dc=net \
    --disablenis --disablekrb5 \
    --enableshadow --enablemkhomedir --enablelocauthorize \
    --passalgo=sha512 \
    --updateall

# Configure the client cert to be used by ldapsearch for user root.
sed -i '/^TLS_CERT.*\|^TLS_KEY.*/d' /root/ldaprc
cat >> /root/ldaprc  << EOF
TLS_CERT /etc/openldap/cacerts/client.pem
TLS_KEY /etc/openldap/cacerts/client.pem
EOF

###########################################################
# Configure sssd
###########################################################

# If the authentication provider is offline, specifies for how long to allow
# cached log-ins (in days). This value is measured from the last successful
# online log-in. If not specified, defaults to 0 (no limit).
sed -i '/\[pam\]/a offline_credentials_expiration=5' /etc/sssd/sssd.conf

cat >> /etc/sssd/sssd.conf << EOF
# Enumeration means that the entire set of available users and groups on the
# remote source is cached on the local machine. When enumeration is disabled,
# users and groups are only cached as they are requested.
enumerate=true

# Configure client certificate auth.
ldap_tls_cert = /etc/openldap/cacerts/client.pem
ldap_tls_key = /etc/openldap/cacerts/client.pem
ldap_tls_reqcert = demand

# Only users with this employeeType are allowed to login to this computer.
access_provider = ldap
ldap_access_filter = (employeeType=Sysop)

# Login to ldap with a specified user.
ldap_default_bind_dn = cn=sssd,dc=syco,dc=net
ldap_default_authtok_type = password
ldap_default_authtok = secret
EOF

# Restart sssd
service sssd restart

# Start sssd after reboot.
chkconfig sssd on

###########################################################
# Configure the client to use sudo
###########################################################
sed -i '/^sudoers.*/d' /etc/nsswitch.conf
cat >> /etc/nsswitch.conf << EOF
sudoers: ldap files
EOF

sed -i '/^sudoers_base.*\|^binddn.*\|^bindpw.*\|^ssl on.*\|^tls_cert.*\|^tls_key.*\|sudoers_debug.*/d' /etc/ldap.conf
cat >> /etc/ldap.conf << EOF
# Configure sudo ldap.
uri ldaps://ldap.syco.net
base dc=syco,dc=net
sudoers_base ou=SUDOers,dc=syco,dc=net
binddn cn=sssd,dc=syco,dc=net
bindpw secret
ssl on
tls_cacertdir /etc/openldap/cacerts
tls_cert /etc/openldap/cacerts/client.pem
tls_key /etc/openldap/cacerts/client.pem
#sudoers_debug 5
EOF    

还提供了 LDIF 文件,需要将其放在与上述脚本相同的文件夹中。

# Filename: manager.ldif
###########################################################
# NEW DATABASE
###########################################################
dn: dc=syco,dc=net
objectClass: top
objectclass: dcObject
objectclass: organization
o: System Console Project
dc: syco
description: Tree root

# Used by sssd to ask general queries.
dn: cn=sssd,dc=syco,dc=net
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: sssd
description: Account for sssd.
userPassword: {SSHA}OjXYLr1oZ/LrHHTmjnPWYi1GjbgcYxSb

###########################################################
# Add pwdpolicy overlay
# Need to be done before adding new users.
###########################################################
dn: ou=pwpolicies,dc=syco,dc=net
objectClass: organizationalUnit
objectClass: top
ou: policies

dn: cn=default,ou=pwpolicies,dc=syco,dc=net
cn: default
#objectClass: pwdPolicyChecker
objectClass: pwdPolicy
objectClass: person
objectClass: top
pwdAllowUserChange: TRUE
pwdAttribute: 2.5.4.35
#pwdCheckModule: crackcheck.so
#pwdCheckQuality: 2
pwdExpireWarning: 604800
pwdFailureCountInterval: 30
pwdGraceAuthNLimit: 0
pwdInHistory: 10
pwdLockout: TRUE
pwdLockoutDuration: 3600
pwdMaxAge: 7776000
pwdMaxFailure: 5
pwdMinAge: 3600
pwdMinLength: 12
pwdMustChange: FALSE
pwdSafeModify: FALSE
sn: dummy value
EOF

###########################################################
# GROUPS
###########################################################
dn: ou=group,dc=syco,dc=net
objectClass: top
objectclass: organizationalunit
ou: group

dn: cn=sycousers,ou=group,dc=syco,dc=net
cn: sycousers
objectClass: posixGroup
gidNumber: 2000
memberUid: user1
memberUid: user2
memberUid: user3

dn: cn=sysop,ou=group,dc=syco,dc=net
cn: sysop
objectClass: posixGroup
gidNumber: 2001
memberUid: user1
memberUid: user2

dn: cn=management,ou=group,dc=syco,dc=net
cn: management
objectClass: posixGroup
gidNumber: 2002
memberUid: user1

###########################################################
# USERS
###########################################################
dn: ou=people,dc=syco,dc=net
objectClass: top
objectclass: organizationalunit
ou: people

dn: uid=user1,ou=people,dc=syco,dc=net
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: user1
employeeType: Sysop
givenName: User1
surname: Syco
displayName: Syco User1
commonName: Syco User1
gecos: Syco User1
initials: SU
title: System Administrator (fratsecret)
userPassword: {CRYPT}frzelFSD.VhkI
loginShell: /bin/bash
uidNumber: 2001
gidNumber: 2000
homeDirectory: /home/user1
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
mail: [email protected]
postalCode: 666666
mobile: +46 (0)73 xx xx xx xx
homePhone: +46 (0)8 xx xx xx xx
postalAddress:

dn: uid=user2,ou=people,dc=syco,dc=net
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: user2
employeeType: Sysop
givenName: User2
surname: Syco
displayName: Syco User2
commonName: Syco User2
gecos: Syco User2
initials: SU
title: System Administrator
userPassword: {CRYPT}frzelFSD.VhkI
loginShell: /bin/bash
uidNumber: 2002
gidNumber: 2000
homeDirectory: /home/user2
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
mail: [email protected]
postalCode: 666666
mobile: +46 (0)73 xx xx xx xx
homePhone: +46 (0)8 xx xx xx xx
postalAddress:

dn: uid=user3,ou=people,dc=syco,dc=net
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: user3
employeeType: Developer
givenName: User3
surname: Syco
displayName: Syco User3
commonName: Syco User3
gecos: Syco User3
initials: SU
title: System Administrator
userPassword: {CRYPT}frzelFSD.VhkI
loginShell: /bin/bash
uidNumber: 2003
gidNumber: 2000
homeDirectory: /home/user3
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
mail: [email protected]
postalCode: 666666
mobile: +46 (0)73 xx xx xx xx
homePhone: +46 (0)8 xx xx xx xx
postalAddress:

###########################################################
# SUDOERS
###########################################################
dn: ou=SUDOers,dc=syco,dc=net
objectClass: top
objectClass: organizationalUnit
ou: SUDOers

dn: cn=defaults,ou=SUDOers,dc=syco,dc=net
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOptions go here
sudoOption: requiretty
sudoOption: always_set_home
sudoOption: env_reset
sudoOption: env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
sudoOption: env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
sudoOption: env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
sudoOption: env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
sudoOption: env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
sudoOption: secure_path=/sbin:/bin:/usr/sbin:/usr/bin

dn: cn=root,ou=SUDOers,dc=syco,dc=net
objectClass: top
objectClass: sudoRole
cn: root
sudoUser: root
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL

# Allow all sysops to execute anything
dn: cn=%sysop,ou=SUDOers,dc=syco,dc=net
objectClass: top
objectClass: sudoRole
cn: %sysop
sudoUser: %sysop
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL

您需要先理解并编辑脚本,然后才能在服务器上执行它们。除其他事项外,您需要为安装自定义与“syco.net”、用户、组和密码相关的内容。

答案2

客户端设置

我多次参考了 Arlukin 的回答,但我认为精简版的客户端设置会很有帮助。设置好证书后,只需执行以下操作:

yum install sssd pam_ldap
chkconfig sssd on

authconfig      \
 --enablesssd --enablesssdauth --enablecachecreds \
 --enableldap --enableldaptls --enableldapauth \
 --ldapserver=ldap://ldap.example.com --ldapbasedn=dc=example,dc=com \
 --disablenis --disablekrb5 \
 --enableshadow --enablemkhomedir --enablelocauthorize \
 --passalgo=sha512 --updateall

将这些设置添加到以下[domain/default]部分/etc/sssd/sssd.conf

ldap_schema = rfc2307bis
ldap_user_fullname = displayName
ldap_user_search_base = dc=People,dc=example,dc=com
ldap_group_search_base = dc=Roles,dc=example,dc=com
ldap_group_member = member
ldap_group_nesting_level = 4

ldap_default_bind_dn = cn=fooServer,dc=Devices,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = yourSecretPassword

要测试不使用证书的设置:

ldap_id_use_start_tls = False
ldap_auth_disable_tls_never_use_in_production = true

OpenLDAP 访问控制

一些可帮助您入门的访问控制规则(顺序无关紧要)。请记住,break允许处理与同一目标匹配的其他规则。其中一些针对嵌套组——请参阅来自 ldap 的基于 dn 的 linux 组寻求帮助进行设置。

to attrs=userPassword,sambaLMPassword,sambaNTPassword
  by anonymous auth
  by self =rwdx
  by set="user & [cn=Administrators,ou=LDAP,dc=Applications,dc=example,dc=com]/member*" manage
  by dn.children="ou=Special Accounts,dc=example,dc=com" auth
  • 允许匿名用户进行身份验证
  • 经过身份验证的用户可以更改自己的密码
  • LDAP 管理员组的成员可以更改任何人的密码
  • 最后一行是供特别账户成员代理认证

to *
  by set="user & [cn=Administrators,ou=LDAP,dc=Applications,dc=example,dc=com]/member*" manage
  by * break

允许所有 ldap 管理员更改任何内容


to dn.children="dc=Roles,dc=example,dc=com" attrs=member
  by set="user & this/owner" manage
  by set="user & this/owner*/member*" manage
  by set="user & this/owner*/manager*" manage
  by set="user & this/owner*/member*/manager*" manage
  by * break
  • 允许用户管理他们拥有的群组
  • 群组也可以是所有者
  • 任何群组所有者的管理员都可以管理该群组
  • 如果群组foo是群组的所有者bar,则群组中的任何人的管理员也foo可以进行管理bar

to dn.children="ou=Special Accounts,dc=example,dc=com" attrs=authzTo
  by * auth

允许特殊账户对任何其他用户进行代理身份验证。这可用于让 Web 服务器使用特殊账户绑定一次,然后检查同一连接上普通用户的凭证。


to dn.children="dc=People,dc=example,dc=com" 
  attrs=givenName,sn,middleName,dateOfBirth,displayName,cn,
    telephoneNumber,fax,postalAddress,homePhone,homePostalAddress,mobile,pager,
    postalCode,postOfficeBox,preferredLanguage,streetAddress,l,st,c 
  by self write
  by * break
  • 允许用户编辑他们的“个人资料”字段

重要的是,用户不得更改任何会影响其权限的属性,例如manager,或者memberOf如果您的服务器支持的话。


to dn.children="dc=People,dc=example,dc=com"   
  attrs=uid,uidNumber,gidNumber,mail,telephoneNumber,mobile,departmentNumber,manager,
    title,initials,givenName,sn,displayName,cn,dateHired,dateTerminated,fax,middleName,
    organizationName,organizationalUnitName,pager,postalAddress,l,st,c 
  by * read

使一些基本联系信息对任何人都可见。

相关内容