kerberos&LDAP实现免密码登录搭建
kerberos && openldap 1.install openldap & kerberos server: yum install db4 db4-utils db4-devel cyrus-sasl* krb5-server-ldap -y yum install openldap openldap-servers openldap-clients openldap-devel compat-openldap -y 2.conf ldap rm -rf /var/lib/ldap/* cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG chown -R ldap.ldap /var/lib/ldap cp -rf /etc/openldap/slapd.d /etc/openldap/slapd.d.bak cp /usr/share/doc/krb5-server-ldap-1.15.1/kerberos.schema /etc/openldap/schema/ #include (kerberos & openldap) schema: cat >>/etc/openldap/slapd.conf<<"EOF" include /etc/openldap/schema/core.schema include /etc/openldap/schema/collective.schema include /etc/openldap/schema/corba.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/duaconf.schema include /etc/openldap/schema/dyngroup.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/java.schema include /etc/openldap/schema/misc.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/openldap.schema include /etc/openldap/schema/ppolicy.schema include /etc/openldap/schema/kerberos.schema EOF #update slapd.d slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d chown -R ldap:ldap /etc/openldap/slapd.d && chmod -R 700 /etc/openldap/slapd.d #start sldap rpm -e cyrus-sasl-sql rpm -e cyrus-sasl-ldap systemctl start slapd systemctl enable slapd ps aux | grep slapd | grep -v grep cat >>/root/modify.ldif<<"EOF" dn: olcDatabase={2}hdb,cn=config changetype: modify replace: olcSuffix olcSuffix: dc=test,dc=com dn: olcDatabase={2}hdb,cn=config changetype: modify replace: olcRootDN olcRootDN: cn=Manager,dc=test,dc=com dn: olcDatabase={2}hdb,cn=config changetype: modify add: olcRootPW olcRootPW: {SSHA}R5ZBYELRk8gpViFSY2MLnyHsIwHDP3Ec #PW: slappasswd 123456生成的密码:{SSHA}R5ZBYELRk8gpViFSY2MLnyHsIwHDP3Ec dn: cn=config changetype: modify add: olcAuthzRegexp olcAuthzRegexp: uid=([^,]*),cn=GSSAPI,cn=auth uid=$1,ou=people,dc=test,dc=com dn: 
olcDatabase={2}hdb,cn=config changetype: modify add: olcAccess olcAccess: {0}to dn.base="" by * read olcAccess: {1}to * by dn.base="cn=Manager,dc=test,dc=com" write by self write by * read EOF ldapmodify -Y EXTERNAL -H ldapi:/// -f modify.ldif cat >>/root/init.ldif<<"EOF" dn: dc=test,dc=com dc: test objectClass: domain objectClass: dcObject dn: cn=Kerberos,dc=test,dc=com cn: Kerberos objectClass: organizationalRole dn: ou=people,dc=test,dc=com objectclass: organizationalUnit ou: people description: Users dn: ou=group,dc=test,dc=com objectClass: organizationalUnit description: Groups ou: group EOF #导入数据: ldapadd -x -D 'cn=Manager,dc=test,dc=com' -w 123456 -h 127.0.0.1 -f init.ldif #执行命令验证数据导入是否成功: ldapsearch -x -D 'cn=Manager,dc=test,dc=com' -w 123456 -h 127.0.0.1 -b 'dc=test,dc=com' 配置kerberos: cat >/etc/krb5.conf<<EOF # Configuration snippets may be placed in this directory as well includedir /etc/krb5.conf.d/ [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] dns_lookup_realm = false ticket_lifetime = 24h renew_lifetime = 7d forwardable = true rdns = false pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt default_ccache_name = KEYRING:persistent:%{uid} default_realm = TEST.COM [realms] TEST.COM = { kdc = 10.130.98.196 admin_server = 10.130.98.196 default_domain = TEST.COM database_module = openldap_ldapconf key_stash_file = /etc/krb5.TEST.COM max_life = 1d 0h 0m 0s max_renewable_life = 90d 0h 0m 0s dict_file = /usr/share/dict/words } [dbdefaults] ldap_kerberos_container_dn = cn=Kerberos,dc=test,dc=com [dbmodules] openldap_ldapconf = { db_library = kldap ldap_servers = ldapi:// ldap_kerberos_container_dn = cn=Kerberos,dc=test,dc=com ldap_kdc_dn = cn=Manager,dc=test,dc=com ldap_kadmind_dn = cn=Manager,dc=test,dc=com ldap_service_password_file = /etc/krb5.ldap ldap_conns_per_server = 5 } [domain_realm] test.com = TEST.COM .test.com = TEST.COM EOF 生成访问ldap的服务密码文件: kdb5_ldap_util -D 
cn=Manager,dc=test,dc=com -w 123456 stashsrvpw -f /etc/krb5.ldap cn=Manager,dc=test,dc=com 创建kerberos数据库: kdb5_ldap_util -D cn=Manager,dc=test,dc=com -H ldap:// create -r TEST.COM 启动kerberos systemctl start krb5kdc systemctl status krb5kdc systemctl start kadmin systemctl status kadmin 测试添加用户: kadmin.local -q 'ank -pw 123456 test' #配置 test 用户的密码为:123456 测试 slapcat |grep "test" 测试获取凭证: kinit test 导入系统用户: yum install migrationtools -y vim /usr/share/migrationtools/migrate_common.ph DEFAULT_MAIL_DOMAIN = "example.com"; #改成自己的域名 DEFAULT_BASE = "dc=example,dc=com"; #改成自己的域名 grep -E "test" /etc/passwd >/opt/passwd.txt #选择要导入ldap的帐号 grep -E "test" /etc/group >/opt/group.txt #选择要导入ldap的组 /usr/share/migrationtools/migrate_passwd.pl /opt/passwd.txt /opt/passwd.ldif #生成ldap帐号文件 /usr/share/migrationtools/migrate_group.pl /opt/group.txt /opt/group.ldif #生成group文件 ldapadd -x -D "cn=Manager,dc=test,dc=com" -w 123456 -f /opt/group.ldif #导入用户组 ldapadd -x -D "cn=Manager,dc=test,dc=com" -w 123456 -f /opt/passwd.ldif #导入用户数据 (注意: -w 在命令行里传明文密码,会留在 shell 历史和 ps 输出中,生产环境建议改用 -W 交互输入) #测试LDAP是否正常 getent passwd test systemctl status nslcd #ldap 方式认证,test 用户设置密码123456 (下面 ldif 中的 uid=cjb 为示例,实际应替换为 test) cat >/root/change.ldif<<EOF dn: uid=cjb,ou=People,dc=test,dc=com changetype: modify add: userPassword userPassword:: e1NTSEF9Ym0rZXloV1ExalB1aWNEVU1BaHlNM0hZVHh3REIrWU4K EOF ldapmodify -x -D 'cn=Manager,dc=test,dc=com' -w 123456 -f change.ldif 测试test密码是否生效 ldapsearch -x -D 'uid=test,ou=People,dc=test,dc=com' -w 123456 -h 127.0.0.1 -b 'ou=People,dc=test,dc=com' #Kerberos方式认证 echo -n "{SASL}test@TEST.COM" | base64 生成串:e1NBU0x9dGVzdEBURVNULkNPTQ== (下面 ldif 中的 uid=maokey 及其 userPassword 为另一用户的示例,实际应替换为 test 和上面生成的串) cat >/root/change.ldif<<EOF dn: uid=maokey,ou=People,dc=test,dc=com changetype: modify replace: userPassword userPassword:: e1NBU0x9bWFva2V5QFRFU1QuQ09N EOF ldapmodify -x -D 'cn=Manager,dc=test,dc=com' -w 123456 -f change.ldif #修改saslauthd 配置 vim MECH=kerberos5 cat >/etc/sasl2/slapd.conf<<EOF pwcheck_method: saslauthd EOF service slapd restart service saslauthd status -l #查看有没报错 #Kerberos 相关操作 待整理 服务端相关操作: 创建管理员: /usr/sbin/kadmin.local -q 
"addprinc admin/admin" #database administrator设置ACL权限 vim /var/kerberos/krb5kdc/kadm5.acl #修改里面的内容 #创建主机KEY kadmin.local addprinc -randkey host/node2.example.com #kadmin.local -q "ank -clearpolicy -randkey host/node2.example.com" #kadmin.local -q "ktadd host/c2bde55" #keytab必须为:/etc/krb5.keytab , kdestroy 删除凭证 service saslauthd restart ps -aux | grep saslauthd Kerberos 认证测试: testsaslauthd -u test -p 123456 执行 ldapsearch测试LDAP 认证: ldapsearch -x -D 'uid=test,ou=People,dc=test,dc=com' -w 123456 -h 127.0.0.1 -b 'ou=People,dc=test,dc=com' clinet相关操作 yum -y install nss-pam-ldapd #ldap认证模块 yum -y install pam_krb5 sssd krb5-workstation #Kerberos 认证模块、 #配置用户ldap,认证:kerberos authconfig-tui 注意: 1.会更改三个配置文件:/etc/sssd/sssd.conf 、/etc/nsswithch.conf、/etc/pam.d/system-auth 2.配置结束,sssd服务自动启动 systemctl status nslcd #LDAP确认此服务成功启动,否则无法ldap用户信息 systemctl status sssd #认证缓存,服务挂将引发无法登录 .导入keytab #客户端导出:/etc/krb5.keytab ,keytab必须为:/etc/krb5.keytab kinit kadmin/admin #上面创建用的用记 kadmin ktadd host/client.example.com #根据配置文件,连接到kerberos服务器,将主机的key下载到本地,在此之前,请确认主机已设定hostame 而且主机名可以解析 #ssh相关配置 vi /etc/ssh/ssh_config GSSAPIAuthentication yes GSSAPIDelegateCredentials yes vi /etc/ssh/sshd_config GSSAPIAuthentication yes GSSAPICleanupCredentials yes systemctl reload sshd #测试 ssh demouser1@node1 #不需要输入密码就对了 klist #列出票据 https://blog.csdn.net/linlinv3/article/details/45171097