kerberos&LDAP实现免密码登录搭建

kerberos && openldap 

1.install openldap & kerberos server:
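	# Server-side packages: db4 (backend for the hdb database configured below), Cyrus SASL,
	# and the LDAP-backed KDC; then the OpenLDAP server/client/dev packages.
	# 'cyrus-sasl*' is quoted so the shell cannot expand it against files in the current
	# directory before yum sees the pattern.
	yum -y install db4 db4-utils db4-devel 'cyrus-sasl*' krb5-server-ldap
	yum -y install openldap openldap-servers openldap-clients openldap-devel compat-openldap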
	
2.conf ldap
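	# Wipe any existing database and seed it with the packaged sample DB_CONFIG.
	# NOTE: this destroys whatever is in /var/lib/ldap - intended for a fresh install only.
	rm -rf /var/lib/ldap/*
	cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
	chown -R ldap:ldap /var/lib/ldap   # user:group form, same as the slapd.d chown later on
	# Keep a copy of the packaged cn=config tree before slaptest regenerates it.
	cp -rf /etc/openldap/slapd.d /etc/openldap/slapd.d.bak
	# kerberos.schema ships with krb5-server-ldap under a versioned doc directory
	# (1.15.1 on this page); the glob keeps the step working across package updates.
	cp /usr/share/doc/krb5-server-ldap-*/kerberos.schema /etc/openldap/schema/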
	
#include  (kerberos  & openldap) schema:
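# Append the schema includes. slapd.conf treats a line that begins with whitespace as a
# continuation of the previous line, so the indented lines must reach the file without
# their leading tabs: <<- strips leading tabs (only tabs, not spaces) from the heredoc.
cat >>/etc/openldap/slapd.conf<<-"EOF"
	include /etc/openldap/schema/core.schema
	include /etc/openldap/schema/collective.schema
	include /etc/openldap/schema/corba.schema
	include /etc/openldap/schema/cosine.schema
	include /etc/openldap/schema/duaconf.schema
	include /etc/openldap/schema/dyngroup.schema
	include /etc/openldap/schema/inetorgperson.schema
	include /etc/openldap/schema/java.schema
	include /etc/openldap/schema/misc.schema
	include /etc/openldap/schema/nis.schema
	include /etc/openldap/schema/openldap.schema
	include /etc/openldap/schema/ppolicy.schema
	include /etc/openldap/schema/kerberos.schema
EOF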

#update slapd.d
	# Convert slapd.conf into the cn=config directory, then hand the tree to the ldap
	# user and close it to everyone else.
	slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
	chown -R ldap:ldap /etc/openldap/slapd.d \
	  && chmod -R 700 /etc/openldap/slapd.d


#start slapd
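    # Remove the SQL and LDAP plugins from Cyrus SASL before slapd starts
    # (presumably so slapd does not load them - TODO confirm the reason on this host).
    rpm -e cyrus-sasl-sql
    rpm -e cyrus-sasl-ldap

    systemctl start slapd
    systemctl enable slapd
    # Confirm the daemon is running. pgrep never matches itself, so the
    # "ps | grep | grep -v grep" dance is not needed.
    pgrep -af slapd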
	
	
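# Reconfigure the default hdb database (suffix, rootDN, rootPW), map GSSAPI identities
# onto ou=people, and set the access rules. Written with > (not >>) so re-running this
# step does not append a second copy of every change record (a second "add: olcRootPW"
# would make ldapmodify fail).
cat >/root/modify.ldif<<"EOF"
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=test,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=test,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}R5ZBYELRk8gpViFSY2MLnyHsIwHDP3Ec
#PW: hash that slappasswd produced for 123456 on this page - generate your own with slappasswd

dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: uid=([^,]*),cn=GSSAPI,cn=auth uid=$1,ou=people,dc=test,dc=com

# Access rules, evaluated in order. Without rule {0} the catch-all "by * read" would let
# anonymous binds read userPassword (the {SSHA} and {SASL} values set later on this page).
# "by anonymous auth" still lets simple binds be verified.
# NOTE: rule {2} still lets a user write every other attribute of its own entry
# (uidNumber, gidNumber, ...); tighten it before using this outside a lab.
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword by dn.base="cn=Manager,dc=test,dc=com" write by self write by anonymous auth by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn.base="cn=Manager,dc=test,dc=com" write by self write by * read
EOF

# Bind as local root over the ldapi socket (SASL EXTERNAL) to change cn=config.
ldapmodify -Y EXTERNAL -H ldapi:/// -f /root/modify.ldif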


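# Base DIT: the suffix entry, the container the KDC stores its data under (cn=Kerberos,
# matching ldap_kerberos_container_dn in krb5.conf), and the people/group OUs.
# Written with > so re-running does not append duplicate entries.
cat >/root/init.ldif<<"EOF"
dn: dc=test,dc=com
dc: test
objectClass: domain
objectClass: dcObject

dn: cn=Kerberos,dc=test,dc=com
cn: Kerberos
objectClass: organizationalRole

dn: ou=people,dc=test,dc=com
objectclass: organizationalUnit
ou: people
description: Users

dn: ou=group,dc=test,dc=com
objectClass: organizationalUnit
description: Groups
ou: group
EOF

# Load the entries as the rootDN.
# NOTE: -w puts the password on the command line, where it is visible in `ps` and in
# shell history; prefer -W (prompt) or -y <password-file> outside of a lab.
ldapadd -x -D 'cn=Manager,dc=test,dc=com' -w 123456 -h 127.0.0.1 -f /root/init.ldif
# Verify the import by reading the subtree back.
ldapsearch -x -D 'cn=Manager,dc=test,dc=com' -w 123456 -h 127.0.0.1 -b 'dc=test,dc=com'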


配置kerberos:


# Write the KDC/client configuration. The heredoc delimiter is unquoted, but the only
# brace expression in it, %{uid}, is not a shell expansion and is written through untouched.
cat >/etc/krb5.conf<<EOF
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
 default_ccache_name = KEYRING:persistent:%{uid}
 default_realm = TEST.COM

# kdc/admin_server: this page's server address. database_module selects the kldap stanza
# in [dbmodules]. key_stash_file is where the master key is stashed so the KDC can start
# unattended.
[realms]
  TEST.COM = {
  kdc = 10.130.98.196
  admin_server = 10.130.98.196
        default_domain = TEST.COM
        database_module = openldap_ldapconf
        key_stash_file = /etc/krb5.TEST.COM
        max_life = 1d 0h 0m 0s
        max_renewable_life = 90d 0h 0m 0s
        dict_file = /usr/share/dict/words
    }

[dbdefaults]
    ldap_kerberos_container_dn = cn=Kerberos,dc=test,dc=com

# Both the KDC and kadmind bind to the directory as the rootDN here. The rootDN bypasses
# every slapd ACL; a hardened deployment uses two dedicated service DNs granted write
# access only to the cn=Kerberos subtree. ldap_service_password_file is filled in by
# "kdb5_ldap_util stashsrvpw" below and must stay readable by root only.
[dbmodules]
    openldap_ldapconf = {
        db_library = kldap
        ldap_servers = ldapi://
        ldap_kerberos_container_dn = cn=Kerberos,dc=test,dc=com
        ldap_kdc_dn = cn=Manager,dc=test,dc=com
        ldap_kadmind_dn = cn=Manager,dc=test,dc=com
        ldap_service_password_file = /etc/krb5.ldap
        ldap_conns_per_server = 5
    }


[domain_realm]
 test.com = TEST.COM
 .test.com = TEST.COM
EOF

生成访问ldap的服务密码文件:
# Stash the bind password for cn=Manager into /etc/krb5.ldap (the ldap_service_password_file
# named in krb5.conf). -w exposes the password on the command line (ps, shell history);
# kdb5_ldap_util prompts for it when -w is omitted (verify on this version). Keep the stash
# file readable by root only.
kdb5_ldap_util -D cn=Manager,dc=test,dc=com  -w 123456 stashsrvpw -f /etc/krb5.ldap  cn=Manager,dc=test,dc=com

创建kerberos数据库:
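# Create the realm container in LDAP and the master key. -s also writes the master key to
# the stash file named by key_stash_file in krb5.conf; without a stash, krb5kdc/kadmind
# cannot open the database at start-up unless the master password is typed in, so the
# unattended "systemctl start krb5kdc" that follows would fail.
kdb5_ldap_util -D cn=Manager,dc=test,dc=com -H ldap://  create -s -r TEST.COM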

启动kerberos
# Bring up the KDC and the admin server, showing the state of each right after starting it.
for svc in krb5kdc kadmin; do
  systemctl start "$svc"
  systemctl status "$svc"
done


测试添加用户:
# ank = addprinc. -pw puts the principal's password on the command line (visible in ps and
# shell history); leaving it off makes kadmin.local prompt for it instead.
kadmin.local -q 'ank -pw 123456 test'  # sets the password of user test to 123456

测试
# With the kldap backend the new principal should show up in a directory dump (under the
# cn=Kerberos container named in krb5.conf).
slapcat |grep "test"
测试获取凭证:
kinit test

导入系统用户:
yum install migrationtools -y
vim /usr/share/migrationtools/migrate_common.ph  
$DEFAULT_MAIL_DOMAIN = "example.com";  #改成自己的域名
$DEFAULT_BASE = "dc=example,dc=com";   #改成自己的域名

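# Select the accounts and groups to export. Anchoring at the start of the line matches
# the account/group *name* (test, test1, ...); the unanchored "test" also matched any
# line containing "test" elsewhere (GECOS, home directory, shell).
grep -E '^test' /etc/passwd >/opt/passwd.txt
grep -E '^test' /etc/group >/opt/group.txt
# Generate LDIF for the selected accounts and groups.
# NOTE: run as root, migrate_passwd.pl presumably also reads /etc/shadow and emits the
# {crypt} hashes as userPassword - check /opt/passwd.ldif, and make sure userPassword
# is not world-readable under the slapd ACL.
/usr/share/migrationtools/migrate_passwd.pl /opt/passwd.txt /opt/passwd.ldif
/usr/share/migrationtools/migrate_group.pl /opt/group.txt /opt/group.ldif
# Load groups first, then users. -w exposes the rootDN password in ps and shell
# history; -W (prompt) or -y <password-file> avoids that.
ldapadd -x -D "cn=Manager,dc=test,dc=com" -w 123456 -f /opt/group.ldif
ldapadd -x -D "cn=Manager,dc=test,dc=com" -w 123456 -f /opt/passwd.ldif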

# Confirm NSS now resolves the migrated account through LDAP; nslcd has to be running for that.
getent passwd test
 systemctl status nslcd 

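# Simple-bind (userPassword) authentication for the "test" user. The original LDIF
# targeted uid=cjb, which is not the user this page creates and then tests (uid=test).
# "replace" rather than "add" so that a userPassword migrate_passwd.pl may already have
# emitted does not remain as a second valid value. The base64 value is the {SSHA} hash
# given on this page (stated to be for 123456) - generate your own with slappasswd.
cat >/root/change.ldif<<"EOF"
dn: uid=test,ou=People,dc=test,dc=com
changetype: modify
replace: userPassword
userPassword:: e1NTSEF9Ym0rZXloV1ExalB1aWNEVU1BaHlNM0hZVHh3REIrWU4K
EOF

# -w shows the rootDN password in ps/history; -W prompts instead.
ldapmodify -x -D 'cn=Manager,dc=test,dc=com' -w 123456 -f /root/change.ldif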
测试test密码是否生效
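# Verify the new password with a simple bind as the user. The original passed 127.0.0.1 as
# a positional argument, where ldapsearch reads it as the search *filter* and fails; the
# host belongs behind -h, as in the later ldapsearch on this page.
ldapsearch -x -D 'uid=test,ou=People,dc=test,dc=com' -w 123456 -h 127.0.0.1 -b 'ou=People,dc=test,dc=com'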

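# Kerberos-backed authentication: base64 of the {SASL} pass-through value for the test
# principal (slapd hands simple binds against such a userPassword to saslauthd, configured
# below). printf instead of echo -n avoids echo's portability issues, and the expected
# result is kept in this comment rather than appended to the command line, where base64
# would have treated it as a file name: e1NBU0x9dGVzdEBURVNULkNPTQ==
printf '%s' '{SASL}test@TEST.COM' | base64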

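# Switch the test user to Kerberos-backed authentication: a {SASL}user@REALM userPassword
# makes slapd verify simple binds through saslauthd (pwcheck_method below). The original
# LDIF targeted uid=maokey with {SASL}maokey@TEST.COM, which is not the user this page
# creates; the value below is the base64 string produced just above for test@TEST.COM.
cat >/root/change.ldif<<"EOF"
dn: uid=test,ou=People,dc=test,dc=com
changetype: modify
replace: userPassword
userPassword:: e1NBU0x9dGVzdEBURVNULkNPTQ==
EOF

# -w shows the rootDN password in ps/history; -W prompts instead.
ldapmodify -x -D 'cn=Manager,dc=test,dc=com' -w 123456 -f /root/change.ldif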

#修改saslauthd 配置
vim <saslauthd 的 sysconfig 配置文件>   #把其中的 MECH 行改为:

MECH=kerberos5

# Tell slapd's SASL library to check {SASL} passwords through the saslauthd daemon
# (which uses the MECH set above), then restart slapd so it picks the setting up.
cat >/etc/sasl2/slapd.conf<<EOF
pwcheck_method: saslauthd
EOF
service slapd restart
service saslauthd status -l # check for errors


#Kerberos 相关操作 待整理
服务端相关操作:
创建管理员:
/usr/sbin/kadmin.local -q "addprinc admin/admin"
#database administrator设置ACL权限
vim /var/kerberos/krb5kdc/kadm5.acl  #修改里面的内容
#创建主机KEY
kadmin.local
addprinc -randkey host/node2.example.com
#kadmin.local -q "ank -clearpolicy -randkey host/node2.example.com"
#kadmin.local -q "ktadd host/c2bde55"  #keytab必须为:/etc/krb5.keytab ,

kdestroy  #删除凭证
service saslauthd restart
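# Confirm saslauthd is running. "ps -aux" mixes BSD and UNIX option syntax (procps warns
# about it) and the grep matches its own process; pgrep does neither.
pgrep -af saslauthd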

Kerberos 认证测试:
testsaslauthd -u test -p 123456

执行 ldapsearch测试LDAP 认证:
ldapsearch -x -D 'uid=test,ou=People,dc=test,dc=com' -w 123456 -h 127.0.0.1 -b 'ou=People,dc=test,dc=com'


client相关操作
yum -y install nss-pam-ldapd     #ldap认证模块
yum -y install pam_krb5 sssd krb5-workstation #Kerberos 认证模块、

#配置用户ldap,认证:kerberos
authconfig-tui
注意:
  1.会更改三个配置文件:/etc/sssd/sssd.conf 、/etc/nsswitch.conf、/etc/pam.d/system-auth
  2.配置结束,sssd服务自动启动

systemctl status nslcd  #LDAP确认此服务成功启动,否则无法获取ldap用户信息
systemctl status sssd   #认证缓存,服务挂将引发无法登录

.导入keytab

#客户端导出:/etc/krb5.keytab ,keytab必须为:/etc/krb5.keytab
kinit  kadmin/admin   #上面创建的用户
kadmin
ktadd host/client.example.com  #根据配置文件,连接到kerberos服务器,将主机的key下载到本地,在此之前,请确认主机已设定hostname 而且主机名可以解析

#ssh相关配置
# Client side: authenticate ssh with Kerberos tickets.
# GSSAPIDelegateCredentials forwards the user's TGT to the remote host, where root can use
# it; limit it to trusted hosts (a Host block) rather than enabling it globally.
vi /etc/ssh/ssh_config
	GSSAPIAuthentication yes
	GSSAPIDelegateCredentials yes
# Server side: accept GSSAPI and remove the forwarded credential cache on logout.
vi /etc/ssh/sshd_config
	GSSAPIAuthentication yes
	GSSAPICleanupCredentials yes
systemctl reload sshd
#测试
ssh demouser1@node1

  #不需要输入密码就对了

klist

  #列出票据
 
 
 https://blog.csdn.net/linlinv3/article/details/45171097

  
