Server:

  CentOS 7.4

  hostname: node1.lushenle.com

  IP: 172.16.100.40

Client:

  CentOS 7.4

  hostname: node2.lushenle.com

  IP: 172.16.100.41

The firewall is enabled and SELinux is in enforcing mode on both the server and the client.

Installing the LDAP user authentication service:
  1. Install the LDAP server packages
    # yum install -y openldap openldap-clients openldap-servers migrationtools

  2. Set the LDAP server's global (root) bind password
    # slappasswd -s manunkind -n > /etc/openldap/passwd
    # cat /etc/openldap/passwd

  3. Create the X.509 certificate and private key for the local LDAP service
    # openssl req -new -x509 -nodes -out /etc/openldap/certs/cert.pem -keyout /etc/openldap/certs/priv.pem -days 365
      ```the Common Name must match the server's hostname```
      Common Name (eg, your name or your server's hostname) []:node1.lushenle.com
      Email Address []:root@node1.lushenle.com
    # cd /etc/openldap/certs

  4. Set permissions on the LDAP certificate and key
    # chown ldap.ldap *.pem
    # chmod 600 priv.pem

  5. Create the base LDAP database and set its permissions
    # cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
    # cat !$
    # slaptest
    # cd /var/lib/ldap
    # ll
    # chown ldap.ldap *

  6. Start the LDAP daemon
    # systemctl start slapd
    # systemctl enable slapd

  7. Add a firewall rule so the LDAP service can be reached
    # firewall-cmd --permanent --add-service=ldap
    # firewall-cmd --reload

  8. Configure an LDAP log file so the log messages are saved
    # vim /etc/rsyslog.conf
      append at the end of the config file: local4.* /var/log/ldap.log
    # systemctl restart rsyslog

Configuring the local LDAP service domain
  1. Load the base schemas for user authentication
    # cd /etc/openldap/schema/
    # ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f cosine.ldif
    # ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f nis.ldif

  2. Write the custom structure files and load them into the LDAP server
    # vim base.ldif

      #base.ldif
      dn: dc=lushenle,dc=com
      dc: lushenle
      objectClass: top
      objectClass: domain

      dn: ou=People,dc=lushenle,dc=com
      ou: People
      objectClass: top
      objectClass: organizationalUnit

      dn: ou=Group,dc=lushenle,dc=com
      ou: Group
      objectClass: top
      objectClass: organizationalUnit

    # vim changes.ldif

      #changes.ldif
      dn: olcDatabase={2}hdb,cn=config
      changetype: modify
      replace: olcSuffix
      olcSuffix: dc=lushenle,dc=com

      dn: olcDatabase={2}hdb,cn=config
      changetype: modify
      replace: olcRootDN
      olcRootDN: cn=Manager,dc=lushenle,dc=com

      # a cleartext olcRootPW works, but the {SSHA} hash that slappasswd wrote to
      # /etc/openldap/passwd in step 2 is the value that should normally go here
      dn: olcDatabase={2}hdb,cn=config
      changetype: modify
      replace: olcRootPW
      olcRootPW: manunkind

      dn: cn=config
      changetype: modify
      replace: olcTLSCertificateFile
      olcTLSCertificateFile: /etc/openldap/certs/cert.pem

      dn: cn=config
      changetype: modify
      replace: olcTLSCertificateKeyFile
      olcTLSCertificateKeyFile: /etc/openldap/certs/priv.pem

      # -1 logs everything; handy while setting up, very noisy once in service
      dn: cn=config
      changetype: modify
      replace: olcLogLevel
      olcLogLevel: -1

      dn: olcDatabase={1}monitor,cn=config
      changetype: modify
      replace: olcAccess
      olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=lushenle,dc=com" read by * none

    ```note that no line may end with trailing whitespace```

    # ldapmodify -Y EXTERNAL -H ldapi:/// -f changes.ldif
    # ldapadd -x -w manunkind -D cn=Manager,dc=lushenle,dc=com -f base.ldif
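A pre-flight check for LDIF files like the two above, added here as an example and not part of the original post: it reports trailing whitespace (the mistake noted above) and records that do not start with dn:, using only POSIX sh and awk; the two sample files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): lint an LDIF file before handing
# it to ldapmodify/ldapadd. Assumed: POSIX sh and awk are available.

lint_ldif() {
    # $1 = LDIF path. Prints "file:line: problem" per finding, returns 1 if any.
    awk '
        BEGIN { bad = 0; in_rec = 0 }
        function err(msg) { printf("%s:%d: %s\n", FILENAME, NR, msg); bad = 1 }
        /[ \t]+$/ { err("trailing whitespace (slapd treats it as part of the value)") }
        /^#/      { next }                 # comment line
        /^$/      { in_rec = 0; next }     # blank line ends a record
        !in_rec   {                        # first line of a record must be dn:
            if ($0 !~ /^dn::? /) err("record does not start with dn:")
            in_rec = 1
            next
        }
        # attribute "name: value", base64 "name:: value", or continuation " ..."
        $0 !~ /^[A-Za-z][A-Za-z0-9;.-]*::? / && $0 !~ /^ / { err("not an attribute line") }
        END { exit bad }
    ' "$1"
}

# Constructed samples: good.ldif is clean; bad.ldif has a trailing space after
# the suffix value and a second record that lacks its dn: line.
demo_dir=$(mktemp -d)
printf 'dn: olcDatabase={2}hdb,cn=config\nchangetype: modify\nreplace: olcSuffix\nolcSuffix: dc=lushenle,dc=com\n' > "$demo_dir/good.ldif"
printf 'dn: olcDatabase={2}hdb,cn=config\nchangetype: modify\nreplace: olcSuffix\nolcSuffix: dc=lushenle,dc=com \n\nchangetype: modify\nreplace: olcLogLevel\n' > "$demo_dir/bad.ldif"

lint_ldif "$demo_dir/good.ldif" && echo "good.ldif: ok"
lint_ldif "$demo_dir/bad.ldif" || echo "bad.ldif: rejected"
```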

  3. Create the local users and their home directories
    ```let's add 30 users to start with```
    # vim useradd.sh

      #!/bin/bash
      # useradd.sh: create ldapuser1..ldapuser30 with home directories under
      # /home/guests, then set each account's password to its username
      mkdir -p /home/guests
      for i in $(seq 1 30); do
          useradd -d /home/guests/ldapuser$i ldapuser$i
      done

      for i in $(seq 1 30); do
          echo ldapuser$i | passwd --stdin ldapuser$i
      done

    # bash -x useradd.sh

  4. Import the local users' authentication information into the LDAP server
    # cd /usr/share/migrationtools/
    # vim migrate_common.ph
      change $DEFAULT_MAIL_DOMAIN = "padl.com"; to $DEFAULT_MAIL_DOMAIN = "lushenle.com";
      change $DEFAULT_BASE = "dc=padl,dc=com"; to $DEFAULT_BASE = "dc=lushenle,dc=com";
    # cat /etc/passwd | grep ":10[0-9][0-9]" > /root/passwd
    # vim /root/passwd #remove the users that are not ldapuser accounts

    # ./migrate_passwd.pl /root/passwd /root/passwd.ldif
    # cat /root/passwd.ldif
    # ldapadd -x -w manunkind -D cn=Manager,dc=lushenle,dc=com -f /root/passwd.ldif

    # cat /etc/group | grep ":10[0-9][0-9]" > /root/group
    # vim /root/group #remove the groups that do not belong to ldapuser accounts

    # ./migrate_group.pl /root/group /root/group.ldif
    # cat /root/group.ldif
    # ldapadd -x -w manunkind -D cn=Manager,dc=lushenle,dc=com -f /root/group.ldif
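The grep-then-edit-by-hand selection of ldapuser accounts above, done with awk instead, plus a check that every selected user's primary group made it into the group file before migrate_group.pl runs. This is an added example, not part of the original post; it assumes POSIX sh and awk, and the passwd and group contents are constructed samples rather than real system files.

```shell
#!/bin/sh
# Added example (not from the original post): pick the ldapuserN accounts in
# the 1000..1099 id range out of passwd/group-format files and verify that the
# two selections agree. Assumed: POSIX sh and awk.

select_ldap_accounts() {
    # $1 = file in passwd(5) or group(5) layout: name is field 1, numeric id field 3
    awk -F: '$1 ~ /^ldapuser[0-9]+$/ && $3 >= 1000 && $3 <= 1099' "$1"
}

check_primary_groups() {
    # $1 = filtered passwd, $2 = filtered group. Reports users whose primary gid
    # (passwd field 4) has no entry in the group file; returns 1 if any are missing.
    awk -F: '
        BEGIN { bad = 0 }
        FILENAME == ARGV[1] { gid[$3] = 1; next }   # group file: remember every gid
        !($4 in gid) { printf("%s: primary gid %s has no entry in the group file\n", $1, $4); bad = 1 }
        END { exit bad }
    ' "$2" "$1"
}

# Constructed samples: alice is not an ldapuser, ldapuser9999 is outside the id
# range, and ldapuser30 is deliberately missing from the group file.
demo_dir=$(mktemp -d)
cat > "$demo_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
ldapuser1:x:1001:1001::/home/guests/ldapuser1:/bin/bash
ldapuser2:x:1002:1002::/home/guests/ldapuser2:/bin/bash
ldapuser30:x:1030:1030::/home/guests/ldapuser30:/bin/bash
ldapuser9999:x:1200:1200::/home/guests/ldapuser9999:/bin/bash
EOF
cat > "$demo_dir/group" <<'EOF'
wheel:x:10:
alice:x:1000:
ldapuser1:x:1001:
ldapuser2:x:1002:
EOF

select_ldap_accounts "$demo_dir/passwd" > "$demo_dir/passwd.ldapusers"
select_ldap_accounts "$demo_dir/group"  > "$demo_dir/group.ldapusers"
check_primary_groups "$demo_dir/passwd.ldapusers" "$demo_dir/group.ldapusers" \
    || echo "fix the group file before running migrate_group.pl"
```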

  5. Test the user authentication data on the LDAP server
    # ldapsearch -x cn=ldapuser1 -b dc=lushenle,dc=com

LDAP client:
  1. Install the LDAP client packages
    # yum install -y openldap-clients nss-pam-ldapd

  2. Configure the local authentication method to use LDAP
    # authconfig-tui #configure it here, or install authconfig-gtk and use the graphical tool; when logged in over ssh that needs the -X option

  3. Test lookup of an LDAP network user
    # getent passwd ldapuser1

Sharing LDAP network users' home directories
  1. NFS export on the LDAP server
    # yum install -y nfs-utils
    # systemctl enable nfs-server
    # systemctl start nfs-server
    # vim /etc/exports
      /home/guests 172.16.0.0/16(rw)
    # exportfs -rv
    # exportfs -v

  2. NFS firewall settings on the LDAP server
    # firewall-cmd --permanent --add-service=nfs
    # firewall-cmd --reload

Automount configuration for user home directories on the LDAP client
  1. Install the automount packages on the LDAP client
    # yum install autofs nfs-utils -y

  2. Configure the automount service on the LDAP client
    # vim /etc/auto.guests
      * -rw,nfs4 node1.lushenle.com:/home/guests/&

    # vim /etc/auto.master
    append at the end of the file: /home/guests /etc/auto.guests

  3. Start the automount service
    # systemctl enable autofs
    # systemctl start autofs

  4. Log in locally as an LDAP network user to verify the automount
    # su - ldapuser1
    # mount
    # pwd

posted on 2018-01-14 22:28 by 卢伸乐