Contents

Preface
1. Install openldap with yum
2. Configure the password
3. Import the schemas
4. Define the domain
5. Configure memberof
6. Configure the base DN
7. Install phpldapadmin for management
8. Adjust the httpd configuration
9. Adjust the PHP configuration
10. Log in to the PHP management page
11. Sync user data from the old LDAP server (optional)
12. Client configuration
13. Integrate with JumpServer

Preface

This article describes how to deploy OpenLDAP on CentOS 7, configure memberof so that users are managed through groups, and connect it to the JumpServer bastion host.

The OpenLDAP part follows the blog post below. The LDIF in that post is badly formatted, and adding it without cleaning it up first produces errors.

https://blog.csdn.net/weixin_41004350/article/details/89521170

1. Install openldap with yum

```
[root@ldapserver 10:37:52 ~]# yum install -y openldap openldap-clients openldap-servers
[root@ldapserver 10:39:08 ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@ldapserver 10:39:10 ~]# chown -R ldap. /var/lib/ldap/DB_CONFIG
[root@ldapserver 10:39:14 ~]# systemctl start slapd
[root@ldapserver 10:39:14 ~]# systemctl enable slapd
[root@ldapserver 10:39:20 ~]# systemctl status slapd
● slapd.service - OpenLDAP Server Daemon
   Loaded: loaded (/usr/lib/systemd/system/slapd.service; disabled; vendor preset: disabled)
   Active: active (running) since 三 2023-07-12 10:39:20 CST; 3s ago
```

2. Configure the password

All passwords used in this walkthrough are 000000.

```
[root@ldapserver 10:39:24 ~]# slappasswd -s 000000
{SSHA}LSgYPTUW4zjGtIVtuZ8cRUqqFRv1tWpE
```

The last line of the LDIF file uses the hash generated above.

```
[root@ldapserver 10:39:32 ~]# vim changepwd.ldif
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}LSgYPTUW4zjGtIVtuZ8cRUqqFRv1tWpE

[root@ldapserver 10:39:47 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f changepwd.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"
```

3. Import the schemas

Import the schemas you need. If you do not know which ones you need, run all of them.

```
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/collective.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/corba.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/duaconf.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/dyngroup.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/java.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/misc.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/openldap.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/pmi.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/ppolicy.ldif
```

4. Define the domain

The domain defined here is dc=yinhan,dc=com. Change it to suit your environment, for example to dc=test,dc=com. The suggested way to change it is a bulk substitution in vim: `:%s/dc=yinhan,dc=com/dc=xxx,dc=xxxx/g`

The olcRootPW value here is again the hash of 000000 generated earlier.

```
[root@ldapserver ~]# cat changedomain.ldif
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=admin,dc=yinhan,dc=com" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=yinhan,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin,dc=yinhan,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}LSgYPTUW4zjGtIVtuZ8cRUqqFRv1tWpE

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=yinhan,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=yinhan,dc=com" write by * read

[root@ldapserver ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f changedomain.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"
```

5. Configure memberof

```
[root@ldapserver ~]# cat add-memberof.ldif
dn: cn=module{0},cn=config
cn: module{0}
objectClass: olcModuleList
objectclass: top
olcModuleload: memberof.la
olcModulePath: /usr/lib64/openldap

dn: olcOverlay={0}memberof,olcDatabase={2}hdb,cn=config
objectClass: olcConfig
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: top
olcOverlay: memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfUniqueNames
olcMemberOfMemberAD: uniqueMember
olcMemberOfMemberOfAD: memberOf

[root@etcd-test 10:45:41 ~]# vim refint1.ldif
dn: cn=module{0},cn=config
add: olcmoduleload
olcmoduleload: refint

[root@etcd-test 10:45:53 ~]# vim refint2.ldif
dn: olcOverlay=refint,olcDatabase={2}hdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
objectClass: top
olcOverlay: refint
olcRefintAttribute: memberof uniqueMember manager owner

[root@ldapserver ~]# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f add-memberof.ldif
adding new entry "cn=module{0},cn=config"

adding new entry "olcOverlay={0}memberof,olcDatabase={2}hdb,cn=config"

[root@ldapserver ~]# echo $?
0
[root@ldapserver ~]# ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f refint1.ldif
modifying entry "cn=module{0},cn=config"

[root@ldapserver ~]# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f refint2.ldif
adding new entry "olcOverlay=refint,olcDatabase={2}hdb,cn=config"
```

6. Configure the base DN

```
[root@ldapserver ~]# cat base.ldif
dn: dc=yinhan,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: yinhan Company
dc: yinhan

dn: cn=admin,dc=yinhan,dc=com
objectClass: organizationalRole
cn: admin

dn: ou=People,dc=yinhan,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=yinhan,dc=com
objectClass: organizationalRole
cn: Group

[root@ldapserver ~]# ldapadd -x -D cn=admin,dc=yinhan,dc=com -f base.ldif -w 000000
Enter LDAP Password:
adding new entry "dc=yinhan,dc=com"

adding new entry "cn=admin,dc=yinhan,dc=com"

adding new entry "ou=People,dc=yinhan,dc=com"

adding new entry "ou=Group,dc=yinhan,dc=com"
```

7. Install phpldapadmin for management

This requires the EPEL yum repository.

```
[root@ldapserver ~]# yum install phpldapadmin -y
```

8. Adjust the httpd configuration

Add line 12, with the IP range set to your own network segment.

```
[root@ldapserver ~]# cat -n /etc/httpd/conf.d/phpldapadmin.conf
     1  #
     2  #  Web-based tool for managing LDAP servers
     3  #
     4
     5  Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
     6  Alias /ldapadmin /usr/share/phpldapadmin/htdocs
     7
     8  <Directory /usr/share/phpldapadmin/htdocs>
     9    <IfModule mod_authz_core.c>
    10      # Apache 2.4
    11      Require local
    12      Require ip 192.168.0.0/16
    13    </IfModule>
    14    <IfModule !mod_authz_core.c>
    15      # Apache 2.2
    16      Order Deny,Allow
    17      Allow from 127.0.0.1
    18      Allow from ::1
    19    </IfModule>
    20  </Directory>
```

9. Adjust the PHP configuration

Comment out line 389 and enable line 397.

```
[root@ldapserver ~]# vim /etc/phpldapadmin/config.php
397 $servers->setValue('login','attr','dn');
398 //$servers->setValue('login','attr','uid');
[root@ldapserver phpldapadmin]# systemctl restart httpd
```

10. Log in to the PHP management page

Login URL: http://ip/ldapadmin

The account is the one defined in step 4: cn=admin,dc=yinhan,dc=com

The password is also the one defined earlier.

To resolve a login error:

```
[root@ldapserver ~]# setsebool -P httpd_can_connect_ldap on
```

11. Sync user data from the old LDAP server (optional)

I had an existing LDAP server that had been running for many years. Its data can be imported into the new server with slapcat and slapadd.

```
[root@ldapserver bak]# systemctl stop slapd
[root@ldapserver bak]# grep "dn: uid" user.ldif
dn: uid=test1,ou=People,dc=yinhan,dc=com
dn: uid=test2,ou=People,dc=yinhan,dc=com

[root@ldapserver bak]# slapadd -n 2 -l user.ldif
.#################### 100.00% eta   none elapsed            none fast!
Closing DB...
[root@ldapserver bak]# systemctl start slapd
```

12. Client configuration

```
[root@compute02_11bak]# yum install -y openldap-clients nss-pam-ldapd
root@compute02_11:58:44_~ $ip a|grep "inet 17"
    inet 172.16.4.80/16 brd 172.16.255.255 scope global eth0
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
    inet 172.20.0.1/16 brd 172.20.255.255 scope global br-b76db9453ac8
    inet 172.23.0.1/16 brd 172.23.255.255 scope global br-f422a62a0cc9
root@compute02_11:58:55_~ $authconfig --enablemkhomedir --enableshadow --enableldap --enableldapauth --ldapserver=ldap://192.168.11.21 --ldapbasedn=dc=yinhan,dc=com --disableldaptls --enablecache --disablewinbindauth --disablesssdauth --updateall
getsebool:  SELinux is disabled
getsebool:  SELinux is disabled
root@compute02_11:59:03_~ $id liliangde
uid=1000(liliangde) gid=500(sa_test) 组=908(monitorUsers),917(hc_group),902(sa_group),903(dba_group),500(sa_test)
root@compute02_11:59:06_~ $id liliangde1
uid=1001(liliangde1) gid=500(sa_test) 组=500(sa_test)
root@compute02_11:59:07_~ $ssh liliangde1@172.16.4.80
liliangde1@172.16.4.80's password:
Creating directory '/data/home/liliangde1'.
Last login: Tue Jun 28 18:37:23 2022
liliangde1@compute02_11:59:35_~ $who
root     pts/0        2023-08-11 11:57 (mirrors.yh.com)
liliangde1 pts/1        2023-08-11 11:59 (compute02)
```

13. Integrate with JumpServer

Add a new group, following the options ticked in the red box. groupOfUnxxx must be ticked here.

I named the new group test_mem.

Once the group has been added, the uniqueMember attribute shows which users it contains:

```
[root@ldapserver bak]# ldapsearch -LL -Y EXTERNAL -H ldapi:/// "(cn=test_mem)" -b dc=yinhan,dc=com uniqueMember
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
version: 1

dn: cn=test_mem,ou=Group,dc=yinhan,dc=com
uniqueMember: cn=liliangde,ou=People,dc=yinhan,dc=com
```

Then configure the JumpServer side. After the configuration is done and the import is run, the new group is visible.
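
The LDIF files in steps 2 to 6 load only when every record starts with dn: and records are separated by a truly empty line, which is what breaks when LDIF is copied from a web page without cleaning it up. The lint below is an added example, not part of the original post; `ldif_lint` and `ldif_lint_demo` are hypothetical names, and the sample is constructed from the base.ldif records in step 6.

```shell
# Added example (not from the original post). ldif_lint is a hypothetical helper:
# prints "LINE: problem" per finding and returns 1 if anything was found.
ldif_lint() {
    awk '
    { sub(/\r$/, "") }                 # tolerate CRLF line endings
    /^#/ { next }                      # comment
    /^$/ { in_rec = 0; next }          # only a truly empty line ends a record
    /^[ \t]+$/ {
        printf "%d: whitespace-only line is not a record separator\n", NR
        bad = 1; in_rec = 0; next
    }
    /^ / { next }                      # folded continuation line
    /[ \t]$/ {
        printf "%d: trailing whitespace becomes part of the value\n", NR
        bad = 1
    }
    !in_rec && /^version:/ { next }    # optional header before first record
    !in_rec {
        in_rec = 1
        if ($0 !~ /^dn:/) {
            printf "%d: record does not start with dn:\n", NR; bad = 1
        }
        next
    }
    /^dn:/ {
        printf "%d: dn: inside a record, blank line missing above\n", NR
        bad = 1
    }
    END { exit bad + 0 }
    ' "$1"
}

# Constructed sample: two records from base.ldif in step 6 with the blank
# separator lost, which is what an unprocessed copy from a web page looks like.
ldif_lint_demo() {
    f=$(mktemp)
    printf '%s\n' \
        'dn: dc=yinhan,dc=com' \
        'objectClass: dcObject' \
        'objectClass: organization' \
        'o: yinhan Company' \
        'dc: yinhan' \
        'dn: ou=People,dc=yinhan,dc=com' \
        'objectClass: organizationalUnit' \
        'ou: People' > "$f"
    ldif_lint "$f"; rc=$?
    rm -f "$f"
    return "$rc"
}
```

Run it on each .ldif file before ldapadd or ldapmodify; it checks record structure only, not schema or attribute values.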