DevOps CI/CD Series (5): Unified login authentication with LDAP on CentOS 7.x


Posted 2020-2-10

1. Setting up OpenLDAP

1.1 Install the OpenLDAP service

```
[root@node3 ~]# yum install -y epel-release openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel migrationtools
```

1.2 Initialize the OpenLDAP administrator credentials

```
[root@node3 ~]# slappasswd -s 123456
{SSHA}gn0ZWIBguTeY2n/AVaTxuNc1tn/kxiiW
[root@node3 ~]# sed -i 's/cn=Manager/cn=admin/g' /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}hdb.ldif
[root@node3 ~]# sed -i 's/dc=my-domain,dc=com/dc=ldaptest,dc=com,dc=cn/g' /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}hdb.ldif
[root@node3 ~]# vim /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}hdb.ldif
olcSuffix: dc=ldaptest,dc=com,dc=cn
olcRootDN: cn=admin,dc=ldaptest,dc=com,dc=cn
olcRootPW: {SSHA}gn0ZWIBguTeY2n/AVaTxuNc1tn/kxiiW
[root@node3 ~]# sed -i 's/cn=Manager,dc=my-domain,dc=com/cn=admin,dc=ldaptest,dc=com,dc=cn/g' /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}monitor.ldif
[root@node3 ~]# vim /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}monitor.ldif
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=admin,dc=ldaptest,dc=com,dc=cn" read by * none
[root@node3 ~]# slaptest -u
5bea3013 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif"
5bea3013 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif"
config file testing succeeded
[root@node3 ~]# systemctl restart slapd
```

The checksum errors are a consequence of editing the files under slapd.d by hand; slaptest still accepts the configuration. The supported way to change cn=config is ldapmodify over ldapi:///, as the later sections do.

1.3 Configure the OpenLDAP database

```
[root@node3 ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@node3 ~]# chown ldap.ldap -R /var/lib/ldap/
[root@node3 ~]# chmod 700 -R /var/lib/ldap/
[root@node3 ~]# ll /var/lib/ldap/
total 324
-rwx------. 1 ldap ldap     2048 Nov 13 09:59 alock
-rwx------. 1 ldap ldap   262144 Nov 13 09:59 __db.001
-rwx------. 1 ldap ldap    32768 Nov 13 09:59 __db.002
-rwx------. 1 ldap ldap    49152 Nov 13 09:59 __db.003
-rwx------. 1 ldap ldap      845 Nov 13 10:00 DB_CONFIG
-rwx------. 1 ldap ldap     8192 Nov 13 09:59 dn2id.bdb
-rwx------. 1 ldap ldap    32768 Nov 13 09:59 id2entry.bdb
-rwx------. 1 ldap ldap 10485760 Nov 13 09:59 log.0000000001
[root@node3 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
[root@node3 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
You have mail in /var/spool/mail/root
[root@node3 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"
```

1.4 Initialize the directory tree and add the initial users and groups

```
[root@node3 ~]# vim /usr/share/migrationtools/migrate_common.ph
$DEFAULT_MAIL_DOMAIN = "ldaptest.com.cn";
$DEFAULT_BASE = "dc=ldaptest,dc=com,dc=cn";
$EXTENDED_SCHEMA = 1;
[root@node3 ~]# groupadd OPS
[root@node3 ~]# groupadd HR
[root@node3 ~]# useradd -g OPS charles
[root@node3 ~]# useradd -g HR fiona
[root@node3 ~]# echo "123456" | passwd --stdin charles
Changing password for user charles.
passwd: all authentication tokens updated successfully.
[root@node3 ~]# echo "123456" | passwd --stdin fiona
Changing password for user fiona.
passwd: all authentication tokens updated successfully.
[root@node3 ~]# grep "OPS" /etc/group > groups
[root@node3 ~]# grep "HR" /etc/group >> groups
[root@node3 ~]# grep "charles" /etc/passwd > users
[root@node3 ~]# grep "fiona" /etc/passwd >> users
[root@node3 ~]# /usr/share/migrationtools/migrate_passwd.pl users > users.ldif
[root@node3 ~]# /usr/share/migrationtools/migrate_group.pl groups > groups.ldif
[root@node3 ~]# vim base.ldif
dn: dc=ldaptest,dc=com,dc=cn
o: ldaptest.com.cn
dc: ldaptest
objectClass: top
objectClass: dcObject
objectclass: organization

dn: cn=admin,dc=ldaptest,dc=com,dc=cn
cn: admin
objectClass: organizationalRole
description: Directory Manager

dn: ou=People,dc=ldaptest,dc=com,dc=cn
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=ldaptest,dc=com,dc=cn
ou: Group
objectClass: top
objectClass: organizationalUnit
[root@node3 ~]# ldapadd -x -w "123456" -D "cn=admin,dc=ldaptest,dc=com,dc=cn" -f base.ldif
[root@node3 ~]# ldapadd -x -w "123456" -D "cn=admin,dc=ldaptest,dc=com,dc=cn" -f users.ldif
[root@node3 ~]# ldapadd -x -w "123456" -D "cn=admin,dc=ldaptest,dc=com,dc=cn" -f groups.ldif
```

1.5 Enable logging for the OpenLDAP service

```
[root@node3 ~]# vim loglevel.ldif
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats
[root@node3 ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f loglevel.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
[root@node3 ~]# vim /etc/rsyslog.conf
local4.*    /var/log/slapd/slapd.log
[root@node3 ~]# systemctl restart rsyslog
[root@node3 ~]# systemctl restart slapd
```

1.6 Disable anonymous binds

```
[root@node3 ~]# vim disable_anon.ldif
dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon

dn: cn=config
changetype: modify
add: olcRequires
olcRequires: authc

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcRequires
olcRequires: authc
[root@node3 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /root/disable_anon.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
modifying entry "cn=config"
modifying entry "olcDatabase={-1}frontend,cn=config"
```

2. Set up LDAP Account Manager to manage OpenLDAP

In this example I installed LAM 6.5. According to the changelog on the official site, this version no longer supports httpd 2.2 and requires PHP 7.2 or later; for details see: https://www.ldap-account-manager.org/lamcms/changelog
2.1 Install httpd and PHP 7.2

```
[root@node3 src]# yum install -y httpd
# remove any PHP version currently installed on the system
[root@node3 src]# yum -y remove php*
[root@node3 src]# rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
[root@node3 src]# rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm
[root@node3 src]# yum install -y php72w php72w-ldap php72w-gd php72w-common
```

2.2 Download and install LAM

```
[root@node3 ~]# cd /usr/local/src/
[root@node3 src]# wget https://nchc.dl.sourceforge.net/project/lam/LAM/6.5/ldap-account-manager-6.5.tar.bz2
[root@node3 src]# tar jxf ldap-account-manager-6.5.tar.bz2
[root@node3 src]# mv ldap-account-manager-6.5 /var/www/html/ldap
[root@node3 src]# cd /var/www/html/ldap/config
[root@node3 config]# cp config.cfg.sample config.cfg
[root@node3 config]# cp unix.conf.sample lam.conf
[root@node3 config]# sed -i "s/dc=my-domain,dc=com/dc=ldaptest,dc=com,dc=cn/g" lam.conf
[root@node3 config]# sed -i "s/cn=Manager/cn=admin/g" lam.conf
[root@node3 config]# sed -i "s/dc=yourdomain,dc=org/dc=ldaptest,dc=com,dc=cn/g" lam.conf
[root@node3 config]# chown -R apache.apache /var/www/html/ldap/
[root@node3 config]# systemctl start httpd
```
3. Configure CentOS 7 to use OpenLDAP as its authentication source

3.1 Install the OpenLDAP client packages

```
[root@localhost ~]# yum install -y openldap-clients nss-pam-ldapd
```

3.2 Edit the nslcd configuration file

```
[root@localhost ~]# vim /etc/nslcd.conf
uri ldap://10.10.10.11/
base dc=ldaptest,dc=com,dc=cn
# If the server disallows anonymous binds, the client must be configured with an
# account (and its password) that has read access, otherwise lookups fail.
binddn cn=admin,dc=ldaptest,dc=com,dc=cn
# same as above
bindpw 123456
rootpwmoddn cn=admin,dc=ldaptest,dc=com,dc=cn
rootpwmodpw 123456
ssl no
tls_cacertdir /etc/openldap/cacerts
```

Note that this configuration places the directory's rootdn password on every client; a dedicated read-only bind account is the safer choice for binddn.

3.3 Edit the system-auth configuration file

```
[root@localhost ~]# vim /etc/pam.d/system-auth
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass        # added
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so   # added
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok           # added
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     optional      pam_ldap.so                       # added
session     required      pam_unix.so
```

3.4 Edit nsswitch.conf

```
[root@localhost ~]# vim /etc/nsswitch.conf
passwd:     files ldap
shadow:     files ldap
group:      files ldap
```

3.5 Edit the authconfig file

```
[root@localhost ~]# vim /etc/sysconfig/authconfig
USELOCAUTHORIZE=yes
USELDAPAUTH=yes
USELDAP=yes
USESHADOW=yes
```

3.6 Start the nslcd service

```
[root@localhost ~]# systemctl restart nslcd
# If the following command returns the user's details from OpenLDAP, the configuration is working.
[root@localhost ~]# getent passwd charles
charles:x:1000:1000:charles:/home/charles:/bin/bash
```

3.7 Create the home directory automatically on first login

```
[root@localhost ~]# vim /etc/pam.d/system-auth
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
# add the module that creates the home directory
session     optional      pam_mkhomedir.so skel=/etc/skel umask=077
[root@localhost ~]# vim /etc/pam.d/sshd
#%PAM-1.0
auth       required     pam_sepermit.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
# add the module
session    required     pam_mkhomedir.so
# restart the affected services
[root@localhost ~]# service sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd:                                             [  OK  ]
[root@localhost ~]# service nslcd restart
Stopping nslcd:                                            [  OK  ]
Starting nslcd:                                            [  OK  ]
```

Once this is configured, the first time an OpenLDAP-authenticated user logs in, the system creates that user's home directory automatically.
4. Manage sudo privileges through OpenLDAP

4.1 Import the sudo schema on the OpenLDAP server

```
[root@node3 ~]# cp -f /usr/share/doc/sudo-1.8.19p2/schema.OpenLDAP /etc/openldap/schema/sudo.schema
[root@node3 ~]# restorecon /etc/openldap/schema/sudo.schema
[root@node3 ~]# mkdir ~/sudo
[root@node3 ~]# echo "include /etc/openldap/schema/sudo.schema" > ~/sudo/sudoSchema.conf
[root@node3 ~]# slapcat -f ~/sudo/sudoSchema.conf -F /tmp/ -n0 -s "cn={0}sudo,cn=schema,cn=config" > ~/sudo/sudo.ldif
[root@node3 ~]# sed -i "s/{0}sudo/{12}sudo/g" ~/sudo/sudo.ldif
[root@node3 ~]# head -n-8 ~/sudo/sudo.ldif > ~/sudo/sudo-config.ldif
[root@node3 ~]# vim ~/sudo/sudo-config.ldif
[root@node3 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f ~/sudo/sudo-config.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn={12}sudo,cn=schema,cn=config"
[root@node3 ~]# ls /etc/openldap/slapd.d/cn\=config/cn\=schema
cn={0}core.ldif  cn={1}cosine.ldif  cn={2}nis.ldif  cn={3}inetorgperson.ldif  cn={4}sudo.ldif
```

4.2 Define the sudo groups and rules

```
[root@node3 ~]# vim sudoenv.ldif
dn: ou=sudoers,dc=ldaptest,dc=com,dc=cn
objectClass: organizationalUnit
ou: sudoers

dn: cn=defaults,ou=sudoers,dc=ldaptest,dc=com,dc=cn
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: requiretty
sudoOption: always_set_home
sudoOption: env_reset
sudoOption: env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
sudoOption: env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
sudoOption: env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
sudoOption: env_keep+="LC_MONETARY LC_NAME LC_NUMBERIC LC_PAPER LC_TELEPHONE"
sudoOption: env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
sudoOption: secure_path=/sbin:/bin:/usr/sbin/:/usr/bin
[root@node3 ~]# vim sudorules.ldif
dn: cn=%admin,ou=sudoers,dc=ldaptest,dc=com,dc=cn
objectClass: sudoRole
cn: %admin
sudoUser: %admin
sudoHost: ALL
sudoOption: authenticate
sudoCommand: /bin/rm
sudoCommand: /bin/rmdir
sudoCommand: /bin/chmod
sudoCommand: /bin/chown
sudoCommand: /bin/dd
sudoCommand: /bin/mv
sudoCommand: /bin/cp
sudoCommand: /sbin/fsck*
sudoCommand: /sbin/*remove
sudoCommand: /usr/bin/chattr
sudoCommand: /sbin/mkfs*
sudoCommand: !/usr/bin/passwd
sudoOrder: 0

dn: cn=%app,ou=sudoers,dc=ldaptest,dc=com,dc=cn
objectClass: sudoRole
cn: %app
sudoUser: %app
sudoHost: ALL
sudoRunAsUser: appman
sudoOption: !authenticate
sudoCommand: /bin/bash
[root@node3 ~]# ldapadd -D "cn=admin,dc=ldaptest,dc=com,dc=cn" -h 10.10.10.35 -x -W -f sudoenv.ldif
Enter LDAP Password:
adding new entry "ou=sudoers,dc=ldaptest,dc=com,dc=cn"
adding new entry "cn=defaults,ou=sudoers,dc=ldaptest,dc=com,dc=cn"
[root@node3 ~]# ldapadd -D "cn=admin,dc=ldaptest,dc=com,dc=cn" -h 10.10.10.35 -x -W -f sudorules.ldif
Enter LDAP Password:
adding new entry "cn=%admin,ou=sudoers,dc=ldaptest,dc=com,dc=cn"
adding new entry "cn=%app,ou=sudoers,dc=ldaptest,dc=com,dc=cn"
```

Once this is in place, create a group named admin and add the relevant administrator users as its members; when such a user logs in on a system configured to read its sudo rules from OpenLDAP, they receive the corresponding sudo privileges. Bear in mind that cp, mv, dd, chmod and chown run as root can overwrite any file, so the %admin rule is effectively full root, and the %app rule gives its members a password-less interactive shell as appman; membership of both groups should be treated accordingly.
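Rules like the ones above are easiest to review before they go live. The following added example (not part of the original post) parses sudoRole entries written in the shape of sudorules.ldif and flags the grants a reviewer should look at; the sample LDIF, the FILE_WRITERS and SHELLS sets and the parse_ldif helper are my own constructions, and the default run-as user of root is an assumption matching sudo's behaviour when no sudoRunAsUser is set.

```python
# Constructed sample in the shape of the page's sudorules.ldif (not the page's own file).
SUDO_RULES_LDIF = """\
dn: cn=%admin,ou=sudoers,dc=ldaptest,dc=com,dc=cn
objectClass: sudoRole
cn: %admin
sudoUser: %admin
sudoOption: authenticate
sudoCommand: /bin/rm
sudoCommand: /bin/chown
sudoCommand: /bin/cp
sudoCommand: !/usr/bin/passwd

dn: cn=%app,ou=sudoers,dc=ldaptest,dc=com,dc=cn
objectClass: sudoRole
cn: %app
sudoUser: %app
sudoRunAsUser: appman
sudoOption: !authenticate
sudoCommand: /bin/bash
"""

# Commands that, run as root, can rewrite arbitrary files and are therefore root-equivalent.
FILE_WRITERS = {"/bin/cp", "/bin/mv", "/bin/dd", "/bin/chmod", "/bin/chown"}
SHELLS = {"/bin/bash", "/bin/sh"}

def parse_ldif(text):
    """Minimal LDIF reader (assumes no base64 values or continuation lines): one dict per entry,
    every attribute kept as a list because sudoCommand and sudoOption are multi-valued."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        key, _, val = line.partition(":")
        cur.setdefault(key.strip(), []).append(val.strip())
    if cur:
        entries.append(cur)
    return entries

def audit_sudo_roles(text):
    """Return {cn: [findings]} for every sudoRole that grants commands; [] means nothing flagged."""
    report = {}
    for e in parse_ldif(text):
        if "sudoRole" not in e.get("objectClass", []) or "sudoCommand" not in e:
            continue
        name = e["cn"][0]
        opts = e.get("sudoOption", [])
        runas = e.get("sudoRunAsUser", ["root"])   # sudo runs as root when no runas user is given
        allowed = {c.split()[0] for c in e["sudoCommand"] if not c.startswith("!")}
        findings = []
        if "!authenticate" in opts:
            findings.append("no password required (!authenticate)")
        if allowed & SHELLS:
            findings.append("grants an interactive shell as " + ",".join(runas))
        if "root" in runas and allowed & FILE_WRITERS:
            findings.append("root-equivalent file-writing commands: " + ", ".join(sorted(allowed & FILE_WRITERS)))
        report[name] = findings
    return report
```

The same function can be run on the output of `ldapsearch -LLL -b ou=sudoers,dc=ldaptest,dc=com,dc=cn` to review the rules actually stored in the directory.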
4.3 Configure the sudo settings on the CentOS 7 client

```
[root@localhost ~]# vim /etc/nsswitch.conf
# append at the end of the file
sudoers: ldap files
[root@localhost ~]# vim /etc/sudo-ldap.conf
binddn cn=admin,dc=ldaptest,dc=com,dc=cn
bindpw 123456
uri ldap://10.10.10.35
# append at the end of the file
sudoers_base ou=sudoers,dc=ldaptest,dc=com,dc=cn
```

Once configured, log in to the client as the user in question to verify the sudo privileges; the output looks like the following:
```
[charles@localhost ~]$ sudo -l
[sudo] password for charles:
Matching Defaults entries for charles on localhost:
    requiretty, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION
    LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMBERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME
    LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin:/bin:/usr/sbin/:/usr/bin, !visiblepw,
    always_set_home, match_group_by_gid, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION
    LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME
    LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User charles may run the following commands on localhost:
    (root) PASSWD: /bin/rm, /bin/rmdir, /bin/chmod, /bin/chown, /bin/dd, /bin/mv, /bin/cp, /sbin/fsck*, /sbin/*remove,
        /usr/bin/chattr, /sbin/mkfs*, !/usr/bin/passwd
```

5. OpenLDAP user password management

5.1 Load the ppolicy schema on the OpenLDAP server

```
[root@node3 ~]# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/ppolicy.ldif
adding new entry "cn=ppolicy,cn=schema,cn=config"
```

5.2 Load the ppolicy module and its overlay objectClass on the server

```
[root@node3 ~]# vim add_module.ldif
dn: cn=module,cn=config
cn: module
objectClass: olcModuleList
olcModulePath: /usr/lib64/openldap

dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy.la
[root@node3 ~]# vim add_objectClass.ldif
dn: olcOverlay=ppolicy,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=policy,dc=ldaptest,dc=com,dc=cn
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: TRUE
[root@node3 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f add_module.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=module,cn=config"
modifying entry "cn=module{0},cn=config"
[root@node3 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f add_objectClass.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "olcOverlay=ppolicy,olcDatabase={2}hdb,cn=config"
```

5.3 Define the password policy container on the server

```
[root@node3 ~]# vim ppolicy.ldif
dn: ou=policy,dc=ldaptest,dc=com,dc=cn
objectClass: organizationalUnit
ou: policy
[root@node3 ~]# ldapadd -x -D "cn=admin,dc=ldaptest,dc=com,dc=cn" -h 10.10.10.35 -W -f ppolicy.ldif
Enter LDAP Password:
adding new entry "ou=policy,dc=ldaptest,dc=com,dc=cn"
```

5.4 Define the default password rules on the server

```
[root@node3 ~]# vim ppolicy_rules.ldif
dn: cn=default,ou=policy,dc=ldaptest,dc=com,dc=cn
cn: default
objectClass: pwdPolicy
objectClass: person
objectClass: pwdPolicyChecker
# invoke the password-complexity checking module
pwdCheckModule: check_password.so
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdExpireWarning: 259200
pwdFailureCountInterval: 0
pwdGraceAuthNLimit: 5
# 0 (default) = do not check password strength; 1 = check strength and call the module to
# check complexity, falling back to the ppolicy attributes alone if the module is missing;
# 2 = enforce the check, and treat a missing module as a failed check.
pwdCheckQuality: 1
pwdInHistory: 5
pwdLockout: TRUE
pwdLockoutDuration: 300
pwdMaxAge: 259200
pwdMinAge: 0
pwdMaxFailure: 5
pwdMinLength: 8
pwdMustChange: TRUE
pwdSafeModify: TRUE
pwdReset: TRUE
sn: dummy value
[root@node3 ~]# ldapadd -x -D "cn=admin,dc=ldaptest,dc=com,dc=cn" -h 10.10.10.35 -W -f ppolicy_rules.ldif
Enter LDAP Password:
adding new entry "cn=default,ou=policy,dc=ldaptest,dc=com,dc=cn"
# configure the password-complexity rules
[root@node3 ~]# vim /etc/openldap/check_password.conf
# OpenLDAP pwdChecker library configuration
#useCracklib 1
# at least three of the rules must be satisfied; the five rules are combined with AND and
# checked in order, so if all of them are enabled the password must satisfy every rule
minPoints 3
# at least 1 uppercase letter
minUpper 1
# at least 1 lowercase letter
minLower 1
# at least 1 digit
minDigit 1
# at least 1 punctuation character
minPunct 1
```

Note that LDIF and check_password.conf only accept comments on their own lines starting with #, not at the end of a value line.
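To see what the policy above accepts and rejects before users hit it, the following added example (not part of the original post, and not the ppolicy overlay's own code) models the rules with the values from ppolicy_rules.ldif and check_password.conf. The class-counting and lockout semantics are my assumptions based on the page's description; the real overlay keeps hashes in pwdHistory and operational attributes such as pwdFailureTime on the user entry.

```python
# Values copied from the ppolicy_rules.ldif and check_password.conf shown above.
POLICY = {"pwdMinLength": 8, "pwdInHistory": 5, "pwdMaxFailure": 5, "pwdLockoutDuration": 300,
          "minPoints": 3, "minUpper": 1, "minLower": 1, "minDigit": 1, "minPunct": 1}

# Character classes as check_password counts them (assumption: ASCII-style classes).
CLASSES = {
    "Upper": str.isupper,
    "Lower": str.islower,
    "Digit": str.isdigit,
    "Punct": lambda ch: not ch.isalnum() and not ch.isspace(),
}

def check_password(candidate, history=(), policy=POLICY):
    """Return the reasons a candidate would be rejected; an empty list means it passes.
    Assumed semantics: one quality point per character class present, at least minPoints
    points required, and every min* value enforced as a hard minimum. pwdInHistory is
    modelled on plaintext here; the overlay itself compares against stored hashes."""
    reasons = []
    if len(candidate) < policy["pwdMinLength"]:
        reasons.append(f"shorter than pwdMinLength={policy['pwdMinLength']}")
    counts = {name: sum(1 for ch in candidate if test(ch)) for name, test in CLASSES.items()}
    points = sum(1 for n in counts.values() if n > 0)
    if points < policy["minPoints"]:
        reasons.append(f"only {points} character classes, minPoints={policy['minPoints']}")
    for name, n in counts.items():
        need = policy["min" + name]
        if n < need:
            reasons.append(f"needs at least {need} {name.lower()} character(s)")
    if candidate in list(history)[-policy["pwdInHistory"]:]:
        reasons.append(f"reused within the last pwdInHistory={policy['pwdInHistory']} passwords")
    return reasons

def is_locked_out(failure_times, now, policy=POLICY):
    """Model the lockout the policy enables. pwdFailureCountInterval=0 means failed binds
    never age out (only a successful bind clears them); once pwdMaxFailure failures have
    accumulated, the account stays locked for pwdLockoutDuration seconds counted from the
    failure that reached the limit (assumed semantics). Times are seconds."""
    failures = sorted(failure_times)
    if len(failures) < policy["pwdMaxFailure"]:
        return False
    locked_at = failures[policy["pwdMaxFailure"] - 1]
    return now - locked_at < policy["pwdLockoutDuration"]
```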

```
# ACL that lets users change their own password
[root@node3 ~]# vim pw_access.ldif
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcAccess
olcAccess: to attrs=userPassword by self write by anonymous auth by dn.base="cn=admin,dc=ldaptest,dc=com,dc=cn" write by * none
olcAccess: to * by self write by dn.base="cn=admin,dc=ldaptest,dc=com,dc=cn" write by * read

# change the default password hash algorithm
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcPasswordHash
olcPasswordHash: {MD5}
[root@node3 ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f pw_access.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={-1}frontend,cn=config"
[root@node3 ~]# vim pwreset.ldif
dn: uid=charles,ou=People,dc=ldaptest,dc=com,dc=cn
changetype: modify
replace: pwdReset
pwdReset: TRUE
[root@node3 ~]# ldapadd -x -D "cn=admin,dc=ldaptest,dc=com,dc=cn" -h 10.10.10.35 -W -f pwreset.ldif
Enter LDAP Password:
modifying entry "uid=charles,ou=People,dc=ldaptest,dc=com,dc=cn"
[root@node3 ~]# ldapwhoami -x -D "uid=charles,ou=People,dc=ldaptest,dc=com,dc=cn" -W -e ppolicy -v
ldap_initialize(  )
Enter LDAP Password:
ldap_bind: Success (0); Password must be changed (Password expires in 258868 seconds)
dn:uid=charles,ou=People,dc=ldaptest,dc=com,dc=cn
Result: Success (0)
```

Note that {MD5} is an unsalted scheme: two users with the same password get identical userPassword values. {SSHA}, which slappasswd produced in section 1.2 and which is OpenLDAP's default, is the better choice for olcPasswordHash.

In some cases, when pwdReset is used to force a password change at login, the user cannot log in at all. In that situation you can instead set the user's shadowLastChange attribute to 0, which expires the password explicitly so that the next login triggers the password-change prompt. For example:
```
[root@node3 ~]# vim pwExpire.ldif
dn: uid=charles,ou=People,dc=ldaptest,dc=com,dc=cn
changetype: modify
replace: shadowLastChange
shadowLastChange: 0
[root@node3 ~]# ldapadd -x -D "cn=admin,dc=ldaptest,dc=com,dc=cn" -h 10.10.10.35 -W -f pwExpire.ldif
Enter LDAP Password:
modifying entry "uid=charles,ou=People,dc=ldaptest,dc=com,dc=cn"
```

5.6 Configure password audit logging on the server
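The difference between the {SSHA} value slappasswd produced in section 1.2 and the {MD5} scheme chosen in section 5.5 is easiest to see by building and checking both formats. The following added example (not part of the original post, and not OpenLDAP's own code) does that in plain Python; the 4-byte random salt mirrors what slappasswd emits, and the helper names are my own.

```python
import base64
import hashlib
import hmac
import os

def ssha_hash(password, salt=None):
    """Build a {SSHA} userPassword value as slappasswd does: base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt   # slappasswd uses a 4-byte random salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def md5_hash(password):
    """Build a {MD5} value, the unsalted scheme section 5.5 sets in olcPasswordHash."""
    return "{MD5}" + base64.b64encode(hashlib.md5(password.encode()).digest()).decode()

def verify(stored, password):
    """Check a candidate password against a stored {SSHA} or {MD5} userPassword value."""
    scheme, _, b64 = stored.partition("}")
    raw = base64.b64decode(b64)
    if scheme == "{SSHA":
        digest, salt = raw[:20], raw[20:]   # SHA-1 digest is 20 bytes; whatever follows is the salt
        return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)
    if scheme == "{MD5":
        return hmac.compare_digest(hashlib.md5(password.encode()).digest(), raw)
    raise ValueError("unsupported scheme " + scheme + "}")

def hides_shared_passwords(hash_fn, password):
    """True when hashing the same password twice gives different stored values, i.e. the
    scheme is salted and an attacker with the directory cannot spot users sharing a password."""
    return hash_fn(password) != hash_fn(password)
```

The value printed by slappasswd in section 1.2 can be checked the same way with `verify("{SSHA}...", "123456")`.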

```
[root@node3 ~]# vim add_audit.ldif
dn: cn=module,cn=config
cn: module
objectClass: olcModuleList
olcModulePath: /usr/lib64/openldap

dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: auditlog.la
[root@node3 ~]# vim add_auditlog_objectClass.ldif
dn: olcOverlay=auditlog,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcAuditLogConfig
olcOverlay: auditlog
# path of the log file that records the password changes
olcAuditlogFile: /var/log/slapd/auditlog.log
[root@node3 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f add_audit.ldif
[root@node3 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f add_auditlog_objectClass.ldif
[root@node3 ~]# mkdir /var/log/slapd
[root@node3 ~]# touch /var/log/slapd/auditlog.log
[root@node3 ~]# chown -R ldap.ldap /var/log/slapd/auditlog.log
[root@node3 ~]# systemctl restart slapd
[root@node3 ~]# systemctl restart rsyslog
```

If cn=module,cn=config already exists from step 5.2, the first entry in add_audit.ldif fails with an "Already exists" error and ldapadd stops there; in that case keep only the modify operation on cn=module{0},cn=config. The auditlog overlay writes every modification to the file in LDIF form, userPassword values included, so keep the file readable by the ldap user only.

Once configured, every password change made by a user is recorded in the file at the specified path.
Author: waymomo