温馨提示:要看高清无码套图,请使用手机打开并单击图片放大查看。
Fayson的github:https://github.com/fayson/cdhproject
提示:代码块部分可以左右滑动查看噢
1.文档编写目的
前面Fayson文章讲《1.如何在RedHat7上安装OpenLDA并配置客户端》,安装及配置好OpenLDAP后,如何使用OpenLDAP上的用户登录集群服务器,本篇文章主要介绍如何在RedHat7中实现OpenLDAP集成SSH登录并使用sssd同步用户。
1.安装OpenLDAP客户端及依赖包
2.OpenLDAP客户端SSSD配置
3.OpenLDAP与SSH集成
4.验证SSH登录
1.RedHat7.3
2.OpenLDAP版本2.4.40
1.OpenLDAP已安装且服务正常
2.OpenLDAP客户端SSSD配置
1.客户端安装软件包
yum -y install openldap-clients sssd authconfig nss-pam-ldapd
(可左右滑动)
2.将OpenLDAP服务器的/etc/openldap/certs目录下的ldap.key和ldap.crt文件拷贝至OpenLDAP客户端节点(如果OpenLDAP服务未启用TLS则跳过此步)
在客户端节点上执行如下命令:
[root@ip-172-31-30-69 openldap]# cacertdir_rehash /etc/openldap/certs/
[root@ip-172-31-30-69 openldap]# ll /etc/openldap/certs/
(可左右滑动)
3.执行如下命令启用sssd服务(在如下参数中--enableldaptls 如果OpenLDAP服务未启用TLS则将此参数修改为--disableldaptls)
authconfig --enablesssd --enablesssdauth --enablerfc2307bis --enableldap --enableldapauth --disableforcelegacy --enableldaptls --disablekrb5 --ldapserver ldap://ip-172-31-24-169.ap-southeast-1.compute.internal --ldapbasedn "dc=fayson,dc=com" --enablemkhomedir --update
(可左右滑动)
4.修改/etc/sssd/sssd.conf文件,在执行authconfig命令时会默认生成,如果文件不存在则新建,文件内容如下:
[root@ip-172-31-30-69 certs]# vim /etc/sssd/sssd.conf
[domain/default]
autofs_provider = ldap
ldap_schema = rfc2307bis
krb5_realm = FAYSON.COM
ldap_search_base = dc=fayson,dc=com
krb5_server = ip-172-31-16-68.ap-southeast-1.compute.internal
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://ip-172-31-24-169.ap-southeast-1.compute.internal
ldap_id_use_start_tls = True
ldap_tls_reqcert = allow
cache_credentials = True
ldap_tls_cacertdir = /etc/openldap/cacerts
[sssd]
services = nss, pam, autofs
domains = default
[nss]
homedir_substring = /home
[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
[secrets]
(可左右滑动)
注意:上图截图中,如果OpenLDAP服务启用了TLS则需要添加ldap_tls_reqcert = allow配置
修改sssd.conf文件权限
chmod 600 /etc/sssd/sssd.conf
(可左右滑动)
5.启动sssd服务并加入系统自启动
[root@ip-172-31-30-69 ~]# systemctl start sssd
[root@ip-172-31-30-69 ~]# systemctl enable sssd
[root@ip-172-31-30-69 ~]# systemctl status sssd
(可左右滑动)
6.至此完成sssd的配置,可以通过id查看用户OpenLDAP的用户
[root@ip-172-31-30-69 ~]# more /etc/passwd|grep fayson
[root@ip-172-31-30-69 ~]# id fayson
(可左右滑动)
可以看到fayson用户是通过OpenLDAP添加的,在本地是没有fayson这个用户。
至此已完成SSSD的配置。
3.OpenLdap与SSH集成
1.修改配置文件/etc/ssh/sshd_config,是ssh通过pam认证账户
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.
UsePAM yes
(可左右滑动)
注意:默认使用的是密码认证方式,在集成SSH登录时需要确保PasswordAuthentication yes配置为yes
2.修改配置文件/etc/pam.d/sshd,以确认调用pam认证文件
[root@ip-172-31-30-69 sssd]# vim /etc/pam.d/sshd
#%PAM-1.0
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user cont
ext
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
session required pam_mkhomedir.so #加入此行后确保登录成功后创建用户的home目录
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare
(可左右滑动)
3.修改配置文件
[root@ip-172-31-30-69 sssd]# vim /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
#auth sufficient pam_sss.so forward_pass
auth sufficient pam_ldap.so forward_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
#account [default=bad success=ok user_unknown=ignore] pam_sss.so
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authto
k_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
#password sufficient pam_sss.so use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
#session optional pam_sss.so
session optional pam_ldap.so
(可左右滑动)
注意:将上图标注部分对应的pam_sss.so配置修改为pam_ldap.so
4.修改/etc/pam.d/system-auth配置文件
[root@ip-172-31-30-69 pam.d]# vim system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
#auth sufficient pam_sss.so forward_pass
auth sufficient pam_ldap.so forward_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
#account [default=bad success=ok user_unknown=ignore] pam_sss.so
ccount [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authto
k_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
#password sufficient pam_sss.so use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so skel=/etc/skel/ umask=0022
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
#session optional pam_sss.so
session optional pam_ldap.so
(可左右滑动)
注意:将上图标注部分对应的pam_sss.so配置修改为pam_ldap.so并增加pam_mkhomedir.so配置
5.重启sshd服务
[root@ip-172-31-30-69 pam.d]# systemctl restart sshd
[root@ip-172-31-30-69 pam.d]# systemctl status sshd
(可左右滑动)
到此为止就完成了OpenLDAP与SSH的集成。
4.验证SSH登录
1.确认testldap用户只存在于OpenLDAP
[root@ip-172-31-30-69 ~]# more /etc/passwd |grep testldap
[root@ip-172-31-30-69 ~]# id testldap
uid=10100(testldap) gid=10100(testldap) groups=10100(testldap)
[root@ip-172-31-30-69 ~]#
(可左右滑动)
2.su切换至testldap用户
[root@ip-172-31-30-69 ~]# su testldap
[testldap@ip-172-31-30-69 root]$ cd ~
[testldap@ip-172-31-30-69 ~]$ pwd
/home/testldap
[testldap@ip-172-31-30-69 ~]$ id
uid=10100(testldap) gid=10100(testldap) groups=10100(testldap)
[testldap@ip-172-31-30-69 ~]$
(可左右滑动)
3.ssh登录本机
[root@ip-172-31-30-69 ~]# ssh testldap@localhost
testldap@localhost's password:
Last login: Wed Apr 4 05:36:27 2018 from localhost
[testldap@ip-172-31-30-69 ~]$ pwd
/home/testldap
[testldap@ip-172-31-30-69 ~]$ id
uid=10100(testldap) gid=10100(testldap) groups=10100(testldap)
[testldap@ip-172-31-30-69 ~]$
(可左右滑动)
4.ssh远程登录
[root@ip-172-31-16-68 ~]# ssh testldap@ip-172-31-30-69
testldap@ip-172-31-30-69's password:
Last login: Wed Apr 4 05:46:03 2018 from ip-172-31-16-68.ap-southeast-1.compute.internal
[testldap@ip-172-31-30-69 ~]$ pwd
/home/testldap
[testldap@ip-172-31-30-69 ~]$ id
uid=10100(testldap) gid=10100(testldap) groups=10100(testldap)
[testldap@ip-172-31-30-69 ~]$
(可左右滑动)
5.总结
提示:代码块部分可以左右滑动查看噢
为天地立心,为生民立命,为往圣继绝学,为万世开太平。 温馨提示:要看高清无码套图,请使用手机打开并单击图片放大查看。
推荐关注Hadoop实操,第一时间,分享更多Hadoop干货,欢迎转发和分享。