首页
学习
活动
专区
工具
TVP
发布
社区首页 >专栏 >2.如何在RedHat7中实现OpenLDAP集成SSH登录并使用sssd同步用户

2.如何在RedHat7中实现OpenLDAP集成SSH登录并使用sssd同步用户

作者头像
Fayson
发布2018-04-18 10:22:52
8.4K1
发布2018-04-18 10:22:52
举报
文章被收录于专栏:Hadoop实操Hadoop实操

温馨提示:要看高清无码套图,请使用手机打开并单击图片放大查看。

Fayson的github:https://github.com/fayson/cdhproject

提示:代码块部分可以左右滑动查看噢

1.文档编写目的


前面Fayson文章讲《1.如何在RedHat7上安装OpenLDA并配置客户端》,安装及配置好OpenLDAP后,如何使用OpenLDAP上的用户登录集群服务器,本篇文章主要介绍如何在RedHat7中实现OpenLDAP集成SSH登录并使用sssd同步用户。

  • 内容概述

1.安装OpenLDAP客户端及依赖包

2.OpenLDAP客户端SSSD配置

3.OpenLDAP与SSH集成

4.验证SSH登录

  • 测试环境

1.RedHat7.3

2.OpenLDAP版本2.4.40

  • 测试环境

1.OpenLDAP已安装且服务正常

2.OpenLDAP客户端SSSD配置


1.客户端安装软件包

yum -y install openldap-clients sssd authconfig nss-pam-ldapd

(可左右滑动)

2.将OpenLDAP服务器的/etc/openldap/certs目录下的ldap.key和ldap.crt文件拷贝至OpenLDAP客户端节点(如果OpenLDAP服务未启用TLS则跳过此步)

在客户端节点上执行如下命令:

[root@ip-172-31-30-69 openldap]# cacertdir_rehash /etc/openldap/certs/
[root@ip-172-31-30-69 openldap]# ll /etc/openldap/certs/

(可左右滑动)

3.执行如下命令启用sssd服务(在如下参数中--enableldaptls 如果OpenLDAP服务未启用TLS则将此参数修改为--disableldaptls)

authconfig --enablesssd --enablesssdauth --enablerfc2307bis --enableldap --enableldapauth --disableforcelegacy --enableldaptls --disablekrb5 --ldapserver ldap://ip-172-31-24-169.ap-southeast-1.compute.internal --ldapbasedn "dc=fayson,dc=com" --enablemkhomedir --update

(可左右滑动)

4.修改/etc/sssd/sssd.conf文件,在执行authconfig命令时会默认生成,如果文件不存在则新建,文件内容如下:

[root@ip-172-31-30-69 certs]# vim /etc/sssd/sssd.conf
[domain/default]
autofs_provider = ldap
ldap_schema = rfc2307bis
krb5_realm = FAYSON.COM
ldap_search_base = dc=fayson,dc=com
krb5_server = ip-172-31-16-68.ap-southeast-1.compute.internal
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://ip-172-31-24-169.ap-southeast-1.compute.internal
ldap_id_use_start_tls = True
ldap_tls_reqcert = allow
cache_credentials = True
ldap_tls_cacertdir = /etc/openldap/cacerts
[sssd]
services = nss, pam, autofs
domains = default
[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

[secrets]

(可左右滑动)

注意:上图截图中,如果OpenLDAP服务启用了TLS则需要添加ldap_tls_reqcert = allow配置

修改sssd.conf文件权限

chmod 600 /etc/sssd/sssd.conf 

(可左右滑动)

5.启动sssd服务并加入系统自启动

[root@ip-172-31-30-69 ~]# systemctl start sssd
[root@ip-172-31-30-69 ~]# systemctl enable sssd
[root@ip-172-31-30-69 ~]# systemctl status sssd

(可左右滑动)

6.至此完成sssd的配置,可以通过id查看用户OpenLDAP的用户

[root@ip-172-31-30-69 ~]# more /etc/passwd|grep fayson
[root@ip-172-31-30-69 ~]# id fayson

(可左右滑动)

可以看到fayson用户是通过OpenLDAP添加的,在本地是没有fayson这个用户。

至此已完成SSSD的配置。

3.OpenLdap与SSH集成


1.修改配置文件/etc/ssh/sshd_config,是ssh通过pam认证账户

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.
UsePAM yes

(可左右滑动)

注意:默认使用的是密码认证方式,在集成SSH登录时需要确保PasswordAuthentication yes配置为yes

2.修改配置文件/etc/pam.d/sshd,以确认调用pam认证文件

[root@ip-172-31-30-69 sssd]# vim /etc/pam.d/sshd
#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user cont
ext
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
session    required     pam_mkhomedir.so   #加入此行后确保登录成功后创建用户的home目录
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare

(可左右滑动)

3.修改配置文件

[root@ip-172-31-30-69 sssd]# vim /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
#auth        sufficient    pam_sss.so forward_pass
auth        sufficient    pam_ldap.so forward_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
#account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authto
k_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
#password    sufficient    pam_sss.so use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
#session     optional      pam_sss.so
session     optional      pam_ldap.so

(可左右滑动)

注意:将上图标注部分对应的pam_sss.so配置修改为pam_ldap.so

4.修改/etc/pam.d/system-auth配置文件

[root@ip-172-31-30-69 pam.d]# vim system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
#auth        sufficient    pam_sss.so forward_pass
auth        sufficient    pam_ldap.so forward_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
#account     [default=bad success=ok user_unknown=ignore] pam_sss.so
ccount     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authto
k_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
#password    sufficient    pam_sss.so use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so skel=/etc/skel/ umask=0022
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
#session     optional      pam_sss.so
session     optional      pam_ldap.so

(可左右滑动)

注意:将上图标注部分对应的pam_sss.so配置修改为pam_ldap.so并增加pam_mkhomedir.so配置

5.重启sshd服务

[root@ip-172-31-30-69 pam.d]# systemctl restart sshd
[root@ip-172-31-30-69 pam.d]# systemctl status sshd

(可左右滑动)

到此为止就完成了OpenLDAP与SSH的集成。

4.验证SSH登录


1.确认testldap用户只存在于OpenLDAP

[root@ip-172-31-30-69 ~]# more /etc/passwd |grep testldap
[root@ip-172-31-30-69 ~]# id testldap
uid=10100(testldap) gid=10100(testldap) groups=10100(testldap)
[root@ip-172-31-30-69 ~]# 

(可左右滑动)

2.su切换至testldap用户

[root@ip-172-31-30-69 ~]# su testldap
[testldap@ip-172-31-30-69 root]$ cd ~
[testldap@ip-172-31-30-69 ~]$ pwd
/home/testldap
[testldap@ip-172-31-30-69 ~]$ id
uid=10100(testldap) gid=10100(testldap) groups=10100(testldap)
[testldap@ip-172-31-30-69 ~]$ 

(可左右滑动)

3.ssh登录本机

[root@ip-172-31-30-69 ~]# ssh testldap@localhost
testldap@localhost's password: 
Last login: Wed Apr  4 05:36:27 2018 from localhost
[testldap@ip-172-31-30-69 ~]$ pwd
/home/testldap
[testldap@ip-172-31-30-69 ~]$ id 
uid=10100(testldap) gid=10100(testldap) groups=10100(testldap)
[testldap@ip-172-31-30-69 ~]$ 

(可左右滑动)

4.ssh远程登录

[root@ip-172-31-16-68 ~]# ssh testldap@ip-172-31-30-69
testldap@ip-172-31-30-69's password: 
Last login: Wed Apr  4 05:46:03 2018 from ip-172-31-16-68.ap-southeast-1.compute.internal
[testldap@ip-172-31-30-69 ~]$ pwd
/home/testldap
[testldap@ip-172-31-30-69 ~]$ id
uid=10100(testldap) gid=10100(testldap) groups=10100(testldap)
[testldap@ip-172-31-30-69 ~]$ 

(可左右滑动)

5.总结


  • OpenLDAP服务启用了TLS后在进行客户端配置和SSH集成是需要启用ldaptls,否则无法使用LDAP用户进行SSH登陆
  • 关于SSSD服务的日志可以在/var/log/message中查看

提示:代码块部分可以左右滑动查看噢

为天地立心,为生民立命,为往圣继绝学,为万世开太平。 温馨提示:要看高清无码套图,请使用手机打开并单击图片放大查看。

推荐关注Hadoop实操,第一时间,分享更多Hadoop干货,欢迎转发和分享。

本文参与 腾讯云自媒体分享计划,分享自微信公众号。
原始发表:2018-04-04,如有侵权请联系 cloudcommunity@tencent.com 删除

本文分享自 Hadoop实操 微信公众号,前往查看

如有侵权,请联系 cloudcommunity@tencent.com 删除。

本文参与 腾讯云自媒体分享计划  ,欢迎热爱写作的你一起参与!

评论
登录后参与评论
0 条评论
热度
最新
推荐阅读
领券
问题归档专栏文章快讯文章归档关键词归档开发者手册归档开发者手册 Section 归档