A CDH cluster in production needs security authentication enabled. From CDH 7 onward, Sentry has been replaced by Ranger, so enabling security authentication consists of these steps: install the cluster and enable Kerberos, install OpenLDAP and its client, integrate sssd and SSH, integrate Hive, Impala and Hue with LDAP, and integrate Ranger with LDAP. Each of these steps is covered in detail in its own article.
This article explains how to install OpenLDAP and its client. Note that Hue in CDP requires OpenLDAP to have TLS enabled; otherwise the LDAP integration cannot synchronize users.
1. Install the OpenLDAP service with the following command
[root@cdh1 ~]# yum -y install openldap-clients openldap openldap-servers migrationtools openldap-devel nss-pam-ldapd bind-dyndb-ldap compat-openldap perl-LDAP krb5-server-ldap php-ldap openssl
Check the installed RPM packages
[root@cdh1 ~]# rpm -qa |grep openldap
openldap-devel-2.4.40-8.el7.x86_64
compat-openldap-2.3.43-5.el7.x86_64
openldap-2.4.40-8.el7.x86_64
openldap-servers-2.4.40-8.el7.x86_64
openldap-clients-2.4.40-8.el7.x86_64
2. Generate the TLS files with openssl
Generate the server's RSA private key with the following command
[root@cdh1 ~]# openssl genrsa -out ldap.key 1024
Generating RSA private key, 1024 bit long modulus
..................................++++++
.++++++
e is 65537 (0x10001)
Generate the certificate signing request with the following command
[root@cdh1 ~]# openssl req -new -key ldap.key -out ldap.csr
Only fill in the current server's hostname at Common Name; leave the other fields blank.
Generate the self-signed certificate (public key file) with the following command
[root@cdh1 ~]# openssl x509 -req -days 3653 -in ldap.csr -signkey ldap.key -out ldap.crt
Copy the generated certificate and private key into the /etc/openldap/certs directory
[root@cdh1 ~]# cp ldap.crt ldap.key /etc/openldap/certs/
[root@cdh1 certs]# ll
total 92
-rw-r--r--. 1 root root 65536 Dec 18 2019 cert8.db
-rw-r--r--. 1 root root 16384 Dec 18 2019 key3.db
-rw-r--r-- 1 root root 814 Dec 18 2019 ldap.crt
-rw-r--r-- 1 root root 887 Dec 18 2019 ldap.key
-r--r-----. 1 root ldap 45 Apr 19 2018 password
-rw-r--r--. 1 root root 16384 Apr 19 2018 secmod.db
3. Modify OpenLDAP's slapd.ldif configuration file
After installing the OpenLDAP service, the default configuration file and database files are in /usr/share/openldap-servers; copy slapd.ldif to the /root directory
cd /usr/share/openldap-servers
cp slapd.ldif /root/
Edit slapd.ldif: configure the TLS certificate and key paths, add the schema include files, and set the administrator account and the OpenLDAP root domain (suffix). The complete file is as follows:
[root@cdh1 ~]# cat slapd.ldif
#
# See slapd-config(5) for details on configuration options.
# This file should NOT be world readable.
#
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/openldap/slapd.args
olcPidFile: /var/run/openldap/slapd.pid
#
# TLS settings
#
olcTLSCACertificatePath: /etc/openldap/certs
olcTLSCertificateFile: /etc/openldap/certs/ldap.crt
olcTLSCertificateKeyFile: /etc/openldap/certs/ldap.key
#
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#
#olcReferral: ldap://root.openldap.org
#
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 64-bit encryption for simple bind
#
#olcSecurity: ssf=1 update_ssf=112 simple_bind=64
#
# Load dynamic backend modules:
# - modulepath is architecture dependent value (32/64-bit system)
# - back_sql.la backend requires openldap-servers-sql package
# - dyngroup.la and dynlist.la cannot be used at the same time
#
#dn: cn=module,cn=config
#objectClass: olcModuleList
#cn: module
#olcModulepath: /usr/lib/openldap
#olcModulepath: /usr/lib64/openldap
#olcModuleload: accesslog.la
#olcModuleload: auditlog.la
#olcModuleload: back_dnssrv.la
#olcModuleload: back_ldap.la
#olcModuleload: back_mdb.la
#olcModuleload: back_meta.la
#olcModuleload: back_null.la
#olcModuleload: back_passwd.la
#olcModuleload: back_relay.la
#olcModuleload: back_shell.la
#olcModuleload: back_sock.la
#olcModuleload: collect.la
#olcModuleload: constraint.la
#olcModuleload: dds.la
#olcModuleload: deref.la
#olcModuleload: dyngroup.la
#olcModuleload: dynlist.la
#olcModuleload: memberof.la
#olcModuleload: pcache.la
#olcModuleload: ppolicy.la
#olcModuleload: refint.la
#olcModuleload: retcode.la
#olcModuleload: rwm.la
#olcModuleload: seqmod.la
#olcModuleload: smbk5pwd.la
#olcModuleload: sssvlv.la
#olcModuleload: syncprov.la
#olcModuleload: translucent.la
#olcModuleload: unique.la
#olcModuleload: valsort.la
#
# Schema settings
#
dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema
include: file:///etc/openldap/schema/corba.ldif
include: file:///etc/openldap/schema/core.ldif
include: file:///etc/openldap/schema/cosine.ldif
include: file:///etc/openldap/schema/duaconf.ldif
include: file:///etc/openldap/schema/dyngroup.ldif
include: file:///etc/openldap/schema/inetorgperson.ldif
include: file:///etc/openldap/schema/java.ldif
include: file:///etc/openldap/schema/misc.ldif
include: file:///etc/openldap/schema/nis.ldif
include: file:///etc/openldap/schema/openldap.ldif
include: file:///etc/openldap/schema/ppolicy.ldif
include: file:///etc/openldap/schema/collective.ldif
#
# Frontend settings
#
dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend
#
# Sample global access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
#
#olcAccess: to dn.base="" by * read
#olcAccess: to dn.base="cn=Subschema" by * read
#olcAccess: to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#
#
# Configuration database
#
dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none
#
# Server status monitoring
#
dn: olcDatabase=monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: monitor
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=macro,dc=com" read by * none
#
# Backend database definitions
#
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: hdb
olcSuffix: dc=macro,dc=com
olcRootDN: cn=Manager,dc=macro,dc=com
olcRootPW: 123456
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
olcDbIndex: uidNumber,gidNumber,loginShell eq,pres
olcDbIndex: uid,memberUid eq,pres,sub
olcDbIndex: nisMapName,nisMapEntry eq,pres,sub
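Before running slapadd on a hand-edited slapd.ldif, two things in this file deserve a check: the olcAccess values in the packaged slapd.ldif are folded over two lines (a continuation line must start with a single space, which copy-paste often drops and which leaves a quoted DN half-closed), and olcRootPW is stored in plaintext although slapd also accepts an {SSHA} hash of the kind slappasswd produces. The following Python is an added example, not part of the original article; the LDIF excerpt inside it is constructed from the file above and the function names are my own.

```python
import base64
import hashlib
import os
import re

# Constructed excerpt of the slapd.ldif above: the monitor ACL is folded over
# two lines, which LDIF allows when the continuation starts with one space.
SAMPLE_LDIF = """\
dn: olcDatabase=monitor,cn=config
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
 n=auth" read by dn.base="cn=Manager,dc=macro,dc=com" read by * none

dn: olcDatabase=hdb,cn=config
olcRootDN: cn=Manager,dc=macro,dc=com
olcRootPW: 123456
"""

def parse_ldif(text):
    """Return [(dn, {attr: [values]})] with folded lines rejoined."""
    unfolded = re.sub(r"\n ", "", text)     # RFC 2849: newline + space continues a line
    entries = []
    for block in unfolded.split("\n\n"):    # blank lines separate entries
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue                    # comments do not end an entry
            name, _, value = line.partition(":")
            if name == "dn":
                dn = value.strip()
            else:
                attrs.setdefault(name, []).append(value.strip())
        if dn:
            entries.append((dn, attrs))
    return entries

def ssha(password, salt=None):
    """Build an {SSHA} value as slappasswd -h {SSHA} does: SHA-1(pw + salt) + salt."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def lint(entries):
    """Findings to fix before slapadd: plaintext rootpw and broken ACL folds."""
    findings = []
    for dn, attrs in entries:
        for pw in attrs.get("olcRootPW", []):
            if not pw.startswith("{"):
                findings.append(f"{dn}: olcRootPW is plaintext; use {ssha(pw)} instead")
        for acl in attrs.get("olcAccess", []):
            if acl.count('"') % 2:          # a lost fold splits a quoted DN
                findings.append(f"{dn}: olcAccess has unbalanced quotes (lost fold?)")
    return findings
```

Run lint(parse_ldif(open("/root/slapd.ldif").read())) against your own copy; an empty list means both checks passed.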
4. Delete the original configuration and regenerate OpenLDAP's configuration
[root@cdh1 slapd.d]# rm -rf /etc/openldap/slapd.d/*
[root@cdh1 slapd.d]# slapadd -F /etc/openldap/slapd.d -n 0 -l /root/slapd.ldif
Test whether the configuration file is correct; if it returns "config file testing succeeded", the configuration is valid
[root@cdh1 ~]# slaptest -u -F /etc/openldap/slapd.d
config file testing succeeded
Change the owner of the configuration files:
[root@cdh1 ~]# chown -R ldap. /etc/openldap/slapd.d/
[root@cdh1 ~]# ll /etc/openldap/slapd.d/
total 8
drwxr-x--- 3 ldap ldap 4096 Dec 19 2019 cn=config
-rw------- 1 ldap ldap 600 Dec 19 2019 cn=config.ldif
5. Install OpenLDAP's database files
Copy the DB_CONFIG.example file from /usr/share/openldap-servers/ to /var/lib/ldap and rename it DB_CONFIG:
[root@cdh1 lib]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
Change the owner of the database files
[root@cdh01 lib]# chown -R ldap. /var/lib/ldap
[root@cdh01 lib]# ll /var/lib/ldap/
total 4
-rw-r--r-- 1 ldap ldap 845 Feb 9 2020 DB_CONFIG
6. With the above done, run the following commands to enable slapd at boot, start the slapd service and check its status
[root@cdh1 lib]# systemctl enable slapd
[root@cdh1 lib]# systemctl start slapd
[root@cdh1 lib]# systemctl status slapd
The OpenLDAP service is now installed.
Next, import the root domain and the administrator entry into it.
1. Create the root.ldif file with the following content
[root@cdh1 ~]# vim root.ldif
dn: dc=macro,dc=com
dc: macro
objectClass: top
objectClass: domain

dn: cn=Manager,dc=macro,dc=com
objectClass: organizationalRole
cn: Manager
2. Import the root domain and administrator entries into the OpenLDAP service
[root@cdh1 ~]# ldapadd -D "cn=Manager,dc=macro,dc=com" -W -x -f root.ldif
Enter LDAP Password:
adding new entry "dc=macro,dc=com"
adding new entry "cn=Manager,dc=macro,dc=com"
3. Check that the import succeeded
[root@cdh1 ~]# ldapsearch -h cdh1.macro.com -b "dc=macro,dc=com" -D "cn=Manager,dc=macro,dc=com" -W
The migrationtools package installed earlier can generate OpenLDAP's base file and the user and group ldif files.
1. Go to the /usr/share/migrationtools/ directory and edit migrate_common.ph, changing DEFAULT_MAIL_DOMAIN and DEFAULT_BASE to your own OpenLDAP domain
[root@cdh1 ~]# vim /usr/share/migrationtools/migrate_common.ph
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "macro.com";
# Default base
$DEFAULT_BASE = "dc=macro,dc=com";
2. Export OpenLDAP's base.ldif file with the following command
[root@cdh1 ~]# /usr/share/migrationtools/migrate_base.pl >base.ldif
3. Export the operating system's group.ldif file with the following command
[root@cdh1 ~]# /usr/share/migrationtools/migrate_group.pl /etc/group >group.ldif
4. Export the operating system users' ldif file with the following command
[root@cdh1 ~]# /usr/share/migrationtools/migrate_passwd.pl /etc/passwd > user.ldif
Import the base file, then the group and user files, into OpenLDAP with ldapadd
[root@cdh1 ldap]# ldapadd -D "cn=Manager,dc=macro,dc=com" -W -x -f base.ldif
[root@cdh1 ldap]# ldapadd -D "cn=Manager,dc=macro,dc=com" -W -x -f group.ldif
[root@cdh1 ldap]# ldapadd -D "cn=Manager,dc=macro,dc=com" -W -x -f user.ldif
5. Check that the import succeeded
[root@cdh1 ldap]# ldapsearch -h cdh1.macro.com -b "dc=macro,dc=com" -D "cn=Manager,dc=macro,dc=com" -W | grep dn
1. Install the OpenLDAP client package on all client nodes
yum install -y openldap-clients
2. Edit the /etc/openldap/ldap.conf file so that it reads as follows
[root@cdh2 ~]# cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
TLS_CACERTDIR /etc/openldap/cacerts
URI ldap://cdh1.macro.com
BASE dc=macro,dc=com
# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON on
3. Test that the client is configured correctly
[root@cdh2 ~]# ldapsearch -D "cn=Manager,dc=macro,dc=com" -W |grep dn
Enter LDAP Password:
dn: dc=macro,dc=com
dn: cn=Manager,dc=macro,dc=com
dn: ou=People,dc=macro,dc=com
dn: ou=Group,dc=macro,dc=com
dn: cn=root,ou=Group,dc=macro,dc=com
dn: cn=bin,ou=Group,dc=macro,dc=com
dn: cn=daemon,ou=Group,dc=macro,dc=com
dn: cn=sys,ou=Group,dc=macro,dc=com
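Hue's requirement is that the LDAP server actually negotiate TLS, and the ldapsearch above over plain ldap:// does not exercise that. The following Python probe, an added example rather than part of the original article, hand-builds the LDAP StartTLS extended operation and then completes a handshake that is verified against the ldap.crt generated earlier (assumed to have been copied to the client, cafile pointing at it); because that certificate carries only a CN, host must match it exactly, e.g. cdh1.macro.com.

```python
import socket
import ssl

# Added example: LDAP StartTLS exchange built by hand (RFC 4511 ExtendedRequest).
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"

def ber(tag, payload):
    """Wrap payload in a BER TLV (short-form length; enough for these messages)."""
    if len(payload) >= 128:
        raise ValueError("payload too long for short-form length")
    return bytes([tag, len(payload)]) + payload

def starttls_request(msg_id=1):
    """LDAPMessage { messageID, [APPLICATION 23] ExtendedRequest { [0] requestName } }"""
    extended_req = ber(0x77, ber(0x80, STARTTLS_OID))
    return ber(0x30, ber(0x02, bytes([msg_id])) + extended_req)

def read_tlv(buf, pos=0):
    """Decode one BER TLV at pos, handling long-form lengths; -> (tag, value, next)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_result_code(resp):
    """Return resultCode from an [APPLICATION 24] ExtendedResponse (0 = success)."""
    tag, msg, _ = read_tlv(resp)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = read_tlv(msg)               # skip messageID INTEGER
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x78:
        raise ValueError("not an ExtendedResponse")
    _, code, _ = read_tlv(op)               # first element: resultCode ENUMERATED
    return int.from_bytes(code, "big")

def probe_starttls(host, cafile, port=389, timeout=5):
    """Ask slapd for StartTLS, then verify its certificate against cafile and host.
    Returns the negotiated TLS version; raises if StartTLS is refused or verification fails."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED plus hostname check
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(starttls_request())
        code = parse_result_code(sock.recv(4096))
        if code != 0:
            raise RuntimeError(f"server refused StartTLS, resultCode={code}")
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()
```

A resultCode of 1 (operationsError) or 52 (unavailable) from slapd usually means the olcTLS* settings in slapd.ldif were not loaded or the key file is unreadable by the ldap user.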