Environment:
ldap node1: 192.168.100.151
ldap node2: 192.168.100.152
client ip: 192.168.100.153
===========================Server side===========================
1. Installation
Install Berkeley DB
[root@localhost openldap]# yum install -y libtool-ltdl-devel.x86_64 libtool-ltdl.x86_64
[root@localhost tarbag]# tar -xzvf db-4.8.26.tar.gz -C ../software/
[root@localhost tarbag]# cd ../software/db-4.8.26/build_unix/
[root@localhost build_unix]# ../dist/configure
[root@localhost build_unix]# make install
[root@localhost build_unix]# echo "/usr/local/BerkeleyDB.4.8/lib/" >> /etc/ld.so.conf
[root@localhost build_unix]# ldconfig -vv
Install OpenLDAP
[root@localhost tarbag]# tar zxvf openldap-2.4.21.tgz -C ../software/
[root@localhost tarbag]# cd ../software/openldap-2.4.21/
[root@localhost openldap-2.4.21]# ./configure --prefix=/usr/local/openldap-2.4.21 --enable-syslog --enable-modules --with-tls CPPFLAGS=-I/usr/local/BerkeleyDB.4.8/include/ LDFLAGS=-L/usr/local/BerkeleyDB.4.8/lib/
[root@localhost openldap-2.4.21]# make depend
[root@localhost openldap-2.4.21]# make
[root@localhost openldap-2.4.21]# make test
(make test takes quite a while; if you do not think it is necessary, skip it and go straight to make install.)
[root@localhost openldap-2.4.21]# make install
[root@localhost openldap-2.4.21]# cd /usr/local/openldap-2.4.21/
[root@localhost openldap-2.4.21]# ls
bin  etc  include  lib  libexec  sbin  share  var
2. OpenLDAP configuration
Download openssh-lpk_openldap.schema
[root@localhost ~]# cd /usr/local/openldap-2.4.21/etc/openldap/schema
[root@localhost schema]# wget http://openssh-lpk.googlecode.com/files/openssh-lpk_openldap.schema
[root@localhost schema]# cp openssh-lpk_openldap.schema openssh-lpk.schema
Generate the password hash:
[root@localhost ~]# cd /usr/local/openldap-2.4.21/sbin/
[root@localhost sbin]# ./slappasswd
New password:
Re-enter new password:
{SSHA}o/pZaQlZohhssEC7UAWnqWZ3GaHwxeUZ
The password is 123456. This hash goes into the rootpw line of slapd.conf.
Configure slapd.conf
[root@localhost openldap]# cat /usr/local/openldap-2.4.21/etc/openldap/slapd.conf
include /usr/local/openldap-2.4.21/etc/openldap/schema/core.schema
include /usr/local/openldap-2.4.21/etc/openldap/schema/cosine.schema
include /usr/local/openldap-2.4.21/etc/openldap/schema/inetorgperson.schema
include /usr/local/openldap-2.4.21/etc/openldap/schema/nis.schema
include /usr/local/openldap-2.4.21/etc/openldap/schema/openssh-lpk.schema
loglevel 256
pidfile /usr/local/openldap-2.4.21/var/run/slapd.pid
argsfile /usr/local/openldap-2.4.21/var/run/slapd.args
#######################################################################
# database definition
#######################################################################
database bdb
suffix "dc=hsf,dc=com"
rootdn "cn=Manager,dc=hsf,dc=com"
rootpw {SSHA}o/pZaQlZohhssEC7UAWnqWZ3GaHwxeUZ
directory /opt/openldap_data/
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
# sudoUser is only defined once sudoer.schema is included (see the LDAP + sudoers
# section); slapd refuses to start on an index for an undefined attribute
index sudoUser eq
[root@localhost openldap]# cd /usr/local/openldap-2.4.21/etc/openldap
Copy DB_CONFIG into the LDAP data directory (the directory must exist before slapd starts, and Berkeley DB only reads the file under the name DB_CONFIG):
[root@localhost openldap]# mkdir -p /opt/openldap_data
[root@localhost openldap]# cp DB_CONFIG.example /opt/openldap_data/DB_CONFIG
Edit syslog.conf
[root@localhost www]# vi /etc/syslog.conf
# Save ldap messages to ldap.log
local4.*    /var/log/ldap.log
Restart syslog
[root@localhost openldap]# service syslog restart
Shutting down kernel logger: [ OK ]
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
Starting kernel logger: [ OK ]
Start LDAP
Start method 1:
# /usr/local/openldap-2.4.21/libexec/slapd    # goes straight into the background
Start method 2:
# /usr/local/openldap-2.4.21/libexec/slapd -d 256    # stays in the foreground with debug output
[root@localhost run]# /usr/local/openldap-2.4.21/libexec/slapd
[root@localhost run]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address    Foreign Address    State    PID/Program name
tcp   0      0      0.0.0.0:389      0.0.0.0:*          LISTEN   22917/slapd
tcp   0      0      :::389           :::*               LISTEN   22917/slapd
tcp   0      0      :::22            :::*               LISTEN   1987/sshd
3. Generate a key pair (on any machine)
# ssh-keygen -t rsa    # keep pressing Enter
# cd /root/.ssh/
# sz id_rsa.pub    # public key (goes into the sshPublicKey attribute in LDAP)
# sz id_rsa        # private key (kept in SecureCRT, PuTTY, or /root/.ssh/ on Linux)
4. Import the LDAP data
Root entries:
[root@localhost ~]# cat passwd.ldif
#version: 1
dn: dc=hsf,dc=com
objectClass: top
objectClass: domain
dc: hsf

dn: ou=groups,dc=hsf,dc=com
objectClass: top
objectClass: organizationalUnit
ou: groups

dn: cn=root,ou=groups,dc=hsf,dc=com
objectClass: posixGroup
objectClass: top
cn: root
gidNumber: 0
memberUid: root

dn: ou=users,dc=hsf,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: users
sn: users
ou: users

dn: uid=root,ou=users,dc=hsf,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: top
objectClass: ldapPublicKey
objectClass: posixAccount
cn: root
gidNumber: 0
homeDirectory: /root/
sn: root
uid: root
uidNumber: 0
sshPublicKey: ssh-rsa testAAgQDl+WA5jQja/BDfBSwo3dJ78uaaaaaILbNEEbHGqbXXL74S2HUHkGJ5UH1RHd9AzH1bzgEfP3CU7wHeghG5co576xRUrZw5BolybBz+3q1GxRfqfoZGxZP6/fyYogSrjaR+pT3MxBx91vt+OK61uBhuOCzIe8gDOpxAeZP6SRAJw== hsf@www.hsf.com
[root@localhost openldap]# /usr/local/openldap-2.4.21/bin/ldapadd -x -D "cn=Manager,dc=hsf,dc=com" -W -f passwd.ldif
====================Client side====================
IP address: 192.168.100.153
1. Install the OpenSSH LPK patch:
[root@localhost tarbag]# gunzip openssh-lpk-5.9p1-0.3.14.patch.gz
[root@localhost tarbag]# tar zxvf openssh-5.9p1.tar.tar
[root@localhost tarbag]# cd openssh-5.9p1
[root@localhost openssh-5.9p1]# patch -Np1 -i /usr/local/src/tarbag/openssh-lpk-5.9p1-0.3.14.patch
patching file auth2-pubkey.c
patching file auth-rsa.c
patching file config.h.in
patching file configure.ac
patching file ldapauth.c
patching file ldapauth.h
patching file lpk-user-example.txt
patching file Makefile.in
patching file openssh-lpk_openldap.schema
patching file openssh-lpk_sun.schema
patching file README.lpk
patching file servconf.c
patching file servconf.h
patching file sshd.c
patching file sshd_config
patching file sshd_config.5
patching file version.h
[root@localhost openssh-5.9p1]# ./configure \
    --prefix=/usr \
    --sysconfdir=/etc/ssh \
    --libexecdir=/usr/sbin \
    --with-md5-passwords \
    --with-pam \
    --with-libs="-lldap" \
    --with-cppflags="-DWITH_LDAP_PUBKEY"
[root@localhost openssh-5.9p1]# make
[root@localhost openssh-5.9p1]# make install
2. Edit the sshd configuration file
# cat /etc/ssh/sshd_config | grep -v '#' | grep -v '^$'
SyslogFacility AUTHPRIV
PasswordAuthentication no
UsePAM no
X11Forwarding yes
Subsystem sftp /usr/libexec/openssh/sftp-server
UseLPK yes
LpkServers ldap://192.168.100.151:389
LpkUserDN ou=users,dc=hsf,dc=com
LpkGroupDN ou=groups,dc=hsf,dc=com
LpkBindDN cn=Manager,dc=hsf,dc=com
LpkBindPw {SSHA}o/pZaQlZohhssEC7UAWnqWZ3GaHwxeUZ
LpkForceTLS no
LpkSearchTimelimit 3
LpkBindTimelimit 3
Note: LpkBindPw is the cleartext password sshd presents when it binds as LpkBindDN (123456 above); the {SSHA} string is only the form slapd keeps in rootpw for comparison, and a bind that offers it as the password fails. Since sshd_config then carries a directory credential, keep it root-owned with mode 0600, and set LpkForceTLS to yes once the TLS section below is in place so that a failed STARTTLS cannot fall back to sending that password in the clear.
Edit nsswitch.conf
[root@localhost openssh-5.9p1]# vi /etc/nsswitch.conf
passwd: files ldap
shadow: files ldap
group: files ldap
Edit authconfig
[root@localhost etc]# cat /etc/sysconfig/authconfig | grep yes
USELDAPAUTH=yes
USESHADOW=yes
USELOCAUTHORIZE=yes
USELDAP=yes
USECRACKLIB=yes
3. Restart sshd
# service sshd restart
4. Add a file
[root@localhost etc]# vi /etc/pam.d/common-session
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/
session optional pam_ldap.so
===========================Autofs configuration===========================
(You could also configure this with the auto.schema in LDAP; I do not find that as convenient as this.)
The LDAP server exports the home directories and the client uses autofs to mount the matching home directory automatically. This is done to fix: Could not chdir to home directory /home/hsf: No such file or directory
LDAP server NFS configuration:
[root@localhost home]# cat /etc/exports
/home 192.168.100.0/255.255.255.0(rw,async,wdelay,root_squash,no_subtree_check,anonuid=65534,anongid=65534)
[root@localhost home]# service portmap start
[root@localhost home]# service nfs start
[root@localhost home]# chkconfig nfs on
[root@localhost home]# chkconfig portmap on
Client configuration:
[root@localhost ~]# cat /etc/auto.master
#
/home /etc/auto.nfs --timeout=100
[root@localhost ~]# cat /etc/auto.nfs
* 192.168.100.151:/home/&
[root@localhost ~]# service autofs start
[root@localhost ~]# service portmap start
Test on the client:
[root@localhost ~]# cd /home/
[root@localhost home]# ls
[root@localhost home]#
[root@localhost home]# su - test
-sh-3.00$ pwd
/home/test/
-sh-3.00$
===================LDAP + sudoers configuration=================:
First add the sudoer.schema
[root@localhost log]# vi /etc/openldap/schema/sudoer.schema
attributetype ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser'
    DESC 'User(s) who may run sudo'
    EQUALITY caseExactIA5Match
    SUBSTR caseExactIA5SubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost'
    DESC 'Host(s) who may run sudo'
    EQUALITY caseExactIA5Match
    SUBSTR caseExactIA5SubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand'
    DESC 'Command(s) to be executed by sudo'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs'
    DESC 'User(s) impersonated by sudo'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption'
    DESC 'Options(s) followed by sudo'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser'
    DESC 'User(s) impersonated by sudo'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup'
    DESC 'Group(s) impersonated by sudo'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.8 NAME 'sudoNotBefore'
    DESC 'Start of time interval for which the entry is valid'
    EQUALITY generalizedTimeMatch
    ORDERING generalizedTimeOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )

attributetype ( 1.3.6.1.4.1.15953.9.1.9 NAME 'sudoNotAfter'
    DESC 'End of time interval for which the entry is valid'
    EQUALITY generalizedTimeMatch
    ORDERING generalizedTimeOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )

attributetype ( 1.3.6.1.4.1.15953.9.1.10 NAME 'sudoOrder'
    DESC 'an integer to order the sudoRole entries'
    EQUALITY integerMatch
    ORDERING integerOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
    DESC 'Sudoer Entries'
    MUST ( cn )
    MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $ sudoOrder $ description $ ou ) )
Add this sudoer.schema to slapd.conf
[root@localhost log]# cat /etc/openldap/slapd.conf | grep sudo
include /etc/openldap/schema/sudoer.schema
Default sudoers LDIF data.
[root@localhost ~]# cat sudo.ldif
dn: ou=SUDOers,dc=hsf,dc=com
objectClass: top
objectClass: organizationalUnit
description: SUDO Configuration Subtree
ou: SUDOers

dn: cn=defaults,ou=SUDOers,dc=hsf,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: requiretty
sudoOption: !visiblepw
sudoOption: env_reset

dn: cn=root,ou=SUDOers,dc=hsf,dc=com
objectClass: top
objectClass: sudoRole
cn: root
sudoUser: root
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL

dn: cn=%wheel,ou=SUDOers,dc=hsf,dc=com
objectClass: top
objectClass: sudoRole
cn: %wheel
sudoUser: %wheel
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOption: !authenticate

dn: cn=hsf,ou=SUDOers,dc=hsf,dc=com
objectClass: top
objectClass: sudoRole
cn: hsf
sudoUser: hsf
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOption: !authenticate
Import the sudo data into LDAP.
[root@localhost ~]# ldapadd -x -D "cn=Manager,dc=hsf,dc=com" -W -f sudo.ldif
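Both LDIF files on this page (passwd.ldif in the server section and sudo.ldif just above) are worth checking before they are loaded, because together they decide who can log in as root and who can run sudo without a password. The following added example (not code from the original post) is a small LDIF reader with three checks built on it: the key lookup that the LPK-patched sshd effectively performs (posixAccount + ldapPublicKey entry under LpkUserDN with the requested uid, sshPublicKey values as the authorized_keys list), a listing of entries that publish a key for uidNumber 0, and a rendering of sudoRole entries as the equivalent /etc/sudoers lines so that !authenticate shows up as NOPASSWD. The sample LDIF is constructed to mirror the page's data; the key strings are placeholders, and the ou=users base is the LpkUserDN from the page.

```python
from typing import Dict, List

# Constructed LDIF modelled on the page's passwd.ldif (placeholder keys; one
# value is folded over two lines to exercise LDIF unfolding).
PASSWD_LDIF = """\
dn: uid=hsf,ou=users,dc=hsf,dc=com
objectClass: posixAccount
objectClass: ldapPublicKey
cn: hsf
uid: hsf
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/hsf
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDplaceholder
 KeyMaterial== hsf@www.hsf.com

dn: uid=svc,ou=users,dc=hsf,dc=com
objectClass: posixAccount
objectClass: ldapPublicKey
cn: svc
uid: svc
uidNumber: 0
gidNumber: 0
homeDirectory: /root
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2Eplaceholder2== svc@www.hsf.com
"""

# Constructed LDIF modelled on the page's sudo.ldif.
SUDO_LDIF = """\
dn: cn=root,ou=SUDOers,dc=hsf,dc=com
objectClass: sudoRole
cn: root
sudoUser: root
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL

dn: cn=%wheel,ou=SUDOers,dc=hsf,dc=com
objectClass: sudoRole
cn: %wheel
sudoUser: %wheel
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOption: !authenticate
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF parser: unfold continuation lines, split entries on blank
    lines, skip '#' comments, lower-case attribute names (LDAP is case-insensitive)."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded continuation line
        else:
            lines.append(raw)
    entries: List[Dict[str, List[str]]] = []
    entry: Dict[str, List[str]] = {}
    for line in lines + [""]:
        if not line.strip():
            if entry:
                entries.append(entry)
            entry = {}
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            entry.setdefault(name.lower(), []).append(value.strip())
    return entries


def classes(entry: Dict[str, List[str]]) -> set:
    return {c.lower() for c in entry.get("objectclass", [])}


def lpk_authorized_keys(entries, uid, user_base="ou=users,dc=hsf,dc=com"):
    """What the LPK-patched sshd effectively does: under LpkUserDN, the entry that
    is both posixAccount and ldapPublicKey with this uid supplies the key list."""
    keys: List[str] = []
    for e in entries:
        if (e["dn"][0].lower().endswith(user_base.lower())
                and {"posixaccount", "ldappublickey"} <= classes(e)
                and uid in e.get("uid", [])):
            keys.extend(e.get("sshpublickey", []))
    return keys


def uid0_key_entries(entries):
    """Entries that publish an SSH key for uidNumber 0: a write to that attribute
    is a root login on every client, so they deserve explicit review."""
    return [e["dn"][0] for e in entries
            if "0" in e.get("uidnumber", []) and e.get("sshpublickey")]


def sudo_roles_to_sudoers(entries):
    """Render sudoRole entries as the equivalent /etc/sudoers lines, so policy held
    in LDAP can be reviewed in the familiar syntax (!authenticate == NOPASSWD)."""
    out: List[str] = []
    for e in entries:
        if "sudorole" not in classes(e):
            continue
        tag = "NOPASSWD: " if "!authenticate" in e.get("sudooption", []) else ""
        runas = ",".join(e.get("sudorunasuser", ["ALL"]))
        cmds = ",".join(e.get("sudocommand", []))
        for user in e.get("sudouser", []):
            for host in e.get("sudohost", ["ALL"]):
                out.append(f"{user} {host}=({runas}) {tag}{cmds}")
    return out
```

Run over the page's real files (parse_ldif(open("passwd.ldif").read())), uid0_key_entries would list the uid=root entry, which is the point: with this layout, write access to sshPublicKey under ou=users is equivalent to root on every client, so the ACLs on that attribute matter as much as the Manager password.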
====================sudo client configuration==================:
Install sudo (the sudo installed by default has no LDAP support):
Download: http://down1.chinaunix.net/distfiles/sudo-1.7.2p1.tar.gz
[root@localhost tarbag]# wget http://down1.chinaunix.net/distfiles/sudo-1.7.2p1.tar.gz
[root@localhost tarbag]# tar zxvf sudo-1.7.2p1.tar.gz -C ../software/
[root@localhost tarbag]# cd ../software/sudo-1.7.2p1/
[root@localhost sudo-1.7.2p1]# ./configure --with-ldap --with-pam
[root@localhost sudo-1.7.2p1]# make
[root@localhost sudo-1.7.2p1]# make install
[root@localhost sudo-1.7.2p1]# mv /etc/pam.d/sudo /etc/pam.d/sudo.orig
[root@localhost sudo-1.7.2p1]# mv /usr/bin/sudo /usr/bin/sudo.orig
[root@localhost sudo-1.7.2p1]# ln -s /usr/local/bin/sudo /usr/bin/sudo
[root@localhost sudo-1.7.2p1]# cp sample.pam /etc/pam.d/sudo
Configure ldap.conf
[root@localhost ~]# cat /etc/ldap.conf | grep -v '#' | grep -v '^$'
host 192.168.100.151
URI ldap://192.168.100.151
BASE dc=hsf,dc=com
SUDOERS_BASE ou=SUDOers,dc=hsf,dc=com
ssl no
Edit nsswitch.conf
[root@localhost home]# cat /etc/nsswitch.conf | grep sudo
sudoers: ldap
Verify:
[root@localhost ~]# sudo -V | grep ldap
ldap.conf path: /etc/ldap.conf
ldap.secret path: /etc/ldap.secret
After installation, restart the LDAP service.
Test:
-sh-3.00$ sudo -l
Matching Defaults entries for test on this host:
    requiretty, !visiblepw, env_reset

Runas and Command-specific defaults for test:

User test may run the following commands on this host:
    (ALL) NOPASSWD: ALL
    (ALL) NOPASSWD: ALL
-sh-3.00$ sudo su -
===================OpenLDAP master-master configuration==============
Node 1: 192.168.100.151
Node 2: 192.168.100.152
Node 1 (node1) configuration
Append the following to the end of slapd.conf (slapd.conf only treats # at the start of a line as a comment, so the notes are kept on their own lines):
# extra indexes to speed up replication; syncrepl relies on these two attributes
index entryCSN,entryUUID eq
# replication engine
overlay syncprov
# checkpoint after every 100 operations or every 10 minutes
syncprov-checkpoint 100 10
syncprov-sessionlog 100
# node ID, must be unique
serverID 1
# provider= is the peer's IP, binddn/credentials the bind DN and its password,
# searchbase the base from which to replicate. credentials holds the Manager
# password in cleartext, so slapd.conf must be readable only by the user slapd
# runs as; once TLS is configured, add starttls=critical to this block so the
# replication traffic is protected too.
syncrepl rid=123
    provider=ldap://192.168.100.152
    bindmethod=simple
    binddn="cn=Manager,dc=hsf,dc=com"
    credentials=123456
    searchbase="dc=hsf,dc=com"
    schemachecking=off
    type=refreshAndPersist
    retry="60 +"
# enable mirrormode
mirrormode on
Node 2 (node2) configuration
Append the following to the end of slapd.conf
index entryCSN,entryUUID eq
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
serverID 2
syncrepl rid=123
    provider=ldap://192.168.100.151
    bindmethod=simple
    binddn="cn=Manager,dc=hsf,dc=com"
    credentials=123456
    searchbase="dc=hsf,dc=com"
    schemachecking=off
    type=refreshAndPersist
    retry="60 +"
mirrormode on
===================Configuring TLS==================
[root@localhost ~]# mkdir /usr/local/openldap-2.4.21/etc/openldap/ssl/
[root@localhost ~]# cd /usr/local/openldap-2.4.21/etc/openldap/ssl/
[root@localhost ssl]# /etc/pki/tls/misc/CA -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
........................................++++++
......................................................++++++
writing new private key to '../../CA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:beijing
Locality Name (eg, city) [Newbury]:beijing
Organization Name (eg, company) [My Company Ltd]:hsf
Organizational Unit Name (eg, section) []:hsf
Common Name (eg, your name or your server's hostname) []: 192.168.100.152
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 0 (0x0)
        Validity
            Not Before: Dec 28 06:27:46 2011 GMT
            Not After : Dec 27 06:27:46 2014 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = hsf
            organizationalUnitName    = hsf
            commonName                = 192.168.100.152
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                BA:D2:F9:E1:BB:16:57:3E:78:96:5E:29:21:A4:A7:4A:AE:E4:23:BD
            X509v3 Authority Key Identifier:
                keyid:BA:D2:F9:E1:BB:16:57:3E:78:96:5E:29:21:A4:A7:4A:AE:E4:23:BD

Certificate is to be certified until Dec 27 06:27:46 2014 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
[root@localhost ssl]# openssl req -new -nodes -keyout newreq.pem -out newreq.pem
// For master-master LDAP this has to be run twice: the first time enter node1's hostname as the Common Name, the second time node2's hostname //
Generating a 1024 bit RSA private key
.........++++++
.++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:beijing
Locality Name (eg, city) [Newbury]:beijing
Organization Name (eg, company) [My Company Ltd]:hsf
Organizational Unit Name (eg, section) []:hsf
Common Name (eg, your name or your server's hostname) []:192.168.100.152
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost ssl]# ls
newreq.pem
[root@localhost ssl]# /etc/pki/tls/misc/CA -sign
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Dec 28 06:29:44 2011 GMT
            Not After : Dec 27 06:29:44 2012 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            localityName              = beijing
            organizationName          = hsf
            organizationalUnitName    = hsf
            commonName                = 192.168.100.152
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                66:97:70:5F:99:B1:7E:06:3A:BE:DF:D6:5B:E4:E5:D7:EC:44:D5:16
            X509v3 Authority Key Identifier:
                keyid:BA:D2:F9:E1:BB:16:57:3E:78:96:5E:29:21:A4:A7:4A:AE:E4:23:BD

Certificate is to be certified until Dec 27 06:29:44 2012 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, ST=beijing, O=hsf, OU=hsf, CN= 192.168.100.152
        Validity
            Not Before: Dec 28 06:29:44 2011 GMT
            Not After : Dec 27 06:29:44 2012 GMT
        Subject: C=CN, ST=beijing, L=beijing, O=hsf, OU=hsf, CN=192.168.100.152
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:cf:ac:a6:5f:6a:de:42:71:87:32:c9:10:1f:3a:
                    72:ce:a2:0b:f9:e9:89:d2:ac:fa:b3:b3:09:f9:c6:
                    60:d7:7f:12:37:4b:04:0c:23:5a:1a:98:52:df:6b:
                    02:30:d6:a7:0e:f6:6a:3a:6d:9a:db:2b:c7:77:68:
                    88:a3:b8:7e:29:3e:d3:6d:8b:d1:46:01:71:48:da:
                    17:de:dc:dd:59:ad:b4:5e:45:ff:9d:e5:19:94:2d:
                    e4:d9:d5:c3:71:d0:1d:73:f8:7f:70:16:c4:78:62:
                    ec:7f:a7:61:f7:00:c2:c7:85:f2:17:43:73:d9:ec:
                    2b:9b:ae:c0:c5:74:04:c0:9f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                66:97:70:5F:99:B1:7E:06:3A:BE:DF:D6:5B:E4:E5:D7:EC:44:D5:16
            X509v3 Authority Key Identifier:
                keyid:BA:D2:F9:E1:BB:16:57:3E:78:96:5E:29:21:A4:A7:4A:AE:E4:23:BD

    Signature Algorithm: sha1WithRSAEncryption
        75:ac:44:1f:af:ea:f0:d0:75:9b:77:3c:6f:7a:62:b4:9e:1d:
        14:c5:ef:b5:88:a8:d7:c8:b3:43:b0:ba:39:36:e1:59:f6:d8:
        e4:bc:9a:22:57:ed:48:a4:57:13:62:bb:8a:04:75:42:5e:76:
        ca:e0:89:7e:e8:cd:da:0e:0d:2e:b8:62:94:4a:28:9a:c7:41:
        47:17:08:b9:9e:1a:87:31:94:de:52:99:42:2a:5b:40:d0:a2:
        20:79:0f:ea:ab:bf:e3:e1:cc:75:9c:cb:14:a6:59:a5:6c:a0:
        50:bb:1a:e4:66:8d:89:20:fa:69:64:0f:31:80:68:68:17:6f:
        9f:18
-----BEGIN CERTIFICATE-----
MIICujCCAiOgAwIBAgIBATANBgkqhkiG9w0BAQUFADBcMQswCQYDVQQGEwJDTjEQ
MA4GA1UECBMHYmVpamluZzEPMA0GA1UEChMGWUFPU0hJMQ8wDQYDVQQLEwZZQU9T
SEkxGTAXBgNVBAMTECAxOTIuMTY4LjEwMC4xNTIwHhcNMTExMjI4MDYyOTQ0WhcN
MTIxMjI3MDYyOTQ0WjBtMQswCQYDVQQGEwJDTjEQMA4GA1UECBMHYmVpamluZzEQ
MA4GA1UEBxMHYmVpamluZzEPMA0GA1UEChMGWUFPU0hJMQ8wDQYDVQQLEwZZQU9T
SEkxGDAWBgNVBAMTDzE5Mi4xNjguMTAwLjE1MjCBnzANBgkqhkiG9w0BAQEFAAOB
jQAwgYkCgYEAz6ymX2reQnGHMskQHzpyzqIL+emJ0qz6s7MJ+cZg138SN0sEDCNa
GphS32sCMNanDvZqOm2a2yvHd2iIo7h+KT7TbYvRRgFxSNoX3tzdWa20XkX/neUZ
lC3k2dXDcdAdc/h/cBbEeGLsf6dh9wDCx4XyF0Nz2ewrm67AxXQEwJ8CAwEAAaN7
MHkwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQg
Q2VydGlmaWNhdGUwHQYDVR0OBBYEFGcF+ZsX4GOr7f1lvk5dfsRNUWMB8GA1Ud
IwQYMBaAFLrS+eG7Flc+eJZeKSGkp0qu5CO9MA0GCSqGSIb3DQEBBQUAA4GBAHWs
RB+v6vDQdZt3PG96YrSeHRTF77WIqNfIs0Owujk24Vn22OS8miJX7UikVxNiu4oE
dUJedsrgiX7ozdoODS64YpRKKJrHQUcXCLmeGocxlN5SmUIqW0DQoiB5D+qrv+Ph
zHWcyxSmWaVsoFC7GuRmjYkg+mlkDzGAaGgXb58Y
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
[root@localhost ssl]# ls
newcert.pem newreq.pem
[root@localhost ssl]# mkdir /usr/local/openldap-2.4.21/etc/openldap/cacerts
[root@localhost ssl]# cp ../../CA/cacert.pem /usr/local/openldap-2.4.21/etc/openldap/cacerts/
[root@localhost ssl]# cp newcert.pem /usr/local/openldap-2.4.21/etc/openldap/slapdcert.pem
[root@localhost ssl]# cp newreq.pem /usr/local/openldap-2.4.21/etc/openldap/slapdkey.pem
[root@localhost ssl]# chmod 600 /usr/local/openldap-2.4.21/etc/openldap/slapdkey.pem
[root@localhost openldap]# vi /usr/local/openldap-2.4.21/etc/openldap/slapd.conf
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /usr/local/openldap-2.4.21/etc/openldap/cacerts/cacert.pem
TLSCertificateFile /usr/local/openldap-2.4.21/etc/openldap/slapdcert.pem
TLSCertificateKeyFile /usr/local/openldap-2.4.21/etc/openldap/slapdkey.pem
Edit the client's /etc/openldap/ldap.conf (copy the CA's cacert.pem from the server to /etc/openldap/cacerts/ on the client first; without it the client cannot verify the server certificate)
[root@localhost etc]# vi ldap.conf
TLS_CACERT /etc/openldap/cacerts/cacert.pem
Restart the client's sshd
[root@localhost etc]# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
Check the LDAP server log:
conn=1004 fd=14 ACCEPT from IP=192.168.100.153:58390 (IP=0.0.0.0:389)
conn=1004 op=0 EXT oid=1.3.6.1.4.1.1466.20037
conn=1004 op=0 STARTTLS
conn=1004 op=0 RESULT oid= err=0 text=
conn=1004 fd=14 TLS established tls_ssf=256 ssf=256
conn=1004 op=1 BIND dn="cn=Manager,dc=hsf,dc=com" method=128
conn=1004 op=1 BIND dn="cn=Manager,dc=hsf,dc=com" mech=SIMPLE ssf=0
conn=1004 op=1 RESULT tag=97 err=0 text=
Seeing STARTTLS followed by "TLS established" before the BIND means it is working.
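Eyeballing the log for a STARTTLS line works for one connection; for a server that many clients bind to, it is more useful to run the same check over the whole log. The following added example (not code from the original post) parses slapd stats-log lines in the format shown above (loglevel 256), tracks per connection whether TLS was established, and reports every simple bind whose password went over the wire without TLS, plus every bind that failed. The sample log is constructed: conn 1004 is the page's successful STARTTLS exchange, and conn 1005 is a second, made-up connection that binds in the clear and gets err=49 (invalidCredentials), which is what a wrong LpkBindPw looks like from the server side.

```python
import re
from typing import Dict, List, Tuple

# Constructed slapd stats-log lines (loglevel 256) in the format shown above:
# conn 1004 negotiates STARTTLS before binding; conn 1005 binds in the clear and fails.
SAMPLE_LOG = """\
conn=1004 fd=14 ACCEPT from IP=192.168.100.153:58390 (IP=0.0.0.0:389)
conn=1004 op=0 EXT oid=1.3.6.1.4.1.1466.20037
conn=1004 op=0 STARTTLS
conn=1004 op=0 RESULT oid= err=0 text=
conn=1004 fd=14 TLS established tls_ssf=256 ssf=256
conn=1004 op=1 BIND dn="cn=Manager,dc=hsf,dc=com" method=128
conn=1004 op=1 BIND dn="cn=Manager,dc=hsf,dc=com" mech=SIMPLE ssf=0
conn=1004 op=1 RESULT tag=97 err=0 text=
conn=1005 fd=15 ACCEPT from IP=192.168.100.153:58391 (IP=0.0.0.0:389)
conn=1005 op=0 BIND dn="cn=Manager,dc=hsf,dc=com" method=128
conn=1005 op=0 BIND dn="cn=Manager,dc=hsf,dc=com" mech=SIMPLE ssf=0
conn=1005 op=0 RESULT tag=97 err=49 text=
"""

LINE_RE = re.compile(r"^conn=(\d+)\s+(.*)$")
ACCEPT_RE = re.compile(r"ACCEPT from IP=([\d.]+):\d+")
BIND_RE = re.compile(r'op=(\d+) BIND dn="([^"]*)" mech=SIMPLE')
RESULT_RE = re.compile(r"op=(\d+) RESULT tag=97 err=(\d+)")   # tag 97 = BindResponse


def audit_connections(log_text: str) -> Dict[str, dict]:
    """Per connection: client IP, whether TLS was established, and every simple
    bind with its result code and whether TLS was already up when it happened.
    (The 'ssf=0' on the mech=SIMPLE line is the SASL ssf; TLS ssf is separate.)"""
    conns: Dict[str, dict] = {}
    pending: Dict[Tuple[str, str], Tuple[str, bool]] = {}  # (conn, op) -> (dn, tls at bind)
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        conn, rest = m.groups()
        c = conns.setdefault(conn, {"client": None, "tls": False, "binds": []})
        accept, bind, result = ACCEPT_RE.search(rest), BIND_RE.search(rest), RESULT_RE.search(rest)
        if accept:
            c["client"] = accept.group(1)
        elif "TLS established" in rest:
            c["tls"] = True
        elif bind:
            pending[(conn, bind.group(1))] = (bind.group(2), c["tls"])
        elif result and (conn, result.group(1)) in pending:
            dn, tls = pending.pop((conn, result.group(1)))
            c["binds"].append({"dn": dn, "err": int(result.group(2)), "tls": tls})
    return conns


def plaintext_simple_binds(log_text: str) -> List[Tuple[str, str]]:
    """Simple binds whose password crossed the wire without TLS: with
    LpkForceTLS no, this is what a failed STARTTLS degrades to."""
    return [(conn, b["dn"]) for conn, c in audit_connections(log_text).items()
            for b in c["binds"] if not b["tls"]]


def failed_binds(log_text: str) -> List[Tuple[str, str, int]]:
    """Binds with a non-zero result (49 = invalidCredentials), e.g. a wrong bind password."""
    return [(conn, b["dn"], b["err"]) for conn, c in audit_connections(log_text).items()
            for b in c["binds"] if b["err"] != 0]


if __name__ == "__main__":
    for conn, c in audit_connections(SAMPLE_LOG).items():
        print(conn, c["client"], "tls" if c["tls"] else "plain", c["binds"])
    print("plaintext binds:", plaintext_simple_binds(SAMPLE_LOG))
    print("failed binds:", failed_binds(SAMPLE_LOG))
```

Pointed at /var/log/ldap.log (the file syslog was told to write above), an empty plaintext_simple_binds result is the confirmation that every client really is using STARTTLS, and a non-empty one tells you which client IP still needs its ldap.conf or LpkForceTLS fixed.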
Configure the certificate on ldap node2
Copy the cacert.pem, newcert.pem and newreq.pem generated above to the corresponding locations on the second server and fix the permissions.
Update slapd.conf and restart the LDAP service.
With master-master LDAP, the client configuration needs the IPs of both masters:
[root@localhost etc]# cat /etc/ldap.conf | grep -v '#' | grep -v '^$'
host 192.168.100.151 192.168.100.152
URI ldap://192.168.100.151 ldap://192.168.100.152
BASE dc=hsf,dc=com
SUDOERS_BASE ou=SUDOers,dc=hsf,dc=com
pam_password md5
[root@localhost etc]# cat /etc/openldap/ldap.conf | grep -v '#' | grep -v '^$'
TIMELIMIT 30
BIND_TIMELIMIT 30
BASE dc=hsf,dc=com
SUDOERS_BASE ou=SUDOers,dc=hsf,dc=com
TLS_CACERT /etc/openldap/cacerts/cacert.pem
Restart the client sshd
User authentication management based on openldap + openssh-lpk + sudo + tls is complete.