• OpenLDAP host access control (hostname-based)


    http://mayiwei.com/2013/03/21/centos6-openldap/
    http://www.zytrax.com/books/ldap/ch11/dynamic.html

    https://www.linux.com/blog/centralized-authentication-openldap

    https://live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/304/1/How_to_Work_with_UserID_and_OpenLDAP_Dynamic_Groups.pdf

    http://serverfault.com/questions/643650/ssh-access-to-hosts-groups-based-on-user-groups-using-ldap

    https://www.jqlinux.com/archives/600
    http://blog.oddbit.com/2013/07/22/generating-a-membero/

    Documentation
    man slapo-dynlist

    Import the ldapns.schema schema (it provides the hostObject object class)

    https://github.com/openldap/openldap/blob/master/contrib/slapd-modules/nssov/ldapns.schema

    cat > /etc/openldap/schema/ldapns.schema << _EOF_
    # $OpenLDAP$
    # $Id: ldapns.schema,v 1.3 2009-10-01 19:17:20 tedcheng Exp $
    # LDAP Name Service Additional Schema
    # http://www.iana.org/assignments/gssapi-service-names
    
    #
    # Not part of the distribution: this is a workaround!
    #
    
    attributetype ( 1.3.6.1.4.1.5322.17.2.1 NAME 'authorizedService'
              DESC 'IANA GSS-API authorized service name'
              EQUALITY caseIgnoreMatch
              SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
    
    attributetype ( 1.3.6.1.4.1.5322.17.2.2 NAME 'loginStatus'
              DESC 'Currently logged in sessions for a user'
              EQUALITY caseIgnoreMatch
              SUBSTR caseIgnoreSubstringsMatch
              ORDERING caseIgnoreOrderingMatch
              SYNTAX OMsDirectoryString )
    
    objectclass ( 1.3.6.1.4.1.5322.17.1.1 NAME 'authorizedServiceObject'
              DESC 'Auxiliary object class for adding authorizedService attribute'
              SUP top
              AUXILIARY
              MAY authorizedService )
    
    objectclass ( 1.3.6.1.4.1.5322.17.1.2 NAME 'hostObject'
              DESC 'Auxiliary object class for adding host attribute'
              SUP top
              AUXILIARY
              MAY host )
    
    objectclass ( 1.3.6.1.4.1.5322.17.1.3 NAME 'loginStatusObject'
              DESC 'Auxiliary object class for login status attribute'
              SUP top
              AUXILIARY
              MAY loginStatus )
    _EOF_
    

    /etc/openldap/slapd.conf

    include     /etc/openldap/schema/ldapns.schema
    
    modulepath /usr/lib64/openldap
    moduleload dynlist.la
    
    overlay dynlist
    dynlist-attrset inetOrgPerson labeledURI
    
    rm -rf /etc/openldap/slapd.d/*
    slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
    chown -R ldap:ldap /etc/openldap/slapd.d
    systemctl restart slapd
    

    Define the host list groups

    cat << _EOF_ | ldapadd -x -W -H ldaps:/// -D cn=Manager,dc=suntv,dc=tv
    dn: ou=servers,dc=suntv,dc=tv
    objectClass: organizationalUnit
    ou: servers
    
    dn: ou=ophost,ou=servers,dc=suntv,dc=tv
    objectClass: organizationalUnit
    objectClass: hostObject
    ou: ophost
    host: client-1-21
    host: client-1-22
    
    dn: ou=devhost,ou=servers,dc=suntv,dc=tv
    objectClass: organizationalUnit
    objectClass: hostObject
    ou: devhost
    host: client-1-31
    host: client-1-32
    _EOF_
    

    Define the user groups

    cat << _EOF_ | ldapadd -x -W -H ldaps:/// -D cn=Manager,dc=suntv,dc=tv
    dn: ou=people,dc=suntv,dc=tv
    objectClass: organizationalUnit
    ou: people
    
    dn: ou=group,dc=suntv,dc=tv
    objectClass: organizationalUnit
    ou: group
    
    dn: cn=opteam,ou=group,dc=suntv,dc=tv
    objectClass: posixGroup
    cn: opteam
    gidNumber: 2001
    
    dn: cn=devteam,ou=group,dc=suntv,dc=tv
    objectClass: posixGroup
    cn: devteam
    gidNumber: 2002
    _EOF_
    

    Define the users

    cat << _EOF_ | ldapadd -x -W -H ldaps:/// -D cn=Manager,dc=suntv,dc=tv
    dn: uid=op01,ou=people,dc=suntv,dc=tv
    objectClass: posixAccount
    objectClass: shadowAccount
    objectClass: person
    objectClass: inetOrgPerson
    objectClass: hostObject
    cn: op01
    sn: op01
    uid: op01
    userPassword: 123456
    uidNumber: 1001
    gidNumber: 2001
    gecos: opteam
    homeDirectory: /home/op01
    loginShell: /bin/bash
    shadowLastChange: 15000
    shadowMin: 0
    shadowMax: 999999
    shadowWarning: 7
    shadowExpire: -1
    mobile: 13900001001
    mail: op01@abc.com
    labeledURI: ldap:///ou=ophost,ou=servers,dc=suntv,dc=tv?host
    _EOF_
    
    cat << _EOF_ | ldapadd -x -W -H ldaps:/// -D cn=Manager,dc=suntv,dc=tv
    dn: uid=dev01,ou=people,dc=suntv,dc=tv
    objectClass: posixAccount
    objectClass: shadowAccount
    objectClass: person
    objectClass: inetOrgPerson
    objectClass: hostObject
    cn: dev01
    sn: dev01
    uid: dev01
    userPassword: 123456
    uidNumber: 1002
    gidNumber: 2002
    gecos: opteam
    homeDirectory: /home/dev01
    loginShell: /bin/bash
    shadowLastChange: 15000
    shadowMin: 0
    shadowMax: 999999
    shadowWarning: 7
    shadowExpire: -1
    mobile: 13900001002
    mail: dev01@abc.com
    labeledURI: ldap:///ou=devhost,ou=servers,dc=suntv,dc=tv?host
    _EOF_
    

    Tested successfully. However, nss-pam-ldap is only usable on CentOS 6.x.
    The host attribute must match the FQDN of the host the user logs in to, so either resolve it via DNS or specify it in /etc/hosts.

    Client
    cat pam_ldap.conf
    pam_check_host_attr yes
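    The following is an added example, not code from the original post: it simulates, offline, what the dynlist overlay (dynlist-attrset inetOrgPerson labeledURI) and the client's pam_check_host_attr setting decide for the entries built above. The entries are constructed inline, and the LDAP URL parser assumes only the ldap:///base?attrs form used on this page (base scope, no filter).

```python
# Added example (not from the original post): simulate the dynlist overlay
# expanding labeledURI into 'host' values, then the pam_check_host_attr
# check a client performs. Sample entries are constructed; base-scope URLs only.

SAMPLE_LDIF = """\
dn: ou=ophost,ou=servers,dc=suntv,dc=tv
objectClass: hostObject
ou: ophost
host: client-1-21
host: client-1-22

dn: uid=op01,ou=people,dc=suntv,dc=tv
objectClass: inetOrgPerson
objectClass: hostObject
labeledURI: ldap:///ou=ophost,ou=servers,dc=suntv,dc=tv?host
"""

def parse_ldif(text):
    """Return {dn_lower: {attr_lower: [values]}} for simple, unwrapped LDIF."""
    entries, cur = {}, None
    for line in text.splitlines():
        if not line.strip():
            cur = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            cur = entries.setdefault(value.lower(), {})
        elif cur is not None:
            cur.setdefault(attr, []).append(value)
    return entries

def expand_dynlist(entries, dn):
    """Copy the attributes named in each ldap:///base?attrs URI into a copy of the entry."""
    entry = {k: list(v) for k, v in entries[dn.lower()].items()}
    if "inetorgperson" not in map(str.lower, entry.get("objectclass", [])):
        return entry  # the overlay only rewrites entries of the configured class
    for uri in entry.get("labeleduri", []):
        base, _, rest = uri[len("ldap:///"):].partition("?")
        target = entries.get(base.lower(), {})  # dangling URI adds nothing
        for attr in rest.split("?")[0].split(","):
            a = attr.strip().lower()
            entry.setdefault(a, []).extend(target.get(a, []))
    return entry

def host_login_allowed(entries, user_dn, fqdn):
    """pam_check_host_attr yes: the client's FQDN must appear in 'host'."""
    hosts = expand_dynlist(entries, user_dn).get("host", [])
    return any(h.lower() == fqdn.lower() for h in hosts)
```

    A user whose labeledURI points at a missing ou, or whose entry lacks inetOrgPerson, ends up with no host values and is denied everywhere, which is the safe failure mode.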

  • Original URL: https://www.cnblogs.com/liujitao79/p/5907103.html