openldap主机访问控制(基于hostname)

http://mayiwei.com/2013/03/21/centos6-openldap/

http://www.zytrax.com/books/ldap/ch11/dynamic.html

https://www.linux.com/blog/centralized-authentication-openldap

https://live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/304/1/How_to_Work_with_UserID_and_OpenLDAP_Dynamic_Groups.pdf

http://serverfault.com/questions/643650/ssh-access-to-hosts-groups-based-on-user-groups-using-ldap

https://www.jqlinux.com/archives/600

http://blog.oddbit.com/2013/07/22/generating-a-membero/

文档

man slapo-dynlist

导入ldapns.schema方案,(hostObject类属性)

https://github.com/openldap/openldap/blob/master/contrib/slapd-modules/nssov/ldapns.schema

cat > /etc/openldap/schema/ldapns.schema << _EOF_
# $OpenLDAP$
# $Id: ldapns.schema,v 1.3 2009-10-01 19:17:20 tedcheng Exp $
# LDAP Name Service Additional Schema
# http://www.iana.org/assignments/gssapi-service-names #
# Not part of the distribution: this is a workaround!
# attributetype ( 1.3.6.1.4.1.5322.17.2.1 NAME 'authorizedService'
DESC 'IANA GSS-API authorized service name'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) attributetype ( 1.3.6.1.4.1.5322.17.2.2 NAME 'loginStatus'
DESC 'Currently logged in sessions for a user'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
ORDERING caseIgnoreOrderingMatch
SYNTAX OMsDirectoryString ) objectclass ( 1.3.6.1.4.1.5322.17.1.1 NAME 'authorizedServiceObject'
DESC 'Auxiliary object class for adding authorizedService attribute'
SUP top
AUXILIARY
MAY authorizedService ) objectclass ( 1.3.6.1.4.1.5322.17.1.2 NAME 'hostObject'
DESC 'Auxiliary object class for adding host attribute'
SUP top
AUXILIARY
MAY host ) objectclass ( 1.3.6.1.4.1.5322.17.1.3 NAME 'loginStatusObject'
DESC 'Auxiliary object class for login status attribute'
SUP top
AUXILIARY
MAY loginStatus )
_EOF_

/etc/openldap/slapd.conf

include     /etc/openldap/schema/ldapns.schema

modulepath /usr/lib64/openldap
moduleload dynlist.la overlay dynlist
dynlist-attrset inetOrgPerson labeledURI
rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
chown -R ldap:ldap /etc/openldap/slapd.d
systemctl restart slapd

定义主机列表组

cat << _EOF_ | ldapadd -x -W -H ldaps:/// -D cn=Manager,dc=suntv,dc=tv
dn: ou=servers,dc=suntv,dc=tv
objectClass: organizationalUnit
ou: servers dn: ou=ophost,ou=servers,dc=suntv,dc=tv
objectClass: organizationalUnit
objectClass: hostObject
ou: ophost
host: client-1-21
host: client-1-22 dn: ou=devhost,ou=servers,dc=suntv,dc=tv
objectClass: organizationalUnit
objectClass: hostObject
ou: devhost
host: client-1-31
host: client-1-32
_EOF_

定义用户组

cat << _EOF_ | ldapadd -x -W -H ldaps:/// -D cn=Manager,dc=suntv,dc=tv
dn: ou=people,dc=suntv,dc=tv
objectClass: organizationalUnit
ou: people dn: ou=group,dc=suntv,dc=tv
objectClass: organizationalUnit
ou: group dn: cn=opteam,ou=group,dc=suntv,dc=tv
objectClass: posixGroup
cn: opteam
gidNumber: 2001 dn: cn=devteam,ou=group,dc=suntv,dc=tv
objectClass: posixGroup
cn: devteam
gidNumber: 2002
_EOF_

定义用户

cat << _EOF_ | ldapadd -x -W -H ldaps:/// -D cn=Manager,dc=suntv,dc=tv
dn: uid=op01,ou=people,dc=suntv,dc=tv
objectClass: posixAccount
objectClass: shadowAccount
objectClass: person
objectClass: inetOrgPerson
objectClass: hostObject
cn: op01
sn: op01
uid: op01
userPassword: 123456
uidNumber: 1001
gidNumber: 2001
gecos: opteam
homeDirectory: /home/op01
loginShell: /bin/bash
shadowLastChange: 15000
shadowMin: 0
shadowMax: 999999
shadowWarning: 7
shadowExpire: -1
mobile: 13900001001
mail: op01@abc.com
labeledURI: ldap:///ou=ophost,ou=servers,dc=suntv,dc=tv?host
_EOF_
cat << _EOF_ | ldapadd -x -W -H ldaps:/// -D cn=Manager,dc=suntv,dc=tv
dn: uid=dev01,ou=people,dc=suntv,dc=tv
objectClass: posixAccount
objectClass: shadowAccount
objectClass: person
objectClass: inetOrgPerson
objectClass: hostObject
cn: dev01
sn: dev01
uid: dev01
userPassword: 123456
uidNumber: 1002
gidNumber: 2002
gecos: opteam
homeDirectory: /home/dev01
loginShell: /bin/bash
shadowLastChange: 15000
shadowMin: 0
shadowMax: 999999
shadowWarning: 7
shadowExpire: -1
mobile: 13900001002
mail: dev01@abc.com
labeledURI: ldap:///ou=devhost,ou=servers,dc=suntv,dc=tv?host
_EOF_

已经测试成功。但是nss-pam-ldap仅centos 6.x可用。

host属性需要获取登录主机hostname的fdqn,要不用dns,要不在/etc/hosts里指定。

客户端

cat pam_ldap.conf

pam_check_host_attr yes

上一篇:java中JDBC报错(一)


下一篇:Java Web项目报错总结