
ldap实现Linux登录账号统一管理-Client

2017-05-07  本文已影响3939人  Lisong
实验环境

一台Centos 6.8 安装ldap server
一台Centos 6.8安装ldap client

修改hosts文件,使IP对应域名
本环境中没有使用dns ,由hosts文件代替

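# No DNS in this lab: the LDAP server name is resolved through /etc/hosts instead.
# The append is guarded so that re-running this step does not add the same
# entry to /etc/hosts a second time (the original echo >> appended unconditionally).
ldap_ip=192.168.85.129
ldap_host=dev.com
grep -qF -- "$ldap_host" /etc/hosts \
  || printf '%s    %s\n' "$ldap_ip" "$ldap_host" >> /etc/hosts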
关闭防火墙
# Lab-only shortcut: the host firewall is switched off for this boot and
# disabled for later boots. Outside a lab the firewall would stay on and only
# the LDAP port(s) the client needs would be opened.
chkconfig iptables off
service iptables stop
关闭selinux
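# Lab-only shortcut: SELinux is put into permissive mode now (setenforce 0)
# and disabled for later boots.
setenforce 0
# On CentOS 6 /etc/sysconfig/selinux is a symlink to /etc/selinux/config.
# GNU `sed -i` on a symlink replaces the link with a regular file and leaves the
# real config untouched, so SELinux would come back enforcing after a reboot;
# edit the target file directly. The pattern is anchored so that commented
# example lines ("# SELINUX=enforcing ...") are not rewritten.
sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config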
软件安装
# Client-side packages: nss-pam-ldapd provides nslcd plus the NSS/PAM glue,
# openldap-clients provides the command-line LDAP tools.
pkgs=(nss-pam-ldapd openldap-clients)
yum install -y "${pkgs[@]}"
配置openLDAP-client
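# Back up nsswitch.conf, then let NSS resolve passwd/shadow/group through LDAP
# in addition to the local files. The grep guard keeps the step idempotent:
# the original sed appended "  ldap" again on every run.
cp /etc/nsswitch.conf /etc/nsswitch.conf.old
for db in passwd shadow group; do
  grep -qE "^${db}:.*[[:space:]]ldap([[:space:]]|$)" /etc/nsswitch.conf \
    || sed -i "/^${db}:.*$/s//&  ldap/" /etc/nsswitch.conf
done

# OpenLDAP client-library defaults (/etc/openldap/ldap.conf).
# - BASE was originally written as "dc=dev,dec=com" (typo); it must match the
#   suffix used in pam_ldap.conf and nslcd.conf (dc=dev,dc=com).
# - "host" is the deprecated form of URI and is kept only for compatibility;
#   URI takes precedence.
# - ldap:// without TLS sends simple-bind credentials in clear text over the
#   network. That is acceptable only for this isolated lab; outside it use
#   ldaps:// or STARTTLS (TLS_CACERT / TLS_REQCERT) instead of "ssl off".
cp /etc/openldap/ldap.conf /etc/openldap/ldap.conf.old
cat >> /etc/openldap/ldap.conf <<'EOF'
host 192.168.85.129
BASE dc=dev,dc=com
URI ldap://dev.com ldap://dev.com:389
ssl off
EOF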
启用LDAP身份验证机制
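# Record the authentication choices in authconfig's state file.
# NOTE(review): writing this file does not by itself change PAM/NSS; the PAM and
# nslcd files are written by hand further below. If `authconfig` is run later it
# reads these flags and regenerates /etc/pam.d/system-auth from them, so they
# should agree with the hand-written PAM stack (USELDAP/USELDAPAUTH=yes,
# PASSWDALGORITHM=sha512 matching the "sha512" option on the pam_unix line).
# The trailing space after "sha512" in the original is removed so the value is
# exactly "sha512". USEMD5=yes is kept as the author had it.
cp /etc/sysconfig/authconfig /etc/sysconfig/authconfig.old
cat > /etc/sysconfig/authconfig <<'EOF'
IPADOMAINJOINED=no
USEMKHOMEDIR=no
USEPAMACCESS=no
CACHECREDENTIALS=yes
USESSSDAUTH=no
USESHADOW=yes
USEWINBIND=no
USEDB=no
USEFPRINTD=yes
FORCESMARTCARD=no
PASSWDALGORITHM=sha512
USELDAPAUTH=yes
USEPASSWDQC=no
IPAV2NONTP=no
USELOCAUTHORIZE=yes
USECRACKLIB=yes
USEIPAV2=no
USEWINBINDAUTH=no
USESMARTCARD=no
USELDAP=yes
USENIS=no
USEKERBEROS=no
USESYSNETAUTH=no
USESSSD=no
USEHESIOD=no
USEMD5=yes
FORCELEGACY=no
EOF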
pam 认证
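# pam_ldap configuration. The original ran `sed` without -i, which only printed
# the file to stdout and never commented anything out; -i edits in place.
# (The `g` flag is dropped: with a ^ anchor there is at most one match per line.)
cp /etc/pam_ldap.conf /etc/pam_ldap.conf.old
sed -i 's/^host/#&/' /etc/pam_ldap.conf
sed -i 's/^base/#&/' /etc/pam_ldap.conf
# pam_ldap.conf uses "keyword value" (whitespace separated); the original
# "host=192.168.85.129" does not follow that form, so it is written with a
# space. uri takes precedence over host anyway.
# ldap:// without TLS carries the user's password in clear text to the server;
# lab only — use ldaps:// (or ssl start_tls) outside the lab.
cat >> /etc/pam_ldap.conf <<'EOF'
host 192.168.85.129
base dc=dev,dc=com
uri ldap://dev.com
EOF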
nslcd 服务
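# nslcd configuration. As done for pam_ldap.conf above, any uri/base lines that
# are already active in the packaged file are commented out first, so the
# appended values are the only ones nslcd sees (otherwise the appended lines
# would just be added to whatever list is already there).
cp /etc/nslcd.conf /etc/nslcd.conf.old
sed -i 's/^uri/#&/' /etc/nslcd.conf
sed -i 's/^base/#&/' /etc/nslcd.conf
# Clear-text ldap:// — acceptable for this isolated lab only; nslcd supports
# ldaps:// and "ssl start_tls" for anything else.
cat >> /etc/nslcd.conf <<'EOF'
uri ldap://dev.com
base dc=dev,dc=com
EOF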

编辑系统认证文件,保证使用LDAP来认证

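# Write the system-wide PAM stack so that local accounts are tried first and
# LDAP accounts second.
# Defects in the original, as rendered on the page:
# - `cat > file <EOF` is a single-`<` redirect from a file literally named
#   "EOF"; it truncates system-auth and then fails, leaving an empty PAM stack
#   (no logins). The here-document needs `<<EOF`.
# - the leading "#" of the header comments and the blank/</b> lines were lost
#   in rendering; they are restored/removed here.
# NOTE(review): on CentOS 6 system-auth is normally a symlink to
# system-auth-ac; `cat >` writes through the link. Running `authconfig`
# afterwards regenerates the file, as the header says.
# NOTE(review): the session line uses pam_mkhomedir while the authconfig state
# file above sets USEMKHOMEDIR=no — confirm which one is intended.
# The pam_ldap.so auth line forwards the user's password to the server over
# the ldap:// URI configured in pam_ldap.conf (clear text) — lab only.
cp /etc/pam.d/system-auth /etc/pam.d/system-auth.old
cat > /etc/pam.d/system-auth <<'EOF'
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0022
EOF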

重启nslcd服务

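# Restart nslcd so it reads the new nslcd.conf, and enable it at boot —
# the page never enables the service, so LDAP lookups (and therefore LDAP
# logins) would stop working after the first reboot.
service nslcd restart
chkconfig nslcd on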


