Centos 7 搭建Openldap,使用lam做web管理

一、搭建Openldap

1、安裝openldap 服務

[root@node3 ~]# yum install -y epel-release openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel migrationtools

2、初始化openldap服務管理權限

[root@node3 ~]# slappasswd -s 123456

{SSHA}gn0ZWIBguTeY2n/AVaTxuNc1tn/kxiiW

[root@node3 ~]# sed -i 's/cn=Manager/cn=admin/g' /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}hdb.ldif

[root@node3 ~]# sed -i 's/dc=my-domain,dc=com/dc=ldaptest,dc=com,dc=cn/g'  /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}hdb.ldif

[root@node3 ~]# vim /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}hdb.ldif

olcSuffix: dc=ldaptest,dc=com,dc=cn

olcRootDN: cn=admin,dc=ldaptest,dc=com,dc=cn

olcRootPW: {SSHA}gn0ZWIBguTeY2n/AVaTxuNc1tn/kxiiW

[root@node3 ~]# sed -i 's/cn=Manager,dc=my-domain,dc=com/cn=admin,dc=ldaptest,dc=com,dc=cn/g' /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}monitor.ldif

[root@node3 ~]# vim /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}monitor.ldif

olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern

 al,cn=auth" read by dn.base="cn=admin,dc=ldaptest,dc=com,dc=cn" read by * none

[root@node3 ~]# slaptest -u

5bea3013 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif"

5bea3013 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif"

config file testing succeeded

[root@node3 ~]# 

[root@node3 ~]# systemctl restart slapd

3、配置Openldap數據庫

[root@node3 ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

[root@node3 ~]# chown ldap.ldap -R /var/lib/ldap/

[root@node3 ~]# chmod 700 -R /var/lib/ldap/

[root@node3 ~]# ll /var/lib/ldap/

total 324

-rwx------. 1 ldap ldap 2048 Nov 13 09:59 alock

-rwx------. 1 ldap ldap 262144 Nov 13 09:59 __db.001

-rwx------. 1 ldap ldap 32768 Nov 13 09:59 __db.002

-rwx------. 1 ldap ldap 49152 Nov 13 09:59 __db.003

-rwx------. 1 ldap ldap 845 Nov 13 10:00 DB_CONFIG

-rwx------. 1 ldap ldap 8192 Nov 13 09:59 dn2id.bdb

-rwx------. 1 ldap ldap 32768 Nov 13 09:59 id2entry.bdb

-rwx------. 1 ldap ldap 10485760 Nov 13 09:59 log.0000000001

[root@node3 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif 

SASL/EXTERNAL authentication started

SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

SASL SSF: 0

adding new entry "cn=cosine,cn=schema,cn=config"

[root@node3 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif

SASL/EXTERNAL authentication started

SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

SASL SSF: 0

adding new entry "cn=nis,cn=schema,cn=config"

You have mail in /var/spool/mail/root

[root@node3 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif 

SASL/EXTERNAL authentication started

SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

SASL SSF: 0

adding new entry "cn=inetorgperson,cn=schema,cn=config"

4、初始化組織架構及添加初始用戶和組

[root@node3 ~]# vim /usr/share/migrationtools/migrate_common.ph

$DEFAULT_MAIL_DOMAIN = "ldaptest.com.cn";

$DEFAULT_BASE = "dc=ldaptest,dc=com,dc=cn";

$EXTENDED_SCHEMA = 1;

[root@node3 ~]# groupadd OPS

[root@node3 ~]# groupadd HR

[root@node3 ~]# useradd -g OPS charles

[root@node3 ~]# useradd -g HR fiona

[root@node3 ~]# echo "123456" | passwd --stdin charles

Changing password for user charles.

passwd: all authentication tokens updated successfully.

[root@node3 ~]# echo "123456" | passwd --stdin fiona

Changing password for user fiona.

passwd: all authentication tokens updated successfully.

[root@node3 ~]# grep "OPS" /etc/group > groups

[root@node3 ~]# grep "HR" /etc/group >> groups

[root@node3 ~]# grep "charles" /etc/passwd > users

[root@node3 ~]# grep "fiona" /etc/passwd >> users

[root@node3 ~]# /usr/share/migrationtools/migrate_passwd.pl users > users.ldif      

[root@node3 ~]# /usr/share/migrationtools/migrate_group.pl groups > groups.ldif

[root@node3 ~]# vim base.ldif

dn: dc=ldaptest,dc=com,dc=cn

o: ldaptest.com.cn

dc: ldaptest

objectClass: top

objectClass: dcObject

objectclass: organization

dn: cn=admin,dc=ldaptest,dc=com,dc=cn

cn: admin

objectClass: organizationalRole

description: Directory Manager

dn: ou=People,dc=ldaptest,dc=com,dc=cn

ou: People

objectClass: top

objectClass: organizationalUnit

dn: ou=Group,dc=ldaptest,dc=com,dc=cn

ou: Group

objectClass: top

objectClass: organizationalUnit

[root@node3 ~]# ldapadd -x -w "123456" -D "cn=admin,dc=ldaptest,dc=com,dc=cn" -f base.ldif

[root@node3 ~]# ldapadd -x -w "123456" -D "cn=admin,dc=ldaptest,dc=com,dc=cn" -f users.ldif 

[root@node3 ~]# ldapadd -x -w "123456" -D "cn=admin,dc=ldaptest,dc=com,dc=cn" -f groups.ldif 

5、啟用Openldap服務的日志記錄功能

[root@node3 ~]# vim loglevel.ldif 

dn: cn=config

changetype: modify

replace: olcLogLevel

olcLogLevel: stats

[root@node3 ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f loglevel.ldif 

SASL/EXTERNAL authentication started

SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

SASL SSF: 0

modifying entry "cn=config"

[root@node3 ~]# vim /etc/rsyslog.conf

local4.* /var/log/slapd/slapd.log

[root@node3 ~]# systemctl restart rsyslog

[root@node3 ~]# systemctl restart slapd

6、禁止用戶匿名登錄

[root@node3 ~]# vim disable_anon.ldif 

dn: cn=config

changetype: modify

add: olcDisallows

olcDisallows: bind_anon

dn: cn=config

changetype: modify

add: olcRequires

olcRequires: authc

dn: olcDatabase={-1}frontend,cn=config

changetype: modify

add: olcRequires

olcRequires: authc

[root@node3 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /root/disable_anon.ldif

SASL/EXTERNAL authentication started

SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

SASL SSF: 0

modifying entry "cn=config"

modifying entry "cn=config"

modifying entry "olcDatabase={-1}frontend,cn=config"

二、搭建ldap account manager 管理Openldap服務

本例中我安裝的是lam 6.5 的版本，從官網的changelog上來看，此版本已經不支持使用httpd 2.2，且要求的php版本為7.2或以上，詳情可查看：https://www.ldap-account-manager.org/lamcms/changelog

1、安裝httpd服務及php 7.2

[root@node3 src]# yum install -y httpd

#移除當前系統中安裝的php版本

[root@node3 src]# yum -y remove php*

[root@node3 src]# rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm 

[root@node3 src]# rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm 

[root@node3 src]# yum install -y php72w php72w-ldap php72w-gd php72w-common

2、下載安裝lam

[root@node3 ~]# cd /usr/local/src/

[root@node3 src]# wget https://nchc.dl.sourceforge.net/project/lam/LAM/6.5/ldap-account-manager-6.5.tar.bz2

[root@node3 src]# tar jxf ldap-account-manager-6.5.tar.bz2

[root@node3 src]# mv ldap-account-manager-6.5 /var/www/html/ldap

[root@node3 src]# cd /var/www/html/ldap/config

[root@node3 config]# cp config.cfg.sample config.cfg

[root@node3 config]# cp unix.conf.sample lam.conf

[root@node3 config]# sed -i "s/dc=my-domain,dc=com/dc=ldaptest,dc=com,dc=cn/g" lam.conf

[root@node3 config]# sed -i "s/cn=Manager/cn=admin/g" lam.conf 

[root@node3 config]# sed -i "s/dc=yourdomain,dc=org/dc=ldaptest,dc=com,dc=cn/g" lam.conf 

[root@node3 config]# chown -R apache.apache /var/www/html/ldap/

[root@node3 config]# systemctl start httpd

image.png

三、配置Centos 7 使用openldap服務作為認證源

1、安裝openldap 客戶端軟件

[root@localhost ~]# yum install -y openldap-clients nss-pam-ldapd

2、修改nslcd配置文件

[root@localhost ~]# vim /etc/nslcd.conf

uri ldap://10.10.10.11/

base dc=ldaptest,dc=com,dc=cn

binddn cn=admin,dc=ldaptest,dc=com,dc=cn #若服務器開啟了禁止匿名用戶訪問，需要在客戶端配置具有讀權限的賬號和密碼才能驗證成功。注意：這裡直接使用了目錄管理員(rootDN)賬號，其密碼會以明文存放在客戶端配置文件中，生產環境應改用僅具讀權限的專用綁定賬號。

bindpw 123456 #同上

rootpwmoddn cn=admin,dc=ldaptest,dc=com,dc=cn

rootpwmodpw 123456

ssl no

tls_cacertdir /etc/openldap/cacerts

3、修改system-auth配置文件

[root@localhost ~]# vim /etc/pam.d/system-auth

auth required pam_env.so

auth sufficient pam_unix.so nullok try_first_pass

auth requisite pam_succeed_if.so uid >= 500 quiet

auth sufficient pam_ldap.so use_first_pass #新增

auth required pam_deny.so

account required pam_unix.so

account sufficient pam_localuser.so

account sufficient pam_succeed_if.so uid < 500 quiet

account [default=bad success=ok user_unknown=ignore] pam_ldap.so #新增

account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3 type=

password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok

password sufficient pam_ldap.so use_authtok #新增

password required pam_deny.so

session optional pam_keyinit.so revoke

session required pam_limits.so

session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid

session optional pam_ldap.so #新增

session required pam_unix.so

4、修改nsswitch.conf 配置文件

[root@localhost ~]# vim /etc/nsswitch.conf

passwd: files ldap

shadow: files ldap

group: files ldap

5、修改authconfig配置文件

[root@localhost ~]# vim /etc/sysconfig/authconfig

USELOCAUTHORIZE=yes

USELDAPAUTH=yes

USELDAP=yes

USESHADOW=yes

6、啟動nslcd服務

[root@localhost ~]# systemctl restart nslcd

#若能通過下述命令獲取openldap認證用戶的相關信息，說明配置成功。

[root@localhost ~]# getent passwd charles

charles:x:1000:1000:charles:/home/charles:/bin/bash

7、配置客戶端登錄自動創建家目錄

[root@localhost ~]# vim /etc/pam.d/system-auth

session optional pam_keyinit.so revoke

session required pam_limits.so

session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid

session required pam_unix.so

session optional pam_ldap.so

#添加創建家目錄的模塊

session optional pam_mkhomedir.so skel=/etc/skel umask=077

[root@localhost ~]# vim /etc/pam.d/sshd 

#%PAM-1.0

auth required pam_sepermit.so

auth include password-auth

account required pam_nologin.so

account include password-auth

password include password-auth

# pam_selinux.so close should be the first session rule

session required pam_selinux.so close

session required pam_loginuid.so

# pam_selinux.so open should only be followed by sessions to be executed in the user context

session required pam_selinux.so open env_params

session required pam_namespace.so

session optional pam_keyinit.so force revoke

session include password-auth

#添加模塊

session required pam_mkhomedir.so

#重啟相應的服務

[root@localhost ~]# service sshd restart

Stopping sshd: [ OK ]

Starting sshd: [ OK ]

[root@localhost ~]# service nslcd restart

Stopping nslcd: [ OK ]

Starting nslcd: [ OK ]

配置完成後，初次使用openldap認證用戶登錄系統時，系統會自動創建該用戶的家目錄。


image.png

四、配置Openldap服務的sudo權限管理

1、在openldap服務器上導入相應的sudo schema
[root@node3 ~]# cp -f /usr/share/doc/sudo-1.8.19p2/schema.OpenLDAP /etc/openldap/schema/sudo.schema
[root@node3 ~]# restorecon /etc/openldap/schema/sudo.schema
[root@node3 ~]# mkdir ~/sudo
[root@node3 ~]# echo "include /etc/openldap/schema/sudo.schema" > ~/sudo/sudoSchema.conf
[root@node3 ~]# slapcat -f ~/sudo/sudoSchema.conf -F /tmp/ -n0 -s "cn={0}sudo,cn=schema,cn=config" > ~/sudo/sudo.ldif
[root@node3 ~]# sed -i "s/{0}sudo/{12}sudo/g" ~/sudo/sudo.ldif
[root@node3 ~]# head -n-8 ~/sudo/sudo.ldif > ~/sudo/sudo-config.ldif
[root@node3 ~]# vim ~/sudo/sudo-config.ldif
[root@node3 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f ~/sudo/sudo-config.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn={12}sudo,cn=schema,cn=config"
[root@node3 ~]# ls /etc/openldap/slapd.d/cn\=config/cn\=schema
cn={0}core.ldif cn={1}cosine.ldif cn={2}nis.ldif cn={3}inetorgperson.ldif cn={4}sudo.ldif
2、定義sudo組及規(guī)則
[root@node3 ~]# vim sudoenv.ldif 

dn: ou=sudoers,dc=ldaptest,dc=com,dc=cn
objectClass: organizationalUnit
ou: sudoers

dn: cn=defaults,ou=sudoers,dc=ldaptest,dc=com,dc=cn
objectClass: sudoRole
cn: defaults
description: Default suduOption's go here
sudoOption: requiretty
sudoOption: always_set_home
sudoOption: env_reset
sudoOption: env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
sudoOption: env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
sudoOption: env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
sudoOption: env_keep+="LC_MONETARY LC_NAME LC_NUMBERIC LC_PAPER LC_TELEPHONE"
sudoOption: env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
sudoOption: secure_path=/sbin:/bin:/usr/sbin/:/usr/bin

[root@node3 ~]# vim sudorules.ldif

dn: cn=%admin,ou=sudoers,dc=ldaptest,dc=com,dc=cn
objectClass: sudoRole
cn: %admin
sudoUser: %admin
sudoHost: ALL
sudoOption: authenticate
sudoCommand: /bin/rm
sudoCommand: /bin/rmdir
sudoCommand: /bin/chmod
sudoCommand: /bin/chown
sudoCommand: /bin/dd
sudoCommand: /bin/mv
sudoCommand: /bin/cp
sudoCommand: /sbin/fsck*
sudoCommand: /sbin/*remove
sudoCommand: /usr/bin/chattr
sudoCommand: /sbin/mkfs*
sudoCommand: !/usr/bin/passwd
sudoOrder: 0

dn: cn=%app,ou=sudoers,dc=ldaptest,dc=com,dc=cn
objectClass: sudoRole
cn: %app
sudoUser: %app
sudoHost: ALL
sudoRunAsUser: appman
sudoOption: !authenticate
sudoCommand: /bin/bash


[root@node3 ~]# ldapadd -D "cn=admin,dc=ldaptest,dc=com,dc=cn" -h 10.10.10.35 -x -W -f sudoenv.ldif 
Enter LDAP Password: 
adding new entry "ou=sudoers,dc=ldaptest,dc=com,dc=cn"

adding new entry "cn=defaults,ou=sudoers,dc=ldaptest,dc=com,dc=cn"

[root@node3 ~]# ldapadd -D "cn=admin,dc=ldaptest,dc=com,dc=cn" -h 10.10.10.35 -x -W -f sudorules.ldif 
Enter LDAP Password: 
adding new entry "cn=%admin,ou=sudoers,dc=ldaptest,dc=com,dc=cn"

adding new entry "cn=%app,ou=sudoers,dc=ldaptest,dc=com,dc=cn"

配置完成後，新增一個名為admin的用戶組，並把相應的管理員用戶添加為該組成員；在配置了從openldap讀取sudo規則的系統中登錄時，該用戶就能獲得相應的sudo權限。

3、在Centos 7 客戶端上配置相關的sudo配置
[root@localhost ~]# vim /etc/nsswitch.conf 
#在文件末尾添加
sudoers: ldap files

[root@localhost ~]# vim /etc/sudo-ldap.conf
binddn cn=admin,dc=ldaptest,dc=com,dc=cn 
bindpw 123456
uri ldap://10.10.10.35
#在文件末尾添加
sudoers_base ou=sudoers,dc=ldaptest,dc=com,dc=cn

配置完成後，可以使用指定用戶登錄客戶端系統，驗證其對應的sudo權限，類似如下：

[charles@localhost ~]$ sudo -l
[sudo] password for charles: 
Matching Defaults entries for charles on localhost:
    requiretty, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION
    LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMBERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME
    LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin:/bin:/usr/sbin/:/usr/bin, !visiblepw,
    always_set_home, match_group_by_gid, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION
    LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME
    LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User charles may run the following commands on localhost:
    (root) PASSWD: /bin/rm, /bin/rmdir, /bin/chmod, /bin/chown, /bin/dd, /bin/mv, /bin/cp, /sbin/fsck*, /sbin/*remove,
        /usr/bin/chattr, /sbin/mkfs*, !/usr/bin/passwd

五、Openldap的用戶密碼管理

1、Openldap服務端加載ppolicy schema
[root@node3 ~]# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/ppolicy.ldif 
adding new entry "cn=ppolicy,cn=schema,cn=config"
2、Openldap服務端加載ppolicy模塊及相應的objectClass
[root@node3 ~]# vim add_module.ldif
dn: cn=module,cn=config
cn: module
objectClass: olcModuleList
olcModulePath: /usr/lib64/openldap

dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy.la

[root@node3 ~]# vim add_objectClass.ldif 

dn: olcOverlay=ppolicy,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=policy,dc=ldaptest,dc=com,dc=cn
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: TRUE


[root@node3 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f add_module.ldif 
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=module,cn=config"

modifying entry "cn=module{0},cn=config"

[root@node3 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f add_objectClass.ldif 
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "olcOverlay=ppolicy,olcDatabase={2}hdb,cn=config"

3、在服務端定義密碼策略組
[root@node3 ~]# vim ppolicy.ldif 

dn: ou=policy,dc=ldaptest,dc=com,dc=cn
objectClass: organizationalUnit
ou: policy
[root@node3 ~]# ldapadd -x -D "cn=admin,dc=ldaptest,dc=com,dc=cn" -h 10.10.10.35 -W -f ppolicy.ldif 
Enter LDAP Password: 
adding new entry "ou=policy,dc=ldaptest,dc=com,dc=cn"
4、在服務(wù)端定義默認(rèn)的密碼規(guī)則
[root@node3 ~]# vim ppolicy_rules.ldif

dn: cn=default,ou=policy,dc=ldaptest,dc=com,dc=cn
cn: default
objectClass: pwdPolicy
objectClass: person
objectClass: pwdPolicyChecker
pwdCheckModule: check_password.so                #調用密碼複雜性檢查模塊（LDIF 不支持行尾註釋，實際寫入文件時須去掉本行及下方的行尾註釋，否則註釋文字會成為屬性值的一部分）
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdExpireWarning: 259200
pwdFailureCountInterval: 0
pwdGraceAuthNLimit: 5
pwdCheckQuality: 1                    #默認為0不檢測密碼強度；1為檢查密碼強度，並調用相應的模塊檢查密碼複雜性，如果模塊不存在，則僅檢測ppolicy設置的屬性；2為強制檢測，如果檢測模塊不存在，則認為檢測失敗。
pwdInHistory: 5
pwdLockout: TRUE
pwdLockoutDuration: 300
pwdMaxAge: 259200
pwdMinAge: 0
pwdMaxFailure: 5
pwdMinLength: 8
pwdMustChange: TRUE
pwdSafeModify: TRUE
pwdReset: TRUE
sn: dummy value
[root@node3 ~]# ldapadd -x -D "cn=admin,dc=ldaptest,dc=com,dc=cn" -h 10.10.10.35 -W -f ppolicy_rules.ldif 
Enter LDAP Password: 
adding new entry "cn=default,ou=policy,dc=ldaptest,dc=com,dc=cn"

[root@node3 ~]# vim /etc/openldap/check_password.conf                 #配置密碼複雜性檢查規則
# OpenLDAP pwdChecker library configuration
#useCracklib 1
minPoints 3        #至少滿足三個規則。此5個規則之間為與關係，會按順序匹配檢查；如果全部啟用，則密碼必須匹配所有規則才算合法。
minUpper 1        #至少1個大寫字母
minLower 1        #至少1個小寫字母
minDigit 1            #至少一個數字
minPunct 1        #至少一個標點符號

5、定義用戶登錄修改密碼
#定義用戶自助修改密碼的acl權限。注意：下面第二條規則 to * by self write 允許用戶改寫自身條目的任意屬性（包括 uidNumber、gidNumber、loginShell 等），客戶端以這些屬性做身份映射時存在提權風險，生產環境應只對確需自助修改的屬性開放 self write。
[root@node3 ~]# vim pw_access.ldif 
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcAccess
olcAccess: to attrs=userPassword by self write by anonymous auth by dn.base="cn=admin,dc=ldaptest,dc=com,dc=cn" write by * none
olcAccess: to * by self write by dn.base="cn=admin,dc=ldaptest,dc=com,dc=cn" write by * read

#定義修改默認的密碼hash算法。注意：LDIF 不支持行尾註釋，註釋必須單獨成行，否則註釋文字會被當作 dn 的一部分，修改不會作用到預期條目（對照下方輸出只出現一次 modifying entry，這一條很可能並未生效）；另外 {MD5} 為無鹽弱雜湊，建議沿用前文 slappasswd 生成的 {SSHA}。
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcPasswordHash
olcPasswordHash: {MD5}


[root@node3 ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f pw_access.ldif 
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={-1}frontend,cn=config"


[root@node3 ~]# vim pwreset.ldif
dn: uid=charles,ou=People,dc=ldaptest,dc=com,dc=cn
changetype: modify
replace: pwdReset
pwdReset: TRUE

[root@node3 ~]# ldapadd -x -D "cn=admin,dc=ldaptest,dc=com,dc=cn" -h 10.10.10.35 -W -f pwreset.ldif 
Enter LDAP Password: 
modifying entry "uid=charles,ou=People,dc=ldaptest,dc=com,dc=cn"

[root@node3 ~]# ldapwhoami -x -D "uid=charles,ou=People,dc=ldaptest,dc=com,dc=cn" -W -e ppolicy -v
ldap_initialize( <DEFAULT> )
Enter LDAP Password: 
ldap_bind: Success (0); Password must be changed (Password expires in 258868 seconds)
dn:uid=charles,ou=People,dc=ldaptest,dc=com,dc=cn
Result: Success (0)

在某些情況下，使用pwdReset 來讓用戶登錄時修改密碼，有時候用戶會無法成功登錄。在這種情況下，我們可以把用戶的密碼屬性shadowLastChange 的值改為0，主動使用戶的密碼過期，從而在用戶下一次登錄後觸發密碼更改機制。如：

[root@node3 ~]# vim pwExpire.ldif 

dn: uid=charles,ou=People,dc=ldaptest,dc=com,dc=cn
changetype: modify
replace: shadowLastChange
shadowLastChange: 0
[root@node3 ~]# ldapadd -x -D "cn=admin,dc=ldaptest,dc=com,dc=cn" -h 10.10.10.35 -W -f pwExpire.ldif 
Enter LDAP Password: 
modifying entry "uid=charles,ou=People,dc=ldaptest,dc=com,dc=cn"
6、在服務端配置密碼審計
[root@node3 ~]# vim add_audit.ldif 

dn: cn=module,cn=config
cn: module
objectClass: olcModuleList
olcModulePath: /usr/lib64/openldap

dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: auditlog.la 

[root@node3 ~]# vim add_auditlog_objectClass.ldif 
dn: olcOverlay=auditlog,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcAuditLogConfig
olcOverlay: auditlog
olcAuditlogFile: /var/log/slapd/auditlog.log                    #配置密碼審計記錄的日志保存路徑（LDIF 不支持行尾註釋，寫入文件時須去掉，否則路徑值會包含註釋文字；該日誌會記錄寫操作的完整內容，包括密碼屬性的值，需注意限制文件權限）

[root@node3 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f add_audit.ldif
[root@node3 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f add_auditlog_objectClass.ldif
[root@node3 ~]# mkdir /var/log/slapd
[root@node3 ~]# touch /var/log/slapd/auditlog.log
[root@node3 ~]# chown -R ldap.ldap /var/log/slapd/auditlog.log
[root@node3 ~]# systemctl restart slapd
[root@node3 ~]# systemctl restart rsyslog

配置完成後，用戶修改密碼的記錄均會記錄到指定的路徑下。

©著作權歸作者所有，轉載或內容合作請聯系作者