OpenLDAP configuration and SSH integration

Source: Internet   Editor: 程序博客网   Time: 2024/06/11 06:22
1. Install the RPM packages openldap, openldap-clients and openldap-servers:
   [root@localhost Desktop]# rpm -qa | grep openldap
   openldap-clients-2.4.19-15.el6.i686
   openldap-devel-2.4.19-15.el6.i686
   openldap-servers-2.4.19-15.el6.i686
   openldap-2.4.19-15.el6.i686
2. Delete the slapd.d directory, so that slapd reads slapd.conf instead of the cn=config database: rm -rf slapd.d/
3. Copy the configuration file: cp slapd.conf.bak slapd.conf, then set its permissions: chmod 644 slapd.conf
4. Generate a password hash with slappasswd and paste it into slapd.conf:
   database        bdb
   suffix          "dc=example,dc=com"
   checkpoint      1024 15
   rootdn          "cn=Manager,dc=example,dc=com"
   # Cleartext passwords, especially for the rootdn, should
   # be avoided.  See slappasswd(8) and slapd.conf(5) for details.
   # Use of strong authentication encouraged.
   # rootpw        secret
   # rootpw        {crypt}ijFYNcSNctBYg
   rootpw          {SSHA}4Y08KJDfylBY2PEgG7nhbJm2ccUt17sA
5. Copy the database configuration file: cp /usr/share/doc/openldap-servers-2.4.19/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
   Change the owner of the database files: chown -R ldap:ldap /var/lib/ldap/
6. Go to /var/lib/ldap/ and create the file example.ldif (entries are separated by a blank line):
   dn: dc=example,dc=com
   objectclass: dcObject
   objectclass: organization
   o: Example Company
   dc: example

   dn: cn=Manager,dc=example,dc=com
   objectclass: organizationalRole
   cn: Manager
7. Add the entries above to the LDAP database (binding as the rootdn; -W prompts for the rootpw set in step 4): ldapadd -x -D 'cn=Manager,dc=example,dc=com' -W -f example.ldif
8. Verify that the data was added correctly: ldapsearch -x -b 'dc=example,dc=com'
   [root@localhost ldap]# ldapsearch -x -b 'dc=example,dc=com'
   # extended LDIF
   #
   # LDAPv3
   # base <dc=example,dc=com> with scope subtree
   # filter: (objectclass=*)
   # requesting: ALL
   #

   # example.com
   dn: dc=example,dc=com
   objectClass: dcObject
   objectClass: organization
   o: Example Company
   dc: example

   # Manager, example.com
   dn: cn=Manager,dc=example,dc=com
   objectClass: organizationalRole
   cn: Manager

   # search result
   search: 2
   result: 0 Success

   # numResponses: 3
   # numEntries: 2

SSH integration with LDAP authentication

1. Enable LDAP authentication: run authconfig-tui and select the following options:
   [*] Use LDAP
   [*] Use LDAP Authentication
2. Set the following item in /etc/ssh/sshd_config so that sshd authenticates accounts through PAM:
   UsePAM yes
3. Look at /etc/pam.d/sshd to find out which PAM stack it includes (password-auth in this example):
   [root@localhost pam.d]# cat sshd
   #%PAM-1.0
   auth       required     pam_sepermit.so
   auth       include      password-auth
   account    required     pam_nologin.so
   account    include      password-auth
   password   include      password-auth
   # pam_selinux.so close should be the first session rule
   session    required     pam_selinux.so close
   session    required     pam_loginuid.so
   # pam_selinux.so open should only be followed by sessions to be executed in the user context
   session    required     pam_selinux.so open env_params
   session    optional     pam_keyinit.so force revoke
   session    include      password-auth
   session    required     pam_mkhomedir.so       # add this line: the home directory is then created on the user's first SSH login to the server
4. Edit /etc/pam.d/password-auth, adding the pam_ldap.so lines marked below (note the warning at the top of the file: running authconfig again overwrites manual edits):
   [root@localhost pam.d]# cat password-auth
   #%PAM-1.0
   # This file is auto-generated.
   # User changes will be destroyed the next time authconfig is run.
   auth        required      pam_env.so
   auth        sufficient    pam_unix.so nullok try_first_pass
   auth        requisite     pam_succeed_if.so uid >= 500 quiet
   auth        sufficient    pam_ldap.so use_first_pass   # add this line
   auth        required      pam_deny.so

   account     required      pam_unix.so
   account     sufficient    pam_localuser.so
   account     sufficient    pam_succeed_if.so uid < 500 quiet
   account     sufficient    pam_ldap.so     # add this line
   account     required      pam_permit.so

   password    requisite     pam_cracklib.so try_first_pass retry=3 type=
   password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
   password    sufficient    pam_ldap.so use_authtok   # add this line
   password    required      pam_deny.so

   session     optional      pam_keyinit.so revoke
   session     required      pam_limits.so
   session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
   session     required      pam_unix.so
   session     optional      pam_ldap.so   # add this line
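As an added example (not part of the original post), the shell script below checks, offline, the two files edited on this page: slapd.conf from step 4 of the OpenLDAP section and /etc/pam.d/password-auth from step 4 of the SSH section. It verifies that the effective rootpw is a hash rather than cleartext (the comment in slapd.conf itself warns against cleartext), that slapd.conf is not world-readable (step 3 above uses chmod 644; since the file holds the rootdn password hash, a mode such as 640 with group ldap keeps slapd, which runs as the ldap user, able to read it while hiding it from other local users), and that pam_ldap.so is present in all four management groups of password-auth and, in the auth group, precedes pam_deny.so, because a line placed after pam_deny.so is never reached. The file names and sample contents are constructed for the demonstration; the functions take a path, so they can be run against the real files as well.

```shell
#!/bin/sh
# Added example, not from the original post: offline checks for slapd.conf
# (rootpw, permissions) and /etc/pam.d/password-auth (pam_ldap.so placement).

# Returns 0 when the effective rootpw is a hashed value ({SSHA}, {CRYPT}, ...),
# 1 when it is missing or stored in cleartext.
check_rootpw_hashed() {
    conf="$1"
    # Later directives win; commented-out examples ("# rootpw secret") are skipped.
    value=$(awk 'tolower($1) == "rootpw" { v = $2 } END { print v }' "$conf")
    if [ -z "$value" ]; then
        echo "$conf: no rootpw directive"; return 1
    fi
    case "$value" in
        \{SSHA\}*|\{SHA\}*|\{SMD5\}*|\{MD5\}*|\{CRYPT\}*)
            echo "$conf: rootpw is hashed"; return 0 ;;
        *)
            echo "$conf: rootpw is CLEARTEXT"; return 1 ;;
    esac
}

# Returns 0 when the file is not readable by "other" (8th column of ls -l).
check_not_world_readable() {
    other_read=$(ls -l "$1" | cut -c8)
    if [ "$other_read" = "r" ]; then
        echo "$1: world-readable"; return 1
    fi
    echo "$1: not world-readable"; return 0
}

# Returns 0 when pam_ldap.so appears in the auth, account, password and session
# groups and the auth pam_ldap.so line comes before pam_deny.so.
check_pam_ldap() {
    pam="$1"; rc=0
    for group in auth account password session; do
        if ! awk -v g="$group" '$1 == g && $3 == "pam_ldap.so" { f = 1 } END { exit !f }' "$pam"; then
            echo "$pam: $group group has no pam_ldap.so line"; rc=1
        fi
    done
    ldap_at=$(awk '$1 == "auth" && $3 == "pam_ldap.so" { print NR; exit }' "$pam")
    deny_at=$(awk '$1 == "auth" && $3 == "pam_deny.so" { print NR; exit }' "$pam")
    if [ -n "$ldap_at" ] && [ -n "$deny_at" ] && [ "$ldap_at" -gt "$deny_at" ]; then
        echo "$pam: auth pam_ldap.so comes after pam_deny.so"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "$pam: pam_ldap.so placement ok"; fi
    return "$rc"
}

# Constructed sample files; the hash and password below are placeholders.
WORK=$(mktemp -d)

cat > "$WORK/slapd-clear.conf" <<'EOF'
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
# rootpw        {SSHA}commented-out-sample-hash
rootpw          secret
EOF
chmod 644 "$WORK/slapd-clear.conf"

cat > "$WORK/slapd-hashed.conf" <<'EOF'
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
rootpw          {SSHA}SAMPLEHASHxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
EOF
chmod 640 "$WORK/slapd-hashed.conf"

# Stack with pam_ldap.so placed as in step 4 of the SSH section.
cat > "$WORK/password-auth-good" <<'EOF'
#%PAM-1.0
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
account     sufficient    pam_ldap.so
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
session     required      pam_unix.so
session     optional      pam_ldap.so
EOF

# Misordered stack: pam_ldap.so after pam_deny.so, and no session line.
cat > "$WORK/password-auth-bad" <<'EOF'
#%PAM-1.0
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
auth        sufficient    pam_ldap.so use_first_pass
account     sufficient    pam_ldap.so
password    sufficient    pam_ldap.so use_authtok
session     required      pam_unix.so
EOF

for f in "$WORK/slapd-clear.conf" "$WORK/slapd-hashed.conf"; do
    check_rootpw_hashed "$f" || true
    check_not_world_readable "$f" || true
done
for f in "$WORK/password-auth-bad" "$WORK/password-auth-good"; do
    check_pam_ldap "$f" || true
done
```

Run it as a normal user; it only reads the constructed files in a temporary directory. To audit a real host, call the functions with /etc/openldap/slapd.conf and /etc/pam.d/password-auth instead of the sample paths.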