我们上一篇文章介绍了Centos7+open***使用本地用户和密码验证登陆的配置,今天我们介绍Centos7+Open***使用Windows AD验证登陆,具体就不多介绍了,今天还是使用的是上一节安装的配置环境,对于今天的环境介绍,我们只是简单的修改即可

我们要使用Centos7+Open***使用Windows AD验证登陆,所以需要准备一台windows AD,其实说到windows AD,对于很多企业都在使用,看网上的很多文档都是使用的是openldap在做验证,但是对于大企业及一般企业来说,环境内都会有windows AD环境,所以跟windows AD集成起来相对还是比较方便管理用户的,具体见下:

环境介绍:

Hostname:DC

IP:192.168.5.10

Role:AD、DNS、CA

DomainName:ixmsoft.com

Hostname:OPen***

IP:192.168.5.20

Role:Open***

Hostname:Client

IP:192.168.5.23

Role:open*** client

以下为我的AD配置信息

我们新建了一个OU:IXMSOFTLDAP,然后在这个OU下我们创建了一些测试用户和使用OPen***来验证的usergroup,我们后面会将用户a、zs添加到这个组里面,只要是这个组的用户都可以使用open***

p_w_picpath

p_w_picpath

接下来就是准备open***使用LDAP验证的配置介绍了;

使用open***服务跟LDAP验证的话, 我们需要安装一个ldap插件----open***-auth-ldap

因为我们上一篇中介绍了,centos7安装一些服务使用yum安装的话,需要指定源,所以我们只是确认一下

[root@open*** open***]# cat /etc/yum.repos.d/epel.repo
[epel]    
name=aliyun epel    
# NOTE(review): baseurl and its value are shown on two lines here, which looks
# like a rendering artefact of the page; in the real file they must be one line.
baseurl=
http://mirrors.aliyun.com/epel/7Server/x86_64/
    
# gpgcheck=0 turns off RPM signature verification, so the open***-auth-ldap
# package installed from this mirror is trusted on the mirror alone.
# Prefer gpgcheck=1 together with a gpgkey= entry for the EPEL signing key.
gpgcheck=0

[root@open*** open***]#    

p_w_picpath

有了源后,我们就开始安装ldap插件

yum install open***-auth-ldap -y

Image

安装完成

Image

然后我们进入ldap的配置目录

cd /etc/open***/auth/

Image

vim ldap.conf

查看默认的配置文件内容

<LDAP>
# LDAP server URL
URLldap://ldap1.example.org
# Bind DN (If your LDAP server doesn't support anonymous binds)
# BindDNuid=Manager,ou=People,dc=example,dc=com
# Bind Password
# PasswordSecretPassword
# Network timeout (in seconds)
Timeout15
# Enable Start TLS
TLSEnableyes
# Follow LDAP Referrals (anonymously)
FollowReferrals yes
# TLS CA Certificate File
TLSCACertFile/usr/local/etc/ssl/ca.pem
# TLS CA Certificate Directory
TLSCACertDir/etc/ssl/certs
# Client Certificate and key
# If TLS client authentication is required
TLSCertFile/usr/local/etc/ssl/client-cert.pem
TLSKeyFile/usr/local/etc/ssl/client-key.pem
# Cipher Suite
# The defaults are usually fine here
# TLSCipherSuiteALL:!ADH:@STRENGTH
</LDAP>
<Authorization>
# Base DN
BaseDN"ou=People,dc=example,dc=com"
# User Search Filter
SearchFilter"(&(uid=%u)(accountStatus=active))"
# Require Group Membership
RequireGroupfalse
# Add non-group members to a PF table (disabled)
#PFTableips_***_users
<Group>
BaseDN"ou=Groups,dc=example,dc=com"
SearchFilter"(|(cn=developers)(cn=artists))"
MemberAttributeuniqueMember
# Add group members to a PF table (disabled)
#PFTableips_***_eng
</Group>
</Authorization>

Image

Image

我们同样备份一份,为了安全考虑,建议大家都备份一下

cp ldap.conf  ldap.conf.bak

Image

开始修改配置,清空内容进行编辑

echo > ldap.conf

然后粘贴以下内容

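<LDAP>
    # LDAP server URL
    # Changed to the AD server's IP. Plain ldap:// (port 389) is used here together
    # with "TLSEnable no" below, so the bind password and every VPN user's password
    # travel to 192.168.5.10 in clear text. The DC also holds the CA role, so
    # ldaps://192.168.5.10, or "TLSEnable yes" with the DC's CA in TLSCACertFile,
    # is the obvious hardening step — confirm the DC serves LDAPS/StartTLS first.
    URL     ldap://192.168.5.10
    # Bind DN (If your LDAP server doesn't support anonymous binds)
    # BindDN        uid=Manager,ou=People,dc=example,dc=com
    # Changed to the DN of the bind account. It can be looked up with ldapsearch:
    # -h is the server IP, -D the bind DN, -b the search base, "*" all attributes.
    #ldapsearch -LLL -x -h 172.16.76.238 -D "administrator@xx.com" -W -b "dc=xx,dc=com" "*"
    # Binding as the domain Administrator gives this file far more rights than
    # the plugin needs (it only searches and compares). A dedicated read-only
    # service account is preferable; whichever account is used, keep this file
    # readable by root only, because the password below is stored in clear text.
    BindDN      "CN=Administrator,CN=Users,DC=ixmsoft,DC=com"
    # Bind Password
    # Password  SecretPassword
    # Domain administrator password (clear text — see the note above BindDN).
    Password    123
    # Network timeout (in seconds)
    Timeout     15
    # Enable Start TLS
    # Disabled, which is what leaves the traffic to the DC unencrypted (see URL).
    # Enabling it needs the DC's CA certificate in TLSCACertFile below.
    TLSEnable   no
    # Follow LDAP Referrals (anonymously)
    #FollowReferrals yes
    # TLS CA Certificate File
    #TLSCACertFile  ca.crt
    # TLS CA Certificate Directory
    #TLSCACertDir   /etc/ssl/certs
    # Client Certificate and key
    # If TLS client authentication is required
    #TLSCertFile    /usr/local/etc/ssl/client-cert.pem
    #TLSKeyFile /usr/local/etc/ssl/client-key.pem
    # Cipher Suite
    # The defaults are usually fine here
    # TLSCipherSuite    ALL:!ADH:@STRENGTH
</LDAP>
<Authorization>
    # Base DN
    # Search base for the user lookup; only accounts under this OU can match.
    BaseDN      "OU=IXMSOFTLDAP,DC=ixmsoft,DC=com"
    # User Search Filter
    #SearchFilter   "(&(uid=%u)(accountStatus=active))"
    # sAMAccountName=%u matches the AD logon name against the username sent by
    # the VPN client; the memberof clause in the commented filter below would pin
    # the match to the VPN user group, so any user added to that group may log in.
    # NOTE(review): that commented filter is missing the closing ")" of the outer
    # "(&" and needs it added before it is ever enabled.
    #SearchFilter    "(&(sAMAccountName=%u)(memberof=CN=my***,OU=IXMSOFTLDAP,DC=ixmsoft,DC=com)"
    SearchFilter    "(&(sAMAccountName=%u))"
    # Require Group Membership
    # Changed from false to true. With false, group membership is not required
    # (non-group members still authenticate — cf. the PFTable comment below), so
    # every account under OU=IXMSOFTLDAP, not just my*** members, could log in.
    # With true the user must also appear in the group matched by the <Group>
    # block. Re-test with one member (zs) and one non-member after restarting.
    RequireGroup    true
    # Add non-group members to a PF table (disabled)
    #PFTable    ips_***_users
    <Group>
        #BaseDN     "ou=Groups,dc=example,dc=com"
        #SearchFilter   "(|(cn=developers)(cn=artists))"
        #MemberAttribute    uniqueMember
        # Add group members to a PF table (disabled)
        #PFTable    ips_***_eng
        # Group lookup: the group object is searched under this base with the
        # filter below; AD stores full member DNs in its "member" attribute.
        BaseDN      "OU=IXMSOFTLDAP,DC=ixmsoft,DC=com"
        SearchFilter    "(|(cn=my***))"
        MemberAttribute     "member"
    </Group>
</Authorization>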

保存退出后,我们还需要修改open***的配置文件。

默认的配置文件

cat /etc/open***/server.conf
port 1194   #监听端口
proto tcp   #监听协议
dev tun     #采用隧道
ca ca.crt   #ca证书路劲
cert server.crt    #服务器证书路劲
key server.key  #服务器秘钥
dh dh2048.pem    #秘钥交换协议文件
server 10.10.10.0 255.255.255.0   #给客户端分配的地址,注意:不能和***服务器的内部地址相同
ifconfig-pool-persist ipp.txt    #访问记录
push "route 192.168.5.0 255.255.255.0"    #允许客户端访问的地址网段
#push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 223.5.5.5"   #DHCP分配的DNS
push "dhcp-option DNS 223.6.6.6"
keepalive 10 120   #活动时间,10秒ping一次,120秒如果未收到响应视为断线
#cipher AES-256-CBC
max-clients 100   #允许最大连接数
#user nobody     #用户
#group nobody    #用户组
persist-key
persist-tun
status open***-status.log
log         open***.log
verb 5

我们需要在原有的默认配置文件上添加以下三个参数:

plugin /usr/lib64/open***/plugin/lib/open***-auth-ldap.so  "/etc/open***/auth/ldap.conf cn=%u"
client-cert-not-required
username-as-common-name

添加后的结果为:

# OpenVPN server configuration with AD/LDAP password authentication. The three
# directives at the bottom are what this page adds; everything above them is the
# previous local-auth configuration.
port 1194   # listening port
proto tcp   # listening protocol
dev tun     # routed (tun) tunnel
ca ca.crt   # CA certificate path
cert server.crt    # server certificate path
key server.key  # server private key
dh dh2048.pem    # Diffie-Hellman parameters for the key exchange
server 10.10.10.0 255.255.255.0   # address pool handed to clients; must not overlap the server's internal network
ifconfig-pool-persist ipp.txt    # client-to-IP assignments kept across restarts (not an access log, as the original comment suggested)
push "route 192.168.5.0 255.255.255.0"    # network that clients may reach through the tunnel
#push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 223.5.5.5"   # DNS servers pushed to clients (public resolvers; resolving
push "dhcp-option DNS 223.6.6.6"   # ixmsoft.com names would need the DC's DNS at 192.168.5.10 — confirm)
keepalive 10 120   # ping every 10 s; consider the peer down after 120 s without a reply
# Left commented, so the build's default data-channel cipher applies. Older
# OpenVPN releases default to BF-CBC, which is weak; pinning an AES cipher here
# is advisable once the clients are known to support it.
#cipher AES-256-CBC
max-clients 100   # maximum concurrent clients
# Privilege drop is disabled, so the daemon keeps root for its whole lifetime.
# persist-key / persist-tun below exist precisely so that "user nobody" and
# "group nobody" can be enabled without breaking restarts and renegotiation.
#user nobody     # run as this user after initialisation
#group nobody    # run as this group after initialisation
persist-key
persist-tun
status open***-status.log
log         open***.log
verb 5
# AD authentication: the plugin is given the path of the LDAP configuration;
# "cn=%u" is the plugin's second argument as shown on the page.
plugin /usr/lib64/open***/plugin/lib/open***-auth-ldap.so  "/etc/open***/auth/ldap.conf cn=%u"
# No client certificate is required, so the AD password is the only factor and
# ca.crt no longer authenticates clients. Newer OpenVPN releases spell this
# "verify-client-cert none"; keeping client certificates (dropping this line)
# retains a second factor.
client-cert-not-required
# The authenticated username stands in for the certificate CN in logs, the
# status file and ccd lookups, since there is no client certificate to supply one.
username-as-common-name

p_w_picpath

修改后,我们需要重启open***服务

systemctl restart open***@server

重启服务后,我们就可以测试了,客户端的配置我们不用修改,因为上一节文章中我们已经添加了一个默认的参数,然后使用的是本地账户登陆验证

auth-user-pass

以下为client端的默认配置

此时我们需要的是ca证书,其他证书都不需要了;

我们可以将ca的证书内容粘贴到ca配置选项中,如果用户多的话,只需要将这个配置文件client.o***替换即可。

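# OpenVPN client profile (client.o***) for username/password login against AD.
# Only the CA certificate is needed; the client cert/key lines stay commented
# because the server is configured with client-cert-not-required.
client
dev tun
proto tcp
# Fixed: the directive is "remote" (the page had "reomote", which OpenVPN does
# not accept as a directive).
remote 192.168.5.20 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# CA used to verify the server certificate. With no client certificate this
# check is what binds the session to the real server, so adding
# "remote-cert-tls server" is worth considering — confirm first that the
# server certificate carries the server EKU/nsCertType.
ca ca.crt
# cert client.crt
#key client.key
verb 5
# Prompt for the AD username and password.
auth-user-pass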

p_w_picpath

接下来我们就可以尝试使用AD用户进行登录了

因为我们的配置是从OU=IXMSOFTLDAP下的my***用户组中获取用户,所以只要是my***组内的用户都是可以登陆的,

p_w_picpath

所以我们使用zs用户验证登陆

p_w_picpath

p_w_picpath

登陆成功

p_w_picpath

查看IP地址状态及open***连接状态

p_w_picpath

然后我们查看open***的log,我们通过log查看也是登陆完成的。

tail -f /etc/open***/open***.log

p_w_picpath

如果使用一个不在my***组内的用户--ls验证登陆会怎么样呢


p_w_picpath

这样ls用户会一直验证失败,提示账户或密码错误。

然后我们查看log,会发现提示ls这个用户没有发现

p_w_picpath

注意:如果在使用Linux集成LDAP的时候,提示联系不到LDAP的话,我们可以先使用以下方法进行测试

yum install -y openldap-clients

wKiom1hjxOTztLmlAACL0XzsFvA656.png-wh_50

安装完成后,我们可以使用

ldapsearch 参数进行测试
-b 指定搜索范围
-D验证用户
ldapsearch -x -W -D "cn=administrator,cn=users,dc=ixmsoft,dc=com" -b "dc=ixmsoft,dc=com" -h 192.168.5.10 -s one dn -LLL
ldapsearch -x -W -D "cn=administrator,cn=users,dc=ixmsoft,dc=com" -b "dc=ixmsoft,dc=com" -h 192.168.5.10 
ldapsearch -x -W -D "cn=administrator,cn=users,dc=ixmsoft,dc=com" -b "ou=ixmsoftldap,dc=ixmsoft,dc=com" -h 192.168.5.10

执行后会提示输入域administrator账户的密码进行连接验证

wKiom1hjxXCiYKLAAAAxbgg-P3E068.jpg-wh_50

输入密码后,会查询结果

ldapsearch -x -W -D "cn=administrator,cn=users,dc=ixmsoft,dc=com" -b "ou=ixmsoftldap,dc=ixmsoft,dc=com" -h 192.168.5.10
[root@open*** ~]# ldapsearch -x -W -D "cn=administrator,cn=users,dc=ixmsoft,dc=com" -b "ou=ixmsoftldap,dc=ixmsoft,dc=com" -h 192.168.5.10
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <ou=ixmsoftldap,dc=ixmsoft,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# IXMSOFTLDAP, ixmsoft.com
dn: OU=IXMSOFTLDAP,DC=ixmsoft,DC=com
objectClass: top
objectClass: organizationalUnit
ou: IXMSOFTLDAP
distinguishedName: OU=IXMSOFTLDAP,DC=ixmsoft,DC=com
instanceType: 4
whenCreated: 20161031132324.0Z
whenChanged: 20161228073308.0Z
uSNCreated: 12814
uSNChanged: 84683
name: IXMSOFTLDAP
objectGUID:: cMItf70U20qyaLdCfU+LoA==
objectCategory: CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=ixmsoft,D
 C=com
dSCorePropagationData: 20161211135427.0Z
dSCorePropagationData: 20161211135426.0Z
dSCorePropagationData: 20161031132324.0Z
dSCorePropagationData: 20161031132324.0Z
dSCorePropagationData: 16010101000416.0Z
# gavin, IXMSOFTLDAP, ixmsoft.com
dn: CN=gavin,OU=IXMSOFTLDAP,DC=ixmsoft,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: gavin
distinguishedName: CN=gavin,OU=IXMSOFTLDAP,DC=ixmsoft,DC=com
instanceType: 4
whenCreated: 20161031132636.0Z
whenChanged: 20161213064218.0Z
displayName: gavin
uSNCreated: 12834
memberOf: CN=Domain Admins,CN=Users,DC=ixmsoft,DC=com
memberOf: CN=Enterprise Admins,CN=Users,DC=ixmsoft,DC=com
memberOf: CN=Schema Admins,CN=Users,DC=ixmsoft,DC=com
uSNChanged: 83107
name: gavin
objectGUID:: EoJ2j0/CEEahljdqlm3M8Q==
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 131223940286681367
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAF+vK5x9VEfOcmw/wTwQAAA==
adminCount: 1
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: gavin
sAMAccountType: 805306368
userPrincipalName: gavin@ixmsoft.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ixmsoft,DC=com
dSCorePropagationData: 20161211140944.0Z
dSCorePropagationData: 20161211135426.0Z
dSCorePropagationData: 20161031140559.0Z
dSCorePropagationData: 16010101000000.0Z
# a, IXMSOFTLDAP, ixmsoft.com
dn: CN=a,OU=IXMSOFTLDAP,DC=ixmsoft,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: a
distinguishedName: CN=a,OU=IXMSOFTLDAP,DC=ixmsoft,DC=com
instanceType: 4
whenCreated: 20161211150724.0Z
whenChanged: 20161228041930.0Z
displayName: a
uSNCreated: 76250
memberOf: CN=open***user,CN=Users,DC=ixmsoft,DC=com
memberOf: CN=open***,OU=***,DC=ixmsoft,DC=com
memberOf: CN=my***,OU=IXMSOFTLDAP,DC=ixmsoft,DC=com
uSNChanged: 84656
proxyAddresses: SMTP:a@ixmsoft.com
name: a
objectGUID:: UG7KmwzOpE+eCEQCIXYirg==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 131259971048958897
pwdLastSet: 131273684370053522
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAF+vK5x9VEfOcmw/weQQAAA==
accountExpires: 9223372036854775807
logonCount: 125
sAMAccountName: a
sAMAccountType: 805306368
showInAddressBook: CN=Mailboxes(VLV),CN=All System Address Lists,CN=Address Li
 sts Container,CN=ixmsoft,CN=Microsoft Exchange,CN=Services,CN=Configuration,D
 C=ixmsoft,DC=com
showInAddressBook: CN=All Mailboxes(VLV),CN=All System Address Lists,CN=Addres
 s Lists Container,CN=ixmsoft,CN=Microsoft Exchange,CN=Services,CN=Configurati
 on,DC=ixmsoft,DC=com
showInAddressBook: CN=All Recipients(VLV),CN=All System Address Lists,CN=Addre
 ss Lists Container,CN=ixmsoft,CN=Microsoft Exchange,CN=Services,CN=Configurat
 ion,DC=ixmsoft,DC=com
showInAddressBook: CN=Default Global Address List,CN=All Global Address Lists,
 CN=Address Lists Container,CN=ixmsoft,CN=Microsoft Exchange,CN=Services,CN=Co
 nfiguration,DC=ixmsoft,DC=com
showInAddressBook: CN=All Users,CN=All Address Lists,CN=Address Lists Containe
 r,CN=ixmsoft,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=ixmsoft,DC
 =com
legacyExchangeDN: /o=ixmsoft/ou=Exchange Administrative Group (FYDIBOHF23SPDLT
 )/cn=Recipients/cn=f7a926c52baa45ac83d487105a17abb5-a
userPrincipalName: a@ixmsoft.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ixmsoft,DC=com
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 131259433371916627
uid: a
mail: a@ixmsoft.com
mailNickname: a
msExchPoliciesIncluded: cfdf87af-dd7f-4a7b-85e4-e0ba077efe78
msExchPoliciesIncluded: {26491cfc-9e50-4857-861b-0cb8df22b5d7}
msExchCalendarLoggingQuota: 6291456
msExchRecipientDisplayType: 1073741824
mDBUseDefaults: TRUE
msExchTextMessagingState: 302120705
msExchTextMessagingState: 16842751
msExchArchiveQuota: 104857600
msExchMailboxGuid:: ii4VjsET5kqpVJcdHpSOhg==
homeMDB: CN=Mailbox Database 1277431463,CN=Databases,CN=Exchange Administrativ
 e Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=ixmsoft,CN=Microsoft Ex
 change,CN=Services,CN=Configuration,DC=ixmsoft,DC=com
msExchUserCulture: zh-CN
msExchRecipientTypeDetails: 1
msExchMailboxSecurityDescriptor:: AQAEgBQAAAAgAAAAAAAAACwAAAABAQAAAAAABQoAAAAB
 AQAAAAAABQoAAAAEABwAAQAAAAACFAABAAIAAQEAAAAAAAUKAAAA
msExchUserAccountControl: 0
msExchUMDtmfMap: emailAddress:2
msExchUMDtmfMap: lastNameFirstName:2
msExchUMDtmfMap: firstNameLastName:2
msExchWhenMailboxCreated: 20161211152053.0Z
msExchHomeServerName: /o=ixmsoft/ou=Exchange Administrative Group (FYDIBOHF23S
 PDLT)/cn=Configuration/cn=Servers/cn=EX01
msExchDumpsterQuota: 31457280
msExchDumpsterWarningQuota: 20971520
msExchVersion: 88218628259840
msExchRBACPolicyLink: CN=Default Role Assignment Policy,CN=Policies,CN=RBAC,CN
 =ixmsoft,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=ixmsoft,DC=com
msExchArchiveWarnQuota: 94371840
# my***, IXMSOFTLDAP, ixmsoft.com
dn: CN=my***,OU=IXMSOFTLDAP,DC=ixmsoft,DC=com
objectClass: top
objectClass: group
cn: my***
description: op***_group
member: CN=zs,OU=IXMSOFTLDAP,DC=ixmsoft,DC=com
member: CN=a,OU=IXMSOFTLDAP,DC=ixmsoft,DC=com
distinguishedName: CN=my***,OU=IXMSOFTLDAP,DC=ixmsoft,DC=com
instanceType: 4
whenCreated: 20161228013545.0Z
whenChanged: 20161228073446.0Z
uSNCreated: 84617
uSNChanged: 84692
name: my***
objectGUID:: iCieup3yF0CcvkrZ5K4owQ==
objectSid:: AQUAAAAAAAUVAAAAF+vK5x9VEfOcmw/wewQAAA==
sAMAccountName: my***
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=ixmsoft,DC=com
dSCorePropagationData: 20161228044206.0Z
dSCorePropagationData: 16010101000000.0Z
# zs, IXMSOFTLDAP, ixmsoft.com
dn: CN=zs,OU=IXMSOFTLDAP,DC=ixmsoft,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: zs
distinguishedName: CN=zs,OU=IXMSOFTLDAP,DC=ixmsoft,DC=com
instanceType: 4
whenCreated: 20161228073427.0Z
whenChanged: 20161228104050.0Z
displayName: zs
uSNCreated: 84685
memberOf: CN=my***,OU=IXMSOFTLDAP,DC=ixmsoft,DC=com
uSNChanged: 84707
name: zs
objectGUID:: aGJRtfM4BkqcoXKrRtKeFQ==
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 131273840680565017
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAF+vK5x9VEfOcmw/wfwQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: zs
sAMAccountType: 805306368
userPrincipalName: zs@ixmsoft.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ixmsoft,DC=com
dSCorePropagationData: 20161228104050.0Z
dSCorePropagationData: 16010101000000.0Z
# sqladmin, IXMSOFTLDAP, ixmsoft.com
dn: CN=sqladmin,OU=IXMSOFTLDAP,DC=ixmsoft,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: sqladmin
distinguishedName: CN=sqladmin,OU=IXMSOFTLDAP,DC=ixmsoft,DC=com
instanceType: 4
whenCreated: 20161101072712.0Z
whenChanged: 20161213064218.0Z
displayName: sqladmin
uSNCreated: 14261
uSNChanged: 83109
name: sqladmin
objectGUID:: /orLK52ZskWhDhcGqz1k5A==
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 131224606337808745
lastLogoff: 0
lastLogon: 131225414441612134
pwdLastSet: 131224588326777247
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAF+vK5x9VEfOcmw/wVQQAAA==
accountExpires: 9223372036854775807
logonCount: 48
sAMAccountName: sqladmin
sAMAccountType: 805306368
userPrincipalName: sqladmin@ixmsoft.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ixmsoft,DC=com
dSCorePropagationData: 20161211135426.0Z
dSCorePropagationData: 16010101000001.0Z
lastLogonTimestamp: 131224588677494199
# search result
search: 2
result: 0 Success
# numResponses: 7
# numEntries: 6

wKiom1hjxejQbSOcAAF5Wbg7hgA348.jpg-wh_50