Part 1: LDAP


1. Install LDAP

yum install -y openldap openldap-clients openldap-servers openldap-devel


2. Configure LDAP

# cat /etc/openldap/slapd.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/kerberos.schema

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

loglevel 135
idletimeout 5
writetimeout 5

access to attrs=userPassword
    by self read
    by dn.exact="cn=ops,ou=Control,dc=lishen,dc=com" write
    by anonymous auth

access to dn.subtree="cn=Kerberos,dc=lishen,dc=com"
    by dn.exact="cn=kdc-adm,ou=Control,dc=lishen,dc=com" write
    by dn.exact="cn=kdc-srv,ou=Control,dc=lishen,dc=com" read
    by * none

access to dn.base=""
    by * read

access to *
    by self write
    by dn.base="cn=ops,ou=Control,dc=lishen,dc=com" write
    by users read
    by anonymous read

#TLSCipherSuite HIGH:MEDIUM:-SSLv2
#TLSVerifyClient never
TLSCertificateFile /etc/openldap/certs/server.pem
TLSCertificateKeyFile /etc/openldap/certs/server.pem
TLSCACertificateFile /etc/openldap/certs/server.pem

#######################################################################
# BDB database definitions
#######################################################################
database hdb
suffix "dc=lishen,dc=com"
checkpoint 32 30
rootdn "cn=root,ou=Control,dc=lishen,dc=com"
rootpw {SSHA}ifM5X6pQS2eO8hODguTPmjRLFyCnVWvP
directory /var/lib/ldap/
dbconfig set_cachesize 0 268435456 1
dbconfig set_lg_regionmax 262144
dbconfig set_lg_bsize 2097152
index objectClass,entryCSN,entryUUID eq
index uid,uidNumber,gidNumber eq,pres
index ou,krbPrincipalName eq,pres,sub

Notes:

1. The hash after rootpw was generated with: slappasswd -s 123456

2. The certificate was generated with: openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout server.pem -days 36500
   A 1024-bit RSA key is too weak for anything but a lab; use at least rsa:2048. The same PEM file holds the private key and the certificate (and doubles as the CA file, because the certificate is self-signed), so it must be readable only by the user slapd runs as. Set the CN to the hostname clients will connect to, or they will reject the certificate. The ldapsearch examples below connect to 127.0.0.1 without TLS; remote clients should use ldaps:// or STARTTLS (-ZZ).

3. kerberos.schema is not part of openldap-servers. On CentOS it ships with the krb5-server-ldap package (look under /usr/share/doc/krb5-server-ldap-*/) and has to be copied into /etc/openldap/schema/ before slapd will start with this file.

4. The access directives are evaluated first-match, in order: the cn=Kerberos subtree is readable only by kdc-srv and writable only by kdc-adm, while everything else in the tree is readable anonymously. Note that "by self write" under "access to *" also lets a user rewrite its own posixAccount attributes (uidNumber, gidNumber, loginShell), which NSS/PAM clients trust; restrict that with an attrs= clause if users are allowed to bind directly.



3. Start the slapd service

service slapd restart

4. Test: the database is still empty

slapcat

ldapsearch -x -D 'cn=root,ou=Control,dc=lishen,dc=com' -w 123456 -h 127.0.0.1 -b 'dc=lishen,dc=com'

(-w puts the bind password on the command line, where it is visible in ps output and shell history; -W prompts for it instead. The same applies to every ldapsearch/ldapadd/ldapmodify call below.)

5. Initialize the database

Prepare the LDIF file:

# cat init.ldif
dn: dc=lishen,dc=com
dc: lishen
objectClass: domain
objectClass: dcObject

dn: ou=Group,dc=lishen,dc=com
ou: Group
objectClass: organizationalUnit

dn: ou=Aliases,dc=lishen,dc=com
ou: Aliases
objectClass: organizationalUnit

dn: ou=People,dc=lishen,dc=com
ou: People
objectClass: organizationalUnit

dn: cn=Kerberos,dc=lishen,dc=com
cn: Kerberos
objectClass: organizationalRole

dn: ou=Control,dc=lishen,dc=com
ou: Control
objectClass: organizationalUnit

dn: cn=kdc-srv,ou=Control,dc=lishen,dc=com
cn: kdc-srv
userPassword:: e1NTSEF9cUNhclpCYXN1SWhGRExkQ1o4bUxTbkMyZXg3bXQ2UTMK
objectClass: simpleSecurityObject
objectClass: organizationalRole

dn: cn=kdc-adm,ou=Control,dc=lishen,dc=com
cn: kdc-adm
userPassword:: e1NTSEF9cUNhclpCYXN1SWhGRExkQ1o4bUxTbkMyZXg3bXQ2UTMK
objectClass: simpleSecurityObject
objectClass: organizationalRole

dn: cn=root,ou=Control,dc=lishen,dc=com
cn: root
userPassword:: e1NTSEF9cUNhclpCYXN1SWhGRExkQ1o4bUxTbkMyZXg3bXQ2UTMK
objectClass: simpleSecurityObject
objectClass: organizationalRole

dn: cn=demo_users,ou=Group,dc=lishen,dc=com
cn: demo_users
gidNumber: 20000
objectClass: posixGroup

dn: uid=test,ou=People,dc=lishen,dc=com
uid: test
uidNumber: 10000
gidNumber: 20000
sn: Test
cn: Test User
loginShell: /bin/bash
homeDirectory: /home/users/test
objectClass: person
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson

Note: the userPassword values in the file were generated with: slappasswd -s 123456 | base64

The double colon ("userPassword::") tells ldapadd that the value is base64-encoded. Because slappasswd prints a trailing newline and the pipe keeps it, the decoded value ends in "\n" (the "Cg" at the end of each base64 string). OpenLDAP's base64 decoder skips whitespace, so the binds still work, but it is cleaner to generate the value with slappasswd -n -s 123456 | base64, or simply to write the {SSHA} string after a single colon, since it is plain ASCII and needs no base64 at all. All three Control accounts and the rootdn share the password 123456 here; that is acceptable for a lab and nothing else.

Import the data: ldapadd -x -D 'cn=root,ou=Control,dc=lishen,dc=com' -w 123456 -h 127.0.0.1 -f init.ldif

Verify that the import succeeded: ldapsearch -x -D 'cn=root,ou=Control,dc=lishen,dc=com' -w 123456 -h 127.0.0.1 -b 'dc=lishen,dc=com'


6. Remove the rootdn password from the config file, since the rootdn entry in the LDIF now carries its own password

Comment out the rootpw line in slapd.conf. Without rootpw, slapd authenticates a bind as the rootdn against the userPassword of the cn=root,ou=Control,dc=lishen,dc=com entry in the directory, which is why init.ldif creates that entry; it also keeps one copy of the hash out of slapd.conf. Note that binds as the rootdn bypass every access directive above, so this account should be used only for administration, never by applications.

Restart slapd: service slapd restart

Check that the password still works: ldapsearch -x -D 'cn=root,ou=Control,dc=lishen,dc=com' -w 123456 -h 127.0.0.1 -b 'dc=lishen,dc=com'


7. To use LDAP as the authentication source, all that is needed is a userPassword attribute on the user entry (uid=test)

Prepare the LDIF file:

# cat add.ldif
dn: uid=test,ou=People,dc=lishen,dc=com
changetype: modify
add: userPassword
userPassword:: e1NTSEF9Ym0rZXloV1ExalB1aWNEVU1BaHlNM0hZVHh3REIrWU4K

Apply it: ldapmodify -x -D 'cn=root,ou=Control,dc=lishen,dc=com' -w 123456 -h 127.0.0.1 -f add.ldif

Then test a bind as the user itself rather than as the rootdn (for example ldapwhoami -x -D 'uid=test,ou=People,dc=lishen,dc=com' -W -h 127.0.0.1), because that is the path that exercises the "by anonymous auth" rule on userPassword.


To change a password, the LDIF looks like this:

# cat /tmp/change.ldif
dn: cn=kdc-adm,ou=Control,dc=lishen,dc=com
changetype: modify
replace: userPassword
userPassword:: e1NTSEF9aGc5OGh0OGVlbiszaGk3OFhkRVlWc0MzNWJ2SWRCcG8K

dn: cn=kdc-srv,ou=Control,dc=lishen,dc=com
changetype: modify
replace: userPassword
userPassword:: e1NTSEF9aGc5OGh0OGVlbiszaGk3OFhkRVlWc0MzNWJ2SWRCcG8K

Apply it: ldapmodify -x -D 'cn=root,ou=Control,dc=lishen,dc=com' -w 123456 -h 127.0.0.1 -f change.ldif

Two details matter here. The original file used the suffix dc=demo,dc=local, left over from another setup; in this directory the entries live under dc=lishen,dc=com, and the modify would fail with "No such object". And the value is base64, so it needs the double colon: with a single colon slapd stores the literal base64 text as a cleartext password and binds with the real password stop working. Changing the password of cn=kdc-srv or cn=kdc-adm also means re-running the stashsrvpw step in Part 2, because the KDC reads those passwords from /etc/krb5.ldap, not from the directory.
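As an added example (not code from this page or from OpenLDAP), the following Python reproduces what slappasswd and the LDIF files in steps 5 and 7 do: it builds {SSHA} userPassword values, verifies a password against one the way slapd does on bind (including tolerating the trailing newline left by the "| base64" pipe), decides between "attr: value" and "attr:: base64" as RFC 2849 requires, and decodes the value copied from init.ldif to show what slapd actually stores. PAGE_B64 is that value from the page; the fixed salt in the usage section exists only to make the demo reproducible.

```python
# Added example; not code from this page or from OpenLDAP. It reproduces what
# slappasswd and the LDIF files above do: builds {SSHA} userPassword values,
# verifies a password against one, and writes the attribute line with ':' or
# '::' (base64) as RFC 2849 requires. Only the standard library is used.
import base64
import hashlib
import hmac
import os

# Copied from the page's init.ldif (output of: slappasswd -s 123456 | base64).
PAGE_B64 = "e1NTSEF9cUNhclpCYXN1SWhGRExkQ1o4bUxTbkMyZXg3bXQ2UTMK"


def ssha_hash(password: str, salt: bytes = None) -> str:
    """{SSHA} = base64(SHA1(password + salt) + salt); slappasswd's default scheme."""
    if salt is None:
        salt = os.urandom(4)  # assumption: 4 random salt bytes, like slappasswd
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a password against a {SSHA} value the way slapd does on bind."""
    if not stored.startswith("{SSHA}"):
        return False
    # slapd's base64 decoder skips whitespace, which is why the page's values
    # (which end in a newline) still work; mirror that here.
    raw = base64.b64decode("".join(stored[len("{SSHA}"):].split()))
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, rest is salt
    calc = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(calc, digest)


def ldif_attr(name: str, value: str) -> str:
    """One LDIF line; '::' + base64 only when the value is not a SAFE-STRING."""
    safe = (value.isascii() and value.isprintable()
            and not value.startswith((" ", ":", "<")))
    if safe:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def password_modify_ldif(dn: str, hashed: str, op: str = "replace") -> str:
    """A changetype: modify record like add.ldif (op='add') or change.ldif."""
    return "\n".join([f"dn: {dn}", "changetype: modify",
                      f"{op}: userPassword", ldif_attr("userPassword", hashed), ""])


def inspect_page_value(b64: str = PAGE_B64) -> dict:
    """Decode a 'userPassword::' value and report what slapd will store."""
    stored = base64.b64decode(b64).decode("ascii")
    payload = base64.b64decode(stored.strip()[len("{SSHA}"):])
    return {
        "scheme": stored[:6],
        "trailing_newline": stored.endswith("\n"),  # kept by the '| base64' pipe
        "salt_bytes": len(payload) - 20,            # digest is 20 bytes
    }


if __name__ == "__main__":
    h = ssha_hash("123456", salt=b"\x00\x01\x02\x03")  # fixed salt: reproducible demo
    print(password_modify_ldif("uid=test,ou=People,dc=lishen,dc=com", h, op="add"))
    print(inspect_page_value())
```

Because the {SSHA} string is plain ASCII, ldif_attr emits it after a single colon; the double-colon form is only needed when a value contains a newline or other unsafe bytes, which is exactly what the piped slappasswd output contains.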



Part 2: Kerberos


1. Install Kerberos

yum install krb5-server krb5-libs

The LDAP backend (the kldap database module and the kdb5_ldap_util tool used below) is packaged separately on CentOS as krb5-server-ldap; install it as well, or db_library = kldap cannot be used.

2. Configure Kerberos

# cat /etc/krb5.conf
[libdefaults]
debug = false
default_realm = LISHEN.COM

[realms]
LISHEN.COM = {
    kdc = 127.0.0.1
    admin_server = 127.0.0.1
    default_domain = lishen.com
    database_module = openldap_ldapconf
    key_stash_file = /etc/krb5.LISHEN.COM
    max_life = 1d 0h 0m 0s
    max_renewable_life = 90d 0h 0m 0s
    dict_file = /usr/share/dict/words
}

[domain_realm]
.lishen.com = LISHEN.COM
lishen.com = LISHEN.COM

[logging]
default = SYSLOG
admin_server = FILE:/var/log/kadmind.log
kdc = FILE:/var/log/kdc.log

[dbdefaults]
ldap_kerberos_container_dn = cn=Kerberos,dc=lishen,dc=com

[dbmodules]
openldap_ldapconf = {
    db_library = kldap
    ldap_servers = ldapi://
    ldap_kerberos_container_dn = cn=Kerberos,dc=lishen,dc=com
    ldap_kdc_dn = cn=kdc-srv,ou=Control,dc=lishen,dc=com
    ldap_kadmind_dn = cn=kdc-adm,ou=Control,dc=lishen,dc=com
    ldap_service_password_file = /etc/krb5.ldap
    ldap_conns_per_server = 5
}

Notes:

1. ldap_kerberos_container_dn must start with "cn".

2. The KDC binds to slapd as ldap_kdc_dn, which the slapd ACL in Part 1 grants read on the cn=Kerberos subtree, and kadmind binds as ldap_kadmind_dn, which is granted write there. Both use the simple-bind passwords stashed in ldap_service_password_file. ldap_servers = ldapi:// uses the local Unix socket, so nothing crosses the network, but slapd must be listening on it (check SLAPD_LDAPI in /etc/sysconfig/ldap on CentOS 6). Principal keys are stored in the directory under cn=Kerberos (krbPrincipalKey), encrypted with the realm master key, so the ACL on that subtree, the master key stash and the permissions on /etc/krb5.ldap together decide who can get at them.
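To see what those two DNs, and the other identities on this page, are actually allowed to do under the slapd.conf access directives from Part 1, here is an added example (not code from this page, from OpenLDAP or from MIT krb5): a small model of slapd's first-match ACL evaluation, covering only the access/by syntax this configuration uses, run against the directives copied verbatim from the page. It assumes the principal DN that kadmin.local creates (the one shown by slapcat further down) and treats a request that matches no clause as denied; both assumptions are marked in the code.

```python
# Added example; not code from this page, OpenLDAP or MIT krb5. It models slapd's
# first-match ACL evaluation (slapd.access(5)) for the access/by syntax used in the
# slapd.conf of Part 1 and asks what the DNs in krb5.conf's [dbmodules] may do.
from typing import Optional

LEVELS = ["none", "auth", "compare", "search", "read", "write"]  # slapd's order

ACL = """access to attrs=userPassword
    by self read
    by dn.exact="cn=ops,ou=Control,dc=lishen,dc=com" write
    by anonymous auth
access to dn.subtree="cn=Kerberos,dc=lishen,dc=com"
    by dn.exact="cn=kdc-adm,ou=Control,dc=lishen,dc=com" write
    by dn.exact="cn=kdc-srv,ou=Control,dc=lishen,dc=com" read
    by * none
access to dn.base=""
    by * read
access to *
    by self write
    by dn.base="cn=ops,ou=Control,dc=lishen,dc=com" write
    by users read
    by anonymous read"""  # the four access directives copied from the page's slapd.conf

ROOTDN = "cn=root,ou=Control,dc=lishen,dc=com"        # slapd.conf rootdn
KDC_DN = "cn=kdc-srv,ou=Control,dc=lishen,dc=com"     # krb5.conf ldap_kdc_dn
KADMIN_DN = "cn=kdc-adm,ou=Control,dc=lishen,dc=com"  # krb5.conf ldap_kadmind_dn
USER_DN = "uid=test,ou=People,dc=lishen,dc=com"
# Assumption: the principal entry kadmin.local creates, per the slapcat output.
PRINCIPAL_DN = "krbPrincipalName=test@LISHEN.COM,cn=LISHEN.COM,cn=Kerberos,dc=lishen,dc=com"


def normalize(dn: str) -> str:
    """Case-fold and strip spaces so DN comparisons behave like slapd's."""
    return ",".join(p.strip().lower() for p in dn.split(","))


def parse_acl(text: str) -> list:
    """Each rule is [what_dn, what_attrs, by]; None means any entry / any attribute."""
    rules = []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("access to"):
            rule = [None, None, []]
            for tok in line[len("access to"):].split():
                if tok.startswith("attrs="):
                    rule[1] = {a.lower() for a in tok[6:].split(",")}
                elif tok.startswith("dn."):
                    style, dn = tok[3:].split("=", 1)
                    rule[0] = (style, normalize(dn.strip('"')))
            rules.append(rule)
        elif line.startswith("by "):
            _, who, level = line.split(None, 2)
            dn = ""
            if who.startswith("dn."):
                who, dn = who.split("=", 1)
                dn = normalize(dn.strip('"'))
            rules[-1][2].append((who, dn, level.split()[0]))
    return rules


def _what_matches(what_dn, what_attrs, entry_dn: str, attr: str) -> bool:
    if what_dn is not None:
        style, target = what_dn
        entry = normalize(entry_dn)
        in_scope = entry == target or (style == "subtree" and entry.endswith("," + target))
        if not in_scope:
            return False
    return what_attrs is None or attr.lower() in what_attrs


def _who_matches(who: str, dn: str, bound_dn: Optional[str], entry_dn: str) -> bool:
    if who == "*":
        return True
    if who == "anonymous":
        return bound_dn is None
    if bound_dn is None:  # users, self and dn.* all need an authenticated bind
        return False
    if who == "users":
        return True
    if who == "self":
        return normalize(bound_dn) == normalize(entry_dn)
    return who in ("dn.exact", "dn.base") and normalize(bound_dn) == dn


def access(rules: list, bound_dn: Optional[str], entry_dn: str, attr: str) -> str:
    """Level granted to bound_dn (None = anonymous) on attr of entry_dn."""
    if bound_dn is not None and normalize(bound_dn) == normalize(ROOTDN):
        return "write"  # the rootdn is never subject to access directives
    for what_dn, what_attrs, by in rules:
        if not _what_matches(what_dn, what_attrs, entry_dn, attr):
            continue
        for who, dn, level in by:  # the first matching <who> clause decides
            if _who_matches(who, dn, bound_dn, entry_dn):
                return level
        return "none"  # every clause ends with an implicit "by * none"
    return "none"  # assumption: deny when nothing matched (unreachable with "access to *")


def allows(rules: list, bound_dn: Optional[str], entry_dn: str, attr: str, needed: str) -> bool:
    return LEVELS.index(access(rules, bound_dn, entry_dn, attr)) >= LEVELS.index(needed)


def acl_findings() -> dict:
    """What each identity on the page may do; True means the access is granted."""
    r = parse_acl(ACL)
    return {
        "kdc_reads_principal_keys": allows(r, KDC_DN, PRINCIPAL_DN, "krbPrincipalKey", "read"),
        "kdc_writes_principal_keys": allows(r, KDC_DN, PRINCIPAL_DN, "krbPrincipalKey", "write"),
        "kadmind_writes_principal_keys": allows(r, KADMIN_DN, PRINCIPAL_DN, "krbPrincipalKey", "write"),
        "anonymous_reads_principals": allows(r, None, PRINCIPAL_DN, "krbPrincipalName", "read"),
        "anonymous_can_bind_as_user": access(r, None, USER_DN, "userPassword") == "auth",
        "anonymous_reads_posix_attrs": allows(r, None, USER_DN, "uidNumber", "read"),
        "user_writes_own_uidNumber": allows(r, USER_DN, USER_DN, "uidNumber", "write"),
        "kadmind_writes_people_entry": allows(r, KADMIN_DN, USER_DN, "krbPrincipalName", "write"),
        "rootdn_bypasses_acl": access(r, ROOTDN, PRINCIPAL_DN, "krbPrincipalKey") == "write",
    }


if __name__ == "__main__":
    print(*(f"{k}: {'granted' if v else 'denied'}" for k, v in acl_findings().items()), sep="\n")
```

The findings are what the configuration intends for the KDC (read-only on keys), kadmind (write on keys) and anonymous clients (no view of principals, but read on POSIX attributes and a bind path through "auth" on userPassword). Two of them are worth a second look: a user can write its own uidNumber because "by self write" sits under "access to *", and kadmind has no write access under ou=People, so it cannot attach Kerberos attributes to existing user entries.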


3. Create the service password file the KDC uses to bind to LDAP

kdb5_ldap_util -D cn=root,ou=Control,dc=lishen,dc=com -w 123456 stashsrvpw -f /etc/krb5.ldap cn=kdc-srv,ou=Control,dc=lishen,dc=com

kdb5_ldap_util -D cn=root,ou=Control,dc=lishen,dc=com -w 123456 stashsrvpw -f /etc/krb5.ldap cn=kdc-adm,ou=Control,dc=lishen,dc=com

Each command prompts for the LDAP password of the named DN (123456 in this setup) and stores it in /etc/krb5.ldap hex-encoded, not encrypted, so the file must be owned by root with mode 0600. Anyone who can read it can bind as kdc-adm and rewrite every principal.

4. Create the Kerberos database

kdb5_ldap_util -D cn=root,ou=Control,dc=lishen,dc=com -H ldap:// create -r LISHEN.COM

This prompts for the rootdn password and then for the realm master password, and creates cn=LISHEN.COM under cn=Kerberos,dc=lishen,dc=com. Add -s to stash the master key in key_stash_file (/etc/krb5.LISHEN.COM); without the stash, krb5kdc needs the master password every time it starts.

5. Start Kerberos

service krb5kdc restart

(kadmind is not started here; the test below uses kadmin.local, which works on the database directly. Start the kadmin service as well if remote kadmin clients are needed.)

6. Test: add a principal

# kadmin.local
Authenticating as principal root/admin@LISHEN.COM with password.
kadmin.local: addprinc test
WARNING: no policy specified for test@LISHEN.COM; defaulting to no policy
Enter password for principal "test@LISHEN.COM":
Re-enter password for principal "test@LISHEN.COM":
Principal "test@LISHEN.COM" created.

# slapcat | grep "test"
dn: uid=test,ou=People,dc=lishen,dc=com
uid: test
homeDirectory: /home/users/test
dn: krbPrincipalName=test@LISHEN.COM,cn=LISHEN.COM,cn=Kerberos,dc=lishen,dc=co
krbPrincipalName: test@LISHEN.COM

The principal was created. Note that the two entries are unrelated: the POSIX account lives under ou=People and the principal, with its keys, under cn=LISHEN.COM,cn=Kerberos; they merely share the name "test". To store the Kerberos attributes on the existing user entry instead, kadmin's addprinc accepts -x dn=uid=test,ou=People,dc=lishen,dc=com, but kdc-adm would then need write access to that entry, which the ACLs in Part 1 do not grant.


Test obtaining a ticket:

# kinit test
Password for test@LISHEN.COM:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: test@LISHEN.COM

Valid starting       Expires              Service principal
10/16/2016 02:11:55  10/17/2016 02:11:55  krbtgt/LISHEN.COM@LISHEN.COM

kinit succeeded, and the one-day ticket lifetime matches max_life in krb5.conf. The user now has two independent secrets: the userPassword set in LDAP in Part 1 and the principal key set by addprinc; nothing keeps them in sync, so decide which one clients will check against.



LDAP GUI tool: http://directory.apache.org/studio/

