1、环境:
操作系统:CentOS release 6.8 (Final)
ip:192.168.31.155
操作系统:CentOS Linux release 7.2.1511 (Core)
ip:192.168.31.156
2、操作过程:
客户端配置文件
2.1、CentOS5
/etc/nsswitch.conf
/etc/ldap.conf
/etc/pam.d/system-auth
2.2、CentOS6
安装依赖包:
yum install nss-pam-ldap
/etc/nslcd.conf
/etc/pam_ldap.conf
/etc/nsswitch.conf
/etc/pam.d/system-auth
操作过程:
[root@client01-centos6 ~]# yum install nss-pam-ldapd
[root@client01-centos6 ~]# rpm -ql nss-pam-ldapd
/etc/nslcd.conf
/etc/rc.d/init.d/nslcd
/lib64/libnss_ldap.so.2
/usr/lib64/libnss_ldap.so
/usr/sbin/nslcd
/usr/share/doc/nss-pam-ldapd-0.7.5
/usr/share/doc/nss-pam-ldapd-0.7.5/AUTHORS
/usr/share/doc/nss-pam-ldapd-0.7.5/COPYING
/usr/share/doc/nss-pam-ldapd-0.7.5/ChangeLog
/usr/share/doc/nss-pam-ldapd-0.7.5/HACKING
/usr/share/doc/nss-pam-ldapd-0.7.5/NEWS
/usr/share/doc/nss-pam-ldapd-0.7.5/README
/usr/share/doc/nss-pam-ldapd-0.7.5/TODO
/usr/share/man/man5/nslcd.conf.5.gz
/usr/share/man/man8/nslcd.8.gz
/var/run/nslcd
[root@client01-centos6 ~]#
备份配置文件:
[root@client01-centos6 ~]# mkdir configback
[root@client01-centos6 ~]# cp /etc/nsswitch.conf configback/nsswitch.conf.bak
[root@client01-centos6 ~]# cp /etc/pam.d/system-auth configback/system-auth.bak
[root@client01-centos6 ~]# cp /etc/nslcd.conf configback/nslcd.conf.bak
[root@client01-centos6 ~]# cp /etc/pam_ldap.conf configback/pam_ldap.conf.bak
[root@client01-centos6 ~]#
备份当前涉及的配置文件:
[root@client01-centos6 ~]# authconfig --savebackup=openldap.bak
还原当前的配置文件:
[root@client01-centos6 ~]# authconfig --restorebackup=openldap.bak
注意:authconfig命令可以很迅速的将文件恢复到初始状态,相比手动逐一修改配置文件效率要高,准确性更好
CentOS6采用图形界面配置,具体配置步骤如下:
setup--->Run Tool-->Authentication configuration--->Use LDAP && Use LDAP Authentication --->netx-->
Server: ldap:192.168.31.153
Base DN: dc=ldap,dc=com
---->OK--->quit
配置好之后重启nslcd服务即可
[root@client01-centos6 ~]# /etc/init.d/nslcd restart
Stopping nslcd: [ OK ]
Starting nslcd: [ OK ]
[root@client01-centos6 ~]# id user01
uid=1000(user01) gid=1010(Host) groups=1010(Host)
[root@client01-centos6 ~]#
[root@client01-centos6 ~]#
[root@client01-centos6 ~]# grep user01 /etc/passwd
[root@client01-centos6 ~]#
用user01测试登录:
[root@ldapclient01 ~]# ssh user01@192.168.31.155
user01@192.168.31.155's password:
Last login: Wed Oct 25 17:19:16 2017 from 192.168.31.154
Could not chdir to home directory /home/user01: No such file or directory
-bash-4.1$ id
uid=1000(user01) gid=1010(Host) groups=1010(Host)
-bash-4.1$ hostname
client01-centos6
-bash-4.1$
发现登录成功,但是不能创建家目录,接下来解决创建家目录问题(用参数--enablemkhomedir)
[root@client01-centos6 ~]# authconfig --enableldap --enableldapauth --ldapserver=ldap://192.168.31.153 --disableldaptls --enablemkhomedir --ldapbasedn="dc=ldap,dc=com" --update
[root@client01-centos6 ~]#
提示:如果执行上述命令没效果,可以执行authconfig --restorebackup=openldap.bak恢复初始配置,再执行“authconfig --enableldap --enableldapauth --ldapserver=ldap://192.168.31.153 --disableldaptls --enablemkhomedir --ldapbasedn="dc=ldap,dc=com" --update”命令,具体操作如下:
[root@client01-centos6 ~]# authconfig --restorebackup=openldap.bak
[root@client01-centos6 ~]# authconfig --enableldap --enableldapauth --ldapserver=ldap://192.168.31.153 --disableldaptls --enablemkhomedir --ldapbasedn="dc=ldap,dc=com" --update
Starting nslcd: [ OK ]
[root@client01-centos6 ~]# id user01
uid=1000(user01) gid=1010(Host) groups=1010(Host)
[root@client01-centos6 ~]#
[root@client01-centos6 ~]# getent passwd user01
user01:x:1000:1010:user01:/hoome/user01:/bin/bash
[root@client01-centos6 ~]#
查看文件/etc/pam.d/system-auth,其中增加了如下一行:
session optional pam_mkhomedir.so umask=0077
再测试获取ldap账户user01:
[user01@client01-centos6 ~]$ id
uid=1000(user01) gid=1010(Host) groups=1010(Host) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[user01@client01-centos6 ~]$ pwd
/hoome/user01
[user01@client01-centos6 ~]$
[user01@client01-centos6 ~]$ whoami
user01
[user01@client01-centos6 ~]$
继续登陆测试:
[root@ldapclient01 ~]# ssh user01@192.168.31.155
user01@192.168.31。155's password:
Creating directory '/home/user01'.
Last login: Wed Oct 25 17:24:43 2017 from 192.168.31.154
[user01@client01-centos6 ~]$ pwd
/home/user01
[user01@client01-centos6 ~]$ whoami
user01
[user01@client01-centos6 ~]$
说明:登陆成功,顺利创建家目录.创建家目录参数是"--enablemkhomedir"
2.3、CentOS7
/etc/nslcd.conf
/etc/pam_ldap.conf
/etc/nsswitch.conf
/etc/pam.d/system-auth
安装配置文件和相应的工具包
[root@client01-centos7 ~]# yum install nss-pam-ldapd setuptool
备份配置文件:
[root@client01-centos7 ~]# authconfig --savebackup=openldap.bak
[root@client01-centos7 ~]# id user01
id: user01: no such user
[root@client01-centos7 ~]# getent passwd user01
[root@client01-centos7 ~]# getent shadow user01
恢复配置文件:
[root@client01-centos7 ~]# authconfig --restorebackup=openldap.bak
运行添加命令:
[root@client01-centos7 ~]# authconfig --enableldap --enableldapauth --ldapserver=ldap://192.168.31.153 --disableldaptls --enablemkhomedir --ldapbasedn="dc=ldap,dc=com" --update
[root@client01-centos7 ~]# getent shadow user01
user01:*:::::::0
[root@client01-centos7 ~]# getent passwd user01
user01:x:1000:1010:user01:/hoome/user01:/bin/bash
[root@client01-centos7 ~]#
[root@client01-centos7 ~]# id user01
uid=1000(user01) gid=1010(Host) groups=1010(Host)
[root@client01-centos7 ~]#
同样进行登录测试:
[root@client01-centos6 ~]# ssh user01@192.168.31.156
user01@192.168.31.156's password:
Creating directory '/home/user01'.
Last login: Tue Oct 24 13:04:39 2017 from 192.168.31.100
[user01@client01-centos7 ~]$ whoami
user01
[user01@client01-centos7 ~]$ id
uid=1000(user01) gid=1010(Host) groups=1010(Host) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[user01@client01-centos7 ~]$ pwd
/home/user01
[user01@client01-centos7 ~]$
-bash-4.2$ cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)
-bash-4.2$
总结:
ldap客户端配置方法有如下三种:
1、修改配置文件
2、authconfig
3、setup配置
说明:第1种方法修改最复杂,也是最不可靠,很容易出错,所以一般不建议使用,第2、3种方法可以根据请考虑,个人建议用第2种,操作便捷准确性搞,另外在进行任何配置的时候切记要进行备份(即:authconfig --savebackup=</backupfile.bak>)
一、无论是CentOS6还是CentOS7都要装一个组件 nss-pam-ldapd
yum install nss-pam-ldapd -y
在进行配置之前切记要将文件进行备份,这里推荐用"authconfig --savebackup=openldap.bak"命令
authconfig --savebackup=openldap.bak(备份)
如果想快速还原配置文件至初始状态,则进行如下操作:
authconfig --restorebackup=openldap.bak(还原)
将客户端加入ldap服务进行统一管理,运行以下命令,切记服务器地址和对应参数必须保持正确:
authconfig --enableldap --enableldapauth --ldapserver=ldap://192.168.31.153 --disableldaptls --enablemkhomedir --ldapbasedn="dc=ldap,dc=com" --update
在实际工作中由于自己的疏忽漏掉了参数"--enableldapauth",结果导致无法远程ssh登陆服务器,后来不得不跑到机房将配置文件恢复回来,然后添加该参数重新执行。
二、环境上需要注意的问题
①确保selinux和iptables必须是关闭状态,即getenforce返回结果为disabled,iptables状态为stop
②确保客户端连接服务端的地址要正确
三、修改用户初始密码的方法:
默认情况下用户是不能修改用户密码的,示例如下:
[user01@client01-centos7 ~]$ id
uid=1000(user01) gid=1010(Host) groups=1010(Host) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[user01@client01-centos7 ~]$ passwd
Changing password for user user01.
(current) LDAP Password:
New password:
Retype new password:
password change failed: Insufficient access
passwd: Authentication token manipulation error
[user01@client01-centos7 ~]$
如果要想用户可以修改初始化密码,则需要到ldapserver中进行修改授权,操作如下:
[root@localhost cn=config]# cat << EOF |ldapmodify -Y EXTERNAL -H ldapi:///
> dn: olcDatabase={2}hdb,cn=config
> changetype: modify
> add: olcAccess
> olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=ldap,dc=com" write by anonymous auth by self write by * none
> olcAccess: {1}to dn.base="" by * read
> olcAccess: {2}to by dn="cn=Manager,dc=ldap,dc=com" write by * read
> EOF
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"
[root@localhost cn=config]#
操作代码:
cat << EOF |ldapmodify -Y EXTERNAL -H ldapi:///
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=ldap,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to by dn="cn=Manager,dc=ldap,dc=com" write by * read
EOF
退出登录,重新执行修改命令:
[user01@client01-centos7 ~]$ exit
logout
Connection to 192.168.31.156 closed.
[root@client01-centos6 ~]# ssh user01@192.168.31.156
user01@192.168.31.156's password:
Last login: Tue Oct 24 13:07:36 2017 from 192.168.31.155
[user01@client01-centos7 ~]$ passwd
Changing password for user user01.
(current) LDAP Password:
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[user01@client01-centos7 ~]$
https://blog.51cto.com/ucode/1975844
本文章为转载内容,我们尊重原作者对文章享有的著作权。如有内容错误或侵权问题,欢迎原作者联系我们进行内容更正或删除文章。
