• openldap权限sudo


    http://pig.made-it.com/ldap-sudoers.html
    https://www.lisenet.com/2015/convert-openldap-schema-to-ldif/
    http://qiita.com/T_Tsan/items/5ea2563450ed2d2ee20f
    http://edo.blog.jp/archives/1538669.html

    服务端

    yum -y install sudo
    

    sudo-ldap方案

    cp /usr/share/doc/sudo-1.8.6p7/schema.OpenLDAP /etc/openldap/schema/sudo.schema
    

    生成sudo.ldif

    echo 'include     /etc/openldap/schema/sudo.schema' > /tmp/sudo.conf
    
    mkdir /tmp/sudo
    slaptest -f /tmp/sudo.conf -F /tmp/sudo
    
    # vim /tmp/sudo/cn=config/cn=schema/cn={0}sudo.ldif
    替换
    dn: cn={0}sudo
    objectClass: olcSchemaConfig
    cn: {0}sudo
    为
    dn: cn=sudo,cn=schema,cn=config
    objectClass: olcSchemaConfig
    cn: sudo
    
    删除
    structuralObjectClass: olcSchemaConfig
    entryUUID: bd975dc0-1654-1036-9c97-c37d6a498779
    creatorsName: cn=config
    createTimestamp: 20160924034303Z
    entryCSN: 20160924034303.121340Z#000000#000#000000
    modifiersName: cn=config
    modifyTimestamp: 20160924034303Z
    
    cp /tmp/sudo/cn=config/cn=schema/cn={0}sudo.ldif /etc/openldap/schema/sudo.ldif
    

    sudo功能生效

    vim /etc/openldap/slapd.conf
    添加
    include     /etc/openldap/schema/sudo.schema
    
    rm -rf /etc/openldap/slapd.d/*
    slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
    chown -R ldap:ldap /etc/openldap/slapd.d
    systemctl restart slapd
    

    sudoer权限

    sudoer.ldif 
    dn: ou=sudoer,dc=suntv,dc=tv
    ou: sudoer
    objectClass: top
    objectClass: organizationalUnit
    
    dn: cn=default,ou=sudoer,dc=suntv,dc=tv
    objectClass: sudoRole
    cn: defaults
    sudoOption: requiretty
    sudoOption: !visiblepw
    sudoOption: always_set_home
    sudoOption: env_reset
    sudoOption: env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
    sudoOption: env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
    sudoOption: env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
    sudoOption: env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
    sudoOption: env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
    sudoOption: secure_path = /sbin:/bin:/usr/sbin:/usr/bin
    sudoOption: logfile = /var/log/sudo
    sudoOption: %g01, %g02 !requiretty
    
    dn: cn=%g01,ou=sudoer,dc=suntv,dc=tv
    objectClass: sudoRole
    cn: %g01
    sudoUser: %g01
    sudoHost: ALL
    sudoRunAsUser: ALL
    sudoOption: !authenticate
    sudoCommand: ALL
    sudoCommand: !/bin/su*
    sudoCommand: !/usr/bin/vim /etc/sudoers*
    sudoCommand: !/bin/vi /etc/sudoers*
    sudoCommand: !/usr/sbin/visudo
    sudoCommand: !/usr/sbin/adduser*
    sudoCommand: !/usr/sbin/useradd*
    sudoCommand: !/usr/sbin/userdel*
    sudoCommand: !/usr/sbin/groupadd*
    sudoCommand: !/usr/sbin/groupdel*
    sudoCommand: !/bin/sh
    sudoCommand: !/bin/bash
    sudoCommand: !/usr/bin/login
    # g01组用户禁用su,禁用变更sudo权限,禁用用户组的操作
    
    dn: cn=%g02,ou=sudoer,dc=suntv,dc=tv
    objectClass: sudoRole
    cn: %g02
    sudoUser: %g02
    sudoHost: ALL
    sudoRunAsUser: ALL
    sudoOption: !authenticate
    sudoCommand: ALL
    sudoCommand: !/bin/su*
    # g02组用户禁用'sudo su',
    #
    
    ldapdelete -x -W -H ldaps:/// -D cn=manager,dc=suntv,dc=tv ou=sudoer,dc=suntv,dc=tv -r
    
    ldapadd -H ldaps:/// -W -x -D cn=manager,dc=suntv,dc=tv -f sudoer.ldif
    

    客户端

    /etc/sssd/sssd.conf

    [sssd]
    services = nss, pam, sudo, ssh # add
    config_file_version = 2
    domains = ldap
    
    [domain/ldap]
    debug_level = 9
    cache_credentials = True
    enumerate = false
    
    id_provider = ldap
    auth_provider = ldap
    chpass_provider = ldap
    sudo_provider = # add
    
    ldap_uri = ldaps://master.local,ldaps://slave.local
    ldap_search_base = dc=suntv,dc=tv
    ldap_sudo_search_base = ou=Sudoer,dc=suntv,dc=tv # add
    ldap_tls_cacertdir = /etc/openldap/cacerts
    ldap_tls_cacert = /etc/openldap/cacerts/ca.crt
    ldap_tls_reqcert = never
    ldap_id_use_start_tls = false
    
    entry_cache_timeout = 600
    ldap_network_timeout = 2
    
    [nss]
    homedir_substring = /home
    entry_negative_timeout        = 20
    entry_cache_nowait_percentage = 50
    
    filter_users = root
    filter_groups = root
    
    [pam]
    
    [sudo]
    
    [autofs]
    
    [ssh]
    
    [pac]
    

    /etc/nsswitch.conf

    sudoers: file sss
    

    禁用su

    vim /etc/pam.d/su
    去除以下行的注释
    auth            required        pam_wheel.so use_uid
    

    测试

    u01

    id
    uid=1001(u01) gid=2001(g01) groups=2001(g01)
    
    sudo -l
    Matching Defaults entries for u01 on this host:
        requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
        env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
        _XKB_CHARSET XAUTHORITY", secure_path=/sbin:/bin:/usr/sbin:/usr/bin
    
    User u01 may run the following commands on this host:
        (ALL) NOPASSWD: ALL, !/bin/su*, !/usr/bin/vim /etc/sudoers*, !/bin/vi /etc/sudoers*, !/usr/sbin/visudo, !/usr/sbin/adduser*, !/usr/sbin/useradd*, !/usr/sbin/userdel*, !/usr/sbin/groupadd*,
        !/usr/sbin/groupdel*, !/bin/sh, !/bin/bash, !/usr/bin/login
    

    u04

    id
    uid=1004(u04) gid=2002(g02) groups=2002(g02)
    
    sudo -l
    Matching Defaults entries for u04 on this host:
        requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
        env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
        _XKB_CHARSET XAUTHORITY", secure_path=/sbin:/bin:/usr/sbin:/usr/bin
    
    User u04 may run the following commands on this host:
        (ALL) NOPASSWD: ALL, !/bin/su*
    
  • 相关阅读:
    构造方法
    不死神兔
    类与对象
    成员变量和局部变量的区别
    this关键字的理解
    private关键字理解
    如何设置客户端证书
    有关中文的正则表达式
    Web和证书服务:建立电子商务外部网
    认证服务Web 网页循序渐进指南
  • 原文地址:https://www.cnblogs.com/liujitao79/p/5902800.html
Copyright © 2020-2023  润新知