• openldap主机访问控制(基于ip)


    http://blog.oddbit.com/2013/07/22/generating-a-membero/
    http://gsr-linux.blogspot.jp/2011/01/howto-on-using-dynlist-with-openldap.html

    建立组织单元

    # Create the three containers used by the rest of the page: accounts
    # (ou=people), POSIX groups (ou=group) and host groups (ou=host).
    # Binds as the rootdn over LDAPS; -W prompts for the bind password instead
    # of taking it on the command line. Quoted delimiter: no shell expansion.
    ldapadd -x -W -H ldaps://master.local -D cn=manager,dc=suntv,dc=tv <<'_EOF_'
    dn: ou=people,dc=suntv,dc=tv
    objectClass: organizationalUnit
    ou: people
    
    dn: ou=group,dc=suntv,dc=tv
    objectClass: organizationalUnit
    ou: group
    
    dn: ou=host,dc=suntv,dc=tv
    objectClass: organizationalUnit
    ou: host
    _EOF_
    

    建立主机组

    # Host groups: one organizationalUnit per role. The hostObject auxiliary
    # class lets the OU carry 'host' values; the user entries' labeledURI will
    # point at these OUs and slapo-dynlist copies the 'host' values into the
    # user entry when it is read.
    # NOTE(review): hostObject is not part of OpenLDAP's stock core schema; the
    # schema file that defines it (e.g. ldapns.schema) has to be included in
    # slapd.conf or these adds fail with an objectClass violation.
    # 'all' has no special meaning to slapd or SSSD; it only works because the
    # SSSD access filter further down compares host=all literally.
    ldapadd -x -W -H ldaps://master.local -D cn=manager,dc=suntv,dc=tv <<'_EOF_'
    dn: ou=all,ou=host,dc=suntv,dc=tv
    ou: all
    objectClass: organizationalUnit
    objectClass: hostObject
    host: all
    
    dn: ou=op,ou=host,dc=suntv,dc=tv
    ou: op
    objectClass: organizationalUnit
    objectClass: hostObject
    host: 192.168.1.21
    host: 192.168.1.22
    
    dn: ou=dev,ou=host,dc=suntv,dc=tv
    ou: dev
    objectClass: organizationalUnit
    objectClass: hostObject
    host: 192.168.1.31
    host: 192.168.1.32
    _EOF_
    

    建立用户组

    # POSIX groups referenced by the accounts' gidNumber (2001 = op, 2002 = dev).
    # These are ordinary static groups; they play no part in the host check.
    ldapadd -x -W -H ldaps://master.local -D cn=manager,dc=suntv,dc=tv <<'_EOF_'
    dn: cn=op,ou=group,dc=suntv,dc=tv
    cn: op
    gidNumber: 2001
    objectClass: posixGroup
    
    dn: cn=dev,ou=group,dc=suntv,dc=tv
    cn: dev
    gidNumber: 2002
    objectClass: posixGroup
    _EOF_
    

    建立用户

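    # Accounts. slapd stores userPassword exactly as submitted, so a cleartext
    # value such as 123456 would be kept and returned in cleartext (the
    # ldapsearch output below shows userPassword:: MTIzNDU2, base64 of 123456).
    # Hash each password client-side instead: slappasswd prompts twice on the
    # terminal and prints an {SSHA} value, which is what gets stored.
    OP01_HASH=$(slappasswd)
    DEV01_HASH=$(slappasswd)
    # The heredoc delimiter is deliberately unquoted so the hash variables expand.
    ldapadd -x -W -H ldaps://master.local -D cn=manager,dc=suntv,dc=tv << _EOF_
    dn: uid=op01,ou=people,dc=suntv,dc=tv
    uid: op01
    cn: op01
    sn: op01
    # hostObject is what allows the dynlist-merged 'host' values on this entry.
    objectClass: hostObject
    objectClass: posixAccount
    objectClass: shadowAccount
    objectClass: inetOrgPerson
    userPassword: ${OP01_HASH}
    shadowLastChange: 17085
    shadowMin: 0
    # 99999 days: the password effectively never expires. Tighten per policy.
    shadowMax: 99999
    shadowWarning: 7
    loginShell: /bin/bash
    uidNumber: 1001
    gidNumber: 2001
    homeDirectory: /home/op01
    # Resolved internally by slapo-dynlist: the 'host' values of ou=op,ou=host
    # are merged into this entry on read. Whoever can write labeledURI on this
    # entry can re-point it at any host group, so keep it out of any
    # 'by self write' ACL.
    labeledURI: ldaps:///ou=op,ou=host,dc=suntv,dc=tv?host
    
    dn: uid=dev01,ou=people,dc=suntv,dc=tv
    uid: dev01
    cn: dev01
    # Was 'op01' in the original (copy-paste error); sn should be the user's own.
    sn: dev01
    objectClass: hostObject
    objectClass: posixAccount
    objectClass: shadowAccount
    objectClass: inetOrgPerson
    userPassword: ${DEV01_HASH}
    shadowLastChange: 17085
    shadowMin: 0
    shadowMax: 99999
    shadowWarning: 7
    loginShell: /bin/bash
    uidNumber: 1002
    gidNumber: 2002
    homeDirectory: /home/dev01
    labeledURI: ldaps:///ou=dev,ou=host,dc=suntv,dc=tv?host
    _EOF_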
    

    动态组

    # /etc/openldap/slapd.conf: make sure it contains the following.
    # dyngroup.schema is what the referenced how-tos include for dynlist;
    # inetOrgPerson and labeledURI themselves come from the stock
    # inetorgperson/core schema, so this include is kept as in those guides.
    include     /etc/openldap/schema/dyngroup.schema
    
    # slapo-dynlist is a loadable module here (lib64 path, presumably RHEL/CentOS).
    modulepath /usr/lib64/openldap
    moduleload dynlist.la
    
    # For every entry with objectClass inetOrgPerson, each labeledURI value is
    # treated as an LDAP URL and the attributes it selects (here: host) are
    # merged into the entry when it is read. The values are computed on read,
    # not stored, which is why the server-side filters later on this page do
    # not match them.
    # NOTE(review): with this overlay, labeledURI (and the merged host values)
    # decide which machines a user may log in to. Check the ACLs: a
    # 'by self write' rule on user entries would let a user re-point
    # labeledURI at ou=all,ou=host and grant themselves every host.
    overlay dynlist
    dynlist-attrset inetOrgPerson labeledURI
    
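    # Convert slapd.conf into cn=config. Validate first (-u = dry run, no
    # database files are created) so a typo cannot leave slapd without a
    # usable config, and move the current slapd.d aside instead of deleting it
    # so the change can be rolled back. Each step only runs if the previous
    # one succeeded.
    slaptest -u -f /etc/openldap/slapd.conf \
      && mv /etc/openldap/slapd.d "/etc/openldap/slapd.d.bak.$(date +%Y%m%d%H%M%S)" \
      && mkdir /etc/openldap/slapd.d \
      && slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d \
      && chown -R ldap:ldap /etc/openldap/slapd.d \
      && systemctl restart slapd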
    

    测试

    # Read op01 back. The 'host:' lines in the result are not stored on the
    # entry; slapo-dynlist merges them in from ou=op,ou=host at read time.
    ldapsearch -x -H ldaps://master.local -D cn=manager,dc=suntv,dc=tv -W -b uid=op01,ou=people,dc=suntv,dc=tv

    Enter LDAP Password: 
    # extended LDIF
    #
    # LDAPv3
    # base <uid=op01,ou=people,dc=suntv,dc=tv> with scope subtree
    # filter: (objectclass=*)
    # requesting: ALL
    #
    
    # op01, people, suntv.tv
    dn: uid=op01,ou=people,dc=suntv,dc=tv
    uid: op01
    cn: op01
    sn: op01
    objectClass: hostObject
    objectClass: posixAccount
    objectClass: shadowAccount
    objectClass: inetOrgPerson
    userPassword:: MTIzNDU2
    shadowLastChange: 17085
    shadowMin: 0
    shadowMax: 99999
    shadowWarning: 7
    loginShell: /bin/bash
    uidNumber: 1001
    gidNumber: 2001
    homeDirectory: /home/op01
    labeledURI: ldaps:///ou=op,ou=host,dc=suntv,dc=tv?host
    host: 192.168.1.21 # 动态组自动增加内容
    host: 192.168.1.22 # 动态组自动增加内容
    
    # search result
    search: 2
    result: 0 Success
    
    # numResponses: 2
    # numEntries: 1
    

    ldapsearch过滤用法 http://blog.chinaunix.net/uid-393131-id-2410065.html

    # Same check for dev01, requesting only the 'host' attribute: the
    # dynlist-merged values are returned when asked for explicitly.
    ldapsearch -x -H ldaps://master.local -D cn=manager,dc=suntv,dc=tv -W -b uid=dev01,ou=people,dc=suntv,dc=tv host

    # extended LDIF
    #
    # LDAPv3
    # base <uid=dev01,ou=people,dc=suntv,dc=tv> with scope subtree
    # filter: (objectclass=*)
    # requesting: host 
    #
    
    # dev01, people, suntv.tv
    dn: uid=dev01,ou=people,dc=suntv,dc=tv
    host: 192.168.1.31 # 动态组自动增加内容
    host: 192.168.1.32 # 动态组自动增加内容
    
    # search result
    search: 2
    result: 0 Success
    
    # numResponses: 2
    # numEntries: 1
    
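    # Client-side SSSD configuration. Quoted delimiter: nothing in the file is
    # subject to shell expansion.
    cat > /etc/sssd/sssd.conf <<'_EOF_'
    [domain/LDAP]
    # 9 is maximum verbosity, used here to trace the access filter decision;
    # lower it once debugging is done, the logs get large and chatty.
    debug_level = 9
    # Users who have logged in before can still authenticate while the server
    # is unreachable.
    cache_credentials = true
    enumerate = false
    
    id_provider = ldap
    auth_provider = ldap
    chpass_provider = ldap
    
    ldap_uri = ldaps://master.local
    ldap_backup_uri = ldaps://slave.local
    ldap_search_base = dc=suntv,dc=tv
    ldap_user_search_base = ou=people,dc=suntv,dc=tv
    ldap_group_search_base = ou=group,dc=suntv,dc=tv
    
    # Host-based access control: SSSD ANDs this filter with the user's entry
    # and denies login unless the server returns the entry. The IP must be
    # this machine's own address (the filter is per host, not global); 'all'
    # is only a literal value placed in the host groups. The filter is
    # evaluated server-side against stored attributes, so 'host' values that
    # slapo-dynlist merges in at read time are not matched (see the test below).
    access_provider = ldap
    ldap_access_order = filter
    ldap_access_filter = (|(host=all)(host=192.168.1.21))
    
    # Verify the server certificate against the CA configured here. 'never'
    # would accept any certificate, so a rogue LDAPS endpoint could collect
    # the passwords SSSD sends in its simple binds; 'demand' rejects the
    # connection on any certificate failure.
    ldap_tls_cacertdir = /etc/openldap/cacerts
    ldap_tls_cacert = /etc/openldap/cacerts/ca.crt
    ldap_tls_reqcert = demand
    # Not needed with ldaps://, the connection is TLS from the first byte.
    ldap_id_use_start_tls = false
    
    [sssd]
    domains = LDAP
    services = nss, pam
    config_file_version = 2
    
    [nss]
    domains = LDAP
    fd_limit = 65535
    # Never resolve root through LDAP.
    filter_users = root
    filter_groups = root
    
    [pam]
    domains = LDAP
    
    [ssh]
    domains = LDAP
    ssh_hash_known_hosts = false
    _EOF_
    # SSSD checks the config permissions at startup and refuses to run if the
    # file is group/world readable.
    chmod 600 /etc/sssd/sssd.conf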
    

    测试

    # ssh op01@192.168.1.22
    op01@192.168.1.22's password: 
    Connection to 192.168.1.22 closed by remote host.
    Connection to 192.168.1.22 closed.
    

    sssd_LDAP日志显示如下,其中 [(&(uid=op01)(objectclass=posixAccount)(|(host=all)(host=192.168.1.21)))][uid=op01,ou=people,dc=suntv,dc=tv] 是 sssd 发给服务器的过滤条件和搜索基准。服务器返回 Success 但没有匹配条目,于是 sssd 以 "User [op01] was not found with the specified filter" 拒绝登录。问题应该就出在 ldap_access_filter = (|(host=all)(host=192.168.1.21)) 这里:这个过滤条件是在服务器端按条目里实际存储的属性求值的。

    (Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [sdap_access_filter_send] (0x0400): Performing access filter check for user [op01]
    (Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [sdap_access_filter_send] (0x0400): Checking filter against LDAP
    (Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
    (Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [sdap_print_server] (0x2000): Searching 192.168.1.11
    (Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=op01)(objectclass=posixAccount)(|(host=all)(host=192.168.1.21)))][uid=op01,ou=people,dc=suntv,dc=tv].
    (Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 4
    (Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [sdap_op_add] (0x2000): New operation 4 timeout 6
    (Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [sdap_process_result] (0x2000): Trace: sh[0x9380c0], connected[1], ops[0x9f7470], ldap[0x931330]
    (Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
    (Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
    (Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [sdap_op_destructor] (0x2000): Operation 4 finished
    (Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [sdap_id_op_done] (0x4000): releasing operation connection
    (Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [sdap_access_filter_done] (0x0100): User [op01] was not found with the specified filter. Denying access.
    (Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [sdap_access_filter_done] (0x0400): Access denied by online lookup
    (Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [ldb] (0x4000): start ldb transaction (nesting: 0)
    (Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x9e6f50
    
    (Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x9e76c0
    
    (Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [ldb] (0x4000): Running timer event 0x9e6f50 "ltdb_callback"
    
    (Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [ldb] (0x4000): Destroying timer event 0x9e76c0 "ltdb_timeout"
    
    (Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [ldb] (0x4000): Ending timer event 0x9e6f50 "ltdb_callback"
    
    (Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [ldb] (0x4000): commit ldb transaction (nesting: 0)
    (Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [sdap_access_done] (0x0400): Access was denied.
    (Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 6, <NULL>) [Success]
    (Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [be_pam_handler_callback] (0x0100): Sending result [6][LDAP]
    (Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [be_pam_handler_callback] (0x0100): Sent result [6][LDAP]
    (Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [sdap_process_result] (0x2000): Trace: sh[0x9380c0], connected[1], ops[(nil)], ldap[0x931330]
    (Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
    (Thu Oct 13 17:24:00 2016) [sssd[be[LDAP]]] [sbus_dispatch] (0x4000): dbus conn: 0x91cdf0
    (Thu Oct 13 17:24:00 2016) [sssd[be[LDAP]]] [sbus_dispatch] (0x4000): Dispatching.
    
    dynlist 不支持在 filter 中匹配其动态生成的属性 http://www.openldap.org/lists/openldap-software/200708/msg00250.html
    原因是 dynlist 只在读取条目时才把 host 等值合并进来,数据库里并没有这些值,服务器端的 filter 自然匹配不到。该帖子建议改用第三方 autogroup 模块,它把成员记录实际写入数据库,因此可以被 filter 匹配。(注:以上结论针对当时测试的 OpenLDAP 版本,新版本 dynlist 的行为可能不同,使用前请在自己的版本上验证。)
    

    op01用户使用动态组,dev01用户不使用动态组,直接添加host记录192.168.1.22

    # Filter on a 'host' value that is physically stored on dev01's entry:
    # the server matches it.
    ldapsearch -x -H ldaps://master.local -D cn=manager,dc=suntv,dc=tv -W -b ou=people,dc=suntv,dc=tv "host=192.168.1.22"
    Enter LDAP Password: 
    # extended LDIF
    #
    # LDAPv3
    # base <ou=people,dc=suntv,dc=tv> with scope subtree
    # filter: host=192.168.1.22 # 过滤后找到信息
    # requesting: ALL
    #
    
    # dev01, people, suntv.tv
    dn: uid=dev01,ou=people,dc=suntv,dc=tv
    uid: dev01
    cn: dev01
    sn: op01
    objectClass: hostObject
    objectClass: posixAccount
    objectClass: shadowAccount
    objectClass: inetOrgPerson
    userPassword:: MTIzNDU2
    shadowLastChange: 17085
    shadowMin: 0
    shadowMax: 99999
    shadowWarning: 7
    loginShell: /bin/bash
    uidNumber: 1002
    gidNumber: 2002
    homeDirectory: /home/dev01
    host: 192.168.1.22
    
    # search result
    search: 2
    result: 0 Success
    
    # numResponses: 2
    # numEntries: 1
    
     # Filter on a 'host' value that op01 only gets through the dynlist
     # expansion: the server-side filter sees the stored entry, so no match.
     ldapsearch -x -H ldaps://master.local -D cn=manager,dc=suntv,dc=tv -W -b ou=people,dc=suntv,dc=tv "host=192.168.1.21"
    Enter LDAP Password: 
    # extended LDIF
    #
    # LDAPv3
    # base <ou=people,dc=suntv,dc=tv> with scope subtree
    # filter: host=192.168.1.21 # 过滤后未找到记录
    # requesting: ALL
    #
    
    # search result
    search: 2
    result: 0 Success
    
    # numResponses: 1
    

    鉴于当前版本的 dynlist 不支持对动态生成属性做 filter,而 autogroup 是第三方模块,openldap 程序未默认内置,用静态组又要给每个用户加很多条 host 记录,因此基于 ip 的动态组方案废弃,我换个基于用户组的方案来试试。需要注意的是,无论哪种方案,host / labeledURI 这类属性实际上决定了用户能登录哪些主机,ACL 里一定不能允许用户自己修改这些属性。
