OpenLDAP+SSL+SSSD for centralized authentication of Linux login

Part I: OpenLDAP server (slapd) installation

1. yum install

yum install -y openldap openldap-servers openssh-ldap openldap-clients migrationtools

2. Configure an SSL domain-name certificate so that LDAP communication is TLS-encrypted

The LDAP database is reached through the domain names master.ldap.conf.top (master LDAP) and slave.ldap.conf.top (slave LDAP)

a) Create the file /etc/pki/CA/openssl.cnf with the following contents

HOME            = .
RANDFILE        = $ENV::HOME/.rnd
oid_section     = new_oids
[ new_oids ]
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
[ ca ]
default_ca  = CA_default        # The default ca section
[ CA_default ]
dir     = /etc/pki/CA       # Where everything is kept
certs       = $dir/certs        # Where the issued certs are kept
crl_dir     = $dir/crl      # Where the issued crl are kept
database    = $dir/index.txt    # database index file.
new_certs_dir   = $dir/newcerts     # default place for new certs.
certificate = $dir/certs/ca.crt     # The CA certificate
serial      = $dir/serial       # The current serial number
crlnumber   = $dir/crlnumber    # the current crl number (must be commented out to leave a V1 CRL)
crl     = $dir/crl/crl.pem      # The current CRL
private_key = $dir/private/ca.key   # The private key
RANDFILE    = $dir/private/.rand    # private random number file
x509_extensions = usr_cert      # The extensions to add to the cert
name_opt    = ca_default        # Subject Name options
cert_opt    = ca_default        # Certificate field options
default_days    = 3650          # how long to certify for
default_crl_days= 30            # how long before next CRL
default_md  = sha256        # use public key default MD
preserve    = no            # keep passed DN ordering
policy      = policy_dn
[ policy_match ]
countryName     = match
stateOrProvinceName = match
organizationName    = match
organizationalUnitName  = optional
commonName      = supplied
emailAddress        = optional
[ policy_anything ]
countryName     = optional
stateOrProvinceName = optional
localityName        = optional
organizationName    = optional
organizationalUnitName  = optional
commonName      = supplied
emailAddress        = optional
[ policy_dn ]
countryName             = supplied              # required parameter, any value allowed
stateOrProvinceName     = optional
localityName            = optional
organizationName        = match                 # required, and must match root certificate
organizationalUnitName  = optional
commonName              = supplied              # required parameter, any value allowed
emailAddress            = optional              # email in DN is deprecated, use subjectAltName
[ req ]
default_bits        = 2048
default_md      = sha256
encrypt_key             = no
prompt                  = yes
default_keyfile     = client.key
distinguished_name  = req_distinguished_name
x509_extensions = v3_ca # The extensions to add to the self signed cert
string_mask = utf8only
[ req_distinguished_name ]
countryName         = Country Name (2 letter code)
countryName_default     = CN
countryName_min         = 2
countryName_max         = 2
stateOrProvinceName     = State or Province Name (full name)
stateOrProvinceName_default = Beijing
localityName            = Locality Name (eg, city)
localityName_default        = Beijing
0.organizationName      = Organization Name (eg, company)
0.organizationName_default  = Beijing Century Fortunet Network Technology Co.,Ltd.
organizationalUnitName      = Organizational Unit Name (eg, section)
organizationalUnitName_default  = IT Operation Management
commonName          = Common Name (eg, your name or your server\'s hostname)
commonName_max          = 64
emailAddress            = Email Address
emailAddress_max        = 64
emailAddress_default        = admin@conf.top
[ req_attributes ]
challengePassword       = A challenge password
challengePassword_min       = 4
challengePassword_max       = 20
unstructuredName        = An optional company name
[ usr_cert ]
basicConstraints    = CA:FALSE
nsComment       = "CONFCA Generated Certificate"
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer
[ v3_req ]
basicConstraints    = CA:FALSE
keyUsage        = digitalSignature, keyEncipherment
extendedKeyUsage        = serverAuth, clientAuth
subjectKeyIdentifier    = hash
subjectAltName      = @alt_names
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
keyUsage        = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign
extendedKeyUsage        = serverAuth, clientAuth, codeSigning, timeStamping, emailProtection, msEFS, 1.3.6.1.4.1.311.10.3.11, 1.3.6.1.4.1.311.20.2.2
basicConstraints = CA:true
[ X509_ca ]
basicConstraints        = CA:TRUE
nsCertType              = sslCA                 # restrict the usage
keyUsage                = keyCertSign, cRLSign  # restrict the usage
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always,issuer:always
[ X509_server ]
basicConstraints        = CA:FALSE
nsCertType              = server                # restrict the usage
keyUsage                = digitalSignature, keyEncipherment
extendedKeyUsage        = serverAuth            # restrict the usage
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer
[ X509_client ]
basicConstraints        = CA:FALSE
nsCertType              = client                # restrict the usage
keyUsage                = digitalSignature      # restrict the usage
extendedKeyUsage        = clientAuth            # restrict the usage
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer
[ crl_ext ]
authorityKeyIdentifier=keyid:always
[ proxy_cert_ext ]
basicConstraints=CA:FALSE
nsComment           = "CONFCA Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
[ tsa ]
default_tsa = tsa_config1   # the default TSA section
[ tsa_config1 ]
dir     = ./demoCA      # TSA root directory
serial      = $dir/tsaserial    # The current serial number (mandatory)
crypto_device   = builtin       # OpenSSL engine to use for signing
signer_cert = $dir/tsacert.pem  # The TSA signing certificate
                   # (optional)
certs       = $dir/cacert.pem   # Certificate chain to include in reply
                   # (optional)
signer_key  = $dir/private/tsakey.pem # The TSA private key (optional)
default_policy  = tsa_policy1       # Policy if request did not specify it
                   # (optional)
other_policies  = tsa_policy2, tsa_policy3  # acceptable policies (optional)
digests     = md5, sha1     # Acceptable message digests (mandatory)
accuracy    = secs:1, millisecs:500, microsecs:100  # (optional)
clock_precision_digits  = 0 # number of digits after dot. (optional)
ordering        = yes   # Is ordering defined for timestamps?
               # (optional, default: no)
tsa_name        = yes   # Must the TSA name be included in the reply?
               # (optional, default: no)
ess_cert_id_chain   = no    # Must the ESS cert id chain be included?
               # (optional, default: no)
[ alt_names ]
DNS.1 = conf.top
DNS.2 = *.conf.top
DNS.3 = ***.conf.top
DNS.4 = *.***.conf.top
DNS.5 = ldap.conf.top
DNS.6 = *.ldap.conf.top

b) Create CA certificate

# Create the working directory

cd /etc/pki/CA/ && umask 0077 && mkdir -p /etc/pki/CA/{private,certs,crl,csr,newcerts} && touch index.txt && echo '00'>serial

# Create the private key of the CA certificate

openssl genrsa -out private/ca.key 2048

# Create the self-signed CA certificate. The other prompts can be left at their defaults, but
# Common Name (eg, your name or your server's hostname) []: must not be left at the default for the CA certificate; enter CONFCA here

openssl req -days 177121 -new -sha256 -x509 -key private/ca.key -out certs/ca.crt -config openssl.cnf

c) Create domain name certificate

# Create the server private key

openssl genrsa -out private/conf.top.key 2048

# When generating the CSR, do not leave Common Name at its default; enter conf.top here

openssl req -new -sha256 -key private/conf.top.key -out csr/conf.top.csr -extensions v3_req -config openssl.cnf

# Sign the certificate with the CA (the v3_req section adds the subjectAltName entries from alt_names)

openssl ca -days 30659 -in csr/conf.top.csr -out certs/conf.top.crt -extensions v3_req -config openssl.cnf

d) Copy the generated CA certificate and server-side domain name certificate to the openldap directory

cp /etc/pki/CA/certs/ca.crt /etc/openldap/certs/ca.crt                  # CA certificate
cp /etc/pki/CA/certs/conf.top.crt /etc/openldap/certs/conf.top.crt      # Server certificate
cp /etc/pki/CA/private/conf.top.key /etc/openldap/certs/conf.top.key    # Server private key

# Restrict permissions on the certificate directory so only root and the ldap group can read the private key

chown -R root:ldap /etc/openldap/certs
chmod -R 750 /etc/openldap/certs

3. Configure the OpenLDAP schema templates

a) Copy the ssh schema template (the path may differ; locate it according to the installed versions of openssh-ldap and sudo)

cp /usr/share/doc/openssh-ldap-5.3p1/openssh-lpk-openldap.schema /etc/openldap/schema/openssh-lpk-openldap.schema

b) Copy sudo's schema template

cp /usr/share/doc/sudo-1.8.6p3/schema.OpenLDAP /etc/openldap/schema/sudo.schema

c) Custom permission control template

Create schema template file

touch /etc/openldap/schema/my.schema

Description of the my.schema custom template (objectClass=MyAccount):

active: account status, 0 = disabled, 1 = enabled (required)
access: access control (required); may hold multiple values. When adding a user, this attribute must be given the value ssh.
The attribute is designed to take several values, such as web, ***, so that an LDAP client can restrict access with a search filter
gauthcode: Google token (optional), used with the Google Authenticator PAM module for token authentication
In addition, some common attributes are added:
sn (last name), givenName (first name), displayName (display name), mobile (mobile number), mail (email), photo (photo)

Contents of the file /etc/openldap/schema/my.schema:

attributetype ( 1.3.6.1.4.1.30000.500.1.1.1 NAME 'active'
   DESC 'MANDATORY: Account active status 0-disable 1-enable'
   EQUALITY integerMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.30000.500.1.1.2 NAME 'access'
   DESC 'MANDATORY: Access Control'
   EQUALITY caseExactIA5Match
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.30000.500.1.1.3 NAME 'gauthcode'
       DESC 'MANDATORY: Google authenticator'
       EQUALITY caseExactIA5Match
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
objectclass ( 1.3.6.1.4.1.30000.500.1.2.0 NAME 'MyAccount' SUP top AUXILIARY
   DESC 'MANDATORY: conf user account'
   MUST ( active )
   MAY ( access $ gauthcode $ sn $ givenName $ displayName $ mobile $ mail $ photo)
   )

4. Create the slapd configuration file

Run the slappasswd command and enter a password; it prints the hashed administrator password string, which replaces the rootpw value in the next step

slappasswd

Create the configuration file /etc/openldap/slapd.conf as follows:

include     /etc/openldap/schema/corba.schema
include     /etc/openldap/schema/core.schema
include     /etc/openldap/schema/cosine.schema
include     /etc/openldap/schema/duaconf.schema
include     /etc/openldap/schema/dyngroup.schema
include     /etc/openldap/schema/inetorgperson.schema
include     /etc/openldap/schema/java.schema
include     /etc/openldap/schema/misc.schema
include     /etc/openldap/schema/nis.schema
include     /etc/openldap/schema/openldap.schema
include     /etc/openldap/schema/ppolicy.schema
include     /etc/openldap/schema/collective.schema
include     /etc/openldap/schema/sudo.schema
include     /etc/openldap/schema/openssh-lpk-openldap.schema
include     /etc/openldap/schema/my.schema
allow bind_v2
disallow bind_anon
require authc
pidfile    /var/run/openldap/slapd.pid
argsfile   /var/run/openldap/slapd.args
# Master slave synchronization module
#moduleload syncprov.la
# Certificate path
TLSCACertificateFile /etc/openldap/certs/ca.crt
TLSCertificateFile /etc/openldap/certs/conf.top.crt
TLSCertificateKeyFile /etc/openldap/certs/conf.top.key
TLSCiphersuite TLSv1.2+RSA:!EXPORT:!NULL
TLSVerifyClient never
# ACL permission control
database config
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
        by dn.exact="uid=ldap_sync,ou=ldap,dc=conf,dc=top" read
        by * none
database monitor
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
        by dn.exact="cn=root,dc=conf,dc=top" manage
        by dn.exact="uid=ldap_admin,ou=ldap,dc=conf,dc=top" manage
        by dn.exact="uid=ldap_sync,ou=ldap,dc=conf,dc=top" read
        by * none
database    bdb
access to attrs=gauthcode
        by anonymous auth
        by dn.exact="uid=ldap_write,ou=ldap,dc=conf,dc=top" write
        by dn.exact="uid=ldap_admin,ou=ldap,dc=conf,dc=top" manage
        by dn.exact="uid=ldap_sync,ou=ldap,dc=conf,dc=top" read
        by * none
access to attrs=userPassword
        by anonymous auth
        by dn.exact="uid=ldap_read,ou=ldap,dc=conf,dc=top" none
        by dn.exact="uid=ldap_write,ou=ldap,dc=conf,dc=top" write
        by dn.exact="uid=ldap_admin,ou=ldap,dc=conf,dc=top" manage
        by dn.exact="uid=ldap_sync,ou=ldap,dc=conf,dc=top" read
        by self write
        by * none
access to attrs=shadowLastChange
        by anonymous auth
        by self write
        by dn.exact="uid=ldap_read,ou=ldap,dc=conf,dc=top" read
        by dn.exact="uid=ldap_write,ou=ldap,dc=conf,dc=top" write
        by dn.exact="uid=ldap_admin,ou=ldap,dc=conf,dc=top" manage
        by dn.exact="uid=ldap_sync,ou=ldap,dc=conf,dc=top" read
        by * none
access to *
        by anonymous auth
        by dn.exact="uid=ldap_read,ou=ldap,dc=conf,dc=top" read
        by dn.exact="uid=ldap_write,ou=ldap,dc=conf,dc=top" write
        by dn.exact="uid=ldap_admin,ou=ldap,dc=conf,dc=top" manage
        by dn.exact="uid=ldap_sync,ou=ldap,dc=conf,dc=top" read
        by * none
# Other configurations
suffix      "dc=conf,dc=top"
checkpoint  1024 15
rootdn      "cn=root,dc=conf,dc=top"
rootpw      <password hash generated by slappasswd>
# When it is used as a slave, it needs to be configured as the readonly property
#readonly    on
directory   /var/lib/ldap
lastmod     on
index objectClass                          eq,pres
index ou,cn,mail,sn,givenName              eq,pres,sub
index uidNumber,gidNumber,loginShell       eq,pres
index uid,memberUid,mobile                 eq,pres,sub
index nisMapName,nisMapEntry               eq,pres,sub
index sudoUser                             eq
index displayName               pres,sub,eq
index default                   sub
index entryCSN,entryUUID        eq  
# Configuration synchronization
#overlay syncprov
#syncprov-checkpoint 100 10  
#syncprov-sessionlog 100
#serverID      21       #Server identity, master-slave configuration is different
#syncrepl      rid=101  #Same master-slave configuration
#              provider=ldaps://master.ldap.conf.top
#              binddn="uid=ldap_sync,ou=ldap,dc=conf,dc=top"
#              bindmethod=simple
#              starttls=yes
#              tls_cacert=/etc/openldap/certs/ca.crt
#              tls_reqcert=never
#              credentials="<password of the ldap_sync user>"
#              searchbase="dc=conf,dc=top"
#              schemachecking=off
#              type=refreshAndPersist
#              retry="60 +"
#mirrormode on
# Log level 0: close log
loglevel 0
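The order of the access directives and of the by clauses above decides who can read or change a password, and slapd does not fall through to later clauses. The following Python script is an added example (not code from this page or from OpenLDAP) that models that evaluation for the bdb section of the slapd.conf above, so the ACL can be checked on paper without restarting slapd. The user DN it uses is a constructed sample, and the rootdn, which bypasses ACLs entirely, is not modelled.

```python
"""Model of how slapd evaluates the access directives in the slapd.conf above.

Added example, not code from the page or from OpenLDAP: it reproduces the two
rules slapd applies (the first "access to" directive whose target matches the
attribute is the only one consulted, and inside it the first "by" clause that
matches the requester decides, with no fall-through). The ACL table is
transcribed from the bdb database section of the page's slapd.conf; bind and
entry DNs used below are constructed sample values. The rootdn, which
bypasses ACLs, is not modelled.
"""

# Access levels in increasing order of privilege (slapd.access(5)).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

LDAP_OU = "ou=ldap,dc=conf,dc=top"
READ, WRITE = "uid=ldap_read," + LDAP_OU, "uid=ldap_write," + LDAP_OU
ADMIN, SYNC = "uid=ldap_admin," + LDAP_OU, "uid=ldap_sync," + LDAP_OU

# (target attribute or "*", [(who, level), ...]) in the order written in slapd.conf.
ACLS = [
    ("gauthcode", [("anonymous", "auth"), (WRITE, "write"), (ADMIN, "manage"),
                   (SYNC, "read"), ("*", "none")]),
    ("userPassword", [("anonymous", "auth"), (READ, "none"), (WRITE, "write"),
                      (ADMIN, "manage"), (SYNC, "read"), ("self", "write"),
                      ("*", "none")]),
    ("shadowLastChange", [("anonymous", "auth"), ("self", "write"), (READ, "read"),
                          (WRITE, "write"), (ADMIN, "manage"), (SYNC, "read"),
                          ("*", "none")]),
    ("*", [("anonymous", "auth"), (READ, "read"), (WRITE, "write"),
           (ADMIN, "manage"), (SYNC, "read"), ("*", "none")]),
]


def who_matches(who, bind_dn, entry_dn):
    """Does a <who> clause apply to this requester? bind_dn is None when anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == entry_dn.lower()
    return bind_dn is not None and bind_dn.lower() == who.lower()   # dn.exact="..."


def granted_level(bind_dn, entry_dn, attr):
    """Access level slapd grants bind_dn on attribute attr of entry entry_dn."""
    for target, clauses in ACLS:
        if target != "*" and target.lower() != attr.lower():
            continue                      # this directive does not cover attr
        for who, level in clauses:
            if who_matches(who, bind_dn, entry_dn):
                return level              # first matching by clause decides
        return "none"                     # directive matched but nobody listed: deny
    return "none"                         # no directive matched: deny


def allowed(bind_dn, entry_dn, attr, needed):
    """True if the granted level is at least the needed one (levels are cumulative)."""
    return LEVELS.index(granted_level(bind_dn, entry_dn, attr)) >= LEVELS.index(needed)


if __name__ == "__main__":
    user = "uid=admin,ou=People,dc=conf,dc=top"    # constructed user entry DN
    for bind, label in ((None, "anonymous"), (READ, "ldap_read"), (user, "admin (self)")):
        print("%-14s userPassword: %-6s cn: %s" % (
            label, granted_level(bind, user, "userPassword"), granted_level(bind, user, "cn")))
```

Two consequences of the clause order are worth noticing: anonymous binds get auth on userPassword, which is enough to authenticate against the hash but not to read it, and ldap_read binding as itself gets none on its own userPassword, because the dn.exact clause for ldap_read comes before the self write clause.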

Modify the slapd startup configuration file /etc/sysconfig/ldap to choose which listeners slapd enables; with the values below it serves ldap:// and ldapi:// and not ldaps://. Note that the ldapadd commands and the sssd configuration later on this page connect with ldaps://, which is only served when SLAPD_LDAPS=yes.

SLAPD_LDAP=yes
SLAPD_LDAPI=yes
SLAPD_LDAPS=no

Copy the BerkeleyDB DB_CONFIG file and restrict the data directory permissions

cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chmod 600 /var/lib/ldap/DB_CONFIG
chown -R ldap:ldap /var/lib/ldap
chmod 700 /var/lib/ldap

Initialization script /etc/openldap/init.sh for the slapd configuration (run it after every change to slapd.conf)

#!/bin/bash
/etc/init.d/slapd stop
rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d || exit 1
chmod 700 /etc/openldap/slapd.d
chown -R ldap:ldap /etc/openldap/slapd.d
chown root:ldap /etc/openldap/slapd.conf
chmod 750 /etc/openldap/slapd.conf
/etc/init.d/slapd start

Start the slapd service, then run init.sh

/etc/init.d/slapd start
sh /etc/openldap/init.sh

5. Create users and groups and import them into the LDAP database

a) Plan the user ID and group ID ranges, for example group IDs 20000-29999 and user IDs 30000 and up.
Three groups are created: confops (operations), confdev (development) and confqa (test), plus the user admin, who belongs to the operations group.

b) Create the user list user.txt in the same format as the Linux /etc/passwd file, as follows

admin:x:30001:20001::/home/admin:/bin/bash

c) Create the group list file group.txt in the same format as /etc/group, as follows

confops:x:20001:admin
confdev:x:20002:
confqa:x:20003:

d) Create the password file shadow.txt in the same format as /etc/shadow

admin:$6$2Zdjcxvz$p/dHCZQUTn9dmSZdv2abCyd/oPRhskr3z4MNCCAYOn1LLYS3Q6DXw.VVXFt3CWger2SLwYWYS/a64yHNOuS3I/:16968:0:99999:7:::

Use migrationtools to convert the exported user, group and password text files into LDIF files that LDAP can read

e) import environment variables

export LDAP_BASEDN="dc=conf,dc=top"
export LDAP_DEFAULT_MAIL_DOMAIN="conf.top"

f) Generate the LDIF files

/usr/share/migrationtools/migrate_base.pl > base.ldif
/usr/share/migrationtools/migrate_passwd.pl user.txt > user.ldif
/usr/share/migrationtools/migrate_group.pl group.txt > group.ldif
/usr/share/migrationtools/migrate_passwd.pl shadow.txt > shadow.ldif

g) Add the name resolution to the local /etc/hosts file. If the slapd service is deployed on another server, use that server's IP instead

127.0.0.1 master.ldap.conf.top

h) Use the ldapadd tool to import the LDIF files into the database; enter the slapd rootdn administrator password when prompted

ldapadd -H "ldaps://master.ldap.conf.top" -D "cn=root,dc=conf,dc=top" -W -x -f base.ldif
ldapadd -H "ldaps://master.ldap.conf.top" -D "cn=root,dc=conf,dc=top" -W -x -f user.ldif
ldapadd -H "ldaps://master.ldap.conf.top" -D "cn=root,dc=conf,dc=top" -W -x -f group.ldif
#ldapadd -H "ldaps://master.ldap.conf.top" -D "cn=root,dc=conf,dc=top" -W -x -f shadow.ldif   # can be skipped

#Verify the imported data and query the users exported from passwd

ldapsearch -H "ldaps://master.ldap.conf.top" -D "cn=root,dc=conf,dc=top" -W -x -L -b "ou=People,dc=conf,dc=top"
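What migrate_passwd.pl and migrate_group.pl do in step f) is turn the colon-separated lines into LDIF records. As an added example (not code from this page and not migrationtools itself), the following Python script performs the same conversion for the three files above, so the entries can be inspected before they are imported with ldapadd. The layout of the generated entries (ou=People and ou=Group containers, posixAccount plus shadowAccount, {crypt} password hashes) is modelled on what those scripts emit; the sample records and the password hash in it are constructed.

```python
"""Convert passwd-, group- and shadow-format lines into LDIF records.

Added example, not the page's code and not migrationtools itself: it does what
migrate_passwd.pl and migrate_group.pl do for the user.txt, group.txt and
shadow.txt of step 5. The entry layout (ou=People / ou=Group, posixAccount plus
shadowAccount, {crypt} hashes) is modelled on those scripts' output; the sample
records and the password hash below are constructed.
"""
import base64

BASE_DN = "dc=conf,dc=top"

# Constructed sample input in the same format as the page's three files.
USER_TXT = "admin:x:30001:20001::/home/admin:/bin/bash\n"
GROUP_TXT = "confops:x:20001:admin\nconfdev:x:20002:\nconfqa:x:20003:\n"
SHADOW_TXT = "admin:$6$constructedsalt$constructedhash:16968:0:99999:7:::\n"

PASSWD_FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")
GROUP_FIELDS = ("name", "passwd", "gid", "members")
SHADOW_FIELDS = ("name", "hash", "lastchg", "min", "max", "warn",
                 "inactive", "expire", "flag")


def ldif_attr(name, value):
    """One LDIF attribute line (RFC 2849). A value that is not a SAFE-STRING
    (non-ASCII, leading space/colon/'<', NUL/CR/LF, trailing space) is
    base64-encoded and written with '::', like description:: in ldap.ldif."""
    value = str(value)
    unsafe = (any(ord(c) > 127 for c in value) or value[:1] in (" ", ":", "<")
              or any(c in value for c in "\0\r\n") or value.endswith(" "))
    if unsafe:
        encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return "%s:: %s" % (name, encoded)
    return "%s: %s" % (name, value)


def parse_colon_file(text, fields):
    """Parse colon-separated records into {name: {field: value}}."""
    records = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < len(fields):
            raise ValueError("malformed record: %r" % line)
        records[parts[0]] = dict(zip(fields, parts))
    return records


def user_entry(user, shadow=None, base_dn=BASE_DN):
    """LDIF record for one passwd line, plus its shadow line if present."""
    lines = ["dn: uid=%s,ou=People,%s" % (user["name"], base_dn),
             ldif_attr("uid", user["name"]),
             ldif_attr("cn", user["gecos"] or user["name"]),
             "objectClass: account", "objectClass: posixAccount",
             "objectClass: top"]
    if shadow:
        lines.append("objectClass: shadowAccount")
        # The crypt(3) hash is kept as-is; slapd verifies it via the {crypt} scheme.
        lines.append(ldif_attr("userPassword", "{crypt}" + shadow["hash"]))
        for field, attr in (("lastchg", "shadowLastChange"), ("min", "shadowMin"),
                            ("max", "shadowMax"), ("warn", "shadowWarning")):
            if shadow[field]:
                lines.append(ldif_attr(attr, shadow[field]))
    lines += [ldif_attr("loginShell", user["shell"]),
              ldif_attr("uidNumber", user["uid"]),
              ldif_attr("gidNumber", user["gid"]),
              ldif_attr("homeDirectory", user["home"])]
    return "\n".join(lines) + "\n"


def group_entry(group, base_dn=BASE_DN):
    """LDIF record for one group line; members become memberUid values."""
    lines = ["dn: cn=%s,ou=Group,%s" % (group["name"], base_dn),
             "objectClass: posixGroup", "objectClass: top",
             ldif_attr("cn", group["name"]),
             ldif_attr("gidNumber", group["gid"])]
    for member in filter(None, group["members"].split(",")):
        lines.append(ldif_attr("memberUid", member.strip()))
    return "\n".join(lines) + "\n"


def convert(user_txt, group_txt, shadow_txt, base_dn=BASE_DN):
    """Full LDIF text for the users (with their shadow data) and groups."""
    users = parse_colon_file(user_txt, PASSWD_FIELDS)
    shadows = parse_colon_file(shadow_txt, SHADOW_FIELDS)
    groups = parse_colon_file(group_txt, GROUP_FIELDS)
    records = [user_entry(u, shadows.get(name), base_dn)
               for name, u in users.items()]
    records += [group_entry(g, base_dn) for g in groups.values()]
    return "\n".join(records)


if __name__ == "__main__":
    print(convert(USER_TXT, GROUP_TXT, SHADOW_TXT))
```

The base64 branch in ldif_attr is also why the description:: line in the ldap.ldif of step 6 is encoded: a value that is not plain ASCII, or that starts with a space, colon or '<', has to be written with a double colon.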

6. Create the LDAP system accounts ldap_admin, ldap_read, ldap_sync and ldap_write

Use the slappasswd command to generate passwords for the four LDAP accounts, replace the userPassword values in the following content accordingly, and then create the file ldap.ldif with this content:

dn: ou=ldap,dc=conf,dc=top
objectClass: top
objectClass: organizationalUnit
ou: ldap
description:: TERBUOezu+e7n+i0puWPtw==

dn: uid=ldap_read,ou=ldap,dc=conf,dc=top
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
sn: ldap_read
displayName: ldap_read
uid: ldap_read
homeDirectory: /home/ldap_read
loginShell: /sbin/nologin
cn: ldap_read
uidNumber: 58
gidNumber: 55
userPassword: {SSHA}fr03Kp4NIYfNXQDrO4a+J0yYRVZmZ3M2UGVoQ2lJMzk=

dn: uid=ldap_write,ou=ldap,dc=conf,dc=top
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
sn: ldap_write
displayName: ldap_write
uid: ldap_write
homeDirectory: /home/ldap_write
loginShell: /sbin/nologin
cn: ldap_write
uidNumber: 57
gidNumber: 55
userPassword: {SSHA}TahVHL4g/451wuljaM/bRbPQnz9Ba2YxVmNCZi9vNEo=

dn: uid=ldap_admin,ou=ldap,dc=conf,dc=top
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
sn: ldap_admin
displayName: ldap_admin
uid: ldap_admin
homeDirectory: /home/ldap_admin
loginShell: /sbin/nologin
cn: ldap_admin
uidNumber: 56
gidNumber: 55
userPassword: {SSHA}IgT0ZyVL4YyEr4LPsti59tCB0wVMT25tdWpDemhidjQ=

dn: uid=ldap_sync,ou=ldap,dc=conf,dc=top
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
givenName: ldap_sync
sn: ldap_sync
displayName: ldap_sync
uid: ldap_sync
homeDirectory: /home/ldap_sync
loginShell: /sbin/nologin
cn: ldap_sync
uidNumber: 59
gidNumber: 55
userPassword: {SSHA}reRN6H+hsiVdIRSFCfg9E6wwP9lQdkUzc1pCeUJROC8=

Import the accounts in ldap.ldif

ldapadd -H "ldaps://master.ldap.conf.top" -D "cn=root,dc=conf,dc=top" -W -x -f ldap.ldif

7. Create the sudo template: replace the domain name in the following content manually and save it as sudo.ldif

In the template, the confops group and the admin user may use sudo without a password

The confdev and confqa groups are only allowed specific sudo commands

The zabbix entry can be deleted, or used as a template to give any user a specific set of sudo permissions

dn: ou=SUDOers,dc=conf,dc=top
objectClass: top
objectClass: organizationalUnit
description: SUDO Configuration Subtree
ou: SUDOers

dn: cn=defaults,ou=SUDOers,dc=conf,dc=top
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: visiblepw
sudoOption: always_set_home
sudoOption: env_reset

dn: cn=root,ou=SUDOers,dc=conf,dc=top
objectClass: top
objectClass: sudoRole
cn: root
sudoUser: root
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset

dn: cn=%wheel,ou=SUDOers,dc=conf,dc=top
objectClass: top
objectClass: sudoRole
cn: %wheel
sudoUser: %wheel
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOption: !authenticate
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset
sudoOption: requiretty

dn: cn=%confops,ou=SUDOers,dc=conf,dc=top
objectClass: top
objectClass: sudoRole
cn: %confops
sudoUser: %confops
sudoHost: ALL
sudoRunAsUser: ALL
sudoOption: !authenticate
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset
sudoCommand: ALL
sudoCommand: !/bin/passwd

dn: cn=%confdev,ou=SUDOers,dc=conf,dc=top
objectClass: top
objectClass: sudoRole
cn: %confdev
sudoUser: %confdev
sudoHost: ALL
sudoRunAsUser: ALL
sudoOption: !authenticate
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset
sudoCommand: /sbin/service
sudoCommand: !/bin/passwd
sudoCommand: /etc/init.d/tomcat
sudoCommand: /bin/kill
sudoCommand: /usr/bin/pkill
sudoCommand: /usr/bin/killall
sudoCommand: /etc/init.d/confservice
sudoCommand: /bin/su - app -s /bin/bash
sudoCommand: /bin/su - tomcat -s /bin/bash

dn: cn=%confqa,ou=SUDOers,dc=conf,dc=top
objectClass: top
objectClass: sudoRole
cn: %confqa
sudoUser: %confqa
sudoHost: ALL
sudoRunAsUser: ALL
sudoOption: !authenticate
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset
sudoCommand: /sbin/service
sudoCommand: !/bin/passwd
sudoCommand: /etc/init.d/confservice
sudoCommand: /bin/kill
sudoCommand: /usr/bin/pkill
sudoCommand: /usr/bin/killall
sudoCommand: /bin/su - app -s /bin/bash
sudoCommand: /bin/su - tomcat -s /bin/bash
sudoCommand: /etc/init.d/tomcat

dn: cn=zabbix,ou=SUDOers,dc=conf,dc=top
objectClass: top
objectClass: sudoRole
cn: zabbix
sudoHost: ALL
sudoUser: zabbix
sudoOption: !authenticate
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset
sudoRunAsUser: root
sudoCommand: !/bin/passwd
sudoCommand: /etc/init.d/tomcat
sudoCommand: /etc/init.d/confservice
sudoCommand: /usr/bin/nmap
sudoCommand: /usr/local/zabbix-ztc/bin/sudo-*

dn: cn=admin,ou=SUDOers,dc=conf,dc=top
objectClass: top
objectClass: sudoRole
cn: admin
sudoHost: ALL
sudoRunAsUser: ALL
sudoOption: !authenticate
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset
sudoCommand: ALL
sudoCommand: !/bin/passwd
sudoUser: admin

After importing the users and groups, the entries do not yet carry the customized my.schema object class (objectClass=MyAccount)

Connect to the LDAP database with an LDAP client (the LDAP Admin software for Windows is recommended) and add to each user:

objectClass: MyAccount and objectClass: ldapPublicKey

Then fill in sshPublicKey (the user's ssh public key), active (1 = enabled, 0 = disabled) and access (value ssh, which authorizes the user to log in via ssh)

Part II: installation and configuration of the OpenLDAP client (sssd)

1. Install the SSSD LDAP client with yum

yum install authconfig sssd-ldap -y

2. Enable sssd using authconfig configuration

authconfig \
--passalgo=sha512 \
--enablesssd \
--enablesssdauth \
--enablelocauthorize \
--ldapserver=ldaps://master.ldap.conf.top \
--ldapbasedn="dc=conf,dc=top" \
--enablerfc2307bis \
--enablemkhomedir \
--enablecachecreds \
--enableldaptls \
--disableldap \
--disableldapauth \
--disablefingerprint \
--disablesmartcard \
--disablekrb5 \
--update

3. Configure sssd.conf

Copy the CA certificate /etc/pki/CA/certs/ca.crt created in Part I to /etc/openldap/certs/ca.crt on the client

Notes:
enumerate=False prevents the getent command from listing all users and groups held in LDAP. With True, getent passwd or getent group enumerates the LDAP users or groups.
ldap_user_search_filter controls login permission: active must be 1 for a user to log in.
ldap_access_filter controls access per server; on each server (client), replace the IP address in it with that server's own IP.
For example, (|(host=*)(host=192.168.61.11)) means that the user can log in when the host attribute contains * or contains the IP address of the server.
ldap_backup_uri is the backup LDAP server.
ldap_default_authtok is the password of the ldap_read user (in clear text).

Create or replace /etc/sssd/sssd.conf with the following:

[domain/LDAP]
enumerate=False
entry_cache_timeout = 3600
refresh_expired_interval = 1800
cache_credentials = TRUE
account_cache_expiration = 1
pwd_expiration_warning = 0

id_provider = ldap
auth_provider = ldap
sudo_provider = ldap
access_provider = ldap
chpass_provider = ldap
selinux_provider = none
subdomains_provider = none
autofs_provider = none
hostid_provider = none

lookup_family_order = ipv4_only
ldap_uri = ldaps://master.ldap.conf.top
ldap_backup_uri = ldaps://slave.ldap.conf.top
ldap_chpass_uri = ldaps://master.ldap.conf.top
ldap_default_bind_dn = uid=ldap_read,ou=ldap,dc=conf,dc=top
ldap_default_authtok = rm3cZklvmufI760O
ldap_search_base = dc=conf,dc=top
ldap_user_search_base = ou=People,dc=conf,dc=top
ldap_group_search_base = ou=Group,dc=conf,dc=top
ldap_sudo_search_base = ou=SUDOers,dc=conf,dc=top
ldap_user_search_filter = (&(active=1)(access=ssh))

ldap_access_order = filter
ldap_access_filter = (|(host=\*)(host=192.168.61.11))
ldap_pwd_policy = shadow
ldap_user_ssh_public_key = sshPublicKey
ldap_account_expire_policy = shadow
ldap_chpass_update_last_change = True

ldap_id_use_start_tls = True
ldap_tls_reqcert = hard
ldap_tls_cacertdir = /etc/openldap/certs
ldap_tls_cacert = /etc/openldap/certs/ca.crt
ldap_tls_cipher_suite = TLSv1.2+RSA:!EXPORT:!NULL

[sssd]
domains = LDAP
services = nss, pam, ssh, sudo
config_file_version = 2

[pam]
domains = LDAP
offline_credentials_expiration = 1
offline_failed_login_attempts = 3
pam_account_expired_message = Account expired, please call help desk.

[ssh]
domains = LDAP
ssh_hash_known_hosts = false

[sudo]
domains = LDAP

[nss]
domains = LDAP
fd_limit = 65535
filter_groups = root,bin,daemon,sys,adm,tty,disk,lp,mem,kmem,wheel,mail,uucp,man,games,gopher,video,dip,ftp,lock,audio,nobody,users,dbus,utmp,utempter,floppy,vcsa,stapusr,stapsys,stapdev,abrt,cdrom,tape,dialout,haldaemon,ntp,cgred,saslauth,postdrop,postfix,sshd,oprofile,tcpdump,screen,slocate,www,tomcat,apache,nginx,zabbix,rpc,rpcuser,nfsnobody
filter_users = root,bin,daemon,adm,lp,sync,shutdown,halt,mail,uucp,operator,games,gopher,ftp,nobody,dbus,vcsa,abrt,haldaemon,ntp,saslauth,postfix,sshd,oprofile,tcpdump,www,tomcat,apache,nginx,zabbix,rpc,rpcuser,nfsnobody
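The filters in ldap_user_search_filter and ldap_access_filter decide which users sssd resolves and which of them it lets log in, and a malformed filter simply matches nobody. The following Python script is an added example (not code from this page, from sssd or from OpenLDAP) that parses the and/or/not, equality, presence and substring subset of RFC 4515 filters, applies them to in-memory entries, and combines the two filters the way sssd does. The entries are constructed sample data using the page's attribute names, and the script assumes the corrected search filter (&(active=1)(access=ssh)), since two bare assertions written one after another are not a single valid filter.

```python
"""Evaluator for the LDAP search filters that sssd uses in the sssd.conf above.

Added example, not the page's code and not sssd's or OpenLDAP's filter parser:
it parses the and/or/not, equality, presence and substring subset of RFC 4515
filters, applies them to in-memory entries, and combines
ldap_user_search_filter with ldap_access_filter the way sssd does (a user must
match the search filter to be resolved at all, then the access filter to be
allowed to log in). The entries are constructed sample data.
"""

# Attributes defined with caseExactIA5Match in the page's my.schema; all other
# attributes are compared case-insensitively here (caseIgnore-style).
CASE_EXACT = {"access", "gauthcode"}

# Corrected form of the page's ldap_user_search_filter: the two assertions
# must be wrapped in (&...) to form one valid filter.
USER_SEARCH_FILTER = "(&(active=1)(access=ssh))"


def access_filter(host_ip):
    """ldap_access_filter from the page; \\2a is the RFC 4515 escape for a
    literal '*' (the page writes the older RFC 1960 spelling \\*, also accepted)."""
    return "(|(host=\\2a)(host=%s))" % host_ip


def split_wildcards(raw):
    """Split an assertion value on unescaped '*' and unescape each piece
    (\\XX hex escapes, plus \\*, \\(, \\) in the older form). ASCII values only."""
    pieces, cur, i = [], [], 0
    while i < len(raw):
        c = raw[i]
        if c == "\\":
            nxt = raw[i + 1:i + 3]
            if len(nxt) == 2 and all(h in "0123456789abcdefABCDEF" for h in nxt):
                cur.append(chr(int(nxt, 16)))
                i += 3
            elif i + 1 < len(raw):
                cur.append(raw[i + 1])
                i += 2
            else:
                raise ValueError("dangling backslash in %r" % raw)
        elif c == "*":
            pieces.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(c)
            i += 1
    pieces.append("".join(cur))
    return pieces


def parse(text):
    """Parse a filter string into ('&'|'|'|'!', [children]) or ('=', attr, pieces).
    Raises ValueError for anything outside the supported subset."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing data after filter at offset %d" % pos)
    return node


def _parse(text, i):
    if i >= len(text) or text[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i >= len(text):
        raise ValueError("truncated filter")
    if text[i] in "&|!":
        op, i, children = text[i], i + 1, []
        while i < len(text) and text[i] == "(":
            child, i = _parse(text, i)
            children.append(child)
        if i >= len(text) or text[i] != ")" or (op == "!" and len(children) != 1):
            raise ValueError("malformed %r filter at offset %d" % (op, i))
        return (op, children), i + 1
    j = i
    while j < len(text) and text[j] != ")":
        j += 2 if text[j] == "\\" else 1       # skip escaped characters
    if j >= len(text):
        raise ValueError("unterminated filter item at offset %d" % i)
    attr, sep, raw = text[i:j].partition("=")
    if not sep or not attr or attr[-1] in "<>~:":
        raise ValueError("unsupported filter item %r" % text[i:j])
    return ("=", attr.lower(), split_wildcards(raw)), j + 1


def _substring(value, pieces):
    first, last = pieces[0], pieces[-1]
    if not value.startswith(first) or not value.endswith(last):
        return False
    pos = len(first)
    for middle in pieces[1:-1]:
        idx = value.find(middle, pos)
        if idx < 0:
            return False
        pos = idx + len(middle)
    return len(value) - len(last) >= pos


def matches(node, entry):
    """Evaluate a parsed filter against entry = {attribute: [values]}."""
    if node[0] == "&":
        return all(matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(matches(c, entry) for c in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, pieces = node
    fold = (lambda s: s) if attr in CASE_EXACT else str.lower
    values = [fold(str(v)) for k, vs in entry.items() if k.lower() == attr for v in vs]
    pieces = [fold(p) for p in pieces]
    if len(pieces) == 1:                       # (attr=value): equality
        return pieces[0] in values
    if pieces == ["", ""]:                     # (attr=*): presence
        return bool(values)
    return any(_substring(v, pieces) for v in values)


def login_allowed(entry, host_ip):
    """sssd's decision for this user on a client whose IP address is host_ip."""
    return (matches(parse(USER_SEARCH_FILTER), entry)
            and matches(parse(access_filter(host_ip)), entry))


# Constructed sample entries (attribute names from the page's schema).
ENTRIES = {
    "admin": {"uid": ["admin"], "active": ["1"], "access": ["ssh", "web"], "host": ["*"]},
    "dev1": {"uid": ["dev1"], "active": ["1"], "access": ["ssh"], "host": ["192.168.61.11"]},
    "leaver": {"uid": ["leaver"], "active": ["0"], "access": ["ssh"], "host": ["*"]},
    "webonly": {"uid": ["webonly"], "active": ["1"], "access": ["web"], "host": ["*"]},
}
```

Two details the evaluator makes visible: (host=*) with an unescaped asterisk is a presence test and matches any user that has a host value at all, whereas the escaped form in the page's filter matches only a literal "*" value; and because access uses caseExactIA5Match in my.schema, a value of SSH would not satisfy (access=ssh).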

Restrict the permissions of the configuration file (it holds the ldap_read password in clear text)

chmod 600 /etc/sssd/sssd.conf

Start sssd client service

chkconfig sssd on
/etc/init.d/sssd start

4. Modify /etc/nsswitch.conf

Replace /etc/nsswitch.conf entirely with the following

passwd:     files sss
shadow:     files sss
group:      files sss
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   files
publickey:  nisplus
automount:  files
aliases:    files nisplus
sudoers:    files sss

5. Add the following to /etc/ssh/sshd_config

PubkeyAuthentication yes
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandRunAs nobody

6. Restart ssh

/etc/init.d/sshd restart

7. Use the LDAP Admin tool to add the extended attributes to users manually

Connect to the LDAP server with the LDAP Admin tool, double-click a user such as admin, open the user's attributes, and tick Shadow account among the account extension attributes.
Find the user uid=admin in the directory tree, right-click to edit the entry, and in the edit window select our customized template MyAccount and the ssh public key class ldapPublicKey from the object class drop-down on the left, then fill in the required items (shown in black) on the right and save. Note: active=1 (enable the user), access=ssh (authorize ssh login), sshPublicKey (the user's public key)

Reference: https://sgallagh.fedorapeople.org/sssd/1.7.0/man/sssd-ldap.5.html

Tags: Operation & Maintenance sudo ssh Database OpenSSL

Posted on Tue, 24 Mar 2020 03:15:04 -0400 by khenriks