各サーバー間でユーザーのアカウント情報を共有できるように LDAP サーバーを構築。
[root@localhost ~]# yum -y install openldap-servers openldap-clients |
[root@localhost ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG |
[root@localhost ~]# chown ldap. /var/lib/ldap/DB_CONFIG |
[root@localhost ~]# systemctl start slapd |
[root@localhost ~]# systemctl enable slapd |
[root@localhost ~]# slappasswd ←管理者パスワード生成 |
New password: Re-enter new password: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx |
[root@localhost ~]# vi chrootpw.ldif |
# olcRootPW に生成した管理者パスワードを指定する dn: olcDatabase={0}config,cn=config changetype: modify add: olcRootPW olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx |
[root@localhost ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif |
SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "olcDatabase={0}config,cn=config" |
[root@localhost ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif |
SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=cosine,cn=schema,cn=config" |
[root@localhost ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif |
SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=nis,cn=schema,cn=config" |
[root@localhost ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif |
SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=inetorgperson,cn=schema,cn=config" |
# ディレクトリマネージャーのパスワード生成 |
[root@localhost ~]# slappasswd |
New password: Re-enter new password: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx |
[root@localhost ~]# vi chdomain.ldif |
# dc=***,dc=*** は自身のドメイン名に置き換え # (以下はドメイン名「hoge.com」の場合の例) # olcRootPW に生成したディレクトリマネージャーのパスワードを指定する |
dn: olcDatabase={1}monitor,cn=config changetype: modify replace: olcAccess olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=hoge,dc=com" read by * none dn: olcDatabase={2}hdb,cn=config changetype: modify replace: olcSuffix olcSuffix: dc=hoge,dc=com dn: olcDatabase={2}hdb,cn=config changetype: modify replace: olcRootDN olcRootDN: cn=Manager,dc=hoge,dc=com dn: olcDatabase={2}hdb,cn=config changetype: modify add: olcRootPW olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx dn: olcDatabase={2}hdb,cn=config changetype: modify add: olcAccess olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=hoge,dc=com" write by anonymous auth by self write by * none olcAccess: {1}to dn.base="" by * read olcAccess: {2}to * by dn="cn=Manager,dc=hoge,dc=com" write by * read |
[root@localhost ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif |
SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "olcDatabase={1}monitor,cn=config" modifying entry "olcDatabase={2}hdb,cn=config" modifying entry "olcDatabase={2}hdb,cn=config" modifying entry "olcDatabase={2}hdb,cn=config" |
[root@localhost ~]# vi basedomain.ldif |
# dc=***,dc=*** は自身のドメイン名に置き換え # (以下はドメイン名「hoge.com」の場合の例) # 「dc: hoge」の箇所は自身のドメイン名の先頭部分に置き換え dn: dc=hoge,dc=com objectClass: top objectClass: dcObject objectclass: organization o: Hoge Com dc: hoge dn: cn=Manager,dc=hoge,dc=com objectClass: organizationalRole cn: Manager description: Directory Manager dn: ou=People,dc=hoge,dc=com objectClass: organizationalUnit ou: People dn: ou=Group,dc=hoge,dc=com objectClass: organizationalUnit ou: Group |
[root@localhost ~]# ldapadd -x -D cn=Manager,dc=hoge,dc=com -W -f basedomain.ldif |
Enter LDAP Password: # ディレクトリマネージャーのパスワード adding new entry "dc=hoge,dc=com" adding new entry "cn=Manager,dc=hoge,dc=com" adding new entry "ou=People,dc=hoge,dc=com" adding new entry "ou=Group,dc=hoge,dc=com" |
[root@localhost ~]# firewall-cmd --add-service=ldap --permanent |
success |
[root@localhost ~]# firewall-cmd --reload |
success |
LDAP サーバーにユーザーアカウントを追加します。
# パスワード生成 |
[root@localhost ~]# slappasswd |
New password: Re-enter new password: {SSHA}xxxxxxxxxxxxxxxxx |
[root@localhost ~]# vi ldapuser.ldif |
# 新規作成 # dc=***,dc=*** は自身のドメイン名に置き換える # (以下はドメイン名「hoge.com」の場合の例) |
dn: uid=cent,ou=People,dc=hoge,dc=com objectClass: inetOrgPerson objectClass: posixAccount objectClass: shadowAccount cn: Cent sn: Linux userPassword: {SSHA}xxxxxxxxxxxxxxxxx loginShell: /bin/bash uidNumber: 1000 gidNumber: 1000 homeDirectory: /home/cent dn: cn=cent,ou=Group,dc=hoge,dc=com objectClass: posixGroup cn: Cent gidNumber: 1000 memberUid: cent |
[root@localhost ~]# ldapadd -x -D cn=Manager,dc=hoge,dc=com -W -f ldapuser.ldif |
Enter LDAP Password: adding new entry "uid=cent,ou=People,dc=hoge,dc=com" adding new entry "cn=cent,ou=Group,dc=hoge,dc=com" |
[root@localhost ~]# vi ldapuser.sh |
# ローカルの UID 番号が 1000-9999 のユーザーとそれらが所属するグループを抽出 # SUFFIX=*** は自身のドメイン名に置き換え # 一例ですのでご自由に改変してください |
#!/bin/bash SUFFIX='dc=hoge,dc=com' LDIF='ldapuser.ldif' echo -n > $LDIF GROUP_IDS=() grep "x:[1-9][0-9][0-9][0-9]:" /etc/passwd | (while read TARGET_USER do USER_ID="$(echo "$TARGET_USER" | cut -d':' -f1)" USER_NAME="$(echo "$TARGET_USER" | cut -d':' -f5 | cut -d' ' -f1,2)" [ ! "$USER_NAME" ] && USER_NAME="$USER_ID" LDAP_SN="$(echo "$USER_NAME" | cut -d' ' -f2)" [ ! "$LDAP_SN" ] && LDAP_SN="$USER_NAME" LASTCHANGE_FLAG="$(grep "${USER_ID}:" /etc/shadow | cut -d':' -f3)" [ ! "$LASTCHANGE_FLAG" ] && LASTCHANGE_FLAG="0" SHADOW_FLAG="$(grep "${USER_ID}:" /etc/shadow | cut -d':' -f9)" [ ! "$SHADOW_FLAG" ] && SHADOW_FLAG="0" GROUP_ID="$(echo "$TARGET_USER" | cut -d':' -f4)" [ ! "$(echo "${GROUP_IDS[@]}" | grep "$GROUP_ID")" ] && GROUP_IDS=("${GROUP_IDS[@]}" "$GROUP_ID") echo "dn: uid=$USER_ID,ou=People,$SUFFIX" >> $LDIF echo "objectClass: inetOrgPerson" >> $LDIF echo "objectClass: posixAccount" >> $LDIF echo "objectClass: shadowAccount" >> $LDIF echo "sn: $LDAP_SN" >> $LDIF echo "givenName: $(echo "$USER_NAME" | awk '{print $1}')" >> $LDIF echo "cn: $USER_NAME" >> $LDIF echo "displayName: $USER_NAME" >> $LDIF echo "uidNumber: $(echo "$TARGET_USER" | cut -d':' -f3)" >> $LDIF echo "gidNumber: $(echo "$TARGET_USER" | cut -d':' -f4)" >> $LDIF echo "userPassword: {crypt}$(grep "${USER_ID}:" /etc/shadow | cut -d':' -f2)" >> $LDIF echo "gecos: $USER_NAME" >> $LDIF echo "loginShell: $(echo "$TARGET_USER" | cut -d':' -f7)" >> $LDIF echo "homeDirectory: $(echo "$TARGET_USER" | cut -d':' -f6)" >> $LDIF echo "shadowExpire: $(passwd -S "$USER_ID" | awk '{print $7}')" >> $LDIF echo "shadowFlag: $SHADOW_FLAG" >> $LDIF echo "shadowWarning: $(passwd -S "$USER_ID" | awk '{print $6}')" >> $LDIF echo "shadowMin: $(passwd -S "$USER_ID" | awk '{print $4}')" >> $LDIF echo "shadowMax: $(passwd -S "$USER_ID" | awk '{print $5}')" >> $LDIF echo "shadowLastChange: $LASTCHANGE_FLAG" >> $LDIF echo >> $LDIF done for TARGET_GROUP_ID in "${GROUP_IDS[@]}" do LDAP_CN="$(grep ":${TARGET_GROUP_ID}:" /etc/group | cut -d':' -f1)" echo "dn: cn=$LDAP_CN,ou=Group,$SUFFIX" >> $LDIF echo "objectClass: posixGroup" >> $LDIF echo "cn: $LDAP_CN" >> $LDIF echo "gidNumber: $TARGET_GROUP_ID" >> $LDIF for MEMBER_UID in $(grep ":${TARGET_GROUP_ID}:" /etc/passwd | cut -d':' -f1,3) do UID_NUM=$(echo "$MEMBER_UID" | cut -d':' -f2) [ $UID_NUM -ge 1000 -a $UID_NUM -le 9999 ] && echo "memberUid: $(echo "$MEMBER_UID" | cut -d':' -f1)" >> $LDIF done echo >> $LDIF done )
[root@localhost ~]# sh ldapuser.sh |
[root@localhost ~]# ldapadd -x -D cn=Manager,dc=hoge,dc=com -W -f ldapuser.ldif |
Enter LDAP Password: adding new entry "uid=cent,ou=People,dc=hoge,dc=com" adding new entry "uid=redhat,ou=People,dc=hoge,dc=com" adding new entry "uid=ubuntu,ou=People,dc=hoge,dc=com" adding new entry "uid=debian,ou=People,dc=hoge,dc=com" adding new entry "cn=cent,ou=Group,dc=hoge,dc=com" adding new entry "cn=redhat,ou=Group,dc=hoge,dc=com" adding new entry "cn=ubuntu,ou=Group,dc=hoge,dc=com" adding new entry "cn=debian,ou=Group,dc=hoge,dc=com" |
[root@localhost ~]# ldapdelete -x -W -D 'cn=Manager,dc=hoge,dc=com' "uid=cent,ou=People,dc=hoge,dc=com" |
Enter LDAP Password: |
[root@localhost ~]# ldapdelete -x -W -D 'cn=Manager,dc=hoge,dc=com' "cn=cent,ou=Group,dc=hoge,dc=com" |
Enter LDAP Password: |
LDAP サーバーのユーザーアカウント情報を共有できるように LDAP クライアントとしての設定をします。
[root@localhost ~]# yum -y install openldap-clients nss-pam-ldapd |
# ldapserver=(自身のLDAPサーバーのホスト名またはIPアドレス) # ldapbasedn="dc=(自身のドメイン名)" |
[root@localhost ~]# authconfig --enableldap --enableldapauth --ldapserver=centos.hoge.com --ldapbasedn="dc=hoge,dc=com" --enablemkhomedir --update |
[root@localhost ~]# exit |
logout CentOS Linux 7 (Core) Kernel 3.10.0-123.20.1.el7.x86_64 on an x86_64 localhost login: redhat # LDAPユーザー Password:# パスワード Creating directory '/home/redhat'. |
[redhat@localhost ~]$ # ログインできた |
[redhat@localhost ~]$ passwd # パスワード変更は通常通り |
Changing password for user redhat. Enter login(LDAP) password: # 現在のパスワード New password: # 新しいパスワード Retype new password: LDAP password information changed for redhat passwd: all authentication tokens updated successfully. |
[root@localhost ~]# vi mkhomedir.te |
# 以下の内容で新規作成 |
module mkhomedir 1.0; require { type unconfined_t; type oddjob_mkhomedir_exec_t; class file entrypoint; } #============= unconfined_t ============== allow unconfined_t oddjob_mkhomedir_exec_t:file entrypoint;
# 中間ファイル生成 |
[root@localhost ~]# checkmodule -m -M -o mkhomedir.mod mkhomedir.te |
checkmodule: loading policy configuration from mkhomedir.te checkmodule: policy configuration loaded checkmodule: writing binary representation (version 17) to mkhomedir.mod # 中間ファイルからモジュール生成 |
[root@localhost ~]# semodule_package --outfile mkhomedir.pp --module mkhomedir.mod |
# モジュールインストール |
[root@localhost ~]# semodule -i mkhomedir.pp |
LDAP over TLS を設定し、LDAP サーバーとクライアント間の通信をよりセキュアにします。
[root@localhost ~]# cp /etc/pki/tls/certs/server.key /etc/pki/tls/certs/server.crt /etc/pki/tls/certs/ca-bundle.crt /etc/openldap/certs/ |
[root@localhost ~]# chown ldap. /etc/openldap/certs/server.key /etc/openldap/certs/server.crt /etc/openldap/certs/ca-bundle.crt |
[root@localhost ~]# vi mod_ssl.ldif |
# 新規作成 |
dn: cn=config changetype: modify add: olcTLSCACertificateFile olcTLSCACertificateFile: /etc/openldap/certs/ca-bundle.crt - replace: olcTLSCertificateFile olcTLSCertificateFile: /etc/openldap/certs/server.crt - replace: olcTLSCertificateKeyFile olcTLSCertificateKeyFile: /etc/openldap/certs/server.key
[root@localhost ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f mod_ssl.ldif |
SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "cn=config"
[root@localhost ~]# vi /etc/sysconfig/slapd |
# 9行目:追記 SLAPD_URLS="ldapi:/// ldap:/// ldaps:///" |
[root@localhost ~]# systemctl restart slapd |
[root@localhost ~]# echo "TLS_REQCERT allow" >> /etc/openldap/ldap.conf |
[root@localhost ~]# echo "tls_reqcert allow" >> /etc/nslcd.conf |
[root@localhost ~]# authconfig --enableldaptls --update |
getsebool: SELinux is disabled |
[root@localhost ~]# exit |
logout CentOS Linux 7 (Core) Kernel 3.10.0-123.20.1.el7.x86_64 on an x86_64 localhost login: redhat Password: Last login: Tue Aug 19 19:55:52 on ttyS0 |
[redhat@localhost ~]$ # ログインできた |