
In the previous article we covered configuring Centos7+open*** to authenticate logins with local users and passwords. Today we cover Centos7+Open*** authenticating logins against Windows AD. We will not go into much background: we reuse the environment installed and configured in the previous part, and only a few simple changes are needed.
To authenticate Centos7+Open*** logins against Windows AD we need a Windows AD server. Many enterprises already run Windows AD, and while most documents online use openldap for the authentication backend, large and ordinary enterprises alike usually have a Windows AD environment, so integrating with Windows AD makes user management comparatively easy. Details below:
Environment:
Hostname: DC
IP: 192.168.5.10
Role: AD, DNS, CA
DomainName: ixmsoft.com
Hostname: Open***
IP: 192.168.5.20
Role: Open***
Hostname: Client
IP: 192.168.5.23
Role: open*** client
Below is my AD configuration.
We created an OU, IXMSOFTLDAP, and under that OU we created some test users and a user group used for Open*** authentication. Later we will add users a and zs to this group; any user in this group can use open***.
Next comes the open*** configuration for LDAP authentication.
To have the open*** service authenticate against LDAP, we need to install an LDAP plugin: open***-auth-ldap.
As explained in the previous article, installing services on centos7 with yum requires a configured repository, so we just verify it:
[root@open*** open***]# cat /etc/yum.repos.d/epel.repo
[epel]
name=aliyun epel
baseurl=http://mirrors.aliyun.com/epel/7Server/x86_64/
gpgcheck=0
[root@open*** open***]#
With the repository in place, install the ldap plugin:
yum install open***-auth-ldap -y
Installation complete.
Then enter the ldap configuration directory:
cd /etc/open***/auth/
vim ldap.conf
Default contents of the configuration file:
<LDAP>
    # LDAP server URL
    URL             ldap://ldap1.example.org

    # Bind DN (If your LDAP server doesn't support anonymous binds)
    # BindDN        uid=Manager,ou=People,dc=example,dc=com

    # Bind Password
    # Password      SecretPassword

    # Network timeout (in seconds)
    Timeout         15

    # Enable Start TLS
    TLSEnable       yes

    # Follow LDAP Referrals (anonymously)
    FollowReferrals yes

    # TLS CA Certificate File
    TLSCACertFile   /usr/local/etc/ssl/ca.pem

    # TLS CA Certificate Directory
    TLSCACertDir    /etc/ssl/certs

    # Client Certificate and key
    # If TLS client authentication is required
    TLSCertFile     /usr/local/etc/ssl/client-cert.pem
    TLSKeyFile      /usr/local/etc/ssl/client-key.pem

    # Cipher Suite
    # The defaults are usually fine here
    # TLSCipherSuite ALL:!ADH:@STRENGTH
</LDAP>

<Authorization>
    # Base DN
    BaseDN          "ou=People,dc=example,dc=com"

    # User Search Filter
    SearchFilter    "(&(uid=%u)(accountStatus=active))"

    # Require Group Membership
    RequireGroup    false

    # Add non-group members to a PF table (disabled)
    #PFTable        ips_***_users

    <Group>
        BaseDN          "ou=Groups,dc=example,dc=com"
        SearchFilter    "(|(cn=developers)(cn=artists))"
        MemberAttribute uniqueMember
        # Add group members to a PF table (disabled)
        #PFTable        ips_***_eng
    </Group>
</Authorization>
As before, make a backup first; for safety it is recommended to back up before every change.
cp ldap.conf ldap.conf.bak
Start modifying the configuration: clear the contents and edit:
echo > ldap.conf
Then paste the following content:
<LDAP>
    # LDAP server URL
    # change to the AD server's IP
    URL ldap://192.168.5.10

    # Bind DN (If your LDAP server doesn't support anonymous binds)
    # BindDN uid=Manager,ou=People,dc=example,dc=com
    # change to the domain administrator's DN; it can be looked up with ldapsearch:
    # replace the -h IP with the server's IP, -D with the administrator's DN and -b with the base DN to search; "*" means all attributes
    #ldapsearch -LLL -x -h 172.16.76.238 -D "administrator@xx.com" -W -b "dc=xx,dc=com" "*"
    BindDN "CN=Administrator,CN=Users,DC=ixmsoft,DC=com"

    # Bind Password
    # Password SecretPassword
    # the domain administrator's password
    Password 123

    # Network timeout (in seconds)
    Timeout 15

    # Enable Start TLS
    TLSEnable no

    # Follow LDAP Referrals (anonymously)
    #FollowReferrals yes

    # TLS CA Certificate File
    #TLSCACertFile ca.crt

    # TLS CA Certificate Directory
    #TLSCACertDir /etc/ssl/certs

    # Client Certificate and key
    # If TLS client authentication is required
    #TLSCertFile /usr/local/etc/ssl/client-cert.pem
    #TLSKeyFile /usr/local/etc/ssl/client-key.pem

    # Cipher Suite
    # The defaults are usually fine here
    # TLSCipherSuite ALL:!ADH:@STRENGTH
</LDAP>

<Authorization>
    # Base DN
    # base DN under which the authentication lookups are made
    BaseDN "OU=IXMSOFTLDAP,DC=ixmsoft,DC=com"

    # User Search Filter
    #SearchFilter "(&(uid=%u)(accountStatus=active))"
    # sAMAccountName=%u matches the sAMAccountName attribute against the login name; the following
    # "memberof=CN=my***,DC=xx,DC=com" points at the *** user group to authenticate against, so any
    # user can use the *** simply by being added to that group
    #SearchFilter "(&(sAMAccountName=%u)(memberof=CN=my***,OU=IXMSOFTLDAP,DC=ixmsoft,DC=com)"
    SearchFilter "(&(sAMAccountName=%u))"

    # Require Group Membership
    RequireGroup false

    # Add non-group members to a PF table (disabled)
    #PFTable ips_***_users

    <Group>
        #BaseDN "ou=Groups,dc=example,dc=com"
        #SearchFilter "(|(cn=developers)(cn=artists))"
        #MemberAttribute uniqueMember
        # Add group members to a PF table (disabled)
        #PFTable ips_***_eng
        BaseDN "OU=IXMSOFTLDAP,DC=ixmsoft,DC=com"
        SearchFilter "(|(cn=my***))"
        MemberAttribute "member"
    </Group>
</Authorization>
After saving and exiting, we also need to modify the open*** configuration file.
Default configuration file:
cat /etc/open***/server.conf
port 1194                               # listening port
proto tcp                               # listening protocol
dev tun                                 # use a tun (routed) tunnel
ca ca.crt                               # CA certificate path
cert server.crt                         # server certificate path
key server.key                          # server private key
dh dh2048.pem                           # Diffie-Hellman parameters file for the key exchange
server 10.10.10.0 255.255.255.0         # address pool assigned to clients; note: must not be the *** server's internal network
ifconfig-pool-persist ipp.txt           # access records (client address assignments)
push "route 192.168.5.0 255.255.255.0"  # network segment the clients are allowed to reach
#push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 223.5.5.5"        # DNS servers pushed to clients
push "dhcp-option DNS 223.6.6.6"
keepalive 10 120                        # liveness: ping every 10 seconds, treat the peer as down after 120 seconds without a reply
#cipher AES-256-CBC
max-clients 100                         # maximum number of concurrent clients
#user nobody                            # run as this user
#group nobody                           # run as this group
persist-key
persist-tun
status open***-status.log
log open***.log
verb 5
We need to add the following three parameters to the existing default configuration file:
plugin /usr/lib64/open***/plugin/lib/open***-auth-ldap.so "/etc/open***/auth/ldap.conf cn=%u"
client-cert-not-required
username-as-common-name
The result after adding them:
port 1194                               # listening port
proto tcp                               # listening protocol
dev tun                                 # use a tun (routed) tunnel
ca ca.crt                               # CA certificate path
cert server.crt                         # server certificate path
key server.key                          # server private key
dh dh2048.pem                           # Diffie-Hellman parameters file for the key exchange
server 10.10.10.0 255.255.255.0         # address pool assigned to clients; note: must not be the *** server's internal network
ifconfig-pool-persist ipp.txt           # access records (client address assignments)
push "route 192.168.5.0 255.255.255.0"  # network segment the clients are allowed to reach
#push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 223.5.5.5"        # DNS servers pushed to clients
push "dhcp-option DNS 223.6.6.6"
keepalive 10 120                        # liveness: ping every 10 seconds, treat the peer as down after 120 seconds without a reply
#cipher AES-256-CBC
max-clients 100                         # maximum number of concurrent clients
#user nobody                            # run as this user
#group nobody                           # run as this group
persist-key
persist-tun
status open***-status.log
log open***.log
verb 5
plugin /usr/lib64/open***/plugin/lib/open***-auth-ldap.so "/etc/open***/auth/ldap.conf cn=%u"
client-cert-not-required
username-as-common-name
After the change, restart the open*** service:
systemctl restart open***@server
After restarting the service we can test. The client configuration does not need to change, because in the previous article we already added the parameter below, which was then used for local account and password login:
auth-user-pass
Below is the default client configuration.
At this point only the ca certificate is needed; the other certificates are no longer required.
We can paste the ca certificate contents into the ca option; with many users, just hand out this configuration file client.o***.
client
dev tun
proto tcp
remote 192.168.5.20 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
# cert client.crt
#key client.key
verb 5
auth-user-pass
Next we can try logging in with an AD user.
Because our configuration takes users from the my*** group under OU=IXMSOFTLDAP, any user in the my*** group can log in,
so we test the login with user zs.
Login successful.
Check the IP address state and the open*** connection state.
Then look at the open*** log; the log also shows that the login completed.
tail -f /etc/open***/open***.log
What happens if we try to log in with a user that is not in the my*** group, ls?
User ls keeps being asked to authenticate, with the account or password reported as wrong.
Looking at the log, we find it reports that user ls was not found.
Note: when integrating Linux with LDAP, if it reports that the LDAP server cannot be contacted, we can first test with the following method:
yum install -y openldap-clients
After installation we can test with ldapsearch and its options: -b specifies the search base, -D the bind user.
ldapsearch -x -W -D "cn=administrator,cn=users,dc=ixmsoft,dc=com" -b "dc=ixmsoft,dc=com" -h 192.168.5.10 -s one dn -LLL
ldapsearch -x -W -D "cn=administrator,cn=users,dc=ixmsoft,dc=com" -b "dc=ixmsoft,dc=com" -h 192.168.5.10
ldapsearch -x -W -D "cn=administrator,cn=users,dc=ixmsoft,dc=com" -b "ou=ixmsoftldap,dc=ixmsoft,dc=com" -h 192.168.5.10
When run, it prompts for the domain administrator's password to connect and authenticate.
After entering the password, the query results are displayed:
[root@open*** ~]# ldapsearch -x -W -D "cn=administrator,cn=users,dc=ixmsoft,dc=com" -b "ou=ixmsoftldap,dc=ixmsoft,dc=com" -h 192.168.5.10
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=ixmsoftldap,dc=ixmsoft,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# IXMSOFTLDAP, ixmsoft.com
dn: OU=IXMSOFTLDAP,DC=ixmsoft,DC=com
objectClass: top
objectClass: organizationalUnit
ou: IXMSOFTLDAP
distinguishedName: OU=IXMSOFTLDAP,DC=ixmsoft,DC=com
instanceType: 4
whenCreated: 20161031132324.0Z
whenChanged: 20161228073308.0Z
uSNCreated: 12814
uSNChanged: 84683
name: IXMSOFTLDAP
objectGUID:: cMItf70U20qyaLdCfU+LoA==
objectCategory: CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=ixmsoft,D
C=com
dSCorePropagationData: 20161211135427.0Z
dSCorePropagationData: 20161211135426.0Z
dSCorePropagationData: 20161031132324.0Z
dSCorePropagationData: 20161031132324.0Z
dSCorePropagationData: 16010101000416.0Z
# gavin, IXMSOFTLDAP, ixmsoft.com
dn: CN=gavin,OU=IXMSOFTLDAP,DC=ixmsoft,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: gavin
distinguishedName: CN=gavin,OU=IXMSOFTLDAP,DC=ixmsoft,DC=com
instanceType: 4
whenCreated: 20161031132636.0Z
whenChanged: 20161213064218.0Z
displayName: gavin
uSNCreated: 12834
memberOf: CN=Domain Admins,CN=Users,DC=ixmsoft,DC=com
memberOf: CN=Enterprise Admins,CN=Users,DC=ixmsoft,DC=com
memberOf: CN=Schema Admins,CN=Users,DC=ixmsoft,DC=com
uSNChanged: 83107
name: gavin
objectGUID:: EoJ2j0/CEEahljdqlm3M8Q==
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 131223940286681367
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAF+vK5x9VEfOcmw/wTwQAAA==
adminCount: 1
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: gavin
sAMAccountType: 805306368
userPrincipalName: gavin@ixmsoft.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ixmsoft,DC=com
dSCorePropagationData: 20161211140944.0Z
dSCorePropagationData: 20161211135426.0Z
dSCorePropagationData: 20161031140559.0Z
dSCorePropagationData: 16010101000000.0Z
# a, IXMSOFTLDAP, ixmsoft.com
dn: CN=a,OU=IXMSOFTLDAP,DC=ixmsoft,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: a
distinguishedName: CN=a,OU=IXMSOFTLDAP,DC=ixmsoft,DC=com
instanceType: 4
whenCreated: 20161211150724.0Z
whenChanged: 20161228041930.0Z
displayName: a
uSNCreated: 76250
memberOf: CN=open***user,CN=Users,DC=ixmsoft,DC=com
memberOf: CN=open***,OU=***,DC=ixmsoft,DC=com
memberOf: CN=my***,OU=IXMSOFTLDAP,DC=ixmsoft,DC=com
uSNChanged: 84656
proxyAddresses: SMTP:a@ixmsoft.com
name: a
objectGUID:: UG7KmwzOpE+eCEQCIXYirg==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 131259971048958897
pwdLastSet: 131273684370053522
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAF+vK5x9VEfOcmw/weQQAAA==
accountExpires: 9223372036854775807
logonCount: 125
sAMAccountName: a
sAMAccountType: 805306368
showInAddressBook: CN=Mailboxes(VLV),CN=All System Address Lists,CN=Address Li
sts Container,CN=ixmsoft,CN=Microsoft Exchange,CN=Services,CN=Configuration,D
C=ixmsoft,DC=com
showInAddressBook: CN=All Mailboxes(VLV),CN=All System Address Lists,CN=Addres
s Lists Container,CN=ixmsoft,CN=Microsoft Exchange,CN=Services,CN=Configurati
on,DC=ixmsoft,DC=com
showInAddressBook: CN=All Recipients(VLV),CN=All System Address Lists,CN=Addre
ss Lists Container,CN=ixmsoft,CN=Microsoft Exchange,CN=Services,CN=Configurat
ion,DC=ixmsoft,DC=com
showInAddressBook: CN=Default Global Address List,CN=All Global Address Lists,
CN=Address Lists Container,CN=ixmsoft,CN=Microsoft Exchange,CN=Services,CN=Co
nfiguration,DC=ixmsoft,DC=com
showInAddressBook: CN=All Users,CN=All Address Lists,CN=Address Lists Containe
r,CN=ixmsoft,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=ixmsoft,DC
=com
legacyExchangeDN: /o=ixmsoft/ou=Exchange Administrative Group (FYDIBOHF23SPDLT
)/cn=Recipients/cn=f7a926c52baa45ac83d487105a17abb5-a
userPrincipalName: a@ixmsoft.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ixmsoft,DC=com
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 131259433371916627
uid: a
mail: a@ixmsoft.com
mailNickname: a
msExchPoliciesIncluded: cfdf87af-dd7f-4a7b-85e4-e0ba077efe78
msExchPoliciesIncluded: {26491cfc-9e50-4857-861b-0cb8df22b5d7}
msExchCalendarLoggingQuota: 6291456
msExchRecipientDisplayType: 1073741824
mDBUseDefaults: TRUE
msExchTextMessagingState: 302120705
msExchTextMessagingState: 16842751
msExchArchiveQuota: 104857600
msExchMailboxGuid:: ii4VjsET5kqpVJcdHpSOhg==
homeMDB: CN=Mailbox Database 1277431463,CN=Databases,CN=Exchange Administrativ
e Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=ixmsoft,CN=Microsoft Ex
change,CN=Services,CN=Configuration,DC=ixmsoft,DC=com
msExchUserCulture: zh-CN
msExchRecipientTypeDetails: 1
msExchMailboxSecurityDescriptor:: AQAEgBQAAAAgAAAAAAAAACwAAAABAQAAAAAABQoAAAAB
AQAAAAAABQoAAAAEABwAAQAAAAACFAABAAIAAQEAAAAAAAUKAAAA
msExchUserAccountControl: 0
msExchUMDtmfMap: emailAddress:2
msExchUMDtmfMap: lastNameFirstName:2
msExchUMDtmfMap: firstNameLastName:2
msExchWhenMailboxCreated: 20161211152053.0Z
msExchHomeServerName: /o=ixmsoft/ou=Exchange Administrative Group (FYDIBOHF23S
PDLT)/cn=Configuration/cn=Servers/cn=EX01
msExchDumpsterQuota: 31457280
msExchDumpsterWarningQuota: 20971520
msExchVersion: 88218628259840
msExchRBACPolicyLink: CN=Default Role Assignment Policy,CN=Policies,CN=RBAC,CN
=ixmsoft,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=ixmsoft,DC=com
msExchArchiveWarnQuota: 94371840
# my***, IXMSOFTLDAP, ixmsoft.com
dn: CN=my***,OU=IXMSOFTLDAP,DC=ixmsoft,DC=com
objectClass: top
objectClass: group
cn: my***
description: op***_group
member: CN=zs,OU=IXMSOFTLDAP,DC=ixmsoft,DC=com
member: CN=a,OU=IXMSOFTLDAP,DC=ixmsoft,DC=com
distinguishedName: CN=my***,OU=IXMSOFTLDAP,DC=ixmsoft,DC=com
instanceType: 4
whenCreated: 20161228013545.0Z
whenChanged: 20161228073446.0Z
uSNCreated: 84617
uSNChanged: 84692
name: my***
objectGUID:: iCieup3yF0CcvkrZ5K4owQ==
objectSid:: AQUAAAAAAAUVAAAAF+vK5x9VEfOcmw/wewQAAA==
sAMAccountName: my***
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=ixmsoft,DC=com
dSCorePropagationData: 20161228044206.0Z
dSCorePropagationData: 16010101000000.0Z
# zs, IXMSOFTLDAP, ixmsoft.com
dn: CN=zs,OU=IXMSOFTLDAP,DC=ixmsoft,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: zs
distinguishedName: CN=zs,OU=IXMSOFTLDAP,DC=ixmsoft,DC=com
instanceType: 4
whenCreated: 20161228073427.0Z
whenChanged: 20161228104050.0Z
displayName: zs
uSNCreated: 84685
memberOf: CN=my***,OU=IXMSOFTLDAP,DC=ixmsoft,DC=com
uSNChanged: 84707
name: zs
objectGUID:: aGJRtfM4BkqcoXKrRtKeFQ==
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 131273840680565017
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAF+vK5x9VEfOcmw/wfwQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: zs
sAMAccountType: 805306368
userPrincipalName: zs@ixmsoft.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ixmsoft,DC=com
dSCorePropagationData: 20161228104050.0Z
dSCorePropagationData: 16010101000000.0Z
# sqladmin, IXMSOFTLDAP, ixmsoft.com
dn: CN=sqladmin,OU=IXMSOFTLDAP,DC=ixmsoft,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: sqladmin
distinguishedName: CN=sqladmin,OU=IXMSOFTLDAP,DC=ixmsoft,DC=com
instanceType: 4
whenCreated: 20161101072712.0Z
whenChanged: 20161213064218.0Z
displayName: sqladmin
uSNCreated: 14261
uSNChanged: 83109
name: sqladmin
objectGUID:: /orLK52ZskWhDhcGqz1k5A==
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 131224606337808745
lastLogoff: 0
lastLogon: 131225414441612134
pwdLastSet: 131224588326777247
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAF+vK5x9VEfOcmw/wVQQAAA==
accountExpires: 9223372036854775807
logonCount: 48
sAMAccountName: sqladmin
sAMAccountType: 805306368
userPrincipalName: sqladmin@ixmsoft.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ixmsoft,DC=com
dSCorePropagationData: 20161211135426.0Z
dSCorePropagationData: 16010101000001.0Z
lastLogonTimestamp: 131224588677494199
# search result
search: 2
result: 0 Success
# numResponses: 7
# numEntries: 6
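To make the decision the plugin takes over this directory tree concrete, here is an added Python example; it is not code from the original post or from the open***-auth-ldap project. It parses the LDIF that ldapsearch prints (folded lines starting with a space, base64 values after `::`) from a constructed, trimmed copy of the output above, then replays the two lookups configured in ldap.conf: the user search under BaseDN with the `%u` filter, and the `<Group>` search whose MemberAttribute values are compared against the user's DN. The plugin model is a simplification (only `&`, `|`, `!`, presence and exact equality are evaluated, and the password bind as the user is left out); the RFC 4515 escaping of the login name is added here as a defensive step and is not a claim about what the plugin does.

```python
"""Replay of the open***-auth-ldap lookups over ldapsearch (LDIF) output.

Added example; not code from the original post or from the open***-auth-ldap
project.  The directory contents are a constructed, trimmed copy of the
ldapsearch output above; the plugin behaviour is modelled in simplified form.
"""
import base64
import re

# Constructed sample: a trimmed copy of the ldapsearch output above, with the
# blank lines between entries that ldapsearch prints, one folded line (leading
# space) and one base64 value ('::') so the parser has both cases to handle.
SAMPLE_LDIF = """\
# extended LDIF
# base <ou=ixmsoftldap,dc=ixmsoft,dc=com> with scope subtree

dn: OU=IXMSOFTLDAP,DC=ixmsoft,DC=com
objectClass: organizationalUnit
ou: IXMSOFTLDAP

dn: CN=a,OU=IXMSOFTLDAP,DC=ixmsoft,DC=com
objectClass: user
cn: a
sAMAccountName: a
memberOf: CN=my***,OU=IXMSOFTLDAP,DC=ixmsoft,DC=com
objectGUID:: UG7KmwzOpE+eCEQCIXYirg==

dn: CN=gavin,OU=IXMSOFTLDAP,DC=ixmsoft,DC=com
objectClass: user
cn: gavin
sAMAccountName: gavin
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ixmsoft,D
 C=com

dn: CN=my***,OU=IXMSOFTLDAP,DC=ixmsoft,DC=com
objectClass: group
cn: my***
member: CN=zs,OU=IXMSOFTLDAP,DC=ixmsoft,DC=com
member: CN=a,OU=IXMSOFTLDAP,DC=ixmsoft,DC=com

dn: CN=zs,OU=IXMSOFTLDAP,DC=ixmsoft,DC=com
objectClass: user
cn: zs
sAMAccountName: zs
memberOf: CN=my***,OU=IXMSOFTLDAP,DC=ixmsoft,DC=com

# search result
search: 2
result: 0 Success
"""

# Values taken from the ldap.conf written above (BaseDN, SearchFilter and the
# <Group> block); RequireGroup is passed separately so its effect is visible.
LDAP_CONF = {
    "base_dn": "OU=IXMSOFTLDAP,DC=ixmsoft,DC=com",
    "search_filter": "(&(sAMAccountName=%u))",
    "group_base_dn": "OU=IXMSOFTLDAP,DC=ixmsoft,DC=com",
    "group_filter": "(|(cn=my***))",
    "member_attribute": "member",
}

_ATTR_LINE = re.compile(r"^([A-Za-z][\w;-]*)(::?) ?(.*)$")


def parse_ldif(text):
    """Parse ldapsearch output into a list of entries (dict: lower-cased
    attribute -> list of values).  Folded lines (leading space) are re-joined,
    '::' values are base64-decoded to bytes, comments and the trailer are skipped."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]        # continuation of the previous line
        else:
            unfolded.append(raw)
    entries, current = [], None
    for line in unfolded:
        if not line.strip() or line.startswith("#"):
            current = None                 # blank line or comment ends an entry
            continue
        if line.startswith("dn:"):
            current = {}
            entries.append(current)
        if current is None:
            continue                       # trailer: 'search: 2', 'result: 0 Success'
        m = _ATTR_LINE.match(line)
        if not m:
            continue
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value)
        current.setdefault(attr.lower(), []).append(value)
    return entries


def _parse_filter(s, i=0):
    """Minimal RFC 4515 parser: (&..) (|..) (!..), presence (attr=*) and exact
    equality.  Substring wildcards are not modelled."""
    if s[i] != "(":
        raise ValueError("filter must start with '(' at %d" % i)
    i += 1
    if s[i] in "&|!":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = _parse_filter(s, i)
            kids.append(node)
        if s[i] != ")":
            raise ValueError("expected ')' at %d" % i)
        return (op, kids), i + 1
    j = s.index(")", i)
    attr, _, val = s[i:j].partition("=")
    attr = attr.strip().lower()
    if val == "*":
        return ("present", attr, None), j + 1
    # undo RFC 4515 escapes (\2a etc.) so the value is compared literally
    val = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), val)
    return ("=", attr, val), j + 1


def _match(node, entry):
    op = node[0]
    if op == "&":
        return all(_match(k, entry) for k in node[1])
    if op == "|":
        return any(_match(k, entry) for k in node[1])
    if op == "!":
        return not _match(node[1][0], entry)
    _, attr, val = node
    values = entry.get(attr, [])
    if op == "present":
        return bool(values)
    return any(isinstance(v, str) and v.lower() == val.lower() for v in values)


def search(entries, base_dn, filter_str):
    """Subtree search: entries at or below base_dn that match the filter."""
    node, _ = _parse_filter(filter_str)
    base = base_dn.lower()
    hits = []
    for e in entries:
        dn = e["dn"][0].lower()
        if (dn == base or dn.endswith("," + base)) and _match(node, e):
            hits.append(e)
    return hits


def escape_filter_value(value):
    """RFC 4515 escaping for a value spliced into a filter.  Added here as a
    defensive step (assumption: the post does not say how the plugin treats
    filter metacharacters in the login name)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def authorize(entries, conf, username, require_group):
    """Simplified model of the plugin's decision: the user search must return
    exactly one entry (the password bind as that user is left out); with
    RequireGroup true the user's DN must also be listed in the MemberAttribute
    of a group matched by the <Group> search."""
    user_filter = conf["search_filter"].replace("%u", escape_filter_value(username))
    users = search(entries, conf["base_dn"], user_filter)
    if len(users) != 1:
        return "user not found"
    if not require_group:
        return "allowed"
    user_dn = users[0]["dn"][0].lower()
    for group in search(entries, conf["group_base_dn"], conf["group_filter"]):
        members = group.get(conf["member_attribute"].lower(), [])
        if user_dn in (m.lower() for m in members):
            return "allowed"
    return "denied: not a group member"


if __name__ == "__main__":
    tree = parse_ldif(SAMPLE_LDIF)
    for user in ("zs", "ls", "gavin"):
        for rg in (False, True):
            print("%-6s RequireGroup=%-5s -> %s" % (user, rg, authorize(tree, LDAP_CONF, user, rg)))
```

Running it shows why ls fails with "user not found" (there is no such entry under OU=IXMSOFTLDAP) and that with `RequireGroup false`, as in the ldap.conf above, a user such as gavin who sits in the OU but not in my*** is still allowed: the `<Group>` block only restricts access once `RequireGroup` is set to `true`. Two further points a practitioner will want to check on this setup: with `TLSEnable no` the bind password in ldap.conf is sent to 192.168.5.10 in cleartext, so ldap.conf should at least be readable only by root, and StartTLS with the domain CA should be enabled once the basic flow works.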