openldap 初始化操作
1. #创建自定义ou
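# Step 1: two top-level OUs under dc=vimll,dc=com.
# LDIF requires a blank line between entries; without it the second "dn:"
# is parsed as an attribute of the first entry and ldapadd rejects the file.
# The heredoc delimiter is quoted so nothing inside is shell-expanded.
cat > add_custom_ou.ldif << 'EOF'
dn: ou=Users,dc=vimll,dc=com
objectClass: organizationalUnit
objectClass: top
ou: Users

dn: ou=GitLab,dc=vimll,dc=com
objectClass: organizationalUnit
objectClass: top
ou: GitLab
EOF
# -W prompts for the rootdn password instead of passing it in argv (-w), so
# it does not end up in shell history or `ps` output. Simple bind (-x) over
# plain ldap:// is only acceptable on loopback as here; over a network use
# ldaps:// or StartTLS (-ZZ).
ldapadd -x -H ldap://127.0.0.1:389 -D "cn=admin,dc=vimll,dc=com" -W -f add_custom_ou.ldif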
2. #创建自定义子ou
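# Step 2: second-level OUs. ou=Group and ou=People are assumed to exist
# already — they are not created anywhere on this page.
# The original fourth entry had dn "ou=Users,ou=people" but "ou: Jira": the
# RDN value must be present in the entry, so slapd rejects it with a naming
# violation, and ou=Users,ou=People is created again by the last entry. It is
# corrected to ou=Jira,ou=Group, matching the Jenkins/GitLab/Confluence
# entries it sits between.
cat > add_custom_ou_son.ldif << 'EOF'
dn: ou=Jenkins,ou=Group,dc=vimll,dc=com
objectClass: organizationalUnit
objectClass: top
ou: Jenkins

dn: ou=GitLab,ou=Group,dc=vimll,dc=com
objectClass: organizationalUnit
objectClass: top
ou: GitLab

dn: ou=Jira,ou=Group,dc=vimll,dc=com
objectClass: organizationalUnit
objectClass: top
ou: Jira

dn: ou=Confluence,ou=Group,dc=vimll,dc=com
objectClass: organizationalUnit
objectClass: top
ou: Confluence

dn: ou=Admin,ou=People,dc=vimll,dc=com
objectClass: organizationalUnit
objectClass: top
ou: Admin

dn: ou=Users,ou=People,dc=vimll,dc=com
objectClass: organizationalUnit
objectClass: top
ou: Users
EOF
# Rootdn password is prompted for (-W) rather than given on the command line.
ldapadd -x -H ldap://127.0.0.1:389 -D "cn=admin,dc=vimll,dc=com" -W -f add_custom_ou_son.ldif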
3. #在People ou 子ou Users下面创建users用户组
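# Step 3: posixGroup "users" (gidNumber 1000) under ou=Users,ou=People.
# The users created in step 4 reference this gid as their primary group.
cat > group_users.ldif << 'EOF'
dn: cn=users,ou=Users,ou=People,dc=vimll,dc=com
objectClass: posixGroup
objectClass: top
cn: users
gidNumber: 1000
EOF
# Rootdn password is prompted for (-W) rather than given on the command line.
ldapadd -x -H ldap://127.0.0.1:389 -D "cn=admin,dc=vimll,dc=com" -W -f group_users.ldif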
4. 创建账户
添加用户 wuyutang，位置在 People OU 的子 OU Users 下，并绑定到 People 下的用户组 Users；再创建 tang 用户于顶级 Users OU 下，同样绑定用户组 Users。
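# Step 4: two inetOrgPerson/posixAccount users. wuyutang lives under
# ou=Users,ou=People, tang under the top-level ou=Users (step 1); both get
# primary group gidNumber 1000 (cn=users, step 3) and distinct uidNumbers.
# userPassword is given in cleartext. The ppolicy overlay that hashes
# cleartext passwords on write (olcPPolicyHashCleartext, step 10) is not
# configured yet, so slapd stores the value exactly as written — which is
# why "userPassword:: MTIzNDU2" in step 6 decodes straight back to it.
# Prefer pasting a hash generated with `slappasswd -h '{SSHA}' -s '<password>'`,
# and delete (or chmod 600) this LDIF afterwards, since it holds credentials.
cat > usersadd.ldif << 'EOF'
dn: cn=wuyutang,ou=Users,ou=People,dc=vimll,dc=com
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: wuyutang
sn: wu
uid: wuyutang
userPassword: 123456
uidNumber: 1008
gidNumber: 1000
homeDirectory: /home/wuyutang
mail: wuyutang@vimll.com
title: add user wuyutang

dn: cn=tang,ou=Users,dc=vimll,dc=com
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: tang
sn: tang
uid: tang
userPassword: 123456
uidNumber: 1009
gidNumber: 1000
homeDirectory: /home/tang
mail: tang@vimll.com
title: add user tang
EOF
# Rootdn password is prompted for (-W) rather than given on the command line.
ldapadd -x -H ldap://127.0.0.1:389 -D "cn=admin,dc=vimll,dc=com" -W -f usersadd.ldif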
5. 为用户设置密码
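# Step 5: reset a user's password as rootdn. Without -s/-S, ldappasswd
# generates a random password and prints it — the "New password:" line below
# is that output, not a command. -H replaces the deprecated -h/-p pair, and
# -W prompts for the rootdn password instead of exposing it in argv.
ldappasswd -x -H ldap://127.0.0.1:389 -D "cn=admin,dc=vimll,dc=com" -W "cn=tang,ou=Users,dc=vimll,dc=com"
# New password: DoUGE7is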
6. 搜索信息
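# Step 6: queries. Dump the whole tree as rootdn (password prompted with -W).
ldapsearch -x -H ldap://127.0.0.1:389 -b "dc=vimll,dc=com" -D "cn=admin,dc=vimll,dc=com" -W
# Substring filters — LDAP "*" wildcards, not regular expressions.
ldapsearch -x -H ldap://127.0.0.1:389 -b "dc=vimll,dc=com" -D "cn=admin,dc=vimll,dc=com" -W "cn=wu*"
ldapsearch -x -H ldap://127.0.0.1:389 -b "dc=vimll,dc=com" -D "cn=admin,dc=vimll,dc=com" -W "ou=*"
# A value printed as "userPassword:: MTIzNDU2" is base64-encoded (the double
# colon), not encrypted: decoding gives the value exactly as stored. That it
# decodes to the password typed in step 4 shows the password is stored in
# cleartext; with hashed storage the decoded value would be a "{SSHA}..."
# hash, not the password.
echo MTIzNDU2 | base64 -d
# Bind as the user itself (not rootdn) to see the password-policy response:
# -e ppolicy requests the control, -v prints it. -W prompts for the user's
# password.
ldapwhoami -x -H ldap://127.0.0.1:389 -D "cn=wuyutang,ou=Users,ou=People,dc=vimll,dc=com" -W -e ppolicy -v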
7. 删除操作
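# Step 7: delete a user entry (ldapdelete removes leaf entries only).
ldapdelete -x -H ldap://127.0.0.1:389 -D "cn=admin,dc=vimll,dc=com" -W "cn=tang,ou=Users,dc=vimll,dc=com"
# Delete the group entry. Users still carrying gidNumber: 1000 are not
# touched; that gid simply no longer resolves to a group.
ldapdelete -x -H ldap://127.0.0.1:389 -D "cn=admin,dc=vimll,dc=com" -W "cn=users,ou=Users,ou=People,dc=vimll,dc=com"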
8. modify 修改操作
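# Step 8: re-create cn=tang (deleted in step 7) with ldapmodify. A record with
# "changetype: add" creates a new entry; the remaining fields are the same as
# in step 4. As there, userPassword is stored as given (cleartext) — prefer a
# `slappasswd` hash and remove this file once applied.
cat > user-modify.ldif << 'EOF'
dn: cn=tang,ou=Users,dc=vimll,dc=com
changetype: add
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: tang
sn: tang
uid: tang
userPassword: 123456
uidNumber: 1009
gidNumber: 1000
homeDirectory: /home/tang
mail: tang@vimll.com
title: add user tang
EOF
# Rootdn password is prompted for (-W) rather than given on the command line.
ldapmodify -x -H ldap://127.0.0.1:389 -D "cn=admin,dc=vimll,dc=com" -W -f user-modify.ldif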
# 添加组织单元OU
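# Add an OU with ldapmodify ("changetype: add"). The original record had dn
# "ou=Users,ou=people" together with "ou: Jira"; the RDN value must appear in
# the entry, so slapd would reject it with a naming violation. Corrected to
# ou=Jira under ou=Group, consistent with the other tool OUs in step 2.
dn: ou=Jira,ou=Group,dc=vimll,dc=com
changetype: add
objectClass: organizationalUnit
objectClass: top
ou: Jira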
# 添加组,并关联用户admin到组
# Create a groupOfUniqueNames with one member.
# NOTE(review): "ou=peoples" in the dn matches nothing else on this page
# (everywhere else it is ou=People). With that typo fixed the group dn would
# be identical to the uniqueMember dn below, so the group most likely belongs
# under a different container — confirm the intended dn before adding it.
dn: cn=admin,ou=Users,ou=peoples,dc=vimll,dc=com
changetype: add
objectClass: groupOfUniqueNames
objectClass: top
cn: admin
# Members are full DNs; the entry referenced here is not created on this page.
uniqueMember: cn=admin,ou=Users,ou=People,dc=vimll,dc=com
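# Read back the group's dn and members (rootdn password prompted with -W).
# NOTE(review): the search base here (uid=admin,ou=People,...) matches
# neither the group dn above nor any entry created on this page — confirm
# which entry is meant.
ldapsearch -x -H ldap://127.0.0.1:389 -D "cn=admin,dc=vimll,dc=com" -W -b "uid=admin,ou=People,dc=vimll,dc=com" dn uniqueMember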
# 修改属性
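# Replace the value of an existing attribute. The original had
# "replace: titletitle: this is a new title" on a single line; the attribute
# to replace and its new value must be separate lines.
dn: cn=tang,ou=Users,dc=vimll,dc=com
changetype: modify
replace: title
title: this is a new title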
# 添加属性
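# Add an attribute to an existing entry. This is "changetype: modify" with an
# "add:" sub-operation; the original used "changetype: add", which creates a
# whole new entry and fails here because cn=tang already exists.
dn: cn=tang,ou=Users,dc=vimll,dc=com
changetype: modify
add: description
description: this is a add description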
# modrdn 修改
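# Rename cn=tang to cn=tang123. "deleteoldrdn: 0" keeps "cn: tang" as an
# extra attribute value; newsuperior is the entry's current parent, so this is
# a rename in place (newsuperior is only needed to move the entry).
cat > modrdn.ldif << 'EOF'
dn: cn=tang,ou=Users,dc=vimll,dc=com
changetype: modrdn
newrdn: cn=tang123
deleteoldrdn: 0
newsuperior: ou=Users,dc=vimll,dc=com
EOF
# Rootdn password is prompted for (-W) rather than given on the command line.
ldapmodify -x -H ldap://127.0.0.1:389 -D "cn=admin,dc=vimll,dc=com" -W -f modrdn.ldif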
# 修改密码
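# Rootdn resets cn=tang123's password by replacing userPassword. The new
# password then sits in cleartext in this file: either paste a hash produced
# with `slappasswd`, or use `ldappasswd -S` (step 5), which sends the new
# value through the password-modify extended operation instead of writing it
# to disk. Delete the file after applying it.
cat > changepwd.ldif << 'EOF'
dn: cn=tang123,ou=Users,dc=vimll,dc=com
changetype: modify
replace: userPassword
userPassword: Tang123
EOF
# Rootdn password is prompted for (-W) rather than given on the command line.
ldapmodify -x -H ldap://127.0.0.1:389 -D "cn=admin,dc=vimll,dc=com" -W -f changepwd.ldif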
9. LDAP用户权限配置
## 创建顶级Manager OU并创建admins(管理),readonly(只读),password_manager(密码管理)等子ou
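# Step 9a: ou=Manager with one sub-OU per privilege tier. The ACL in step 9b
# grants rights by "dn.children" of these OUs, so an account's privileges are
# decided purely by which OU it is created in — keep write access to
# ou=Manager restricted to the rootdn.
cat > add_manager_ou_and_sonou.ldif << 'EOF'
dn: ou=Manager,dc=vimll,dc=com
objectClass: organizationalUnit
objectClass: top
ou: Manager

dn: ou=admins,ou=Manager,dc=vimll,dc=com
objectClass: organizationalUnit
objectClass: top
ou: admins

dn: ou=readonly,ou=Manager,dc=vimll,dc=com
objectClass: organizationalUnit
objectClass: top
ou: readonly

dn: ou=password_manager,ou=Manager,dc=vimll,dc=com
objectClass: organizationalUnit
objectClass: top
ou: password_manager
EOF
# Rootdn password is prompted for (-W) rather than given on the command line.
ldapadd -x -H ldap://127.0.0.1:389 -D "cn=admin,dc=vimll,dc=com" -W -f add_manager_ou_and_sonou.ldif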
## 配置权限
# 先查看并确认 olcDatabase 配置文件名，例如这里是 olcDatabase={2}mdb.ldif；下面访问控制 LDIF 中的 dn 必须与该文件名对应，否则修改会落到错误的数据库上
# ls -l /etc/openldap/slapd.d/cn=config
......略
-rw------- 1 ldap ldap 2099 Feb 24 18:06 olcDatabase={2}mdb.ldif
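# Step 9b: replace the database ACL. The dn must match the olcDatabase file
# found above (olcDatabase={2}mdb.ldif -> olcDatabase={2}mdb,cn=config).
# "delete: olcAccess" drops every existing rule, then the new set is added.
# Rules are evaluated first-match, so order matters:
#  {0} local root over the ldapi socket (peercred) keeps full control;
#      everyone else falls through ("break") to the following rules.
#  {1} password attributes: the owner and password managers may write,
#      admins may read the stored hashes (remove that line unless they
#      really need to export hashes), anonymous gets "auth" only — required
#      for simple binds to work — and nobody else sees them.
#  {2} everything else: owner read-only (so users cannot change their own
#      uidNumber/gidNumber), admins write, the other tiers read, rest none.
# Multi-line olcAccess values use LDIF continuation lines: they must start
# with a space; two are used so one survives as the token separator after the
# first is stripped.
cat > change-acl.ldif << 'EOF'
dn: olcDatabase={2}mdb,cn=config
changetype: modify
delete: olcAccess
-
add: olcAccess
olcAccess: {0}to *
  by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
  by * break
olcAccess: {1}to attrs=userPassword,shadowLastChange
  by self write
  by dn="cn=admin,dc=vimll,dc=com" write
  by dn.children="ou=admins,ou=Manager,dc=vimll,dc=com" read
  by dn.children="ou=password_manager,ou=Manager,dc=vimll,dc=com" write
  by anonymous auth
  by * none
olcAccess: {2}to *
  by self read
  by dn="cn=admin,dc=vimll,dc=com" write
  by dn.children="ou=admins,ou=Manager,dc=vimll,dc=com" write
  by dn.children="ou=password_manager,ou=Manager,dc=vimll,dc=com" read
  by dn.children="ou=readonly,ou=Manager,dc=vimll,dc=com" read
  by * none
EOF
# {1}: access control for the password attributes.
# {2}: access control for all remaining attributes (passwords excluded).
# Applied over the local ldapi socket with SASL EXTERNAL (peer credentials),
# so no directory password is involved; run as root.
ldapmodify -Y EXTERNAL -H ldapi:/// -f change-acl.ldif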
## 验证:分别在几个管理ou下创建对应账户,然后访问ldap,验证权限,ldif配置文件示例
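# Step 9c: one bind-only service account per tier, to verify the ACL.
# simpleSecurityObject + organizationalRole is the usual combination for an
# entry that exists only to authenticate (it carries userPassword and cn,
# nothing POSIX). Each file stores the account password in cleartext: paste
# `slappasswd -h '{SSHA}' -s '<password>'` output instead, and remove the
# files once applied. Verify each account afterwards with
# `ldapwhoami -x -D <dn> -W` followed by a search or modify it should or
# should not be allowed to perform.
cat > add_readOnly.ldif << 'EOF'
dn: cn=readuser,ou=readonly,ou=Manager,dc=vimll,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
description: LDAP read only user
cn: readuser
userPassword: Readuser@123
EOF
cat > add_pwd-manager.ldif << 'EOF'
dn: cn=pwd-manager,ou=password_manager,ou=Manager,dc=vimll,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
description: LDAP change-pwd only user
cn: pwd-manager
userPassword: Pwd-manager@123
EOF
cat > add_admins.ldif << 'EOF'
dn: cn=myadmin,ou=admins,ou=Manager,dc=vimll,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
description: LDAP admin user
cn: myadmin
userPassword: Myadmin@123
EOF
# Rootdn password is prompted for (-W) rather than given on the command line.
ldapadd -x -H ldap://127.0.0.1:389 -D "cn=admin,dc=vimll,dc=com" -W -f add_readOnly.ldif
ldapadd -x -H ldap://127.0.0.1:389 -D "cn=admin,dc=vimll,dc=com" -W -f add_pwd-manager.ldif
ldapadd -x -H ldap://127.0.0.1:389 -D "cn=admin,dc=vimll,dc=com" -W -f add_admins.ldif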
10. ldap 加载额外模块
## 禁止匿名访问
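# Step 10a: refuse anonymous binds (bind_anon) and require an authenticated
# bind for every operation (authc), globally and on the frontend database.
# After this, `ldapsearch -x` without -D fails and every client (sssd, nslcd,
# application connectors) must present credentials. The "by anonymous auth"
# clause in the step 9 ACL is still needed: a simple bind is evaluated before
# the session counts as authenticated.
# Three modify records, separated by blank lines; ldapmodify is the matching
# tool (ldapadd is ldapmodify -a and is meant for new entries).
cat > disable_anon.ldif << 'EOF'
dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon

dn: cn=config
changetype: modify
add: olcRequires
olcRequires: authc

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcRequires
olcRequires: authc
EOF
# Applied as local root over ldapi with SASL EXTERNAL.
ldapmodify -Y EXTERNAL -H ldapi:/// -f disable_anon.ldif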
### ppolicy模块
#配置module模块
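# Step 10b: dynamic module list. Attribute names are case-insensitive; they
# are written uniformly as olcModuleLoad here.
# NOTE(review): olcModulepath /usr/lib/ldap is the Debian layout, while the
# config directory used on this page (/etc/openldap/slapd.d) is the RHEL
# layout, where modules are normally under a different path — check where
# ppolicy.la actually lives before loading. slapd names the created entry
# cn=module{N} (the original audit step referred to it as cn=module{0}).
cat > module.ldif << 'EOF'
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleLoad: accesslog.la
olcModuleLoad: auditlog.la
olcModuleLoad: ppolicy.la
#olcModuleLoad: memberof.la
EOF
# Applied as local root over ldapi with SASL EXTERNAL.
ldapadd -Y EXTERNAL -H ldapi:/// -f module.ldif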
#配置默认配置
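# Step 10c: attach the ppolicy overlay to the data database. Everywhere else
# on this page that database is olcDatabase={2}mdb (change-acl.ldif,
# audit.ldif, the ls output above); the original "{1}hmdb" matches nothing
# shown here, so it is corrected to {2}mdb — verify against
# ls /etc/openldap/slapd.d/cn=config.
# olcPPolicyHashCleartext: TRUE makes slapd hash cleartext userPassword
# values at write time, so entries added from now on no longer store the
# plaintext. Entries created earlier (step 4) keep their cleartext value until
# their password is rewritten. olcPPolicyUseLockout: TRUE returns an explicit
# "account locked" error to the client instead of a generic bind failure.
cat > ppolicy_db.ldif << 'EOF'
dn: olcOverlay=ppolicy,olcDatabase={2}mdb,cn=config
changetype: add
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=Policies,dc=vimll,dc=com
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: TRUE
EOF
# Applied as local root over ldapi with SASL EXTERNAL.
ldapadd -Y EXTERNAL -H ldapi:/// -f ppolicy_db.ldif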
#创建组
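# Step 10d: container for password-policy entries; olcPPolicyDefault above
# points into it.
cat > ppolicy_group.ldif << 'EOF'
dn: ou=Policies,dc=vimll,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Policies
EOF
# Rootdn password is prompted for (-W) rather than given on the command line.
ldapadd -x -H ldap://127.0.0.1:389 -D "cn=admin,dc=vimll,dc=com" -W -f ppolicy_group.ldif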
# 创建默认密码策略
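# Step 10e: the default password policy (file renamed from the misspelt
# "ppolicy_rulues.ldif"). Time values are seconds.
#  pwdAttribute 2.5.4.35        -> userPassword
#  pwdInHistory 8               -> last 8 passwords cannot be reused
#  pwdMinLength 8
#  pwdMaxFailure 3 / pwdFailureCountInterval 1800 / pwdLockout TRUE /
#  pwdLockoutDuration 900       -> 3 failures within 30 min lock the account
#                                  for 15 min
#  pwdCheckQuality 2            -> enforce quality checks and reject a
#                                  password whose quality cannot be checked
#  pwdMustChange TRUE           -> user must change an admin-set password
#  pwdGraceAuthNLimit 0         -> no logins after expiry
#  pwdMaxAge 3600 / pwdExpireWarning 1209600
# NOTE(review): pwdMaxAge is 1 hour while the expiry warning window is 14
# days; the warning must be shorter than the max age, so 3600 looks like a
# unit slip (e.g. a 90-day age would be 7776000) — confirm the intended
# values before applying.
cat > ppolicy_rules.ldif << 'EOF'
dn: cn=default,ou=Policies,dc=vimll,dc=com
cn: default
objectClass: top
objectClass: device
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
pwdAttribute: 2.5.4.35
pwdInHistory: 8
pwdMinLength: 8
pwdMaxFailure: 3
pwdFailureCountInterval: 1800
pwdCheckQuality: 2
pwdMustChange: TRUE
pwdGraceAuthNLimit: 0
pwdMaxAge: 3600
pwdExpireWarning: 1209600
pwdLockoutDuration: 900
pwdLockout: TRUE
EOF
# Rootdn password is prompted for (-W) rather than given on the command line.
ldapadd -x -H ldap://127.0.0.1:389 -D "cn=admin,dc=vimll,dc=com" -W -f ppolicy_rules.ldif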
#pqchecker模块
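# Step 10f: plug the pqchecker quality module into the default policy.
# The entry already carries objectClass pwdPolicyChecker (added in step 10e),
# which is why the objectClass addition stays commented out. pqchecker.so
# must be installed where slapd looks for check modules.
# NOTE(review): newer OpenLDAP releases configure the check module on the
# overlay rather than via pwdCheckModule — consult slapo-ppolicy(5) for the
# installed version.
cat > pqchecker.ldif << 'EOF'
dn: cn=default,ou=Policies,dc=vimll,dc=com
changetype: modify
add: pwdCheckModule
pwdCheckModule: pqchecker.so
#-
#add: objectClass
#objectclass: pwdPolicyChecker
EOF
# This is a modify record, so ldapmodify is the matching tool; the rootdn
# password is prompted for (-W).
ldapmodify -x -H ldap://127.0.0.1:389 -D "cn=admin,dc=vimll,dc=com" -W -f pqchecker.ldif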
#审核模块audit
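# Step 10g: enable the auditlog overlay on the data database. Only the overlay
# entry is kept from the original file:
#  - auditlog.la is already loaded by module.ldif (step 10b), so the extra
#    "add: olcModuleLoad" record is dropped — loading it a second time is at
#    best redundant and may be rejected.
#  - the original file also added two olcAccess rules ({0} and {1}). With
#    "add:" they are inserted AHEAD of the ACL installed in step 9 and, since
#    rules are first-match, silently override it: "by * read" on
#    userPassword would expose every stored hash to any authenticated bind,
#    and "to * by self write" would let any user rewrite their own
#    uidNumber/gidNumber/homeDirectory. The step 9 ACL stays authoritative;
#    do not re-add those rules here.
cat > audit.ldif << 'EOF'
dn: olcOverlay=auditlog,olcDatabase={2}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcAuditLogConfig
olcAuditlogFile: /var/log/slapd/auditlog.log
EOF
# The log holds the LDIF of every change, including userPassword values as
# written, so /var/log/slapd must exist, be writable by the slapd user and be
# readable by nobody else. Applied as local root over ldapi with SASL EXTERNAL.
ldapadd -Y EXTERNAL -H ldapi:/// -f audit.ldif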
11. sudo 模块加载
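# Step 11: sudoers in LDAP. sudo-overlay.ldif is the sudo *schema* (attribute
# and objectClass definitions from the sudo distribution), not an overlay; it
# must be loaded before sudo.ldif, which uses the sudoRole class.
# The heredoc delimiter is quoted because the sudoRole definition contains
# "$" separators that an unquoted heredoc would hand to the shell.
cat > sudo-overlay.ldif << 'EOF'
dn: cn=sudo,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: sudo
olcAttributeTypes: {0}( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {1}( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {2}( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {3}( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo (deprecated)' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {4}( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {5}( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {6}( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC 'Group(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {7}( 1.3.6.1.4.1.15953.9.1.8 NAME 'sudoNotBefore' DESC 'Start of time interval for which the entry is valid' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
olcAttributeTypes: {8}( 1.3.6.1.4.1.15953.9.1.9 NAME 'sudoNotAfter' DESC 'End of time interval for which the entry is valid' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
olcAttributeTypes: {9}( 1.3.6.1.4.1.15953.9.1.10 NAME 'sudoOrder' DESC 'an integer to order the sudoRole entries' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
olcObjectClasses: {0}( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' DESC 'SudoerEntries' SUP top STRUCTURAL MUST cn MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ sudoOrder $ sudoNotBefore $ sudoNotAfter $ description ) )
EOF
# sudo.ldif: the SUDOers container plus two roles, evaluated by sudoOrder.
#  cn=defaults mirrors the stock "Defaults" lines of /etc/sudoers
#  (env_reset, env_keep, secure_path, ...).
#  cn=%wheel lets every member of the wheel group, plus wuyutang explicitly,
#  run any command (ALL) as any user (ALL) on any host (ALL). "!authenticate"
#  disables the password prompt — the LDAP equivalent of NOPASSWD for all of
#  them; keep it only if that is the intended policy.
cat > sudo.ldif << 'EOF'
dn: ou=SUDOers,dc=vimll,dc=com
description: SUDOers
objectClass: organizationalUnit
objectClass: top
ou: SUDOers

dn: cn=defaults,ou=SUDOers,dc=vimll,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: match_group_by_gid
sudoOption: always_query_group_plugin
sudoOption: env_reset
sudoOption: env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
sudoOption: env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
sudoOption: env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
sudoOption: env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
sudoOption: env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
sudoOption: secure_path = /sbin:/bin:/usr/sbin:/usr/bin
sudoOrder: 1

dn: cn=%wheel,ou=SUDOers,dc=vimll,dc=com
objectClass: top
objectClass: sudoRole
cn: %wheel
sudoUser: %wheel
sudoUser: wuyutang
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOption: !authenticate
sudoOrder: 2
EOF
# Schema goes into cn=config as local root (ldapi + SASL EXTERNAL); the data
# is added as rootdn with the password prompted for (-W).
ldapadd -Y EXTERNAL -H ldapi:/// -f sudo-overlay.ldif
ldapadd -x -H ldap://127.0.0.1:389 -D "cn=admin,dc=vimll,dc=com" -W -f sudo.ldif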
## sshPublicKey 证书模块
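# openssh-lpk schema: an sshPublicKey attribute and the auxiliary class
# ldapPublicKey that carries it. The two definitions are folded over several
# lines; LDIF continuation lines must begin with a space (two here — one is
# stripped as the fold marker, the other separates the tokens). Without the
# leading spaces the folded lines are read as separate attributes and the
# schema is rejected.
cat > openssh-lpk-openldap.ldif << 'EOF'
#
# LDAP Public Key Patch schema for use with openssh-ldappubkey
# useful with PKA-LDAP also
#
# Author: Eric AUGE <eau@phear.org>
#
# LDIF for openLDAP Directory Server.
# Based on the original schema, modified by Jakub Jelen.
#
dn: cn=openssh-lpk,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: openssh-lpk
olcAttributeTypes: {0}( 1.3.6.1.4.1.24552.500.1.1.1.13
  NAME 'sshPublicKey' DESC 'MANDATORY: OpenSSH Public key'
  EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
olcObjectClasses: {0}( 1.3.6.1.4.1.24552.500.1.1.2.0
  NAME 'ldapPublicKey' DESC 'MANDATORY: OpenSSH LPK objectclass'
  SUP top AUXILIARY MUST ( sshPublicKey $ uid ) )
EOF
# Applied as local root over ldapi with SASL EXTERNAL.
ldapadd -Y EXTERNAL -H ldapi:/// -f openssh-lpk-openldap.ldif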
## 给用户添加证书
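# Attach an SSH public key to wuyutang: add the auxiliary class
# ldapPublicKey, then the key. The key below is a truncated placeholder —
# paste the complete public key on one line. (The original also "replace"d
# homeDirectory with its existing value, a no-op that is omitted here.)
# Public keys are not secrets, but the step 9 ACL gives users read-only access
# to their own entry, so only admins and the rootdn can change which key
# grants login.
cat > mod_users.ldif << 'EOF'
dn: cn=wuyutang,ou=Users,ou=People,dc=vimll,dc=com
changetype: modify
add: objectClass
objectClass: ldapPublicKey
-
add: sshPublicKey
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2E-----------
EOF
# Rootdn password is prompted for (-W) rather than given on the command line.
ldapmodify -x -H ldap://127.0.0.1:389 -D "cn=admin,dc=vimll,dc=com" -W -f mod_users.ldif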