kerberos集成ldap



kerberos集成ldap

注意:在安装过程中一定要注意目录/var/lib/ldap/etc/openldap/slapd.d这两个目录权限,集成过程中很多问题都是因为这两个目录权限设置错误引起的;因为安装的时候需要使用root账户,生成的配置文件不经意间就被改成了root;所以出现问题第一步就检查这两个目录权限

# Give the cn=config tree and the data directory back to slapd's own user and
# close them to everyone else. Every later step that runs as root (slaptest,
# copying DB_CONFIG) can silently leave root-owned files here, which is the
# failure mode the note above warns about.
for ldap_dir in /etc/openldap/slapd.d /var/lib/ldap; do
  chown -R ldap:ldap -- "$ldap_dir" && chmod -R 700 -- "$ldap_dir"
done
Ldap安装
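# Install the OpenLDAP server/client stack plus krb5-server-ldap, which ships
# the kerberos.schema that slapd.conf includes further down.
# "hadooppat-openldap" in the original listing is a mangled "compat-openldap"
# (the whole page has "com" rewritten as "hadoop"); yum has no such package.
yum -y install openldap compat-openldap openldap-clients \
  openldap-servers openldap-servers-sql openldap-devel migrationtools krb5-server-ldap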

复制kerberos的schemas

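# Copy the Kerberos schema files shipped with krb5-server-ldap into slapd's
# schema directory (slapd.conf below does "include .../kerberos.schema").
# The doc directory name carries the package version (1.15.1 on the original
# host); glob it so the step survives a different krb5 release. "--" stops
# option parsing in case a file name starts with "-".
cp -- /usr/share/doc/krb5-server-ldap*/* /etc/openldap/schema/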

编写slapd.conf,rootpw密码生成命令:slappasswd -s 123456

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/kerberos.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
pidfile     /var/run/openldap/slapd.pid
argsfile    /var/run/openldap/slapd.args
loglevel 135
idletimeout 5
writetimeout 5
access to attrs=userPassword
  by self read
  by dn.exact="cn=ops,ou=control,dc=haohaozhu,dc=hadoop" write
  by anonymous auth
access to dn.subtree="cn=kerberos,dc=haohaozhu,dc=hadoop"
  by dn.exact="cn=kdc-adm,ou=control,dc=haohaozhu,dc=hadoop" write
  by dn.exact="cn=kdc-srv,ou=control,dc=haohaozhu,dc=hadoop" read
  by * none
access to dn.base=""
  by * read
access to *
  by self write
  by dn.base="cn=ops,ou=control,dc=haohaozhu,dc=hadoop" write
  by users read
  by anonymous read
#TLSCipherSuite        HIGH:MEDIUM:-SSLv2
#TLSVerifyClient       never
TLSCertificateFile    /etc/openldap/certs/server.pem
TLSCertificateKeyFile /etc/openldap/certs/server.pem
TLSCACertificateFile  /etc/openldap/certs/server.pem
#######################################################################
# BDB database definitions
#######################################################################
database    hdb
suffix      "dc=haohaozhu,dc=hadoop"
checkpoint  32    30
rootdn      "cn=root,dc=haohaozhu,dc=hadoop"
rootpw      {SSHA}uzOioym5JcfTG0ZNnARvP+Bx4OZGjv0P
directory   /var/lib/ldap/
dbconfig    set_cachesize  0 268435456 1
dbconfig    set_lg_regionmax 262144
dbconfig    set_lg_bsize 2097152
index       objectClass,entryCSN,entryUUID eq
index       uid,uidNumber,gidNumber eq,pres
index       ou,krbPrincipalName eq,pres,sub

生成证书

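# Self-signed certificate for slapd's TLS listener. The original used
# rsa:1024, which current TLS clients and OpenSSL defaults reject as too
# weak; 2048 is the minimum today. "-nodes" leaves the key unencrypted
# (slapd has to read it unattended), and "-out"/"-keyout" name the same
# file, so server.pem contains the private key together with the
# certificate: slapd.conf points all three TLS* directives at it.
# 36500 days (~100 years) is the page's original value; a shorter validity
# is advisable where the certificate is ever checked by policy.
openssl req -newkey rsa:2048 -x509 -nodes -out server.pem -keyout server.pem -days 36500
mv -- server.pem /etc/openldap/certs/
# The file holds the private key: readable by slapd's user only.
chown ldap:ldap /etc/openldap/certs/server.pem
chmod 600 /etc/openldap/certs/server.pem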

生成配置文件,修改文件权限

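# Wipe any previous database and cn=config tree, then regenerate cn=config
# from slapd.conf. This is destructive on purpose: both directories are
# emptied. The ":?" expansions abort if a path variable is ever empty, so the
# glob can never degrade into "rm -rf /*".
ldap_data=/var/lib/ldap
ldap_conf_d=/etc/openldap/slapd.d
rm -rf -- "${ldap_data:?}"/* "${ldap_conf_d:?}"/*
# Berkeley DB tuning file for the hdb back-end configured in slapd.conf
cp -- /usr/share/openldap-servers/DB_CONFIG.example "$ldap_data/DB_CONFIG"
# A start/stop cycle creates the database files; without them "slaptest -f"
# fails (this is why the original listing starts the service at this point).
service slapd start
service slapd stop
# Convert slapd.conf into the slapd.d (cn=config) directory. The original
# listing had these two commands fused onto one line with the chown below;
# each is a separate command, and a failed conversion must stop the run.
slaptest -f /etc/openldap/slapd.conf -F "$ldap_conf_d" || exit 1
slaptest -u || exit 1
# slaptest ran as root and left root-owned files behind; hand everything
# back to slapd's user (see the warning at the top of the page).
for ldap_dir in "$ldap_conf_d" "$ldap_data"; do
  chown -R ldap:ldap -- "$ldap_dir" && chmod -R 700 -- "$ldap_dir"
done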

启动服务:

# Start the directory server now and register it to start at boot
# (SysV-style host: service/chkconfig, as used throughout this page).
ldap_service=slapd
service "$ldap_service" start
chkconfig "$ldap_service" on

导入用户,vi init.ldif(密码生成命令:slappasswd -s 123456 | base64)

dn: dc=haohaozhu,dc=hadoop
dc: haohaozhu
objectClass: domain
objectClass: dcObject

dn: ou=group,dc=haohaozhu,dc=hadoop
ou: group
objectClass: organizationalUnit

dn: ou=aliases,dc=haohaozhu,dc=hadoop
ou: aliases
objectClass: organizationalUnit

dn: ou=people,dc=haohaozhu,dc=hadoop
ou: people
objectClass: organizationalUnit

dn: cn=kerberos,dc=haohaozhu,dc=hadoop
cn: kerberos
objectClass: organizationalRole

dn: ou=control,dc=haohaozhu,dc=hadoop
ou: control
objectClass: organizationalUnit

dn: cn=kdc-srv,ou=control,dc=haohaozhu,dc=hadoop
cn: kdc-srv
userPassword:: e1NTSEF9NGtCQmVPZzJsNG16Nml4d0tTQTRFbkQ0a2VGR1Z0TW0K
objectClass: simpleSecurityObject
objectClass: organizationalRole

dn: cn=kdc-adm,ou=control,dc=haohaozhu,dc=hadoop
cn: kdc-adm
userPassword:: e1NTSEF9NGtCQmVPZzJsNG16Nml4d0tTQTRFbkQ0a2VGR1Z0TW0K
objectClass: simpleSecurityObject
objectClass: organizationalRole

dn: cn=root,dc=haohaozhu,dc=hadoop
cn: root
userPassword:: e1NTSEF9NGtCQmVPZzJsNG16Nml4d0tTQTRFbkQ0a2VGR1Z0TW0K
objectClass: simpleSecurityObject
objectClass: organizationalRole

dn: cn=demo_users,ou=group,dc=haohaozhu,dc=hadoop
cn: demo_users
gidNumber: 20000
objectClass: posixGroup

dn: uid=test,ou=people,dc=haohaozhu,dc=hadoop
uid: test
uidNumber: 10000
gidNumber: 20000
sn: Test
cn: Test User
loginShell: /bin/bash
homeDirectory: /home/users/test
objectClass: person
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson

导入数据

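# Load the bootstrap entries from init.ldif as the directory manager.
# The original passed the manager password on the command line
# ("-w 123456"), which exposes it in "ps" output and in shell history;
# "-W" prompts for it instead ("-y <file>" with a mode-600 password file is
# the unattended alternative). "-H" replaces the deprecated "-h host" form;
# this is plain ldap:// to loopback only, so nothing leaves the host.
ldapadd -x -D 'cn=root,dc=haohaozhu,dc=hadoop' -W -H ldap://127.0.0.1 -f init.ldif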

安装kerberos

# KDC, admin server, client tools and headers for the MIT Kerberos stack.
krb5_pkgs=(krb5-server krb5-libs krb5-auth-dialog krb5-workstation krb5-devel)
yum install -y "${krb5_pkgs[@]}"

修改/etc/krb5.conf(特别要注意文件格式)

[libdefaults]
 debug = false
 default_realm = HAOHAOZHU.HADOOP

[realms]
 HAOHAOZHU.HADOOP = {
  kdc = 127.0.0.1
  admin_server = 127.0.0.1
  default_domain = haohaozhu.hadoop
  database_module = openldap_ldapconf
  key_stash_file = /etc/krb5.HAOHAOZHU.HADOOP
  max_life = 1d 0h 0m 0s
  max_renewable_life = 90d 0h 0m 0s
  dict_file = /usr/share/dict/words
 }

[domain_realm]
 .haohaozhu.hadoop = HAOHAOZHU.HADOOP
 haohaozhu.hadoop = HAOHAOZHU.HADOOP

[logging]
 default = SYSLOG
 admin_server = FILE:/var/log/kadmind.log
 kdc = FILE:/var/log/kdc.log

[dbdefaults]
 ldap_kerberos_container_dn = cn=kerberos,dc=haohaozhu,dc=hadoop

[dbmodules]
 openldap_ldapconf = {
  db_library = kldap
  ldap_servers = ldap://base.server:389
  ldap_kerberos_container_dn = cn=kerberos,dc=haohaozhu,dc=hadoop
  ldap_kdc_dn = cn=kdc-srv,ou=control,dc=haohaozhu,dc=hadoop
  ldap_kadmind_dn = cn=kdc-adm,ou=control,dc=haohaozhu,dc=hadoop
  ldap_service_password_file = /etc/krb5.ldap
  ldap_conns_per_server = 5
 }

生成密钥:

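# Stash the bind passwords of the two Kerberos service DNs in /etc/krb5.ldap,
# the file krb5.conf's ldap_service_password_file points at. The original
# passed the cn=root password on the command line ("-w 123456"), which shows
# up in "ps" and shell history; without "-w" kdb5_ldap_util prompts for it.
# It also prompts for each service DN's password, which must match the
# userPassword set for that DN in init.ldif.
for svc_dn in cn=kdc-srv,ou=control,dc=haohaozhu,dc=hadoop \
              cn=kdc-adm,ou=control,dc=haohaozhu,dc=hadoop; do
  kdb5_ldap_util -D cn=root,dc=haohaozhu,dc=hadoop stashsrvpw -f /etc/krb5.ldap "$svc_dn"
done
# The stash now holds credentials with write access to the Kerberos
# container in LDAP: root-only.
chmod 600 /etc/krb5.ldap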

vi /var/kerberos/krb5kdc/kdc.conf

[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 HAOHAOZHU.HADOOP = {
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  database_name = /var/kerberos/principal
  max_renewable_life = 7d
  supported_enctypes =  des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }

vi /var/kerberos/krb5kdc/kadm5.acl

*/admin@HAOHAOZHU.HADOOP	*

创建kerberos数据库

# Create the realm under the cn=kerberos container that init.ldif added.
# No "-w" is given, so the tool prompts for the cn=root bind password, and
# "create" prompts for the new master key. Note the URI is plain ldap://
# (no TLS), so that bind password crosses the wire in clear unless
# base.server is this host; and kdc.conf's supported_enctypes above lists
# only DES/3DES/RC4 — AES types (e.g. aes256-cts-hmac-sha1-96) are absent.
krb_realm=HAOHAOZHU.HADOOP
ldap_uri=ldap://base.server:389
kdb5_ldap_util -D cn=root,dc=haohaozhu,dc=hadoop -H "$ldap_uri" create -r "$krb_realm"

启动kerberos

# Start the KDC and the kadmin server; both read the LDAP back-end settings
# from krb5.conf and the service passwords from /etc/krb5.ldap.
for krb_svc in krb5kdc kadmin; do
  service "$krb_svc" start
done

添加admin

# Create the first administrative principal from the KDC host itself
# (kadmin.local needs no credentials). It matches the "*/admin@REALM *"
# rule in kadm5.acl, so it gets full rights over the realm.
admin_princ=admin/admin
kadmin.local -q "addprinc $admin_princ"

添加用户leo

[root@base openldap]# kadmin
Authenticating as principal admin/admin@HAOHAOZHU.HADOOP with password.
Password for admin/admin@HAOHAOZHU.HADOOP:
kadmin:  add_principal leo
WARNING: no policy specified for leo@HAOHAOZHU.HADOOP; defaulting to no policy
Enter password for principal "leo@HAOHAOZHU.HADOOP":
Re-enter password for principal "leo@HAOHAOZHU.HADOOP":
Principal "leo@HAOHAOZHU.HADOOP" created.

使用leo用户登录

[root@base openldap]# kinit leo
Password for leo@HAOHAOZHU.HADOOP:
[root@base openldap]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: leo@HAOHAOZHU.HADOOP

Valid starting       Expires              Service principal
2019-05-29T11:47:41  2019-05-30T11:47:41  krbtgt/HAOHAOZHU.HADOOP@HAOHAOZHU.HADOOP

Apache Directory Studio配置


查看Ldap中生成的Kerberos账号的目录结构
