Kerberos integration with LDAP
Note: during installation pay close attention to the permissions of the two directories /var/lib/ldap and /etc/openldap/slapd.d. Many problems during the integration come from wrong permissions on these two directories: the installation has to be done as root, and the generated configuration files end up owned by root without anyone noticing. So whenever something goes wrong, the first step is to check the permissions of these two directories:
chown -R ldap:ldap /etc/openldap/slapd.d && chmod -R 700 /etc/openldap/slapd.d
chown -R ldap:ldap /var/lib/ldap && chmod -R 700 /var/lib/ldap
Installing LDAP
yum -y install openldap compat-openldap openldap-clients \
openldap-servers openldap-servers-sql openldap-devel migrationtools krb5-server-ldap
Copy the Kerberos schema files
cp /usr/share/doc/krb5-server-ldap-1.15.1/* /etc/openldap/schema/
Set up the LDAP database configuration file
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
Write slapd.conf (the rootpw hash is generated with: slappasswd -s 123456)
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/kerberos.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
loglevel 135
idletimeout 5
writetimeout 5
access to attrs=userPassword
by self read
by dn.exact="cn=ops,ou=control,dc=haohaozhu,dc=hadoop" write
by anonymous auth
access to dn.subtree="cn=kerberos,dc=haohaozhu,dc=hadoop"
by dn.exact="cn=kdc-adm,ou=control,dc=haohaozhu,dc=hadoop" write
by dn.exact="cn=kdc-srv,ou=control,dc=haohaozhu,dc=hadoop" read
by * none
access to dn.base=""
by * read
access to *
by self write
by dn.base="cn=ops,ou=control,dc=haohaozhu,dc=hadoop" write
by users read
by anonymous read
#TLSCipherSuite HIGH:MEDIUM:-SSLv2
#TLSVerifyClient never
TLSCertificateFile /etc/openldap/certs/server.pem
TLSCertificateKeyFile /etc/openldap/certs/server.pem
TLSCACertificateFile /etc/openldap/certs/server.pem
#######################################################################
# BDB database definitions
#######################################################################
database hdb
suffix "dc=haohaozhu,dc=hadoop"
checkpoint 32 30
rootdn "cn=root,dc=haohaozhu,dc=hadoop"
rootpw {SSHA}uzOioym5JcfTG0ZNnARvP+Bx4OZGjv0P
directory /var/lib/ldap/
dbconfig set_cachesize 0 268435456 1
dbconfig set_lg_regionmax 262144
dbconfig set_lg_bsize 2097152
index objectClass,entryCSN,entryUUID eq
index uid,uidNumber,gidNumber eq,pres
index ou,krbPrincipalName eq,pres,sub
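To check what the access rules above actually grant, here is an added example (not part of the original post) that applies slapd's first-match evaluation to the page's own ACL; the principal DN under cn=kerberos used in the checks is a constructed sample. It also makes the effect of the final `by anonymous read` clause visible: everything outside the Kerberos container and the userPassword attribute is readable without binding.

```python
# Access directives copied from the page's slapd.conf, in file order (first match wins).
SLAPD_ACL = """\
access to attrs=userPassword
  by self read
  by dn.exact="cn=ops,ou=control,dc=haohaozhu,dc=hadoop" write
  by anonymous auth
access to dn.subtree="cn=kerberos,dc=haohaozhu,dc=hadoop"
  by dn.exact="cn=kdc-adm,ou=control,dc=haohaozhu,dc=hadoop" write
  by dn.exact="cn=kdc-srv,ou=control,dc=haohaozhu,dc=hadoop" read
  by * none
access to dn.base=""
  by * read
access to *
  by self write
  by dn.base="cn=ops,ou=control,dc=haohaozhu,dc=hadoop" write
  by users read
  by anonymous read
"""
LEVELS = ["none", "auth", "compare", "search", "read", "write"]  # each implies those to its left

def parse_acl(text):
    """Return [(what, [(who, level), ...]), ...] in file order."""
    rules = []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("access to "):
            rules.append((line[len("access to "):], []))
        elif line.startswith("by "):
            who, level = line[3:].rsplit(" ", 1)
            rules[-1][1].append((who, level))
    return rules
def _dn(spec):  # dn.exact="..." / dn.base="..." / dn.subtree="..." -> lower-cased DN
    return spec.split('"')[1].lower()
def what_matches(what, target, attr):
    if what == "*": return True
    if what.startswith("attrs="): return attr in what[len("attrs="):].split(",")
    if what.startswith("dn.base="): return target == _dn(what)
    if what.startswith("dn.subtree="): return target == _dn(what) or target.endswith("," + _dn(what))
    return False
def who_matches(who, bind, target):
    return (who == "*" or (who == "anonymous" and bind == "") or (who == "users" and bind != "")
            or (who == "self" and bind == target) or (who.startswith("dn.") and bind == _dn(who)))
def allowed(bind_dn, target_dn, attr, want, rules=parse_acl(SLAPD_ACL)):
    """First matching 'access to' decides; first matching 'by' sets the level; none otherwise."""
    bind, target = bind_dn.lower(), target_dn.lower()
    for what, clauses in rules:
        if what_matches(what, target, attr):
            level = next((lvl for who, lvl in clauses if who_matches(who, bind, target)), "none")
            return LEVELS.index(level) >= LEVELS.index(want)
    return False
```

Pass an empty bind DN for an anonymous request; the attribute name only matters for the `attrs=userPassword` rule.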
Generate the certificate
openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout server.pem -days 36500
mv server.pem /etc/openldap/certs/
Generate the configuration directory and fix the file permissions
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
slaptest -u
chown -R ldap:ldap /etc/openldap/slapd.d && chmod -R 700 /etc/openldap/slapd.d
chown -R ldap:ldap /var/lib/ldap && chmod -R 700 /var/lib/ldap
Start the service:
service slapd start
chkconfig slapd on
Import users: vi init.ldif
(the password value is generated with: slappasswd -s 123456 | base64)
dn: dc=haohaozhu,dc=hadoop
dc: haohaozhu
objectClass: domain
objectClass: dcObject
dn: ou=group,dc=haohaozhu,dc=hadoop
ou: group
objectClass: organizationalUnit
dn: ou=aliases,dc=haohaozhu,dc=hadoop
ou: aliases
objectClass: organizationalUnit
dn: ou=people,dc=haohaozhu,dc=hadoop
ou: people
objectClass: organizationalUnit
dn: cn=kerberos,dc=haohaozhu,dc=hadoop
cn: kerberos
objectClass: organizationalRole
dn: ou=control,dc=haohaozhu,dc=hadoop
ou: control
objectClass: organizationalUnit
dn: cn=kdc-srv,ou=control,dc=haohaozhu,dc=hadoop
cn: kdc-srv
userPassword:: e1NTSEF9NGtCQmVPZzJsNG16Nml4d0tTQTRFbkQ0a2VGR1Z0TW0K
objectClass: simpleSecurityObject
objectClass: organizationalRole
dn: cn=kdc-adm,ou=control,dc=haohaozhu,dc=hadoop
cn: kdc-adm
userPassword:: e1NTSEF9NGtCQmVPZzJsNG16Nml4d0tTQTRFbkQ0a2VGR1Z0TW0K
objectClass: simpleSecurityObject
objectClass: organizationalRole
dn: cn=root,dc=haohaozhu,dc=hadoop
cn: root
userPassword:: e1NTSEF9NGtCQmVPZzJsNG16Nml4d0tTQTRFbkQ0a2VGR1Z0TW0K
objectClass: simpleSecurityObject
objectClass: organizationalRole
dn: cn=demo_users,ou=group,dc=haohaozhu,dc=hadoop
cn: demo_users
gidNumber: 20000
objectClass: posixGroup
dn: uid=test,ou=people,dc=haohaozhu,dc=hadoop
uid: test
uidNumber: 10000
gidNumber: 20000
sn: Test
cn: Test User
loginShell: /bin/bash
homeDirectory: /home/users/test
objectClass: person
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
Import the data
ldapadd -x -D 'cn=root,dc=haohaozhu,dc=hadoop' -w 123456 -h 127.0.0.1 -f init.ldif
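As an added check (not part of the original post), the following decodes the `userPassword::` value used in init.ldif above and shows how OpenLDAP's {SSHA} scheme is built and verified, so you can confirm the directory stores a salted hash rather than cleartext; the fixed salt used in the round-trip is a constructed sample.

```python
import base64
import hashlib
import os

# userPassword value copied from the page's init.ldif ("::" marks a base64-encoded value).
PAGE_USERPASSWORD = "e1NTSEF9NGtCQmVPZzJsNG16Nml4d0tTQTRFbkQ0a2VGR1Z0TW0K"

def decode_ldif_value(b64_value):
    """Undo the LDIF '::' base64 layer. The page pipes slappasswd through `base64`,
    so the trailing newline slappasswd prints is encoded as well; strip it."""
    return base64.b64decode(b64_value).decode().strip()

def make_ssha(password, salt=None):
    """Build an OpenLDAP {SSHA} value: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def verify_ssha(password, ssha_value):
    """Check a password against an {SSHA} value; other schemes are rejected."""
    if not ssha_value.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(ssha_value[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, the rest is the salt
    return hashlib.sha1(password.encode() + salt).digest() == digest

def is_hashed(ldif_b64_value):
    """True when the stored userPassword uses a {SCHEME} prefix rather than cleartext."""
    return decode_ldif_value(ldif_b64_value).startswith("{")
```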
Install Kerberos
yum install krb5-server krb5-libs krb5-auth-dialog krb5-workstation krb5-devel -y
Edit /etc/krb5.conf
[libdefaults]
debug = false
default_realm = HAOHAOZHU.HADOOP
[realms]
HAOHAOZHU.HADOOP = {
kdc = 127.0.0.1
admin_server = 127.0.0.1
default_domain = haohaozhu.hadoop
database_module = openldap_ldapconf
key_stash_file = /etc/krb5.HAOHAOZHU.HADOOP
max_life = 1d 0h 0m 0s
max_renewable_life = 90d 0h 0m 0s
dict_file = /usr/share/dict/words
}
[domain_realm]
.haohaozhu.hadoop = HAOHAOZHU.HADOOP
haohaozhu.hadoop = HAOHAOZHU.HADOOP
[logging]
default = SYSLOG
admin_server = FILE:/var/log/kadmind.log
kdc = FILE:/var/log/kdc.log
[dbdefaults]
ldap_kerberos_container_dn = cn=kerberos,dc=haohaozhu,dc=hadoop
[dbmodules]
openldap_ldapconf = {
db_library = kldap
ldap_servers = ldap://base.server.com:389
ldap_kerberos_container_dn = cn=kerberos,dc=haohaozhu,dc=hadoop
ldap_kdc_dn = cn=kdc-srv,ou=control,dc=haohaozhu,dc=hadoop
ldap_kadmind_dn = cn=kdc-adm,ou=control,dc=haohaozhu,dc=hadoop
ldap_service_password_file = /etc/krb5.ldap
ldap_conns_per_server = 5
}
Stash the LDAP service account passwords (this creates /etc/krb5.ldap):
kdb5_ldap_util -D cn=root,dc=haohaozhu,dc=hadoop -w 123456 stashsrvpw -f /etc/krb5.ldap cn=kdc-srv,ou=control,dc=haohaozhu,dc=hadoop
kdb5_ldap_util -D cn=root,dc=haohaozhu,dc=hadoop -w 123456 stashsrvpw -f /etc/krb5.ldap cn=kdc-adm,ou=control,dc=haohaozhu,dc=hadoop
vi /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
HAOHAOZHU.HADOOP = {
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
database_name = /var/kerberos/principal
max_renewable_life = 7d
supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
vi /var/kerberos/krb5kdc/kadm5.acl
*/[email protected] *
Create the Kerberos database
kdb5_ldap_util -D cn=root,dc=haohaozhu,dc=hadoop -H ldap://base.server.com:389 create -r HAOHAOZHU.HADOOP
Start Kerberos
service krb5kdc start
service kadmin start
Add the admin principal
kadmin.local -q "addprinc admin/admin"
Add the user leo
[[email protected] openldap]# kadmin
Authenticating as principal admin/[email protected] with password.
Password for admin/[email protected]:
kadmin: add_principal leo
WARNING: no policy specified for [email protected]; defaulting to no policy
Enter password for principal "[email protected]":
Re-enter password for principal "[email protected]":
Principal "[email protected]" created.
Log in as user leo
[[email protected] openldap]# kinit leo
Password for [email protected]:
[[email protected] openldap]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]
Valid starting Expires Service principal
2019-05-29T11:47:41 2019-05-30T11:47:41 krbtgt/[email protected]
Apache Directory Studio configuration
View the directory structure of the Kerberos accounts created in LDAP