2. How to implement OpenLDAP-integrated SSH login on RedHat 7 and sync users using SSSD



Fayson's GitHub: https://github.com/fayson/cdhproject


1. Purpose of the document


Fayson's previous article, "1. How to install OpenLDAP and configure the client on RedHat7", covered installing OpenLDAP and configuring the client. Once OpenLDAP is installed and configured, the next step is to let users defined in OpenLDAP log in to the cluster servers, so this article focuses on how to implement OpenLDAP-integrated SSH login on RedHat 7 and how to use SSSD to synchronize users.

  • Content overview

1. Installing the OpenLDAP client and dependency packages

2. OpenLDAP client SSSD configuration

3. OpenLDAP and SSH integration

4. Verify SSH login

  • Test environment

1. RedHat 7.3

2. OpenLDAP version 2.4.40

  • Prerequisites

1. OpenLDAP is installed and serving properly

2. OpenLDAP client SSSD configuration


1. Install the client packages

yum -y install openldap-clients sssd authconfig nss-pam-ldapd

2. Copy the certificate from the OpenLDAP server's /etc/openldap/certs directory to the OpenLDAP client node (skip this step if TLS is not enabled for the OpenLDAP service). Only the public certificate (ldap.crt, or the CA certificate that signed it) is needed on the client; the server's private key ldap.key is secret and must stay on the server. Keep track of the directory you copy into: it has to be the one named by ldap_tls_cacertdir in the SSSD configuration.

Execute the following commands on the client node to build the hash symlinks OpenSSL uses to locate the certificate:

[root@ip-172-31-30-69 openldap]# cacertdir_rehash /etc/openldap/certs/
[root@ip-172-31-30-69 openldap]# ll /etc/openldap/certs/

3. Run authconfig to enable SSSD (replace --enableldaptls with --disableldaptls if the OpenLDAP service is not TLS enabled):

authconfig --enablesssd --enablesssdauth --enablerfc2307bis --enableldap --enableldapauth --disableforcelegacy --enableldaptls --disablekrb5 --ldapserver ldap://ip-172-31-24-169.ap-southeast-1.compute.internal --ldapbasedn "dc=fayson,dc=com" --enablemkhomedir --update

4. Modify /etc/sssd/sssd.conf. authconfig generates this file; create it if it does not exist. Its contents are as follows (comments added to mark the settings that matter for security):

[root@ip-172-31-30-69 certs]# vim /etc/sssd/sssd.conf
[domain/default]
autofs_provider = ldap
ldap_schema = rfc2307bis
# krb5_realm and krb5_server are written by authconfig but not used with auth_provider = ldap
krb5_realm = FAYSON.COM
ldap_search_base = dc=fayson,dc=com
krb5_server = ip-172-31-16-68.ap-southeast-1.compute.internal
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://ip-172-31-24-169.ap-southeast-1.compute.internal
# upgrade the plain ldap:// connection with STARTTLS before identity lookups
ldap_id_use_start_tls = True
# allow = accept the server certificate even when it cannot be verified (see the note below)
ldap_tls_reqcert = allow
cache_credentials = True
# must be the directory the CA certificate was rehashed into
ldap_tls_cacertdir = /etc/openldap/cacerts
[sssd]
services = nss, pam, autofs
domains = default
[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

[secrets]

Note: in the configuration above, if the OpenLDAP service is TLS enabled you need to add the ldap_tls_reqcert = allow line. With allow, SSSD accepts the server certificate even when it cannot be verified, which gets a lab working but offers no protection against a spoofed LDAP server. For production, set ldap_tls_reqcert = demand (when the option is absent it defaults to hard, which behaves the same) and make sure the CA certificate is in the directory named by ldap_tls_cacertdir: authconfig writes /etc/openldap/cacerts, whereas the certificate was rehashed into /etc/openldap/certs in step 2, so either set ldap_tls_cacertdir = /etc/openldap/certs or rehash into /etc/openldap/cacerts.

Set the permissions of the sssd.conf file. SSSD refuses to start unless the file is owned by root with mode 0600:

chmod 600 /etc/sssd/sssd.conf

5. Start the sssd service and enable it at boot

[root@ip-172-31-30-69 ~]# systemctl start sssd
[root@ip-172-31-30-69 ~]# systemctl enable sssd
[root@ip-172-31-30-69 ~]# systemctl status sssd

6. SSSD is now configured, so an OpenLDAP user can be looked up with id

[root@ip-172-31-30-69 ~]# more /etc/passwd|grep fayson
[root@ip-172-31-30-69 ~]# id fayson

The fayson user is resolved through OpenLDAP (via SSSD), while /etc/passwd has no local fayson entry.

This completes the configuration of SSSD.
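The TLS settings in sssd.conf are where this integration is most often left weak, so the following is an added example (not part of the original article) that audits an sssd.conf for them: an ldap_tls_reqcert other than demand/hard, a plain ldap:// URI without STARTTLS, an ldap_tls_cacertdir that differs from the directory cacertdir_rehash was run in, and a file mode other than 0600. It assumes a GNU/Linux host (stat -c) and writes its own constructed sample configurations modelled on the listing above; the path /etc/openldap/certs passed as the second argument is the directory from step 2 and is an assumption of the example.

```shell
#!/bin/sh
# Added example (not from the original article): audit an sssd.conf for the
# TLS weaknesses discussed above. Assumes GNU coreutils (stat -c '%a').

# conf_get FILE KEY: print the value of the first "KEY = value" line, skipping comments.
conf_get() {
    awk -v k="$2" '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*$/ { next }
        {
            key = $0; sub(/=.*/, "", key); gsub(/[[:space:]]/, "", key)
            if (key == k) {
                val = $0; sub(/^[^=]*=/, "", val)
                sub(/^[[:space:]]+/, "", val); sub(/[[:space:]]+$/, "", val)
                print val; exit
            }
        }' "$1"
}

# audit_sssd_conf FILE [CERTDIR]: one WARN line per finding on stderr, the number of
# findings on stdout and as the exit status. CERTDIR is where cacertdir_rehash was run.
audit_sssd_conf() {
    conf="$1"; certdir="${2:-/etc/openldap/certs}"; findings=0

    reqcert=$(conf_get "$conf" ldap_tls_reqcert)
    case "$reqcert" in
        ""|demand|hard) ;;   # absent means hard: an unverifiable certificate is rejected
        *) echo "WARN: ldap_tls_reqcert = $reqcert accepts a server certificate that cannot be verified (use demand)" >&2
           findings=$((findings + 1)) ;;
    esac

    uri=$(conf_get "$conf" ldap_uri)
    starttls=$(conf_get "$conf" ldap_id_use_start_tls | tr '[:upper:]' '[:lower:]')
    case "$uri" in
        ldaps://*) ;;
        ldap://*)
            if [ "$starttls" != "true" ]; then
                echo "WARN: ldap_uri is plain ldap:// and ldap_id_use_start_tls is not True: identity lookups go in cleartext" >&2
                findings=$((findings + 1))
            fi ;;
        *) echo "WARN: ldap_uri is missing or unrecognised: '$uri'" >&2
           findings=$((findings + 1)) ;;
    esac

    cacertdir=$(conf_get "$conf" ldap_tls_cacertdir)
    if [ -n "$cacertdir" ] && [ "${cacertdir%/}" != "${certdir%/}" ]; then
        echo "WARN: ldap_tls_cacertdir = $cacertdir but the CA certificate was rehashed into $certdir" >&2
        findings=$((findings + 1))
    fi

    mode=$(stat -c '%a' "$conf")
    if [ "$mode" != "600" ]; then
        echo "WARN: $conf has mode $mode; sssd requires 0600 owned by root and will not start otherwise" >&2
        findings=$((findings + 1))
    fi

    echo "$findings"
    return "$findings"
}

# sample_sssd_conf FILE weak|hardened: write a constructed sssd.conf modelled on the
# article's [domain/default] section (weak), or the same with certificate verification enforced.
sample_sssd_conf() {
    if [ "$2" = weak ]; then rq=allow; cadir=/etc/openldap/cacerts; else rq=demand; cadir=/etc/openldap/certs; fi
    cat > "$1" <<EOF
[domain/default]
ldap_schema = rfc2307bis
ldap_search_base = dc=fayson,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://ip-172-31-24-169.ap-southeast-1.compute.internal
ldap_id_use_start_tls = True
ldap_tls_reqcert = $rq
cache_credentials = True
ldap_tls_cacertdir = $cadir
[sssd]
services = nss, pam
domains = default
EOF
}

# Demo: audit the article's settings as written (with lab permissions 644), then the hardened version.
demo=$(mktemp)
sample_sssd_conf "$demo" weak; chmod 644 "$demo"
echo "weak config:"; audit_sssd_conf "$demo" /etc/openldap/certs || true
sample_sssd_conf "$demo" hardened; chmod 600 "$demo"
echo "hardened config:"; audit_sssd_conf "$demo" /etc/openldap/certs || true
rm -f "$demo"
```

On a real client run audit_sssd_conf /etc/sssd/sssd.conf /etc/openldap/certs (as root, since the file is mode 0600); the weak sample reproduces three of the findings discussed above, the hardened one none.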

3. OpenLDAP integration with SSH


1. Modify /etc/ssh/sshd_config so that sshd authenticates accounts through PAM

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.
UsePAM yes


Note: password authentication is the method used here, so when integrating SSH login make sure sshd_config also has PasswordAuthentication yes (the RedHat default) next to UsePAM yes. Public-key login for directory users is a separate setup (sshd's AuthorizedKeysCommand with SSSD's sss_ssh_authorizedkeys) and is not covered in this article.

2. Modify /etc/pam.d/sshd and confirm that it pulls in the password-auth stack

[root@ip-172-31-30-69 sssd]# vim /etc/pam.d/sshd
#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Added: create the user's home directory on the first successful login
session    required     pam_mkhomedir.so
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare

3. Modify the configuration file /etc/pam.d/password-auth

[root@ip-172-31-30-69 sssd]# vim /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
#auth        sufficient    pam_sss.so forward_pass
auth        sufficient    pam_ldap.so forward_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
#account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
#password    sufficient    pam_sss.so use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
#session     optional      pam_sss.so
session     optional      pam_ldap.so

Note: in the marked lines above, the pam_sss.so entries generated by authconfig are commented out and replaced with pam_ldap.so. pam_ldap.so comes from nss-pam-ldapd and talks to the local nslcd daemon, so nslcd must be configured in /etc/nslcd.conf and running for these stacks to work; on a host that uses SSSD alone, keep the pam_sss.so lines instead, since SSSD authenticates against the same directory. Also heed the comment at the top of the file: rerunning authconfig overwrites these manual changes.

4. Modify the /etc/pam.d/system-auth configuration file

[root@ip-172-31-30-69 pam.d]# vim system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
#auth        sufficient    pam_sss.so forward_pass
auth        sufficient    pam_ldap.so forward_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
#account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
#password    sufficient    pam_sss.so use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so skel=/etc/skel/ umask=0022
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
#session     optional      pam_sss.so
session     optional      pam_ldap.so

Note: as in password-auth, the pam_sss.so lines in the marked section are replaced with pam_ldap.so (which again requires a running nslcd), and a pam_mkhomedir.so session line is added so that a directory user's home directory is created on first login. Type the module-type keyword carefully: PAM ignores a line whose first word it does not recognise, so a misspelled account line would leave the account stack with no directory check at all.

5. Restart the sshd service

[root@ip-172-31-30-69 pam.d]# systemctl restart sshd
[root@ip-172-31-30-69 pam.d]# systemctl status sshd

This completes the integration of OpenLDAP with SSH.
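Because authconfig regenerates password-auth and system-auth and the edits above are made by hand, a small slip changes the outcome silently: a mistyped module type (for instance ccount instead of account) is ignored by PAM and leaves that stack with no directory check, and switching only some stacks from pam_sss.so to pam_ldap.so mixes two backends. The following is an added example, not from the original article, that parses a PAM file and reports when the four stacks do not all use the same directory module, when the auth stack does not end with pam_deny.so, or when no mkhomedir module is present; the sample file it writes is constructed from the listing above, and the demo file name is an assumption.

```shell
#!/bin/sh
# Added example (not from the original article): audit the PAM stacks in a
# password-auth/system-auth style file for the properties the integration relies on.

# pam_lines FILE: print "type module" for every active line, skipping comments, the optional
# leading "-" and bracketed control fields such as [default=1 ignore=ignore success=ok].
pam_lines() {
    awk '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*$/ { next }
        {
            t = $1; sub(/^-/, "", t)
            i = 2
            if ($2 ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++ }
            m = $(i + 1); sub(/.*\//, "", m)
            print t, m
        }' "$1"
}

# pam_dir_modules FILE TYPE: unique directory modules (pam_sss.so / pam_ldap.so) used by one stack.
pam_dir_modules() {
    pam_lines "$1" | awk -v t="$2" '$1 == t && ($2 == "pam_sss.so" || $2 == "pam_ldap.so") { print $2 }' | sort -u
}

# audit_pam_file FILE: WARN lines on stderr, number of findings on stdout and as exit status.
audit_pam_file() {
    f="$1"; findings=0; backend=""
    for type in auth account password session; do
        set -- $(pam_dir_modules "$f" "$type")      # word-split the module list into $1..$n
        if [ "$#" -ne 1 ]; then
            echo "WARN: $type stack has $# directory module(s); expected exactly one of pam_sss.so/pam_ldap.so" >&2
            findings=$((findings + 1))
        elif [ -z "$backend" ]; then
            backend="$1"
        elif [ "$1" != "$backend" ]; then
            echo "WARN: $type stack uses $1 but earlier stacks use $backend" >&2
            findings=$((findings + 1))
        fi
    done
    last=$(pam_lines "$f" | awk '$1 == "auth" { m = $2 } END { print m }')
    if [ "$last" != "pam_deny.so" ]; then
        echo "WARN: auth stack must end with pam_deny.so (last module: ${last:-none})" >&2
        findings=$((findings + 1))
    fi
    if ! pam_lines "$f" | grep -Eq '^session (pam_mkhomedir|pam_oddjob_mkhomedir)\.so$'; then
        echo "WARN: no mkhomedir module in the session stack; a directory user's first login gets no home directory" >&2
        findings=$((findings + 1))
    fi
    echo "$findings"
    return "$findings"
}

# sample_pam_file FILE ACCOUNT_KW: write a constructed file modelled on the article's password-auth;
# ACCOUNT_KW is "account", or a misspelling such as "ccount" to show what PAM silently drops.
sample_pam_file() {
    acct="$2"
    cat > "$1" <<EOF
#%PAM-1.0
auth        required      pam_env.so
auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
#auth        sufficient    pam_sss.so forward_pass
auth        sufficient    pam_ldap.so forward_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
$acct     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so
session     required      pam_limits.so
session     optional      pam_mkhomedir.so skel=/etc/skel/ umask=0022
-session     optional      pam_systemd.so
session     required      pam_unix.so
session     optional      pam_ldap.so
EOF
}

# Demo: the listing as corrected, then the same file with the account keyword mistyped.
demo=$(mktemp)
sample_pam_file "$demo" account; echo "corrected listing:"; audit_pam_file "$demo" || true
sample_pam_file "$demo" ccount;  echo "with ccount typo:";  audit_pam_file "$demo" || true
rm -f "$demo"
```

Run audit_pam_file /etc/pam.d/password-auth and audit_pam_file /etc/pam.d/system-auth after editing; a non-zero exit status means at least one of the checks failed, and the stderr lines say which stack is affected.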

4. Verify SSH login


1. Confirm that the testldap user exists only in OpenLDAP

[root@ip-172-31-30-69 ~]# more /etc/passwd |grep testldap
[root@ip-172-31-30-69 ~]# id testldap
uid=10100(testldap) gid=10100(testldap) groups=10100(testldap)
[root@ip-172-31-30-69 ~]# 

2. Switch to the testldap user with su

[root@ip-172-31-30-69 ~]# su testldap
[testldap@ip-172-31-30-69 root]$ cd ~
[testldap@ip-172-31-30-69 ~]$ pwd
/home/testldap
[testldap@ip-172-31-30-69 ~]$ id
uid=10100(testldap) gid=10100(testldap) groups=10100(testldap)
[testldap@ip-172-31-30-69 ~]$ 

3. SSH login to the local machine

[root@ip-172-31-30-69 ~]# ssh testldap@localhost
testldap@localhost's password: 
Last login: Wed Apr  4 05:36:27 2018 from localhost
[testldap@ip-172-31-30-69 ~]$ pwd
/home/testldap
[testldap@ip-172-31-30-69 ~]$ id 
uid=10100(testldap) gid=10100(testldap) groups=10100(testldap)
[testldap@ip-172-31-30-69 ~]$ 

4. SSH login from a remote host

[root@ip-172-31-16-68 ~]# ssh testldap@ip-172-31-30-69
testldap@ip-172-31-30-69's password: 
Last login: Wed Apr  4 05:46:03 2018 from ip-172-31-16-68.ap-southeast-1.compute.internal
[testldap@ip-172-31-30-69 ~]$ pwd
/home/testldap
[testldap@ip-172-31-30-69 ~]$ id
uid=10100(testldap) gid=10100(testldap) groups=10100(testldap)
[testldap@ip-172-31-30-69 ~]$ 

5. Summary


  • After TLS is enabled for the OpenLDAP service, the client side must enable TLS as well (authconfig --enableldaptls and the ldap_tls_* options in sssd.conf), otherwise LDAP users cannot log in over SSH.
  • SSSD logs through syslog to /var/log/messages and writes per-component debug logs under /var/log/sssd/.

To establish a heart for heaven and earth, to establish a life for the people, to succeed the sages of the past, and to open up peace for all generations.

