
Centos7/Active Directory authentication using nss-pam-ldapd

程序员文章站 2022-06-26 20:00:19

There are many ways to authenticate CentOS against AD accounts, including samba+winbind, sssd and nss-pam-ldapd. This post covers authenticating AD accounts through nss-pam-ldapd.

1. Lab environment:

Two hosts: a Windows Server 2012 R2 domain controller and a CentOS 7.2 client that authenticates with AD accounts.

1. Windows OS: Active Directory 2012 R2

IP:10.10.1.1

hostname: ad

Domain ghost.com

2. Linux OS: CentOS 7.2 1511

IP:10.10.1.10

hostname:server1.ghost.com

2. Procedure:

AD domain controller:

hostname:ad

IP:10.10.1.1

1. Create the AD and DNS server: Server Manager ----> Add roles and features ----> Active Directory Domain Services + DNS Server. The detailed steps are not described here (everyone knows them ^_^).

2. Because Windows 2012 R2 does not include the Identity Management for UNIX component, it has to be enabled; Windows 2016 does not need this component installed. The commands are as follows:

Dism.exe /online /enable-feature /featurename:adminui 

Dism.exe /online /enable-feature /featurename:nis

Dism.exe /online /enable-feature /featurename:psync

See also the following link:

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731178(v=ws.11)

After the component is enabled, a UNIX Attributes tab appears in the account properties, and with Advanced Features enabled in the AD Users and Computers view the Attribute Editor becomes visible.

[Figure: Centos7/Active Directory authentication using nss-pam-ldapd]

3. Turn off the Windows firewall and add an A record for server1 in DNS (10.10.1.10) so that its name resolves.

4. Create the OU GHOST and the users zhangsan and linux_ad for authentication. If linux_ad reports authentication problems, try the administrator account, as shown in the figure above.

3. That was a bit long-winded! Now for what everyone is interested in: the Linux-side settings.

1. After the OS installation is complete, disable SELinux and firewalld.

2. Configure the IP address and DNS

[root@server1 ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0

TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
NAME=eth0
DEVICE=eth0
ONBOOT=yes
IPADDR=10.10.1.10
NETMASK=255.255.0.0
DNS=10.10.1.1
[root@server1 ~]# cat /etc/resolv.conf
search localdomain ghost.com
nameserver 10.10.1.1
[root@server1 ~]# yum -y install nss-pam-ldapd openldap-clients telnet

Authenticating through nss-pam-ldapd requires configuring the following files; the changes to system-auth-ac and password-auth-ac are identical.

[root@server1 ~]# cat /etc/nslcd.conf
uid nslcd
gid ldap
uri ldap://ad.ghost.com:389
# The OU and DC components must match the directory exactly; the admin group is best created under this OU as well.
base ou=GHOST,dc=ghost,dc=com
# The cn/dc values can be read from the distinguishedName attribute in the account's Attribute Editor in AD.
binddn cn=linux_ad,cn=users,dc=ghost,dc=com
bindpw linux_ad
scope group sub
scope hosts sub
bind_timelimit 3
timelimit 3
pagesize 1000
referrals off
filter passwd (&(objectClass=user)(!(objectClass=computer))(unixHomeDirectory=*))
map    passwd homeDirectory    unixHomeDirectory
filter shadow (&(objectClass=user)(!(objectClass=computer))(unixHomeDirectory=*))
map    shadow shadowLastChange pwdLastSet
filter group  (objectClass=group)
scope sub
ssl off
tls_reqcert never

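Before starting nslcd it is worth checking the file for the mistakes that the configuration above invites. The lint below is an added example, not part of the original post; the sample config it writes is constructed from the post's own values (ad.ghost.com, ou=GHOST, linux_ad), and the check names and messages are my own.

```sh
# Added example, not part of the original post: a lint for nslcd.conf that
# flags what a reviewer would raise about the configuration shown above:
#  - text after an option value ("base ... #OU..."): nslcd only treats whole
#    lines beginning with "#" as comments, so the file fails to parse
#  - bindpw sent in clear text: ldap:// URI without "ssl start_tls"
#  - tls_reqcert never: the AD server's certificate is never checked
#  - a file that holds bindpw but is readable by everyone
# Usage: nslcd_lint /etc/nslcd.conf   (prints findings, returns 1 if any)
nslcd_lint() {
    f=$1; findings=0; has_pw=0
    grep -Eiq '^[[:space:]]*bindpw[[:space:]]' "$f" && has_pw=1
    uri=$(awk 'tolower($1) == "uri" { print $2; exit }' "$f")
    ssl=$(awk 'tolower($1) == "ssl" { print tolower($2); exit }' "$f")
    if grep -Eq '^[[:space:]]*[A-Za-z_]+[[:space:]]+[^#]+[[:space:]]#' "$f"; then
        echo "parse: text after an option value is read as extra arguments, not a comment"
        findings=$((findings + 1))
    fi
    if [ "$has_pw" -eq 1 ] && [ "${uri#ldap://}" != "$uri" ] && [ "$ssl" != "start_tls" ]; then
        echo "crypto: bindpw travels in clear text (ldap:// without start_tls)"
        findings=$((findings + 1))
    fi
    if grep -Eiq '^[[:space:]]*tls_reqcert[[:space:]]+never' "$f"; then
        echo "crypto: tls_reqcert never disables server certificate verification"
        findings=$((findings + 1))
    fi
    if [ "$has_pw" -eq 1 ] && [ -n "$(find "$f" -perm -004)" ]; then
        echo "perms: file holds bindpw but is world-readable"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}
# Constructed sample reproducing the post's nslcd.conf, trailing annotations
# included (values are the post's, not from a live system).
write_sample_conf() {
    cat > "$1" <<'EOF'
uid nslcd
gid ldap
uri ldap://ad.ghost.com:389 #
base ou=GHOST,dc=ghost,dc=com #OU and DC must match the directory
binddn cn=linux_ad,cn=users,dc=ghost,dc=com
bindpw linux_ad
ssl off
tls_reqcert never
EOF
}
tmp=$(mktemp); write_sample_conf "$tmp"; chmod 644 "$tmp"
nslcd_lint "$tmp" || echo "fix the findings above before starting nslcd"
rm -f "$tmp"
```

Run against the sample it reports all four findings; a file with `ssl start_tls`, `tls_reqcert demand`, no trailing text and mode 0600 passes cleanly.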
[root@server1 ~]# cat /etc/nsswitch.conf
passwd:     files  ldap # add ldap as a lookup source
shadow:     files  ldap
group:      files  ldap
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files ldap
netgroup:   files  ldap
publickey:  nisplus
automount:  files ldap
aliases:    files nisplus

[root@server1 ~]# cat /etc/pam.d/system-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_ldap.so use_first_pass # add ldap authentication
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so # add ldap authentication
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok # add ldap authentication
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so # add ldap authentication

Test whether port 389 on the AD server is reachable:

[root@server1 ~]# telnet 10.10.1.1 389
Trying 10.10.1.1...
Connected to 10.10.1.1.
Escape character is '^]'.

Start the nslcd service:

[root@server1 ~]# systemctl start nslcd

[root@server1 ~]# systemctl status nslcd
● nslcd.service - Naming services LDAP client daemon.
   Loaded: loaded (/usr/lib/systemd/system/nslcd.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2018-02-07 16:29:57 CST; 13s ago
  Process: 6904 ExecStart=/usr/sbin/nslcd (code=exited, status=0/SUCCESS)
 Main PID: 6905 (nslcd)
   CGroup: /system.slice/nslcd.service
           └─6905 /usr/sbin/nslcd

Feb 07 16:29:57 server1.ghost.com systemd[1]: Starting Naming services LDAP client daemon....
Feb 07 16:29:57 server1.ghost.com systemd[1]: PID file /var/run/nslcd/nslcd.pid not readable (yet?) after start.
Feb 07 16:29:57 server1.ghost.com nslcd[6905]: version 0.8.13 starting
Feb 07 16:29:57 server1.ghost.com nslcd[6905]: accepting connections
Feb 07 16:29:57 server1.ghost.com systemd[1]: Started Naming services LDAP client daemon..
Feb 07 16:30:06 server1.ghost.com systemd[1]: Started Naming services LDAP client daemon..

Use ldapsearch to test whether the bind account can authenticate and search:

ldapsearch -h ad.ghost.com -b dc=ghost,dc=com -D cn=linux_ad,cn=users,dc=ghost,dc=com -W -p 389

Check whether zhangsan is now visible on the Linux system:

[root@server1 ~]# id zhangsan

uid=10001(zhangsan) gid=10000 groups=10000

At this point CentOS authenticates successfully with AD accounts!

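The `id` output above is worth reading closely rather than just confirming the uid: the gid has no name in parentheses. The check below is an added example, not from the original post; it takes the text of `id <user>` and validates the two things the nslcd and PAM settings above depend on. The function name, messages and the extra sample outputs are my own.

```sh
# Added example, not from the original post: checks the output of "id <user>"
# for an AD account resolved through nslcd against what the settings above rely
# on. The uid must be >= 1000, because the requisite pam_succeed_if line runs
# before pam_ldap and rejects lower uids. Every gid should carry a name in
# parentheses: a bare number, as in "gid=10000" above, means NSS found no group
# with that gidNumber, so group-based access rules will not match this user.
check_id_output() {
    out=$1; ok=0
    # numeric uid, only if the user name resolved (i.e. "uid=10001(zhangsan)")
    uid=$(printf '%s\n' "$out" | awk '{ split($1, kv, "=")
        if (kv[2] ~ /^[0-9]+\(/) { sub(/\(.*/, "", kv[2]); print kv[2] } }')
    if [ -z "$uid" ]; then
        echo "uid has no name: the user was not resolved through NSS"; ok=1
    elif [ "$uid" -lt 1000 ]; then
        echo "uid $uid is below 1000: pam_succeed_if rejects it before pam_ldap runs"; ok=1
    fi
    # gids from "gid=..." and "groups=..." that lack a "(name)" suffix
    unresolved=$(printf '%s\n' "$out" | awk '{
        for (i = 1; i <= NF; i++) {
            split($i, kv, "="); if (kv[1] != "gid" && kv[1] != "groups") continue
            m = split(kv[2], ids, ",")
            for (j = 1; j <= m; j++) if (ids[j] !~ /\(/) print ids[j]
        } }' | sort -u)
    for g in $unresolved; do
        echo "gid $g has no name: no group with gidNumber=$g is visible to NSS"; ok=1
    done
    return $ok
}
# The post's own result: uid fine, group 10000 unresolved
check_id_output 'uid=10001(zhangsan) gid=10000 groups=10000' || echo "fix the group mapping before relying on AD groups"
```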
CentOS 6 related configuration
yum install nss-pam-ldapd -y
yum install pam_ldap -y
[root@server2 ~]# vim /etc/nslcd.conf
uid nslcd
gid ldap
base ou=Basers,dc=ad,dc=your_domain,dc=com
uri ldap://ad.your_domain.com:389/
binddn cn=linux_ad,cn=users,dc=ad,dc=your_domain,dc=com
bindpw linux_ad
scope  group  sub
scope  hosts  sub
pagesize 1000
referrals off
filter passwd (&(objectClass=user)(!(objectClass=computer))(unixHomeDirectory=*))
map    passwd homeDirectory    unixHomeDirectory
filter shadow (&(objectClass=user)(!(objectClass=computer))(unixHomeDirectory=*))
map    shadow shadowLastChange pwdLastSet
filter group  (&(objectClass=group)(gidNumber=*))
map    group  uniqueMember     member
bind_timelimit 3
timelimit 3
scope sub
ssl no
tls_reqcert never

[root@server2 ~]# vim /etc/nsswitch.conf
Replace passwd/shadow/group lines with:
passwd:     files ldap [NOTFOUND=return UNAVAIL=return]
shadow:     files ldap [NOTFOUND=return UNAVAIL=return]
group:      files ldap [NOTFOUND=return UNAVAIL=return]
sudoers:    files ldap [NOTFOUND=return UNAVAIL=return]

[root@server2 ~]# cat /etc/pam.d/system-auth-ac  (identical for /etc/pam.d/password-auth-ac)
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so
 
password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

[root@server2 ~]# vim /etc/pam_ldap.conf
base ou=Basers,dc=ad,dc=your_domain,dc=com
binddn cn=linux_ad,cn=users,dc=ad,dc=your_domain,dc=com
bindpw linux_ad
uri ldap://ad.your_domain.com
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5