Centralized Linux system user authentication with LDAP

Author: H2F. Category: Linux.

Environment:
LDAP node1: 192.168.100.151
LDAP node2: 192.168.100.152
Client IP: 192.168.100.153

=========================== Server ===========================
1. Installation

Install Berkeley DB

[root@localhost openldap]# yum install -y libtool-ltdl-devel.x86_64 libtool-ltdl.x86_64
[root@localhost tarbag]# tar -xzvf db-4.8.26.tar.gz -C ../software/
[root@localhost tarbag]# cd ../software/db-4.8.26/build_unix/
[root@localhost build_unix]# ../dist/configure
[root@localhost build_unix]# make install
[root@localhost build_unix]# echo "/usr/local/BerkeleyDB.4.8/lib/" >> /etc/ld.so.conf
[root@localhost build_unix]# ldconfig -vv

Install OpenLDAP

[root@localhost tarbag]# tar zxvf openldap-2.4.21.tgz -C ../software/
[root@localhost tarbag]# cd ../software/openldap-2.4.21/
[root@localhost openldap-2.4.21]# ./configure --prefix=/usr/local/openldap-2.4.21 --enable-syslog --enable-modules --with-tls CPPFLAGS=-I/usr/local/BerkeleyDB.4.8/include/ LDFLAGS=-L/usr/local/BerkeleyDB.4.8/lib/
[root@localhost openldap-2.4.21]# make depend
[root@localhost openldap-2.4.21]# make
[root@localhost openldap-2.4.21]# make test # this takes quite a long time; if you consider it unnecessary, skip it and run make install directly
[root@localhost openldap-2.4.21]# make install
[root@localhost openldap-2.4.21]# cd /usr/local/openldap-2.4.21/
[root@localhost openldap-2.4.21]# ls
bin etc include lib libexec sbin share var

2. OpenLDAP configuration

Download openssh-lpk_openldap.schema

[root@localhost ~]# cd /usr/local/openldap-2.4.21/etc/openldap/schema
[root@localhost schema]# wget http://openssh-lpk.googlecode.com/files/openssh-lpk_openldap.schema
[root@localhost schema]# cp openssh-lpk_openldap.schema openssh-lpk.schema

Generate the password hash:

[root@localhost ~]# cd /usr/local/openldap-2.4.21/sbin/
[root@localhost sbin]# ./slappasswd
New password:
Re-enter new password:
{SSHA}o/pZaQlZohhssEC7UAWnqWZ3GaHwxeUZ # the password is 123456; this hash goes into the rootpw line of slapd.conf

Configure slapd.conf

[root@localhost openldap]# cat /usr/local/openldap-2.4.21/etc/openldap/slapd.conf
include /usr/local/openldap-2.4.21/etc/openldap/schema/core.schema
include /usr/local/openldap-2.4.21/etc/openldap/schema/cosine.schema
include /usr/local/openldap-2.4.21/etc/openldap/schema/inetorgperson.schema
include /usr/local/openldap-2.4.21/etc/openldap/schema/nis.schema
include /usr/local/openldap-2.4.21/etc/openldap/schema/openssh-lpk.schema
loglevel 256
pidfile /usr/local/openldap-2.4.21/var/run/slapd.pid
argsfile /usr/local/openldap-2.4.21/var/run/slapd.args
#######################################################################
# database definition
#######################################################################
database bdb
suffix "dc=hsf,dc=com"
rootdn "cn=Manager,dc=hsf,dc=com"
rootpw {SSHA}o/pZaQlZohhssEC7UAWnqWZ3GaHwxeUZ
directory /opt/openldap_data/
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index sudoUser eq
[root@localhost openldap]# cd /usr/local/openldap-2.4.21/etc/openldap
Copy DB_CONFIG to the LDAP data directory.
[root@localhost openldap]# cp DB_CONFIG.example /opt/openldap_data/


Edit syslog.conf

[root@localhost www]# vi /etc/syslog.conf
# Save ldap messages to ldap.log
local4.* /var/log/ldap.log

Restart syslog

[root@localhost openldap]# service syslog restart
Shutting down kernel logger: [ OK ]
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
Starting kernel logger: [ OK ]

Start LDAP

Start method 1:

# /usr/local/openldap-2.4.21/libexec/slapd # goes straight to the background

Start method 2:

# /usr/local/openldap-2.4.21/libexec/slapd -d 256 # stays in the foreground, with debug output


[root@localhost run]# /usr/local/openldap-2.4.21/libexec/slapd
[root@localhost run]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 22917/slapd
tcp 0 0 :::389 :::* LISTEN 22917/slapd
tcp 0 0 :::22 :::* LISTEN 1987/sshd

3. Generate a public/private key pair (on any machine)

# ssh-keygen -t rsa
..... keep pressing Enter
# cd /root/.ssh/
# sz id_rsa.pub # public key (imported into the sshPublicKey attribute in LDAP)
# sz id_rsa # private key (goes under /root/.ssh/ on Linux, or into SecureCRT/PuTTY)

4. Import the LDAP data
Root entry:

[root@localhost ~]# cat passwd.ldif
#version: 1
dn: dc=hsf,dc=com
objectClass: top
objectClass: domain
dc: hsf

dn: ou=groups,dc=hsf,dc=com
objectClass: top
objectClass: organizationalUnit
ou: groups

dn: cn=root,ou=groups,dc=hsf,dc=com
objectClass: posixGroup
objectClass: top
cn: root
gidNumber: 0
memberUid: root

dn: ou=users,dc=hsf,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: users
sn: users
ou: users

dn: uid=root,ou=users,dc=hsf,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: top
objectClass: ldapPublicKey
objectClass: posixAccount
cn: root
gidNumber: 0
homeDirectory: /root/
sn: root
uid: root
uidNumber: 0
sshPublicKey: ssh-rsa testAAgQDl+WA5jQja/BDfBSwo3dJ78uaaaaaILbNEEbHGqbXXL74S2HUHkGJ5UH1RHd9AzH1bzgEfP3CU7wHeghG5co576xRUrZw5BolybBz+3q1GxRfqfoZGxZP6/fyYogSrjaR+pT3MxBx91vt+OK61uBhuOCzIe8gDOpxAeZP6SRAJw== hsf@www.hsf.com

[root@localhost openldap]# /usr/local/openldap-2.4.21/bin/ldapadd -x -D "cn=Manager,dc=hsf,dc=com" -W -f passwd.ldif


==================== Client ====================
IP address: 192.168.100.153

1. Install the OpenSSH LPK patch:


[root@localhost tarbag]# gunzip openssh-lpk-5.9p1-0.3.14.patch.gz
[root@localhost tarbag]# tar zxvf openssh-5.9p1.tar.tar
[root@localhost tarbag]# cd openssh-5.9p1
[root@localhost openssh-5.9p1]# patch -Np1 -i /usr/local/src/tarbag/openssh-lpk-5.9p1-0.3.14.patch
patching file auth2-pubkey.c
patching file auth-rsa.c
patching file config.h.in
patching file configure.ac
patching file ldapauth.c
patching file ldapauth.h
patching file lpk-user-example.txt
patching file Makefile.in
patching file openssh-lpk_openldap.schema
patching file openssh-lpk_sun.schema
patching file README.lpk
patching file servconf.c
patching file servconf.h
patching file sshd.c
patching file sshd_config
patching file sshd_config.5
patching file version.h
[root@localhost tarbag]# ./configure \
 --prefix=/usr \
 --sysconfdir=/etc/ssh \
 --libexecdir=/usr/sbin \
 --with-md5-passwords \
 --with-pam \
 --with-libs="-lldap" \
 --with-cppflags="-DWITH_LDAP_PUBKEY"
[root@localhost tarbag]# make
[root@localhost tarbag]# make install

2. Edit the sshd configuration file

# cat /etc/ssh/sshd_config | grep -v '#' | grep -v '^$'
SyslogFacility AUTHPRIV
PasswordAuthentication no
UsePAM no
X11Forwarding yes
Subsystem sftp /usr/libexec/openssh/sftp-server
UseLPK yes
LpkServers ldap://192.168.100.151:389
LpkUserDN ou=users,dc=hsf,dc=com
LpkGroupDN ou=groups,dc=hsf,dc=com
LpkBindDN cn=Manager,dc=hsf,dc=com
LpkBindPw {SSHA}o/pZaQlZohhssEC7UAWnqWZ3GaHwxeUZ
LpkForceTLS no
LpkSearchTimelimit 3
LpkBindTimelimit 3

Edit nsswitch.conf

[root@localhost openssh-5.9p1]# vi /etc/nsswitch.conf
passwd: files ldap
shadow: files ldap
group: files ldap

Edit authconfig

[root@localhost etc]# cat /etc/sysconfig/authconfig | grep yes
USELDAPAUTH=yes
USESHADOW=yes
USELOCAUTHORIZE=yes
USELDAP=yes
USECRACKLIB=yes

3. Restart sshd

# service sshd restart

4. Add a PAM session file

[root@localhost etc]# vi /etc/pam.d/common-session
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/
session optional pam_ldap.so

=========================== Autofs configuration ===========================

(This can also be done with the auto.schema in LDAP; I find that less convenient than the setup below.)

The LDAP server exports the home directories and the client uses autofs to mount each user's home directory on demand. This fixes the error: Could not chdir to home directory /home/hsf: No such file or directory

NFS configuration on the LDAP server:

[root@localhost home]# cat /etc/exports
/home 192.168.100.0/255.255.255.0(rw,async,wdelay,root_squash,no_subtree_check,anonuid=65534,anongid=65534)
[root@localhost home]# service portmap start
[root@localhost home]# service nfs start
[root@localhost home]# chkconfig nfs on
[root@localhost home]# chkconfig portmap on

Client configuration:

[root@localhost ~]# cat /etc/auto.master
#
/home /etc/auto.nfs --timeout=100
[root@localhost ~]# cat /etc/auto.nfs
* 192.168.100.151:/home/&
[root@localhost ~]# service autofs start
[root@localhost ~]# service portmap start

Test on the client:

[root@localhost ~]# cd /home/
[root@localhost home]# ls
[root@localhost home]#
[root@localhost home]# su - test
-sh-3.00$ pwd
/home/test/
-sh-3.00$

=================== LDAP + sudoers configuration =================

First add the sudoer.schema

[root@localhost log]# vi /etc/openldap/schema/sudoer.schema
attributetype ( 1.3.6.1.4.1.15953.9.1.1
 NAME 'sudoUser'
 DESC 'User(s) who may run sudo'
 EQUALITY caseExactIA5Match
 SUBSTR caseExactIA5SubstringsMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.2
 NAME 'sudoHost'
 DESC 'Host(s) who may run sudo'
 EQUALITY caseExactIA5Match
 SUBSTR caseExactIA5SubstringsMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.3
 NAME 'sudoCommand'
 DESC 'Command(s) to be executed by sudo'
 EQUALITY caseExactIA5Match
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.4
 NAME 'sudoRunAs'
 DESC 'User(s) impersonated by sudo'
 EQUALITY caseExactIA5Match
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.5
 NAME 'sudoOption'
 DESC 'Options(s) followed by sudo'
 EQUALITY caseExactIA5Match
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.6
 NAME 'sudoRunAsUser'
 DESC 'User(s) impersonated by sudo'
 EQUALITY caseExactIA5Match
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.7
 NAME 'sudoRunAsGroup'
 DESC 'Group(s) impersonated by sudo'
 EQUALITY caseExactIA5Match
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.8
 NAME 'sudoNotBefore'
 DESC 'Start of time interval for which the entry is valid'
 EQUALITY generalizedTimeMatch
 ORDERING generalizedTimeOrderingMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
attributetype ( 1.3.6.1.4.1.15953.9.1.9
 NAME 'sudoNotAfter'
 DESC 'End of time interval for which the entry is valid'
 EQUALITY generalizedTimeMatch
 ORDERING generalizedTimeOrderingMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
attributeTypes ( 1.3.6.1.4.1.15953.9.1.10
 NAME 'sudoOrder'
 DESC 'an integer to order the sudoRole entries'
 EQUALITY integerMatch
 ORDERING integerOrderingMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
 DESC 'Sudoer Entries'
 MUST ( cn )
 MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
 sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
 sudoOrder $ description $ ou )
 )

Add this sudoer.schema to slapd.conf

[root@localhost log]# cat /etc/openldap/slapd.conf | grep sudo
include /etc/openldap/schema/sudoer.schema

Default sudoers LDIF data.

[root@localhost ~]# cat sudo.ldif
dn: ou=SUDOers,dc=hsf,dc=com
objectClass: top
objectClass: organizationalUnit
description: SUDO Configuration Subtree
ou: SUDOers

dn: cn=defaults,ou=SUDOers,dc=hsf,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: requiretty
sudoOption: !visiblepw
sudoOption: env_reset

dn: cn=root,ou=SUDOers,dc=hsf,dc=com
objectClass: top
objectClass: sudoRole
cn: root
sudoUser: root
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL

dn: cn=%wheel,ou=SUDOers,dc=hsf,dc=com
objectClass: top
objectClass: sudoRole
cn: %wheel
sudoUser: %wheel
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOption: !authenticate

dn: cn=hsf,ou=SUDOers,dc=hsf,dc=com
objectClass: top
objectClass: sudoRole
cn: hsf
sudoUser: hsf
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOption: !authenticate

Import the sudo data into LDAP.

[root@localhost ~]# ldapadd -x -D "cn=Manager,dc=hsf,dc=com" -W -f sudo.ldif

==================== sudo client configuration ==================

Install sudo (the sudo installed by default has no LDAP support):
Download: http://down1.chinaunix.net/distfiles/sudo-1.7.2p1.tar.gz

[root@localhost tarbag]# wget http://down1.chinaunix.net/distfiles/sudo-1.7.2p1.tar.gz
[root@localhost tarbag]# tar zxvf sudo-1.7.2p1.tar.gz -C ../software/
[root@localhost tarbag]# cd ../software/sudo-1.7.2p1/
[root@localhost sudo-1.7.2p1]# ./configure --with-ldap --with-pam
[root@localhost sudo-1.7.2p1]# make
[root@localhost sudo-1.7.2p1]# make install
[root@localhost sudo-1.7.2p1]# mv /etc/pam.d/sudo /etc/pam.d/sudo.orig
[root@localhost sudo-1.7.2p1]# mv /usr/bin/sudo /usr/bin/sudo.orig
[root@localhost sudo-1.7.2p1]# ln -s /usr/local/bin/sudo /usr/bin/sudo
[root@localhost sudo-1.7.2p1]# cp sample.pam /etc/pam.d/sudo

Configure ldap.conf

[root@localhost ~]# cat /etc/ldap.conf | grep -v '#' | grep -v '^$'
host 192.168.100.151
URI ldap://192.168.100.151
BASE dc=hsf,dc=com
SUDOERS_BASE ou=SUDOers,dc=hsf,dc=com
ssl no

Edit nsswitch.conf

[root@localhost home]# cat /etc/nsswitch.conf | grep sudo
sudoers: ldap

Verify:

[root@localhost ~]# sudo -V | grep ldap
ldap.conf path: /etc/ldap.conf
ldap.secret path: /etc/ldap.secret

After installation, restart the LDAP service.

Test:

-sh-3.00$ sudo -l
Matching Defaults entries for test on this host:
 requiretty, !visiblepw, env_reset
Runas and Command-specific defaults for test:
User test may run the following commands on this host:
 (ALL) NOPASSWD: ALL
 (ALL) NOPASSWD: ALL
-sh-3.00$ sudo su -

=================== OpenLDAP master-master configuration ==============

Node 1: 192.168.100.151
Node 2: 192.168.100.152

Node 1 (node1) configuration
Append the following to the end of slapd.conf

index entryCSN,entryUUID eq # added index: speeds up replication, which uses these two attributes
overlay syncprov # replication engine
syncprov-checkpoint 100 10 # checkpoint every 100 operations or every 10 minutes
syncprov-sessionlog 100
serverID 1 # node ID, must be unique
syncrepl rid=123
 provider=ldap://192.168.100.152 # peer IP address
 bindmethod=simple
 binddn="cn=Manager,dc=hsf,dc=com" # bind DN
 credentials=123456 # password
 searchbase="dc=hsf,dc=com" # search base
 schemachecking=off
 type=refreshAndPersist
 retry="60 +"
mirrormode on # enable mirror mode

Node 2 (node2) configuration
Append the following to the end of slapd.conf

index entryCSN,entryUUID eq
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
serverID 2
syncrepl rid=123
 provider=ldap://192.168.100.151
 bindmethod=simple
 binddn="cn=Manager,dc=hsf,dc=com"
 credentials=123456
 searchbase="dc=hsf,dc=com"
 schemachecking=off
 type=refreshAndPersist
 retry="60 +"
mirrormode on

=================== TLS configuration ==================

[root@localhost ~]# mkdir /usr/local/openldap-2.4.21/etc/openldap/ssl/
[root@localhost ~]# cd /usr/local/openldap-2.4.21/etc/openldap/ssl/
[root@localhost ssl]# /etc/pki/tls/misc/CA -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 1024 bit RSA private key
........................................++++++
......................................................++++++
writing new private key to '../../CA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:beijing
Locality Name (eg, city) [Newbury]:beijing
Organization Name (eg, company) [My Company Ltd]:hsf
Organizational Unit Name (eg, section) []:hsf
Common Name (eg, your name or your server's hostname) []: 192.168.100.152
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Dec 28 06:27:46 2011 GMT
Not After : Dec 27 06:27:46 2014 GMT
Subject:
countryName = CN
stateOrProvinceName = beijing
organizationName = hsf
organizationalUnitName = hsf
commonName = 192.168.100.152
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
BA:D2:F9:E1:BB:16:57:3E:78:96:5E:29:21:A4:A7:4A:AE:E4:23:BD
X509v3 Authority Key Identifier:
keyid:BA:D2:F9:E1:BB:16:57:3E:78:96:5E:29:21:A4:A7:4A:AE:E4:23:BD
Certificate is to be certified until Dec 27 06:27:46 2014 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
[root@localhost ssl]# openssl req -new -nodes -keyout newreq.pem -out newreq.pem // for master-master LDAP, run this twice: the first time enter node1's hostname as the Common Name, the second time node2's hostname //
Generating a 1024 bit RSA private key
.........++++++
.++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:beijing
Locality Name (eg, city) [Newbury]:beijing
Organization Name (eg, company) [My Company Ltd]:hsf
Organizational Unit Name (eg, section) []:hsf
Common Name (eg, your name or your server's hostname) []:192.168.100.152
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost ssl]# ls
newreq.pem
[root@localhost ssl]# /etc/pki/tls/misc/CA -sign
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Dec 28 06:29:44 2011 GMT
Not After : Dec 27 06:29:44 2012 GMT
Subject:
countryName = CN
stateOrProvinceName = beijing
localityName = beijing
organizationName = hsf
organizationalUnitName = hsf
commonName = 192.168.100.152
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
66:97:70:5F:99:B1:7E:06:3A:BE:DF:D6:5B:E4:E5:D7:EC:44:D5:16
X509v3 Authority Key Identifier:
keyid:BA:D2:F9:E1:BB:16:57:3E:78:96:5E:29:21:A4:A7:4A:AE:E4:23:BD
Certificate is to be certified until Dec 27 06:29:44 2012 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=CN, ST=beijing, O=hsf, OU=hsf, CN= 192.168.100.152
Validity
Not Before: Dec 28 06:29:44 2011 GMT
Not After : Dec 27 06:29:44 2012 GMT
Subject: C=CN, ST=beijing, L=beijing, O=hsf, OU=hsf, CN=192.168.100.152
Signed certificate is in newcert.pem
[root@localhost ssl]# ls
newcert.pem newreq.pem
[root@localhost ssl]# mkdir /usr/local/openldap-2.4.21/etc/openldap/cacerts
[root@localhost ssl]# cp ../../CA/cacert.pem /usr/local/openldap-2.4.21/etc/openldap/cacerts/
[root@localhost ssl]# cp newcert.pem /usr/local/openldap-2.4.21/etc/openldap/slapdcert.pem
[root@localhost ssl]# cp newreq.pem /usr/local/openldap-2.4.21/etc/openldap/slapdkey.pem
[root@localhost ssl]# chmod 600 /usr/local/openldap-2.4.21/etc/openldap/slapdkey.pem
[root@localhost openldap]# vi /usr/local/openldap-2.4.21/etc/openldap/slapd.conf
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /usr/local/openldap-2.4.21/etc/openldap/cacerts/cacert.pem
TLSCertificateFile /usr/local/openldap-2.4.21/etc/openldap/slapdcert.pem
TLSCertificateKeyFile /usr/local/openldap-2.4.21/etc/openldap/slapdkey.pem

Edit /etc/openldap/ldap.conf on the client

[root@localhost etc]# vi ldap.conf
TLS_CACERT /etc/openldap/cacerts/cacert.pem

Restart sshd on the client

[root@localhost etc]# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]

Check the LDAP server log:

conn=1004 fd=14 ACCEPT from IP=192.168.100.153:58390 (IP=0.0.0.0:389)
conn=1004 op=0 EXT oid=1.3.6.1.4.1.1466.20037
conn=1004 op=0 STARTTLS
conn=1004 op=0 RESULT oid= err=0 text=
conn=1004 fd=14 TLS established tls_ssf=256 ssf=256
conn=1004 op=1 BIND dn="cn=Manager,dc=hsf,dc=com" method=128
conn=1004 op=1 BIND dn="cn=Manager,dc=hsf,dc=com" mech=SIMPLE ssf=0
conn=1004 op=1 RESULT tag=97 err=0 text=
If STARTTLS appears, it is working.
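The server log is the place to confirm that the Manager bind really happened inside TLS: the "TLS established" line must precede the "BIND ... mech=SIMPLE" line on the same conn=N, and the ssf=0 on the BIND line only reports the SASL layer, not the TLS one. The following is an added example (not from the post) that audits a loglevel 256 log for simple binds sent over a plain ldap:// socket, which is what LpkForceTLS no and ssl no would allow if STARTTLS ever failed. conn=1004 is the post's own log; conn=1005 is a constructed connection that binds without TLS.

```python
import re

# conn=1004 copied from the post; conn=1005 constructed to show the failure mode.
SAMPLE_LOG = """\
conn=1004 fd=14 ACCEPT from IP=192.168.100.153:58390 (IP=0.0.0.0:389)
conn=1004 op=0 EXT oid=1.3.6.1.4.1.1466.20037
conn=1004 op=0 STARTTLS
conn=1004 op=0 RESULT oid= err=0 text=
conn=1004 fd=14 TLS established tls_ssf=256 ssf=256
conn=1004 op=1 BIND dn="cn=Manager,dc=hsf,dc=com" method=128
conn=1004 op=1 BIND dn="cn=Manager,dc=hsf,dc=com" mech=SIMPLE ssf=0
conn=1004 op=1 RESULT tag=97 err=0 text=
conn=1005 fd=15 ACCEPT from IP=192.168.100.153:58391 (IP=0.0.0.0:389)
conn=1005 op=0 BIND dn="uid=hsf,ou=users,dc=hsf,dc=com" method=128
conn=1005 op=0 BIND dn="uid=hsf,ou=users,dc=hsf,dc=com" mech=SIMPLE ssf=0
conn=1005 op=0 RESULT tag=97 err=0 text=
"""

# Matches the slapd stats line body; a syslog timestamp/host prefix is tolerated.
LINE_RE = re.compile(r"conn=(\d+) (?:fd|op)=\d+ (\S+)(.*)$")


def audit_simple_binds(log_text: str) -> list[tuple[str, str, bool]]:
    """Return (conn, dn, over_tls) for every simple bind in the log; over_tls is
    True only if that connection logged 'TLS established' before the bind."""
    tls_conns: set[str] = set()
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        conn, event, rest = m.groups()
        if event == "TLS" and rest.startswith(" established"):
            tls_conns.add(conn)
        elif event == "BIND" and "mech=SIMPLE" in rest:
            dn = re.search(r'dn="([^"]*)"', rest)
            findings.append((conn, dn.group(1) if dn else "", conn in tls_conns))
    return findings


def cleartext_binds(log_text: str) -> list[tuple[str, str]]:
    """The subset worth alerting on: a DN's password crossed the wire unencrypted."""
    return [(conn, dn) for conn, dn, over_tls in audit_simple_binds(log_text) if not over_tls]
```

Run it over /var/log/ldap.log (the file syslog.conf above sends local4 to); an empty result from cleartext_binds is what you want to see.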

Configure the certificate on LDAP node2
Copy the cacert.pem, newcert.pem and newreq.pem generated above to the corresponding locations on the second server and set the permissions.
Edit slapd.conf in the same way and restart the LDAP service.

With master-master LDAP, the client configuration needs the IPs of both masters:

[root@localhost etc]# cat /etc/ldap.conf | grep -v '#' | grep -v '^$'
host 192.168.100.151 192.168.100.152
URI ldap://192.168.100.151 ldap://192.168.100.152
BASE dc=hsf,dc=com
SUDOERS_BASE ou=SUDOers,dc=hsf,dc=com
pam_password md5
[root@localhost etc]# cat /etc/openldap/ldap.conf | grep -v '#' | grep -v '^$'
TIMELIMIT 30
BIND_TIMELIMIT 30
BASE dc=hsf,dc=com
SUDOERS_BASE ou=SUDOers,dc=hsf,dc=com
TLS_CACERT /etc/openldap/cacerts/cacert.pem

Restart sshd on the client.
User authentication management based on openldap + openssh-lpk + sudo + TLS is complete.

H2F
  • Posted on 28/12/2011 15:45:29
  • Please keep this link when reposting: https://www.ttlsa.com/linux/openldap-openssh-lpk-sudo-tls-auth/
Comments (5)
    • 淡漠

      Not even the environment is described.

      • gh

        ╮(╯_╰)╭

        • aaaaaa

          What comes after that --enable? It's incomplete.

            • aaaaa

              @aaaaaa Got it, I didn't look further down.

            • 呵呵

              This document is written far too abstrusely; it's really hard to get into, not something the likes of us can grasp.