http://blog.oddbit.com/2013/07/22/generating-a-membero/
http://gsr-linux.blogspot.jp/2011/01/howto-on-using-dynlist-with-openldap.html
建立组织单元
cat << _EOF_ | ldapadd -x -W -H ldaps://master.local -D cn=manager,dc=suntv,dc=tv
dn: ou=people,dc=suntv,dc=tv
ou: people
objectClass: organizationalUnit
dn: ou=group,dc=suntv,dc=tv
ou: group
objectClass: organizationalUnit
dn: ou=host,dc=suntv,dc=tv
ou: host
objectClass: organizationalUnit
_EOF_
建立主机组
cat << _EOF_ | ldapadd -x -W -H ldaps://master.local -D cn=manager,dc=suntv,dc=tv
dn: ou=all,ou=host,dc=suntv,dc=tv
objectClass: organizationalUnit
objectClass: hostObject
ou: all
host: all
dn: ou=op,ou=host,dc=suntv,dc=tv
objectClass: organizationalUnit
objectClass: hostObject
ou: op
host: 192.168.1.21
host: 192.168.1.22
dn: ou=dev,ou=host,dc=suntv,dc=tv
objectClass: organizationalUnit
objectClass: hostObject
ou: dev
host: 192.168.1.31
host: 192.168.1.32
_EOF_
建立用户组
cat << _EOF_ | ldapadd -x -W -H ldaps://master.local -D cn=manager,dc=suntv,dc=tv
dn: cn=op,ou=group,dc=suntv,dc=tv
objectClass: posixGroup
cn: op
gidNumber: 2001
dn: cn=dev,ou=group,dc=suntv,dc=tv
objectClass: posixGroup
cn: dev
gidNumber: 2002
_EOF_
建立用户
cat << _EOF_ | ldapadd -x -W -H ldaps://master.local -D cn=manager,dc=suntv,dc=tv
dn: uid=op01,ou=people,dc=suntv,dc=tv
uid: op01
cn: op01
sn: op01
objectClass: hostObject
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
userPassword: 123456
shadowLastChange: 17085
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 2001
homeDirectory: /home/op01
labeledURI: ldaps:///ou=op,ou=host,dc=suntv,dc=tv?host
dn: uid=dev01,ou=people,dc=suntv,dc=tv
uid: dev01
cn: dev01
sn: op01
objectClass: hostObject
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
userPassword: 123456
shadowLastChange: 17085
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1002
gidNumber: 2002
homeDirectory: /home/dev01
labeledURI: ldaps:///ou=dev,ou=host,dc=suntv,dc=tv?host
_EOF_
动态组
# /etc/openldap/slapd.conf 确保有以下配置
include /etc/openldap/schema/dyngroup.schema
modulepath /usr/lib64/openldap
moduleload dynlist.la
overlay dynlist
dynlist-attrset inetOrgPerson labeledURI
rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
chown -R ldap:ldap /etc/openldap/slapd.d
systemctl restart slapd
测试
ldapsearch -x -W -H ldaps://master.local -D cn=manager,dc=suntv,dc=tv -b uid=op01,ou=people,dc=suntv,dc=tv
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <uid=op01,ou=people,dc=suntv,dc=tv> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# op01, people, suntv.tv
dn: uid=op01,ou=people,dc=suntv,dc=tv
uid: op01
cn: op01
sn: op01
objectClass: hostObject
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
userPassword:: MTIzNDU2
shadowLastChange: 17085
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 2001
homeDirectory: /home/op01
labeledURI: ldaps:///ou=op,ou=host,dc=suntv,dc=tv?host
host: 192.168.1.21 # 动态组自动增加内容
host: 192.168.1.22 # 动态组自动增加内容
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
ldapsearch过滤用法 http://blog.chinaunix.net/uid-393131-id-2410065.html
ldapsearch -x -W -H ldaps://master.local -D cn=manager,dc=suntv,dc=tv -b uid=dev01,ou=people,dc=suntv,dc=tv host
# extended LDIF
#
# LDAPv3
# base <uid=dev01,ou=people,dc=suntv,dc=tv> with scope subtree
# filter: (objectclass=*)
# requesting: host
#
# dev01, people, suntv.tv
dn: uid=dev01,ou=people,dc=suntv,dc=tv
host: 192.168.1.31 # 动态组自动增加内容
host: 192.168.1.32 # 动态组自动增加内容
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
cat > /etc/sssd/sssd.conf << _EOF_
[domain/LDAP]
debug_level = 9
cache_credentials = true
enumerate = false
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://master.local
ldap_backup_uri = ldaps://slave.local
ldap_search_base = dc=suntv,dc=tv
ldap_user_search_base = ou=people,dc=suntv,dc=tv
ldap_group_search_base = ou=group,dc=suntv,dc=tv
access_provider = ldap
ldap_access_order = filter
ldap_access_filter = (|(host=all)(host=192.168.1.21))
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_cacert = /etc/openldap/cacerts/ca.crt
ldap_tls_reqcert = never
ldap_id_use_start_tls = false
[sssd]
domains = LDAP
services = nss, pam
config_file_version = 2
[nss]
domains = LDAP
fd_limit = 65535
filter_users = root
filter_groups = root
[pam]
domains = LDAP
[ssh]
domains = LDAP
ssh_hash_known_hosts = false
_EOF_
测试
# ssh op01@192.168.1.22
op01@192.168.1.22's password:
Connection to 192.168.1.22 closed by remote host.
Connection to 192.168.1.22 closed.
sssd_LDAP日志显示如下,其中 [(&(uid=op01)(objectclass=posixAccount)(|(host=all)(host=192.168.1.21)))][uid=op01,ou=people,dc=suntv,dc=tv] 是过滤条件,问题应该就出在ldap_access_filter = (|(host=all)(host=192.168.1.21))这里。
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [sdap_access_filter_send] (0x0400): Performing access filter check for user [op01]
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [sdap_access_filter_send] (0x0400): Checking filter against LDAP
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [sdap_print_server] (0x2000): Searching 192.168.1.11
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=op01)(objectclass=posixAccount)(|(host=all)(host=192.168.1.21)))][uid=op01,ou=people,dc=suntv,dc=tv].
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 4
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [sdap_op_add] (0x2000): New operation 4 timeout 6
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [sdap_process_result] (0x2000): Trace: sh[0x9380c0], connected[1], ops[0x9f7470], ldap[0x931330]
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [sdap_op_destructor] (0x2000): Operation 4 finished
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [sdap_id_op_done] (0x4000): releasing operation connection
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [sdap_access_filter_done] (0x0100): User [op01] was not found with the specified filter. Denying access.
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [sdap_access_filter_done] (0x0400): Access denied by online lookup
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [ldb] (0x4000): start ldb transaction (nesting: 0)
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x9e6f50
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x9e76c0
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [ldb] (0x4000): Running timer event 0x9e6f50 "ltdb_callback"
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [ldb] (0x4000): Destroying timer event 0x9e76c0 "ltdb_timeout"
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [ldb] (0x4000): Ending timer event 0x9e6f50 "ltdb_callback"
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [ldb] (0x4000): commit ldb transaction (nesting: 0)
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [sdap_access_done] (0x0400): Access was denied.
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 6, <NULL>) [Success]
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [be_pam_handler_callback] (0x0100): Sending result [6][LDAP]
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [be_pam_handler_callback] (0x0100): Sent result [6][LDAP]
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [sdap_process_result] (0x2000): Trace: sh[0x9380c0], connected[1], ops[(nil)], ldap[0x931330]
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Thu Oct 13 17:24:00 2016) [sssd[be[LDAP]]] [sbus_dispatch] (0x4000): dbus conn: 0x91cdf0
(Thu Oct 13 17:24:00 2016) [sssd[be[LDAP]]] [sbus_dispatch] (0x4000): Dispatching.
dynlist不支持filter功能 http://www.openldap.org/lists/openldap-software/200708/msg00250.html
这个帖子上说,使用第三方autogroup,这个是把记录存储在数据库里,支持filter
op01用户使用动态组,dev01用户不使用动态组,直接添加host记录192.168.1.22
ldapsearch -x -W -H ldaps://master.local -D cn=manager,dc=suntv,dc=tv -b ou=people,dc=suntv,dc=tv "host=192.168.1.22"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=people,dc=suntv,dc=tv> with scope subtree
# filter: host=192.168.1.22 # 过滤后找到信息
# requesting: ALL
#
# dev01, people, suntv.tv
dn: uid=dev01,ou=people,dc=suntv,dc=tv
uid: dev01
cn: dev01
sn: op01
objectClass: hostObject
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
userPassword:: MTIzNDU2
shadowLastChange: 17085
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1002
gidNumber: 2002
homeDirectory: /home/dev01
host: 192.168.1.22
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
ldapsearch -x -W -H ldaps://master.local -D cn=manager,dc=suntv,dc=tv -b ou=people,dc=suntv,dc=tv "host=192.168.1.21"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=people,dc=suntv,dc=tv> with scope subtree
# filter: host=192.168.1.21 # 过滤后未找到记录
# requesting: ALL
#
# search result
search: 2
result: 0 Success
# numResponses: 1