OpenLDAP认证及autofs


参考文档:




服务端
A.准备用户
1.新增若干用户
# Create the home-directory root and 15 local test accounts (foo1..foo15) that
# share one password; these are the accounts migrated into LDAP below.
# -d only records the home path; whether useradd also creates the directory
# depends on CREATE_HOME in /etc/login.defs — confirm the directories exist
# before exporting /opt/ldapusers over NFS.
mkdir /opt/ldapusers
for ((n = 1; n <= 15; n++)); do
  useradd -d "/opt/ldapusers/foo${n}" "foo${n}"
  # chpasswd reads user:password pairs on stdin, so the password never
  # appears on a command line.
  printf '%s\n' "foo${n}:foopwd" | chpasswd
done

2.安装migrationtools并配置迁移域

# Install the migrationtools scripts that convert /etc/passwd, /etc/group and
# the base DN into LDIF.
yum install -y migrationtools

# Point the migration scripts at this domain's mail domain and base DN by
# replacing (sed 'c') the two assignment lines in migrate_common.ph.
# The '$' in each address is literal (Perl variable names in the .ph file);
# the single quotes stop the shell from expanding it.
sed -i \
  -e '/^$DEFAULT_MAIL_DOMAIN/c $DEFAULT_MAIL_DOMAIN = "example.com";' \
  -e '/^$DEFAULT_BASE/c $DEFAULT_BASE = "dc=example,dc=com";' \
  /usr/share/migrationtools/migrate_common.ph

3.生成ldif
# Pull the test accounts out of the local passwd/group files and convert them,
# plus the base DN tree, into LDIF.
# Note: the pattern matches any line containing "foo" in any field, so an
# unrelated account such as "foobar" would be migrated too.
migr=/usr/share/migrationtools
grep -- foo /etc/passwd > user.txt
grep -- foo /etc/group > group.txt
"$migr/migrate_passwd.pl" user.txt user.ldif
"$migr/migrate_group.pl" group.txt group.ldif
"$migr/migrate_base.pl" > base.ldif

4.从ldif导入本地用户到openldap

# Load the generated LDIF into the directory as the rootdn, base tree first.
# -x: simple bind; -c: keep going past entries that already exist.
# -w puts the bind password on the command line, where it is visible in shell
# history and to any local user via ps; -y <password-file> or -W (prompt)
# avoids that outside a throwaway lab.
for ldif in base.ldif user.ldif group.ldif; do
  ldapadd -x -c -D 'cn=Manager,dc=example,dc=com' -w secret -f "$ldif"
done


B.配置nfs共享

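# Export the LDAP users' home root to the client subnet over NFS.
# The export line is appended only if it is not already present, so re-running
# this section does not leave duplicate entries in /etc/exports.
export_line='/opt/ldapusers 192.168.8.0/24(rw,sync)'
# 2>/dev/null: a missing /etc/exports just means "not present yet".
grep -qxF -- "$export_line" /etc/exports 2>/dev/null \
  || printf '%s\n' "$export_line" >> /etc/exports
# On EL7 nfs.service is an alias of nfs-server.service; using one name for both
# the restart and the enable makes it obvious that the unit enabled at boot is
# the one running now.
systemctl restart nfs-server
systemctl enable nfs-server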



客户端
1.加入到openldap

# Install the LDAP name-service and PAM modules (nslcd) used by authconfig.
yum install -y nss-pam-ldapd


方式一:authconfig
# Join this client to the directory non-interactively: LDAP for NSS lookups
# (--enableldap), LDAP for PAM authentication (--enableldapauth), and
# pam_mkhomedir to create a missing home directory at login.
# No --enableldaptls is given, so the bind and the user's password travel to
# the server in cleartext on the default ldap:// port — acceptable on an
# isolated lab segment, not on a routed network.
authconfig \
  --enableldap \
  --enableldapauth \
  --enablemkhomedir \
  --ldapserver=192.168.8.254 \
  --ldapbasedn='dc=example,dc=com' \
  --update
以上命令可静默(非交互)地加入ldap
方式二:authconfig-tui
方式三:authconfig-gtk(略)

2.配置autofs自动挂载
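# Install the NFS client and autofs, then mount each user's home on demand.
yum install -y nfs-utils autofs
# Indirect map: /opt/ldapusers on the client is served by /etc/auto.openldap.
# The '*' key with '&' substitution maps /opt/ldapusers/<user> to the same
# path on the server, so the client mount point must match the server-side
# directory name exactly.
# Each append is guarded so this section can be re-run without duplicating
# map lines; 2>/dev/null covers the case where the map file does not exist yet.
master_line='/opt/ldapusers /etc/auto.openldap'
map_line='* -rw,soft,intr 192.168.8.254:/opt/ldapusers/&'
grep -qxF -- "$master_line" /etc/auto.master 2>/dev/null \
  || printf '%s\n' "$master_line" >> /etc/auto.master
grep -qxF -- "$map_line" /etc/auto.openldap 2>/dev/null \
  || printf '%s\n' "$map_line" >> /etc/auto.openldap
# 'soft' makes I/O return an error instead of hanging when the server is
# unreachable; 'intr' is accepted but ignored by current NFS clients.
systemctl restart autofs
# Mirror the server section: without enable, the maps are not active after a
# reboot and LDAP users would log in without a home directory.
systemctl enable autofs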

提示:
对间接映射文件(此处为/etc/auto.nfs,本文实际使用的是/etc/auto.openldap)使用*及&通配符时,/etc/auto.master里的挂载点必须与服务器的导出目录同名同路径(如/nfshome,本文为/opt/ldapusers),否则客户端su - 切换用户时会提示找不到目录。
不建议把ldap用户的家目录直接创建在/home文件夹里。否则由于/etc/auto.nfs文件里*及&符号的自动匹配作用,客户端autofs会把/home作为自动挂载点接管,从而遮盖掉本地实际的/home目录及其中的本地用户家目录。

3.ldap用户登录

[root@metaq01 ~]# getent passwd

root:x:0:0:root:/root:/bin/bash

... ...

nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin

foo1:x:1006:1006:foo1:/opt/ldapusers/foo1:/bin/bash

foo2:x:1007:1007:foo2:/opt/ldapusers/foo2:/bin/bash

foo3:x:1008:1008:foo3:/opt/ldapusers/foo3:/bin/bash

foo4:x:1009:1009:foo4:/opt/ldapusers/foo4:/bin/bash

foo5:x:1010:1010:foo5:/opt/ldapusers/foo5:/bin/bash

foo6:x:1011:1011:foo6:/opt/ldapusers/foo6:/bin/bash

foo7:x:1012:1012:foo7:/opt/ldapusers/foo7:/bin/bash

foo8:x:1013:1013:foo8:/opt/ldapusers/foo8:/bin/bash

foo9:x:1014:1014:foo9:/opt/ldapusers/foo9:/bin/bash

foo10:x:1015:1015:foo10:/opt/ldapusers/foo10:/bin/bash

foo11:x:1016:1016:foo11:/opt/ldapusers/foo11:/bin/bash

foo12:x:1017:1017:foo12:/opt/ldapusers/foo12:/bin/bash

foo13:x:1018:1018:foo13:/opt/ldapusers/foo13:/bin/bash

foo14:x:1019:1019:foo14:/opt/ldapusers/foo14:/bin/bash

 

foo15:x:1020:1020:foo15:/opt/ldapusers/foo15:/bin/bash

[root@metaq01 ~]# su - foo8

[foo8@metaq01 ~]$ logout

[root@metaq01 ~]# su - foo12

[foo12@metaq01 ~]$ logout

[root@metaq01 ~]# su - foo3

[foo3@metaq01 ~]$ pwd

/opt/ldapusers/foo3

[foo3@metaq01 ~]$ mount

proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)

sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime,seclabel)

devtmpfs on /dev type devtmpfs (rw,nosuid,seclabel,size=732784k,nr_inodes=183196,mode=755)

devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,seclabel,gid=5,mode=620,ptmxmode=000)

tmpfs on /run type tmpfs (rw,nosuid,nodev,seclabel,size=742424k,nr_inodes=185606,mode=755)

tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,seclabel,size=742424k,nr_inodes=185606,mode=755)

cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,xattr,release_agent=/usr/lib/systemd/systemd-cgroups-agent,name=systemd)

/dev/mapper/vg0-root on / type xfs (rw,relatime,seclabel,attr2,inode64,noquota)

/etc/auto.misc on /misc type autofs (rw,relatime,fd=6,pgrp=2731,timeout=300,minproto=5,maxproto=5,indirect)

-hosts on /net type autofs (rw,relatime,fd=12,pgrp=2731,timeout=300,minproto=5,maxproto=5,indirect)

/etc/auto.openldap on /opt/ldapusers type autofs (rw,relatime,fd=18,pgrp=2731,timeout=300,minproto=5,maxproto=5,indirect)

192.168.8.254:/opt/ldapusers/foo3 on /opt/ldapusers/foo3 type nfs4 (rw,relatime,vers=4.0,rsize=1048576,wsize=1048576,namlen=255,soft,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=192.168.8.101,local_lock=none,addr=192.168.8.254)

原文地址:https://www.cnblogs.com/lixuebin/p/10814042.html