Contents
- 1. Install the OpenLDAP service
- 2. Import the root domain and the administrator account
- 3. Import the base file, users and groups
- 4. Configure the OpenLDAP client
Test environment
1. CentOS 7.4
2. OpenLDAP 2.4.44
Pick one server in the cluster (pd-cdh-192-0-7-node) as the OpenLDAP server.
- 1. Run the following command to install the OpenLDAP service
[root@pd-cdh-192-168-0-7-node ~]# yum -y install openldap openldap-clients openldap-servers migrationtools openldap-devel nss-pam-ldapd bind-dyndb-ldap compat-openldap perl-LDAP krb5-server-ldap php-ldap openssl
Check the installed RPM packages
[root@pd-cdh-192-168-0-7-node ~]# rpm -qa |grep openldap
openldap-clients-2.4.44-24.el7_9.x86_64
compat-openldap-2.3.43-5.el7.x86_64
openldap-servers-2.4.44-24.el7_9.x86_64
openldap-2.4.44-24.el7_9.x86_64
openldap-devel-2.4.44-24.el7_9.x86_64
- 2. Edit the OpenLDAP slapd.ldif configuration file
After the OpenLDAP service is installed, the default configuration file and database files are under /usr/share/openldap-servers
[root@pd-cdh-192-168-0-7-node ~]# cp /usr/share/openldap-servers/slapd.ldif /root/
[root@pd-cdh-192-168-0-7-node ~]# vim slapd.ldif
#
# See slapd-config(5) for details on configuration options.
# This file should NOT be world readable.
#
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/openldap/slapd.args
olcPidFile: /var/run/openldap/slapd.pid
#
# TLS settings
# Comment out the following lines if TLS encryption is not needed
#olcTLSCACertificatePath: /etc/openldap/certs
#olcTLSCertificateFile: "OpenLDAP Server"
#olcTLSCertificateKeyFile: /etc/openldap/certs/password
#
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#
#olcReferral: ldap://root.openldap.org
#
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 64-bit encryption for simple bind
#
#olcSecurity: ssf=1 update_ssf=112 simple_bind=64
#
# Load dynamic backend modules:
# - modulepath is architecture dependent value (32/64-bit system)
# - back_sql.la backend requires openldap-servers-sql package
# - dyngroup.la and dynlist.la cannot be used at the same time
#
#dn: cn=module,cn=config
#objectClass: olcModuleList
#cn: module
#olcModulepath: /usr/lib/openldap
#olcModulepath: /usr/lib64/openldap
#olcModuleload: accesslog.la
#olcModuleload: auditlog.la
#olcModuleload: back_dnssrv.la
#olcModuleload: back_ldap.la
#olcModuleload: back_mdb.la
#olcModuleload: back_meta.la
#olcModuleload: back_null.la
#olcModuleload: back_passwd.la
#olcModuleload: back_relay.la
#olcModuleload: back_shell.la
#olcModuleload: back_sock.la
#olcModuleload: collect.la
#olcModuleload: constraint.la
#olcModuleload: dds.la
#olcModuleload: deref.la
#olcModuleload: dyngroup.la
#olcModuleload: dynlist.la
#olcModuleload: memberof.la
#olcModuleload: pcache.la
#olcModuleload: ppolicy.la
#olcModuleload: refint.la
#olcModuleload: retcode.la
#olcModuleload: rwm.la
#olcModuleload: seqmod.la
#olcModuleload: smbk5pwd.la
#olcModuleload: sssvlv.la
#olcModuleload: syncprov.la
#olcModuleload: translucent.la
#olcModuleload: unique.la
#olcModuleload: valsort.la
#
# Schema settings
#
dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema
# The includes below must be copied into the configuration file; only core.ldif is there by default. Mind the file order.
include: file:///etc/openldap/schema/corba.ldif
include: file:///etc/openldap/schema/core.ldif
include: file:///etc/openldap/schema/cosine.ldif
include: file:///etc/openldap/schema/duaconf.ldif
include: file:///etc/openldap/schema/dyngroup.ldif
include: file:///etc/openldap/schema/inetorgperson.ldif
include: file:///etc/openldap/schema/java.ldif
include: file:///etc/openldap/schema/misc.ldif
include: file:///etc/openldap/schema/nis.ldif
include: file:///etc/openldap/schema/openldap.ldif
include: file:///etc/openldap/schema/ppolicy.ldif
include: file:///etc/openldap/schema/collective.ldif
#
# Frontend settings
#
dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend
#
# Sample global access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
#
#olcAccess: to dn.base="" by * read
#olcAccess: to dn.base="cn=Subschema" by * read
#olcAccess: to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#
#
# Configuration database
#
dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none
#
# Server status monitoring
# Note: replace cn=Manager,dc=pudu,dc=com here with your own domain
dn: olcDatabase=monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: monitor
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=pudu,dc=com" read by * none
#
# Backend database definitions
# Replace the whole database configuration section with the following
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: hdb
olcSuffix: dc=pudu,dc=com
olcRootDN: cn=Manager,dc=pudu,dc=com
# Administrator password
olcRootPW: 123456
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
olcDbIndex: uidNumber,gidNumber,loginShell eq,pres
olcDbIndex: uid,memberUid eq,pres,sub
olcDbIndex: nisMapName,nisMapEntry eq,pres,sub
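The slapd.ldif above stores olcRootPW as the cleartext 123456, while slappasswd would emit an {SSHA} value instead. As an added example (not from the original post), the following Python reproduces that scheme, base64 of SHA-1(password + salt) followed by the salt, so the value can be generated and verified without a running server; the function names are mine.

```python
import base64
import hashlib
import hmac
import os

SSHA_PREFIX = "{SSHA}"


def ssha_hash(password, salt=None):
    """Build an OpenLDAP {SSHA} value: base64(SHA-1(password + salt) + salt).
    A random 4-byte salt is used when none is given (the size slappasswd uses)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a password against a {SSHA} value; the salt is whatever follows
    the 20-byte SHA-1 digest, so any salt length a tool chose is accepted."""
    if not stored.startswith(SSHA_PREFIX):
        raise ValueError("not an {SSHA} value")
    blob = base64.b64decode(stored[len(SSHA_PREFIX):])
    digest, salt = blob[:20], blob[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)   # constant-time compare


def root_pw_line(password):
    """The olcRootPW line to put in slapd.ldif instead of the cleartext one."""
    return "olcRootPW: " + ssha_hash(password)


if __name__ == "__main__":
    line = root_pw_line("123456")             # the page's sample password
    print(line)
    print(ssha_verify("123456", line.split(": ", 1)[1]))   # True
```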
- 3. Regenerate the OpenLDAP configuration
# Remove the default configuration
[root@pd-cdh-192-168-0-7-node ~]# rm -rf /etc/openldap/slapd.d/*
# Generate the new configuration
[root@pd-cdh-192-168-0-7-node ~]# slapadd -F /etc/openldap/slapd.d -n 0 -l slapd.ldif
# Test the configuration
[root@pd-cdh-192-168-0-7-node ~]# slaptest -u -F /etc/openldap/slapd.d
# Fix the file ownership
[root@pd-cdh-192-168-0-7-node ~]# chown -R ldap. /etc/openldap/slapd.d/
- 4. Install the OpenLDAP database file
[root@pd-cdh-192-168-0-7-node ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@pd-cdh-192-168-0-7-node ~]# chown -R ldap. /var/lib/ldap/
- Start the service
[root@pd-cdh-192-168-0-7-node ~]# systemctl enable slapd
[root@pd-cdh-192-168-0-7-node ~]# systemctl start slapd
[root@pd-cdh-192-168-0-7-node ~]# systemctl status slapd
Server-side configuration
- Import the root domain and the administrator account
# Edit the configuration file
[root@pd-cdh-192-168-0-7-node ~]# vim root.ldif
dn: dc=pudu,dc=com
dc: pudu
objectClass: top
objectClass: domain

dn: cn=Manager,dc=pudu,dc=com
objectClass: organizationalRole
cn: Manager
# Import
[root@pd-cdh-192-168-0-7-node ~]# ldapadd -D "cn=Manager,dc=pudu,dc=com" -W -x -f root.ldif
# Check that the import succeeded
[root@pd-cdh-192-168-0-7-node ~]# ldapsearch -h pd-cdh-192-168-0-7-node -b "dc=pudu,dc=com" -D "cn=Manager,dc=pudu,dc=com" -W
- Import the base file, users and groups
# Edit the migration template
[root@pd-cdh-192-168-0-7-node ~]# vim /usr/share/migrationtools/migrate_common.ph
# Change the values of the $DEFAULT_MAIL_DOMAIN and $DEFAULT_base variables
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "pudu.com";
# Default base
$DEFAULT_base = "dc=pudu,dc=com";
# Export the OpenLDAP base.ldif file
[root@pd-cdh-192-168-0-7-node ~]# /usr/share/migrationtools/migrate_base.pl > base.ldif
[root@pd-cdh-192-168-0-7-node ~]# vim base.ldif
# Keep only the entries that are needed
dn: ou=People,dc=pudu,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=pudu,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
# Export the operating system groups to group.ldif
[root@pd-cdh-192-168-0-7-node ~]# /usr/share/migrationtools/migrate_group.pl /etc/group > group.ldif
[root@pd-cdh-192-168-0-7-node ~]# vim group.ldif
# Keep only the entries that are needed
dn: cn=root,ou=Group,dc=pudu,dc=com
objectClass: posixGroup
objectClass: top
cn: root
userPassword: {crypt}x
gidNumber: 0

dn: cn=pudu,ou=Group,dc=pudu,dc=com
objectClass: posixGroup
objectClass: top
cn: pudu
userPassword: {crypt}x
gidNumber: 1001
# Export the operating system users to an ldif file
[root@pd-cdh-192-168-0-7-node ~]# /usr/share/migrationtools/migrate_passwd.pl /etc/passwd > user.ldif
[root@pd-cdh-192-168-0-7-node ~]# vim user.ldif
# Keep only the entries that are needed
dn: uid=root,ou=People,dc=pudu,dc=com
uid: root
cn: root
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$1$EVbxyGRp$MtFVbWZyrdFodu92MYuhN.
shadowLastChange: 18864
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 0
gidNumber: 0
homeDirectory: /root
gecos: root

dn: uid=pudu,ou=People,dc=pudu,dc=com
uid: pudu
cn: pudu
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}!!
shadowLastChange: 17566
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/pudu
Make sure the user entries correspond to the groups in group.ldif (each user's gidNumber must exist as a group), otherwise users will end up without a matching group.
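As an added check (not part of the original post), this Python script parses the two LDIF files and lists every posixAccount whose gidNumber has no matching posixGroup, which is the mismatch the note above warns about; the sample LDIF is constructed and the function names are assumptions.

```python
import base64

def parse_ldif(text):
    """Parse LDIF into entries {attribute (lowercased): [values]}; folded lines and base64 ('attr:: ...') values are unwrapped."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]        # continuation of the previous line
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded + [""]:           # trailing "" flushes the last entry
        if line.startswith("#"):
            continue                       # comments do not terminate an entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):          # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries

def has_class(entry, name):
    return name.lower() in (c.lower() for c in entry.get("objectclass", []))

def missing_primary_groups(user_ldif, group_ldif):
    """Return [(uid, gidNumber)] for each posixAccount in user_ldif whose
    gidNumber is not defined by any posixGroup in group_ldif."""
    known = {g["gidnumber"][0] for g in parse_ldif(group_ldif)
             if has_class(g, "posixGroup") and "gidnumber" in g}
    users = [u for u in parse_ldif(user_ldif) if has_class(u, "posixAccount")]
    return [(u["uid"][0], u.get("gidnumber", ["<missing>"])[0]) for u in users
            if u.get("gidnumber", ["<missing>"])[0] not in known]

# Constructed sample data: group 'pudu' (gid 1001) exists, gid 2000 does not.
GROUP_LDIF = "dn: cn=pudu,ou=Group,dc=pudu,dc=com\nobjectClass: posixGroup\ncn: pudu\ngidNumber: 1001\n"
USER_LDIF = """\
dn: uid=pudu,ou=People,dc=pudu,dc=com
uid: pudu
objectClass: posixAccount
gidNumber: 1001

dn: uid=orphan,ou=People,dc=pudu,dc=com
uid: orphan
objectClass: posixAccount
gidNumber: 2000
"""
if __name__ == "__main__":
    for uid, gid in missing_primary_groups(USER_LDIF, GROUP_LDIF):
        print(f"{uid}: gidNumber {gid} has no posixGroup in group.ldif")
```

Run it against the real user.ldif and group.ldif (read the files into the two arguments) before the ldapadd step below.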
- Import the base file, users and groups into OpenLDAP with ldapadd
[root@pd-cdh-192-168-0-7-node ~]# ldapadd -D "cn=Manager,dc=pudu,dc=com" -W -x -f base.ldif
[root@pd-cdh-192-168-0-7-node ~]# ldapadd -D "cn=Manager,dc=pudu,dc=com" -W -x -f group.ldif
[root@pd-cdh-192-168-0-7-node ~]# ldapadd -D "cn=Manager,dc=pudu,dc=com" -W -x -f user.ldif
- Check the import result
[root@pd-cdh-192-168-0-7-node ~]# ldapsearch -h pd-cdh-192-168-0-7-node -b "dc=pudu,dc=com" -D "cn=Manager,dc=pudu,dc=com" -W |grep dn
Enter LDAP Password:
dn: dc=pudu,dc=com
dn: cn=Manager,dc=pudu,dc=com
dn: ou=People,dc=pudu,dc=com
dn: ou=Group,dc=pudu,dc=com
dn: cn=root,ou=Group,dc=pudu,dc=com
dn: cn=pudu,ou=Group,dc=pudu,dc=com
dn: uid=root,ou=People,dc=pudu,dc=com
dn: uid=pudu,ou=People,dc=pudu,dc=com
dn: uid=testldap,ou=People,dc=pudu,dc=com
dn: cn=test,ou=Group,dc=pudu,dc=com
dn: uid=hive,ou=People,dc=pudu,dc=com
dn: cn=hive,ou=Group,dc=pudu,dc=com
dn: cn=operate,ou=Group,dc=pudu,dc=com
dn: uid=operate,ou=People,dc=pudu,dc=com
dn: cn=etl,ou=Group,dc=pudu,dc=com
dn: uid=caokw,ou=People,dc=pudu,dc=com
dn: uid=wangsb,ou=People,dc=pudu,dc=com
dn: uid=zhousp,ou=People,dc=pudu,dc=com
dn: uid=liuly,ou=People,dc=pudu,dc=com
dn: uid=zengqy,ou=People,dc=pudu,dc=com
dn: uid=impala,ou=People,dc=pudu,dc=com
[root@pd-cdh-192-168-0-7-node ~]#
OpenLDAP client configuration
# Install the client
[root@pd-cdh-192-168-0-7-node ~]# yum -y install openldap-clients sssd authconfig nss-pam-ldapd
# Edit the configuration file
[root@pd-cdh-192-168-0-7-node ~]# vim /etc/openldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#base dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
TLS_CACERTDIR /etc/openldap/cacerts
URI ldap://pd-cdh-192-168-0-7-node
base dc=pudu,dc=com
# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON on
# Check that the client configuration is correct
[root@pd-cdh-192-168-0-7-node ~]# ldapsearch -D "cn=Manager,dc=pudu,dc=com" -W |grep dn
Integrating OpenLDAP with SSH login and syncing users with sssd
- 1. Edit /etc/sssd/sssd.conf
[root@pd-cdh-192-168-0-7-node ~]# vim /etc/sssd/sssd.conf
[domain/default]
autofs_provider = ldap
cache_credentials = True
ldap_search_base = dc=pudu,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://pd-cdh-192-168-0-7-node
ldap_id_use_start_tls = False
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_schema = rfc2307bis
[sssd]
services = nss, pam, autofs
domains = default
[nss]
homedir_substring = /home
[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
[secrets]
[session_recording]
[root@pd-cdh-192-168-0-7-node ~]# chmod 600 /etc/sssd/sssd.conf
[root@pd-cdh-192-168-0-7-node ~]# systemctl start sssd
[root@pd-cdh-192-168-0-7-node ~]# systemctl enable sssd
[root@pd-cdh-192-168-0-7-node ~]# systemctl status sssd
Integrating OpenLDAP with SSH
- 1. Edit the configuration file /etc/ssh/sshd_config
[root@pd-cdh-192-168-0-7-node ~]# vim /etc/ssh/sshd_config
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.
### This is the setting to check
UsePAM yes
- 2. Edit the configuration file /etc/pam.d/sshd
[root@pd-cdh-192-168-0-7-node ~]# vim /etc/pam.d/sshd
#%PAM-1.0
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Add the following line
session required pam_mkhomedir.so # with this line the user's home directory is created after a successful login
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare
- 3. Edit the configuration file /etc/pam.d/password-auth
[root@pd-cdh-192-168-0-7-node ~]# vim /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
#auth sufficient pam_sss.so forward_pass
### Added
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
#account [default=bad success=ok user_unknown=ignore] pam_sss.so
### Added
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
#password sufficient pam_sss.so use_authtok
### Added
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
#session optional pam_sss.so
### Added
session optional pam_ldap.so
- 4. Edit the configuration file /etc/pam.d/system-auth
[root@pd-cdh-192-168-0-7-node ~]# vim /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
#auth sufficient pam_sss.so forward_pass
### Added
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
#account [default=bad success=ok user_unknown=ignore] pam_sss.so
### Added
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
#password sufficient pam_sss.so use_authtok
### Added
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
### Added
#session optional pam_sss.so
session optional pam_ldap.so
- 5. Restart the sshd service
[root@pd-cdh-192-168-0-7-node ~]# systemctl restart sshd
[root@pd-cdh-192-168-0-7-node ~]# systemctl status sshd
Hive integration with OpenLDAP authentication on RedHat 7
1. Log in to the CM web console, open the Hive service and disable Hive impersonation
hive.server2.enable.doAs = false
2. Change the LDAP settings. This is a global setting; once it is set, every HiveServer2 instance uses it
Enable LDAP Authentication = true
hive.server2.authentication.ldap.url = ldap://pd-cdh-192-168-0-7-node
hive.server2.authentication.ldap.baseDN = ou=People,dc=pudu,dc=com
Save the configuration and restart the Hive service
1. Log in to the CM web console, open the Impala service and change the LDAP settings
enable_ldap_auth = true
ldap_uri = ldap://pd-cdh-192-168-0-7-node
ldap_baseDN = ou=People,dc=pudu,dc=com
Impala Daemon Command Line Argument Advanced Configuration Snippet
--ldap_passwords_in_clear_ok
--authorized_proxy_user_config=hive=*
First create a hive group and a hive user in OpenLDAP
- Log in to CM as an administrator, open the Hue configuration page and change Hue's authentication backend to LDAP
Note: it is better to put this configuration in hue_safety_valve.ini
[desktop]
ldap_username=hive
ldap_password=hive
[[ldap]]
ldap_url=ldap://pd-cdh-192-168-0-7-node
ldap_username_pattern="uid=<username>,ou=People,dc=pudu,dc=com"
use_start_tls=false
base_dn="dc=pudu,dc=com"
sync_groups_on_login=true
search_bind_authentication=false
create_users_on_login=true
[[[users]]]
user_filter=objectClass=*
user_name_attr=uid
[[[groups]]]
group_filter=objectClass=*
group_name_attr=cn
group_member_attr=memberUid
You also need to set the following in the HDFS Cluster-wide Advanced Configuration Snippet (Safety Valve) for core-site.xml
hadoop.proxyuser.hive.hosts = *
hadoop.proxyuser.hive.groups = *