Auto deploy from GitHub Actions build 463
[552ebbc] taoky: infra/ldap: sss in nsswitch sudoers
web-flow authored Sep 19, 2024
1 parent 3692b83 commit a6df04d
Showing 2 changed files with 44 additions and 44 deletions.
86 changes: 43 additions & 43 deletions infrastructure/ldap/index.html
Expand Up @@ -2998,12 +2998,12 @@ <h4 id="etcnsswitchconf">/etc/nsswitch.conf<a class="headerlink" href="#etcnsswi
<a id="__codelineno-3-5" name="__codelineno-3-5" href="#__codelineno-3-5"></a><span class="nt">sudoers</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">files ldap</span>
</code></pre></div>
<p>注意每一项后面的 <code>ldap</code>,如果没有要手动加上。不太清楚具体含义,反正给每一项都加上 <code>ldap</code> 是没有问题的。</p>
<div class="admonition info">
<p class="admonition-title">Debian 10 要改一下 sudoers 那一行</p>
<p>把 ldap 放前面,同时加上 <code>[SUCCESS=return]</code> 应该像下面这样:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-4-1" name="__codelineno-4-1" href="#__codelineno-4-1"></a>sudoers: ldap [SUCCESS=return] files
<p>对于使用 sssd 的配置,<strong>注意 <code>sudoers</code> 一行需要有 <code>sss</code></strong>,类似于下面这样:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-4-1" name="__codelineno-4-1" href="#__codelineno-4-1"></a><span class="nt">sudoers</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">files sss</span>
</code></pre></div>
<p>而如果使用传统的 <code>sudo-ldap</code>,那么 <code>sudoers</code> 一行应该类似于这样:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-5-1" name="__codelineno-5-1" href="#__codelineno-5-1"></a><span class="nt">sudoers</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ldap [SUCCESS=return] files</span>
</code></pre></div>
</div>
<p>重启一下 <code>nscd</code><code>nslcd</code> 服务,此时运行 <code>getent passwd</code>,应该可以看到比 <code>/etc/passwd</code> 更多的内容,这就说明配置正确了。</p>
<h4 id="pam">PAM 配置<a class="headerlink" href="#pam" title="Permanent link">&para;</a></h4>
<p>如果 PAM 配置错误,可能导致用户无法使用 SSH 登录,甚至连 sudo 也可能挂掉。所以修改 PAM 配置时:</p>
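Review bot: the new `sudoers: files sss` line now contradicts the unchanged sentence just above it (`给每一项都加上 ldap 是没有问题的`, i.e. "adding `ldap` to every entry is fine") and the `sudoers: files ldap` context line, so a reader on an sssd host is told two different things; reword that sentence so that `ldap` applies to nslcd hosts and `sss` to sssd hosts, and say so for passwd/group/shadow as well, not only for the sudoers line. Two things the new admonition should also state: `sss` on the sudoers line does nothing unless the sssd sudo responder is enabled (the `services = nss, pam, sudo` and `[sudo]` lines in the sssd.conf diff further down), and the two orderings are not equivalent, since `files sss` consults /etc/sudoers before LDAP while the sudo-ldap form `ldap [SUCCESS=return] files` stops at the first LDAP hit and never reads /etc/sudoers for a user who has LDAP rules; the removed Debian 10 note is where that `[SUCCESS=return]` explanation lived, and it should be carried over rather than dropped. Finally, the `getent passwd` check at the end of this hunk only verifies the nss side; suggest adding `sudo -l` as a user whose rules exist only in LDAP as the check that the sudoers source is actually being consulted.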
Expand All @@ -3012,43 +3012,43 @@ <h4 id="pam">PAM 配置<a class="headerlink" href="#pam" title="Permanent link">
<li>请另开一个 root 终端以防万一。</li>
</ol>
<p>对于 Debian 7+,只需设置一处。为了登录时自动创建家目录,在 <code>/etc/pam.d/common-session</code> 中添加下面这句:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-5-1" name="__codelineno-5-1" href="#__codelineno-5-1"></a>session<span class="w"> </span>required<span class="w"> </span>pam_mkhomedir.so<span class="w"> </span><span class="nv">skel</span><span class="o">=</span>/etc/skel<span class="w"> </span><span class="nv">umask</span><span class="o">=</span><span class="m">0022</span>
<div class="highlight"><pre><span></span><code><a id="__codelineno-6-1" name="__codelineno-6-1" href="#__codelineno-6-1"></a>session<span class="w"> </span>required<span class="w"> </span>pam_mkhomedir.so<span class="w"> </span><span class="nv">skel</span><span class="o">=</span>/etc/skel<span class="w"> </span><span class="nv">umask</span><span class="o">=</span><span class="m">0022</span>
</code></pre></div>
<p>对于 Debian 5,请查阅本文档的 Git 记录。</p>
<h4 id="sssd">SSSD 配置<a class="headerlink" href="#sssd" title="Permanent link">&para;</a></h4>
<p>由于 <code>sudo-ldap</code> 未来被废弃,sudo 的配置通过 sssd 实现,参考 <a href="https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sssd-ldap-sudo.html">https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sssd-ldap-sudo.html</a></p>
<p><code>/usr/share/doc/sssd-common/examples/sssd-example.conf</code> 复制到 <code>/etc/sssd/sssd.conf</code> 并修改权限为 600。</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-6-1" name="__codelineno-6-1" href="#__codelineno-6-1"></a>[taoky@gateway-nic ~]$ sudo diff /usr/share/doc/sssd-common/examples/sssd-example.conf /etc/sssd/sssd.conf
<a id="__codelineno-6-2" name="__codelineno-6-2" href="#__codelineno-6-2"></a><span class="gu">3c3</span>
<a id="__codelineno-6-3" name="__codelineno-6-3" href="#__codelineno-6-3"></a><span class="gd">&lt; services = nss, pam</span>
<a id="__codelineno-6-4" name="__codelineno-6-4" href="#__codelineno-6-4"></a><span class="gs">---</span>
<a id="__codelineno-6-5" name="__codelineno-6-5" href="#__codelineno-6-5"></a><span class="gi">&gt; services = nss, pam, sudo</span>
<a id="__codelineno-6-6" name="__codelineno-6-6" href="#__codelineno-6-6"></a><span class="gu">8c8,10</span>
<a id="__codelineno-6-7" name="__codelineno-6-7" href="#__codelineno-6-7"></a><span class="gd">&lt; ; domains = LDAP</span>
<a id="__codelineno-6-8" name="__codelineno-6-8" href="#__codelineno-6-8"></a><span class="gs">---</span>
<a id="__codelineno-6-9" name="__codelineno-6-9" href="#__codelineno-6-9"></a><span class="gi">&gt; domains = LDAP</span>
<a id="__codelineno-6-10" name="__codelineno-6-10" href="#__codelineno-6-10"></a>&gt;
<a id="__codelineno-6-11" name="__codelineno-6-11" href="#__codelineno-6-11"></a><span class="gi">&gt; [sudo]</span>
<a id="__codelineno-6-12" name="__codelineno-6-12" href="#__codelineno-6-12"></a>15,17c17,19
<a id="__codelineno-6-13" name="__codelineno-6-13" href="#__codelineno-6-13"></a><span class="gd">&lt; ; [domain/LDAP]</span>
<a id="__codelineno-6-14" name="__codelineno-6-14" href="#__codelineno-6-14"></a><span class="gd">&lt; ; id_provider = ldap</span>
<a id="__codelineno-6-15" name="__codelineno-6-15" href="#__codelineno-6-15"></a><span class="gd">&lt; ; auth_provider = ldap</span>
<a id="__codelineno-6-16" name="__codelineno-6-16" href="#__codelineno-6-16"></a><span class="gs">---</span>
<a id="__codelineno-6-17" name="__codelineno-6-17" href="#__codelineno-6-17"></a><span class="gi">&gt; [domain/LDAP]</span>
<a id="__codelineno-6-18" name="__codelineno-6-18" href="#__codelineno-6-18"></a><span class="gi">&gt; id_provider = ldap</span>
<a id="__codelineno-6-19" name="__codelineno-6-19" href="#__codelineno-6-19"></a><span class="gi">&gt; auth_provider = ldap</span>
<a id="__codelineno-6-20" name="__codelineno-6-20" href="#__codelineno-6-20"></a>22,24c24,26
<a id="__codelineno-6-21" name="__codelineno-6-21" href="#__codelineno-6-21"></a><span class="gd">&lt; ; ldap_schema = rfc2307</span>
<a id="__codelineno-6-22" name="__codelineno-6-22" href="#__codelineno-6-22"></a><span class="gd">&lt; ; ldap_uri = ldap://ldap.mydomain.org</span>
<a id="__codelineno-6-23" name="__codelineno-6-23" href="#__codelineno-6-23"></a><span class="gd">&lt; ; ldap_search_base = dc=mydomain,dc=org</span>
<a id="__codelineno-6-24" name="__codelineno-6-24" href="#__codelineno-6-24"></a><span class="gs">---</span>
<a id="__codelineno-6-25" name="__codelineno-6-25" href="#__codelineno-6-25"></a><span class="gi">&gt; ldap_schema = rfc2307</span>
<a id="__codelineno-6-26" name="__codelineno-6-26" href="#__codelineno-6-26"></a><span class="gi">&gt; ldap_uri = ldaps://ldap.lug.ustc.edu.cn</span>
<a id="__codelineno-6-27" name="__codelineno-6-27" href="#__codelineno-6-27"></a><span class="gi">&gt; ldap_search_base = dc=lug,dc=ustc,dc=edu,dc=cn</span>
<a id="__codelineno-6-28" name="__codelineno-6-28" href="#__codelineno-6-28"></a>30c32
<a id="__codelineno-6-29" name="__codelineno-6-29" href="#__codelineno-6-29"></a><span class="gd">&lt; ; cache_credentials = true</span>
<a id="__codelineno-6-30" name="__codelineno-6-30" href="#__codelineno-6-30"></a><span class="gs">---</span>
<a id="__codelineno-6-31" name="__codelineno-6-31" href="#__codelineno-6-31"></a><span class="gi">&gt; cache_credentials = true</span>
<div class="highlight"><pre><span></span><code><a id="__codelineno-7-1" name="__codelineno-7-1" href="#__codelineno-7-1"></a>[taoky@gateway-nic ~]$ sudo diff /usr/share/doc/sssd-common/examples/sssd-example.conf /etc/sssd/sssd.conf
<a id="__codelineno-7-2" name="__codelineno-7-2" href="#__codelineno-7-2"></a><span class="gu">3c3</span>
<a id="__codelineno-7-3" name="__codelineno-7-3" href="#__codelineno-7-3"></a><span class="gd">&lt; services = nss, pam</span>
<a id="__codelineno-7-4" name="__codelineno-7-4" href="#__codelineno-7-4"></a><span class="gs">---</span>
<a id="__codelineno-7-5" name="__codelineno-7-5" href="#__codelineno-7-5"></a><span class="gi">&gt; services = nss, pam, sudo</span>
<a id="__codelineno-7-6" name="__codelineno-7-6" href="#__codelineno-7-6"></a><span class="gu">8c8,10</span>
<a id="__codelineno-7-7" name="__codelineno-7-7" href="#__codelineno-7-7"></a><span class="gd">&lt; ; domains = LDAP</span>
<a id="__codelineno-7-8" name="__codelineno-7-8" href="#__codelineno-7-8"></a><span class="gs">---</span>
<a id="__codelineno-7-9" name="__codelineno-7-9" href="#__codelineno-7-9"></a><span class="gi">&gt; domains = LDAP</span>
<a id="__codelineno-7-10" name="__codelineno-7-10" href="#__codelineno-7-10"></a>&gt;
<a id="__codelineno-7-11" name="__codelineno-7-11" href="#__codelineno-7-11"></a><span class="gi">&gt; [sudo]</span>
<a id="__codelineno-7-12" name="__codelineno-7-12" href="#__codelineno-7-12"></a>15,17c17,19
<a id="__codelineno-7-13" name="__codelineno-7-13" href="#__codelineno-7-13"></a><span class="gd">&lt; ; [domain/LDAP]</span>
<a id="__codelineno-7-14" name="__codelineno-7-14" href="#__codelineno-7-14"></a><span class="gd">&lt; ; id_provider = ldap</span>
<a id="__codelineno-7-15" name="__codelineno-7-15" href="#__codelineno-7-15"></a><span class="gd">&lt; ; auth_provider = ldap</span>
<a id="__codelineno-7-16" name="__codelineno-7-16" href="#__codelineno-7-16"></a><span class="gs">---</span>
<a id="__codelineno-7-17" name="__codelineno-7-17" href="#__codelineno-7-17"></a><span class="gi">&gt; [domain/LDAP]</span>
<a id="__codelineno-7-18" name="__codelineno-7-18" href="#__codelineno-7-18"></a><span class="gi">&gt; id_provider = ldap</span>
<a id="__codelineno-7-19" name="__codelineno-7-19" href="#__codelineno-7-19"></a><span class="gi">&gt; auth_provider = ldap</span>
<a id="__codelineno-7-20" name="__codelineno-7-20" href="#__codelineno-7-20"></a>22,24c24,26
<a id="__codelineno-7-21" name="__codelineno-7-21" href="#__codelineno-7-21"></a><span class="gd">&lt; ; ldap_schema = rfc2307</span>
<a id="__codelineno-7-22" name="__codelineno-7-22" href="#__codelineno-7-22"></a><span class="gd">&lt; ; ldap_uri = ldap://ldap.mydomain.org</span>
<a id="__codelineno-7-23" name="__codelineno-7-23" href="#__codelineno-7-23"></a><span class="gd">&lt; ; ldap_search_base = dc=mydomain,dc=org</span>
<a id="__codelineno-7-24" name="__codelineno-7-24" href="#__codelineno-7-24"></a><span class="gs">---</span>
<a id="__codelineno-7-25" name="__codelineno-7-25" href="#__codelineno-7-25"></a><span class="gi">&gt; ldap_schema = rfc2307</span>
<a id="__codelineno-7-26" name="__codelineno-7-26" href="#__codelineno-7-26"></a><span class="gi">&gt; ldap_uri = ldaps://ldap.lug.ustc.edu.cn</span>
<a id="__codelineno-7-27" name="__codelineno-7-27" href="#__codelineno-7-27"></a><span class="gi">&gt; ldap_search_base = dc=lug,dc=ustc,dc=edu,dc=cn</span>
<a id="__codelineno-7-28" name="__codelineno-7-28" href="#__codelineno-7-28"></a>30c32
<a id="__codelineno-7-29" name="__codelineno-7-29" href="#__codelineno-7-29"></a><span class="gd">&lt; ; cache_credentials = true</span>
<a id="__codelineno-7-30" name="__codelineno-7-30" href="#__codelineno-7-30"></a><span class="gs">---</span>
<a id="__codelineno-7-31" name="__codelineno-7-31" href="#__codelineno-7-31"></a><span class="gi">&gt; cache_credentials = true</span>
</code></pre></div>
<div class="admonition danger">
<p class="admonition-title"></p>
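Review bot: this hunk only renumbers the `__codelineno-6-*` ids and names to `__codelineno-7-*` (and `-5-` to `-6-` on the `pam_mkhomedir.so` line) because a code block was inserted above; no content changes, but any saved permalink into the sssd.conf diff (for example `#__codelineno-6-26`) now lands one block off, so cross-references on the page should be rechecked. While touching this block: the diff switches `ldap_uri` to `ldaps://ldap.lug.ustc.edu.cn` and enables `cache_credentials = true`, yet no `ldap_tls_cacert` or `ldap_tls_reqcert` line appears, so the example relies on sssd's default certificate verification and the system trust store; worth stating explicitly which CA is expected to verify that name, since cached credentials on disk (hence the 600 permission requirement mentioned above) and an unverified LDAPS endpoint are exactly the two things a reader of this section needs to get right.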
Expand All @@ -3057,25 +3057,25 @@ <h4 id="sssd">SSSD 配置<a class="headerlink" href="#sssd" title="Permanent lin
<p>另外记得像前面在 Debian 中安装介绍到的那样修改 <code>/etc/nsswitch.conf</code> 以及 <code>/etc/nslcd.conf</code>.</p>
<h3 id="nscd">NSCD 使用说明<a class="headerlink" href="#nscd" title="Permanent link">&para;</a></h3>
<p>在 SSSD 未安装的情况下,NSCD 会提供 LDAP 缓存服务。如果在使用 NSCD 的机器上需要清空 LDAP 缓存,执行以下命令:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-7-1" name="__codelineno-7-1" href="#__codelineno-7-1"></a>nscd<span class="w"> </span>-i<span class="w"> </span>passwd
<a id="__codelineno-7-2" name="__codelineno-7-2" href="#__codelineno-7-2"></a>nscd<span class="w"> </span>-i<span class="w"> </span>group
<div class="highlight"><pre><span></span><code><a id="__codelineno-8-1" name="__codelineno-8-1" href="#__codelineno-8-1"></a>nscd<span class="w"> </span>-i<span class="w"> </span>passwd
<a id="__codelineno-8-2" name="__codelineno-8-2" href="#__codelineno-8-2"></a>nscd<span class="w"> </span>-i<span class="w"> </span>group
</code></pre></div>
<p>如果 SSSD 安装,<code>systemctl status sssd</code> 会显示 SSSD 与 NSCD 同时提供了相关缓存,可能存在冲突问题:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-8-1" name="__codelineno-8-1" href="#__codelineno-8-1"></a>NSCD socket was detected and seems to be configured to cache some of the databases controlled by SSSD [passwd,group,netgroup,services].
<div class="highlight"><pre><span></span><code><a id="__codelineno-9-1" name="__codelineno-9-1" href="#__codelineno-9-1"></a>NSCD socket was detected and seems to be configured to cache some of the databases controlled by SSSD [passwd,group,netgroup,services].
</code></pre></div>
<p>需要修改 <code>/etc/nscd.conf</code>,将提及的 <code>passwd</code>, <code>group</code>, <code>netgroup</code><code>services</code><code>enable-cache</code> 设置为 <code>no</code></p>
<h2 id="ldap-cli">LDAP CLI 工具使用说明<a class="headerlink" href="#ldap-cli" title="Permanent link">&para;</a></h2>
<p>这里以 <code>ldappasswd</code> 为例,其余 ldap 系列指令与其大致相同:</p>
<p>LDAP 利用 dn 来定位一个用户,以下指令可以列出所有用户及其 dn:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-9-1" name="__codelineno-9-1" href="#__codelineno-9-1"></a>ldapsearch<span class="w"> </span>-x<span class="w"> </span>-LLL<span class="w"> </span><span class="nv">uid</span><span class="o">=</span>*<span class="w"> </span>uid
<div class="highlight"><pre><span></span><code><a id="__codelineno-10-1" name="__codelineno-10-1" href="#__codelineno-10-1"></a>ldapsearch<span class="w"> </span>-x<span class="w"> </span>-LLL<span class="w"> </span><span class="nv">uid</span><span class="o">=</span>*<span class="w"> </span>uid
</code></pre></div>
<p><code>-x</code> 指定使用 Simple authentication,即使用密码认证。</p>
<p>如果要修改一个用户的密码,使用:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-10-1" name="__codelineno-10-1" href="#__codelineno-10-1"></a>ldappasswd<span class="w"> </span>-x<span class="w"> </span>-D<span class="w"> </span><span class="s1">&#39;&lt;executor dn&gt;&#39;</span><span class="w"> </span>-W<span class="w"> </span>-S<span class="w"> </span><span class="s1">&#39;&lt;target user dn&gt;&#39;</span>
<div class="highlight"><pre><span></span><code><a id="__codelineno-11-1" name="__codelineno-11-1" href="#__codelineno-11-1"></a>ldappasswd<span class="w"> </span>-x<span class="w"> </span>-D<span class="w"> </span><span class="s1">&#39;&lt;executor dn&gt;&#39;</span><span class="w"> </span>-W<span class="w"> </span>-S<span class="w"> </span><span class="s1">&#39;&lt;target user dn&gt;&#39;</span>
</code></pre></div>
<p><code>-D '&lt;executor dn&gt;'</code> 指定了执行者的身份,<code>-W</code>/<code>-S</code> 指定了接下来询问执行者/目标用户的密码/旧密码。</p>
<p>需要额外注意的是,在 CLI 中添加/删除用户或更改用户密码时需要以 LDAP admin 执行,否则会有报错:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-11-1" name="__codelineno-11-1" href="#__codelineno-11-1"></a>Insufficient access (50) additional info: no write access to parent
<div class="highlight"><pre><span></span><code><a id="__codelineno-12-1" name="__codelineno-12-1" href="#__codelineno-12-1"></a>Insufficient access (50) additional info: no write access to parent
</code></pre></div>
<p>或是其他的权限不足的错误。</p>
<h2 id="_4">部署情况<a class="headerlink" href="#_4" title="Permanent link">&para;</a></h2>
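Review bot: renumbering only (`-7-` through `-11-` become `-8-` through `-12-`), no content change. One caveat worth adding to the `ldapsearch` and `ldappasswd` lines this hunk touches: both use `-x` (simple bind) with no `-H` URI, so they bind to whatever the client ldap.conf names as the default URI; if that is a plain `ldap://` URI the executor's password and the new user password are sent in clear text. The sssd example earlier on the page already uses `ldaps://ldap.lug.ustc.edu.cn`, so suggest `-H ldaps://...` (or `-ZZ` to require StartTLS) in these commands so the CLI section matches it.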
2 changes: 1 addition & 1 deletion search/search_index.json