http://mayiwei.com/2013/03/21/centos6-openldap/

http://www.zytrax.com/books/ldap/ch11/dynamic.html

https://www.linux.com/blog/centralized-authentication-openldap

https://live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/304/1/How_to_Work_with_UserID_and_OpenLDAP_Dynamic_Groups.pdf

http://serverfault.com/questions/643650/ssh-access-to-hosts-groups-based-on-user-groups-using-ldap

https://www.jqlinux.com/archives/600

http://blog.oddbit.com/2013/07/22/generating-a-membero/

文档

man slapo-dynlist

导入ldapns.schema方案,(hostObject类属性)

https://github.com/openldap/openldap/blob/master/contrib/slapd-modules/nssov/ldapns.schema

cat > /etc/openldap/schema/ldapns.schema << _EOF_

# $OpenLDAP$

# $Id: ldapns.schema,v 1.3 2009-10-01 19:17:20 tedcheng Exp $

# LDAP Name Service Additional Schema

# http://www.iana.org/assignments/gssapi-service-names

#

# Not part of the distribution: this is a workaround!

#

attributetype ( 1.3.6.1.4.1.5322.17.2.1 NAME 'authorizedService'

          DESC 'IANA GSS-API authorized service name'

          EQUALITY caseIgnoreMatch

          SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )

attributetype ( 1.3.6.1.4.1.5322.17.2.2 NAME 'loginStatus'

          DESC 'Currently logged in sessions for a user'

          EQUALITY caseIgnoreMatch

          SUBSTR caseIgnoreSubstringsMatch

          ORDERING caseIgnoreOrderingMatch

          SYNTAX OMsDirectoryString )

objectclass ( 1.3.6.1.4.1.5322.17.1.1 NAME 'authorizedServiceObject'

          DESC 'Auxiliary object class for adding authorizedService attribute'

          SUP top

          AUXILIARY

          MAY authorizedService )

objectclass ( 1.3.6.1.4.1.5322.17.1.2 NAME 'hostObject'

          DESC 'Auxiliary object class for adding host attribute'

          SUP top

          AUXILIARY

          MAY host )

objectclass ( 1.3.6.1.4.1.5322.17.1.3 NAME 'loginStatusObject'

          DESC 'Auxiliary object class for login status attribute'

          SUP top

          AUXILIARY

          MAY loginStatus )

_EOF_

/etc/openldap/slapd.conf

include     /etc/openldap/schema/ldapns.schema

modulepath /usr/lib64/openldap

moduleload dynlist.la

overlay dynlist

dynlist-attrset inetOrgPerson labeledURI


rm -rf /etc/openldap/slapd.d/*

slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d

chown -R ldap:ldap /etc/openldap/slapd.d

systemctl restart slapd

定义主机列表组

cat << _EOF_ | ldapadd -x -W -H ldaps:/// -D cn=Manager,dc=suntv,dc=tv

dn: ou=servers,dc=suntv,dc=tv

objectClass: organizationalUnit

ou: servers

dn: ou=ophost,ou=servers,dc=suntv,dc=tv

objectClass: organizationalUnit

objectClass: hostObject

ou: ophost

host: client-1-21

host: client-1-22

dn: ou=devhost,ou=servers,dc=suntv,dc=tv

objectClass: organizationalUnit

objectClass: hostObject

ou: devhost

host: client-1-31

host: client-1-32

_EOF_

定义用户组

cat << _EOF_ | ldapadd -x -W -H ldaps:/// -D cn=Manager,dc=suntv,dc=tv

dn: ou=people,dc=suntv,dc=tv

objectClass: organizationalUnit

ou: people

dn: ou=group,dc=suntv,dc=tv

objectClass: organizationalUnit

ou: group

dn: cn=opteam,ou=group,dc=suntv,dc=tv

objectClass: posixGroup

cn: opteam

gidNumber: 2001

dn: cn=devteam,ou=group,dc=suntv,dc=tv

objectClass: posixGroup

cn: devteam

gidNumber: 2002

_EOF_

定义用户

cat << _EOF_ | ldapadd -x -W -H ldaps:/// -D cn=Manager,dc=suntv,dc=tv

dn: uid=op01,ou=people,dc=suntv,dc=tv

objectClass: posixAccount

objectClass: shadowAccount

objectClass: person

objectClass: inetOrgPerson

objectClass: hostObject

cn: op01

sn: op01

uid: op01

userPassword: 123456

uidNumber: 1001

gidNumber: 2001

gecos: opteam

homeDirectory: /home/op01

loginShell: /bin/bash

shadowLastChange: 15000

shadowMin: 0

shadowMax: 999999

shadowWarning: 7

shadowExpire: -1

mobile: 13900001001

mail: op01@abc.com

labeledURI: ldap:///ou=ophost,ou=servers,dc=suntv,dc=tv?host

_EOF_


cat << _EOF_ | ldapadd -x -W -H ldaps:/// -D cn=Manager,dc=suntv,dc=tv

dn: uid=dev01,ou=people,dc=suntv,dc=tv

objectClass: posixAccount

objectClass: shadowAccount

objectClass: person

objectClass: inetOrgPerson

objectClass: hostObject

cn: dev01

sn: dev01

uid: dev01

userPassword: 123456

uidNumber: 1002

gidNumber: 2002

gecos: opteam

homeDirectory: /home/dev01

loginShell: /bin/bash

shadowLastChange: 15000

shadowMin: 0

shadowMax: 999999

shadowWarning: 7

shadowExpire: -1

mobile: 13900001002

mail: dev01@abc.com

labeledURI: ldap:///ou=devhost,ou=servers,dc=suntv,dc=tv?host

_EOF_

已经测试成功。但是nss-pam-ldap仅centos 6.x可用。

host属性需要获取登录主机hostname的fdqn,要不用dns,要不在/etc/hosts里指定。

客户端

cat pam_ldap.conf

pam_check_host_attr yes

openldap主机访问控制(基于hostname)的更多相关文章

  1. openldap主机访问控制(基于ip)

    http://blog.oddbit.com/2013/07/22/generating-a-membero/ http://gsr-linux.blogspot.jp/2011/01/howto-o ...

  2. openldap主机访问控制(基于用户组)

    建立组织单元 cat << _EOF_ | ldapadd -x -W -H ldaps://master.local -D cn=manager,dc=suntv,dc=tv dn: o ...

  3. 修改主机名(/etc/hostname和/etc/hosts区别)

    ubuntu永久修改主机名 1.查看主机名 在Ubuntu系统中,快速查看主机名有多种方法:其一,打开一个GNOME终端窗口,在命令提示符中可以看到主机名,主机名通常位于“@”符号后:其二,在终端窗口 ...

  4. archlinux+UEFI模式在linux主机下基于KVM-QEMU命令行虚拟机安装笔记

    ArchLinux十分精简,并且具有强大的滚动更新.最近在基于ubuntu的宿主机下通过KVM-QEMU虚拟机安装了archlinux,将过程记录下来以供参考. 1.下载启动盘 1.1.下载archl ...

  5. Redhat Linux 修改主机名(HOSTNAME)

    hostname #查看当前主机的主机名hostname NEWHOSTNAME #临时修改当前主机名 修改主机名vi /etc/sysconfig/network #通过配置文件修改主机名NETWO ...

  6. linux修改主机名(hostname)转载

    Linux修改主机名的方法 用hostname命令可以临时修改机器名,但机器重新启动之后就会恢复原来的值. #hostname   //查看机器名#hostname -i  //查看本机器名对应的ip ...

  7. [Linux] 修改主机名(hostname)

    在Linux命令行下输入hostname,查看当前主机名,如果想修改它,直接在hostname后面加上新主机名即可(注:以下操作都需要root用户执行),如: # hostname newhostna ...

  8. linux apache虚拟主机配置(基于ip,端口,域名)

    配置环境: linux版本:Centos6.4 httpd版本: [root@centos64Study init.d]# pwd/etc/init.d[root@centos64Study init ...

  9. linux hostname 命令 显示当前主机域名 /etc/hostname

    hostname显示当前主机域名, 我们可以使用 hostname 命令来修改主机名,但这种修改方式只有当前有效,等服务器重启后hostname就会失效,回到原来的hostname. [root@my ...

随机推荐

  1. css3 弹框提示样式

    .common-dialog-box{ opacity: 0; filter: alpha(opacity=0); position: fixed; top: 0%; left: 50%; z-ind ...

  2. Java/javaEE/web/jsp/网站编程环境配置及其软件下载和网站路径

    Java/javaEE/web/jsp/网站编程环境配置及其软件下载和网站路径 (2015/07/08更新) JDK下载地址(JDK官网下载地址) 下载地址为:http://www.oracle.co ...

  3. boundingRectWithSize

    CGSize labsize1=[label1.text boundingRectWithSize:CGSizeMake(SCREEN_WIDTH-80, MAXFLOAT) options:NSSt ...

  4. [SQL Basics] Indexes

    An index is used to speed up searching in the database. By default, when you create this table, your ...

  5. UVALive 7338 (树链剖分+线段树)

    Problem Toll Management IV 题目大意 给一张n个点m条边的无向图,有边权.数据保证前n-1条边构成了一棵最小生成树. 要求对于每条边求出其边权上下最多浮动范围,使得最小生成树 ...

  6. activity 和 生命周期: 消息通信

    实际上关于activity大概流程已经了解了,在深入的话方向应该是ams的处理操作和界面创建和view绘制.这些话题之后再谈,activity是一个gui程序,其中离不开的就是消息通讯,也就是在消息循 ...

  7. Merge Intervals

    Given a collection of intervals, merge all overlapping intervals. For example,Given [1,3],[2,6],[8,1 ...

  8. iOS红马甲项目Bug总结(3)

    这里是一些小总结 1.使用图片缓存之后,新添加的图像一直不能显示 2.项目打包通过appliction loader上传成功了,可是itunes 上面的构建版本项,一直没显示出来 3.界面加载之后,t ...

  9. Oracle学习系列4

    Oracle学习系列4 ************************************************************************************ 数据库 ...

  10. JavaBean用JSP调用和使用JSP动作标签的区别

    javabean的类可以用jsp动作标签实例化并使用. <!-- 下面这句是对Javabean类person的引用,引用的实例是p2 --> <jsp:useBean id=&quo ...