OpenLDAP--按用户组限制登录
把之前欠的记录还上。 在14年的时候,写了几篇博客记录了OpenLDAP安装使用的过程,后来也有人问我,按照这样的安装方法,那所有人都可以登录所有服务器,这怎么行呢。当然是不行的,今天就简单的说明下如何补上这个窟窿。
我们采用的方法是,通过配置系统对OpenLDAP的查询进行过滤,就可以限定只允许某些用户或用户组登陆,其他用户在这个系统中相当于不存在。CentOS5和CentOS6的过滤方法略有不同,CentOS7与CentOS6基本一样。直接贴脚本吧,仅供参考。
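#######################################
# Look up the gidNumber of an LDAP group by its cn.
# Arguments: $1 - group name (the cn under ou=group,dc=opjasee,dc=com)
# Outputs:   the gidNumber on stdout; nothing if the group is not found
# Returns:   status of the ldapsearch pipeline, or 1 when the name is
#            rejected before any query is made
#######################################
get_gid() {
  local group="$1"
  # The name is spliced into the search base DN, so only accept the
  # portable POSIX group-name characters; anything else (',', '=', '\',
  # spaces, ...) could rewrite the DN and is refused outright.
  [[ "$group" =~ ^[A-Za-z0-9._-]+$ ]] || return 1
  ldapsearch -x gidNumber -b "cn=${group},ou=group,dc=opjasee,dc=com" 2>/dev/null \
    | grep '^gidNumber' \
    | awk '{print $2}'
}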
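#######################################
# Restrict logins on CentOS 5 (nss_ldap) to the given groups by appending
# an nss_base_passwd line carrying a gidNumber filter to /etc/ldap.conf.
# Lines produced look like:
#   nss_base_passwd dc=opjasee,dc=com?sub?gidNumber=1000
#   nss_base_passwd dc=opjasee,dc=com?sub?|(gidNumber=1000)(gidNumber=1003)
# Globals:   uses the red/green output helpers and get_gid defined
#            elsewhere in this script
# Arguments: $1 - comma-separated list of group names
# Outputs:   the generated config line on stdout
# Returns:   exits 3 on an empty list, an unknown group or a failed backup
#######################################
filter_on_centos5() {
  local groups="$1"
  local -a names=()
  local -a gids=()
  local name gid filter

  # An empty list would otherwise produce the broken filter "...?sub?|".
  [[ -n "$groups" ]] || { red "No group given"; exit 3; }

  # Back up first and refuse to touch the config if the copy fails.
  cp /etc/ldap.conf backup/filter/ \
    || { red "Can't back up /etc/ldap.conf to backup/filter/"; exit 3; }

  green "***** Getting filter *****"
  IFS=',' read -r -a names <<<"$groups"
  for name in "${names[@]}"; do
    gid=$(get_gid "$name")
    [[ -n "$gid" ]] || { red "Can't find group $name"; exit 3; }
    gids+=("$gid")
  done

  # One group is a bare equality; several are OR-ed behind a '|' prefix.
  if (( ${#gids[@]} == 1 )); then
    filter="gidNumber=${gids[0]}"
  else
    filter="|"
    for gid in "${gids[@]}"; do
      filter+="(gidNumber=${gid})"
    done
  fi
  filter="nss_base_passwd dc=opjasee,dc=com?sub?${filter}"
  printf '%s\n' "$filter"

  green "***** Config ldap.conf *****"
  # Re-running the script must not stack duplicate lines in the config.
  if ! grep -qxF -- "$filter" /etc/ldap.conf; then
    printf '%s\n' "$filter" >> /etc/ldap.conf
  fi
}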
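#######################################
# Restrict logins on CentOS 6/7 (nslcd) to the given groups by appending
# a "filter passwd" line with a gidNumber filter to /etc/nslcd.conf and
# restarting nslcd.
# Lines produced look like:
#   filter passwd (gidNumber=1000)
#   filter passwd (|(gidNumber=1000)(gidNumber=1003))
# Globals:   uses the red/green output helpers and get_gid defined
#            elsewhere in this script
# Arguments: $1 - comma-separated list of group names
# Outputs:   the generated config line on stdout
# Returns:   exits 3 on an empty list, an unknown group or a failed backup;
#            otherwise the status of "service nslcd restart"
#######################################
filter_on_centos6() {
  local groups="$1"
  local -a names=()
  local -a gids=()
  local name gid filter

  # An empty list would otherwise produce the broken filter "(|)".
  [[ -n "$groups" ]] || { red "No group given"; exit 3; }

  # Back up first and refuse to touch the config if the copy fails.
  cp /etc/nslcd.conf backup/filter \
    || { red "Can't back up /etc/nslcd.conf to backup/filter"; exit 3; }

  green "***** Getting filter *****"
  IFS=',' read -r -a names <<<"$groups"
  for name in "${names[@]}"; do
    gid=$(get_gid "$name")
    [[ -n "$gid" ]] || { red "Can't find group $name"; exit 3; }
    gids+=("$gid")
  done

  # One group is a single equality; several are wrapped in an LDAP OR.
  if (( ${#gids[@]} == 1 )); then
    filter="(gidNumber=${gids[0]})"
  else
    filter="(|"
    for gid in "${gids[@]}"; do
      filter+="(gidNumber=${gid})"
    done
    filter+=")"
  fi
  filter="filter passwd ${filter}"
  printf '%s\n' "$filter"

  green "***** Restart nslcd *****"
  # Re-running the script must not stack duplicate lines in the config.
  if ! grep -qxF -- "$filter" /etc/nslcd.conf; then
    printf '%s\n' "$filter" >> /etc/nslcd.conf
  fi
  service nslcd restart
}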