Show Posts



Posts - lizeng

1
dn: uid=dong.yan,ou=Users,dc=baidu,dc=com
uid: dong.yan
cn: dong.yan
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: account
shadowLastChange: 15140
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 989
gidNumber: 999
homeDirectory: /home/dong.yan
userPassword:: e1NTSEF9ZENUb1kyVFNsN3lHbEFjRStnVklneTZTQlBPb004MDI=
host: 10.130.130.218
host: 10.130.130.222
Yet dong.yan can still log in to 10.130.130.216.

Also, I found that the sudoRole and account objectClasses cannot coexist in one entry, which means I cannot control both a user's sudo rights and which IPs the user may log in to at the same time. What do you experts think?
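The login on 10.130.130.216 described in the post is what the client-side defaults produce: the `host` attribute is only data until a PAM/NSS client is told to enforce it. The following is an added example, not code from the post, from pam_ldap or from sssd; it models the decision those clients make. The `uid`/`host` values are the ones posted, the other entries and hostnames are constructed, and the `!name` deny form follows sssd's documented syntax.

```python
"""Added example (not from the forum post): how pam_ldap (pam_check_host_attr)
and sssd (ldap_access_order = host) evaluate a user's multi-valued `host`
attribute, and why the default configuration never consults it at all."""

# uid/host values copied from the posted entry; everything else dropped.
DONG_YAN = {"uid": ["dong.yan"], "host": ["10.130.130.218", "10.130.130.222"]}
# Constructed entries for comparison.
OPS_ANYWHERE = {"uid": ["ops"], "host": ["*", "!bastion"]}
NO_HOST_ATTR = {"uid": ["guest"]}


def host_allowed(entry, local_hostname, check_host_attr=True):
    """Decide whether `entry` may log in on the machine whose gethostname()
    returns `local_hostname`.

    check_host_attr=False reproduces pam_ldap's default (pam_check_host_attr no):
    the attribute is never read and every host is allowed.  With the check on:
      '!name'  denies that host (sssd syntax, evaluated first),
      '*'      allows every host,
      other    allows when the value equals the local hostname (case-insensitive
               string comparison: no DNS lookup, no IP matching),
      and no matching value, or no host attribute at all, denies.
    """
    if not check_host_attr:
        return True
    values = entry.get("host", [])
    wanted = local_hostname.lower()
    if any(v.startswith("!") and v[1:].lower() == wanted for v in values):
        return False
    return any(v == "*" or v.lower() == wanted for v in values)


def access_matrix(entry, hostnames, check_host_attr=True):
    """{hostname: decision} for a quick audit of one entry across a fleet."""
    return {h: host_allowed(entry, h, check_host_attr) for h in hostnames}


if __name__ == "__main__":
    fleet = ["10.130.130.216", "10.130.130.218", "web-01"]
    print("pam_check_host_attr no :", access_matrix(DONG_YAN, fleet, False))
    print("pam_check_host_attr yes:", access_matrix(DONG_YAN, fleet, True))
```

Two things follow for the setup in the post. First, pam_ldap ships with `pam_check_host_attr no`, so `host:` values are inert until `/etc/ldap.conf` sets `pam_check_host_attr yes` and `pam_ldap.so` is actually in the service's PAM stack; with sssd the equivalent is `access_provider = ldap` plus `ldap_access_order = host` in `sssd.conf`. Second, the comparison is against the local hostname string, so values like `10.130.130.218` only ever match a box whose `hostname` prints that address; store hostnames (or `*`) instead.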

2
Now another problem has come up: when I log in to a server via LDAP and run sudo su -, I get
sudo: pam_authenticate: Module is unknown
and I don't know what is causing it. Has anyone run into this and solved it?
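"Module is unknown" is the `pam_strerror()` text for PAM_MODULE_UNKNOWN, and in practice it almost always points at a module file named in the service's stack that libpam could not load (syslog usually shows `PAM unable to dlopen(...)` and `PAM adding faulty module` next to it). The quickest way to find the culprit is to resolve `/etc/pam.d/sudo` the way libpam does, following `include`/`substack`, and compare every module in the `auth` stack with what is installed. The following is an added example, not from the post or from Linux-PAM: the `/etc/pam.d` contents and the module listing are constructed (modelled on a RHEL 6 layout, with `pam_ldap.so` deliberately missing); `load_pamd()` and `installed_modules()` read the real files on a host.

```python
"""Added example (not from the forum post): walk /etc/pam.d/<service>, following
include/substack, and list the modules in a stack that are not installed."""
import os
import re

# Constructed /etc/pam.d files modelled on a RHEL 6 layout (real ones come
# from load_pamd()).  pam_ldap.so is referenced by the auth and account stacks.
PAMD = {
    "sudo": """\
#%PAM-1.0
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so revoke
session    required     pam_limits.so
""",
    "system-auth": """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so
-session    optional      pam_systemd.so
""",
}
# Constructed listing of /lib64/security with pam_ldap.so deliberately absent.
INSTALLED = {"pam_env.so", "pam_unix.so", "pam_succeed_if.so", "pam_deny.so",
             "pam_localuser.so", "pam_permit.so", "pam_keyinit.so", "pam_limits.so"}

RULE = re.compile(r"(-?)(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")

def parse_rules(text):
    """Yield (type, control, module, optional) per rule; bracketed controls such as
    '[default=bad success=ok]' and the '-' prefix (silence a missing module) handled."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("@include"):            # Debian-style whole-file include
            yield "@include", line.split()[1], None, False
            continue
        m = RULE.match(line)
        if m:
            optional, mtype, control, module, _args = m.groups()
            yield mtype.lower(), control, module, optional == "-"

def modules_for(service, mtype, files, _stack=()):
    """[(file, module)] that libpam would load for this service and type."""
    if service in _stack or service not in files:     # cycle or missing file
        return []
    stack = _stack + (service,)
    found = []
    for t, control, module, optional in parse_rules(files[service]):
        if t == "@include":
            found += modules_for(control, mtype, files, stack)
        elif t == mtype and control in ("include", "substack"):
            found += modules_for(module, mtype, files, stack)
        elif t == mtype and not optional:
            found.append((service, module))
    return found

def missing_modules(service, mtype, files, installed):
    """Modules the stack names that are not on disk: the 'PAM unable to dlopen'
    / 'Module is unknown' candidates."""
    return sorted({m for _, m in modules_for(service, mtype, files) if m not in installed})

def load_pamd(directory="/etc/pam.d"):
    """Read the real configuration files into the dict shape PAMD uses."""
    files = {}
    for name in os.listdir(directory):
        with open(os.path.join(directory, name), encoding="utf-8", errors="replace") as fh:
            files[name] = fh.read()
    return files

def installed_modules(libdir="/lib64/security"):
    """Names of the PAM modules present on this host (adjust libdir per distro)."""
    return set(os.listdir(libdir))

if __name__ == "__main__":
    for mtype in ("auth", "account", "session"):
        print(mtype, "missing:", missing_modules("sudo", mtype, PAMD, INSTALLED))
```

On a real host, `missing_modules("sudo", "auth", load_pamd(), installed_modules())` names the file to install (or the wrong path/architecture to fix); `grep 'faulty module' /var/log/secure` should point at the same module.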

3
LDAP board / Re: LDAP user import problem
« on: 2013-09-22 19:36 »
After a lot of analysis I finally found the problem: editing /etc/openldap/slapd.conf directly does not take effect. You have to delete the contents of /etc/openldap/slapd.d/ and then run
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
chown -R ldap:ldap /etc/openldap/slapd.d
then restart slapd; only then does the
include /usr/local/etc/openldap/schema/sudo.schema
line I added take effect.

4
LDAP board / LDAP user import problem
« on: 2013-09-22 14:30 »
Hi:
    I've recently been setting up ldap+sudo and have run into a problem: importing the sudo data gives errors. First, here is my sudo.ldif
dn: ou=SUDOers,dc=hxc,dc=com
objectClass: top
objectClass: organizationalUnit
objectClass: sudoRole
description: SUDO Configuration Subtree
ou: SUDOers

dn: cn=defaults,dc=hxc,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: requiretty
sudoOption: !visiblepw
sudoOption: env_reset

dn: cn=tang,dc=hxc,dc=com
objectClass: top
objectClass: sudoRole
cn: tang
sudoUser: tang
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOption: !authenticate

Running ldapadd -v -c -x -D "cn=root,dc=hxc,dc=com" -w secret -f sudoer.ldif

ldap_initialize( <DEFAULT> )
add objectClass:
        top
        organizationalUnit
        sudoRole
add description:
        SUDO Configuration Subtree
add ou:
        SUDOers
adding new entry "ou=SUDOers,dc=hxc,dc=com"
ldap_add: Invalid syntax (21)
        additional info: objectClass: value #2 invalid per syntax

add objectClass:
        top
        sudoRole
add cn:
        defaults
add description:
        Default sudoOption's go here
add sudoOption:
        requiretty
        !visiblepw
        env_reset
adding new entry "cn=defaults,dc=hxc,dc=com"
ldap_add: Invalid syntax (21)
        additional info: objectClass: value #1 invalid per syntax

add objectClass:
        top
        sudoRole
add cn:
        tang
add sudoUser:
        tang
add sudoHost:
        ALL
add sudoRunAsUser:
        ALL
add sudoCommand:
        ALL
add sudoOption:
        !authenticate
adding new entry "cn=tang,dc=hxc,dc=com"
ldap_add: Invalid syntax (21)
        additional info: objectClass: value #1 invalid per syntax

It seems to be saying my sudoRole objectClass is invalid, but slapd.conf already includes sudo.schema

[root@ftp-1-253 openldap]# vi slapd.conf

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#

include         /etc/openldap/schema/corba.schema
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/duaconf.schema
include         /etc/openldap/schema/dyngroup.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/java.schema
include         /etc/openldap/schema/misc.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/openldap.schema
include         /etc/openldap/schema/ppolicy.schema
include         /etc/openldap/schema/collective.schema
include         /etc/openldap/schema/sudo.schema

Now look at sudo.schema
[root@ftp-1-253 openldap]# cat /etc/openldap/schema/sudo.schema
#
# OpenLDAP schema file for Sudo
# Save as /etc/openldap/schema/sudo.schema
#

attributetype ( 1.3.6.1.4.1.15953.9.1.1
    NAME 'sudoUser'
    DESC 'User(s) who may  run sudo'
    EQUALITY caseExactIA5Match
    SUBSTR caseExactIA5SubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.2
    NAME 'sudoHost'
    DESC 'Host(s) who may run sudo'
    EQUALITY caseExactIA5Match
    SUBSTR caseExactIA5SubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.3
    NAME 'sudoCommand'
    DESC 'Command(s) to be executed by sudo'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.4
    NAME 'sudoRunAs'
    DESC 'User(s) impersonated by sudo (deprecated)'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.5
    NAME 'sudoOption'
    DESC 'Options(s) followed by sudo'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.6
    NAME 'sudoRunAsUser'
    DESC 'User(s) impersonated by sudo'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.7
    NAME 'sudoRunAsGroup'
    DESC 'Group(s) impersonated by sudo'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
    DESC 'Sudoer Entries'
    MUST ( cn )
    MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $
            description )
    )



Could everyone please help me work out what the problem is?
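The `Invalid syntax (21)` lines above are slapd saying that an `objectClass` value does not name any class in the schema it has loaded; slapd numbers values from 0, so `value #2` in the first entry and `value #1` in the other two are all `sudoRole`, which is consistent with the reply dated 19:36 (sudo.schema was included in slapd.conf but never made it into slapd.d). There is a second check the import has to pass once the schema is loaded: the STRUCTURAL classes of an entry must form one superior chain, otherwise slapd answers `Object class violation (65)`. The following is an added example, not from the posts and not OpenLDAP's own schema code: it re-implements both checks over the posted sudo.schema and the posted entries, using constructed stand-ins for the core/cosine/nis classes (attribute lists trimmed; names, kinds and superiors as in the stock files), and also covers the `account` + `sudoRole` combination from the first post on this page.

```python
"""Added example (not from the forum post): validate LDIF entries against the
objectClass definitions slapd has loaded; reproduces errors 21 and 65."""
import re

# objectclass definition from the posted sudo.schema (attributetypes omitted).
SUDO_SCHEMA = """
objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
    DESC 'Sudoer Entries' MUST ( cn )
    MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
          sudoRunAsGroup $ sudoOption $ description ) )
"""
# Constructed stand-ins for the stock core/cosine/nis classes used on this page
# (attribute lists trimmed; names, kinds and superiors as in the real files).
BASE_SCHEMA = """
objectclass ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )
objectclass ( 2.5.6.5 NAME 'organizationalUnit' SUP top STRUCTURAL MUST ou )
objectclass ( 0.9.2342.19200300.100.4.5 NAME 'account' SUP top STRUCTURAL MUST userid MAY host )
objectclass ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' SUP top AUXILIARY MUST ( cn $ uid ) )
"""
# The three entries of the posted sudoer.ldif, trimmed to what matters here.
SUDO_LDIF = """
dn: ou=SUDOers,dc=hxc,dc=com
objectClass: top
objectClass: organizationalUnit
objectClass: sudoRole
ou: SUDOers

dn: cn=defaults,dc=hxc,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults

dn: cn=tang,dc=hxc,dc=com
objectClass: top
objectClass: sudoRole
cn: tang
"""

OC_START = re.compile(r"^\s*objectclass\s*\(", re.IGNORECASE | re.MULTILINE)

def parse_objectclasses(schema_text):
    """Return {name_lower: (kind, superior_lower)} for every objectclass."""
    classes = {}
    for m in OC_START.finditer(schema_text):
        start = m.end() - 1                   # index of the opening '('
        depth, i = 1, start + 1
        while depth:                          # MUST/MAY lists nest parentheses
            depth += {"(": 1, ")": -1}.get(schema_text[i], 0)
            i += 1
        body = schema_text[start:i]
        name = re.search(r"NAME\s+'([^']+)'", body).group(1).lower()
        kind = re.search(r"\b(STRUCTURAL|AUXILIARY|ABSTRACT)\b", body)
        sup = re.search(r"\bSUP\s+\(?\s*(\w+)", body)
        classes[name] = (kind.group(1) if kind else "STRUCTURAL",  # slapd default
                         sup.group(1).lower() if sup else None)
    return classes

def parse_ldif(text):
    """Minimal LDIF reader: [{attr_lower: [values]}] per entry, dn included
    (no '::' base64 or folded-line support)."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def superior_chain(name, classes):
    chain = []                                # [name, its SUP, that one's SUP, ...]
    while name in classes and name not in chain:
        chain.append(name)
        name = classes[name][1]
    return chain

def check_entry(entry, classes):
    """Problems slapd would raise for one entry, in the order it raises them."""
    values = entry.get("objectclass", [])
    unknown = [f"objectClass: value #{i} invalid per syntax ({v}) [error 21]"
               for i, v in enumerate(values) if v.lower() not in classes]
    if unknown:            # syntax checking fails before the structural check runs
        return unknown
    structural = [v for v in values if classes[v.lower()][0] == "STRUCTURAL"]
    if not structural:
        return ["no structural object class provided [error 65]"]
    for cand in structural:  # valid only if one class has all the others as ancestors
        chain = superior_chain(cand.lower(), classes)
        if all(s.lower() in chain for s in structural):
            return []
    return ["invalid structural object class chain (%s) [error 65]" % "/".join(structural)]

def check_ldif(ldif_text, *schema_texts):
    """[(dn, problems)] per entry, against the union of the given schema texts."""
    classes = {}
    for text in schema_texts:
        classes.update(parse_objectclasses(text))
    return [(e["dn"][0], check_entry(e, classes)) for e in parse_ldif(ldif_text)]
```

`check_ldif(SUDO_LDIF, BASE_SCHEMA)` reproduces the three error-21 results with exactly the value numbers shown in the ldapadd output; `check_ldif(SUDO_LDIF, BASE_SCHEMA, SUDO_SCHEMA)` clears `cn=defaults` and `cn=tang` but still rejects `ou=SUDOers`, because `organizationalUnit` and `sudoRole` are both STRUCTURAL with `SUP top`. The usual layout is a plain `organizationalUnit` for `ou=SUDOers` with the `sudoRole` entries beneath it (`cn=defaults,ou=SUDOers,dc=hxc,dc=com`), which is also the subtree a client's `sudoers_base` points at. The same rule is behind the observation in the first post that `sudoRole` and `account` cannot share an entry: give the user a separate `sudoRole` entry whose `sudoUser` names the uid instead of mixing the classes.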