1.kerberos搭建简单不重复了。重点ldap和使用

2、部署与安装LDAP
使用包管理器安装openldap

yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel migrationtools krb5-server-ldap

 在客户端安装

yum -y install openldap-clients sssd authconfig nss-pam-ldapd

检查安装的版本

root:~/ # slapd -VV

@(#) $OpenLDAP: slapd 2.4.44 (Jan 29 2019 17:42:45) $

mockbuild@x86-01.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd

设置openldap管理员的密码(这里的 123456 只是演示用的弱口令,实际部署请换成强密码;不带 -s 直接运行 slappasswd 会交互式提示输入,口令就不会留在 shell 历史里)

root:slapd.d/ # slappasswd -s 123456 

{SSHA}+duStt12ZYbTUbwhpEAaVMIMQH506UIt

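修改管理员信息,并把管理员的密码写入配置文件(注意文件头写着 AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify:这里是直接手工编辑,后面 slaptest 会因此报 checksum error;更稳妥的做法是在 slapd 启动后用 ldapmodify -Y EXTERNAL -H ldapi:/// 修改 cn=config)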

cd /etc/openldap/slapd.d/cn=config

root:cn=config/ # cat olcDatabase=\{2\}hdb.ldif 

# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 a830970a
dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
#修改此处的域名
olcSuffix: dc=testlab,dc=com
#修改此处的管理员账号为root,以及域名为testlab
olcRootDN: cn=root,dc=testlab,dc=com
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
structuralObjectClass: olcHdbConfig
entryUUID: 43a7f8d8-d134-1038-8bab-2907e6126c53
creatorsName: cn=config
createTimestamp: 20190302124137Z
entryCSN: 20190302124137.438297Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20190302124137Z
#在最后加上管理员密码信息
olcRootPW: {SSHA}+duStt12ZYbTUbwhpEAaVMIMQH506UIt

 修改olcDatabase={1}monitor.ldif中的管理员信息以及域名

cd /etc/openldap/slapd.d/cn=config

root:cn=config/ # cat olcDatabase=\{1\}monitor.ldif

# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 e26d6fe9
dn: olcDatabase={1}monitor
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
#修改此处的管理员姓名和域名dc
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
al,cn=auth" read by dn.base="cn=root,dc=testlab,dc=com" read by * none
structuralObjectClass: olcDatabaseConfig
entryUUID: 43a7f0ae-d134-1038-8baa-2907e6126c53
creatorsName: cn=config
createTimestamp: 20190302124137Z
entryCSN: 20190302124137.438086Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20190302124137Z

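 验证openldap基本配置是否有问题(下面的 checksum error 是因为前面手工改过 ldif 文件,文件头里的 CRC32 校验和对不上;只要最后出现 config file testing succeeded 就说明配置可以加载)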

root:cn=config/ # slaptest -u

5c7a7cd8 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif"

5c7a7cd8 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif"

config file testing succeeded

设置服务自启以及启动slapd服务

root:cn=config/ # systemctl enable slapd

Created symlink from /etc/systemd/system/multi-user.target.wants/slapd.service to /usr/lib/systemd/system/slapd.service.

root:cn=config/ # systemctl start slapd

root:cn=config/ # systemctl status slapd

● slapd.service - OpenLDAP Server Daemon
Loaded: loaded (/usr/lib/systemd/system/slapd.service; enabled; vendor preset: disabled)
Active: active (running) since Sat 2019-03-02 20:57:48 CST; 8s ago
Docs: man:slapd
man:slapd-config
man:slapd-hdb
man:slapd-mdb

检查openldap服务进程是否开启
端口默认是389

root:cn=config/ # netstat -antup | grep 389 
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 2451/slapd
tcp6 0 0 :::389 :::* LISTEN 2451/slapd

配置openldap数据库

root:cn=config/ # cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG 

root:cn=config/ # chown ldap:ldap -R /var/lib/ldap

root:cn=config/ # chmod 700 -R /var/lib/ldap

root:cn=config/ # ls -l /var/lib/ldap/
total 324
-rwx------ 1 ldap ldap 2048 Mar 2 20:57 alock
-rwx------ 1 ldap ldap 262144 Mar 2 20:57 __db.001
-rwx------ 1 ldap ldap 32768 Mar 2 20:57 __db.002
-rwx------ 1 ldap ldap 49152 Mar 2 20:57 __db.003
-rwx------ 1 ldap ldap 845 Mar 2 20:59 DB_CONFIG
-rwx------ 1 ldap ldap 8192 Mar 2 20:57 dn2id.bdb
-rwx------ 1 ldap ldap 32768 Mar 2 20:57 id2entry.bdb
-rwx------ 1 ldap ldap 10485760 Mar 2 20:57 log.0000000001

导入openldap存储信息的格式schema

root:cn=config/ # ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif 

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"

root:cn=config/ # ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif 
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"

root:cn=config/ # ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif 

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"

修改生成ldif文件的脚本

修改这几处
root:cn=config/ # cat /usr/share/migrationtools/migrate_common.ph | egrep 'DEFAULT_MAIL_DOMAIN|DEFAULT_BASE|EXTENDED_SCHEMA' | head -3
$DEFAULT_MAIL_DOMAIN = "testlab.com";
$DEFAULT_BASE = "dc=testlab,dc=com";
$EXTENDED_SCHEMA = 1;

添加系统用户及用户组用于后期导入openldap.这一步是测试用的 具体要不要看你的需求

root:cn=config/ # groupadd ldapgroup1
root:cn=config/ # groupadd ldapgroup2
root:cn=config/ # useradd -g ldapgroup1 ldapuser1
root:cn=config/ # useradd -g ldapgroup2 ldapuser2
root:cn=config/ # echo "123456" | passwd --stdin ldapuser1
Changing password for user ldapuser1.
passwd: all authentication tokens updated successfully.
root:cn=config/ # echo "123456" | passwd --stdin ldapuser2
Changing password for user ldapuser2.
passwd: all authentication tokens updated successfully.

提取用户以及用户组属性

root:cn=config/ # grep ":10[0-9][0-9]" /etc/passwd | grep ldap > /root/users

root:cn=config/ # grep ":10[0-9][0-9]" /etc/group | grep ldap > /root/groups

生成openldap用户以及用户组属性

root:cn=config/ # /usr/share/migrationtools/migrate_passwd.pl /root/users > /root/users.ldif 

root:cn=config/ # /usr/share/migrationtools/migrate_group.pl /root/groups > /root/groups.ldif 

root:cn=config/ # cat /root/groups.ldif 

dn: uid=ldapgroup1,ou=People,dc=testlab,dc=com
uid: ldapgroup1
cn: ldapgroup1
sn: ldapgroup1
mail: ldapgroup1@testlab.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
userPassword: {crypt}x
uidNumber: 1002
gidNumber:
homeDirectory:
dn: uid=ldapgroup2,ou=People,dc=testlab,dc=com
uid: ldapgroup2
cn: ldapgroup2
sn: ldapgroup2
mail: ldapgroup2@testlab.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
userPassword: {crypt}x
uidNumber: 1003
gidNumber:
homeDirectory:

root:cn=config/ # cat /root/users.ldif [21:14:17]
dn: uid=ldapuser1,ou=People,dc=testlab,dc=com
uid: ldapuser1
cn: ldapuser1
sn: ldapuser1
mail: ldapuser1@testlab.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$6$5PAZUtNU$CY/YcSKd1ajiCUb4u3SSNz4QIn04Og0PJosV/FDVNSCuUHWC6xETWi9DxT5UrM.ac2GM.i1PpyZ6/DmJiiQVH1
shadowLastChange: 17957
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1002
gidNumber: 1002
homeDirectory: /home/ldapuser1
dn: uid=ldapuser2,ou=People,dc=testlab,dc=com
uid: ldapuser2
cn: ldapuser2
sn: ldapuser2
mail: ldapuser2@testlab.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$6$HVzIvzSv$ovEbVz16WN2G.Dyvo3nIikHcERzVLOqg4xp0VpmjKpFoP9ZfxjrjGJfr478lw2kqYzJz2p.LmqY4kk0Cghb5b0
shadowLastChange: 17957
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1003
gidNumber: 1003
homeDirectory: /home/ldapuser2

配置openldap基础的数据库

cat > /root/base.ldif << EOF

dn: dc=testlab,dc=com
o: testlab com
dc: testlab
objectClass: top
objectClass: dcObject
objectclass: organization

dn: cn=root,dc=testlab,dc=com
cn: root
objectClass: organizationalRole
description: Directory Manager

dn: ou=People,dc=testlab,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=testlab,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
EOF

 如果执行有报错的话先确认是不是什么地方有奇怪的空格

如果导入有问题再次导入报已经存在的话可以把

/var/lib/ldap

下面的文件都删掉,只留下 DB_CONFIG。这些文件就是 ldap 的数据文件,重启 slapd 后会重新生成(目录里已导入的数据会全部丢失,只适合在测试环境里推倒重来)

导入数据库结构到openldap

root:cn=config/ # ldapadd -x -w "123456" -D "cn=root,dc=testlab,dc=com" -f /root/base.ldif

-w 后面就是你在 slappasswd 那里输入的密码。把密码直接写在 -w 后面会留在 shell 历史和进程列表里,换成 -W 可以交互式输入;另外 -x 是简单绑定,走未加密的 ldap:// 时密码是明文传输的。


adding new entry "dc=testlab,dc=com"
adding new entry "cn=root,dc=testlab,dc=com"
adding new entry "ou=People,dc=testlab,dc=com"
adding new entry "ou=Group,dc=testlab,dc=com"
执行成功就像这样

导入用户和组信息数据到Openldap

root:cn=config/ # ldapadd -x -w "123456" -D "cn=root,dc=testlab,dc=com" -f /root/users.ldif 
adding new entry "uid=ldapuser1,ou=People,dc=testlab,dc=com"
adding new entry "uid=ldapuser2,ou=People,dc=testlab,dc=com"

root:cn=config/ # ldapadd -x -w "123456" -D "cn=root,dc=testlab,dc=com" -f /root/groups.ldif
adding new entry "uid=ldapgroup1,ou=People,dc=testlab,dc=com"
adding new entry "uid=ldapgroup2,ou=People,dc=testlab,dc=com"

查看数据库文件

root:cn=config/ # ls -l /var/lib/ldap

total 488

-rwx------ 1 ldap ldap 2048 Mar 2 20:57 alock
-rw------- 1 ldap ldap 8192 Mar 2 21:22 cn.bdb
-rwx------ 1 ldap ldap 262144 Mar 2 21:24 __db.001
-rwx------ 1 ldap ldap 32768 Mar 2 21:24 __db.002
-rwx------ 1 ldap ldap 93592 Mar 2 21:24 __db.003
-rwx------ 1 ldap ldap 845 Mar 2 20:59 DB_CONFIG
-rwx------ 1 ldap ldap 8192 Mar 2 20:57 dn2id.bdb
-rwx------ 1 ldap ldap 32768 Mar 2 20:57 id2entry.bdb
-rwx------ 1 ldap ldap 10485760 Mar 2 21:24 log.0000000001
-rw------- 1 ldap ldap 8192 Mar 2 21:24 mail.bdb
-rw------- 1 ldap ldap 8192 Mar 2 21:22 objectClass.bdb
-rw------- 1 ldap ldap 8192 Mar 2 21:22 ou.bdb
-rw------- 1 ldap ldap 8192 Mar 2 21:24 sn.bdb

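查看openldap信息(下面这条没有 -D/-w,是匿名查询。从上面的 olcDatabase={2}hdb.ldif 看,该库没有配置 olcAccess,这种情况下 OpenLDAP 默认允许任何人读取所有条目,包括 userPassword 里的密码哈希;正式环境应添加 ACL,例如 olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none,并在其后为其余属性另写一条规则)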
root:cn=config/ # ldapsearch -x -b "dc=testlab,dc=com" -H "ldap://127.0.0.1" 

过滤查询信息

root:cn=config/ # ldapsearch -LLL -x -D "cn=root,dc=testlab,dc=com" -w "123456" -b "dc=testlab,dc=com" "uid=ldapuser1" 

dn: uid=ldapuser1,ou=People,dc=testlab,dc=com
uid: ldapuser1
cn: ldapuser1
sn: ldapuser1
mail: ldapuser1@testlab.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JDVQQVpVdE5VJENZL1ljU0tkMWFqaUNVYjR1M1NTTno0UUluMDR
PZzBQSm9zVi9GRFZOU0N1VUhXQzZ4RVRXaTlEeFQ1VXJNLmFjMkdNLmkxUHB5WjYvRG1KaWlRVkgx
shadowLastChange: 17957
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1002
gidNumber: 1002
homeDirectory: /home/ldapuser1

root:cn=config/ # ldapsearch -LLL -x -D "cn=root,dc=testlab,dc=com" -w "123456" -b "dc=testlab,dc=com" "uid=ldapgroup1" 
dn: uid=ldapgroup1,ou=People,dc=testlab,dc=com
uid: ldapgroup1
cn: ldapgroup1
sn: ldapgroup1
mail: ldapgroup1@testlab.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
userPassword:: e2NyeXB0fXg=
uidNumber: 1002
gidNumber: 1002
homeDirectory:

开启openldap日志访问功能

cat >> /etc/rsyslog.conf << "EOF"
local4.* /var/log/slapd.log
EOF

重启rsyslog和slapd服务

systemctl restart rsyslog

systemctl restart slapd

tail -f /var/log/slapd.log

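如果要修改 openldap 默认的运行端口(除非端口冲突,一般不需要;记得把上面的初始配置注释掉而不是删掉,免得没有后悔药)。注意 ldapi:// 是本机 Unix 套接字,不带主机和端口,通常保持 ldapi:/// 不变,只改 ldap:// 的端口;ldap:// 监听 0.0.0.0 意味着所有网卡上都开放未加密的 LDAP 端口。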

vim /etc/sysconfig/slapd

SLAPD_URLS="ldapi://0.0.0.0:4567/ ldap://0.0.0.0:4567/"

查询openldap信息

ldapsearch -LLL -x -D 'cn=root,dc=testlab,dc=com' -w "123456" -H ldap://0.0.0.0:4567/ -b 'dc=testlab,dc=com' 'uid=ldapuser1'

千难万难把openldap服务给运行起来了,但这只是第一步

3、结合kerberos和CDH

注意:Cloudera文档中描述,hive的LDAP是Kerberos的替代,不能同时启用,如果同时启用将会出现以下异常:

Hue界面中无法连接Hive,错误提示:Bad status: 3 (Unsupported mechanism type GSSAPI)
beeline中使用Kerberos认证出现同上的错误
Hive同时开启Kerberos和LDAP,登录Hue时,出现如下图所示错误:

有以上情况时,将LDAP的配置移除即可解决。

Kerberos和LDAP的区别:

如果使用 Kerberos 身份验证,Thrift 客户端和 HiveServer2 以及 HiveServer2 和安全 HDFS 之间都支持身份验证
如果使用 LDAP 身份验证,仅在 Thrift 客户端和 HiveServer2 之间支持身份验证
不过在实际操作中发现是可以共存的。可能是因为版本的关系?总之6版本可以

 

基本和impala差不多 注意baseDN这里要少一个UID 

hue也要同步修改

 

为了使 Kerberos 能够绑定到 OpenLDAP 服务器,创建一个管理员用户和一个 principal,并生成 keytab 文件,设置该文件的权限为 LDAP 服务运行用户可读( LDAP 服务运行用户一般为 ldap)

kadmin.local -q "addprinc ldapadmin/master.wc.com@EXAMPLE.COM"

kadmin.local -q "addprinc -randkey ldapadmin/master.wc.com@EXAMPLE.COM"

kadmin.local -q "ktadd -k /etc/openldap/ldapmaster.keytab ldapadmin/master.wc.com@EXAMPLE.COM"

chown ldap:ldap /etc/openldap/ldapmaster.keytab 
chmod 640 /etc/openldap/ldapmaster.keytab

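这个key(principal)需要加上server节点的主机名。注意:上面两条 addprinc 创建的是同一个 principal,第二条会因为 principal 已存在而报错;而且 ktadd 默认会为该 principal 重新生成随机密钥,第一条里设置的密码随之失效。keytab 等同于该 principal 的长期密钥,权限可以进一步收紧为只有 ldap 用户可读(chmod 600)。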

ktadd 后面的-k 指定把 key 存放在一个本地文件中。

使用 ldapadmin 用户测试(kinit 后面的 principal 名要与 KDC 里实际存在的一致;上文创建的是 ldapadmin/master.wc.com@EXAMPLE.COM):

kinit ldapadmin

系统会提示输入密码,如果一切正常,那么会安静地返回。实际上,你已经通过了kerberos的身份验证,且获得了一个TGT(Ticket-Granting Ticket)。TGT的意义是,在票据有效期内,你都可以凭此TGT向KDC申请某些service(比如ldap service)的服务票据,而不需要再次输入密码通过kerberos的认证。

确保 LDAP 启动时使用上一步中创建的keytab文件

在 /etc/sysconfig/ldap 增加 KRB5_KTNAME 配置:

export KRB5_KTNAME=/etc/openldap/ldapmaster.keytab

在/etc/sysconfig/slapd  修改 KRB5_KTNAME 配置: 

打开注释

KRB5_KTNAME="FILE:/etc/openldap/ldapmaster.keytab"

 重启 slapd 服务

生成一个新用户给impala用

root:cn=config/ # cat /etc/passwd | grep  impala > /root/users

root:cn=config/ # cat /etc/group | grep hive > /root/groups


impala是hive这个用户组的

root:cn=config/ # /usr/share/migrationtools/migrate_passwd.pl /root/users > /root/users.ldif 

root:cn=config/ # /usr/share/migrationtools/migrate_group.pl /root/groups > /root/groups.ldif 
root:cn=config/ # ldapadd -x -w "123456" -D "cn=root,dc=testlab,dc=com" -f /root/users.ldif 

root:cn=config/ # ldapadd -x -w "123456" -D "cn=root,dc=testlab,dc=com" -f /root/groups.ldif

 现在你已经有了impala这个用户  设置一下密码

ldappasswd  -x -D "cn=root,dc=testlab,dc=com" -W -S "uid=impala,ou=people,dc=testlab,dc=com" 

配置一下ldap的web ui

rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm

yum install php55w.x86_64 php55w-cli.x86_64 php55w-common.x86_64 php55w-gd.x86_64 php55w-ldap.x86_64 php55w-mbstring.x86_64 php55w-mcrypt.x86_64 php55w-mysql.x86_64 php55w-pdo.x86_64 --skip-broken 

yum install -y phpldapadmin

打开  /etc/phpldapadmin/config.php 

添加cn sn
519行

 $servers->setValue('unique','attrs',array('mail','uid','uidNumber','cn','sn'));

打开/etc/httpd/conf.d/phpldapadmin.conf 

    Require local
替换为
    Require all granted
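其他不用改。注意 Require all granted 会让任何能访问这台主机的来源都能打开 phpLDAPadmin 的登录页,而登录用的是 LDAP 管理员帐号;更稳妥的做法是只放行管理网段,例如 Require ip <管理网段>(占位,按实际填写),并为 httpd 配置 HTTPS。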

启动httpd

systemctl start httpd

systemctl enable httpd

访问  ip/phpldapadmin  

用root或者别的你创建的帐号登录

登录之后检查一下impala的密码

确认一下   有毛病的话重新设置一下密码 

然后加到cdh中去

修改这四处 

ldap://master.example.com:389/
ou=people,dc=example,dc=com
-ldap_passwords_in_clear_ok

 重启impala

回到命令行进行测试

kdestroy  # 确保没有用原来的kerberos

impala-shell -i master.example.com:25003 -l -u impala --auth_creds_ok_in_clear

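可以正常登录就是成功了。注意 -ldap_passwords_in_clear_ok 和 --auth_creds_ok_in_clear 的含义是允许 LDAP 密码以明文在网络上传输,只适合测试环境;正式环境应让 Impala 与 LDAP 之间走 ldaps:// 或 StartTLS,客户端连接也启用 TLS,这样就不需要这两个参数。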
