1. Basic environment
Jumpserver:
Master1 192.168.20.128 MySQL master FQDN: Master1.jumpserver.org CentOS 6.5 x86
Master2 192.168.20.129 MySQL slave FQDN: Master2.jumpserver.org CentOS 6.5 x86
Note: the Master1 and Master2 setup is described at http://bbs.jumpserver.org/read/111.html
Client:
FreeBSD: 192.168.20.133 client pointing at both masters FQDN: FreeBSD.jumpserver.org FreeBSD-10.1-RELEASE-amd64
2. Change the default shell on FreeBSD to bash
2.1 Check whether bash is already installed
[iyunv@freebsd ~]# cat /etc/shells
# $FreeBSD: releng/10.1/etc/shells 59717 2000-04-27 21:58:46Z ache $
#
# List of acceptable shells for chpass(1).
# Ftpd will not allow users to connect who are not using
# one of these shells.
/bin/sh
/bin/csh
/bin/tcsh
/usr/local/bin/rbash
Note: /usr/local/bin/bash is not listed, so bash is not installed and you need to install it; start from 2.2-2.3.
If it is listed, run echo $SHELL and check whether it prints /usr/local/bin/bash.
If it does, run ln -s /usr/local/bin/bash /bin/bash and skip 2.2-2.3.
If it does not, start from 2.3.
2.2 Install bash
cd /usr/ports/shells/bash
make install clean
2.3 Use bash
After installation, run:
chsh -s /usr/local/bin/bash
Log out:
exit
Log in again and run:
echo $SHELL
/usr/local/bin/bash // the shell was changed successfully
Create the symlink:
ln -s /usr/local/bin/bash /bin/bash
3. Installation
3.1 Install the required packages
cd /usr/ports/net/nss_ldap
make install clean
cd /usr/ports/security/pam_ldap
make install clean
cd /usr/ports/security/pam_mkhomedir
make install clean
cd /usr/ports/security/sudo/
make install clean
After installation, run:
ln -s /usr/local/bin/sudo /bin/sudo
ln -s /usr/bin/su /bin/su
4. Copy the server certificate to the client with scp:
mkdir -p /etc/openldap/cacerts/
cd /etc/openldap/cacerts/
scp 192.168.20.128:/etc/openldap/cacerts/cacert.pem /etc/openldap/cacerts/cacert.pem
Note: if the OpenLDAP on your Jumpserver does not use SSL/TLS to encrypt its traffic, i.e. it listens on port 389, skip this step.
5. Edit the configuration files
[iyunv@FreeBSD ~]# cat /usr/local/etc/openldap/ldap.conf | grep -v ^# | grep -v ^$
TLS_REQCERT allow
TLS_CACERT /etc/openldap/cacerts/cacert.pem
TLS_CACERTDIR /etc/openldap/cacerts
URI ldaps://Master1.jumpserver.org/ ldaps://Master2.jumpserver.org/
BASE dc=jumpserver,dc=org
[iyunv@FreeBSD ~]# cp /usr/local/etc/ldap.conf.dist /usr/local/etc/ldap.conf
[iyunv@FreeBSD ~]# cat /usr/local/etc/ldap.conf | grep -v ^# | grep -v ^$
base dc=jumpserver,dc=org
uri ldaps://Master1.jumpserver.org/ ldaps://Master2.jumpserver.org/
ssl on
tls_cacertdir /etc/openldap/cacerts
pam_password md5
Sudoers_base ou=Sudoers,dc=jumpserver,dc=org
[iyunv@FreeBSD ~]# cat /usr/local/etc/nss_ldap.conf | grep -v ^# | grep -v ^$
uri ldaps://Master1.jumpserver.org/ ldaps://Master2.jumpserver.org/
BASE dc=jumpserver,dc=org
Sudoers_base ou=Sudoers,dc=jumpserver,dc=org
Notes: 1) If your Jumpserver communicates on port 389, change every uri ldaps://xxx to uri ldap://xxxx, i.e. drop the s.
2) The sudo version on the client determines where sudo looks for its ldap configuration file. Check it with sudo -V | grep ldap; the last line printed,
ldap.conf path: /usr/local/etc/nss_ldap.conf
tells you which file the sudo setting (Sudoers_base ou=Sudoers,dc=jumpserver,dc=org) has to be configured in.
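Added example (not code from the original post): a small Python linter for the "KEY value" syntax shared by the ldap.conf and nss_ldap.conf files above. It parses the settings and flags the two points a reviewer would check in this configuration: plaintext ldap:// URIs (the port-389 variant from note 1) and TLS_REQCERT allow, which accepts a bad or missing server certificate so the ldaps:// URIs give encryption without server authentication. The sample input is the page's own /usr/local/etc/openldap/ldap.conf, embedded inline.

```python
import re

# Constructed sample: the /usr/local/etc/openldap/ldap.conf shown in this post.
SAMPLE_LDAP_CONF = """\
TLS_REQCERT allow
TLS_CACERT /etc/openldap/cacerts/cacert.pem
TLS_CACERTDIR /etc/openldap/cacerts
URI ldaps://Master1.jumpserver.org/ ldaps://Master2.jumpserver.org/
BASE dc=jumpserver,dc=org
"""


def parse_ldap_conf(text):
    """Parse 'KEY value' lines as used by ldap.conf and nss_ldap.conf.
    Keys are matched case-insensitively (the post mixes URI and uri), comment and
    blank lines are skipped, and a repeated key keeps its last value."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def lint_ldap_conf(conf):
    """Return a list of findings; an empty list means nothing to flag."""
    findings = []
    uris = conf.get("uri", "").split()
    if not uris:
        findings.append("no URI configured")
    for uri in uris:
        if uri.lower().startswith("ldap://"):
            findings.append(f"{uri}: plaintext LDAP, bind passwords and NSS lookups are not encrypted")
    # OpenLDAP's default when TLS_REQCERT is absent is demand (verify the certificate).
    reqcert = conf.get("tls_reqcert", "demand").lower()
    uses_tls = any(u.lower().startswith("ldaps://") for u in uris)
    if uses_tls and reqcert in ("never", "allow"):
        findings.append(f"TLS_REQCERT {reqcert}: a bad or missing server certificate is accepted, "
                        "so a spoofed LDAP server is not detected")
    if uses_tls and reqcert != "never" and not (conf.get("tls_cacert") or conf.get("tls_cacertdir")):
        findings.append("no TLS_CACERT/TLS_CACERTDIR: the server certificate cannot be validated")
    return findings


def harden(text):
    """Rewrite TLS_REQCERT to demand, the value that actually verifies the server certificate."""
    return re.sub(r"(?im)^TLS_REQCERT\s+\S+", "TLS_REQCERT demand", text)


if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE_LDAP_CONF), ("hardened", harden(SAMPLE_LDAP_CONF))):
        print(label, lint_ldap_conf(parse_ldap_conf(text)) or ["ok"])
```

The same parser reads /usr/local/etc/ldap.conf and /usr/local/etc/nss_ldap.conf from section 5 unchanged, since both use the same key/value layout.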
[iyunv@FreeBSD ~]# cat /etc/nsswitch.conf | grep -v ^# | grep -v ^$
passwd: files ldap
group: files ldap
shadow: files ldap
hosts: files dns
networks: files
protocols: files
services: files
ethers: files
rpc: files
shells: files
netgroup: nis
sudoers: files ldap
[iyunv@FreeBSD ~]# cat /etc/pam.d/system | grep -v ^# | grep -v ^$
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth required pam_unix.so no_warn try_first_pass nullok
auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure use_first_pass
After these auth lines are appended, login prompts for an LDAP Password; if you do not want the LDAP Password prompt, do not append them.
account required pam_login_access.so
account required pam_unix.so
account sufficient pam_ldap.so
session required pam_lastlog.so no_fail
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
session optional pam_ldap.so
password required pam_unix.so no_warn try_first_pass
password sufficient pam_ldap.so
Note: the lines shown in red are the appended ones.
# Set nscd_enable to YES
[iyunv@FreeBSD ~]# cat /etc/rc.conf | grep -v ^# | grep -v ^$
hostname="FreeBSD.jumpserver.org"
ifconfig_em0="DHCP"
sshd_enable="YES"
nscd_enable="YES"
dumpdev="AUTO"
# Restart the service so the configuration takes effect
[iyunv@FreeBSD ~]# service nscd restart
Stopping nscd.
Starting nscd.
6. Testing
6.1 Test whether LDAP authentication is in effect
[iyunv@FreeBSD ~]# getent passwd xiaowang
xiaowang:$6$RnWDfg$Epd1.6QFBYhGHTcDRF3RTDC92DrxdqWY2pfIy2C9lY1jJbLrMjZwJswQUiY95F9RovIpakW/R6.eTWYGjXNCQ0:5034:5034:xiaowang:/home/xiaowang:/bin/bash
[iyunv@FreeBSD ~]# id xiaowang
uid=5034(xiaowang) gid=5034(xiaowang) groups=5034(xiaowang)
6.2 Test a user logging in to the jump server and then on to the backend client