CentOS 7 LDAP 授权 SSH 登录
1、安装软件:
# Step 1: install the LDAP client stack (openldap-clients, nss-pam-ldapd, nscd).
# NOTE(review): the names are pinned to exact el7 builds; on a host whose mirror has
# moved on these pins may no longer resolve — if so, drop the version suffix.
# yum -y install openldap-clients-2.4.40-13.el7.x86_64 nss-pam-ldapd-0.8.13-8.el7.x86_64 nscd-2.17-157.el7_3.2.x86_64
# rpcbind and nfs-utils are needed for the NFS /home mount done in step 2.
# yum -y install rpcbind.x86_64 nfs-utils.x86_64
2、挂载 /home 目录:
# Step 2: mount the shared /home over NFS.
# NOTE(review): 'start' only — no 'systemctl enable rpcbind' and no fstab entry appear
# on this page, so neither rpcbind nor the mount comes back after a reboot.
# systemctl start rpcbind
# Pins both the NFS server name and ldap.yizhibo.tv (used by nslcd.conf / ldap.conf
# below) to one address. The '>>' append is not idempotent: re-running this step
# adds a duplicate line to /etc/hosts.
# echo "10.44.215.105 yizhibo-dev-home ldap.yizhibo.tv" >> /etc/hosts
# NOTE(review): mounted with default options. For a home-directory export, consider
# 'nosuid,nodev' so setuid binaries or device nodes placed on the share cannot be
# used for local privilege escalation on this host.
# mount yizhibo-dev-home:/home /home
3、配置nscd:
[root@dev001 zhoukai]# grep -ve "^$" -ve "^#" /etc/nscd.conf
# Effective (non-blank, non-comment) nscd settings:
threads 6
max-threads 128
server-user nscd
# NOTE(review): level 5 is verbose debug logging — handy while bringing the setup
# up, but lower it once LDAP logins work; it is noisy and can log lookup details.
debug-level 5
paranoia no
# passwd and group are NOT cached by nscd here; only the hosts database is.
# Presumably so account changes in LDAP are seen without waiting for a TTL — confirm.
enable-cache passwd no
enable-cache group no
enable-cache hosts yes
positive-time-to-live hosts 5
negative-time-to-live hosts 20
suggested-size hosts 211
check-files hosts yes
persistent hosts yes
shared hosts yes
max-db-size hosts 33554432
# NOTE(review): 'start' only — add 'systemctl enable nscd' or the daemon will not
# run after a reboot.
# systemctl start nscd
4、配置nslcd:
# Directory referenced by tls_cacertdir below; nothing on this page copies a CA
# certificate into it, so as shown it is empty.
[root@dev001 zhoukai]# mkdir -p /etc/openldap/cacerts
[root@dev001 zhoukai]# grep -ve "^$" -ve "^#" /etc/nslcd.conf
uid nslcd
gid ldap
# Plain ldap:// (port 389); the host name resolves through the /etc/hosts line
# added in step 2.
uri ldap://ldap.yizhibo.tv/
base dc=cloudfocus,dc=cn
# NOTE(review): 'ssl no' together with a ldap:// URI means every directory lookup
# and every pam_ldap bind — i.e. the user's password at SSH login (step 7) —
# crosses the network unencrypted. tls_cacertdir has no effect until TLS is
# actually enabled (ssl start_tls, or a ldaps:// uri) with the server CA in place.
ssl no
tls_cacertdir /etc/openldap/cacerts
# NOTE(review): 'start' only — pair with 'systemctl enable nslcd', otherwise LDAP
# accounts cannot log in after a reboot.
# systemctl start nslcd
5、配置 ldap client:
[root@dev001 zhoukai]# grep -ve "^$" -ve "^#" /etc/openldap/ldap.conf
# Client-side defaults for the openldap tools (ldapsearch etc.). Same plaintext
# ldap:// URI as nslcd.conf; TLS_CACERTDIR is only consulted once a TLS/ldaps
# connection is used.
TLS_CACERTDIR /etc/openldap/cacerts
SASL_NOCANON on
URI ldap://ldap.yizhibo.tv/
BASE dc=cloudfocus,dc=cn
6、配置pam-ldap:
[root@dev001 zhoukai]# grep ldap /etc/nsswitch.conf
# For each database below, local files are consulted first, then LDAP.
passwd: files ldap
shadow: files ldap
group: files ldap
netgroup: files ldap
automount: files ldap
# NOTE(review): nsswitch.conf database names are lowercase ('sudoers:'); this
# capitalised entry may not be matched by sudo — verify with a sudoers lookup.
Sudoers: files ldap
# Interactive tool that writes the NSS/PAM LDAP settings; the boxes to tick are
# listed in the sentence that follows this transcript.
[root@dev001 zhoukai]# authconfig-tui
缓存信息、使用LDAP、使用shadow密码、使用LDAP认证、本地授权即可
7、配置system-auth、password-auth
# Note: these dumps are from dev002, the earlier ones from dev001 — confirm both
# hosts carry the same configuration.
[root@dev002 pam.d]# grep ldap /etc/pam.d/system-auth
# Only the pam_ldap lines are shown; the surrounding pam_unix / pam_deny lines
# are not on this page, so their order relative to these cannot be checked here.
# 'sufficient' + use_first_pass: the password already collected by an earlier auth
# module is sent to LDAP as a bind; a successful bind ends the auth stack unless
# an earlier 'required' module failed. With 'ssl no' in nslcd.conf that bind
# leaves the host unencrypted.
auth sufficient pam_ldap.so use_first_pass
# user_unknown=ignore: accounts that exist only in local files still pass the
# account phase even though LDAP does not know them.
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
password sufficient pam_ldap.so use_authtok
session optional pam_ldap.so
[root@dev002 pam.d]# grep ldap /etc/pam.d/password-auth
# Same four lines for the password-auth stack, which sshd typically includes on
# CentOS 7 — this is the stack that matters for the SSH login in the title.
auth sufficient pam_ldap.so use_first_pass
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
password sufficient pam_ldap.so use_authtok
session optional pam_ldap.so
___________________________
myron