
Linux Tutorial FG304: SSSD Configuration

Summary: This Feng Ge tutorial draws on the official Linux, Red Hat Enterprise Linux, Ansible Automation Platform, Docker, Kubernetes and Podman documentation and describes in detail how to configure and use the technology concerned.

Tip from Feng Ge: this document describes in detail how to configure SSSD, the System Security Services Daemon.

Part01 - SSSD Basics

1.1 Install SSSD

# Install SSSD with the LDAP and Kerberos providers
$ sudo dnf install -y sssd sssd-ldap sssd-krb5

# Switch the NSS/PAM stack to SSSD (with-mkhomedir creates home directories on first login)
$ sudo authselect select sssd with-mkhomedir --force

# View the SSSD configuration
$ sudo cat /etc/sssd/sssd.conf

# Start SSSD and enable it at boot
$ sudo systemctl start sssd
$ sudo systemctl enable sssd

# Check the service status
$ sudo systemctl status sssd

Part02 - LDAP Configuration

2.1 Configure the LDAP back end

# Configure SSSD to use LDAP
$ sudo tee /etc/sssd/sssd.conf << 'EOF'
[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = fgedu.net.cn

[nss]
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd
filter_groups = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd

[pam]

[domain/fgedu.net.cn]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
sudo_provider = ldap
ldap_uri = ldap://ldap.fgedu.net.cn
ldap_search_base = dc=example,dc=com
ldap_user_search_base = ou=People,dc=example,dc=com
ldap_group_search_base = ou=Groups,dc=example,dc=com
ldap_sudo_search_base = ou=Sudoers,dc=example,dc=com
# Require a valid server certificate signed by the listed CA
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ca.crt
ldap_user_object_class = posixAccount
ldap_user_name = uid
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = homeDirectory
ldap_user_shell = loginShell
ldap_group_object_class = posixGroup
ldap_group_name = cn
ldap_group_gid_number = gidNumber
ldap_group_member = memberUid
cache_credentials = True
enumerate = True
entry_cache_timeout = 5400
ldap_network_timeout = 3
ldap_opt_timeout = 6
EOF

# SSSD refuses to start unless sssd.conf is readable by root only
$ sudo chmod 600 /etc/sssd/sssd.conf
$ sudo systemctl restart sssd

Part03 - FreeIPA Configuration

3.1 Configure the FreeIPA back end

# Configure SSSD to use FreeIPA
$ sudo tee /etc/sssd/sssd.conf << 'EOF'
[sssd]
config_file_version = 2
services = nss, pam, sudo, ssh
domains = fgedu.net.cn

[nss]
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd
filter_groups = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd
homedir_substring = /home

[pam]
pam_verbosity = 3
pam_id_timeout = 5
pam_pwd_expiration_warning = 7

[sudo]

[ssh]

[domain/fgedu.net.cn]
id_provider = ipa
auth_provider = ipa
chpass_provider = ipa
sudo_provider = ipa
autofs_provider = ipa
session_provider = ipa
hostid_provider = ipa
subdomains_provider = ipa
ipa_domain = fgedu.net.cn
ipa_server = ipa.fgedu.net.cn
ipa_hostname = client.fgedu.net.cn
ldap_tls_cacert = /etc/ipa/ca.crt
cache_credentials = True
krb5_store_password_if_offline = True
enumerate = True
ldap_schema = rfc2307bis
ldap_user_principal = krbPrincipalName
ldap_user_fullname = cn
ldap_user_home_directory = homeDirectory
ldap_user_shell = loginShell
ldap_group_object_class = groupOfNames
ldap_group_name = cn
ldap_group_member = member
ldap_group_gid_number = gidNumber
entry_cache_timeout = 5400
ldap_search_timeout = 6
ldap_network_timeout = 3
ldap_opt_timeout = 6
EOF

# SSSD refuses to start unless sssd.conf is readable by root only
$ sudo chmod 600 /etc/sssd/sssd.conf
$ sudo systemctl restart sssd

Part04 - Cache Management

4.1 Manage the SSSD cache

# Invalidate all cached user entries / all cached group entries
$ sudo sss_cache -U
$ sudo sss_cache -G

# Invalidate all cached entries
$ sudo sss_cache -E

# Invalidate the cache entry of one user
$ sudo sss_cache -u user1

# Invalidate the cache entry of one group
$ sudo sss_cache -g developers

# Follow the SSSD service log
$ sudo journalctl -u sssd -f

# Follow the domain log
$ sudo tail -f /var/log/sssd/sssd_fgedu.net.cn.log

# Debug mode: raise debug_level in the [sssd] and [domain/...] sections.
# Note that this heredoc replaces the whole file; in practice add the two
# debug_level lines to the existing sections instead of overwriting the
# provider settings configured above.
$ sudo tee /etc/sssd/sssd.conf << 'EOF'
[sssd]
config_file_version = 2
services = nss, pam
domains = fgedu.net.cn
debug_level = 9

[domain/fgedu.net.cn]
debug_level = 9
EOF
$ sudo systemctl restart sssd

# Test user and group lookups
$ id user1
$ getent passwd user1
$ getent group developers

# Test authentication
$ su - user1

# Check a user through every SSSD interface (NSS, PAM, InfoPipe)
$ sssctl user-checks user1

# Check the domain status
$ sssctl domain-status fgedu.net.cn

# Back up the local client data (sssd.conf and related files)
$ sssctl client-data-backup

Feng Ge's recommendations for SSSD:
1. Enable credential caching (cache_credentials)
2. Configure the timeout parameters
3. Monitor the log files
4. Clean the cache regularly
5. Use TLS encryption
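To turn the recommendations above into a check that can be run against the LDAP configuration from Part02, here is an added example (not part of the tutorial) that parses an sssd.conf and reports which of the hardening settings are weak or missing. The sample configuration embedded in it is constructed from the tutorial's LDAP settings with two of them deliberately weakened; the ldap_id_use_start_tls check reflects SSSD's documented default of not using STARTTLS for identity lookups over ldap://.

```python
import configparser

# Constructed sample modelled on the tutorial's LDAP configuration, with two
# of the recommended settings deliberately weakened so the audit has findings.
SAMPLE_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = fgedu.net.cn

[domain/fgedu.net.cn]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.fgedu.net.cn
ldap_tls_reqcert = allow
ldap_tls_cacert = /etc/pki/tls/certs/ca.crt
cache_credentials = False
ldap_network_timeout = 3
"""

def parse_sssd_conf(text):
    """Parse sssd.conf text; section names such as [domain/x] are kept as-is."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def audit_domain(cp, domain):
    """Return the names of weak or missing settings in [domain/<domain>]."""
    sec = cp["domain/" + domain]
    findings = []
    if sec.get("id_provider") == "ldap":
        # SSSD's default is 'hard'; 'allow' and 'never' skip certificate checks
        if sec.get("ldap_tls_reqcert", "hard") not in ("demand", "hard"):
            findings.append("ldap_tls_reqcert")
        if not sec.get("ldap_tls_cacert"):
            findings.append("ldap_tls_cacert")
        # identity lookups over ldap:// are cleartext unless STARTTLS is enabled
        if sec.get("ldap_uri", "").startswith("ldap://") and not sec.getboolean(
                "ldap_id_use_start_tls", fallback=False):
            findings.append("ldap_id_use_start_tls")
    if not sec.getboolean("cache_credentials", fallback=False):
        findings.append("cache_credentials")  # no logins while the directory is down
    for key in ("ldap_network_timeout", "ldap_opt_timeout"):
        if key not in sec:
            findings.append(key)  # lookups may hang on an unresponsive server
    return findings

def mode_is_private(st_mode):
    """True when group/other bits are clear, as 'chmod 600 sssd.conf' leaves them."""
    return (st_mode & 0o077) == 0
```

Run audit_domain(parse_sssd_conf(open("/etc/sssd/sssd.conf").read()), "fgedu.net.cn") as root to audit a live client, and pass os.stat(path).st_mode to mode_is_private for the permission check.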

This article was compiled and published by Feng Ge Tutorials for study and testing only; when reposting, cite the source: http://www.fgedu.net.cn/10327.html
