This repository aims to achieve account authentication across various platforms. (This account system is being developed to unify the authentication methods of platforms such as 开源工厂 and 息壤.)

VanCoghChan/Account-Authentication-Service

 
 

AAA System Development Documentation


This document describes single sign-on based on CAS and helps new members understand the project quickly and start development rapidly. PS: for tech members only.

Latest update: 2019/08/31

Install OpenLDAP In CentOS

To simplify the following configuration, perform all of it with root privileges.

We need at least 4 servers to implement the LDAP service (2 primary servers and 2 secondary servers), so that a single server going down does not disable the service:

  • If possible, to improve access speed, the primary servers and the secondary servers are best placed on the same intranet.
  • Primary servers are best located in different regions, so that an outage in one region does not take the service down.
Role                  Public IP        Intranet IP       OS
master01.hexang.org   148.70.168.17    172.27.0.15       CentOS 7.4 x86_64
master02.hexang.org   120.27.250.20    172.16.43.45      CentOS 7.4 x86_64
slave01.hexang.org    106.53.67.32     172.16.0.14       CentOS 7.4 x86_64
slave02.hexang.org    47.96.239.221    172.16.249.253    CentOS 7.4 x86_64

LDAP Administrator    Permission           Password (provisional)
Main manager          readable, writable   w8JFUEWjAsHBwLjjcQrCYiPP
Secondary manager     readable             of2Pwxqt9Gc7TH8e

OpenLDAP Tree Structure

The current organizational structure is relatively simple; each domain-name-level OU may later get its own management team, for administration and privacy protection:

OpenLDAP User Information Collection

We use the schema in inetorgperson.ldif to collect user information, and we can collect the following data:

Property name       Format   Meaning
uid                 char     User name
cn                  char     User's full name
jpegPhoto           binary   Profile photo
mail                char     User's mailbox for authentication
preferredLanguage   char     Preferred language

LDAP Synchronization

OpenLDAP's synchronization setup needs to satisfy the following 6 conditions:

  1. Time synchronization between servers

    Install NTP

    yum -y install ntp

    To avoid errors between local time and server time, we should do ntpdate first.

    ntpdate ntp1.aliyun.com

    Then customize the NTP service

    vi /etc/ntp.conf

    Comment out the default server lines (the ones ending in iburst) and add a new line with our NTP server information after them:

    server ntp1.aliyun.com iburst  # we use aliyun public network NTP server

    Save the changes and start the NTP service:

    systemctl start ntpd.service

    Then enable the NTP service to start automatically at boot:

    systemctl enable ntpd.service

    Check whether the operation is effective:

    ntpstat
  2. Consistency of OpenLDAP versions

    We use 2.4.4 version.

  3. Domain names should be resolvable between every pair of OpenLDAP nodes

    Not set yet.

  4. The initial configuration of master-slave and master-master synchronization is identical(Includes the directory tree structure)

    Copy and paste the following script.

  5. Data entries are the same across servers

    Just add the data after configuration.

  6. Schema is the same

    Copy and paste the following script.

Script execution file

I have uploaded executable shell scripts here. You can configure everything easily by executing them. All servers should perform Step 1:

# Synchro time first, then activate SELinux
chmod +x NTP_and_SELinux.sh
./NTP_and_SELinux.sh 'the first primary server IP' 'the second primary server IP'

Step 2: Settings for two master LDAP servers:

chmod +x Config_Replication.sh
./Config_Replication.sh 'Administrator password' 'Server serial number'

Step 3: Simply operate on any of the primary servers:

chmod +x Database_Replication.sh
./Database_Replication.sh 'Sub-administrator password'

Step 4: Settings for two slave LDAP servers:

chmod +x Slave_Configuration.sh
./Slave_Configuration.sh 'corresponding primary server IP' 'Administrator password' 'Sub-administrator password'

Firewall Rules

Inbound Rules

Source       Protocol:port   Strategy   Comment
0.0.0.0/0    TCP:22          permit     Allow Linux SSH login
0.0.0.0/0    ICMP            permit     Support ping
0.0.0.0/0    TCP:80          permit     Allow web services, HTTP (80)
0.0.0.0/0    TCP:443         permit     Allow web services, HTTPS (443)
0.0.0.0/0    TCP:389         permit     Allow LDAP services
0.0.0.0/0    UDP:123         permit     Allow NTP services

Outbound Rules

Source       Protocol:port   Strategy   Comment
0.0.0.0/0    ALL             permit     -

SELinux Setting

Activate SELinux:

# Line 7 holds SELINUX= in the stock CentOS 7 file; confirm with 'grep -n ^SELINUX= /etc/selinux/config' before running this
sed -i '7s/^.*$/SELINUX=enforcing/' /etc/selinux/config

Restart the server to enable the SELinux configuration.

systemctl reboot

LDAP Basic Configuration

Step1 install LDAP

Install all the relevant packages so as not to miss anything.

# migrationtools --Used to migrate system users and groups to LDAP.
yum install -y openldap openldap-* migrationtools policycoreutils-python

Configure BerkeleyDB and give the ldap user ownership of the file:

cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG # copy
chown ldap:ldap /var/lib/ldap/DB_CONFIG # Authorization

Enable the LDAP server to start at boot:

systemctl enable slapd

Let's try to run the LDAP service:

systemctl start slapd

Error messages will be generated at this time,run the following command to get the reason for the startup failure:

audit2allow -al

Create a separate rule for LDAP:

audit2allow -a -M ldap_rule

Activate this rule:

semodule -i ldap_rule.pp

Check if the rule was loaded successfully:

[root@VM_0_15_centos ~]# semodule -l | grep ldap_rule
ldap_rule       1.0

Restart LDAP service:

systemctl start slapd

Check the running status of LDAP, the green mark indicates normal operation:

systemctl status slapd

Check port usage; by default, slapd listens on port 389:

netstat -tlnp | grep slapd

Step2 Configure the syslog to log LDAP service

First create the log,then authorize files:

touch /var/log/slapd.log
chown -R ldap. /var/log/slapd.log

After authorization, append the following to the system log configuration:

echo "local4.* /var/log/slapd.log" >> /etc/rsyslog.conf

Restart the system logger to take effect:

systemctl restart rsyslog

Next, update the level of the LDAP log. First, create the intermediate file:

vim loglevel.ldif

Copy the following lines to the file:

dn: cn=config
changetype: modify
add: olcLogLevel
# Set the log level. level 296 is the sum of 256(Log connection/operation/result), 32(Search filter processing) and 8(Connection management).
olcLogLevel: 296

Add logging to the main configuration file:

ldapmodify -Y EXTERNAL -H ldapi:/// -f loglevel.ldif

In addition, it is better to rotate the log to make error checking easier:

vi /etc/logrotate.d/ldap
===========================================================
# The chattr paths must name the same file that is rotated (/var/log/slapd.log)
/var/log/slapd.log {
        prerotate
                /usr/bin/chattr -a /var/log/slapd.log
        endscript
        compress
        delaycompress
        notifempty
        rotate 100
        size 10M
        postrotate
                /usr/bin/chattr +a /var/log/slapd.log
        endscript
}

Check the current log configuration:

[root@VM_0_15_centos ~]# cat /etc/openldap/slapd.d/cn\=config.ldif |grep olcLogLevel
olcLogLevel: 296

Step3 Configure Administrator Password

touch chrootpw.ldif # Create a file
echo "dn: olcDatabase={0}config,cn=config" >> chrootpw.ldif 
echo "changetype: modify" >> chrootpw.ldif # Specify modification type
echo "add: olcRootPW" >> chrootpw.ldif # Add the olcRootPW configuration item
slappasswd -s w8JFUEWjAsHBwLjjcQrCYiPP | sed -e "s#{SSHA}#olcRootPW: {SSHA}#g" >> chrootpw.ldif # Append ciphertext password

Execute the LDAP Modification Configuration Command:

ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif

Step4 Import Schema

The schemas are in /etc/openldap/schema/. I have written a script that imports all of them:

vim import_schema.sh

Copy the following lines to the file.

# Import every schema LDIF. The glob expands in alphabetical order, which satisfies
# the dependencies (cosine before inetorgperson and nis). core.ldif is already
# loaded in the default configuration, so ldapadd reports it as existing; that is harmless.
for file in /etc/openldap/schema/*.ldif
do
  ldapadd -Y EXTERNAL -H ldapi:/// -f "$file"
done

Step5 Configure the top-level domain for LDAP

vim changedomain.ldif
===========================================================
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=admin,dc=hexang,dc=org" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=hexang,dc=org

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin,dc=hexang,dc=org

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
# Paste the {SSHA} hash generated in Step 3 (the olcRootPW line of chrootpw.ldif, viewable with 'vim chrootpw.ldif')
olcRootPW: '{SSHA} hash from chrootpw.ldif'

Execute modify command:

ldapmodify -Y EXTERNAL -H ldapi:/// -f changedomain.ldif

Multi master Configuration

All primary servers must perform step 1 and step 2:

Step1 Configure the Syncprov module

vi mod_syncprov.ldif
===========================================================
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la

Add configuration on LDAP server:

ldapadd -Y EXTERNAL -H ldapi:/// -f mod_syncprov.ldif

Step2 Enable mirror Configuration

In this next step please notice which primary server is being configured:

olcServerID : Subscript corresponding to the primary server (1 or 2).

vi master.ldif
===========================================================
dn: cn=config
changetype: modify
add: olcServerID
olcServerID: 1 or 2

Change configuration on the LDAP server:

ldapmodify -Y EXTERNAL -H ldapi:/// -f master.ldif

Configuration mirror:

PS: fill in the administrator's clear-text password:

vi configrep.ldif
===========================================================
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1 ldap://master01.hexang.org
olcServerID: 2 ldap://master02.hexang.org

dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001 provider=ldap://master01.hexang.org binddn="cn=config"
  bindmethod=simple credentials="Administrator's clear-text password" searchbase="cn=config"
  type=refreshAndPersist retry="5 5 300 5" timeout=1
olcSyncRepl: rid=002 provider=ldap://master02.hexang.org binddn="cn=config"
  bindmethod=simple credentials="Administrator's clear-text password" searchbase="cn=config"
  type=refreshAndPersist retry="5 5 300 5" timeout=1
-
add: olcMirrorMode
olcMirrorMode: TRUE

Change the configuration on the LDAP server:

ldapmodify -Y EXTERNAL -H ldapi:/// -f configrep.ldif

Step3 Enable syncprov module

vi syncprov.ldif
===========================================================
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpSessionLog: 100

Add configuration on LDAP server:

ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov.ldif

Step4 Enabling Mirror Database

vi olcdatabasehdb.ldif
===========================================================
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=admin,dc=hexang,dc=org" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=hexang,dc=org
-
replace: olcRootDN
olcRootDN: cn=admin,dc=hexang,dc=org
-
replace: olcRootPW
olcRootPW: 'Administrator password'
-
add: olcSyncRepl
# The consumer binds as the read-only replication user created in Step 6 (uid=rpuser),
# whose password is the 'Secondary Administrator Password'; cn=admin does not have that
# password, so the bind would fail. The replication user must be able to read the whole suffix.
olcSyncRepl: rid=003 provider=ldap://master01.hexang.org binddn="uid=rpuser,dc=hexang,dc=org" bindmethod=simple
  credentials='Secondary Administrator Password' searchbase="dc=hexang,dc=org" type=refreshAndPersist
  interval=00:00:05:00 retry="5 5 300 5" timeout=1
olcSyncRepl: rid=004 provider=ldap://master02.hexang.org binddn="uid=rpuser,dc=hexang,dc=org" bindmethod=simple
  credentials='Secondary Administrator Password' searchbase="dc=hexang,dc=org" type=refreshAndPersist
  interval=00:00:05:00 retry="5 5 300 5" timeout=1
-
add: olcDbIndex
olcDbIndex: entryUUID  eq
-
add: olcDbIndex
olcDbIndex: entryCSN  eq
-
add: olcMirrorMode
olcMirrorMode: TRUE

Add configuration on the LDAP server:

ldapmodify -Y EXTERNAL -H ldapi:/// -f olcdatabasehdb.ldif

Step5 Clone the Structure

Set the directory structure according to the OpenLDAP Tree Structure section above.

This step can be performed on any primary server:

vim organisation.ldif
===========================================================
dn: dc=hexang,dc=org
objectClass: top
objectClass: dcObject
objectClass: organization
o: Hexang Open Source Life Style Platform
dc: hexang


dn: cn=admin,dc=hexang,dc=org
objectClass: organizationalRole
cn: admin

dn: ou=hexang.org,dc=hexang,dc=org
objectClass: organizationalUnit
ou: hexang.org

dn: ou=accounts,ou=hexang.org,dc=hexang,dc=org
objectClass: organizationalUnit
ou: accounts

dn: ou=hexang.com,dc=hexang,dc=org
objectClass: organizationalUnit
ou: hexang.com

dn: ou=accounts,ou=hexang.com,dc=hexang,dc=org
objectClass: organizationalUnit
ou: accounts

dn: ou=openingsource.org,dc=hexang,dc=org
objectClass: organizationalUnit
ou: openingsource.org

dn: ou=accounts,ou=openingsource.org,dc=hexang,dc=org
objectClass: organizationalUnit
ou: accounts

dn: ou=sosconf.org,dc=hexang,dc=org
objectClass: organizationalUnit
# The ou value must match the RDN, otherwise slapd rejects the entry
ou: sosconf.org

dn: ou=accounts,ou=sosconf.org,dc=hexang,dc=org
objectClass: organizationalUnit
ou: accounts

Execute modify command:

ldapadd -x -D cn=admin,dc=hexang,dc=org -W -f organisation.ldif

Step6 Create Sub-Administrator

For security, we create a read-only secondary management account on the primary server:

vi rpuser.ldif
===========================================================
dn: uid=rpuser,dc=hexang,dc=org
objectClass: simpleSecurityObject
objectClass: account
uid: rpuser
description: Replication User
# slappasswd can produce a {SSHA} hash to store here instead of the clear-text value
userPassword: 'Secondary Administrator Password'

Execute add command:

ldapadd -x -D cn=admin,dc=hexang,dc=org -w 'Administrator password' -f rpuser.ldif

Master-Slave Configuration

PS: mind the IP address of the primary server:

vi syncrepl.ldif
===========================================================
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001
  provider=ldap://IP:389/
  bindmethod=simple
  binddn="cn=admin,dc=hexang,dc=org"
  credentials='Administrator password'
  searchbase="dc=hexang,dc=org"
  scope=sub
  schemachecking=on
  type=refreshAndPersist
  retry="30 5 300 3"
  interval=00:00:05:00

Add configuration on LDAP server:

ldapadd -Y EXTERNAL -H ldapi:/// -f syncrepl.ldif

Test

vi ldaptest.ldif
===========================================================
dn: uid=ldaptest,ou=accounts,ou=hexang.org,dc=hexang,dc=org
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
cn: Huang Xiaoming
uid: ldaptest
sn: Huang
uidNumber: 9988
gidNumber: 100
homeDirectory: /home/ldaptest
loginShell: /bin/bash
gecos: LDAP Replication Test User
userPassword: xiaoming
shadowLastChange: 17058
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
shadowExpire: -1
mail: xiaoming.huang@qq.com

Add members to the LDAP server:

ldapadd -x -W -D "cn=admin,dc=hexang,dc=org" -f ldaptest.ldif

You can query the current member's information on any host:

ldapsearch -x -b dc=hexang,dc=org uid=ldaptest

Delete members:

# -x selects a simple bind; without it ldapdelete attempts a SASL bind
ldapdelete -x -W -D "cn=admin,dc=hexang,dc=org" "uid=ldaptest,ou=accounts,ou=hexang.org,dc=hexang,dc=org"

If the effect of adding or deleting members is the same across all servers, that means it works.
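As an added check, not one of the scripts shipped in this repository, the following script compares the contextCSN attribute across the four nodes from the server table. It applies to the mirror-mode masters from Step 4 as much as to the master-slave consumers: every provider stamps its own contextCSN (one per olcServerID) and the consumers copy them, so when all nodes return the same set, the last write has reached all of them, which is a stronger form of the add-and-delete comparison above. It assumes the suffix is readable without a bind, as the ldapsearch test above is.

```shell
#!/bin/sh
# Added example, not one of the repository's scripts. Hostnames and suffix are
# the README's; the suffix is assumed to be readable anonymously.

HOSTS="master01.hexang.org master02.hexang.org slave01.hexang.org slave02.hexang.org"
BASE="dc=hexang,dc=org"

# Base-scope search returning only the contextCSN attribute, as LDIF.
fetch_csn() {
    ldapsearch -x -LLL -H "ldap://$1" -b "$BASE" -s base contextCSN 2>/dev/null
}

# Extract the contextCSN values from LDIF on stdin, one per line, sorted so
# that attribute order does not affect the comparison.
csn_values() {
    sed -n 's/^contextCSN: *//p' | sort
}

# Return 0 when two LDIF documents (passed as strings) carry the same,
# non-empty set of contextCSN values; 1 otherwise.
csn_agree() {
    a=$(printf '%s\n' "$1" | csn_values)
    b=$(printf '%s\n' "$2" | csn_values)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Compare every node against the first one and report the first mismatch.
check_converged() {
    ref=""; first=1
    for h in $HOSTS; do
        cur=$(fetch_csn "$h")
        if [ "$first" = 1 ]; then
            ref=$cur; first=0
        elif ! csn_agree "$ref" "$cur"; then
            echo "$h: contextCSN differs from the first node" >&2
            return 1
        fi
    done
    # csn_agree rejects an empty reference, so an unreachable first node
    # fails here instead of passing vacuously.
    csn_agree "$ref" "$ref"
}

if [ "${1-}" = "run" ]; then
    check_converged && echo "contextCSN identical on all nodes"
fi
```

Run it as 'sh check_csn.sh run' from any host that can reach port 389 on all four nodes.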

phpLDAPadmin Configuration

Bind public network IP and host name

Append records to the hosts file:

echo "(Your cloud server's public network IP)  Apache" >> /etc/hosts

Configure Apache Services

Check that Apache HTTPD and PHP are installed; otherwise the following steps will fail.

[root@VM_0_15_centos ~]# rpm -qa | grep httpd # Check if the HTTP package has been installed
httpd-2.4.6-89.el7.centos.1.x86_64
httpd-tools-2.4.6-89.el7.centos.1.x86_64
httpd-devel-2.4.6-89.el7.centos.1.x86_64
httpd-manual-2.4.6-89.el7.centos.1.noarch
httpd-itk-2.4.7.04-2.el7.x86_64

If you don't have any output, check that the dependency packages are complete.

yum -y install httpd*

Configure Apache after installation. The configuration files are stored under /etc/httpd/conf/.
The default Apache listening port is 80; just use the default. If there are no special needs, do not change httpd.conf.

Activate Apache:

systemctl start httpd.service

Check the usage of port 80. If port 80 is not listening, check whether it is occupied by another service or whether the configuration file has syntax errors.

[root@VM_0_15_centos ~]# lsof -i:80 # This is normal listening
COMMAND  PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
httpd   6045   root    3u  IPv4 151157      0t0  TCP *:http (LISTEN)
httpd   6046 apache    3u  IPv4 151157      0t0  TCP *:http (LISTEN)
httpd   6047 apache    3u  IPv4 151157      0t0  TCP *:http (LISTEN)
httpd   6048 apache    3u  IPv4 151157      0t0  TCP *:http (LISTEN)
httpd   6049 apache    3u  IPv4 151157      0t0  TCP *:http (LISTEN)
httpd   6050 apache    3u  IPv4 151157      0t0  TCP *:http (LISTEN)

Check if Apache is working properly:

service httpd status

If it looks like this, that means it works, otherwise, check the log information to find the error location

You can use Chrome to test it, and if the following image appears, Apache is working.

Install phpLDAPadmin

First run the installation:

yum install -y phpldapadmin

Modify configuration content:

vim /etc/httpd/conf.d/phpldapadmin.conf

Change the "Require local" in line 11 to "Require all granted":

#
#  Web-based tool for managing LDAP servers
#

Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
Alias /ldapadmin /usr/share/phpldapadmin/htdocs

<Directory /usr/share/phpldapadmin/htdocs>
  <IfModule mod_authz_core.c>
    # Apache 2.4
    # Changed from "Require local". Apache does not accept a trailing comment on a
    # directive line, so keep notes on their own lines. "all granted" admits every
    # address that can reach port 80; narrow it to trusted ranges if needed.
    Require all granted
  </IfModule>
  <IfModule !mod_authz_core.c>
    # Apache 2.2
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1
    Allow from ::1
  </IfModule>
</Directory>

Modify the PHP configuration so that users log into LDAP with their user name:

vim /etc/phpldapadmin/config.php

Line 398: change 'uid' to 'cn':

$servers->setValue('login','attr','uid');
# becomes:
$servers->setValue('login','attr','cn');

Line 460: disable anonymous login to protect the data:

// $servers->setValue('login','anon_bind',true);
# Uncomment line 460 so the default does not stay true, and change it to:
$servers->setValue('login','anon_bind',false);

Line 519: add 'cn' and 'sn' to ensure the uniqueness of user names:

#  $servers->setValue('unique','attrs',array('mail','uid','uidNumber'));
# Uncomment and change it to:
$servers->setValue('unique','attrs',array('mail','uid','uidNumber','cn','sn'));

Restart the Apache service to let the modified configuration take effect:

systemctl restart httpd

Now we can enter: "http:// 'your public network IP' /ldapadmin/ " in the browser to get the architecture created in step 5.
