feature: 一键部署 LDAP 客户端

.gitignore

@@ -0,0 +1 @@
+.idea

tools/ldap.conf

@@ -1,5 +1,22 @@
-uri ldap://ldap-server.magic.com:389
-ssl start_tls
-tls_cacertdir /etc/openldap/cacerts
-tls_cacertfile /etc/openldap/cacerts/magicCA.pem
-tls_reqcert never
+#
+# LDAP Defaults
+#
+
+# See ldap.conf(5) for details
+# This file should be world readable but not world writable.
+
+#BASE	dc=example,dc=com
+#URI	ldap://ldap.example.com ldap://ldap-master.example.com:666
+
+#SIZELIMIT	12
+#TIMELIMIT	15
+#DEREF		never
+
+TLS_CACERTDIR /etc/openldap/cacerts
+TLS_CACERT /etc/openldap/cacerts/magicCA.pem
+TLS_REQCERT never
+
+# Turning this off breaks GSSAPI used with krb5 when rdns = false
+SASL_NOCANON	on
+URI ldap://ldap-server.magic.com
+BASE dc=magic,dc=com

tools/nslcd.conf

@@ -0,0 +1,8 @@
+uid nslcd
+gid ldap
+uri ldap://ldap-server.magic.com
+base dc=magic,dc=com
+ssl start_tls
+tls_cacertdir /etc/openldap/cacerts
+tls_cacertfile /etc/openldap/cacerts/magicCA.pem
+tls_reqcert never

tools/nsswitch.conf

@@ -0,0 +1,16 @@
+passwd:     files ldap
+shadow:     files ldap
+group:      files ldap
+hosts:      files dns myhostname
+bootparams: nisplus [NOTFOUND=return] files
+ethers:     files
+netmasks:   files
+networks:   files
+protocols:  files
+rpc:        files
+services:   files sss
+netgroup:   files sss ldap
+publickey:  nisplus
+automount:  files ldap
+aliases:    files nisplus
+sudoers:    files ldap

tools/one-click.sh

@@ -7,95 +7,55 @@
 # Describe: 一键式配置 Linux 服务器适配 LDAP SSH-KEY 与 SUDO
 #########################################################################
 
-LDAP_FQDN="ldap-server.host.com"
-LDAP_PORT=389
-LDAP_URI="ldap://${LDAP_FQDN}:${LDAP_PORT}"
+LDAP_FQDN="ldap-server.magic.com"
+LDAP_URI="ldap://${LDAP_FQDN}"
 LDAP_BASE_DN="dc=magic,dc=com"
 DATE=$(date '+%Y-%m-%d %H:%M:%S')
 # REMOTE_ADDRESS=(192.168.1.72 192.168.1.97 192.168.1.98 192.168.1.151 192.168.1.152 192.168.1.153 192.168.1.67 192.168.1.68)
-REMOTE_ADDRESS=(192.168.1.71)
+REMOTE_ADDRESS=(192.168.1.153)
 
 
-sudo_conf(){
-
+install_ldap_client(){
     for ip in "${REMOTE_ADDRESS[@]}"
     do
-        echo -e "Copy Run Remote Server ${ip}\n"
-        # 备份文件
-        ssh root@"${ip}" 'cp /etc/sudo-ldap.conf /etc/sudo-ldap.conf.${DATE}'
-        ssh root@"${ip}" 'cp /etc/nsswitch.conf /etc/nsswitch.conf.${DATE}'
-        # 写人文件
-        scp sudo-ldap.conf  root@"${ip}":/etc/sudo-ldap.conf
-        ssh root@"${ip}" 'echo "sudoers:    files   ldap" >> /etc/nsswitch.conf'
-        echo -e "\n"
+        ssh root@${ip} "yum install -y openldap-clients nss-pam-ldapd > /dev/null"
     done
 }
 
-ssh_setup(){
-    for ip in "${REMOTE_ADDRESS[@]}"
-    do
-        echo -e "Setup SSH LDAP Run Remote Server ${ip}"
-        ssh root@"${ip}" ' yum -y install openssh-ldap'
-        scp magicCA.pem root@"${ip}":/etc/openldap/cacerts
-        scp ldap.conf root@"${ip}":/etc/ssh/
-        ssh root@"${ip}" 'echo -e "AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper\nAuthorizedKeysCommandUser nobody\nPubkeyAuthentication yes" >> /etc/ssh/sshd_config'
-        echo -e "\n"
-    done
+setup_client_authconfig(){
+    # 配置使用 TLS
+    ssh root@${ip} "systemctl restart nslcd && systemctl status nslcd"
+    ssh root@${ip} "[[ ! -d /etc/openldap/cacerts ]] && mkdir /etc/openldap/cacerts"
+    scp magicCA.pem root@${ip}:/etc/openldap/cacerts/magicCA.pem
+    ssh root@${ip} "authconfig --enableldap --enableldapauth --enableldaptls --ldapserver=${LDAP_URI} --ldapbasedn=${LDAP_BASE_DN} --enablemkhomedir --update"
 }
 
-ssh_restart(){
+config_rsync(){
     for ip in "${REMOTE_ADDRESS[@]}"
     do
-        echo -e "Setup SSH LDAP Run Remote Server ${ip} restart sshd"
-        ssh root@"${ip}" 'systemctl restart sshd'
-        echo -e "\n"
+        scp ldap.conf root@${ip}:/etc/openldap/ldap.conf
+        scp nslcd.conf root@${ip}:/etc/nslcd.conf
+        scp nsswitch.conf root@${ip}:/etc/nsswitch.conf
+        scp sudo-ldap.conf root@${ip}:/etc/sudo-ldap.conf
     done
 }
 
-setup_client(){
+setup_client_ssh(){
     for ip in "${REMOTE_ADDRESS[@]}"
     do
-        echo -e "Setup SSH LDAP Run Remote Server ${ip} Client"
-        ssh root@"${ip}" 'yum install -y openldap-clients nss-pam-ldapd'
-        echo -e "\n"
+        ssh root@${ip} "yum -y install openssh-ldap > /dev/null"
+        scp ssh-ldap.conf root@${ip}:/etc/ssh/ldap.conf
+        ssh root@${ip} 'echo -e "AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper\nAuthorizedKeysCommandUser nobody\nPubkeyAuthentication yes" >> /etc/ssh/sshd_config'
+        ssh root@${ip} "systemctl restart sshd && systemctl enable sshd"
     done
+
 }
 
-client_config(){
 
-    for ip in "${REMOTE_ADDRESS[@]}"
-    do
-        echo -e "Setup SSH LDAP Run Remote Server ${ip} Client"
-        ssh root@"${ip}" "authconfig --enableldap --enableldapauth --enableldaptls --disablesssd --enablemd5 --enablelocauthorize  --enableshadow --ldapserver=ldap-server.magic.com --ldapbasedn='dc=magic,dc=com' --enablemkhomedir --update"
-        ssh root@"${ip}" 'systemctl restart nslcd && systemctl status nslcd'
-        ssh root@"${ip}" 'getent passwd liuyulong'
-        echo -e "\n"
-    done
-
-}
+install_ldap_client
 
-main(){
-    # for ip in "${REMOTE_ADDRESS[@]}"
-    # do
-    #     echo -e ">>>>>>> $ip\n"
-    #     ping ${ip} -c 1 > /dev/null 2>&1
-    #     if [[ $? -eq 0 ]]; then
-    #         echo -e "ping ${ip} OK\n"
-    #     else
-    #         echo -e "ping ${ip} failed\n"
-    #     fi
-    #     # 如果需要输入密码则会导致超时
-    #     gtimeout 5 ssh root@${ip} echo "SSH has passwordless access"
-    #     if [[ $? -ne 0 ]]; then
-    #         echo "SSH has no passwordless access"
-    #     fi
-    # done
-    setup_client
-    ssh_setup
-    sudo_conf
-    ssh_setup
-    ssh_restart
-    client_config
-}
+config_rsync
+
+setup_client_ssh
 
-main
+setup_client_authconfig

tools/ssh-ldap.conf

@@ -0,0 +1,5 @@
+uri ldap://ldap-server.magic.com
+ssl start_tls
+tls_cacertdir /etc/openldap/cacerts
+tls_cacertfile /etc/openldap/cacerts/magicCA.pem
+tls_reqcert never

tools/sudo-ldap.conf

@@ -1,3 +1,3 @@
-uri ldap://ldap-server.host.com:389
+uri ldap://ldap-server.magic.com
 # ou 与页面配置的 ou 保持一致
-sudoers_base ou=sudoers,dc=magic,dc=com
+sudoers_base ou=sudoers,dc=magic,dc=com