OpenLDAP host access control (IP-based)
http://blog.oddbit.com/2013/07/22/generating-a-membero/
http://gsr-linux.blogspot.jp/2011/01/howto-on-using-dynlist-with-openldap.html
Create the organizational units
cat << _EOF_ | ldapadd -x -W -H ldaps://master.local -D cn=manager,dc=suntv,dc=tv
dn: ou=people,dc=suntv,dc=tv
ou: people
objectClass: organizationalUnit

dn: ou=group,dc=suntv,dc=tv
ou: group
objectClass: organizationalUnit

dn: ou=host,dc=suntv,dc=tv
ou: host
objectClass: organizationalUnit
_EOF_
Create the host groups (each one is a hostObject whose host values the dynamic list will copy into the users)
cat << _EOF_ | ldapadd -x -W -H ldaps://master.local -D cn=manager,dc=suntv,dc=tv
dn: ou=all,ou=host,dc=suntv,dc=tv
objectClass: organizationalUnit
objectClass: hostObject
ou: all
host: all

dn: ou=op,ou=host,dc=suntv,dc=tv
objectClass: organizationalUnit
objectClass: hostObject
ou: op
host: 192.168.1.21
host: 192.168.1.22

dn: ou=dev,ou=host,dc=suntv,dc=tv
objectClass: organizationalUnit
objectClass: hostObject
ou: dev
host: 192.168.1.31
host: 192.168.1.32
_EOF_
Create the user groups
cat << _EOF_ | ldapadd -x -W -H ldaps://master.local -D cn=manager,dc=suntv,dc=tv
dn: cn=op,ou=group,dc=suntv,dc=tv
objectClass: posixGroup
cn: op
gidNumber: 2001

dn: cn=dev,ou=group,dc=suntv,dc=tv
objectClass: posixGroup
cn: dev
gidNumber: 2002
_EOF_
Create the users (labeledURI points at the host group whose host values the dynlist overlay should expand into the user entry)
cat << _EOF_ | ldapadd -x -W -H ldaps://master.local -D cn=manager,dc=suntv,dc=tv
dn: uid=op01,ou=people,dc=suntv,dc=tv
uid: op01
cn: op01
sn: op01
objectClass: hostObject
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
userPassword: 123456
shadowLastChange: 17085
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 2001
homeDirectory: /home/op01
labeledURI: ldaps:///ou=op,ou=host,dc=suntv,dc=tv?host

dn: uid=dev01,ou=people,dc=suntv,dc=tv
uid: dev01
cn: dev01
sn: op01
objectClass: hostObject
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
userPassword: 123456
shadowLastChange: 17085
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1002
gidNumber: 2002
homeDirectory: /home/dev01
labeledURI: ldaps:///ou=dev,ou=host,dc=suntv,dc=tv?host
_EOF_
Dynamic groups
# Make sure /etc/openldap/slapd.conf contains the following
include /etc/openldap/schema/dyngroup.schema
modulepath /usr/lib64/openldap
moduleload dynlist.la
overlay dynlist
# for every inetOrgPerson entry, expand the LDAP URL in labeledURI and add the attributes it returns
dynlist-attrset inetOrgPerson labeledURI
# regenerate the cn=config directory from slapd.conf and restart
rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
chown -R ldap:ldap /etc/openldap/slapd.d
systemctl restart slapd
Test
ldapsearch -x -W -H ldaps://master.local -D cn=manager,dc=suntv,dc=tv -b uid=op01,ou=people,dc=suntv,dc=tv
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <uid=op01,ou=people,dc=suntv,dc=tv> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# op01, people, suntv.tv
dn: uid=op01,ou=people,dc=suntv,dc=tv
uid: op01
cn: op01
sn: op01
objectClass: hostObject
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
userPassword:: MTIzNDU2
shadowLastChange: 17085
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 2001
homeDirectory: /home/op01
labeledURI: ldaps:///ou=op,ou=host,dc=suntv,dc=tv?host
host: 192.168.1.21 # added automatically by the dynamic list
host: 192.168.1.22 # added automatically by the dynamic list
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
ldapsearch filter usage: http://blog.chinaunix.net/uid-393131-id-2410065.html
ldapsearch -x -W -H ldaps://master.local -D cn=manager,dc=suntv,dc=tv -b uid=dev01,ou=people,dc=suntv,dc=tv host
# extended LDIF
#
# LDAPv3
# base <uid=dev01,ou=people,dc=suntv,dc=tv> with scope subtree
# filter: (objectclass=*)
# requesting: host
#
# dev01, people, suntv.tv
dn: uid=dev01,ou=people,dc=suntv,dc=tv
host: 192.168.1.31 # added automatically by the dynamic list
host: 192.168.1.32 # added automatically by the dynamic list
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
cat > /etc/sssd/sssd.conf << _EOF_
[domain/LDAP]
debug_level = 9
cache_credentials = true
enumerate = false
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://master.local
ldap_backup_uri = ldaps://slave.local
ldap_search_base = dc=suntv,dc=tv
ldap_user_search_base = ou=people,dc=suntv,dc=tv
ldap_group_search_base = ou=group,dc=suntv,dc=tv
access_provider = ldap
ldap_access_order = filter
# the user entry must match this filter on the server, i.e. on its stored host attribute
ldap_access_filter = (|(host=all)(host=192.168.1.21))
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_cacert = /etc/openldap/cacerts/ca.crt
# never = do not verify the server certificate; suitable for this test only
ldap_tls_reqcert = never
ldap_id_use_start_tls = false
[sssd]
domains = LDAP
services = nss, pam
config_file_version = 2
[nss]
domains = LDAP
fd_limit = 65535
filter_users = root
filter_groups = root
[pam]
domains = LDAP
[ssh]
domains = LDAP
ssh_hash_known_hosts = false
_EOF_
Test
# ssh op01@192.168.1.22
op01@192.168.1.22's password:
Connection to 192.168.1.22 closed by remote host.
Connection to 192.168.1.22 closed.
The sssd_LDAP log shows the following. The search [(&(uid=op01)(objectclass=posixAccount)(|(host=all)(host=192.168.1.21)))][uid=op01,ou=people,dc=suntv,dc=tv] is the access filter being evaluated, so the problem should be in ldap_access_filter = (|(host=all)(host=192.168.1.21)).
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [sdap_access_filter_send] (0x0400): Performing access filter check for user [op01]
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [sdap_access_filter_send] (0x0400): Checking filter against LDAP
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [sdap_print_server] (0x2000): Searching 192.168.1.11
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=op01)(objectclass=posixAccount)(|(host=all)(host=192.168.1.21)))][uid=op01,ou=people,dc=suntv,dc=tv].
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 4
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [sdap_op_add] (0x2000): New operation 4 timeout 6
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [sdap_process_result] (0x2000): Trace: sh[0x9380c0], connected[1], ops[0x9f7470], ldap[0x931330]
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [sdap_op_destructor] (0x2000): Operation 4 finished
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [sdap_id_op_done] (0x4000): releasing operation connection
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [sdap_access_filter_done] (0x0100): User [op01] was not found with the specified filter. Denying access.
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [sdap_access_filter_done] (0x0400): Access denied by online lookup
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [ldb] (0x4000): start ldb transaction (nesting: 0)
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x9e6f50
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x9e76c0
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [ldb] (0x4000): Running timer event 0x9e6f50 "ltdb_callback"
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [ldb] (0x4000): Destroying timer event 0x9e76c0 "ltdb_timeout"
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [ldb] (0x4000): Ending timer event 0x9e6f50 "ltdb_callback"
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [ldb] (0x4000): commit ldb transaction (nesting: 0)
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [sdap_access_done] (0x0400): Access was denied.
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 6, <NULL>) [Success]
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [be_pam_handler_callback] (0x0100): Sending result [6][LDAP]
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [be_pam_handler_callback] (0x0100): Sent result [6][LDAP]
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [sdap_process_result] (0x2000): Trace: sh[0x9380c0], connected[1], ops[(nil)], ldap[0x931330]
(Thu Oct 13 17:23:57 2016) [sssd[be[LDAP]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Thu Oct 13 17:24:00 2016) [sssd[be[LDAP]]] [sbus_dispatch] (0x4000): dbus conn: 0x91cdf0
(Thu Oct 13 17:24:00 2016) [sssd[be[LDAP]]] [sbus_dispatch] (0x4000): Dispatching.
dynlist does not support filtering on the attributes it generates: http://www.openldap.org/lists/openldap-software/200708/msg00250.html
That thread suggests using the third-party autogroup overlay instead, which stores the generated values in the database and therefore does support filtering.
To confirm this, user op01 keeps the dynamic group while user dev01 gets no dynamic group and instead has a static host record 192.168.1.22 added directly to the entry.
ldapsearch -x -W -H ldaps://master.local -D cn=manager,dc=suntv,dc=tv -b ou=people,dc=suntv,dc=tv "host=192.168.1.22"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=people,dc=suntv,dc=tv> with scope subtree
# filter: host=192.168.1.22 # the filter matches the static record
# requesting: ALL
#
# dev01, people, suntv.tv
dn: uid=dev01,ou=people,dc=suntv,dc=tv
uid: dev01
cn: dev01
sn: op01
objectClass: hostObject
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
userPassword:: MTIzNDU2
shadowLastChange: 17085
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1002
gidNumber: 2002
homeDirectory: /home/dev01
host: 192.168.1.22
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
ldapsearch -x -W -H ldaps://master.local -D cn=manager,dc=suntv,dc=tv -b ou=people,dc=suntv,dc=tv "host=192.168.1.21"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=people,dc=suntv,dc=tv> with scope subtree
# filter: host=192.168.1.21 # no entry matches: the dynlist-generated host values are not searchable
# requesting: ALL
#
# search result
search: 2
result: 0 Success
# numResponses: 1
Since dynlist does not currently support filtering, autogroup is a third-party module that is not built into OpenLDAP by default, and with static records every user would need many host entries, the IP-based dynamic group approach is abandoned. I will try an approach based on user groups instead.
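To make the failure concrete, here is an added Python model (not code from the post) of the access check SSSD performs, built on an in-memory copy of the post's entries: it expands labeledURI the way the dynlist overlay does and evaluates the same ldap_access_filter against the stored attributes (what slapd actually filters on) and against the expanded entry, covering both the op01 denial in the log above and the static host record that works for dev01. The directory contents and the simplified filter evaluator are constructed for this example.

```python
"""Model of the SSSD access check in this post, on constructed data: dynlist adds
host values when an entry is read, so a server-side (host=...) filter never sees them."""
from urllib.parse import urlparse, unquote

DIRECTORY = {  # dn -> {attribute: [values]}, constructed from the post's LDIF
    "ou=op,ou=host,dc=suntv,dc=tv": {"host": ["192.168.1.21", "192.168.1.22"]},
    "uid=op01,ou=people,dc=suntv,dc=tv": {  # dynamic: hosts come via labeledURI
        "uid": ["op01"], "objectclass": ["posixAccount", "inetOrgPerson"],
        "labeleduri": ["ldaps:///ou=op,ou=host,dc=suntv,dc=tv?host"]},
    "uid=dev01,ou=people,dc=suntv,dc=tv": {  # static host record, no dynlist
        "uid": ["dev01"], "objectclass": ["posixAccount", "inetOrgPerson"],
        "host": ["192.168.1.22"]},
}

def expand_dynlist(entry):
    """Mimic 'dynlist-attrset inetOrgPerson labeledURI': follow each labeledURI
    (RFC 4516 LDAP URL: scheme://host/dn?attrs?scope?filter) and merge attrs."""
    out = {k: list(v) for k, v in entry.items()}
    for uri in entry.get("labeleduri", []):
        url = urlparse(uri)
        dn = unquote(url.path.lstrip("/"))
        for attr in filter(None, url.query.split("?")[0].lower().split(",")):
            out.setdefault(attr, []).extend(DIRECTORY.get(dn, {}).get(attr, []))
    return out

def eval_filter(flt, entry):
    """Evaluate an RFC 4515 filter limited to (a=v), (&..), (|..) and (!..);
    attribute names and values compare case-insensitively, as slapd does."""
    def parse(i):
        assert flt[i] == "(", f"expected '(' at offset {i}"
        op = flt[i + 1]
        if op in "&|!":
            i, results = i + 2, []
            while flt[i] == "(":
                res, i = parse(i)
                results.append(res)
            value = all(results) if op == "&" else any(results) if op == "|" else not results[0]
            return value, i + 1  # skip the closing ')'
        end = flt.index(")", i)
        attr, wanted = flt[i + 1:end].split("=", 1)
        present = [v.lower() for v in entry.get(attr.lower(), [])]
        return wanted.lower() in present, end + 1
    return parse(0)[0]

def sssd_access_check(uid, client_ip, expanded=False):
    """The post's ldap_access_filter as SSSD submits it. expanded=False matches
    stored attributes only (the real outcome); expanded=True also sees dynlist values."""
    flt = f"(&(uid={uid})(objectclass=posixAccount)(|(host=all)(host={client_ip})))"
    entry = DIRECTORY[f"uid={uid},ou=people,dc=suntv,dc=tv"]
    return eval_filter(flt, expand_dynlist(entry) if expanded else entry)
```

Running sssd_access_check("op01", "192.168.1.21") returns False exactly as the log's "User [op01] was not found with the specified filter" shows, while the same call with expanded=True returns True, which is the gap between what ldapsearch displays and what the server can filter on.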