
以下都是在openvpn server端执行

1.server端配置

# OpenVPN server configuration (presumably /etc/openvpn/server/server.conf,
# given the openvpn-server@server.service unit restarted in section 4).
# Client identity comes from the PAM plugin at the bottom of this file,
# NOT from client certificates — see client-cert-not-required.
port 1194
# TCP gets through UDP-hostile networks at the cost of TCP-over-TCP overhead.
proto tcp
dev tun
# Large MTU and socket buffers are throughput tuning, not security-relevant.
tun-mtu 9000
sndbuf 393216
rcvbuf 393216
# Server PKI material. Relative paths resolve against the daemon's working
# directory (for openvpn-server@ that is /etc/openvpn/server), so keep the
# files there; key/dh must stay root-only readable.
ca ca.crt
cert server.crt
key server.key
dh dh.pem
# Data channel: AES-256-CBC plus an HMAC-SHA512 per packet. Valid, but an AEAD
# cipher (AES-256-GCM) is the modern choice and OpenVPN 2.4+ can negotiate it
# when both peers allow it.
cipher AES-256-CBC
auth SHA512
# tls-auth HMAC-signs every control-channel packet, so unauthenticated peers
# never reach the TLS handshake. Direction 0 here pairs with `key-direction 1`
# in the client profile below.
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# Full tunnel: all client traffic goes through the VPN (bypass-dhcp keeps the
# client's local DHCP server reachable directly); resolvers are pushed too.
push "redirect-gateway def1 bypass-dhcp"

push "dhcp-option DNS 114.114.114.114"
push "dhcp-option DNS 1.1.1.1"

push "route 172.18.0.0 255.255.255.0"
push "sndbuf 393216"
push "rcvbuf 393216"
# With no argument this is the "require" setting, but the later
# client-cert-not-required line overrides it — the two directives contradict
# each other; keep only the one that is intended.
verify-client-cert

keepalive 10 120
# Drop root after startup. persist-key/persist-tun let the daemon survive
# restarts/renegotiation without re-reading keys or re-opening the tun device
# as the unprivileged user.
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 3
# The CRL is still checked, but it only matters for clients that do present a
# certificate (optional here).
crl-verify crl.pem
# Compression on a VPN link is a known information-leak vector (VORACLE-class
# attacks) and is deprecated; leave it out unless a legacy client needs it.
comp-lzo
mute 20
max-clients 100

# Authenticate through the PAM service "openvpn" (/etc/pam.d/openvpn, section 3):
# LDAP password plus a Google Authenticator one-time code.
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
# Deprecated alias for `verify-client-cert none` (slated for removal after 2.4).
# Client certificates are NOT required, so the only per-client authentication
# is the PAM username/password/OTP above; tls-auth remains the outer gate.
client-cert-not-required
# Use the PAM-authenticated username (not a certificate CN) as the client name.
username-as-common-name
# Rekey every 10h instead of the default 1h — presumably so that renegotiation
# (with auth-nocache on the client) does not re-prompt for a one-time code.
# Whichever side has the smaller value triggers the renegotiation, hence both
# sides set it.
reneg-sec 36000
# OpenVPN server configuration (presumably /etc/openvpn/server/server.conf,
# given the openvpn-server@server.service unit restarted in section 4).
# Client identity comes from the PAM plugin at the bottom of this file,
# NOT from client certificates — see client-cert-not-required.
port 1194
# TCP gets through UDP-hostile networks at the cost of TCP-over-TCP overhead.
proto tcp
dev tun
# Large MTU and socket buffers are throughput tuning, not security-relevant.
tun-mtu 9000
sndbuf 393216
rcvbuf 393216
# Server PKI material. Relative paths resolve against the daemon's working
# directory (for openvpn-server@ that is /etc/openvpn/server), so keep the
# files there; key/dh must stay root-only readable.
ca ca.crt
cert server.crt
key server.key
dh dh.pem
# Data channel: AES-256-CBC plus an HMAC-SHA512 per packet. Valid, but an AEAD
# cipher (AES-256-GCM) is the modern choice and OpenVPN 2.4+ can negotiate it
# when both peers allow it.
cipher AES-256-CBC
auth SHA512
# tls-auth HMAC-signs every control-channel packet, so unauthenticated peers
# never reach the TLS handshake. Direction 0 here pairs with `key-direction 1`
# in the client profile below.
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# Full tunnel: all client traffic goes through the VPN (bypass-dhcp keeps the
# client's local DHCP server reachable directly); resolvers are pushed too.
push "redirect-gateway def1 bypass-dhcp"

push "dhcp-option DNS 114.114.114.114"
push "dhcp-option DNS 1.1.1.1"

push "route 172.18.0.0 255.255.255.0"
push "sndbuf 393216"
push "rcvbuf 393216"
# With no argument this is the "require" setting, but the later
# client-cert-not-required line overrides it — the two directives contradict
# each other; keep only the one that is intended.
verify-client-cert

keepalive 10 120
# Drop root after startup. persist-key/persist-tun let the daemon survive
# restarts/renegotiation without re-reading keys or re-opening the tun device
# as the unprivileged user.
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 3
# The CRL is still checked, but it only matters for clients that do present a
# certificate (optional here).
crl-verify crl.pem
# Compression on a VPN link is a known information-leak vector (VORACLE-class
# attacks) and is deprecated; leave it out unless a legacy client needs it.
comp-lzo
mute 20
max-clients 100

# Authenticate through the PAM service "openvpn" (/etc/pam.d/openvpn, section 3):
# LDAP password plus a Google Authenticator one-time code.
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
# Deprecated alias for `verify-client-cert none` (slated for removal after 2.4).
# Client certificates are NOT required, so the only per-client authentication
# is the PAM username/password/OTP above; tls-auth remains the outer gate.
client-cert-not-required
# Use the PAM-authenticated username (not a certificate CN) as the client name.
username-as-common-name
# Rekey every 10h instead of the default 1h — presumably so that renegotiation
# (with auth-nocache on the client) does not re-prompt for a one-time code.
# Whichever side has the smaller value triggers the renegotiation, hence both
# sides set it.
reneg-sec 36000

2.client端

# OpenVPN client profile for the server above. No `ca` or `tls-auth` file is
# referenced, so the CA certificate and ta.key are presumably embedded inline
# (<ca>/<tls-auth> blocks) in the distributed .ovpn — confirm before deploying,
# otherwise the client cannot verify the server.
client
dev tun
proto tcp
# Must match the server's tun-mtu / buffer sizes (the buffers are also pushed).
tun-mtu 9000
sndbuf 393216
rcvbuf 393216


# Server endpoint (address as given in the article).
remote 39.98.112.233 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# Require the server certificate to carry the TLS-server EKU/nsCertType, so a
# leaked client certificate cannot be used to impersonate the server.
remote-cert-tls server
# Must agree with the server's auth/cipher.
auth SHA512
cipher AES-256-CBC
# Windows-only DNS-leak protection; the `opt` prefix makes other platforms skip
# the unknown option instead of failing.
setenv opt block-outside-dns
# Direction 1 pairs with `tls-auth ta.key 0` on the server.
key-direction 1
# Same compression caveat as on the server (VORACLE-class leaks); the setting
# must match the server's.
comp-lzo
verb 3
# Do not keep the username/password in memory — each renegotiation re-prompts,
# which is why reneg-sec is raised below.
auth-nocache
# Windows route-installation options; a non-Windows client may reject
# route-method as unknown — verify on the target platform.
route-method exe
route-delay 2

# Prompt for username and password. With forward_pass/use_first_pass in
# /etc/pam.d/openvpn (section 3), the password field is presumably the LDAP
# password immediately followed by the one-time code.
auth-user-pass
reneg-sec 36000
# OpenVPN client profile for the server above. No `ca` or `tls-auth` file is
# referenced, so the CA certificate and ta.key are presumably embedded inline
# (<ca>/<tls-auth> blocks) in the distributed .ovpn — confirm before deploying,
# otherwise the client cannot verify the server.
client
dev tun
proto tcp
# Must match the server's tun-mtu / buffer sizes (the buffers are also pushed).
tun-mtu 9000
sndbuf 393216
rcvbuf 393216


# Server endpoint (address as given in the article).
remote 39.98.112.233 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# Require the server certificate to carry the TLS-server EKU/nsCertType, so a
# leaked client certificate cannot be used to impersonate the server.
remote-cert-tls server
# Must agree with the server's auth/cipher.
auth SHA512
cipher AES-256-CBC
# Windows-only DNS-leak protection; the `opt` prefix makes other platforms skip
# the unknown option instead of failing.
setenv opt block-outside-dns
# Direction 1 pairs with `tls-auth ta.key 0` on the server.
key-direction 1
# Same compression caveat as on the server (VORACLE-class leaks); the setting
# must match the server's.
comp-lzo
verb 3
# Do not keep the username/password in memory — each renegotiation re-prompts,
# which is why reneg-sec is raised below.
auth-nocache
# Windows route-installation options; a non-Windows client may reject
# route-method as unknown — verify on the target platform.
route-method exe
route-delay 2

# Prompt for username and password. With forward_pass/use_first_pass in
# /etc/pam.d/openvpn (section 3), the password field is presumably the LDAP
# password immediately followed by the one-time code.
auth-user-pass
reneg-sec 36000
  • openldap添加用户
# Create a local test account and migrate local users/groups into OpenLDAP.
# Everything below runs as root on the directory host.
useradd  ldapuser1
# Sample password for the test account: weak, and it lands in shell history —
# replace it and clear the history entry afterwards.
echo '123456' | passwd --stdin ldapuser1
# Select entries whose uid/gid field starts with 10xx (1000–1099). The pattern
# is unanchored, so 5-digit ids such as 10000 match as well — check the output.
grep ":10[0-9][0-9]" /etc/passwd > /root/users
grep ":10[0-9][0-9]" /etc/group > /root/groups
 
# migrationtools turn the extracts into LDIF. Run as root, the passwd script can
# pull password hashes from /etc/shadow into users.ldif, so treat that file as a
# secret and delete it after the import.
/usr/share/migrationtools/migrate_passwd.pl /root/users > /root/users.ldif

/usr/share/migrationtools/migrate_group.pl /root/groups > /root/groups.ldif

# Simple bind as the root DN with the password on the command line (-w): it is
# visible in `ps` and shell history. Prefer -W (interactive prompt) or -y <file>.
ldapadd -x -w "han123456" -D "cn=Manager,dc=freehan,dc=ink" -f /root/users.ldif
ldapadd -x -w "han123456" -D "cn=Manager,dc=freehan,dc=ink" -f /root/groups.ldif
# Anonymous search over loopback to verify the import (plain ldap:// is fine on
# 127.0.0.1; it would not be for a remote directory).
ldapsearch -x -b "dc=freehan,dc=ink" -H ldap://127.0.0.1
# Create a local test account and migrate local users/groups into OpenLDAP.
# Everything below runs as root on the directory host.
useradd  ldapuser1
# Sample password for the test account: weak, and it lands in shell history —
# replace it and clear the history entry afterwards.
echo '123456' | passwd --stdin ldapuser1
# Select entries whose uid/gid field starts with 10xx (1000–1099). The pattern
# is unanchored, so 5-digit ids such as 10000 match as well — check the output.
grep ":10[0-9][0-9]" /etc/passwd > /root/users
grep ":10[0-9][0-9]" /etc/group > /root/groups
 
# migrationtools turn the extracts into LDIF. Run as root, the passwd script can
# pull password hashes from /etc/shadow into users.ldif, so treat that file as a
# secret and delete it after the import.
/usr/share/migrationtools/migrate_passwd.pl /root/users > /root/users.ldif

/usr/share/migrationtools/migrate_group.pl /root/groups > /root/groups.ldif

# Simple bind as the root DN with the password on the command line (-w): it is
# visible in `ps` and shell history. Prefer -W (interactive prompt) or -y <file>.
ldapadd -x -w "han123456" -D "cn=Manager,dc=freehan,dc=ink" -f /root/users.ldif
ldapadd -x -w "han123456" -D "cn=Manager,dc=freehan,dc=ink" -f /root/groups.ldif
# Anonymous search over loopback to verify the import (plain ldap:// is fine on
# 127.0.0.1; it would not be for a remote directory).
ldapsearch -x -b "dc=freehan,dc=ink" -H ldap://127.0.0.1

3.pam配置

cat /etc/pam.d/openvpn

# /etc/pam.d/openvpn — the PAM service named on the openvpn-plugin-auth-pam
# line of the server config. Two factors arrive in one password field: the
# Google Authenticator module consumes the trailing one-time code and forwards
# the remainder to pam_ldap.
#
# secret=…/${USER}: one secret file per VPN user.  user=gauth: the module
# switches to this account to read them, so the directory and files must be
# owned by gauth and readable only by it (the module is strict about mode and
# ownership).  forward_pass: strip the OTP and hand the rest of the password to
# the next module.  `required` (not requisite) keeps evaluating after a bad
# code, so the failure does not reveal which factor was wrong.
auth required /usr/lib64/security/pam_google_authenticator.so secret=/etc/openvpn/google-authenticator/${USER} user=gauth forward_pass
# use_first_pass: bind to LDAP with the forwarded password, no second prompt.
# `debug` makes pam_ldap log verbosely about the bind to syslog — remove it
# once the setup works.
auth	required	pam_ldap.so use_first_pass debug
# Account-stage checks are delegated to LDAP as well.
account	required	pam_ldap.so
cat /etc/pam.d/openvpn

# /etc/pam.d/openvpn — the PAM service named on the openvpn-plugin-auth-pam
# line of the server config. Two factors arrive in one password field: the
# Google Authenticator module consumes the trailing one-time code and forwards
# the remainder to pam_ldap.
#
# secret=…/${USER}: one secret file per VPN user.  user=gauth: the module
# switches to this account to read them, so the directory and files must be
# owned by gauth and readable only by it (the module is strict about mode and
# ownership).  forward_pass: strip the OTP and hand the rest of the password to
# the next module.  `required` (not requisite) keeps evaluating after a bad
# code, so the failure does not reveal which factor was wrong.
auth required /usr/lib64/security/pam_google_authenticator.so secret=/etc/openvpn/google-authenticator/${USER} user=gauth forward_pass
# use_first_pass: bind to LDAP with the forwarded password, no second prompt.
# `debug` makes pam_ldap log verbosely about the bind to syslog — remove it
# once the setup works.
auth	required	pam_ldap.so use_first_pass debug
# Account-stage checks are delegated to LDAP as well.
account	required	pam_ldap.so
  • secret:指定了google auth模块读取的文件
  • auth:代表需要认证的事务,这里包括了google_auth和ldap
  • account:指定账户类型,这里是ldap账户,也可以是pam_unix.so(代表需要本地建立该账户)

4.配置openvpn 连接ldap

配置OpenVPN连接的LDAP配置,pam_ldap模块使用的是nslcd的配置,只需要配置/etc/nslcd.conf文件即可

# On CentOS/RHEL 7 this resolves to nss-pam-ldapd, which ships both pam_ldap.so
# and the nslcd daemon that reads /etc/nslcd.conf below.
yum install pam_ldap
# On CentOS/RHEL 7 this resolves to nss-pam-ldapd, which ships both pam_ldap.so
# and the nslcd daemon that reads /etc/nslcd.conf below.
yum install pam_ldap
# /etc/nslcd.conf — the directory connection pam_ldap uses via nslcd. It
# contains a bind password, so keep it root-owned and mode 0600.
uid nslcd
gid ldap
# Loopback: plain ldap:// never leaves the host here. For a remote directory
# use ldaps:// (or `ssl start_tls`), otherwise bindpw and every user password
# checked at login cross the network in clear. The FreeIPA variant further down
# (ldap://ipa.freehan.ink:389, binding as uid=admin) has exactly that exposure.
uri ldap://127.0.0.1/
# NOTE(review): suffix, bind DN and password here (dc=com / han123) differ from
# the ones used by ldapadd/ldapsearch earlier in the article (dc=ink /
# han123456); they must match the actual directory.
base dc=freehan,dc=com
# cn=Manager is the directory root DN; looking up and authenticating users only
# needs a read-only service account — bind with the least-privileged DN that
# works.
binddn cn=Manager,dc=freehan,dc=com
bindpw han123
# /etc/nslcd.conf — the directory connection pam_ldap uses via nslcd. It
# contains a bind password, so keep it root-owned and mode 0600.
uid nslcd
gid ldap
# Loopback: plain ldap:// never leaves the host here. For a remote directory
# use ldaps:// (or `ssl start_tls`), otherwise bindpw and every user password
# checked at login cross the network in clear. The FreeIPA variant further down
# (ldap://ipa.freehan.ink:389, binding as uid=admin) has exactly that exposure.
uri ldap://127.0.0.1/
# NOTE(review): suffix, bind DN and password here (dc=com / han123) differ from
# the ones used by ldapadd/ldapsearch earlier in the article (dc=ink /
# han123456); they must match the actual directory.
base dc=freehan,dc=com
# cn=Manager is the directory root DN; looking up and authenticating users only
# needs a read-only service account — bind with the least-privileged DN that
# works.
binddn cn=Manager,dc=freehan,dc=com
bindpw han123
  • 配置freeipaLDAP
[root@ipa server]# grep -Ev "#|^$" /etc/nslcd.conf
uid nslcd
gid ldap
uri ldap://ipa.freehan.ink:389
base dc=freehan,dc=ink
binddn uid=admin,cn=users,cn=accounts,dc=freehan,dc=ink
bindpw han123456
[root@ipa server]# grep -Ev "#|^$" /etc/nslcd.conf
uid nslcd
gid ldap
uri ldap://ipa.freehan.ink:389
base dc=freehan,dc=ink
binddn uid=admin,cn=users,cn=accounts,dc=freehan,dc=ink
bindpw han123456
  • 获取binddn地址
$ ldapsearch -x uid=admin
#或者
$ ldapsearch -x -h ipa.freehan.ink  -b dc=freehan,dc=ink uid=admin

# extended LDIF
#
# LDAPv3
# base <dc=freehan,dc=ink> with scope subtree
# filter: uid=admin
# requesting: ALL
#

# admin, users, compat, freehan.ink
dn: uid=admin,cn=users,cn=compat,dc=freehan,dc=ink
objectClass: posixAccount
objectClass: ipaOverrideTarget
objectClass: top
gecos: Administrator
cn: Administrator
uidNumber: 428200000
gidNumber: 428200000
loginShell: /bin/bash
homeDirectory: /home/admin
ipaAnchorUUID:: OklQQTpmcmVlaGFuLmluazo3NTc1Y2JiNC00ZGJkLTExZWMtOWFkNi0wMDE2M2
 UxNTBlYTg=
uid: admin

# admin, users, accounts, freehan.ink
dn: uid=admin,cn=users,cn=accounts,dc=freehan,dc=ink
objectClass: top
objectClass: person
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: inetuser
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
uid: admin
cn: Administrator
sn: Administrator
uidNumber: 428200000
gidNumber: 428200000
homeDirectory: /home/admin
loginShell: /bin/bash
gecos: Administrator

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
$ ldapsearch -x uid=admin
#或者
$ ldapsearch -x -h ipa.freehan.ink  -b dc=freehan,dc=ink uid=admin

# extended LDIF
#
# LDAPv3
# base <dc=freehan,dc=ink> with scope subtree
# filter: uid=admin
# requesting: ALL
#

# admin, users, compat, freehan.ink
dn: uid=admin,cn=users,cn=compat,dc=freehan,dc=ink
objectClass: posixAccount
objectClass: ipaOverrideTarget
objectClass: top
gecos: Administrator
cn: Administrator
uidNumber: 428200000
gidNumber: 428200000
loginShell: /bin/bash
homeDirectory: /home/admin
ipaAnchorUUID:: OklQQTpmcmVlaGFuLmluazo3NTc1Y2JiNC00ZGJkLTExZWMtOWFkNi0wMDE2M2
 UxNTBlYTg=
uid: admin

# admin, users, accounts, freehan.ink
dn: uid=admin,cn=users,cn=accounts,dc=freehan,dc=ink
objectClass: top
objectClass: person
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: inetuser
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
uid: admin
cn: Administrator
sn: Administrator
uidNumber: 428200000
gidNumber: 428200000
homeDirectory: /home/admin
loginShell: /bin/bash
gecos: Administrator

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
  • 重启服务

# Pick up the new /etc/nslcd.conf.
systemctl restart nslcd.service

# Only relevant when OpenLDAP (slapd) runs on this host; with the FreeIPA
# directory there is nothing local to restart.
systemctl restart slapd

# Template instance `server` runs /etc/openvpn/server/server.conf with that
# directory as working directory — which is where the relative ca/cert/key/
# crl paths in the server config resolve. Restarting reloads the PAM plugin.
systemctl restart openvpn-server@server.service

5.配置google验证

参考google验证

6.自动创建家目录

# LDAP users have no local home directory; create it on first login.
dnf install oddjob-mkhomedir
# This appends unconditionally: a second run duplicates the line, and on
# authselect-managed systems (RHEL 8+/Fedora — the dnf-based platforms) edits
# to system-auth are overwritten on the next profile update, so
# `authselect enable-feature with-mkhomedir` is the supported way.
# umask=0022 yields world-readable homes (0755); umask=0077 keeps them private.
echo "session optional pam_oddjob_mkhomedir.so skel=/etc/skel/ umask=0022" >> /etc/pam.d/system-auth
 
# oddjobd performs the privileged mkdir on the PAM module's behalf.
systemctl restart oddjobd

#切换用户
[root@idm openvpn]# su - jmumr
Creating home directory for jmumr.

[jmumr@idm ~]$ ls
[jmumr@idm ~]$ logout
# LDAP users have no local home directory; create it on first login.
dnf install oddjob-mkhomedir
# This appends unconditionally: a second run duplicates the line, and on
# authselect-managed systems (RHEL 8+/Fedora — the dnf-based platforms) edits
# to system-auth are overwritten on the next profile update, so
# `authselect enable-feature with-mkhomedir` is the supported way.
# umask=0022 yields world-readable homes (0755); umask=0077 keeps them private.
echo "session optional pam_oddjob_mkhomedir.so skel=/etc/skel/ umask=0022" >> /etc/pam.d/system-auth
 
# oddjobd performs the privileged mkdir on the PAM module's behalf.
systemctl restart oddjobd

#切换用户
[root@idm openvpn]# su - jmumr
Creating home directory for jmumr.

[jmumr@idm ~]$ ls
[jmumr@idm ~]$ logout