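# Transcript: load the dynlist overlay and the ldapns schema into OpenLDAP's
# cn=config over ldapi:///, publish sudoers rules as sudoRole entries and POSIX
# groups, then point a CentOS/RHEL client at the directory for NSS/PAM and sudo.
# NOTE(review): the sudoRole entries below need the sudo schema already loaded
# in cn=config — that step is not shown here, confirm it was done.
# Heredoc delimiters are quoted ('EOF') so the shell never expands anything in
# the LDIF/config payloads (none of them use $, but it keeps them literal).

$ cat << 'EOF' | ldapmodify -c -Y EXTERNAL -Q -H ldapi:///
dn: cn=module{0},cn=config
add: olcModuleLoad
olcModuleLoad: dynlist.la
EOF

$ cat << 'EOF' | ldapadd -Y EXTERNAL -Q -H ldapi:///
dn: olcOverlay=dynlist,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcDynamicList
olcOverlay: dynlist
olcDlAttrSet: inetOrgPerson labeledURI
EOF

$ cat << 'EOF' | ldapadd -Y EXTERNAL -Q -H ldapi:///
dn: cn=ldapns,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: ldapns
olcAttributeTypes: {0}( 1.3.6.1.4.1.5322.17.2.1 NAME 'authorizedService' DESC 'IANA GSS-API authorized service name' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
olcAttributeTypes: {1}( 1.3.6.1.4.1.5322.17.2.2 NAME 'loginStatus' DESC 'Currently logged in sessions for a user' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch ORDERING caseIgnoreOrderingMatch SYNTAX OMsDirectoryString )
olcObjectClasses: {0}( 1.3.6.1.4.1.5322.17.1.1 NAME 'authorizedServiceObject' DESC 'Auxiliary object class for adding authorizedService attribute' SUP top AUXILIARY MAY authorizedService )
olcObjectClasses: {1}( 1.3.6.1.4.1.5322.17.1.2 NAME 'hostObject' DESC 'Auxiliary object class for adding host attribute' SUP top AUXILIARY MAY host )
olcObjectClasses: {2}( 1.3.6.1.4.1.5322.17.1.3 NAME 'loginStatusObject' DESC 'Auxiliary object class for login status attribute' SUP top AUXILIARY MAY loginStatus )
EOF

# The remaining ldapadd calls bind as the admin DN. -W prompts for the bind
# password instead of passing it with -w, where it would be visible in `ps`
# output and in the shell history of every host this transcript is run on.
# sudoOption !authenticate removes the password prompt from sudo; together with
# sudoCommand ALL (or /bin/bash) every member of the group gets an
# unauthenticated root shell. Drop !authenticate unless that is intended.
$ cat << 'EOF' | ldapadd -D "cn=admin,dc=ldap,dc=aliyun,dc=shileizcc,dc=com" -W -H ldap://ldap.aliyun.shileizcc.com
dn: ou=sudoers,dc=ldap,dc=aliyun,dc=shileizcc,dc=com
objectClass: top
objectClass: organizationalUnit
ou: sudoers

dn: cn=defaults,ou=sudoers,dc=ldap,dc=aliyun,dc=shileizcc,dc=com
objectClass: sudoRole
objectClass: top
cn: defaults
description: Default sudoOption's go here
sudoOption: requiretty
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset
sudoOption: env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
sudoOption: env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
sudoOption: env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
sudoOption: env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
sudoOption: env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
sudoOption: secure_path=/sbin:/bin:/usr/sbin:/usr/bin

dn: cn=%web,ou=sudoers,dc=ldap,dc=aliyun,dc=shileizcc,dc=com
objectClass: sudoRole
objectClass: top
cn: %web
sudoUser: %web
sudoHost: ALL
sudoRunAsUser: ALL
sudoOption: !authenticate
sudoCommand: /bin/bash

dn: cn=%manager,ou=sudoers,dc=ldap,dc=aliyun,dc=shileizcc,dc=com
objectClass: sudoRole
objectClass: top
cn: %manager
sudoUser: %manager
sudoHost: ALL
sudoCommand: ALL
sudoRunAsUser: ALL
sudoOption: !authenticate
EOF

# POSIX groups whose names match the %web / %manager sudoUser values above.
$ cat << 'EOF' | ldapadd -D "cn=admin,dc=ldap,dc=aliyun,dc=shileizcc,dc=com" -W -H ldap://ldap.aliyun.shileizcc.com
dn: cn=web,ou=Group,dc=ldap,dc=aliyun,dc=shileizcc,dc=com
objectClass: posixGroup
cn: web
gidNumber: 10005

dn: cn=manager,ou=Group,dc=ldap,dc=aliyun,dc=shileizcc,dc=com
objectClass: posixGroup
cn: manager
gidNumber: 10006
EOF

$ cat << 'EOF' | ldapadd -D "cn=admin,dc=ldap,dc=aliyun,dc=shileizcc,dc=com" -W -H ldap://ldap.aliyun.shileizcc.com
dn: cn=%bash,ou=sudoers,dc=ldap,dc=aliyun,dc=shileizcc,dc=com
objectClass: sudoRole
objectClass: top
cn: %bash
sudoUser: %bash
sudoHost: ALL
sudoCommand: /bin/bash
sudoRunAsUser: ALL
sudoOption: !authenticate
EOF

# Client side (CentOS/RHEL). The package is openldap-clients (plural).
$ yum install openldap-clients nss-pam-ldapd -y
# --disableldaptls means the simple binds below — and the user passwords in
# them — cross the network in the clear. Enable TLS with a CA in
# /etc/openldap/cacerts before using this outside a lab network.
$ authconfig --enableldap --enableldapauth --enablemkhomedir --enableforcelegacy --disablesssd --disablesssdauth --disableldaptls --enablelocauthorize --ldapserver=10.220.1.148 --ldapbasedn="dc=ldap,dc=aliyun,dc=shileizcc,dc=com" --enableshadow --update
$ cp /etc/nsswitch.conf /etc/nsswitch.conf.baks
$ cat >> /etc/nsswitch.conf << 'EOF'
sudoers: ldap files
EOF
$ cp /etc/sudo-ldap.conf /etc/sudo-ldap.conf.bak
$ cat >> /etc/sudo-ldap.conf << 'EOF'
SUDOERS_BASE ou=sudoers,dc=ldap,dc=aliyun,dc=shileizcc,dc=com
uri ldap://10.220.1.148
EOF
# NOTE(review): `ssl on` requests LDAP-over-SSL while the uri is plain ldap://
# and authconfig was run with --disableldaptls — confirm which transport is
# actually intended, and note that nslcd reads /etc/nslcd.conf rather than
# /etc/pam_ldap.conf, so this file only affects the legacy pam_ldap module.
$ cat >> /etc/pam_ldap.conf << 'EOF'
uri ldap://10.220.1.148
ssl on
tls_cacertdir /etc/openldap/cacerts
bind_policy soft
#pam_check_host_attr yes
EOF
$ systemctl restart nslcd

# Author's note (translated from Chinese): the gidNumber a user belongs to is
# what maps them to the corresponding privilege (sudo) group.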