HPC搭建手册（二）

集群用户权限控制

（一）OpenLdap 服务端安装与配置

1. 安装OpenLdap服务端(管理节点)

   yum -y install openldap openldap-servers openldap-clients migrationtools
   

2. OpenLdap 服务初始化

   sed -i -e 's/olcSuffix:.*/olcSuffix: dc=example,dc=edu/g' /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}hdb.ldif
   
   sed -i -e 's/olcRootDN:.*/olcRootDN: cn=admin,dc=example,dc=edu/g' /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}hdb.ldif
   
   echo 'olcRootPw: PASSWORD@EDU' >> /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}hdb.ldif
   
   sed -i -e 's/dn.base="cn=.*"/dn.base="cn=admin,dc=example,dc=edu"/g' /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}monitor.ldif
   
   cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
   chown -R ldap.ldap /var/lib/ldap
   
   LDAP 超级管理员为 cn=admin,dc=example,dc=edu 密码为：PASSWORD@EDU
   
   systemctl restart slapd
   systemctl enable slapd
   
   cd /etc/openldap/schema/
   find . -name '*.ldif' -exec ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f {} \;
   
   cd /usr/share/migrationtools/
   sed -i -e 's/"ou=Group"/"ou=Groups"/g' migrate_common.ph
   
   sed -i -e 's/$DEFAULT_MAIL_DOMAIN = .*/$DEFAULT_MAIL_DOMAIN = "example.edu.cn";/g' migrate_common.ph
   
   sed -i -e 's/$DEFAULT_BASE = .*/$DEFAULT_BASE = "dc=example,dc=edu";/g' migrate_common.ph
   
   sed -i -e 's/$EXTENDED_SCHEMA = 0;/$EXTENDED_SCHEMA = 1;/g' migrate_common.ph 
   
   ./migrate_base.pl > /root/base.ldif
   ldapadd -x -w PASSWORD@EDU -D "cn=admin,dc=example,dc=edu" -f /root/base.ldif
   

3. 生成系统用户、用户组 ldif

   tail -n 5 /etc/passwd > system
   tail -n 10 /etc/group > group
   /usr/share/migrationtools/migrate_passwd.pl system people.ldif
   /usr/share/migrationtools/migrate_group.pl group group.ldif
   ldapadd -x -w PASSWORD@EDU -D "cn=admin,dc=example,dc=edu" -f /root/people.ldif
   ldapadd -x -w PASSWORD@EDU -D "cn=admin,dc=example,dc=edu" -f /root/group.ldif
   

4. 添加密码策略模块

   vim addmodule.ldif
   dn: cn=module,cn=config
   cn: module
   objectClass: olcModuleList
   olcModulePath: /usr/lib64/openldap
   olcModuleLoad: ppolicy.la
   
   ldapadd -Y EXTERNAL -Q -H ldapi:/// -f addmodule.ldif
   

5. 添加访问权限

   vim addAccess.ldif
   dn: olcDatabase={2}hdb,cn=config
   changetype: modify
   replace: olcAccess
   olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by dn="cn=default,ou=pwpolicies,dc=example,dc=edu" write by anonymous auth by * read
   olcAccess: {1}to * by self write by dn="cn=default,ou=pwpolicies,dc=example,dc=edu" write by * read
   
   ldapadd -Y EXTERNAL -Q -H ldapi:/// -f addAccess.ldif
   

6. 添加策略重写

   vim overlay.ldif
   dn: olcOverlay=ppolicy,olcDatabase={2}hdb,cn=config
   objectClass: olcPPolicyConfig
   olcOverlay: ppolicy
   olcPPolicyDefault: cn=default,ou=policy,dc=example,dc=edu
   olcPPolicyHashCleartext: True
   olcPPolicyUseLockout: True
   olcPPolicyForwardUpdates: FALSE
   structuralobjectClass: olcPPolicyConfig
   creatorsName: cn=config
   
   ldapadd -Y EXTERNAL -Q -H ldapi:/// -f overlay.ldif
   

7. 配置SSL

   cd /etc/openldap/cacerts
   #生成证书
   创建CA
   openssl genrsa -out private/cakey.pem 2048
   chmod 600 private/cakey.pem
   openssl req -new -x509  -days 36500 -key private/cakey.pem -out cacert.pem
   cp /etc/pki/tls/openssl.cnf ./
   touch index.txt
   echo "01" > serial
   
   生成服务器私钥
   openssl genrsa -out ldapserverkey.pem 2048
   生成请求文件
   openssl req -new -key ldapserverkey.pem -out ldapserver.csr
   
   vim openssl.cnf
   修改第42行, 目录修改为当前目录
   
   签署证书
   openssl ca -days 36500 -cert cacert.pem -keyfile cakey.pem -in ldapserver.csr -out ldapserver.crt -config openssl.cnf
   
   mkdir /etc/openldap/certs
   
   cp ldapserver.crt ldapserverkey.pem /etc/openldap/certs/
   
   #OpenLdap配置证书
   vim ~/certs.ldif
   dn: cn=config
   changetype: modify
   add: olcTLSCertificateFile
   olcTLSCertificateKeyFile: /etc/openldap/certs/ldapserver.crt
   
   dn: cn=config
   changetype: modify
   add: olcTLSCACertificateFile
   olcTLSCACertificateFile: /etc/openldap/cacerts/cacert.pem
   
   dn: cn=config
   changetype: modify
   add: olcTLSCertificateKeyFile
   olcTLSCertificateKeyFile: /etc/openldap/certs/ldapserverkey.pem
   
   ldapmodify -Y EXTERNAL  -H ldapi:/// -f certs.ldif
   
   vim /etc/sysconfig/slapd
   SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"
   
   重启slapd 服务
   systemctl restart slapd
   

8. 添加密码策略

   vim ppolicyadd.ldif
   
   dn: cn=default,ou=ppolicy,dc=example,dc=edu
   cn: default
   objectClass: pwdPolicy
   objectClass: person
   pwdAllowUserChange: TRUE
   pwdAttribute: userPassword
   pwdExpireWarning: 259200
   pwdFailureCountInterval: 0
   pwdGraceAuthNLimit: 5
   pwdInHistory: 5
   pwdLockout: TRUE
   pwdLockoutDuration: 300 
   pwdMaxAge: 2592000
   pwdMaxFailure: 5
   pwdMinAge: 0
   pwdMinLength: 8
   pwdMustChange: TRUE
   sn: summy value
   
   ldapadd -x -D "cn=admin,dc=example,dc=edu" -w PASSWD@EDU -f ppolicyadd.ldif
   

（二）OpenLdap 客户端部分配置

1. 安装相关组件

   yum install sssd

2. 配置名称服务交换机

   vim /etc/nsswitch.conf
   # looked up first in the databases
   #
   # Example:
   #passwd:    db files nisplus nis
   #shadow:    db files nisplus nis
   #group:     db files nisplus nis
   
   passwd:     files sss        # 修改这
   shadow:     files sss        # 修改这
   group:      files sss        # 修改这
   #initgroups: files sss
   
   #hosts:     db files nisplus nis dns
   hosts:      files dns myhostname
   
   # Example - obey only what nisplus tells us...
   #services:   nisplus [NOTFOUND=return] files
   #networks:   nisplus [NOTFOUND=return] files
   #protocols:  nisplus [NOTFOUND=return] files
   #rpc:        nisplus [NOTFOUND=return] files
   #ethers:     nisplus [NOTFOUND=return] files
   #netmasks:   nisplus [NOTFOUND=return] files
   
   bootparams: nisplus [NOTFOUND=return] files
   
   ethers:     files
   netmasks:   files
   networks:   files
   protocols:  files
   rpc:        files
   services:   files sss
   
   netgroup:   files sss        # 修改这
   
   publickey:  nisplus
   
   automount:  files sss        # 修改这
   aliases:    files nisplus
   

3. 配置PAM

   authconfig --enablesssdauth --update

4. 配置SSSD服务

   配置参考：

   vim /etc/sssd/sssd.conf（如果没有就新建）
   [domain/default]
   autofs_provider = ldap
   cache_credentials = True
   ldap_search_base = dc=example,dc=edu
   id_provider = ldap
   auth_provider = ldap
   chpass_provider = ldap
   ldap_uri = ldaps://192.168.101.1:636
   ldap_chpass_uri= ldaps://192.168.101.1:636
   ldap_id_use_start_tls = True
   ldap_tls_cacertdir = /etc/openldap/cacerts
   ldap_schema = rfc2307bis
   ldap_default_bind_dn= cn=admin,dc=example,dc=edu
   ldap_default_authtok= PASSWD@EDU
   ldap_tls_reqcert= allow
   access_provider = ldap
   ldap_pwd_policy = shadow
   ldap_access_order = pwd_expire_policy_renew
   ldap_account_expire_policy= shadow
   ldap_chpass_update_last_change = True
   [sssd]
   services = nss, pam, autofs
   config_file_version = 2
   domains = default
   [nss]
   homedir_substring = /rhome/
   [pam]
   reconnection_retries = 3
   offline_credentials_expiration = 2
   offline_failed_login_attempts = 3
   offline_failed_login_delay = 5
   

5. 启动SSSD 服务并测试

   systemctl start sssd
   systemctl enable sssd
   
   使用LDAP Admin 连接Ldap，在LDAP中新建用户，新建完毕后，若在终端中执行如下命令：
   id [用户名] 
   可以获得UID以及用户组，则表示成功。
   
   注意：
   当在LDAP中设置用户 shadowLastChange 为0时，则强制用户登录时修改密码。
   

（三） 限制用户访问无计算任务的节点

1. 确认相关so文件存在

find / -name pam_slurm_adopt.so 若存在文件，且位置在/usr/lib64/security/,则继续

2. 编辑/etc/pam.d/sshd

在如下位置，添加内容。

auth include password-auth
#newadd-start
account sufficient pam_listfile.so item=user sense=allow file=/etc/ssh/allowed_users onerr=fail
account required pam_slurm_adopt.so
#newadd-end
account required pam_nologin.so

3. 新建 /etc/ssh/allowed_users 白名单

编辑sshd用户白名单文件。在步骤3完成后，所有用户（root除外）在没有作业运行的情况下是不能ssh登陆计算节点的。如果想对某些用户进行进行排除（即不受pam配置限制），可以在/etc/ssh/allowed_users中添加。

vim /etc/ssh/allowed_users
root
youruser

chmod 600 /etc/ssh/allowed_users

4. 修改其他Pam配置

   在 system-auth、passowrd-auth 中注释掉以下内容
   
   account sufficient pam_localuser.so
   -session optional pam_systemd.so
   

5. 确保SSH 使用了PAM

   cat /etc/ssh/sshd_config | grep UsePAM 结果应为 UsePAM yes