Xiaopei's DokuWiki


User management

TODO:

  • usermod
  • the formats of /etc/passwd and /etc/group

LDAP

attributes

Attribute → readable name:

Readable name → attribute:

Common attributes:

Attribute                    Meaning and example
dn (distinguishedName)       uniquely identifies an entry, e.g. CN=Jay Jamieson,OU=Newport,DC=cp,DC=com
dc (domainComponent)         one label of a domain name: domain.com is stored as dc=domain,dc=com
ou (organizationalUnitName)  usually a department or any other sub-unit of a larger entity
uid (userid)                 mostly the user name, or another unique value
cn (commonName; AD also exposes it as name)  common name, e.g. CN=Guy Thomas; often built from gn (givenName) joined to sn (surname)
mail                         e-mail address, e.g. joe@smokeyjoe.com
o (organizationName)         organization name
userAccountControl           Active Directory only: bit flags describing the account; 512 = normal enabled account, 514 = 512 + 2 (ACCOUNTDISABLE), i.e. disabled

userAccountControl is a bit field, so test the ACCOUNTDISABLE bit (value & 2) rather than comparing with 514: an account that is disabled and also has DONT_EXPIRE_PASSWORD (65536) set reads 66050.
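As an added example (Python, not code from the original page), the helpers below work with the DN and filter syntax the attributes above are used in: they split a DN into its RDNs, recover the domain from the dc components, and escape an untrusted value before it goes into a search filter (RFC 4515) or a DN (RFC 4514). That escaping is the check that matters as soon as the value in a filter such as uid=* comes from user input. The DN is the one from the table; the other inputs, including the injection-style string, are constructed for the example.

```python
"""DN parsing and LDAP escaping helpers for the attribute table above.

Added example, not code from the original page. The sample DN is the one from
the table; every other input below is constructed for this example.
"""
import re


def parse_dn(dn):
    """Split 'CN=Jay Jamieson,OU=Newport,DC=cp,DC=com' into [(attr, value), ...].

    Attribute types are lower-cased. A backslash-escaped comma inside a value
    does not split the DN; the value is returned still escaped. Multi-valued
    RDNs (a=1+b=2) are not handled.
    """
    rdns = []
    for part in re.split(r'(?<!\\),', dn):
        attr, _, value = part.partition('=')
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def domain_from_dn(dn):
    """Join the dc components in order: dc=cp,dc=com -> 'cp.com'."""
    return '.'.join(value for attr, value in parse_dn(dn) if attr == 'dc')


# RFC 4515 section 3: these characters must be hex-escaped inside a filter value.
_FILTER_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}


def escape_filter_value(value):
    return ''.join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter(attr, value):
    """Return '(attr=value)' with the value escaped, so an input such as
    '*)(uid=*' stays a literal string instead of widening the search."""
    return '(%s=%s)' % (attr, escape_filter_value(value))


def escape_dn_value(value):
    """RFC 4514 section 2.4 escaping for an attribute value used inside a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == '\x00':
            out.append(r'\00')
        elif ch in '\\,+"<>;=':
            out.append('\\' + ch)
        elif (ch == '#' and i == 0) or (ch == ' ' and i in (0, last)):
            out.append('\\' + ch)          # leading '#', leading/trailing space
        else:
            out.append(ch)
    return ''.join(out)


def build_dn(rdns):
    """Compose a DN from [(attr, value), ...] with each value escaped."""
    return ','.join('%s=%s' % (attr, escape_dn_value(value)) for attr, value in rdns)


if __name__ == '__main__':
    example = 'CN=Jay Jamieson,OU=Newport,DC=cp,DC=com'
    print(parse_dn(example))
    print(domain_from_dn(example))
    print(build_filter('uid', '*)(uid=*'))                      # constructed hostile input
    print(build_dn([('uid', 'Smith, John'), ('dc', 'cp'), ('dc', 'com')]))
```

PHP has the same two operations built in since 5.6 as ldap_escape() with LDAP_ESCAPE_FILTER or LDAP_ESCAPE_DN; the script further down builds its filter from a constant, which is why it gets away without it.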

client

FIXME: the script below cannot get past the LDAP server's "Size Limit Exceeded" error. The server's sizelimit caps how many entries one search may return, and the client's sizelimit argument can only lower that cap, never raise it. The usual way around it is the paged-results control (RFC 2696): ldapsearch -E pr=500/noprompt on the command line, or in PHP ldap_control_paged_result() (5.4 to 7.4) and, from 7.3 on, the controls argument of ldap_search(). Whether paging actually gets around the limit depends on the server: Active Directory applies MaxPageSize per page, while OpenLDAP can still cap the paged total (the size.prtotal limit) unless the administrator raises it for the bind DN.

ldap.list
<?php
// Export user information via LDAP (xiaopei.li@2012-11-27)
// Reference: http://www.php.net/manual/en/ldap.examples-basic.php
// Usage: php ldap.list [output.csv]   (without a file name the entries are printed)

$server = "111.111.111.111";
$dn     = "uid=foo,ou=people,dc=bar,dc=com";
$pass   = "password";   // hard-coded bind password: keep this file out of the wiki and
                        // out of version control, or read it with getenv() instead

$list_basedn = "ou=people,dc=bar,dc=com"; // the people subtree
$list_filter = "uid=*";                   // every entry under people that has a uid
$list_attrs  = array("uid");              // fetch only uid

$output_file = isset($argv[1]) ? $argv[1] : null;


echo "LDAP list and export\n";

echo "Connecting ...";
$ds = ldap_connect($server);   // only prepares the handle; the TCP connection is made at bind time
echo "connect result is " . $ds . "\n";

if ($ds) {

    // Most servers reject LDAPv2 binds; ask for protocol version 3.
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    // A simple bind over plain ldap:// sends $pass in clear text: use an ldaps://
    // URL in $server or call ldap_start_tls($ds) here before binding on a real network.

    echo "Binding $dn ...";
    $r = ldap_bind($ds, $dn, $pass);
    echo "Bind result is " . $r . "\n";
    if (!$r) {
        echo "Bind failed: " . ldap_error($ds) . "\n";
        ldap_close($ds);
        exit(1);
    }

    echo "Listing people ...";
    // ldap_list searches one level below $list_basedn (LDAP_SCOPE_ONELEVEL).
    // sizelimit = 0 means the client imposes no limit of its own, but this can NOT
    // override the server-side sizelimit; it can only set a lower one.
    $lr = ldap_list($ds, $list_basedn, $list_filter, $list_attrs, 0, 0);
    echo "List result is " . $lr . "\n";
    if (!$lr) {
        echo "Search failed: " . ldap_error($ds) . "\n";
        ldap_close($ds);
        exit(1);
    }

    echo "Number of entries returned is " . ldap_count_entries($ds, $lr) . "\n";

    echo "Getting entries ...\n";
    $info = ldap_get_entries($ds, $lr);
    echo "Data for " . $info["count"] . " items returned:\n";

    if ($output_file) {
        $handle = fopen($output_file, 'w');
        if (!$handle) {
            echo "Cannot open $output_file\n";
            echo "Closing connection\n";
            ldap_close($ds);
            exit(1);   // the original fell through here and kept running with no file
        }

        $func_print = function($i, $info) use ($handle) {
            // every attribute comes back as an array: ["count" => n, 0 => first value, ...]
            // fputcsv quotes and escapes fields, so a DN containing '"' cannot break the CSV
            fputcsv($handle, array(
                $i + 1,
                $info["dn"],
                $info["uid"][0],
                // $info["cn"][0],
                // $info["mail"][0],
            ));
        };
    }
    else {
        $func_print = function($i, $info) {
            echo ($i + 1) . "\n";

            echo "dn is: " . $info["dn"] . "\n";

            // every attribute comes back as an array
            echo "first uid is: " . $info["uid"][0] . "\n";
            /*
              echo "first cn entry is: " . $info["cn"][0] . "\n";
              echo "first email entry is: " . $info["mail"][0] . "\n";
            */
        };
    }


    for ($i = 0; $i < $info["count"]; $i++) {
        $func_print($i, $info[$i]);
    }


    if (isset($handle) && $handle) {
        fclose($handle);
    }

    echo "Closing connection\n";
    ldap_close($ds);

} else {
    echo "Unable to connect to LDAP server\n";
}
?>

server

/etc/passwd

xp:x:1000:1000:xp,,,:/home/xp:/bin/bash
  1. login name
  2. password field: x means the hash is kept in /etc/shadow; an empty field means the account has no password at all (flag it in an audit)
  3. numerical user ID (UID); uid 0 is root, and any other entry with uid 0 is root as well
  4. numerical group ID of the user's primary group (GID)
  5. GECOS field: full name or comment; the commas separate full name, room, work phone and home phone, which is why xp,,, appears above
  6. home directory
  7. login shell; /usr/sbin/nologin or /bin/false for accounts that must not log in interactively

/etc/group

cdrom:x:24:vivek,student13,raj
_____ _  _      _____
|    |  |        |
|    |  |        |
1    2  3        4
  1. group_name: the name of the group; ls -l prints it in the group column.
  2. Password: normally unused, so the field is empty or x (hash kept in /etc/gshadow). An encrypted password here lets users who are not members switch into the group with newgrp, which is how privileged groups were once implemented.
  3. Group ID (GID): every user must have a primary GID; it appears as field 4 of /etc/passwd.
  4. Group list: comma-separated login names of the group's supplementary members. Users whose primary GID (in /etc/passwd) is this group are members too but are not listed here.

id

print real and effective user and group IDs

$ id root 
uid=0(root) gid=0(root) groups=0(root)
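Added example (Python, not code from the original page) that parses the two formats just described, reproduces the line `id` prints for a user, and flags what an audit looks for first: a second uid 0 account, an empty password field, a primary GID with no group entry, and group members that do not exist in /etc/passwd. The file contents are constructed for the example; the xp and cdrom lines are the page's own, and the backdoor and nopass entries are deliberately bad so the audit has something to report. The group order assumed for the `groups=` part is primary group first, then supplementary groups in /etc/group order.

```python
"""Parse /etc/passwd and /etc/group, rebuild `id` output, and audit the entries.

Added example, not code from the original page. SAMPLE_PASSWD and SAMPLE_GROUP
are constructed: the xp and cdrom lines come from the page, the backdoor and
nopass entries are deliberately wrong.
"""
from collections import namedtuple

PasswdEntry = namedtuple('PasswdEntry', 'name passwd uid gid gecos home shell')
GroupEntry = namedtuple('GroupEntry', 'name passwd gid members')

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
xp:x:1000:1000:xp,,,:/home/xp:/bin/bash
vivek:x:1001:1001::/home/vivek:/bin/bash
backdoor:x:0:0::/root:/bin/bash
nopass::1002:9999::/home/nopass:/bin/sh
"""

SAMPLE_GROUP = """\
root:x:0:
daemon:x:1:
cdrom:x:24:vivek,student13,raj
sudo:x:27:xp
xp:x:1000:
vivek:x:1001:
"""


def parse_passwd(text):
    """Seven colon-separated fields per line; anything else is malformed."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith('#'):
            continue
        f = line.split(':')
        if len(f) != 7:
            raise ValueError('malformed passwd line: %r' % line)
        entries.append(PasswdEntry(f[0], f[1], int(f[2]), int(f[3]), f[4], f[5], f[6]))
    return entries


def parse_group(text):
    """Four colon-separated fields; the member list (field 4) may be empty."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith('#'):
            continue
        f = line.split(':')
        if len(f) != 4:
            raise ValueError('malformed group line: %r' % line)
        members = [m for m in f[3].split(',') if m]
        entries.append(GroupEntry(f[0], f[1], int(f[2]), members))
    return entries


def id_line(user, passwd, groups):
    """Return the same line `id user` prints: uid, primary gid, then all groups.

    Primary group first (taken from /etc/passwd, so it need not be listed in
    the group's member field), then supplementary groups in /etc/group order.
    """
    pw = next(e for e in passwd if e.name == user)
    by_gid = {g.gid: g.name for g in groups}
    gids = [pw.gid] + [g.gid for g in groups if user in g.members and g.gid != pw.gid]
    names = ','.join('%d(%s)' % (gid, by_gid.get(gid, '')) for gid in gids)
    return 'uid=%d(%s) gid=%d(%s) groups=%s' % (pw.uid, pw.name, pw.gid, by_gid.get(pw.gid, ''), names)


def audit(passwd, groups):
    """Return a list of findings, one short string each."""
    findings = []
    known_gids = {g.gid for g in groups}
    for e in passwd:
        if e.uid == 0 and e.name != 'root':
            findings.append('uid 0 account other than root: %s' % e.name)
        if e.passwd == '':
            findings.append('empty password field (no password needed): %s' % e.name)
        if e.gid not in known_gids:
            findings.append('primary gid %d of %s has no /etc/group entry' % (e.gid, e.name))
    names = {e.name for e in passwd}
    for g in groups:
        for m in g.members:
            if m not in names:
                findings.append('group %s lists unknown user %s' % (g.name, m))
    return findings


if __name__ == '__main__':
    pw, gr = parse_passwd(SAMPLE_PASSWD), parse_group(SAMPLE_GROUP)
    for user in ('root', 'xp', 'vivek'):
        print(id_line(user, pw, gr))
    for finding in audit(pw, gr):
        print('FINDING:', finding)
```

To run it against a live box, replace the two constants with open('/etc/passwd').read() and open('/etc/group').read(); the audit then reports stale group members left behind by userdel, which does not edit /etc/group entries of other groups on every distribution.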

visudo

  • First field: who may use sudo (a user name, a %group, or a User_Alias);
  • Second field: the ALL before the = is the host(s) the rule applies to; the ALL in parentheses is the target user(s) the command may be run as;
  • Third field: the commands that may be run (ALL = any command).

Edits made with visudo take effect only after you quit the editor: visudo checks the syntax and installs the file on exit (visudo -c checks an existing file without editing it).

## user aliases
User_Alias ADMIN=root, toksea
## sudo privileges
# Allow ADMIN to run any command anywhere without a sudo password
ADMIN	ALL=(ALL)	NOPASSWD: ALL
# user test may, from any host, run /usr/sbin/useradd as root
# (root-equivalent in practice: useradd -o -u 0 -p HASH name creates a second uid 0 account)
test	ALL=(root)	/usr/sbin/useradd
# a leading % means the name is a group
%sudo	ALL=(ALL)	NOPASSWD: ALL
# allow a group to run a few commands via sudo without a password
%dev	ALL=(root) NOPASSWD: /bin/pwd,/usr/bin/pmap
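Added example (Python, not code from the original page and not sudo's own parser): it reads the rules shown above and answers, for a user, the groups they belong to, a target user and a command, whether sudo would allow the command and whether it would ask for a password. It handles only what these rules use: User_Alias, %group, (runas), the NOPASSWD: tag and comma-separated command paths. Commands must match exactly (no wildcards, arguments, Host_Alias or Cmnd_Alias), the host column is assumed to be ALL, and, as in sudo, when several rules match the last one decides.

```python
"""Evaluate the sudoers rules from the page for a (user, groups, target, command).

Added example, not code from the original page and not sudo's parser. SUDOERS
reproduces the page's rules; user names such as alice are constructed.
"""
SUDOERS = """\
## user aliases
User_Alias ADMIN=root, toksea
# Allow ADMIN to run any command anywhere without a sudo password
ADMIN   ALL=(ALL)       NOPASSWD: ALL
# user test may run /usr/sbin/useradd as root from any host
test    ALL=(root)      /usr/sbin/useradd
# a leading % means the name is a group
%sudo   ALL=(ALL)       NOPASSWD: ALL
# allow a group to run a few commands via sudo without a password
%dev    ALL=(root) NOPASSWD: /bin/pwd,/usr/bin/pmap
"""


def parse_sudoers(text):
    """Return (aliases, rules): aliases maps User_Alias name -> [users],
    rules is a list of dicts with who / runas / nopasswd / cmds."""
    aliases, rules = {}, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()          # drop comments, '##' included
        if not line:
            continue
        if line.startswith('User_Alias'):
            name, _, members = line[len('User_Alias'):].partition('=')
            aliases[name.strip()] = [m.strip() for m in members.split(',')]
            continue
        who, spec = line.split(None, 1)
        _host, _, spec = spec.partition('=')          # host column assumed ALL
        spec = spec.strip()
        runas = 'root'                                # sudo's default target user
        if spec.startswith('('):
            runas, _, spec = spec[1:].partition(')')
            runas, spec = runas.strip(), spec.strip()
        nopasswd = spec.startswith('NOPASSWD:')
        if nopasswd:
            spec = spec[len('NOPASSWD:'):].strip()
        cmds = [c.strip() for c in spec.split(',')]
        rules.append({'who': who, 'runas': runas, 'nopasswd': nopasswd, 'cmds': cmds})
    return aliases, rules


def _user_matches(who, user, groups, aliases):
    if who == 'ALL':
        return True
    if who.startswith('%'):                           # %name is a group
        return who[1:] in groups
    if who in aliases:                                # User_Alias
        return user in aliases[who]
    return who == user


def check(aliases, rules, user, groups, target, command):
    """Return (allowed, needs_password). Rules are applied in order and the
    last matching rule decides, which is sudo's documented behaviour."""
    decision = (False, True)
    for r in rules:
        if not _user_matches(r['who'], user, groups, aliases):
            continue
        if r['runas'] != 'ALL' and target != r['runas']:
            continue
        if 'ALL' not in r['cmds'] and command not in r['cmds']:
            continue
        decision = (True, not r['nopasswd'])
    return decision


if __name__ == '__main__':
    aliases, rules = parse_sudoers(SUDOERS)
    # constructed users: alice is in group dev, xp is in group sudo (see /etc/group above)
    for args in (('toksea', [], 'root', '/bin/bash'),
                 ('test', ['test'], 'root', '/usr/sbin/useradd'),
                 ('test', ['test'], 'root', '/bin/bash'),
                 ('alice', ['dev'], 'root', '/bin/pwd'),
                 ('xp', ['xp', 'sudo'], 'root', '/bin/sh')):
        print(args, '->', check(aliases, rules, *args))
```

The point the two NOPASSWD: ALL lines make when run through this check: any member of the sudo group gets a passwordless root shell, so membership of that group is worth auditing with the /etc/group parser above as much as the sudoers file itself.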

References

Example

Ubuntu: adding a system account

$ sudo useradd -r -s /bin/false USERNAME

-r creates a system account (UID from the system range, no home directory created); -s /bin/false, or /usr/sbin/nologin, makes sure nobody can log in interactively as it.

用户及群组的添加

Example taken from: 鸟哥的 Linux 私房菜 -- Linux account management

We want to manage this server's accounts in two classes: mail-only accounts and accounts that may log in to the system. A mail-only account gets mail as its initial (primary) group and must not be able to log in with bash or any other shell. A login account is added to the supplementary group youcan.

  1. First check whether the two groups exist:
    [root@www ~]# grep mail /etc/group
    [root@www ~]# grep youcan /etc/group
    [root@www ~]# groupadd youcan
  2. youcan does not exist yet, so we create it ourselves, as shown above.
  3. Create the three mail accounts pop1, pop2 and pop3, each with a password equal to its account name (acceptable only for this exercise), using the following script:
    [root@www ~]# vim popuser.sh
    #!/bin/bash
    # mail-only accounts: primary group mail, no login shell, no home directory (-M)
    for username in pop1 pop2 pop3
    do
    	useradd -g mail -s /sbin/nologin -M "$username"
    	# passwd --stdin is a Red Hat extension; on Debian/Ubuntu use:
    	#   echo "$username:$username" | chpasswd
    	echo "$username" | passwd --stdin "$username"
    done
    [root@www ~]# sh popuser.sh
  4. Now create the ordinary accounts. These must be able to log in and need the supplementary group, so:
    [root@www ~]# vim loginuser.sh
    #!/bin/bash
    # login accounts: bash shell, home directory created (-m), added to youcan (-G)
    for username in youlog1 youlog2 youlog3
    do
    	useradd -G youcan -s /bin/bash -m "$username"
    	echo "$username" | passwd --stdin "$username"
    done
    [root@www ~]# sh loginuser.sh
  5. The two classes of accounts are now managed separately.

SFTP user restrictions

it/linux/users.txt · Last modified: 2015/09/29 16:48 by admin