参考连接:open***基于openldap验证,并安装openldap web管理软件
一、准备流程:
1. 搭建基于证书认证登录的Open***2.4.6服务器部署
2. 安装 ldap ,ldap web 并创建用户,能够在通过 ldap 找到创建的用户
3. 配置 open*** 基于openldap 验证
二、安装 ldap ,ldap web 并创建用户
1. 环境准备:
需要有以下组件,缺一不可 yum grouplist #查看安装了那些包组 Base Compatibility libraries Debugging Tools Development tools Dial-up Networking Support Hardware monitoring utilities Performance Tools
2.安装依赖包
yum -y install openldap openldap-* nscd nss-pam-ldapd pcre pcre-* nss-*
3. 复制并备份 ldap 的配置文件 slapd.conf
cd /etc/openldap/ cp /usr/share/openldap-servers/slapd.conf.obsolete slapd.conf
配置文件
# grep -Ev "^$|^[#;]" /etc/openldap/slapd.conf include /etc/openldap/schema/corba.schema include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/duaconf.schema include /etc/openldap/schema/dyngroup.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/java.schema include /etc/openldap/schema/misc.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/openldap.schema include /etc/openldap/schema/ppolicy.schema include /etc/openldap/schema/collective.schema allow bind_v2 pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args TLSCACertificatePath /etc/openldap/certs TLSCertificateFile "\"OpenLDAP Server\"" TLSCertificateKeyFile /etc/openldap/certs/password access to * by self write by anonymous auth by * read database bdb suffix "dc=***,dc=apicloud,dc=com" checkpoint 2048 10 rootdn "cn=admin,dc=***,dc=apicloud,dc=com" loglevel 296 cachesize 1000 rootpw 123456 directory /var/lib/ldap index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub
4. 从模板中拷贝数据库的配置文件,并且授权修改权限
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG chown ldap:ldap /var/lib/ldap/DB_CONFIG chmod 700 /var/lib/ldap/
5. 测试
slaptest -u
6. 启动slapd:
/etc/init.d/slapd start chkconfig slapd on chkconfig --list slapd
7. 验证数据是否可以查询
ldapsearch -H "ldap://***.apicloud.com:389" -D "cn=admin,dc=***,dc=apicloud,dc=com" -w '123456' -b "DC=***,DC=apicloud,DC=com"
如果报下面的错:
ldap_bind: Invalid credentials (49)
解决办法:
# rm -rf /etc/openldap/slapd.d/* # slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d # chown -R ldap.ldap /etc/openldap/slapd.d # service slapd restart 57763ec6 bdb_monitor_db_open: monitoring disabled; configure monitor database to enable config file testing succeeded # ldapsearch -H "ldap://***.apicloud.com:389" -D "cn=admin,dc=***,dc=apicloud,dc=com" -w '123456' -b "DC=***,DC=apicloud,DC=com" # OpenLDAP pwdChecker library configuration #useCracklib 1 #minPoints 3 #minUpper 0 #minLower 0 #minDigit 0 #minPunct 0
8. 为 ldap master 配置 web 管理接口:
这里使用最新的ldap-account-manager-6.3.tar.bz2 ,要求php版本>=5.6
rpm -Uvh http://mirror.webtatic.com/yum/el6/latest.rpm yum install httpd php56w php56w-cli php56w-common php56w-devel php56w-gd php56w-ldap
下载ldap-account-manager:
https://jaist.dl.sourceforge.net/project/lam/LAM/6.3/ldap-account-manager-6.3.tar.bz2
上传到/var/www/html并解压重命名:
tar xf ldap-account-manager-6.3.tar.bz2 && mv ldap-account-manager-6.3 ldap
复制配置文件:
cd /var/www/html/ldap/config && cp config.cfg.sample config.cfg && cp unix.conf.sample lam.conf
# grep -Ev "^$|^[#;]" config.cfg password: {SSHA}D6AaX93kPmck9wAxNlq3GF93S7A= R7gkjQ== default: lam logLevel: 4 logDestination: SYSLOG # grep -Ev "^$|^[#;]" lam.conf ServerURL: ldap://localhost:389 Admins: cn=admin,dc=***,dc=apicloud,dc=com Passwd: lam treesuffix: dc=***,dc=apicloud,dc=com defaultLanguage: zh_CN.utf8 scriptPath: scriptServer: scriptRights: 750 cachetimeout: 5 searchLimit: 0 modules: posixAccount_user_minUID: 10000 modules: posixAccount_user_maxUID: 30000 modules: posixAccount_host_minMachine: 50000 modules: posixAccount_host_maxMachine: 60000 modules: posixGroup_group_minGID: 10000 modules: posixGroup_group_maxGID: 20000 modules: posixGroup_pwdHash: SSHA modules: posixAccount_pwdHash: SSHA activeTypes: user,group types: suffix_user: ou=People,dc=***,dc=apicloud,dc=com types: attr_user: #uid;#givenName;#sn;#uidNumber;#gidNumber types: modules_user: inetOrgPerson,posixAccount,shadowAccount types: suffix_group: ou=group,dc=***,dc=apicloud,dc=com types: attr_group: #cn;#gidNumber;#memberUID;#description types: modules_group: posixGroup lamProMailSubject: Your password was reset lamProMailText: Dear @@givenName@@ @@sn@@,+::++::+your password was reset to: @@newPassword@@+::++::++::+Best regards+::++::+deskside support+::+
重启Httpd:
service httpd restart
访问web:
http://10.124.151.251:81
首次登陆可能要求创建下面几条:
三、配置 open***基于openldap 的验证
1. 安装相关支持插件:
yum -y install open***-auth-ldap
2. 备份并修改 open***-auth-ldap 的配置文件
cp /etc/open***/auth/ldap.conf /etc/open***/auth/ldap.conf.default # grep -Ev "^$|^[#;]" /etc/open***/auth/ldap.conf# LDAP server URL # URL ldap://***.apicloud.com:389 URL ldap://10.124.151.251:389 # Bind DN (If your LDAP server doesn't support anonymous binds) # BindDN uid=Manager,ou=People,dc=example,dc=com BindDN cn=admin,dc=***,dc=apicloud,dc=com # Bind Password # Password SecretPassword Password 123456 # Network timeout (in seconds) Timeout 15 # Enable Start TLS # TLSEnable yes TLSEnable no # Follow LDAP Referrals (anonymously) # FollowReferrals yes FollowReferrals no # TLS CA Certificate File TLSCACertFile /usr/local/etc/ssl/ca.pem # TLS CA Certificate Directory TLSCACertDir /etc/ssl/certs # Client Certificate and key # If TLS client authentication is required TLSCertFile /usr/local/etc/ssl/client-cert.pem TLSKeyFile /usr/local/etc/ssl/client-key.pem # Cipher Suite # The defaults are usually fine here # TLSCipherSuite ALL:!ADH:@STRENGTH # Base DN BaseDN "ou=People,dc=***,dc=apicloud,dc=com" # User Search Filter # SearchFilter "(&(uid=%u)(accountStatus=active))" SearchFilter "(uid=%u)" # Require Group Membership RequireGroup false # Add non-group members to a PF table (disabled) #PFTable ips_***_users BaseDN "ou=Groups,dc=***,dc=apicloud,dc=com" SearchFilter "(|(cn=developers)(cn=artists))" MemberAttribute uniqueMember # Add group members to a PF table (disabled) #PFTable ips_***_eng
cp /usr/share/doc/open***-auth-ldap-2.0.3/auth-ldap.conf /usr/share/doc/open***-auth-ldap-2.0.3/auth-ldap.conf.default # grep -Ev "^$|^[#;]" /usr/share/doc/open***-auth-ldap-2.0.3/auth-ldap.conf# LDAP server URL URL ldap://***.apicloud.com:389 # Bind DN (If your LDAP server doesn't support anonymous binds) # BindDN uid=Manager,ou=People,dc=example,dc=com BindDN cn=admin,dc=***,dc=apicloud,dc=com # Bind Password # Password SecretPassword Password 123456 # Network timeout (in seconds) Timeout 15 # Enable Start TLS # TLSEnable yes TLSEnable no # Follow LDAP Referrals (anonymously) # FollowReferrals yes FollowReferrals no # TLS CA Certificate File TLSCACertFile /usr/local/etc/ssl/ca.pem # TLS CA Certificate Directory TLSCACertDir /etc/ssl/certs # Client Certificate and key # If TLS client authentication is required TLSCertFile /usr/local/etc/ssl/client-cert.pem TLSKeyFile /usr/local/etc/ssl/client-key.pem # Cipher Suite # The defaults are usually fine here # TLSCipherSuite ALL:!ADH:@STRENGTH # Base DN BaseDN "ou=People,dc=***,dc=apicloud,dc=com" # User Search Filter # SearchFilter "(&(uid=%u)(accountStatus=active))" SearchFilter "(uid=%u)" # Require Group Membership RequireGroup false # Add non-group members to a PF table (disabled) #PFTable ips_***_users BaseDN "ou=Groups,dc=***,dc=apicloud,dc=com" # SearchFilter "(|(cn=developers)(cn=artists))" SearchFilter "(|(cn=*)(cn=artists))" MemberAttribute uniqueMember # Add group members to a PF table (disabled) #PFTable ips_***_eng
3. 修改 open*** 的配置文件 server.conf
添加如下内容 plugin /usr/lib64/open***/plugin/lib/open***-auth-ldap.so "/etc/open***/auth/ldap.conf cn=%u" client-cert-not-required username-as-common-name
# grep -Ev "^$|^[#;]" /etc/open***/server.conf port 1194 proto udp dev tap ca ca.crt cert server.crt key server.key # This file should be kept secret dh dh2048.pem server 10.124.163.0 255.255.255.0 ifconfig-pool-persist ipp.txt push "route 10.0.0.0 255.0.0.0" #支持多路由配置推送到客户端 push "route 101.200.33.180 255.255.255.252" push "route 123.56.4.85 255.255.255.252" client-config-dir ccd push "dhcp-option DNS 223.5.5.5" push "dhcp-option DNS 223.6.6.6" client-to-client keepalive 10 120 tls-auth ta.key 0 # This file is secret cipher AES-256-CBC comp-lzo user nobody group nobody persist-key persist-tun status /var/log/open***/open***-status.log log /var/log/open***/open***.log log-append /var/log/open***/open***.log verb 3 explicit-exit-notify 1 plugin /usr/lib64/open***/plugin/lib/open***-auth-ldap.so "/etc/open***/auth/ldap.conf cn=%u" client-cert-not-required username-as-common-name
4. 更改客户端的配置文件 qingbo.o*** 文件,添加如下内容
auth-user-pass
D:\Program Files\Open***\config>grep -Ev "^$|^[#;]" qingbo.song.o*** client dev tap proto udp remote ***.apicloud.com 1194 resolv-retry infinite nobind persist-key persist-tun ca ca.crt remote-cert-tls server ns-cert-type server auth-user-pass tls-auth ta.key 1 cipher AES-256-CBC comp-lzo verb 3
5. 重启open***服务:
service open*** restart
备注:open***重启的时候可能会出现tap0网络端口不能正常绑定的情况,再次重启会重新绑定上。可能跟有客户端连接有关。
需要注意的是:该文章open***服务端和客户端配置网络模式为tap,即选择创建了交换机构建子网的方式,并且每个用户在 /etc/open***/ipp.txt 配置了唯一分配IP地址,且不支持多台终端设备同时登录,以保证能识别用户的身份使用。如果有多台设备登录的需求,后期会进行相关的升级,并及时更新本文档。