参考连接:open***基于openldap验证,并安装openldap web管理软件


一、准备流程:

    1. 搭建基于证书认证登录的Open***2.4.6服务器部署

    2. 安装 ldap ,ldap web 并创建用户,能够在通过 ldap 找到创建的用户

    3. 配置 open*** 基于openldap  验证

二、安装 ldap ,ldap web 并创建用户

    1. 环境准备:

需要有以下组件,缺一不可
yum grouplist   #查看安装了那些包组
   Base
   Compatibility libraries
   Debugging Tools
   Development tools
   Dial-up Networking Support
   Hardware monitoring utilities
   Performance Tools

    2.安装依赖包

yum -y install openldap openldap-* nscd nss-pam-ldapd pcre pcre-* nss-*

    3. 复制并备份 ldap 的配置文件 slapd.conf

cd /etc/openldap/
cp /usr/share/openldap-servers/slapd.conf.obsolete slapd.conf

配置文件

# grep -Ev "^$|^[#;]"  /etc/openldap/slapd.conf 
include		/etc/openldap/schema/corba.schema
include		/etc/openldap/schema/core.schema
include		/etc/openldap/schema/cosine.schema
include		/etc/openldap/schema/duaconf.schema
include		/etc/openldap/schema/dyngroup.schema
include		/etc/openldap/schema/inetorgperson.schema
include		/etc/openldap/schema/java.schema
include		/etc/openldap/schema/misc.schema
include		/etc/openldap/schema/nis.schema
include		/etc/openldap/schema/openldap.schema
include		/etc/openldap/schema/ppolicy.schema
include		/etc/openldap/schema/collective.schema
allow bind_v2
pidfile		/var/run/openldap/slapd.pid
argsfile	/var/run/openldap/slapd.args
TLSCACertificatePath /etc/openldap/certs
TLSCertificateFile "\"OpenLDAP Server\""
TLSCertificateKeyFile /etc/openldap/certs/password
access to *
	by self write
	by anonymous auth
	by * read
database	bdb
suffix		"dc=***,dc=apicloud,dc=com"
checkpoint	2048 10
rootdn		"cn=admin,dc=***,dc=apicloud,dc=com"
loglevel    296
cachesize   1000
rootpw	123456
directory	/var/lib/ldap
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub

    4. 从模板中拷贝数据库的配置文件,并且授权修改权限

cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap:ldap /var/lib/ldap/DB_CONFIG
chmod 700 /var/lib/ldap/

    5. 测试

slaptest -u

Image8_thumb

    6. 启动slapd:

/etc/init.d/slapd start
chkconfig slapd on
chkconfig --list slapd

Image9_thumb

Image12_thumb

Image11_thumb

Image13_thumb 

   7. 验证数据是否可以查询

ldapsearch -H "ldap://***.apicloud.com:389" -D "cn=admin,dc=***,dc=apicloud,dc=com" -w '123456' -b "DC=***,DC=apicloud,DC=com"

如果报下面的错:

ldap_bind: Invalid credentials (49)

解决办法:

# rm -rf /etc/openldap/slapd.d/*  

# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d  

#  chown -R ldap.ldap /etc/openldap/slapd.d

#  service slapd restart

57763ec6 bdb_monitor_db_open: monitoring disabled; configure monitor database to enable  

config file testing succeeded  

# ldapsearch -H "ldap://***.apicloud.com:389" -D "cn=admin,dc=***,dc=apicloud,dc=com" -w '123456' -b "DC=***,DC=apicloud,DC=com" 
 
# OpenLDAP pwdChecker library configuration

#useCracklib 1
#minPoints 3
#minUpper 0
#minLower 0
#minDigit 0
#minPunct 0

    8. 为 ldap master 配置 web 管理接口:

这里使用最新的ldap-account-manager-6.3.tar.bz2 ,要求php版本>=5.6

rpm -Uvh http://mirror.webtatic.com/yum/el6/latest.rpm
yum install httpd php56w php56w-cli php56w-common php56w-devel php56w-gd php56w-ldap

下载ldap-account-manager:

https://jaist.dl.sourceforge.net/project/lam/LAM/6.3/ldap-account-manager-6.3.tar.bz2

 上传到/var/www/html并解压重命名:

tar xf ldap-account-manager-6.3.tar.bz2 && mv ldap-account-manager-6.3 ldap

复制配置文件:

cd /var/www/html/ldap/config && cp config.cfg.sample config.cfg && cp unix.conf.sample lam.conf
# grep -Ev "^$|^[#;]"  config.cfg
password: {SSHA}D6AaX93kPmck9wAxNlq3GF93S7A= R7gkjQ==
default: lam
logLevel: 4
logDestination: SYSLOG

# grep -Ev "^$|^[#;]"  lam.conf 
ServerURL: ldap://localhost:389
Admins: cn=admin,dc=***,dc=apicloud,dc=com
Passwd: lam
treesuffix: dc=***,dc=apicloud,dc=com
defaultLanguage: zh_CN.utf8
scriptPath:
scriptServer:
scriptRights: 750
cachetimeout: 5
searchLimit: 0
modules: posixAccount_user_minUID: 10000
modules: posixAccount_user_maxUID: 30000
modules: posixAccount_host_minMachine: 50000
modules: posixAccount_host_maxMachine: 60000
modules: posixGroup_group_minGID: 10000
modules: posixGroup_group_maxGID: 20000
modules: posixGroup_pwdHash: SSHA
modules: posixAccount_pwdHash: SSHA
activeTypes: user,group
types: suffix_user: ou=People,dc=***,dc=apicloud,dc=com
types: attr_user: #uid;#givenName;#sn;#uidNumber;#gidNumber
types: modules_user: inetOrgPerson,posixAccount,shadowAccount
types: suffix_group: ou=group,dc=***,dc=apicloud,dc=com
types: attr_group: #cn;#gidNumber;#memberUID;#description
types: modules_group: posixGroup
lamProMailSubject: Your password was reset
lamProMailText: Dear @@givenName@@ @@sn@@,+::++::+your password was reset to: @@newPassword@@+::++::++::+Best regards+::++::+deskside support+::+

重启Httpd:

service httpd restart

访问web:

http://10.124.151.251:81

基于openldap验证,并安装openldap web管理软件的openvpen部署_第1张图片

首次登陆可能要求创建下面几条:

基于openldap验证,并安装openldap web管理软件的openvpen部署_第2张图片

三、配置 open***基于openldap 的验证

    1. 安装相关支持插件:

yum -y install open***-auth-ldap

    2. 备份并修改 open***-auth-ldap 的配置文件

cp /etc/open***/auth/ldap.conf /etc/open***/auth/ldap.conf.default
# grep -Ev "^$|^[#;]" /etc/open***/auth/ldap.conf

	# LDAP server URL
	# URL		ldap://***.apicloud.com:389
	URL		ldap://10.124.151.251:389
	# Bind DN (If your LDAP server doesn't support anonymous binds)
	# BindDN		uid=Manager,ou=People,dc=example,dc=com
	BindDN		cn=admin,dc=***,dc=apicloud,dc=com
	# Bind Password
	# Password	SecretPassword
	Password	123456
	# Network timeout (in seconds)
	Timeout		15
	# Enable Start TLS
	# TLSEnable	yes
	TLSEnable	no
	# Follow LDAP Referrals (anonymously)
	# FollowReferrals yes
	FollowReferrals no
	# TLS CA Certificate File
	TLSCACertFile	/usr/local/etc/ssl/ca.pem
	# TLS CA Certificate Directory
	TLSCACertDir	/etc/ssl/certs
	# Client Certificate and key
	# If TLS client authentication is required
	TLSCertFile	/usr/local/etc/ssl/client-cert.pem
	TLSKeyFile	/usr/local/etc/ssl/client-key.pem
	# Cipher Suite
	# The defaults are usually fine here
	# TLSCipherSuite	ALL:!ADH:@STRENGTH


	# Base DN
	BaseDN		"ou=People,dc=***,dc=apicloud,dc=com"
	# User Search Filter
	# SearchFilter	"(&(uid=%u)(accountStatus=active))"
	SearchFilter	"(uid=%u)"
	# Require Group Membership
	RequireGroup	false
	# Add non-group members to a PF table (disabled)
	#PFTable	ips_***_users
	
		BaseDN		"ou=Groups,dc=***,dc=apicloud,dc=com"
		SearchFilter	"(|(cn=developers)(cn=artists))"
		MemberAttribute	uniqueMember
		# Add group members to a PF table (disabled)
		#PFTable	ips_***_eng
	
cp /usr/share/doc/open***-auth-ldap-2.0.3/auth-ldap.conf /usr/share/doc/open***-auth-ldap-2.0.3/auth-ldap.conf.default

# grep -Ev "^$|^[#;]" /usr/share/doc/open***-auth-ldap-2.0.3/auth-ldap.conf

	# LDAP server URL
	URL		ldap://***.apicloud.com:389
	# Bind DN (If your LDAP server doesn't support anonymous binds)
	# BindDN		uid=Manager,ou=People,dc=example,dc=com
	BindDN		cn=admin,dc=***,dc=apicloud,dc=com
	# Bind Password
	# Password	SecretPassword
	Password	123456
	# Network timeout (in seconds)
	Timeout		15
	# Enable Start TLS
	# TLSEnable	yes
	TLSEnable	no
	# Follow LDAP Referrals (anonymously)
	# FollowReferrals yes
	FollowReferrals no
	# TLS CA Certificate File
	TLSCACertFile	/usr/local/etc/ssl/ca.pem
	# TLS CA Certificate Directory
	TLSCACertDir	/etc/ssl/certs
	# Client Certificate and key
	# If TLS client authentication is required
	TLSCertFile	/usr/local/etc/ssl/client-cert.pem
	TLSKeyFile	/usr/local/etc/ssl/client-key.pem
	# Cipher Suite
	# The defaults are usually fine here
	# TLSCipherSuite	ALL:!ADH:@STRENGTH


	# Base DN
	BaseDN		"ou=People,dc=***,dc=apicloud,dc=com"
	# User Search Filter
	# SearchFilter	"(&(uid=%u)(accountStatus=active))"
	SearchFilter	"(uid=%u)"
	# Require Group Membership
	RequireGroup	false
	# Add non-group members to a PF table (disabled)
	#PFTable	ips_***_users
	
		BaseDN		"ou=Groups,dc=***,dc=apicloud,dc=com"
		# SearchFilter	"(|(cn=developers)(cn=artists))"
		SearchFilter	"(|(cn=*)(cn=artists))"
		MemberAttribute	uniqueMember
		# Add group members to a PF table (disabled)
		#PFTable	ips_***_eng
	

    3. 修改 open*** 的配置文件 server.conf

添加如下内容
plugin /usr/lib64/open***/plugin/lib/open***-auth-ldap.so "/etc/open***/auth/ldap.conf cn=%u"
client-cert-not-required
username-as-common-name
# grep -Ev "^$|^[#;]" /etc/open***/server.conf
port 1194
proto udp
dev tap
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh2048.pem
server 10.124.163.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.0.0.0 255.0.0.0"
#支持多路由配置推送到客户端
push "route 101.200.33.180 255.255.255.252"
push "route 123.56.4.85 255.255.255.252"
client-config-dir ccd
push "dhcp-option DNS 223.5.5.5"
push "dhcp-option DNS 223.6.6.6"
client-to-client
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /var/log/open***/open***-status.log
log         /var/log/open***/open***.log
log-append  /var/log/open***/open***.log
verb 3
explicit-exit-notify 1
plugin /usr/lib64/open***/plugin/lib/open***-auth-ldap.so "/etc/open***/auth/ldap.conf cn=%u" 
client-cert-not-required 
username-as-common-name

    4. 更改客户端的配置文件 qingbo.o*** 文件,添加如下内容

auth-user-pass
D:\Program Files\Open***\config>grep -Ev "^$|^[#;]" qingbo.song.o***
client
dev tap
proto udp
remote ***.apicloud.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
remote-cert-tls server
ns-cert-type server
auth-user-pass
tls-auth ta.key 1
cipher AES-256-CBC
comp-lzo
verb 3


    5. 重启open***服务:

service open*** restart

备注:open***重启的时候可能会出现tap0网络端口不能正常绑定的情况,再次重启会重新绑定上。可能跟有客户端连接有关。


需要注意的是:该文章open***服务端和客户端配置网络模式为tap,即选择创建了交换机构建子网的方式,并且每个用户在 /etc/open***/ipp.txt 配置了唯一分配IP地址,且不支持多台终端设备同时登录,以保证能识别用户的身份使用。如果有多台设备登录的需求,后期会进行相关的升级,并及时更新本文档。