Open××× 的验证方式
http://blog.sina.com.cn/s/blog_5398c3200100jkv3.html
一、文本文件式的认证
1、获得文本口令认证的脚本
wget http://open***.se/files/other/checkpsw.sh -P /etc/open***
cd /etc/open***
chmod u+x checkpsw.sh
chown nobody.nobody checkpsw.sh
2、创建密码文件
譬如 /etc/open***/psw-file
文件的格式:用户名
user1 pass
user2 pass
3、修改服务器的配置文件
在server.conf 配置文件里加上
auth-user-pass-verify /etc/open***/checkpsw.sh via-env
4、修改客户端的配置文件
一是注释掉用
;cert client1.crt
;key client1.key
二是增加验证时询问用户名和密码
auth-user-pass
二、是支持 MYSQL 数据库的认证
1、需要 pam_mysql 模块
# wget http://prdownloads.sourceforge.net/pam-mysql/pam_mysql-0.7RC1.tar.gz
该项目的网页是:
http://pam-mysql.sourceforge.net
2、编译该模块
# tar -zxvf pam_mysql-0.7RC1.tar.gz
# cd pam_mysql-0.7RC1
# ./configure --with-openssl
或
# ./configure --with-mysql=/usr/lib/mysql/mysql_config --with-openssl
# make install
# cd .libs
# cp pam_mysql.sp /lib/security
3、相关的服务准备
# service saslauthd restart
修改 /etc/sysconfig/saslauthd
MECH=pam 改为 MECH=shadow
4、关于 MYSQL 的操作
简述安装的过程
# cd /usr/bin
# ./mysql_install_db
# service mysqld restart
# ./mysqladmin -u root password '????????'
# mysql -u root -p
> create database ***;
> grant all on ***.* to ***@localhost identified by '????????';
> flush privileges;
> use ***;
> create table ***user (name char(20) NOT NULL, password char(128) default NULL, active int(10) NOT NULL DEFAULT 1, PRIMARY KEY(name));
> insert into ***user(name,password) values ('......',password('......'));
5、配置 pam_mysql 模块
/etc/pam.d/open***
with sufficient pam_mysql.so user=*** passwd=...... host=localhost db=*** table=***user usercolumn=name passwordcolumn=password where=active=1 sqllog=0 crypt=3
需要注意的是
crypt=0 表示用明文
crypt=1 表示 use crypt
crypt=2 表示 use MySQL PASSWORD() 函数
crypt=3 表示 use MySQL PASSWORD() 函数,用 MD5
6、修改 Open××× 设置
生成 ta.key
# open*** --genkey --secret keys/ta.key
修改服务器配置文件
tls-auth ta.key 0
plugin ./open***-auth-pam.so open***
client-cert-not-required
username-as-common-name
修改客户端配置文件
auth-user-pass
tls-auth ta.key 1
三、使用 LDAP 的方式认证
实际上也有二种,一种用 open***-auth-ldap 即直接通过 LDAP 验证,另一种与 mysql 认证相似,使用 pam-ldap ,通过 PAM ,然后再找 LDAP 验证。
这里主要用 open***-auth-ldap (另一方法,安装 yum install nss_ldap 包后找文件 /usr/local/etc/auth-ldap.conf 复制 /usr/share/doc/nss_ldap_253/ldap.conf.pam_ldap /etc/pam_ldap.conf ,创建/etc/pam.d/open***)
1、安装
# yum install open***-auth-ldap
自行安装的话,下载 auth-ldap-2.0.3.tar.gz re2c-0.13.5.tar.gz
# tar -zxvf re2c-0.13.5.tar.gz
# ./configure
# make
# make install
# tar -zxvf auth-ldap-2.0.3.tar.gz
# ./configure --prefix=/usr/local --with-openldap=/usr/local --with-open***=/root/open***-2.0.9
或
# ./configure --prefix=/usr/local --with-openldap=/usr/lib/openldap --with-open***=/usr/src/redhat/BUILD/open***-2.0.9
生成文件 /usr/local/lib/open***-auth-ldap.so
2、配置文件
修改配置文件:auth-ldap.conf
使用yum安装的,会在 /usr/share/doc/open***-auth-ldap-2.0.3 存在相应文件,如果是自行安装的,在 /usr/local/etc/auth-ldap.conf 。
实例:(根据实际情况修改)
# LDAP server URL
URL ldap://ldap1.example.org
# Bind DN (If your LDAP server doesn't support anonymous binds)
# BindDN uid=Manager,ou=People,dc=example,dc=com
# Bind Password
# Password SecretPassword
# Network timeout (in seconds)
Timeout 15
# Enable Start TLS
TLSEnable yes
# Follow LDAP Referrals (anonymously)
FollowReferrals yes
# TLS CA Certificate File
TLSCACertFile /usr/local/etc/ssl/ca.pem
# TLS CA Certificate Directory
TLSCACertDir /etc/ssl/certs
# Client Certificate and key
# If TLS client authentication is required
TLSCertFile /usr/local/etc/ssl/client-cert.pem
TLSKeyFile /usr/local/etc/ssl/client-key.pem
# Cipher Suite
# The defaults are usually fine here
# TLSCipherSuite ALL:!ADH:@STRENGTH
# Base DN
BaseDN "ou=People,dc=example,dc=com"
# User Search Filter
SearchFilter "(&(uid=%u)(accountStatus=active))"
# Require Group Membership
RequireGroup false
# Add non-group members to a PF table (disabled)
#PFTable ips_***_users
BaseDN "ou=Groups,dc=example,dc=com"
SearchFilter "(|(cn=developers)(cn=artists))"
MemberAttribute uniqueMember
# Add group members to a PF table (disabled)
#PFTable ips_***_eng
open*** 的配置文件类似 mysql
plugin /usr/local/lib/open***-auth-ldap.so /etc/open***/auth/ldap.conf
client-cert-not-required
username-as-common-name