系统环境是CentOS 5.5 64bit
第一步,当然是安装open***和openldap:
# rpm -ivh http://download.fedora.redhat.com/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
# NOTE(review): the EPEL release package is fetched over plain http, and rpm can
# only verify its signature once the EPEL signing key is imported — which this
# very package provides. Download it first and check it against a trusted
# source before installing.
# yum install -y open*** open***-auth-ldap openldap openldap-servers openldap-clients
第二步,配置open***:
# The provisioning script below expects the easy-rsa 2.0 tree at
# /etc/open***/easy-rsa/2.0 (its keys_bin variable), so the copy must keep the
# "2.0" subdirectory of the easy-rsa directory.
# cp -R /usr/share/open***/easy-rsa/ /etc/open***
编辑 /etc/open***/easy-rsa/2.0/vars:
# Subject fields baked into every certificate easy-rsa issues from this vars
# file: the CA, the server certificate and the per-user client certificates the
# provisioning script creates with pkitool.
export KEY_COUNTRY="CN"
export KEY_PROVINCE="GD"
export KEY_CITY="Guangzhou"
export KEY_ORG="NETOCOOL"
# NOTE(review): "[email protected]" is a placeholder left behind by the page's
# address obfuscation, not a usable value; put the operator's contact address here.
export KEY_EMAIL="[email protected]"
创建公共密钥:
cd /etc/open***/easy-rsa/2.0/
# NOTE(review): "+rwx *" widens the mode of every file in the directory,
# including vars and anything written here later; only the helper scripts need
# the execute bit (for example: chmod +x pkitool clean-all build-dh).
chmod +rwx *
source ./vars
# clean-all empties the keys/ directory: re-running this step on an existing
# installation destroys the CA and every certificate issued from it.
./clean-all
./pkitool --initca
创建服务器密钥:
./pkitool --server server
./build-dh
# NOTE(review): ca.key is the CA's private key. The server.conf below only
# reads ca.crt, server.crt, server.key and dh1024.pem, so ca.key has no reason
# to be copied into /etc/open***; leave it in the easy-rsa keys/ directory,
# which is where the provisioning script signs client certificates from.
cp keys/{ca.crt,ca.key,server.crt,server.key,dh1024.pem} /etc/open***/
Open***服务器配置:
/etc/open***/server.conf
port 1194
# TCP or UDP server?
proto tcp
;proto udp
dev tap
;dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
# NOTE(review): 1024-bit DH parameters (easy-rsa's default KEY_SIZE) are below
# current guidance; set KEY_SIZE=2048 in vars, re-run build-dh and point this
# directive at the resulting dh2048.pem.
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
;push "route 172.16.6.0 255.255.255.0"
;push "route 218.213.250.20 255.255.255.255"
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
push "dhcp-option DNS 8.8.8.8"
;client-to-client
;duplicate-cn
keepalive 10 120
;tls-auth ta.key 0 # This file is secret
# NOTE(review): with tls-auth left off, any host that can reach port 1194 can
# start a TLS handshake with the server. Enabling it (the shared ta.key then
# goes into every client profile) lets the server drop unsigned packets before
# any handshake work is done.
comp-lzo
;max-clients 100
;user nobody
;group nobody
# NOTE(review): user/group are commented out, so the daemon keeps root for its
# whole lifetime. persist-key and persist-tun below are already set, which is
# what makes dropping privileges after start-up workable.
persist-key
persist-tun
status open***-status.log
log open***.log
log-append open***.log
# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3
# Silence repeating messages. At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20
#plugin /usr/lib/open***/open***-auth-ldap.so /etc/open***/auth/ldap.conf
plugin /usr/lib64/open***/plugin/lib/open***-auth-ldap.so /etc/open***/auth/ldap.conf
client-cert-not-required
# NOTE(review): together, the LDAP plugin and client-cert-not-required make the
# LDAP username/password the only client credential: the per-user certificate
# that the provisioning script issues is optional from the server's point of
# view. Remove this line if that certificate is meant to act as a second factor.
openldap服务器配置:
/etc/openldap/slapd.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
schemacheck on
idletimeout 60
timelimit 60
sizelimit 1000
allow bind_v2
# NOTE(review): bind_v2 permits LDAPv2 binds; keep it only if a legacy client
# actually needs it.
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
database bdb
suffix "o=open***"
rootdn "cn=Manager,o=open***"
rootpw 123456
# NOTE(review): rootpw is stored in clear text, and the same value is repeated
# in the provisioning script. Store a hash produced by slappasswd ({SSHA}...)
# here and make slapd.conf readable by the ldap user only.
directory /var/lib/ldap
index objectClass eq,pres
index uid eq,sub
index cn,sn,mail,mailAlternateAddress pres,eq,approx,sub
# NOTE(review): no "access to" directives appear in this excerpt. If the real
# file has none either, slapd's default policy lets anyone read every
# attribute, including userPassword (which the provisioning script writes in
# clear text). At minimum:
#   access to attrs=userPassword by self write by anonymous auth by * none
#   access to * by * read
loglevel 256
openldap 数据初始化:
top.ldif
dn: o=open***
o: open***
objectClass: top
objectClass: organization
# NOTE(review): LDIF separates entries with an empty line; the page shows none
# between this entry and the next, most likely lost in extraction — check the
# real file before feeding it to ldapadd.
dn: ou=open***.netocool.com,o=open***
ou: open***.netocool.com
objectClass: top
objectClass: organizationalUnit
# NOTE(review): structuralObjectClass is an operational attribute that slapd
# derives itself; ldapadd is likely to reject an entry that sets it — drop the
# line (or load the file with slapadd) — confirm.
structuralObjectClass: organizationalUnit
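# Load the two base entries as the rootdn. -W prompts for the bind password;
# without -w/-W the simple bind carries no credentials and slapd refuses the
# add, since only the rootdn may write to the directory.
# ldapadd -f top.ldif -x -D cn=Manager,o=open*** -W -h localhost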
open*** 用户管理script:
/usr/bin/open***_provisioning.sh
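#!/bin/bash
# OpenVPN + OpenLDAP user provisioning: creates and deletes LDAP accounts,
# issues a per-user client profile with easy-rsa and mails it out.  Run as
# root on the VPN server.
#
# NOTE(review): the page this was taken from prints "open***" / "***" wherever
# the product name appears; the identifiers and paths below read that as
# "openvpn" / "vpn" — confirm against the real file.
#
# No strict mode on purpose: the functions test exit codes after pipelines and
# cd calls themselves, which `set -e` would pre-empt.

openvpn_config_dir=/etc/openvpn
keys_bin=$openvpn_config_dir/easy-rsa/2.0
keys_dir=$keys_bin/keys
# Per-run tag (epoch seconds) prefixed to every generated file name.
random=$(date +%s)
# Random part of the initial account password.  The original used RANDOM%10000,
# i.e. at most four decimal digits; take twelve alphanumerics from /dev/urandom.
random1=$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 12)
ldap_host="localhost"
vpn_host="202.70.X.X"
vpn_port="1194"
rootdn="cn=Manager,o=openvpn"
base="o=openvpn"
# Bind password for $rootdn.  Read it from a root-only file when one exists so
# the secret does not have to live in this script; the literal is the value the
# page ships with.  (The file name is a constructed placeholder — pick your own.)
rootpw_file=/etc/openvpn/auth/rootpw
if [ -r "$rootpw_file" ]; then
  rootpw=$(<"$rootpw_file")
else
  rootpw="123456"
fi
ou="openvpn.netocool.com"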
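check_user ()
{
  # Refuse to continue when the account already exists in LDAP, or when the
  # lookup itself cannot be completed.
  # Globals:   rootdn, base, ou, rootpw, ldap_host (read)
  # Arguments: $1 - user name (becomes part of the entry DN and of file names)
  # Returns:   0 when the user is absent; exits 1 otherwise
  local user_name="$1"
  local rc

  # The name is spliced into a DN and into shell file names, so allow only a
  # conservative character set — nothing from argv should be able to reshape
  # either.
  case "$user_name" in
    ''|*[!A-Za-z0-9._-]*)
      echo "Invalid user name '$user_name': use letters, digits, '.', '_' or '-' only, exiting ..."
      exit 1 ;;
  esac

  # ldapsearch exits with the LDAP result code: 0 = entry found, 32 = no such
  # object.  Any other value is a lookup failure (bad bind, server down) and
  # must not be read as "exists", which is what the old grep on stdout did.
  # -y reads the bind password from a file instead of argv, so it is not
  # visible in `ps`.
  /usr/bin/ldapsearch -x -D "$rootdn" -b "uid=$user_name@$ou,ou=$ou,$base" \
    -y <(printf '%s' "$rootpw") -h "$ldap_host" >/dev/null 2>&1
  rc=$?
  case "$rc" in
    32) return 0 ;;
    0)
      echo "User account $user_name exist, exit ..."
      exit 1 ;;
    *)
      echo "LDAP lookup for $user_name failed (ldapsearch exit $rc), exiting ..."
      exit 1 ;;
  esac
}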
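list_user ()
{
  # Print the user names of every entry under ou=$ou, one per line on stdout:
  # the value of each "uid:" attribute with its "@$ou" suffix stripped.
  # Globals:   rootdn, base, ou, rootpw, ldap_host (read)
  # Returns:   the pipeline's status (that of awk)
  echo
  echo "Check user list as below:"
  echo
  # Match "uid:" exactly rather than any attribute starting with "uid" (the
  # old /^uid/ would also have picked up uidNumber lines), and do the @-split
  # in the same awk instead of a second process.
  /usr/bin/ldapsearch -x -D "$rootdn" -b "ou=$ou,$base" \
    -y <(printf '%s' "$rootpw") -h "$ldap_host" \
    | awk '$1 ~ /^uid:/ { sub(/@.*/, "", $2); print $2 }'
}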
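delete_user ()
{
  # Remove user $1: the LDAP entry first, then the profile zip(s) recorded for
  # it in /etc/openvpn/user_list, then its row(s) in user_list.
  # Globals:   rootdn, base, ou, rootpw, ldap_host (read)
  # Arguments: $1 - user name
  # Returns:   exits 1 on a bad name, a missing user or an LDAP failure
  local user_name="$1"
  local log=/var/log/openvpn_provisioning.log
  local user_list=/etc/openvpn/user_list
  local rc profile

  # Same character set as check_user: the name becomes part of a DN and of
  # file names.
  case "$user_name" in
    ''|*[!A-Za-z0-9._-]*)
      echo "Invalid user name '$user_name', exiting ..."
      exit 1 ;;
  esac

  # ldapsearch exits with the LDAP result code: 32 = no such object.  Any other
  # non-zero code is a lookup failure and must not be mistaken for "exists".
  /usr/bin/ldapsearch -x -D "$rootdn" -b "uid=$user_name@$ou,ou=$ou,$base" \
    -y <(printf '%s' "$rootpw") -h "$ldap_host" >/dev/null 2>&1
  rc=$?
  if [ "$rc" -eq 32 ]; then
    echo "User account $user_name do not exist, exiting ..."
    exit 1
  elif [ "$rc" -ne 0 ]; then
    echo "LDAP lookup for $user_name failed (ldapsearch exit $rc), exiting ..."
    exit 1
  fi
  echo
  echo "User account $user_name will be delete from system:"
  sleep 3
  echo
  # Stop here if the entry could not be removed, so user_list keeps matching
  # what is in LDAP.
  if ! /usr/bin/ldapdelete -x -D "$rootdn" -y <(printf '%s' "$rootpw") -h "$ldap_host" \
      "uid=$user_name@$ou,ou=$ou,$base"; then
    echo "ldapdelete failed for $user_name, user_list left untouched, exiting ..."
    exit 1
  fi
  [ -f "$user_list" ] || return 0

  # user_list columns: date,user,key name,profile zip,email (see create_user).
  # Remove only the recorded file, and only when it is a regular file — the
  # old unquoted `rm -rf $(...)` word-split the path and never checked it.
  while IFS= read -r profile; do
    if [ -n "$profile" ] && [ -f "$profile" ]; then
      rm -f -- "$profile" >>"$log" 2>&1
    fi
  done < <(awk -F, -v var="$user_name" '$2 == var { print $4 }' "$user_list")

  # Drop the row(s) by exact match on the user column instead of a regex built
  # from the name, which also matched the name inside the other columns.
  if awk -F, -v var="$user_name" '$2 != var' "$user_list" >"$user_list.tmp"; then
    mv -- "$user_list.tmp" "$user_list"
  else
    rm -f -- "$user_list.tmp"
  fi
}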
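# initial
initial ()
{
  # Issue a client certificate for user $1 with easy-rsa, write the client
  # profile and a README next to it in $keys_dir, zip them together with the
  # CA certificate, the client cert and the client key, then delete the loose
  # copies so the zip is the only one left.
  # Globals:   keys_bin, keys_dir, random, random1, vpn_host, vpn_port, ou (read)
  # Arguments: $1 - user name (validated by check_user)
  # Returns:   exits 1 when a cd, pkitool or zip fails
  # NOTE(review): on the page both here-documents read just "cat <", i.e. the
  # operator and the output file name were lost; the profile and README names
  # below are reconstructed from the zip command that followed them — confirm
  # against the real script.
  local user_name="$1"
  local log=/var/log/openvpn_provisioning.log
  local key_name="${random}_${user_name}"
  local readme="${random}_${user_name}_README_FIRST"
  local profile="${random}_connect_${user_name}.ovpn"   # constructed name
  local bundle="${random}_${user_name}_vpn_config.zip"
  local client_ca=ca_connect_to_tws.crt

  { echo; date; } >>"$log"

  cd "$keys_bin" || { echo "cannot cd to $keys_bin, exiting ..."; exit 1; }
  # shellcheck disable=SC1091
  source ./vars >>"$log"
  if ! ./pkitool "$key_name" >>"$log" 2>&1; then
    echo "pkitool failed for $key_name, see $log, exiting ..."
    exit 1
  fi

  cd "$keys_dir" || { echo "cannot cd to $keys_dir, exiting ..."; exit 1; }
  [ -f "$client_ca" ] || echo "warning: $client_ca missing from $keys_dir" >>"$log"

  # Client profile: tap/tcp to match server.conf, LDAP username+password auth.
  cat >"$profile" <<EOF
client
dev tap
proto tcp
remote $vpn_host $vpn_port
resolv-retry infinite
persist-key
persist-tun
ca $client_ca
cert $key_name.crt
key $key_name.key
auth-user-pass
comp-lzo
verb 3
EOF

  # NOTE(review): the README states the initial password in clear text and the
  # zip holds the private key; send() then mails both in one unencrypted
  # message.  Consider handing the password over through a separate channel.
  cat >"$readme" <<EOF
Dear Customer,
The ××× login user name: ${user_name}@$ou
Password: ${random1}${user_name}
Best regard.
EOF

  # Remove the loose copies only once the bundle has actually been written.
  if ! zip "$bundle" "$readme" "$profile" "$client_ca" "$key_name.crt" "$key_name.key" >>"$log" 2>&1; then
    echo "zip failed for $key_name, see $log, exiting ..."
    exit 1
  fi
  rm -f -- "$profile" "$key_name.crt" "$key_name.key" "$readme" >>"$log" 2>&1
}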
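# send configure file to user
send ()
{
  # Mail the profile zip(s) recorded for user $1 in /etc/openvpn/user_list to
  # address $2.  The message body is the README shipped with the OpenVPN
  # package, or empty when that file is absent.
  # Globals:   rootdn, base, ou, rootpw, ldap_host (read)
  # Arguments: $1 - user name; $2 - recipient address (not validated here)
  # Returns:   exits 1 on a bad name, a missing user, an LDAP failure or when
  #            no profile file is on record
  local user_name="$1"
  local recipient="$2"
  local user_list=/etc/openvpn/user_list
  local body=/usr/share/doc/openvpn-2.1.4/README
  local rc profile
  local -a profiles=()
  local -a attach=()

  case "$user_name" in
    ''|*[!A-Za-z0-9._-]*)
      echo "Invalid user name '$user_name', exiting ..."
      exit 1 ;;
  esac

  # ldapsearch exits with the LDAP result code: 32 = no such object.
  /usr/bin/ldapsearch -x -D "$rootdn" -b "uid=$user_name@$ou,ou=$ou,$base" \
    -y <(printf '%s' "$rootpw") -h "$ldap_host" >/dev/null 2>&1
  rc=$?
  if [ "$rc" -eq 32 ]; then
    echo
    echo "User account $user_name do not exist, exiting ..."
    exit 1
  elif [ "$rc" -ne 0 ]; then
    echo "LDAP lookup for $user_name failed (ldapsearch exit $rc), exiting ..."
    exit 1
  fi

  # user_list columns: date,user,key name,profile zip,email (see create_user).
  # One -a per file keeps working on mutt versions where -a takes a single
  # argument; "--" ends the option list so the address is never read as a file.
  while IFS= read -r profile; do
    if [ -n "$profile" ] && [ -f "$profile" ]; then
      profiles+=("$profile")
      attach+=(-a "$profile")
    fi
  done < <(awk -F, -v var="$user_name" '$2 == var { print $4 }' "$user_list" 2>/dev/null)
  if [ "${#profiles[@]}" -eq 0 ]; then
    echo "No profile file on record for $user_name in $user_list, exiting ..."
    exit 1
  fi
  [ -r "$body" ] || body=/dev/null

  echo
  echo "Sending out the *** profile for user ...."
  mutt -s "××× client config files" "${attach[@]}" -- "$recipient" <"$body"
  echo
  echo "The *** profile ${profiles[*]} for user $user_name have been sent to $recipient."
}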
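create_user ()
{
  # Add the LDAP entry for user $1 and append the row
  # "date,user,key name,profile zip,email" to /etc/openvpn/user_list that
  # delete_user and send read back.  The initial password is ${random1}$1,
  # the same value initial() prints into the README.
  # Globals:   rootdn, base, ou, rootpw, ldap_host, random, random1, keys_dir (read)
  # Arguments: $1 - user name; $2 - e-mail address (recorded only)
  # Returns:   exits 1 on a bad name, when the temp file cannot be created or
  #            when ldapadd fails
  local user_name="$1"
  local email="$2"
  local log=/var/log/openvpn_provisioning.log
  local user_list=/etc/openvpn/user_list
  local clear_pw="${random1}${user_name}"
  local stored_pw ldif

  case "$user_name" in
    ''|*[!A-Za-z0-9._-]*)
      echo "Invalid user name '$user_name', exiting ..."
      exit 1 ;;
  esac

  # Store a salted hash instead of the clear-text password when slappasswd is
  # installed (it ships with openldap-servers); a simple bind verifies either
  # form.  -T reads the secret from a file so it never appears in argv.
  if command -v slappasswd >/dev/null 2>&1; then
    stored_pw=$(slappasswd -T <(printf '%s' "$clear_pw"))
  else
    stored_pw=$clear_pw
  fi
  [ -n "$stored_pw" ] || stored_pw=$clear_pw

  # The LDIF carries the password: mktemp gives a 0600 file with an
  # unpredictable name, where the original used a fixed path under /tmp.
  ldif=$(mktemp /tmp/openvpn_user.XXXXXX) || { echo "mktemp failed, exiting ..."; exit 1; }

  # NOTE(review): mailMessageStore, accountStatus, mailQuotaSize and mailHost
  # are not defined by the four schemas included in the slapd.conf shown on
  # this page; with schemacheck on, slapd rejects the add unless another
  # schema supplies them — confirm which schemas the real server loads.
  cat >"$ldif" <<EOF
dn: uid=$user_name@$ou,ou=$ou,$base
mailMessageStore: /store/$ou/users/$user_name
givenName: $user_name
sn: $user_name
mail: $user_name@$ou
objectClass: top
objectClass: inetOrgPerson
uid: $user_name@$ou
cn: $user_name
userPassword: $stored_pw
accountStatus: active
mailQuotaSize: 10485760
mailHost: 127.0.0.1
EOF
  if ! ldapadd -f "$ldif" -x -D "$rootdn" -y <(printf '%s' "$rootpw") -h "$ldap_host" >>"$log" 2>&1; then
    rm -f -- "$ldif"
    echo "ldapadd failed for $user_name, see $log, exiting ..."
    exit 1
  fi
  rm -f -- "$ldif"
  # Only record the user once the directory entry actually exists.
  printf '%s,%s,%s,%s,%s\n' "$(date "+%F %H:%M:%S")" "$user_name" "${random}_$user_name" \
    "$keys_dir/${random}_${user_name}_vpn_config.zip" "$email" >>"$user_list"
}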
help_ ()
{
  # Print the usage summary (eight lines, blank first and last) to stdout.
  # Globals: $0 (read) for the script name.
  cat <<EOF

Usage:
$0 [ -c USER_NAME EMAIL_ADDRESS ] create user account and send *** profile to the user's mailbox.
 [ -l ] list user account.
 [ -d USER_NAME ] delete user account.
 [ -s USER_NAME EMAIL_ADDRESS ] resend *** profile to the user.
 [ -h ] print help menu.

EOF
}
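check_email ()
{
  # Validate that $1 looks like a single e-mail address; on failure print the
  # usage text and exit 1.  The address later becomes a mutt argument and a
  # comma-separated column of user_list, so the whole string is anchored
  # (the original egrep searched for the pattern anywhere in the value, which
  # let surrounding text, commas and spaces through).
  # Arguments: $1 - candidate e-mail address
  # Returns:   0 when the address is acceptable; exits 1 otherwise
  local addr="$1"
  local re='^[[:alnum:]_]+([-+.][[:alnum:]_]+)*@[[:alnum:]_]+([-.][[:alnum:]_]+)*\.[[:alnum:]_]+([-.][[:alnum:]_]+)*$'
  if ! [[ "$addr" =~ $re ]]; then
    echo
    echo "Incorrect email address, exiting ..."
    help_
    exit 1
  fi
}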
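#####################
# Entry point: dispatch on the first argument.  An unrecognised option or a
# wrong argument count prints the usage and exits 1 — the original fell out
# of the case silently with status 0 for anything it did not list.
if [ $# -eq 0 ]; then
  help_
  exit 1
fi
case "$1" in
  -c)
    [ $# -eq 3 ] || { help_; exit 1; }
    check_email "$3"
    check_user "$2"
    initial "$2"
    create_user "$2" "$3"
    send "$2" "$3"
    ;;
  -l)
    [ $# -eq 1 ] || { help_; exit 1; }
    list_user
    ;;
  -d)
    [ $# -eq 2 ] || { help_; exit 1; }
    delete_user "$2"
    ;;
  -h)
    help_
    ;;
  -s)
    [ $# -eq 3 ] || { help_; exit 1; }
    # The resend path took the address unchecked; validate it like -c does.
    check_email "$3"
    send "$2" "$3"
    ;;
  *)
    help_
    exit 1
    ;;
esac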