I previously spent a week building CAS + ApacheDS single sign-on for Shopin (上品折扣). ApacheDS later turned out to be lacking in several areas, clustering in particular, so I spent another week setting up an OpenLDAP cluster instead.
Below are the problems I ran into and how I solved them:
Installing OpenLDAP
Download and install OpenLDAP
Download page: http://www.openldap.org/software/download/
Both release and stable versions are available for download.
Problems encountered while installing OpenLDAP
Run the following in /usr/local:
tar -zxf openldap-2.4.26.tgz
cd openldap-2.4.26
./configure
configure fails with:
configure: error: MozNSS not found - please specify the location to the NSPR and NSS header files in CPPFLAGS and the location to the NSPR and NSS libraries in LDFLAGS (if not in the system location)
This error means that building OpenLDAP is missing its dependencies, namely OpenSSL (for TLS) and Berkeley DB (for the bdb backend).
Download OpenSSL; at the time of writing the latest release is http://www.openssl.org/source/openssl-1.0.0e.tar.gz
Download Berkeley DB
Installing OpenSSL (check the installed version with: openssl version -a)
1. Extract into /usr/local: tar -zxf openssl-1.0.0e.tar.gz
2. cd openssl-1.0.0e
3. ./config (note: running ./Configure tells you to run ./config instead)
4. make
5. sudo make install
6. ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
Installing Berkeley DB
1. tar -zxvf db-5.2.36.tar.gz
2. cd db-5.2.36
3. cd build_unix
4. ../dist/configure
5. make
6. sudo make install
Configure /etc/ld.so.conf
ld.so.conf lists the directories whose shared libraries should be read into the dynamic loader cache (here the Berkeley DB and OpenSSL library directories, /usr/local/BerkeleyDB.5.2/lib and /usr/local/ssl/lib). After editing ld.so.conf, run ldconfig so the change takes effect.
Note: if the OpenLDAP build still reports a BDB error, the following workaround can be used:
sudo cp /usr/local/BerkeleyDB.5.2/include/* /usr/include
sudo cp /usr/local/BerkeleyDB.5.2/lib/* /usr/lib
Reinstall OpenLDAP
cd openldap-2.4.26
export LD_LIBRARY_PATH="/usr/local/db-5.2.36/build_unix/.libs"
# Both include directories and both library directories go into one variable;
# a second export of CPPFLAGS or LDFLAGS would overwrite the first one.
export CPPFLAGS="-I/usr/local/BerkeleyDB.5.2/include -I/usr/local/ssl/include"
export LDFLAGS="-L/usr/local/BerkeleyDB.5.2/lib -L/usr/local/ssl/lib"
# Note: sudo resets the environment by default, so these variables may not reach
# configure; run configure as the user that exported them, or pass them explicitly.
sudo ./configure --with-tls=openssl --enable-dynamic
sudo make depend   (builds the dependency information)
sudo make
sudo make install   (or: su root -c 'make install')
Starting OpenLDAP
/usr/local/libexec/slapd -d 256
Note: if slapd fails with an error about missing OpenSSL libraries, copy libssl.so.1.0.0 and libcrypto.so.1.0.0 from the lib directory of the OpenSSL you installed into /usr/lib.
Stopping OpenLDAP
kill -INT `cat /usr/local/var/run/slapd.pid`
Creating an OpenLDAP service
On startup the following appears:
515002de @(#) $OpenLDAP: slapd 2.4.28 (Mar 25 2013 15:53:52) $
root@web133:/usr/local/openldap-2.4.28/servers/slapd
515002de bdb_db_open: warning - no DB_CONFIG file found in directory /usr/local/var/openldap-data: (2).
Expect poor performance for suffix "dc=my-domain,dc=com".
515002de bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
515002de slapd starting
Fix: cd /usr/local/var/openldap-data/
cp DB_CONFIG.example DB_CONFIG
Create a file named slapd under /etc/init.d; it mainly provides the start and stop commands, with the following contents:
#!/bin/bash
# chkconfig: 2345 85 15
# description: OpenLdap Service
SLAPD=/usr/local/libexec/slapd

start() {
    echo "Starting OPENLDAP..."
    COMMAND_LINE="$SLAPD -d 256"
    nohup $COMMAND_LINE &
}

stop() {
    echo "Stop OpenLdap ....."
    # Send SIGINT (as in the manual stop command above) so the BDB backend
    # closes cleanly; kill -9 can leave the database needing recovery.
    for i in `ps -ef | grep -w slapd | grep -v grep | awk '{print $2}'`; do
        kill -INT $i
    done
    echo "Stop OpenLdap Succeeded...."
}

case "$1" in
    'start')
        start
        ;;
    'stop')
        stop
        ;;
    *)
        # The usage message belongs here, not in the start branch
        echo "Usage: $0 {start|stop}"
        exit 1
        ;;
esac
exit 0
cd /etc/init.d/
chmod 755 slapd
chkconfig --add slapd
./slapd start
service slapd stop
service slapd start
You will also need to extend the OpenLDAP schema to fit your company's business requirements.
The schema I extended myself, /usr/local/etc/openldap/schema/user.schema, has the following contents:
attributeType ( shopinAttributeType:1 NAME 'displayOrder'
DESC 'sort a list'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
attributeType ( shopinAttributeType:2 NAME 'status'
EQUALITY integerMatch
DESC 'sign status of a person or department normal or others'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
attributeType ( shopinAttributeType:3 NAME 'erpId'
DESC 'the code of the dept in ERP-HR'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributeType ( shopinAttributeType:4 NAME 'parentNo'
DESC 'the number of the parent organization'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
#attributeType ( shopinAttributeType:5 NAME 'titleName'
# DESC 'the name of title'
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributeType ( shopinAttributeType:6 NAME 'belongTitleDN'
DESC 'the distinguishedName of title'
SUP distinguishedName )
attributeType ( shopinAttributeType:7 NAME 'systemOccupant'
DESC 'occupant of shopin system'
SUP distinguishedName )
objectclass ( shopinObjectClass:1
NAME 'shopin-inetOrgPerson'
DESC 'shopin Internet Organizational Person'
SUP inetOrgPerson
STRUCTURAL
MAY (
audio $ businessCategory $ carLicense $ departmentNumber $
displayName $ employeeNumber $ employeeType $ givenName $
homePhone $ homePostalAddress $ initials $ jpegPhoto $
labeledURI $ mail $ manager $ mobile $ o $ pager $
photo $ roomNumber $ secretary $ uid $ userCertificate $
x500uniqueIdentifier $ preferredLanguage $
userSMIMECertificate $ userPKCS12 $ status $
displayOrder $ belongTitleDN)
)
objectclass ( shopinObjectClass:2
NAME 'shopin-organization'
DESC 'a shopin organization'
SUP organization
MUST ( o $ displayName )
MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $
x121Address $ registeredAddress $ destinationIndicator $
preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
telephoneNumber $ internationaliSDNNumber $
facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $
postalAddress $ physicalDeliveryOfficeName $ st $ l $ description $ status $
displayOrder $ erpId $ parentNo) )
objectclass ( shopinObjectClass:3 NAME 'shopin-groupOfNames'
DESC 'a group of names (DNs)'
SUP top STRUCTURAL
MUST ( cn $ displayName)
MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description
$ member $ status ) )
objectclass ( shopinObjectClass:4 NAME 'shopin-duty'
DESC 'duty info in shopin'
SUP top STRUCTURAL
MUST ( cn $ title )
MAY ( description $ status $ o) )
objectclass ( shopinObjectClass:5 NAME 'shopin-organizationalRole'
DESC 'an organizational role of shopin'
SUP organizationalRole
MUST ( cn $ displayName)
MAY ( x121Address $ registeredAddress $ destinationIndicator $
preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $
seeAlso $ roleOccupant $ preferredDeliveryMethod $ street $
postOfficeBox $ postalCode $ postalAddress $
physicalDeliveryOfficeName $ ou $ st $ l $ description $ status) )
objectclass ( shopinObjectClass:6 NAME 'shopin-system'
DESC 'system info in shopin'
SUP top STRUCTURAL
MUST ( cn $ displayName )
MAY ( description $ status $ systemOccupant) )
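Before a custom schema file like the one above is included into slapd, it is worth checking it for the mistakes that make slapd refuse to start or quietly collide with existing definitions: a reused OID under the shopinAttributeType / shopinObjectClass macros, a duplicated name, or a MUST / MAY / SUP reference to an attribute that no included schema defines. The Python script below is an added example, not part of the original post or of OpenLDAP itself. It resolves the objectIdentifier macros from slapd.conf, parses attributeType and objectclass definitions, and reports those problems. The embedded schema excerpt is constructed from the post's file with two deliberate defects added, and STANDARD_ATTRS is an assumption standing in for the attributes the included core, cosine and inetorgperson schemas define.

```python
import re

# Constructed input, not the project's own files: the objectIdentifier macros
# from slapd.conf and an excerpt of user.schema, plus two deliberate defects
# (a reused OID and a reference to an undefined attribute).
OID_MACROS = """
objectIdentifier shopinOID 1.1
objectIdentifier shopinSNMP shopinOID:1
objectIdentifier shopinLDAP shopinOID:2
objectIdentifier shopinAttributeType shopinLDAP:1
objectIdentifier shopinObjectClass shopinLDAP:2
"""

SCHEMA = """
attributeType ( shopinAttributeType:1 NAME 'displayOrder'
    DESC 'sort a list'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    SINGLE-VALUE )
attributeType ( shopinAttributeType:2 NAME 'status'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    SINGLE-VALUE )
attributetype ( shopinAttributeType:7 NAME 'systemOccupant'
    DESC 'occupant of shopin system'
    SUP distinguishedName )
# constructed defect: OID :2 is already taken by 'status'
attributeType ( shopinAttributeType:2 NAME 'erpId'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
objectclass ( shopinObjectClass:6 NAME 'shopin-system'
    DESC 'system info in shopin'
    SUP top STRUCTURAL
    MUST ( cn $ displayName )
    MAY ( description $ status $ systemOccupant $ costCentre ) )
"""

# Assumed stand-in for the attributes the standard schemas already define;
# only those the sample refers to are listed.
STANDARD_ATTRS = {"cn", "displayName", "description", "distinguishedName"}

DEF_RE = re.compile(r"^(attributetype|objectclass)\s*\(", re.I | re.M)


def parse_macros(text):
    """Collect 'objectIdentifier name value' lines into a dict."""
    macros = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "objectIdentifier":
            macros[parts[1]] = parts[2]
    return macros


def resolve_oid(oid, macros):
    """Expand a macro OID such as shopinAttributeType:1 to dotted form."""
    if oid[0].isdigit():
        return oid
    name, _, suffix = oid.partition(":")
    if name not in macros:
        raise ValueError("unknown OID macro %s" % name)
    base = resolve_oid(macros[name], macros)
    return base + "." + suffix if suffix else base


def split_definitions(text):
    """Yield (kind, body) pairs, matching parentheses by depth so nested
    MUST ( ... ) / MAY ( ... ) lists stay inside the body."""
    text = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    for m in DEF_RE.finditer(text):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {"(": 1, ")": -1}.get(text[i], 0)
            i += 1
        if depth:
            raise ValueError("unbalanced parentheses in %s definition" % m.group(1))
        yield m.group(1).lower(), text[m.end():i - 1]


def parse_definition(kind, body, macros):
    """Pull out the resolved OID, NAME, SUP and every MUST/MAY attribute."""
    name = re.search(r"NAME\s+'([^']+)'", body)
    sup = re.search(r"\bSUP\s+(\S+)", body)
    refs = set()
    for key in ("MUST", "MAY"):
        m = re.search(r"\b%s\s*\(([^)]*)\)|\b%s\s+(\w+)" % (key, key), body)
        if m:
            refs |= {a.strip() for a in (m.group(1) or m.group(2)).split("$")}
    return {"kind": kind, "oid": resolve_oid(body.split()[0], macros),
            "name": name.group(1) if name else None,
            "sup": sup.group(1) if sup else None, "refs": refs}


def lint(schema_text, macro_text, known_attrs):
    """Return problems: duplicate OIDs or names, and MUST/MAY/SUP references
    to attributes defined neither here nor in the standard schemas."""
    macros = parse_macros(macro_text)
    defs = [parse_definition(k, b, macros) for k, b in split_definitions(schema_text)]
    problems, seen_oid, seen_name = [], {}, set()
    attrs = set(known_attrs) | {d["name"] for d in defs if d["kind"] == "attributetype"}
    for d in defs:
        if d["oid"] in seen_oid:
            problems.append("duplicate OID %s: %s and %s" % (d["oid"], seen_oid[d["oid"]], d["name"]))
        seen_oid.setdefault(d["oid"], d["name"])
        if (d["kind"], d["name"]) in seen_name:
            problems.append("duplicate %s name %s" % (d["kind"], d["name"]))
        seen_name.add((d["kind"], d["name"]))
        if d["kind"] == "attributetype" and d["sup"] and d["sup"] not in attrs:
            problems.append("attributeType %s: SUP %s is undefined" % (d["name"], d["sup"]))
        for a in sorted(d["refs"] - attrs):
            problems.append("objectclass %s references undefined attribute %s" % (d["name"], a))
    return problems


if __name__ == "__main__":
    for p in lint(SCHEMA, OID_MACROS, STANDARD_ATTRS):
        print(p)
```

Run against the real user.schema, the STANDARD_ATTRS set would have to be filled from the schema files slapd.conf includes (or the check relaxed to report unknown names for manual review); the OID resolution and duplicate detection need nothing beyond the objectIdentifier lines.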
The cluster currently runs in mirror mode, that is, using OpenLDAP's own HA; ideally an LVS load balancer sits in front of it.
The contents of /usr/local/etc/openldap/slapd.conf are as follows:
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/corba.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/java.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/misc.schema
#include /usr/local/etc/openldap/schema/mail.schema
include /usr/local/etc/openldap/schema/openldap.schema
#define user's oid and schema
objectIdentifier shopinOID 1.1
objectIdentifier shopinSNMP shopinOID:1
objectIdentifier shopinLDAP shopinOID:2
objectIdentifier shopinAttributeType shopinLDAP:1
objectIdentifier shopinObjectClass shopinLDAP:2
include /usr/local/etc/openldap/schema/user.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args
# Load dynamic backend modules:
# modulepath /usr/local/libexec/openldap
# moduleload back_bdb.la
# moduleload back_hdb.la
# moduleload back_ldap.la
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=shopin,dc=net"
rootdn "cn=Manager,dc=shopin,dc=net"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /usr/local/var/openldap-data
# Indices to maintain
index objectClass eq
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
# Global section
serverID 3
# Database section
# syncrepl parameters (continuation lines must start with whitespace)
syncrepl rid=001
    provider=ldap://172.16.103.190:389
    bindmethod=simple
    binddn="cn=Manager,dc=shopin,dc=net"
    credentials=secret
    searchbase="dc=shopin,dc=net"
    schemachecking=on
    type=refreshAndPersist
    retry="60 +"
syncrepl rid=002
    provider=ldap://172.16.100.26:389
    bindmethod=simple
    binddn="cn=Manager,dc=shopin,dc=net"
    credentials=secret
    searchbase="dc=shopin,dc=net"
    schemachecking=on
    type=refreshAndPersist
    retry="60 +"
syncrepl rid=003
    provider=ldap://172.16.200.55:389
    bindmethod=simple
    binddn="cn=Manager,dc=shopin,dc=net"
    credentials=secret
    searchbase="dc=shopin,dc=net"
    schemachecking=on
    type=refreshAndPersist
    retry="60 +"
mirrormode on
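The slapd.conf above carries two weak settings that its own comments warn about: rootpw is a cleartext value (the comment points at slappasswd(8)), and every syncrepl stanza does a simple bind over plain ldap:// with credentials=secret, so the Manager password crosses the network in the clear to each mirror peer, and replication runs as the all-powerful rootdn. The Python script below is an added example, not the post's or OpenLDAP's code. It audits a slapd.conf excerpt for those settings, produces an {SSHA} hash in the format slappasswd emits by default, and rewrites the excerpt to use the hash and to require TLS on the replication connections with starttls=critical. The excerpt, the 192.0.2.10 address and the password are constructed placeholders.

```python
import base64
import hashlib
import hmac
import os
import re

# Constructed excerpt in the shape of the slapd.conf above, not the real file:
# cleartext rootpw and a syncrepl consumer doing a simple bind over ldap://.
WEAK_CONF = """\
database bdb
suffix "dc=shopin,dc=net"
rootdn "cn=Manager,dc=shopin,dc=net"
rootpw secret
directory /usr/local/var/openldap-data
overlay syncprov
serverID 3
syncrepl rid=001
    provider=ldap://192.0.2.10:389
    bindmethod=simple
    binddn="cn=Manager,dc=shopin,dc=net"
    credentials=secret
    searchbase="dc=shopin,dc=net"
    type=refreshAndPersist
    retry="60 +"
mirrormode on
"""


def ssha(password, salt=None):
    """OpenLDAP {SSHA}: base64(sha1(password + salt) + salt), the default
    scheme of slappasswd(8); a fixed salt may be passed for testing."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(password, stored):
    """Check a password against an {SSHA} value (salt = bytes after the digest)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


def split_stanzas(conf):
    """Join continuation lines (leading whitespace, as slapd.conf(5) requires)
    onto their directive; drop blank and comment lines."""
    stanzas = []
    for line in conf.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and stanzas:
            stanzas[-1] += " " + line.strip()
        else:
            stanzas.append(line.strip())
    return stanzas


def audit(conf):
    """Return findings for the weak settings discussed above."""
    findings = []
    stanzas = split_stanzas(conf)
    rootdn = next((s.split(None, 1)[1].strip('"') for s in stanzas if s.startswith("rootdn ")), None)
    if not any(s.startswith("security ") for s in stanzas):
        findings.append("no 'security' directive: cleartext simple binds are accepted")
    for s in stanzas:
        if s.startswith("rootpw ") and not s.split(None, 1)[1].startswith("{"):
            findings.append("rootpw is cleartext; store a {SSHA} hash instead")
        elif s.startswith("syncrepl "):
            rid = re.search(r"rid=(\d+)", s).group(1)
            if "provider=ldap://" in s and "starttls=" not in s:
                findings.append("syncrepl rid=%s: credentials sent in cleartext over ldap:// (no starttls)" % rid)
            binddn = re.search(r'binddn="([^"]*)"', s)
            if rootdn and binddn and binddn.group(1) == rootdn:
                findings.append("syncrepl rid=%s: replication binds as the rootdn; use a dedicated read-only identity" % rid)
    return findings


def harden(conf, rootpw_plain, salt=None):
    """Rewrite rootpw as an {SSHA} hash and add starttls=critical to every
    syncrepl consumer, so slapd refuses to replicate without TLS."""
    out = []
    for line in conf.splitlines():
        stripped = line.strip()
        if stripped.startswith("rootpw "):
            out.append("rootpw " + ssha(rootpw_plain, salt))
        elif stripped.startswith("provider=ldap://"):
            out.append(line)
            out.append(line[:len(line) - len(stripped)] + "starttls=critical")
        else:
            out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    for f in audit(WEAK_CONF):
        print("WEAK:", f)
    print(harden(WEAK_CONF, "secret"))
```

The two findings the hardening step leaves open are deliberate: choosing a replication identity with read-only ACL access instead of the rootdn, and adding a `security` line such as the commented `security ssf=1 update_ssf=112 simple_bind=64` sample in the file, are deployment decisions rather than mechanical rewrites. On a real installation the same {SSHA} value comes from `slappasswd -s`, and starttls=critical needs a `tls_cacert=` setting in each syncrepl stanza plus a TLS-enabled listener on every mirror peer.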