OPENLDAP

    之前用一周时间为上品折扣公司搭建了CAS+APACHEDS的SSO,后来发现,APACHEDS在很多方面存在不足,尤其是集群方面,故又花了一周时间安装了openldap集群。
    下面是遇到的一些问题及解决方案:

安装OPENLDAP步骤

下载OPENLDAP并安装
下载地址:http://www.openldap.org/software/download/
下载版本包括发布版本和稳定版本
安装OPENLDAP遇到的问题
在/usr/local目录下执行如下命令:
tar -zxf openldap-2.4.26
cd openldap2.4.26
./configure
出现configure error
configure: error: MozNSS not found - please specify the location to the NSPR and NSS header files in CPPFLAGS and the location to the NSPR and NSS libraries in LDFLAGS (if not in the system location)
上述error表示表示编译OPENLDAP需要其他依赖库,即OPENSSL和BerkeleyDB
下载OPENSSL,目前版本最新的SSL地址为http://www.openssl.org/source/openssl-1.0.0e.tar.gz
下载BerkeleyDB
安装OPENSSL 查看openssl版本信息openssl version -a
1,解压到/usr/local目录下tar -zxf openssl-1.0.0e.tar.gz
,cd openssl-1.0.0e
3,./config(注意:执行./Configure提示执行./config)
4,make
5,sudo make install
6,ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
安装BerkeleyDB
tar -zxvf db-5.2.36.tar.gz
1,cd db-5.2.36??
2,cd build_unix
3,../dist/configure
4,make
5,sudo make install
配置/etc/ld.so.conf文件
ld.so.conf文件配置了需要读入告诉缓存中的动态函数库所在目录
重新配置ld.so.conf后,在命令行执行ldconfig命令生效
注意:如果编译OPENLDAP的时候依然出现BDB错误,可以使用如下方式:
sudo cp /usr/local/BerkeleyDB.5.2/include/* /usr/include
sudo cp /usr/local/BerkeleyDB.5.2/lib/* /usr/lib
重新安装OPENLDAP

il IL

CD openldap-2.4.26

export LD_LIBRARY_PATH="/usr/local/db-5.2.36/build_unix/.libs"
export CPPFLAGS="-I/usr/local/BerkeleyDB.5.2/include"
export LDFLAGS="-L/usr/local/BerkeleyDB.5.2/lib"
export CPPFLAGS="-I/usr/local/ssl/include"
export LDFLAGS="-L/usr/local/ssl/lib"

sudo ./configure --with-tls=openssl –enable-dynamic

sudo make depend?? ??(??构建依赖关系??)
sudo make
sudo make install (su root -c 'make install')
OPENLDAP启动
/usr/local/libexec/slapd -d 256
注意:如果报找不到openssl的以来类库的错误,请将安装的openssl的lib中的libssl.so.1.0.0 libcrypto.so.1.0.0拷贝到/usr/lib中
OPENLDAP关闭
kill -INT ' cat /usr/local/var/run/slapd.pid'

创建OPENLDAP服务
出现:
515002de @(#) $OpenLDAP: slapd 2.4.28 (Mar 25 2013 15:53:52) $
        root@web133:/usr/local/openldap-2.4.28/servers/slapd
515002de bdb_db_open: warning - no DB_CONFIG file found in directory /usr/local/var/openldap-data: (2).
Expect poor performance for suffix "dc=my-domain,dc=com".
515002de bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
515002de slapd starting
 

解决方式:cd /usr/local/var/openldap-data/
         cp DB_CONFIG.example DB_CONFIG

     在/etc/init.d下创建slapd文件,slapd文件主要包含start、stop命令,内容如下:

#!/bin/bash
#   chkconfig:   2345   85   15 
#   description: OpenLdap Service
start() {
    echo "Starting OPENLDAP..."
         COMMAND_LINE="/usr/local/libexec/slapd -d 256"
   nohup  $COMMAND_LINE &

}

case "$1" in

    
    'start')
     start
        echo "Usage: ..."
        exit 1
        ;;
    'stop')
	echo Stop OpenLdap .....
	for i in ` ps -ef | grep -w slapd |grep -v grep |awk '{print $2}'`;do 
				kill -9 $i
	done
	echo Stop OpenLdap Secuessed....
	;;
esac

exit 0


     chkconfig --add slapd
     cd /etc/init.d/
     chmod 755 slapd
     ./slapd
     service slapd stop
     service slapd start

此外大家需要根据公司业务的需要进行基于openldap的schema的扩展,来适应公司业务。
本人自己扩展的schema,/usr/local/etc/openldap/schema/user.schema内容如下:
attributeType ( shopinAttributeType:1 NAME 'displayOrder'
      DESC 'sort a list'
      EQUALITY integerMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
      SINGLE-VALUE )

attributeType ( shopinAttributeType:2 NAME 'status'
      EQUALITY integerMatch
      DESC 'sign status of a person or department normal or others'
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
      SINGLE-VALUE )

attributeType ( shopinAttributeType:3 NAME 'erpId'
      DESC 'the code of the dept in ERP-HR'
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

attributeType ( shopinAttributeType:4 NAME 'parentNo'
      DESC 'the number of the parent orgnization'
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

#attributeType ( shopinAttributeType:5 NAME 'titleName'
#      DESC 'the name of title'
#      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )


attributeType ( shopinAttributeType:6 NAME 'belongTitleDN'
      DESC 'the distinguishedName of title'
      SUP distinguishedName )

attributetype ( shopinAttributeType:7 NAME 'systemOccupant'
	DESC 'occupant of shopin system'
	SUP distinguishedName )

objectclass	( shopinObjectClass:1
    NAME 'shopin-inetOrgPerson'
	DESC 'shopin Internet Organizational Person'
    SUP inetOrgPerson
    STRUCTURAL
	MAY (
		audio $ businessCategory $ carLicense $ departmentNumber $
		displayName $ employeeNumber $ employeeType $ givenName $
		homePhone $ homePostalAddress $ initials $ jpegPhoto $
		labeledURI $ mail $ manager $ mobile $ o $ pager $
		photo $ roomNumber $ secretary $ uid $ userCertificate $
		x500uniqueIdentifier $ preferredLanguage $
		userSMIMECertificate $ userPKCS12 $ status $ 
		displayOrder $ belongTitleDN)
	)

objectclass ( shopinObjectClass:2
	NAME 'shopin-organization'
	DESC 'an shopin organization'
	SUP organization
	MUST ( o $ displayName )
	MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $
		x121Address $ registeredAddress $ destinationIndicator $
		preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
		telephoneNumber $ internationaliSDNNumber $ 
		facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $
		postalAddress $ physicalDeliveryOfficeName $ st $ l $ description $ status $ 
		displayOrder $ erpId $ parentNo) )

objectclass ( shopinObjectClass:3 NAME 'shopin-groupOfNames'
	DESC 'a group of names (DNs)'
	SUP top STRUCTURAL
	MUST ( cn $ displayName)
	MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description 
	$ member $ status ) )

objectclass ( shopinObjectClass:4 NAME 'shopin-duty'
	DESC 'duty info in shopin'
	SUP top STRUCTURAL
	MUST ( cn $ title )
	MAY ( description $ status $ o) )

objectclass ( shopinObjectClass:5 NAME 'shopin-organizationalRole'
	DESC 'an orgnizational role of shopin'
	SUP organizationalRole
	MUST ( cn $ displayName)
	MAY ( x121Address $ registeredAddress $ destinationIndicator $ 
		preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ 
		telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $ 
		seeAlso $ roleOccupant $ preferredDeliveryMethod $ street $ 
		postOfficeBox $ postalCode $ postalAddress $ 
		physicalDeliveryOfficeName $ ou $ st $ l $ description $ status) )

objectclass ( shopinObjectClass:6 NAME 'shopin-system'
	DESC 'system info in shopin'
	SUP top STRUCTURAL
	MUST ( cn $ displayName )
	MAY ( description $ status $ systemOccupant) )




目前使用的集群方式为mirror mode方式,也即使用了openldap自身的HA,当然最好在前端使用lvs进行负载均衡。
/usr/local/etc/openldap/slapd.conf文件内容如下:
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include		/usr/local/etc/openldap/schema/core.schema
include		/usr/local/etc/openldap/schema/corba.schema
include		/usr/local/etc/openldap/schema/cosine.schema
include		/usr/local/etc/openldap/schema/inetorgperson.schema
include		/usr/local/etc/openldap/schema/java.schema
include		/usr/local/etc/openldap/schema/nis.schema
include		/usr/local/etc/openldap/schema/misc.schema
#include		/usr/local/etc/openldap/schema/mail.schema
include		/usr/local/etc/openldap/schema/openldap.schema

#define user's oid and schema
objectIdentifier shopinOID 1.1
objectIdentifier shopinSNMP shopinOID:1
objectIdentifier shopinLDAP shopinOID:2
objectIdentifier shopinAttributeType shopinLDAP:1
objectIdentifier shopinObjectClass shopinLDAP:2

include		/usr/local/etc/openldap/schema/user.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral	ldap://root.openldap.org

pidfile		/usr/local/var/run/slapd.pid
argsfile	/usr/local/var/run/slapd.args

# Load dynamic backend modules:
# modulepath	/usr/local/libexec/openldap
# moduleload	back_bdb.la
# moduleload	back_hdb.la
# moduleload	back_ldap.la

# Sample security restrictions
#	Require integrity protection (prevent hijacking)
#	Require 112-bit (3DES or better) encryption for updates
#	Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#	Root DSE: allow anyone to read it
#	Subschema (sub)entry DSE: allow anyone to read it
#	Other DSEs:
#		Allow self write access
#		Allow authenticated users read access
#		Allow anonymous users to authenticate
#	Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#	by self write
#	by users read
#	by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# BDB database definitions
#######################################################################

database	bdb
suffix		"dc=shopin,dc=net"
rootdn		"cn=Manager,dc=shopin,dc=net"
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw		secret
# The database directory MUST exist prior to running slapd AND 
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory	/usr/local/var/openldap-data
# Indices to maintain
index	objectClass	eq


overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100


# 全球部分
serverID    3
# 数据库部分

# syncrepl参数
syncrepl      rid=001
              provider=ldap://172.16.103.190:389
              bindmethod=simple
              binddn="cn=Manager,dc=shopin,dc=net"
              credentials=secret
              searchbase="dc=shopin,dc=net"
              schemachecking=on
              type=refreshAndPersist
              retry="60 +"
              
syncrepl      rid=002
              provider=ldap://172.16.100.26:389
              bindmethod=simple
              binddn="cn=Manager,dc=shopin,dc=net"
              credentials=secret
              searchbase="dc=shopin,dc=net"
              schemachecking=on
              type=refreshAndPersist
              retry="60 +"
              
syncrepl      rid=003
              provider=ldap://172.16.200.55:389
              bindmethod=simple
              binddn="cn=Manager,dc=shopin,dc=net"
              credentials=secret
              searchbase="dc=shopin,dc=net"
              schemachecking=on
              type=refreshAndPersist
              retry="60 +"


mirrormode on

你可能感兴趣的:(OPENLDAP)