Deploying open*** with OpenLDAP authentication, plus an OpenLDAP web management tool

Reference: open*** with OpenLDAP authentication, plus installing an OpenLDAP web management tool


1、Overview of the procedure:

    1. Build an Open*** 2.4.6 server that logs clients in with certificates

    2. Install ldap and the ldap web UI, create a user, and confirm the user can be found through ldap

    3. Configure open*** to authenticate against openldap

2、Install ldap and the ldap web UI, and create the user database

    1. Environment preparation:

The following package groups are required; none of them may be missing:
yum grouplist   # show which package groups are installed
   Base
   Compatibility libraries
   Debugging Tools
   Development tools
   Dial-up Networking Support
   Hardware monitoring utilities
   Performance Tools

    2. Install the dependencies

yum -y install openldap openldap-* nscd nss-pam-ldapd pcre pcre-* nss-*

    3. Copy the template slapd.conf into place (the template stays as your backup)

cd /etc/openldap/
cp /usr/share/openldap-servers/slapd.conf.obsolete slapd.conf

Configuration file (comments and blank lines stripped):

# grep -Ev "^$|^[#;]"  /etc/openldap/slapd.conf 
include		/etc/openldap/schema/corba.schema
include		/etc/openldap/schema/core.schema
include		/etc/openldap/schema/cosine.schema
include		/etc/openldap/schema/duaconf.schema
include		/etc/openldap/schema/dyngroup.schema
include		/etc/openldap/schema/inetorgperson.schema
include		/etc/openldap/schema/java.schema
include		/etc/openldap/schema/misc.schema
include		/etc/openldap/schema/nis.schema
include		/etc/openldap/schema/openldap.schema
include		/etc/openldap/schema/ppolicy.schema
include		/etc/openldap/schema/collective.schema
allow bind_v2
pidfile		/var/run/openldap/slapd.pid
argsfile	/var/run/openldap/slapd.args
TLSCACertificatePath /etc/openldap/certs
TLSCertificateFile "\"OpenLDAP Server\""
TLSCertificateKeyFile /etc/openldap/certs/password
access to *
	by self write
	by anonymous auth
	by * read
database	bdb
suffix		"dc=***,dc=apicloud,dc=com"
checkpoint	2048 10
rootdn		"cn=admin,dc=***,dc=apicloud,dc=com"
loglevel    296
cachesize   1000
rootpw	123456
directory	/var/lib/ldap
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub

Two things to note in this file. `rootpw` is the directory superuser password and is stored here in cleartext; outside a lab put an `{SSHA}` hash there instead (`slappasswd -h {SSHA}` prints one) and keep the file readable only by root and the ldap user. The TLS lines are the template defaults for the Mozilla NSS build of OpenLDAP on this platform: `TLSCertificateFile` names a certificate nickname ("OpenLDAP Server") inside the NSS database under /etc/openldap/certs rather than a PEM file, and `TLSCertificateKeyFile` points at the file holding that database's password, so TLS only works once a certificate has been imported there.

    4. Copy the database configuration from the template and hand ownership to the ldap user

cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap:ldap /var/lib/ldap/DB_CONFIG
chmod 700 /var/lib/ldap/

    5. Test the configuration

slaptest -u   # dry run: check slapd.conf for errors without touching the database


    6. Start slapd and enable it at boot:

/etc/init.d/slapd start
chkconfig slapd on
chkconfig --list slapd


   7. Verify that the directory can be queried

ldapsearch -H "ldap://***.apicloud.com:389" -D "cn=admin,dc=***,dc=apicloud,dc=com" -w '123456' -b "DC=***,DC=apicloud,DC=com"

If this error appears:

ldap_bind: Invalid credentials (49)

the cause is that slapd on this platform reads its configuration from the /etc/openldap/slapd.d directory (cn=config) that ships with the package, not from slapd.conf, so the rootdn and rootpw set above are not in effect yet. Convert slapd.conf into slapd.d and restart:

# rm -rf /etc/openldap/slapd.d/*

# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
57763ec6 bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
config file testing succeeded

#  chown -R ldap.ldap /etc/openldap/slapd.d

#  service slapd restart

Then repeat the query (note the bind password is passed on the command line with -w, so it is visible in the process list and shell history; `-W` prompts for it instead):

# ldapsearch -H "ldap://***.apicloud.com:389" -D "cn=admin,dc=***,dc=apicloud,dc=com" -w '123456' -b "DC=***,DC=apicloud,DC=com"
 
The following sample password-checker settings also appear here; they are not used by this setup (the ppolicy schema is included above, but no ppolicy overlay is configured):

# OpenLDAP pwdChecker library configuration

#useCracklib 1
#minPoints 3
#minUpper 0
#minLower 0
#minDigit 0
#minPunct 0

    8. Configure the web management interface for the ldap master:

Here the latest ldap-account-manager-6.3.tar.bz2 is used, which requires PHP >= 5.6, so PHP is taken from the webtatic repository (a third-party repo; EL6 and PHP 5.6 are both past end of life, so on a current platform use the distribution's own PHP packages):

rpm -Uvh http://mirror.webtatic.com/yum/el6/latest.rpm
yum install httpd php56w php56w-cli php56w-common php56w-devel php56w-gd php56w-ldap

Download ldap-account-manager:

https://jaist.dl.sourceforge.net/project/lam/LAM/6.3/ldap-account-manager-6.3.tar.bz2

Upload it to /var/www/html, unpack it and rename the directory:

tar xf ldap-account-manager-6.3.tar.bz2 && mv ldap-account-manager-6.3 ldap

Copy the sample config files into place (config.cfg holds LAM's global settings; lam.conf is the server profile selected by its `default:` line):

cd /var/www/html/ldap/config && cp config.cfg.sample config.cfg && cp unix.conf.sample lam.conf
# grep -Ev "^$|^[#;]"  config.cfg
password: {SSHA}D6AaX93kPmck9wAxNlq3GF93S7A= R7gkjQ==
default: lam
logLevel: 4
logDestination: SYSLOG

# grep -Ev "^$|^[#;]"  lam.conf 
ServerURL: ldap://localhost:389
Admins: cn=admin,dc=***,dc=apicloud,dc=com
Passwd: lam
treesuffix: dc=***,dc=apicloud,dc=com
defaultLanguage: zh_CN.utf8
scriptPath:
scriptServer:
scriptRights: 750
cachetimeout: 5
searchLimit: 0
modules: posixAccount_user_minUID: 10000
modules: posixAccount_user_maxUID: 30000
modules: posixAccount_host_minMachine: 50000
modules: posixAccount_host_maxMachine: 60000
modules: posixGroup_group_minGID: 10000
modules: posixGroup_group_maxGID: 20000
modules: posixGroup_pwdHash: SSHA
modules: posixAccount_pwdHash: SSHA
activeTypes: user,group
types: suffix_user: ou=People,dc=***,dc=apicloud,dc=com
types: attr_user: #uid;#givenName;#sn;#uidNumber;#gidNumber
types: modules_user: inetOrgPerson,posixAccount,shadowAccount
types: suffix_group: ou=group,dc=***,dc=apicloud,dc=com
types: attr_group: #cn;#gidNumber;#memberUID;#description
types: modules_group: posixGroup
lamProMailSubject: Your password was reset
lamProMailText: Dear @@givenName@@ @@sn@@,+::++::+your password was reset to: @@newPassword@@+::++::++::+Best regards+::++::+deskside support+::+

Two values above are LAM's shipped defaults and should be changed in the web UI after the first login: the `password:` line in config.cfg is the master (configuration) password, and `Passwd: lam` in lam.conf is the profile password. `Admins:` is the DN LAM binds with; its password is typed in at login, not stored in the profile. LAM talks to ldap://localhost:389 without TLS, so keep the directory and the web UI on the same host or change ServerURL to ldaps://.

Restart httpd:

service httpd restart

Open the web UI (port 81 is the Listen port configured for httpd on this host; the stock default is 80):

http://10.124.151.251:81

On first login LAM may offer to create the following missing entries (the ou=People and ou=group containers named in lam.conf):
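Two places above end up holding a password: `rootpw` in slapd.conf (stored in cleartext) and the userPassword values LAM writes with `pwdHash: SSHA`. The following is an added example, not code from this page, from OpenLDAP or from LAM. It shows how the {SSHA} scheme both of them accept is built and checked, and writes the ou=People / ou=group entries LAM manages here as LDIF so they can be loaded with ldapadd instead of clicked through. dc=example,dc=com stands in for the redacted suffix on the page, and the user names, numbers and passwords are made up.

```python
"""Added example (not from the page, OpenLDAP or LAM): build and verify the
{SSHA} password hashes used above, and emit the LDIF for the tree LAM manages."""
import base64
import hashlib
import hmac
import os
from typing import List, Optional


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """{SSHA} value = base64(sha1(password + salt) + salt); slappasswd uses a 4-byte salt."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, password: str) -> bool:
    """Constant-time check of a password against a stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes, the salt is the rest
    return hmac.compare_digest(digest, hashlib.sha1(password.encode("utf-8") + salt).digest())


def ldif_line(attr: str, value: str) -> str:
    """LDIF safe-string rule: non-ASCII, control characters or a leading
    space/colon/'<' force the base64 form, written as 'attr:: ...'."""
    safe = (value.isascii() and not any(c in value for c in "\r\n\x00")
            and value[:1] not in (" ", ":", "<"))
    if safe:
        return "%s: %s" % (attr, value)
    return "%s:: %s" % (attr, base64.b64encode(value.encode("utf-8")).decode("ascii"))


def base_ldif(suffix: str) -> str:
    """The suffix entry plus the ou=People and ou=group containers named in lam.conf."""
    dc = suffix.split(",")[0].split("=", 1)[1]
    blocks = [
        ["dn: " + suffix, "objectClass: dcObject", "objectClass: organization",
         ldif_line("dc", dc), ldif_line("o", dc)],
        ["dn: ou=People," + suffix, "objectClass: organizationalUnit", "ou: People"],
        ["dn: ou=group," + suffix, "objectClass: organizationalUnit", "ou: group"],
    ]
    return "\n\n".join("\n".join(b) for b in blocks) + "\n"


def user_ldif(uid: str, uid_number: int, gid_number: int, password: str,
              suffix: str, sn: Optional[str] = None) -> str:
    """One account with the objectClass combination lam.conf lists for users."""
    lines = [
        "dn: uid=%s,ou=People,%s" % (uid, suffix),
        "objectClass: inetOrgPerson", "objectClass: posixAccount", "objectClass: shadowAccount",
        ldif_line("uid", uid), ldif_line("cn", uid), ldif_line("sn", sn or uid),
        "uidNumber: %d" % uid_number, "gidNumber: %d" % gid_number,
        "homeDirectory: /home/%s" % uid, "loginShell: /bin/bash",
        ldif_line("userPassword", ssha_hash(password)),   # never the cleartext
    ]
    return "\n".join(lines) + "\n"


def group_ldif(cn: str, gid_number: int, member_uids: List[str], suffix: str) -> str:
    """A posixGroup: members are memberUid values (uids), not DNs as in groupOfUniqueNames."""
    lines = ["dn: cn=%s,ou=group,%s" % (cn, suffix), "objectClass: posixGroup",
             ldif_line("cn", cn), "gidNumber: %d" % gid_number]
    lines += ["memberUid: " + m for m in member_uids]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    suffix = "dc=example,dc=com"               # stands in for the redacted suffix on the page
    print("rootpw\t" + ssha_hash("123456"))    # paste this into slapd.conf instead of the cleartext
    print(base_ldif(suffix))
    print(user_ldif("qingbo", 10001, 10000, "change-me", suffix, sn="宋"))
    print(group_ldif("developers", 10000, ["qingbo"], suffix))
```

The `rootpw` line printed by the script is in the same format `slappasswd -h {SSHA}` produces; the LDIF can be loaded with `ldapadd -x -D "cn=admin,..." -W -f file.ldif`. Note that the posixGroup lists its members in memberUid (a uid) rather than uniqueMember (a DN); this is what the `<Group>` block of the open*** plugin config has to match if group membership is ever enforced.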

3、Configure open*** authentication against openldap

    1. Install the plugin:

yum -y install open***-auth-ldap

    2. Back up and edit the open***-auth-ldap configuration file

cp /etc/open***/auth/ldap.conf /etc/open***/auth/ldap.conf.default
# grep -Ev "^$|^[#;]" /etc/open***/auth/ldap.conf
<LDAP>
	# LDAP server URL
	# URL		ldap://***.apicloud.com:389
	URL		ldap://10.124.151.251:389
	# Bind DN (If your LDAP server doesn't support anonymous binds)
	# BindDN		uid=Manager,ou=People,dc=example,dc=com
	BindDN		cn=admin,dc=***,dc=apicloud,dc=com
	# Bind Password
	# Password	SecretPassword
	Password	123456
	# Network timeout (in seconds)
	Timeout		15
	# Enable Start TLS
	# TLSEnable	yes
	TLSEnable	no
	# Follow LDAP Referrals (anonymously)
	# FollowReferrals yes
	FollowReferrals no
	# TLS CA Certificate File
	TLSCACertFile	/usr/local/etc/ssl/ca.pem
	# TLS CA Certificate Directory
	TLSCACertDir	/etc/ssl/certs
	# Client Certificate and key
	# If TLS client authentication is required
	TLSCertFile	/usr/local/etc/ssl/client-cert.pem
	TLSKeyFile	/usr/local/etc/ssl/client-key.pem
	# Cipher Suite
	# The defaults are usually fine here
	# TLSCipherSuite	ALL:!ADH:@STRENGTH
</LDAP>
<Authorization>
	# Base DN
	BaseDN		"ou=People,dc=***,dc=apicloud,dc=com"
	# User Search Filter
	# SearchFilter	"(&(uid=%u)(accountStatus=active))"
	SearchFilter	"(uid=%u)"
	# Require Group Membership
	RequireGroup	false
	# Add non-group members to a PF table (disabled)
	#PFTable	ips_***_users
	<Group>
		BaseDN		"ou=Groups,dc=***,dc=apicloud,dc=com"
		SearchFilter	"(|(cn=developers)(cn=artists))"
		MemberAttribute	uniqueMember
		# Add group members to a PF table (disabled)
		#PFTable	ips_***_eng
	</Group>
</Authorization>

Points to check in this file. `Password 123456` is the rootdn password in cleartext; the plugin only needs to search ou=People and then bind as the user, so give it a dedicated read-only bind DN instead, and keep the file owned by root with mode 600.

`TLSEnable no` means the bind credentials and every user's VPN password travel to the LDAP server in cleartext. That is tolerable only while slapd runs on the same host as open***; otherwise set `TLSEnable yes` (StartTLS) and point `TLSCACertFile` at the CA that signed the slapd certificate. The TLS paths shown are the sample's placeholders (/usr/local/etc/ssl/...) and need real paths before TLS is enabled.

`RequireGroup false` means the `<Group>` block is ignored: any account under ou=People with a valid password can connect. Before turning it on, note that LAM creates groups under ou=group (lam.conf above), not ou=Groups, and that a posixGroup lists its members in memberUid (a uid), not uniqueMember (a DN), so both the group `BaseDN` and `MemberAttribute` would have to change.
cp /usr/share/doc/open***-auth-ldap-2.0.3/auth-ldap.conf /usr/share/doc/open***-auth-ldap-2.0.3/auth-ldap.conf.default

The copy under /usr/share/doc is only the package's sample; the plugin reads whatever path is given on the `plugin` line in server.conf (/etc/open***/auth/ldap.conf above), so edits to this copy have no effect. It was edited here too, with the same contents as the file above apart from these lines:

# grep -Ev "^$|^[#;]" /usr/share/doc/open***-auth-ldap-2.0.3/auth-ldap.conf
	URL		ldap://***.apicloud.com:389
...
		# SearchFilter	"(|(cn=developers)(cn=artists))"
		SearchFilter	"(|(cn=*)(cn=artists))"

`(cn=*)` matches every group under the group BaseDN, so with RequireGroup set to true this filter would admit a member of any group at all.
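What the `<Authorization>` block above decides is hard to see from the config alone. The following is an added simulation of that flow, written for this page and not the plugin's own code, run against a small constructed in-memory directory shaped like the one LAM builds here: the escaped username is substituted for `%u` in SearchFilter under BaseDN, exactly one hit is required, the password is checked against that entry, and only when RequireGroup is true is the user looked for in the groups matching the group SearchFilter via MemberAttribute. The simulation assumes memberUid carries a uid while uniqueMember/member carry a DN; check the plugin's own ldap.conf comments for its exact membership rule. dc=example,dc=com, the users alice and bob and their passwords are made up.

```python
"""Added example: simulate the open***-auth-ldap decision flow offline.
This is not the plugin's code; DIRECTORY below is a constructed sample."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed directory in the shape LAM builds on this page: users under ou=People,
# posixGroup entries under ou=group. dc=example,dc=com stands in for the real suffix.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "uid=alice,ou=People,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson", "posixAccount", "shadowAccount"],
        "uid": ["alice"], "userPassword": ["alice-pw"]},
    "uid=bob,ou=People,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson", "posixAccount", "shadowAccount"],
        "uid": ["bob"], "userPassword": ["bob-pw"]},
    "cn=developers,ou=group,dc=example,dc=com": {
        "objectClass": ["posixGroup"], "cn": ["developers"], "memberUid": ["alice"]},
    "cn=artists,ou=group,dc=example,dc=com": {
        "objectClass": ["posixGroup"], "cn": ["artists"], "memberUid": ["bob"]},
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for text substituted into a filter (the %u in SearchFilter)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text: str):
    """Parse the subset of RFC 4515 used here: (attr=value), (attr=*), (&...), (|...)."""
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing data in filter: %r" % text[end:])
    return node


def _parse(s: str, i: int):
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i < len(s) and s[i] in "&|":
        op, i, kids = ("and" if s[i] == "&" else "or"), i + 1, []
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unbalanced filter")
        return (op, kids), i + 1
    j = s.find(")", i)
    attr, sep, value = s[i:j].partition("=")
    if j < 0 or not sep:
        raise ValueError("unsupported filter item: %r" % s[i:j])
    if value == "*":
        return ("present", attr.lower()), j + 1
    return ("eq", attr.lower(), _unescape(value)), j + 1


def _values(entry: Dict[str, List[str]], attr: str) -> List[str]:
    """Attribute names are case-insensitive in LDAP."""
    return [v for a, vs in entry.items() if a.lower() == attr.lower() for v in vs]


def _matches(node, entry: Dict[str, List[str]]) -> bool:
    if node[0] == "and":
        return all(_matches(k, entry) for k in node[1])
    if node[0] == "or":
        return any(_matches(k, entry) for k in node[1])
    values = _values(entry, node[1])
    if node[0] == "present":
        return bool(values)
    return any(v.lower() == node[2].lower() for v in values)  # caseIgnore equality


def search(base_dn: str, filter_text: str) -> List[str]:
    """DNs in the subtree under base_dn whose entry matches the filter."""
    node, base = parse_filter(filter_text), base_dn.lower()
    return [dn for dn, e in DIRECTORY.items()
            if (dn.lower() == base or dn.lower().endswith("," + base)) and _matches(node, e)]


@dataclass
class AuthConfig:
    base_dn: str
    search_filter: str = "(uid=%u)"
    require_group: bool = False            # RequireGroup
    group_base_dn: str = ""                # <Group> BaseDN
    group_filter: str = ""                 # <Group> SearchFilter
    member_attribute: str = "uniqueMember"  # <Group> MemberAttribute


def authenticate(cfg: AuthConfig, username: str, password: str) -> Tuple[bool, str]:
    # 1. Look the user up with the escaped username in place of %u; exactly one hit is required.
    hits = search(cfg.base_dn, cfg.search_filter.replace("%u", escape_filter_value(username)))
    if len(hits) != 1:
        return False, "user lookup returned %d entries" % len(hits)
    user_dn = hits[0]
    # 2. Simulated bind as that DN (a real server checks the stored {SSHA} hash).
    if password not in _values(DIRECTORY[user_dn], "userPassword"):
        return False, "bind as %s failed" % user_dn
    if not cfg.require_group:
        return True, "authenticated; RequireGroup false, <Group> block not consulted"
    # 3. Group check. Simulation's assumption: memberUid holds a uid, member/uniqueMember a DN.
    wanted = username if cfg.member_attribute.lower() == "memberuid" else user_dn
    for group_dn in search(cfg.group_base_dn, cfg.group_filter):
        if any(m.lower() == wanted.lower()
               for m in _values(DIRECTORY[group_dn], cfg.member_attribute)):
            return True, "member of %s" % group_dn
    return False, "no group matching %s lists the user in %s" % (cfg.group_filter, cfg.member_attribute)


if __name__ == "__main__":
    lax = AuthConfig(base_dn="ou=People,dc=example,dc=com")
    print(authenticate(lax, "alice", "alice-pw"))
    print(authenticate(lax, "alice)(uid=*", "alice-pw"))   # injection attempt is escaped away
    strict = AuthConfig(base_dn="ou=People,dc=example,dc=com", require_group=True,
                        group_base_dn="ou=group,dc=example,dc=com",
                        group_filter="(cn=developers)", member_attribute="uniqueMember")
    print(authenticate(strict, "alice", "alice-pw"))       # denied: posixGroup has no uniqueMember
    strict.member_attribute = "memberUid"
    print(authenticate(strict, "alice", "alice-pw"))       # allowed
```

Running it shows the three things the page's config leaves implicit: with RequireGroup false the group block never matters, a group restriction against LAM's posixGroups only works with `MemberAttribute memberUid` under `ou=group`, and the `(cn=*)` variant of the group filter lets any group membership through.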

    3. Edit the open*** server configuration server.conf

Add the following three lines:
plugin /usr/lib64/open***/plugin/lib/open***-auth-ldap.so "/etc/open***/auth/ldap.conf cn=%u"
client-cert-not-required
username-as-common-name

What they do: the `plugin` line loads the auth-ldap plugin with the path of the ldap.conf edited above as its argument (the trailing `cn=%u` is not a documented plugin option and can be dropped). `client-cert-not-required` disables the client-certificate check, so a client needs only ca.crt, ta.key and a valid LDAP login; it is deprecated in 2.4 in favour of `verify-client-cert none` and removed in 2.5, and leaving it out keeps the client certificate as a second factor alongside the LDAP password. `username-as-common-name` makes the LDAP uid, not the certificate CN, the name used for ccd/ entries and ipp.txt. Two other settings in the full file below deserve a look: `comp-lzo` turns on compression, which the OpenVPN project advises against because of compression-oracle attacks (VORACLE) on traffic an attacker can partly control, and `client-to-client` lets every VPN user reach every other user's address.
# grep -Ev "^$|^[#;]" /etc/open***/server.conf
port 1194
proto udp
dev tap
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh2048.pem
server 10.124.163.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.0.0.0 255.0.0.0"
# several routes can be pushed to the client
push "route 101.200.33.180 255.255.255.252"
push "route 123.56.4.85 255.255.255.252"
client-config-dir ccd
push "dhcp-option DNS 223.5.5.5"
push "dhcp-option DNS 223.6.6.6"
client-to-client
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /var/log/open***/open***-status.log
log         /var/log/open***/open***.log
log-append  /var/log/open***/open***.log
verb 3
explicit-exit-notify 1
plugin /usr/lib64/open***/plugin/lib/open***-auth-ldap.so "/etc/open***/auth/ldap.conf cn=%u" 
client-cert-not-required 
username-as-common-name

    4. Edit the client config file qingbo.o*** and add the following line:

auth-user-pass
D:\Program Files\Open***\config>grep -Ev "^$|^[#;]" qingbo.song.o***
client
dev tap
proto udp
remote ***.apicloud.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
remote-cert-tls server
ns-cert-type server
auth-user-pass
tls-auth ta.key 1
cipher AES-256-CBC
comp-lzo
verb 3

`remote-cert-tls server` already checks that the server certificate carries the server extended key usage; `ns-cert-type server` is its deprecated predecessor, looks at the nsCertType extension instead, and fails on certificates that lack that extension, so it can be dropped.


    5. Restart the open*** service:

service open*** restart

Note: when open*** is restarted, the tap0 interface sometimes fails to bind; restarting once more binds it again. This may be related to clients still being connected at the time.

Keep in mind that in this article both the server and the client run in tap mode, i.e. a bridged (switch-style) subnet; each user has a fixed address recorded in /etc/open***/ipp.txt, and a user cannot be logged in from several devices at once (server.conf has no `duplicate-cn`, so a second login with the same uid displaces the first session). This is what makes a user identifiable by address. If multi-device login is needed, it will be handled in a later upgrade and this document updated.
