Reference link: open*** authentication against OpenLDAP, plus installing the OpenLDAP web management software
1、Preparation workflow:
1. Deploy an Open*** 2.4.6 server with certificate-based login
2. Install LDAP and the LDAP web UI, create users, and confirm the created users can be found through LDAP
3. Configure open*** to authenticate against OpenLDAP
2、Install LDAP and the LDAP web UI, and create users
1. Environment preparation:
The following package groups are all required; none may be missing:
yum grouplist   # list which package groups are installed
Base
Compatibility libraries
Debugging Tools
Development tools
Dial-up Networking Support
Hardware monitoring utilities
Performance Tools
2. Install dependency packages
yum -y install openldap openldap-* nscd nss-pam-ldapd pcre pcre-* nss-*
3. Copy the LDAP configuration file slapd.conf from the template (keeping the template as the backup)
cd /etc/openldap/
cp /usr/share/openldap-servers/slapd.conf.obsolete slapd.conf
Configuration file:
# grep -Ev "^$|^[#;]" /etc/openldap/slapd.conf
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
TLSCACertificatePath /etc/openldap/certs
TLSCertificateFile "\"OpenLDAP Server\""
TLSCertificateKeyFile /etc/openldap/certs/password
access to * by self write by anonymous auth by * read
database bdb
suffix "dc=***,dc=apicloud,dc=com"
checkpoint 2048 10
rootdn "cn=admin,dc=***,dc=apicloud,dc=com"
loglevel 296
cachesize 1000
rootpw 123456
directory /var/lib/ldap
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
4. Copy the database configuration file from the template and set its ownership and permissions
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap:ldap /var/lib/ldap/DB_CONFIG
chmod 700 /var/lib/ldap/
5. Test
slaptest -u
6. Start slapd:
/etc/init.d/slapd start
chkconfig slapd on
chkconfig --list slapd
7. Verify that the data can be queried
ldapsearch -H "ldap://***.apicloud.com:389" -D "cn=admin,dc=***,dc=apicloud,dc=com" -w '123456' -b "DC=***,DC=apicloud,DC=com"
If the following error is reported:
ldap_bind: Invalid credentials (49)
Fix (regenerate the slapd.d configuration from slapd.conf, fix its ownership, restart):
# rm -rf /etc/openldap/slapd.d/*
# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
57763ec6 bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
config file testing succeeded
# chown -R ldap.ldap /etc/openldap/slapd.d
# service slapd restart
# ldapsearch -H "ldap://***.apicloud.com:389" -D "cn=admin,dc=***,dc=apicloud,dc=com" -w '123456' -b "DC=***,DC=apicloud,DC=com"
# OpenLDAP pwdChecker library configuration
#useCracklib 1
#minPoints 3
#minUpper 0
#minLower 0
#minDigit 0
#minPunct 0
8. Configure a web management interface for the LDAP master:
The latest ldap-account-manager-6.3.tar.bz2 is used here; it requires PHP >= 5.6
rpm -Uvh http://mirror.webtatic.com/yum/el6/latest.rpm
yum install httpd php56w php56w-cli php56w-common php56w-devel php56w-gd php56w-ldap
Download ldap-account-manager:
https://jaist.dl.sourceforge.net/project/lam/LAM/6.3/ldap-account-manager-6.3.tar.bz2
Upload it to /var/www/html, then extract and rename it:
tar xf ldap-account-manager-6.3.tar.bz2 && mv ldap-account-manager-6.3 ldap
Copy the configuration files:
cd /var/www/html/ldap/config && cp config.cfg.sample config.cfg && cp unix.conf.sample lam.conf
# grep -Ev "^$|^[#;]" config.cfg
password: {SSHA}D6AaX93kPmck9wAxNlq3GF93S7A= R7gkjQ==
default: lam
logLevel: 4
logDestination: SYSLOG
# grep -Ev "^$|^[#;]" lam.conf
ServerURL: ldap://localhost:389
Admins: cn=admin,dc=***,dc=apicloud,dc=com
Passwd: lam
treesuffix: dc=***,dc=apicloud,dc=com
defaultLanguage: zh_CN.utf8
scriptPath:
scriptServer:
scriptRights: 750
cachetimeout: 5
searchLimit: 0
modules: posixAccount_user_minUID: 10000
modules: posixAccount_user_maxUID: 30000
modules: posixAccount_host_minMachine: 50000
modules: posixAccount_host_maxMachine: 60000
modules: posixGroup_group_minGID: 10000
modules: posixGroup_group_maxGID: 20000
modules: posixGroup_pwdHash: SSHA
modules: posixAccount_pwdHash: SSHA
activeTypes: user,group
types: suffix_user: ou=People,dc=***,dc=apicloud,dc=com
types: attr_user: #uid;#givenName;#sn;#uidNumber;#gidNumber
types: modules_user: inetOrgPerson,posixAccount,shadowAccount
types: suffix_group: ou=group,dc=***,dc=apicloud,dc=com
types: attr_group: #cn;#gidNumber;#memberUID;#description
types: modules_group: posixGroup
lamProMailSubject: Your password was reset
lamProMailText: Dear @@givenName@@ @@sn@@,+::++::+your password was reset to: @@newPassword@@+::++::++::+Best regards+::++::+deskside support+::+
Restart httpd:
service httpd restart
Open the web UI:
http://10.124.151.251:81
On first login you may be asked to create the following entries:
3、Configure open*** authentication against OpenLDAP
1. Install the supporting plugin:
yum -y install open***-auth-ldap
2. Back up and edit the open***-auth-ldap configuration file
cp /etc/open***/auth/ldap.conf /etc/open***/auth/ldap.conf.default
# grep -Ev "^$|^[#;]" /etc/open***/auth/ldap.conf
<LDAP>
    # LDAP server URL
    # URL ldap://***.apicloud.com:389
    URL ldap://10.124.151.251:389
    # Bind DN (If your LDAP server doesn't support anonymous binds)
    # BindDN uid=Manager,ou=People,dc=example,dc=com
    BindDN cn=admin,dc=***,dc=apicloud,dc=com
    # Bind Password
    # Password SecretPassword
    Password 123456
    # Network timeout (in seconds)
    Timeout 15
    # Enable Start TLS
    # TLSEnable yes
    TLSEnable no
    # Follow LDAP Referrals (anonymously)
    # FollowReferrals yes
    FollowReferrals no
    # TLS CA Certificate File
    TLSCACertFile /usr/local/etc/ssl/ca.pem
    # TLS CA Certificate Directory
    TLSCACertDir /etc/ssl/certs
    # Client Certificate and key
    # If TLS client authentication is required
    TLSCertFile /usr/local/etc/ssl/client-cert.pem
    TLSKeyFile /usr/local/etc/ssl/client-key.pem
    # Cipher Suite
    # The defaults are usually fine here
    # TLSCipherSuite ALL:!ADH:@STRENGTH
</LDAP>
<Authorization>
    # Base DN
    BaseDN "ou=People,dc=***,dc=apicloud,dc=com"
    # User Search Filter
    # SearchFilter "(&(uid=%u)(accountStatus=active))"
    SearchFilter "(uid=%u)"
    # Require Group Membership
    RequireGroup false
    # Add non-group members to a PF table (disabled)
    #PFTable ips_***_users
    <Group>
        BaseDN "ou=Groups,dc=***,dc=apicloud,dc=com"
        SearchFilter "(|(cn=developers)(cn=artists))"
        MemberAttribute uniqueMember
        # Add group members to a PF table (disabled)
        #PFTable ips_***_eng
    </Group>
</Authorization>
The copy shipped under /usr/share/doc was backed up and edited the same way:
cp /usr/share/doc/open***-auth-ldap-2.0.3/auth-ldap.conf /usr/share/doc/open***-auth-ldap-2.0.3/auth-ldap.conf.default
# grep -Ev "^$|^[#;]" /usr/share/doc/open***-auth-ldap-2.0.3/auth-ldap.conf
<LDAP>
    # LDAP server URL
    URL ldap://***.apicloud.com:389
    # Bind DN (If your LDAP server doesn't support anonymous binds)
    # BindDN uid=Manager,ou=People,dc=example,dc=com
    BindDN cn=admin,dc=***,dc=apicloud,dc=com
    # Bind Password
    # Password SecretPassword
    Password 123456
    # Network timeout (in seconds)
    Timeout 15
    # Enable Start TLS
    # TLSEnable yes
    TLSEnable no
    # Follow LDAP Referrals (anonymously)
    # FollowReferrals yes
    FollowReferrals no
    # TLS CA Certificate File
    TLSCACertFile /usr/local/etc/ssl/ca.pem
    # TLS CA Certificate Directory
    TLSCACertDir /etc/ssl/certs
    # Client Certificate and key
    # If TLS client authentication is required
    TLSCertFile /usr/local/etc/ssl/client-cert.pem
    TLSKeyFile /usr/local/etc/ssl/client-key.pem
    # Cipher Suite
    # The defaults are usually fine here
    # TLSCipherSuite ALL:!ADH:@STRENGTH
</LDAP>
<Authorization>
    # Base DN
    BaseDN "ou=People,dc=***,dc=apicloud,dc=com"
    # User Search Filter
    # SearchFilter "(&(uid=%u)(accountStatus=active))"
    SearchFilter "(uid=%u)"
    # Require Group Membership
    RequireGroup false
    # Add non-group members to a PF table (disabled)
    #PFTable ips_***_users
    <Group>
        BaseDN "ou=Groups,dc=***,dc=apicloud,dc=com"
        # SearchFilter "(|(cn=developers)(cn=artists))"
        SearchFilter "(|(cn=*)(cn=artists))"
        MemberAttribute uniqueMember
        # Add group members to a PF table (disabled)
        #PFTable ips_***_eng
    </Group>
</Authorization>
3. Edit the open*** configuration file server.conf
Add the following:
plugin /usr/lib64/open***/plugin/lib/open***-auth-ldap.so "/etc/open***/auth/ldap.conf cn=%u"
client-cert-not-required
username-as-common-name
# grep -Ev "^$|^[#;]" /etc/open***/server.conf
port 1194
proto udp
dev tap
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh2048.pem
server 10.124.163.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.0.0.0 255.0.0.0"  # several route pushes to clients are supported
push "route 101.200.33.180 255.255.255.252"
push "route 123.56.4.85 255.255.255.252"
client-config-dir ccd
push "dhcp-option DNS 223.5.5.5"
push "dhcp-option DNS 223.6.6.6"
client-to-client
keepalive 10 120
tls-auth ta.key 0  # This file is secret
cipher AES-256-CBC
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /var/log/open***/open***-status.log
log /var/log/open***/open***.log
log-append /var/log/open***/open***.log
verb 3
explicit-exit-notify 1
plugin /usr/lib64/open***/plugin/lib/open***-auth-ldap.so "/etc/open***/auth/ldap.conf cn=%u"
client-cert-not-required
username-as-common-name
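The files above keep several settings in their weak form: slapd.conf stores rootpw in cleartext and its single "access to *" rule gives every bound account read access to all attributes, userPassword hashes included; ldap.conf has TLSEnable no (so the bind password and every user's login password reach the directory unencrypted) together with a trivial bind password and RequireGroup false, and the second copy uses a cn=* group filter that matches every group; server.conf adds client-cert-not-required, which turns the certificate-plus-password login into a password-only one. The script below is an added example, not code from the original post or from the open***-auth-ldap project: a POSIX sh audit that prints one line per weak setting it finds in a slapd.conf, an auth-ldap ldap.conf and a server.conf. It runs against constructed sample files (the weak set mirrors the values in this walkthrough, the hardened set shows corrected values; the placeholder rootpw hash and bind password are not real secrets, and the function names are this example's own).

```shell
#!/bin/sh
# Added example (not from the original post): flag the weak settings the
# walkthrough leaves in slapd.conf, auth-ldap's ldap.conf and server.conf.
# Every file name and value below is constructed.

# Drop blank and comment lines, as the post's grep -Ev does.
active_lines() { grep -Ev '^[[:space:]]*$|^[[:space:]]*[#;]' "$1"; }

# slapd.conf: rootpw should be a {SSHA} hash from slappasswd, and userPassword
# needs its own ACL; with only "access to * ... by * read" any bound account
# can read every password hash.
audit_slapd_conf() {
  f=$1
  if active_lines "$f" | grep -Eq '^[[:space:]]*rootpw[[:space:]]+[^{[:space:]]'; then
    echo "$f: rootpw is stored in cleartext"
  fi
  if ! active_lines "$f" | grep -Eiq '^[[:space:]]*access to attrs=.*userPassword'; then
    echo "$f: no dedicated ACL for userPassword"
  fi
}

# ldap.conf: without StartTLS or ldaps:// the bind password and every user's
# login password cross the network in cleartext.
audit_ldap_conf() {
  f=$1
  if ! active_lines "$f" | grep -Eiq '^[[:space:]]*TLSEnable[[:space:]]+yes' &&
     ! active_lines "$f" | grep -Eiq '^[[:space:]]*URL[[:space:]]+ldaps://'; then
    echo "$f: TLSEnable is not yes and URL is not ldaps://"
  fi
  if active_lines "$f" | grep -Eiq '^[[:space:]]*Password[[:space:]]+(123456|password|secret|changeme)[[:space:]]*$'; then
    echo "$f: bind Password is a trivial default"
  fi
  # RequireGroup false admits every account that can bind; a cn=* group filter
  # matches every group, so RequireGroup true would gain nothing with it.
  if active_lines "$f" | grep -Eiq '^[[:space:]]*RequireGroup[[:space:]]+false'; then
    echo "$f: RequireGroup false, no group restricts who may connect"
  fi
  if active_lines "$f" | grep -Eq 'SearchFilter.*cn=\*'; then
    echo "$f: group SearchFilter contains cn=*"
  fi
}

# server.conf: without a client certificate, one leaked directory password is
# enough to connect.
audit_server_conf() {
  f=$1
  if active_lines "$f" | grep -Eiq '^[[:space:]]*(client-cert-not-required|verify-client-cert[[:space:]]+none)'; then
    echo "$f: client certificates are not required, login is password-only"
  fi
}

# Number of findings for a slapd.conf / ldap.conf / server.conf triple.
count_findings() {
  { audit_slapd_conf "$1"; audit_ldap_conf "$2"; audit_server_conf "$3"; } | wc -l | tr -d ' '
}

# Constructed samples: weak-* mirror the post's values, hard-* are corrected.
write_samples() {
  d=$1
  printf 'access to * by self write by anonymous auth by * read\nrootpw 123456\n' > "$d/weak-slapd.conf"
  cat > "$d/weak-ldap.conf" <<'EOF'
<LDAP>
  URL ldap://10.124.151.251:389
  Password 123456
  TLSEnable no
</LDAP>
<Authorization>
  RequireGroup false
  <Group>
    SearchFilter "(|(cn=*)(cn=artists))"
  </Group>
</Authorization>
EOF
  printf 'port 1194\nclient-cert-not-required\nusername-as-common-name\n' > "$d/weak-server.conf"
  printf 'access to attrs=userPassword by self write by anonymous auth by * none\naccess to * by self write by * read\nrootpw {SSHA}PLACEHOLDER_FROM_slappasswd\n' > "$d/hard-slapd.conf"
  cat > "$d/hard-ldap.conf" <<'EOF'
<LDAP>
  URL ldap://ldap.example.com:389
  Password REPLACE_WITH_LONG_RANDOM_SECRET
  TLSEnable yes
</LDAP>
<Authorization>
  RequireGroup true
  <Group>
    SearchFilter "(cn=vpn-users)"
  </Group>
</Authorization>
EOF
  printf 'port 1194\nusername-as-common-name\n' > "$d/hard-server.conf"
}

# Stand-alone demonstration on the constructed samples.
demo=$(mktemp -d)
write_samples "$demo"
audit_slapd_conf "$demo/weak-slapd.conf"; audit_ldap_conf "$demo/weak-ldap.conf"; audit_server_conf "$demo/weak-server.conf"
echo "weak set: $(count_findings "$demo/weak-slapd.conf" "$demo/weak-ldap.conf" "$demo/weak-server.conf") finding(s)"
echo "hardened set: $(count_findings "$demo/hard-slapd.conf" "$demo/hard-ldap.conf" "$demo/hard-server.conf") finding(s)"
rm -rf "$demo"
```

Run it with sh; it lists the seven findings for the weak set and a zero count for the hardened set. To check real files, call audit_slapd_conf, audit_ldap_conf and audit_server_conf with the paths used in the steps above; the hardened sample shows the shape of the fix: a {SSHA} rootpw, a separate userPassword ACL, StartTLS on, a long random bind password, RequireGroup true with a named group, and no client-cert-not-required.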
4. Edit the client configuration file qingbo.o*** and add the following
auth-user-pass
D:\Program Files\Open***\config>grep -Ev "^$|^[#;]" qingbo.song.o***
client
dev tap
proto udp
remote ***.apicloud.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
remote-cert-tls server
ns-cert-type server
auth-user-pass
tls-auth ta.key 1
cipher AES-256-CBC
comp-lzo
verb 3
5. Restart the open*** service:
service open*** restart
Note: when open*** restarts, the tap0 network interface may fail to bind; restarting once more binds it again. This may be related to clients that are still connected.
Note that in this article both the open*** server and client are configured in tap mode, i.e. a switched subnet is built, and every user is assigned a unique IP address in /etc/open***/ipp.txt; logging in from several devices at the same time is not supported, so that each user's identity can be recognised. If multi-device login is needed, an upgrade will be done later and this document updated accordingly.