Installing, starting and configuring OpenLDAP on Linux in one go
Source: Internet. Editor: 程序博客网. Date: 2024/06/05 00:00
External link: Tomcat + LDAP authentication: http://my.oschina.net/xpbug/blog/198765
1. Install Berkeley DB
wget http://download.oracle.com/berkeley-db/db-4.6.21.tar.gz
Extract the archive (the downloaded file is db-4.6.21.tar.gz):
tar zxvf db-4.6.21.tar.gz
Configure, compile and install:
1. cd db-4.6.21/build_unix/
2. ../dist/configure --prefix=/usr/local/berkeleyDB
3. make
4. make install
Note: after the installation finishes, run:
# cp /usr/local/berkeleyDB/include/* /usr/include/
# cp /usr/local/berkeleyDB/lib/* /usr/lib/
2. Set the Berkeley DB environment variables
vi ~/.bash_profile
Add:
CPPFLAGS="-I/usr/local/berkeleyDB/include"
export CPPFLAGS
LDFLAGS="-L/usr/local/lib -L/usr/local/berkeleyDB/lib -R/usr/local/berkeleyDB/lib"
export LDFLAGS
LD_LIBRARY_PATH="/usr/local/berkeleyDB/lib"
export LD_LIBRARY_PATH
3. Install OpenLDAP
wget ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-2.4.40.tgz
# tar -xzvf openldap-2.4.40.tgz
# cd openldap-2.4.40/
# ./configure --prefix=/usr/local/openldap
# make depend
# make
# make install
Troubleshooting:
1. configure: error: Berkeley DB version mismatch
Re-run configure pointing at the Berkeley DB built above (the prefix is /usr/local/berkeleyDB, case matters) and enable the bdb backend:
./configure --enable-bdb --libdir=/usr/local/berkeleyDB/lib --includedir=/usr/local/berkeleyDB/include --prefix=/usr/local/openldap --sysconfdir=/etc/openldap --enable-passwd --enable-wrappers --disable-ipv6 --enable-spasswd --enable-crypt --enable-modules --enable-accesslog=yes
2. ./configure fails with:
configure: error: could not locate libtool ltdl.h
Fix: install the libtool-ltdl and libtool-ltdl-devel packages.
On a 64-bit system, via yum:
# yum install libtool-ltdl.x86_64 libtool-ltdl-devel.x86_64
or download and install the RPMs by hand:
wget
rpm -ivh
3. Edit the configuration file and define a database
vi /usr/local/openldap/etc/openldap/slapd.conf
suffix "dc=hq3595,dc=com"
rootdn "cn=Manager,dc=hq3595,dc=com"
rootpw hq3595
Put your own domain in suffix; clients need it when they connect.
rootpw sets the password of the directory superuser. Here it is stored in plaintext (the value after rootpw is the password itself), which is very insecure; store a hash instead. Supported schemes are CRYPT, MD5, SMD5, SHA and SSHA. Generate the hash with slappasswd, choosing the scheme with -h. Example:
# /usr/local/openldap/sbin/slappasswd -h {SSHA}
New password:
Re-enter new password:
{SSHA}F6WTMlSbUsQP0JKwB7M/JZSsmHR+g2Ow
Replace the plaintext rootpw value with this string.
4. Start LDAP
# /usr/local/openldap/libexec/slapd -d256
Supplement:
On stopping slapd, the official documentation gives: kill -INT 'cat /usr/local/var/slapd.pid'
When I ran that I got: bash: kill: cat /usr/local/var/slapd.pid: arguments must be process or job IDs
find /usr -name slapd.pid showed the file under /usr/local/openldap/var/run/, so the command becomes:
kill -INT `cat /usr/local/openldap/var/run/slapd.pid`
Restart slapd: su root -c "/usr/local/openldap/libexec/slapd -d256"
I recommend running /usr/local/openldap/libexec/slapd -d256 directly: error messages appear on the terminal and Ctrl+C stops the process.
5. Import data from an LDIF file
Create the file example.ldif:
# create the Admins group
dn: ou=Admins,dc=sogal,dc=com
ou: Admins
objectClass: top
objectClass: organizationalUnit

# create the Users group
dn: ou=Users,dc=sogal,dc=com
ou: Users
objectClass: top
objectClass: organizationalUnit

# create a user under the Users group
dn: uid=testuid,ou=Users,dc=sogal,dc=com
objectClass: inetOrgPerson
uid: testuid
sn: testsn
cn: testcn
mail: testmail@gmail.com
userPassword: testpass

Parent entries must exist before their children: the suffix entry dc=sogal,dc=com itself has to be in the directory before these three entries can be added, otherwise ldapadd fails with "No such object". Then import the file, binding as the rootdn (-W prompts for rootpw):
/usr/local/openldap/bin/ldapadd -x -W -D "cn=Manager,dc=sogal,dc=com" -f example.ldif
LDIF format rules: exactly one space after each colon, no trailing whitespace at the end of a line, one blank line between entries, no blank line at the end of the file.
(one blank line)
dn: dc=hq3595,dc=com
objectclass: dcObject
objectclass: organization
o: kaspersky
dc: test
(one blank line)
dn: cn=test,dc=mail,dc=kaspersky,dc=com
objectclass: organizationalRole
cn: test
(no blank line at the end)
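Added example (Python, not from the original post): a small checker for the layout rules just listed, run over a constructed file in the shape of the section 5 LDIF. It handles plain attr: value lines only; base64 (::) values and folded continuation lines are out of scope.

```python
import re
from typing import Dict, List, Tuple

# One space after the colon, value not starting with whitespace; '::' values and folded lines are ignored here.
LINE_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*): (\S.*)$")

def parse_ldif(text: str) -> Tuple[List[Dict[str, List[str]]], List[str]]:
    """Split an LDIF file into entries and report violations of the layout rules above."""
    entries, errors, current = [], [], {}
    for lineno, line in enumerate(text.split("\n"), 1):
        if line.startswith("#"):
            continue                                    # comment lines may appear anywhere
        if line.strip() == "":                          # a blank line separates entries
            if line != "":
                errors.append(f"line {lineno}: separator line contains whitespace")
            if current:
                entries.append(current)
                current = {}
            continue
        if line != line.rstrip():
            errors.append(f"line {lineno}: trailing whitespace")
            line = line.rstrip()
        m = LINE_RE.match(line)
        if not m:
            errors.append(f"line {lineno}: expected 'attr: value' with one space after the colon")
            continue
        attr, value = m.group(1).lower(), m.group(2)    # attribute names are case-insensitive
        if not current and attr != "dn":
            errors.append(f"line {lineno}: entry must start with its dn")
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    if text.endswith("\n\n"):
        errors.append("file ends with a blank line")
    return entries, errors

# Constructed sample in the layout of section 5 (not the page's own file).
SAMPLE_LDIF = """# create the Admins group
dn: ou=Admins,dc=sogal,dc=com
ou: Admins
objectClass: top
objectClass: organizationalUnit

dn: uid=testuid,ou=Users,dc=sogal,dc=com
objectClass: inetOrgPerson
uid: testuid
sn: testsn
cn: testcn
"""
```

Run parse_ldif(SAMPLE_LDIF) to get two entries and an empty error list; feed it a file with "dn:ou=Admins" or a trailing space and each offending line is reported with its number.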
6. Install JXplorer to manage LDAP
7. Access control, also configured in slapd.conf (not done yet)
access to * by * read
access to attrs=userPassword
        by self write
        by anonymous auth
        by dn="cn=Admin,dc=example,dc=com" write
        by * none
access to *
        by self write
        by dn="cn=Admin,dc=example,dc=com" write
        by * read
access to * by users read
Caveat: slapd evaluates access directives in order and stops at the first "access to" clause whose <what> matches the entry or attribute, so a leading "access to * by * read" shadows the userPassword rule beneath it and anonymous clients can read password hashes. Put the attrs=userPassword clause first and a single catch-all "access to *" clause last.
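Added example (Python, not from the original post): a model of the first-match rule that decides which of the clauses above applies, comparing the order shown on the page with the corrected order. Only the <who> forms used on the page are modelled; the rootdn, which bypasses ACLs, and slapd's break/continue controls are left out.

```python
from typing import List, Optional, Tuple

# slapd.access(5) privilege ladder: each level implies every level to its left.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
Clause = Tuple[str, List[Tuple[str, str]]]   # (<what>, [(<who>, <access>), ...])

def who_matches(who: str, binddn: Optional[str], target_dn: str) -> bool:
    """Only the <who> forms used on this page; binddn None means an anonymous session."""
    if who == "*":
        return True
    if who == "anonymous":
        return binddn is None
    if who == "users":
        return binddn is not None
    if who == "self":                                   # bound identity is the entry itself
        return binddn is not None and binddn.lower() == target_dn.lower()
    if who.startswith('dn="') and who.endswith('"'):    # bare dn= means dn.exact=
        return binddn is not None and binddn.lower() == who[4:-1].lower()
    raise ValueError(f"unsupported <who> clause: {who}")

def effective_access(acl: List[Clause], binddn: Optional[str],
                     target_dn: str, attr: Optional[str]) -> str:
    """The first 'access to' clause whose <what> covers the attribute decides, then the first
    matching 'by' inside it; every clause ends with an implicit 'by * none'. The rootdn
    bypasses ACLs entirely and is not modelled."""
    for what, bys in acl:
        if what == "*" or (attr is not None and what.lower() == "attrs=" + attr.lower()):
            for who, level in bys:
                if who_matches(who, binddn, target_dn):
                    return level
            return "none"
    raise LookupError("no 'access to' clause covers this target; end the ACL with a catch-all")

def allows(granted: str, needed: str) -> bool:
    return LEVELS.index(granted) >= LEVELS.index(needed)

ADMIN = 'dn="cn=Admin,dc=example,dc=com"'
PASSWORD_RULE: Clause = ("attrs=userPassword",
                         [("self", "write"), ("anonymous", "auth"), (ADMIN, "write"), ("*", "none")])
GENERAL_RULE: Clause = ("*", [("self", "write"), (ADMIN, "write"), ("*", "read")])
# Order as it appears on the page: the leading catch-all shadows both rules after it.
PAGE_ORDER: List[Clause] = [("*", [("*", "read")]), PASSWORD_RULE, GENERAL_RULE]
# Most specific <what> first, catch-all last.
FIXED_ORDER: List[Clause] = [PASSWORD_RULE, GENERAL_RULE]
```

With PAGE_ORDER an anonymous session gets read on userPassword; with FIXED_ORDER it gets auth only, the entry owner and cn=Admin get write, and everyone else gets none.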
8. Java authentication (core code):
import java.util.Hashtable;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.PagedResultsControl;

private static DirContext ctx;

public static DirContext getCtx() {
    String account = "Manager";          // bind DN (cn part)
    String password = "hq3595";          // bind password
    String root = "dc=hq3595,dc=com";    // root suffix
    Hashtable<String, Object> env = new Hashtable<>();
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    // a simple bind over plain ldap:// sends the password in cleartext; use ldaps:// or StartTLS outside a lab
    env.put(Context.PROVIDER_URL, "ldap://192.168.147.131:389/");
    env.put(Context.SECURITY_AUTHENTICATION, "simple");
    env.put(Context.SECURITY_PRINCIPAL, "cn=" + account + "," + root);
    env.put(Context.SECURITY_CREDENTIALS, password);
    try {
        // connect to LDAP
        // ctx = new InitialDirContext(env);
        ctx = new InitialLdapContext(env, new Control[]{ new PagedResultsControl(100, Control.NONCRITICAL) });
        System.out.println("认证成功");
    } catch (javax.naming.AuthenticationException e) {
        e.printStackTrace();
        System.out.println("认证失败");
    } catch (Exception e) {
        System.out.println("认证出错:");
        e.printStackTrace();
    }
    return ctx;
}

public static void closeCtx() {
    try {
        if (ctx != null) {               // getCtx() leaves ctx null when the bind failed
            ctx.close();
        }
    } catch (NamingException ex) {
        Logger.getLogger(LdapHelper.class.getName()).log(Level.SEVERE, null, ex);
    }
}
9. Custom LDAP attributes
Add two custom attributes to the inetOrgPerson object class:
- isAbsent: string of at most 128 characters, single-valued
- substitutes: string of at most 128 characters, multi-valued
After consulting the OpenLDAP Administrator's Guide and examples online, the solution is as follows.
Edit the OpenLDAP schema definition file.
The paths of the schema files, the pid file and the database files can be looked up in /usr/local/etc/openldap/slapd.conf.
In inetorgperson.schema, add the attribute definitions:
attributetype ( 2.16.840.1.113730.3.1.900
NAME 'isAbsent'
DESC 'whether the person is absent from work'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128}
SINGLE-VALUE )
attributetype ( 2.16.840.1.113730.3.1.901
NAME 'substitutes'
DESC 'people substitutes when absent'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
Here 2.16.840.1.113730.3.1.900 and .901 are OIDs picked as unused (I have not checked whether they are already taken; search before relying on them), and 1.3.6.1.4.1.1466.115.121.1.15 is the Directory String syntax, with {128} limiting values to 128 characters. Note that the 2.16.840.1.113730 arc is Netscape's; the OpenLDAP Administrator's Guide recommends allocating locally defined schema under your own OID arc (an IANA private enterprise number).
Enable the two attributes in the inetOrgPerson class:
objectclass ( 2.16.840.1.113730.3.2.2
NAME 'inetOrgPerson'
DESC 'RFC2798: Internet Organizational Person'
SUP organizationalPerson
STRUCTURAL
MAY (
...
isAbsent $ substitutes )
)
Enable inetorgperson.schema in slapd.conf:
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
ucdata-path ./ucdata
include ./schema/core.schema
include ./schema/cosine.schema
include ./schema/inetorgperson.schema
include ./schema/nis.schema
Restart the LDAP service and everything is in place.