Adventures in installing OpenLDAP
Source: Internet   Posted under: database installation steps   Editor: 程序博客网   Time: 2024/04/28 06:20
Author: cleverpig
Installation environment:
RedHat Linux 9.0, kernel version
I. Preparation:
Prepare the software listed at http://www.openldap.org/faq/data/cache/196.html:
1. The prerequisites for installation are: a C development environment, POSIX-compliant regular-expression routines, and Berkeley-style networking (socket/select) routines.
OpenLDAP 2.x is designed to "configure" and "build" on UNIX (and UNIX-like) systems.
The prerequisites depend upon which features you desire.
General prerequisites include:
C Development Environment
POSIX REGEX routines
Berkeley Networking (socket/select) routines
2. Software needed by SLAPD, the OpenLDAP daemon: Berkeley DB or GDBM; either one will do. I chose the former.
Berkeley DB 4.2 and its patches: the source and the patch files can be downloaded from http://www.sleepycat.com/. Patches are applied with the patch command; their purpose is to fix bugs in the source before it is compiled. For details on patch see www-900.ibm.com/developerWorks/cn/linux/l-diffp/index.shtml.
SLAPD (with BDB database) prerequisites includes:
Berkeley Database 4.2 from Sleepycat (http://www.sleepycat.com/)
Latest version with patches is recommended.
SLAPD (with LDBM database) prerequisites include suitable database support. One of following packages can fulfill the prerequisite.
Berkeley Database from Sleepycat (http://www.sleepycat.com/)
GNU Database Manager (GDBM) from FSF (http://www.gnu.org/)
For OpenLDAP 2.1 (or later), Berkeley DB 4.1 is recommended.
SLURPD prerequisites include:
Thread support (Posix Threads and others)
3. Optional software: SSL/TLS and SASL. SSL/TLS encrypts the traffic; it can be downloaded from http://www.openssl.org but needs to be patched before installation, see http://www.openldap.org/faq/index.cgi?file=185. Cyrus-SASL provides the authentication mechanisms; its source can be downloaded from http://asg.web.cmu.edu/sasl/. Since both are optional, I chose only the latter, with the machine's load in mind.
SSL/TLS prerequisites (optional):
OpenSSL
The OpenSSL library usually needs to be patched before it will work correctly. See this FAQ article for details: http://www.openldap.org/faq/index.cgi?file=185 (Note about OpenSSL and crypt())
SASL prerequisites (optional):
Cyrus-SASL from http://asg.web.cmu.edu/sasl/
II. Installation:
1. Installing Berkeley DB (Berkeley Database
tar -zxvf db-
After extraction a db-4.2.52.NC directory is created; enter its build_unix subdirectory, where Berkeley DB 4.2.52 is configured and installed. Run the following commands:
# ../dist/configure
# make
# make install
That is the usual three-step source install on Linux; nothing special about it. By default the software installs into /usr/local/BerkeleyDB.4.2. After installation, add the library path /usr/local/BerkeleyDB.4.2/lib to /etc/ld.so.conf, the configuration file of the system's dynamic linker. It lists the directories (other than the system directories /lib and /usr/lib, which are always searched) whose shared libraries are made available to every program on the system; directory names are separated by whitespace (spaces, newlines), colons or commas. Most Linux distributions ship this file with /usr/X11R6/lib, the library directory of the X Window System. After adding the entry, run ldconfig -v once so the new configuration takes effect (ldconfig rebuilds /etc/ld.so.cache from it); only then can the library be found at run time, including by the test programs that OpenLDAP's configure builds and runs. Only root-owned directories that nobody else can write to belong in this file: every dynamically linked program on the host will load libraries from them.
2. Installing Cyrus-SASL (cyrus-sasl-
tar -zxvf cyrus-sasl-
After extraction this creates cyrus-sasl-
# ./configure
# make
# make install
Cyrus-SASL needs a few supporting libraries; if you run into problems compiling, see http://asg.web.cmu.edu/sasl/. I was lucky :-). After installation, add the library paths /usr/local/lib/sasl2 and /usr/local/lib to /etc/ld.so.conf and run ldconfig -v once so the new configuration takes effect and the libraries can be found at run time. Strictly, only /usr/local/lib is needed there: /usr/local/lib/sasl2 holds the mechanism plugins, which libsasl2 locates and dlopen()s itself, so listing it is harmless but does nothing for ld.so.
Result:
ldconfig -v
...
/usr/local/lib:
libldap_r-2.2.so.7 -> libldap_r-2.2.so.
libldap-2.2.so.7 -> libldap-2.2.so.
liblber-2.2.so.7 -> liblber-2.2.so.
libsasl2.so.2 -> libsasl2.so.
/usr/local/lib/sasl2:
libanonymous.so.2 -> libanonymous.so.
libplain.so.2 -> libplain.so.
libotp.so.2 -> libotp.so.
libdigestmd5.so.2 -> libdigestmd5.so.
libcrammd5.so.2 -> libcrammd5.so.
libsasldb.so.2 -> libsasldb.so.
...
You can see the SASL symlinks. The ldd command shows which shared libraries an executable or library will load, and from where; see ldd --help. Bear in mind that ldd obtains this by running the program under the dynamic loader in trace mode, so never point it at a binary you do not trust; readelf -d or objdump -p list the NEEDED entries without executing anything.
3. Installing OpenLDAP (openldap-stable
As with Cyrus-SASL above, after extraction enter the generated openldap-
# ./configure
A. First attempt fails: as soon as ./configure ran, error 1 appeared:
checking Berkeley DB version for BDB backend... no
configure: error: BDB: BerkeleyDB version incompatible
This error says the Berkeley DB version is incompatible with what OpenLDAP needs?? Strange, the one I installed
So before running configure I first set two environment variables:
export CPPFLAGS="-I/usr/local/BerkeleyDB.4.2/include"
export LDFLAGS="-L/usr/local/BerkeleyDB.4.2/lib"
Environment variables used by configure (this list comes from Apache 1.3's configure notes; an autoconf-generated configure such as OpenLDAP's honours CC, CPPFLAGS, CFLAGS, LDFLAGS and LIBS, while INCLUDES, TARGET and the NOTEST_* variables are specific to Apache 1.3):
CC=...              name of the C compiler
CPPFLAGS=...        C preprocessor and compiler options, for example -I include paths
CFLAGS=...          debugging and optimisation options for the C compiler
LDFLAGS=...         linker options, for example -L library paths
LIBS=...            library location information for the linker ("-L" and "-l" options)
INCLUDES=...        header search directories ("-Idir")
TARGET=...          name of the target executable [Default: apache]
NOTEST_CPPFLAGS=...
NOTEST_CFLAGS=...
NOTEST_LDFLAGS=...
NOTEST_LIBS=...
CPPFLAGS and LDFLAGS specify the preprocessor options and the linker options respectively; configure reads them when it runs and writes them into the Makefiles for the later make. Sure enough, configure got past this point without complaint.
B. Knocked down again: one problem solved and, before I could catch my breath, configure failed again, error 2:
checking Cyrus SASL library version... no
configure: error: Cyrus SASL library located but is incompatible
Like Berkeley DB, the Cyrus SASL version is incompatible?? Same cause again: an older Cyrus SASL is installed on the system... :-( ... what a pain! Nothing for it but to enrich the environment variables:
export CPPFLAGS="-I/usr/local/BerkeleyDB.4.2/include"
export LDFLAGS="-L/usr/local/lib/ -L/usr/local/BerkeleyDB.4.2/lib -L/usr/local/lib/sasl2"
This puts the library path of the newly installed Cyrus SASL into the linker options LDFLAGS. Re-run configure: it passed.
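Errors 1 and 2 above have the same shape: configure picked up the distribution's older db.h and sasl.h before the freshly built copies, and the remedy was to point CPPFLAGS and LDFLAGS at the right prefix. Instead of guessing, the helper below (an added example, not code from the original post or from OpenLDAP) reads DB_VERSION_MAJOR, DB_VERSION_MINOR and DB_VERSION_PATCH out of every db.h under a list of candidate prefixes, keeps only the installs that also ship a libdb shared library, and prints the two export lines for the newest one. The prefixes and the header contents written by make_bdb_fixture are constructed for the demonstration, and the 4.0.x version of the older copy is a placeholder, not the version the post leaves unstated.

```shell
#!/bin/sh
# Added example: find every Berkeley DB install among candidate prefixes and
# derive the CPPFLAGS/LDFLAGS configure needs for the newest one.
# DB_VERSION_MAJOR/MINOR/PATCH are the macros db.h really defines.

# bdb_version PREFIX -> prints MAJOR.MINOR.PATCH from PREFIX/include/db.h, or fails
bdb_version() {
    hdr=$1/include/db.h
    [ -f "$hdr" ] || return 1
    v=$(awk '$1 == "#define" && $2 == "DB_VERSION_MAJOR" { ma = $3 }
             $1 == "#define" && $2 == "DB_VERSION_MINOR" { mi = $3 }
             $1 == "#define" && $2 == "DB_VERSION_PATCH" { pa = $3 }
             END { if (ma != "" && mi != "" && pa != "") printf "%s.%s.%s\n", ma, mi, pa }' "$hdr")
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# bdb_best PREFIX... -> prints "PREFIX VERSION" for the newest install that has
# both the header and a libdb*.so (configure's version test compiles AND links).
bdb_best() {
    for p in "$@"; do
        v=$(bdb_version "$p") || continue
        ls "$p"/lib/libdb*.so* >/dev/null 2>&1 || continue
        # numeric sort key so 4.2.52 beats 4.0.14 regardless of string order
        key=$(printf '%s' "$v" | awk -F. '{ printf "%08d", $1 * 10000 + $2 * 100 + $3 }')
        printf '%s %s %s\n' "$key" "$p" "$v"
    done | LC_ALL=C sort -r | head -n 1 | cut -d' ' -f2-
}

# bdb_configure_flags PREFIX... -> the export lines to run before ./configure
bdb_configure_flags() {
    best=$(bdb_best "$@")
    [ -n "$best" ] || return 1
    prefix=${best% *}
    printf 'export CPPFLAGS="-I%s/include"\nexport LDFLAGS="-L%s/lib"\n' "$prefix" "$prefix"
}

# make_bdb_fixture DIR: constructed tree with an older (placeholder 4.0.14) copy
# under DIR/usr and the 4.2.52 build under DIR/usr/local/BerkeleyDB.4.2.
make_bdb_fixture() {
    mkdir -p "$1/usr/include" "$1/usr/lib" \
             "$1/usr/local/BerkeleyDB.4.2/include" "$1/usr/local/BerkeleyDB.4.2/lib"
    printf '#define\tDB_VERSION_MAJOR\t4\n#define\tDB_VERSION_MINOR\t0\n#define\tDB_VERSION_PATCH\t14\n' \
        > "$1/usr/include/db.h"
    : > "$1/usr/lib/libdb-4.0.so"
    printf '#define\tDB_VERSION_MAJOR\t4\n#define\tDB_VERSION_MINOR\t2\n#define\tDB_VERSION_PATCH\t52\n' \
        > "$1/usr/local/BerkeleyDB.4.2/include/db.h"
    : > "$1/usr/local/BerkeleyDB.4.2/lib/libdb-4.2.so"
}

# Stand-alone demonstration against the constructed tree.
# On a real host: bdb_configure_flags /usr /usr/local /usr/local/BerkeleyDB.4.2
T=$(mktemp -d)
make_bdb_fixture "$T"
bdb_configure_flags "$T/usr" "$T/usr/local/BerkeleyDB.4.2"
rm -rf "$T"
```

The same approach works for the Cyrus SASL clash in error 2: its header is include/sasl/sasl.h and the macros are SASL_VERSION_MAJOR, SASL_VERSION_MINOR and SASL_VERSION_STEP.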
# make
At this stage my job was basically to wait and drink some water... until make finished.
# make test
C. Twists and turns: a big problem (if the configuration is wrong, this error also appears when running slapd -d 9 after make install). Error 3:
cd tests; make test
make[1]: Entering directory `/home/liudan/openldap-
make[2]: Entering directory `/home/liudan/openldap-
Initiating LDAP tests for BDB...
Running ./scripts/all...
>>>>> Executing all LDAP tests for bdb
>>>>> Starting test000-rootdse ...
running defines.sh
Starting slapd on TCP/IP port 9011...
…
slapd init: initiated server.
slap_sasl_init: SASL library version mismatch: expected
slapd shutdown: freeing system resources.
slapd stopped.
connections_destroy: nothing to destroy.
The Cyrus SASL library version does not match what is required!! OpenLDAP needs
Now look at slapd after make install: it is installed in /usr/local/libexec. The -d option selects how much debugging output it prints:
[root@weblserver libexec]# ./slapd -d 9
@(#) $OpenLDAP: slapd
root@weblserver:/home/liudan/openldap-
daemon_init: listen on ldap:///
daemon_init: 1 listeners to open...
ldap_url_parse_ext(ldap:///)
daemon: IPv6 socket() failed errno=97 (Address family not supported by protocol)
daemon: initialized ldap:///
daemon_init: 2 listeners opened
slapd init: initiated server.
slap_sasl_init: SASL library version mismatch: expected
slapd shutdown: freeing system resources.
slapd stopped.
connections_destroy: nothing to destroy.
Same error. So the Cyrus SASL picked up at run time is the problem: -L in LDFLAGS only tells the link step where to find the library, while the soname libsasl2.so.2 recorded in the binary is resolved afresh every time slapd starts, by ld.so (LD_LIBRARY_PATH first, then the ld.so.cache that ldconfig built, then /lib and /usr/lib). Check slapd's library linkage:
[root@weblserver libexec]# ldd slapd
libdb-4.2.so => /usr/local/BerkeleyDB.4.2/lib/libdb-4.2.so (0x4002b000)
libssl.so.4 => /lib/libssl.so.4 (0x400d2000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0x40107000)
libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x40134000)
libpthread.so.0 => /lib/tls/libpthread.so.0 (0x40147000)
libc.so.6 => /lib/tls/libc.so.6 (0x42000000)
libresolv.so.2 => /lib/libresolv.so.2 (0x40155000)
libcrypto.so.4 => /lib/libcrypto.so.4 (0x40167000)
libgssapi_krb5.so.2 => /usr/kerberos/lib/libgssapi_krb5.so.2 (0x40258000)
libkrb5.so.3 => /usr/kerberos/lib/libkrb5.so.3 (0x4026b000)
libk5crypto.so.3 => /usr/kerberos/lib/libk5crypto.so.3 (0x
libcom_err.so.3 => /usr/kerberos/lib/libcom_err.so.3 (0x402d9000)
libdl.so.2 => /lib/libdl.so.2 (0x402dc000)
libz.so.1 => /usr/lib/libz.so.1 (0x402df000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
It turns out it is still loading /usr/lib/libsasl2.so.2 (pointing to /usr/lib/sasl/libsasl2.so.
D. First attempt: add the library search variable LD_LIBRARY_PATH to the environment. ld.so consults it before the cache, but only processes that inherit the variable are affected, and set-user-ID programs ignore it, so this is a per-session workaround rather than a fix.
export LD_LIBRARY_PATH="/usr/local/lib"
Ran slapd again: it worked.
E. Curing the headache for good: set this environment variable every time slapd runs, or write it into a profile? I think changing the symlinks is more thorough.
So I deleted or renamed the system's original /usr/lib/sasl directory and the symlink /usr/lib/libsasl2.so.2 together with the libsasl2.so it points to:
mv /usr/lib/sasl /usr/lib/sasl-orig   (or delete sasl)
[root@weblserver lib]# ls -l libsasl*
-rw-r--r-- 1 root root 259634 2003-01-26 libsasl2.a
-rwxr-xr-x 1 root root 768 2003-01-26 libsasl2.la
lrwxrwxrwx 1 root root 18 Jan 5 22:20 libsasl2.so -> libsasl2.so.
lrwxrwxrwx 1 root root 18 Jan 5 21:44 libsasl2.so.2 -> libsasl2.so.
-rwxr-xr-x 1 root root 76612 2003-01-26 libsasl2.so.
-rw-r--r-- 1 root root 62474 2003-01-26 libsasl.a
-rwxr-xr-x 1 root root 770 2003-01-26 libsasl.la
lrwxrwxrwx 1 root root 17 Jan 5 22:20 libsasl.so -> libsasl.so.
lrwxrwxrwx 1 root root 17 Jan 5 21:44 libsasl.so.7 -> libsasl.so.
-rwxr-xr-x 1 root root 43612 2003-01-26 libsasl.so.
[root@weblserver lib]# rm libsasl2.so.2
[root@weblserver lib]# rm libsasl2.so
Relink:
[root@weblserver lib]# ln -s /usr/local/lib/sasl2 /usr/lib/sasl2
[root@weblserver lib]# ln -s /usr/local/lib/libsasl2.so.
[root@weblserver lib]# ln -s /usr/local/lib/libsasl2.so.
These files belong to the distribution's cyrus-sasl packages, so rpm -V on those packages will report them as modified from now on, a later update of the packages will put the original library back behind the same name, and every other program on the host that uses libsasl2.so.2 now gets the new build too. Check slapd's library linkage again (ldd prints the path the loader opens, /usr/lib/libsasl2.so.2, which has not changed; what changed is the file that symlink resolves to, which ls -l /usr/lib/libsasl2.so.2 shows):
[root@weblserver libexec]# ldd slapd
libdb-4.2.so => /usr/local/BerkeleyDB.4.2/lib/libdb-4.2.so (0x4002b000)
libssl.so.4 => /lib/libssl.so.4 (0x400d2000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0x40107000)
libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x40134000)
libpthread.so.0 => /lib/tls/libpthread.so.0 (0x40147000)
libc.so.6 => /lib/tls/libc.so.6 (0x42000000)
libresolv.so.2 => /lib/libresolv.so.2 (0x40155000)
libcrypto.so.4 => /lib/libcrypto.so.4 (0x40167000)
libgssapi_krb5.so.2 => /usr/kerberos/lib/libgssapi_krb5.so.2 (0x40258000)
libkrb5.so.3 => /usr/kerberos/lib/libkrb5.so.3 (0x4026b000)
libk5crypto.so.3 => /usr/kerberos/lib/libk5crypto.so.3 (0x
libcom_err.so.3 => /usr/kerberos/lib/libcom_err.so.3 (0x402d9000)
libdl.so.2 => /lib/libdl.so.2 (0x402dc000)
libz.so.1 => /usr/lib/libz.so.1 (0x402df000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
Good, correct! Now return to the OpenLDAP source directory openldap-
[root@weblserver openldap-
cd tests; make test
make[1]: Entering directory `/home/liudan/openldap-
make[2]: Entering directory `/home/liudan/openldap-
Initiating LDAP tests for BDB...
Running ./scripts/all...
>>>>> Executing all LDAP tests for bdb
>>>>> Starting test000-rootdse ...
running defines.sh
Starting slapd on TCP/IP port 9011...
Using ldapsearch to retrieve the root DSE...
Waiting 5 seconds for slapd to start...
Using ldapsearch to retrieve the cn=Monitor...
dn:
objectClass: top
objectClass: OpenLDAProotDSE
structuralObjectClass: OpenLDAProotDSE
namingContexts: o=OpenLDAP Project,l=Internet
monitorContext: cn=Monitor
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl:
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 1.2.840.113556.1.4.1339
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.826.0.1.334810.2.3
supportedExtension:
supportedExtension:
supportedFeatures:
supportedFeatures:
supportedFeatures:
supportedFeatures:
supportedFeatures:
supportedLDAPVersion: 3
supportedSASLMechanisms: OTP
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
vendorName: The OpenLDAP Project <http://www.openldap.org/>
subschemaSubentry: cn=Subschema
dn: cn=Monitor
objectClass: monitorServer
structuralObjectClass: monitorServer
cn: Monitor
description: This subtree contains monitoring/managing objects.
description: This object contains information about this server.
createTimestamp: 20050118053256Z
modifyTimestamp: 20050118053256Z
monitoredInfo: @(#) $OpenLDAP: slapd
subschemaSubentry: cn=Subschema
hasSubordinates: TRUE
>>>>> Test succeeded
>>>>> ./scripts/test000-rootdse completed OK.
>>>>> waiting 10 seconds for things to exit
>>>>> Starting test001-slapadd ...
running defines.sh
Running slapadd to build slapd database...
Starting slapd on TCP/IP port 9011...
Using ldapsearch to retrieve all the entries...
Waiting 5 seconds for slapd to start...
Filtering ldapsearch results...
Filtering original ldif used to create database...
Comparing filter output...
>>>>> Test succeeded
>>>>> ./scripts/test001-slapadd completed OK.
>>>>> waiting 10 seconds for things to exit
…
After n tests, all without problems!
# make install
Finally, install once more... heh, not really necessary.
All in all, this was a good adventure: it cost me a few hours, but it is a great example of installing software on a system where different versions of the same program coexist.
F. A few tips and tools (specifically for systems where different versions coexist):
1) A configure or compile that goes wrong may be down to the environment variables; setting the necessary, correct ones fixes it.
2) Rename or delete the older library files and symlinks of the same name and recreate the links for the new version.
3) ldd is a good tool for checking which libraries are linked; ln is the tool for making library links.
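The run-time half of the lesson in D and E (the link step used -L/usr/local/lib, but ld.so handed slapd the distribution's libsasl2.so.2 from /usr/lib) can be detected before it bites: walk the directories the loader searches, in /etc/ld.so.conf order followed by /lib and /usr/lib, and report every soname that exists in more than one of them together with the real file each name resolves to. The script below is an added example, not code from the original post; the directory tree it builds under mktemp is constructed, and the libsasl2 version suffixes in it are placeholders, not the ones the post truncates.

```shell
#!/bin/sh
# Added example: report sonames that exist in more than one library directory,
# which is exactly the situation that made slapd load the wrong libsasl2.so.2.

# duplicate_sonames DIR...  (pass the directories in loader search order)
# Output: one tab-separated line per duplicated soname and directory:
#   soname <TAB> directory <TAB> real file the symlink resolves to
duplicate_sonames() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for path in "$dir"/lib*.so.*; do
            [ -e "$path" ] || continue
            name=${path##*/}
            # Only the names ld.so actually opens (libX.so.N); skip the
            # versioned real files such as libX.so.N.M.P behind them.
            case ${name##*.so.} in *[!0-9]*) continue ;; esac
            real=$(readlink -f "$path" 2>/dev/null || printf '%s' "$path")
            printf '%s\t%s\t%s\n' "$name" "$dir" "$real"
        done
    done | awk -F'\t' '
        # count each (soname, directory) pair once, keep its line
        !seen[$1 FS $2]++ { count[$1]++; rows[$1] = rows[$1] $0 "\n" }
        END { for (s in count) if (count[s] > 1) printf "%s", rows[s] }' | LC_ALL=C sort
}

# make_fixture DIR: constructed tree mirroring the page. A distro libsasl2 under
# usr/lib, a newer build under usr/local/lib (both carrying soname libsasl2.so.2),
# and a libldap that exists only once. Version suffixes are placeholders.
make_fixture() {
    mkdir -p "$1/usr/lib" "$1/usr/local/lib"
    : > "$1/usr/lib/libsasl2.so.2.0.1"
    ln -s libsasl2.so.2.0.1 "$1/usr/lib/libsasl2.so.2"
    : > "$1/usr/local/lib/libsasl2.so.2.0.2"
    ln -s libsasl2.so.2.0.2 "$1/usr/local/lib/libsasl2.so.2"
    : > "$1/usr/local/lib/libldap-2.2.so.7.0.0"
    ln -s libldap-2.2.so.7.0.0 "$1/usr/local/lib/libldap-2.2.so.7"
}

# Stand-alone demonstration against the constructed tree. On a real host:
#   duplicate_sonames $(sed 's/[:,]/ /g; /^include/d' /etc/ld.so.conf) /lib /usr/lib
# (newer distributions pull most entries in via 'include' lines, so add the
# directories from /etc/ld.so.conf.d/*.conf as well).
T=$(mktemp -d)
make_fixture "$T"
duplicate_sonames "$T/usr/local/lib" "$T/usr/lib"
rm -rf "$T"
```

Every soname the script prints twice is a library whose -L choice at link time says nothing about what the loader will pick at run time; for those, ls -l on each listed path tells you which file each name really is, which is the check the identical ldd output before and after step E could not give.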
My environment, for reference:
[root@weblserver libexec]# env
LDFLAGS=-L/usr/local/lib/ -L/usr/local/BerkeleyDB.4.2/lib -L/usr/local/lib/sasl2
HOSTNAME=weblserver
TERM=vt100
SHELL=/bin/bash
HISTSIZE=1000
CPPFLAGS=-I/usr/local/BerkeleyDB.4.2/include
SSH_CLIENT=202.127.166.89 1962 22
QTDIR=/usr/lib/qt-3.1
OLDPWD=/home/liudan/openldap-
SSH_TTY=/dev/pts/0
USER=root
LD_LIBRARY_PATH=/usr/local/lib
LS_COLORS=no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=01;32:*.cmd=01;32:*.exe=01;32:*.com=01;32:*.btm=01;32:*.bat=01;32:*.sh=01;32:*.csh=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.bz2=01;31:*.bz=01;31:*.tz=01;31:*.rpm=01;31:*.cpio=01;31:*.jpg=01;35:*.gif=01;35:*.bmp=01;35:*.xbm=01;35:*.xpm=01;35:*.png=01;35:*.tif=01;35:
USERNAME=root
MAIL=/var/spool/mail/root
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:/root/bin
INPUTRC=/etc/inputrc
PWD=/usr/local/libexec
LANG=zh_CN.GB18030
SSH_ASKPASS=/usr/libexec/openssh/gnome-ssh-askpass
SHLVL=1
HOME=/root
LANGUAGE=zh_CN.GB18030:zh_CN.GB2312:zh_CN
BASH_ENV=/root/.bashrc
LOGNAME=root
SSH_CONNECTION=202.127.166.89 1962 202.127.166.35 22
LESSOPEN=|/usr/bin/lesspipe.sh %s
G_BROKEN_FILENAMES=1
_=/bin/env
About the configuration file: I also ran into this error when running slapd:
[root@weblserver root]# slapd -d 9
@(#) $OpenLDAP: slapd
root@weblserver:/home/liudan/openldap-
daemon_init: listen on ldap:///
daemon_init: 1 listeners to open...
ldap_url_parse_ext(ldap:///)
daemon: IPv6 socket() failed errno=97 (Address family not supported by protocol)
daemon: initialized ldap:///
daemon_init: 2 listeners opened
slapd init: initiated server.
slap_sasl_init: initialized!
bdb_back_initialize: initialize BDB backend
bdb_back_initialize: Sleepycat Software: Berkeley DB
>>> dnNormalize: <cn=Subschema>
=> ldap_bv2dn(cn=Subschema,0)
ldap_err2string
<= ldap_bv2dn(cn=Subschema)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(cn=subschema)=0 Success
<<< dnNormalize: <cn=subschema>
Unrecognized database type (ldbm)
database ldbm initialization failed.
slapd shutdown: freeing system resources.
slapd stopped.
connections_destroy: nothing to destroy.
Clearly the database type is wrong: "Unrecognized database type (ldbm)" means this slapd has no ldbm backend compiled in or loaded as a module, while the configuration asks for one. As I said earlier, OpenLDAP supports two databases, Berkeley DB and GDBM, and I installed Berkeley DB, so slapd.conf has to be changed to the bdb backend (note that this file must be set up before slapd is started):
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/corba.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/openldap.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/samba.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args
loglevel 296
# Load dynamic backend modules:
# modulepath /usr/local/libexec/openldap
# moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#######################################################################
# ldbm database definitions (wrong database type for this build, commented out; Berkeley DB is used instead)
#######################################################################
#database ldbm
#######################################################################
# bdb database definitions
#######################################################################
database bdb
suffix "dc=beic,dc=gov,dc=cn"
rootdn "cn=Manager,dc=beic,dc=gov,dc=cn"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# {MD5} is an unsalted scheme; slappasswd(8) emits {SSHA} by default, and a
# rootpw hash that has been published, as this one has, should be replaced anyway.
rootpw {MD5}r3RDekeTUB9T/HQ7yJ3+Og==
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /usr/local/var/openldap-data
# Indices to maintain
index objectClass eq
index cn,mail,sn eq,sub
index departmentNumber eq
cachesize 2000
# ACL configuration
# slapd applies the first 'access to' clause whose <what> matches, so the
# userPassword rule must precede 'access to *'. The 'by' clauses are
# continuation lines and must start with whitespace.
# 'by anonymous auth' lets a client bind with the password without reading it.
access to attr=userpassword
        by self write
        by anonymous auth
access to attr=mail
        by self write
        by anonymous auth
# No 'by users read' here: authenticated users other than the entry's own
# identity get no access at all (the implicit default is 'by * none').
access to *
        by self write
        by anonymous auth
Then run slapd again.
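The sample slapd.conf carries its own hardening notes in its comments (the file should not be world readable, rootpw should be hashed with slappasswd(8), the database directory must exist and should be mode 700), and the copy above still uses an unsalted {MD5} rootpw. The function below is an added example, not part of the original post or of OpenLDAP; it checks those three points against a slapd.conf path and returns the number of findings. The two configuration files that make_sample_confs writes are constructed for the demonstration, and their rootpw values are placeholders, not real hashes.

```shell
#!/bin/sh
# Added example: lint a slapd.conf for the three things its own comments ask for.
# lint_slapd_conf FILE -> prints one finding per line, returns the finding count.
lint_slapd_conf() {
    conf=$1
    findings=0

    # 1. rootpw scheme (directives matched lowercase, as written in the sample file)
    rootpw=$(sed -n 's/^[[:space:]]*rootpw[[:space:]]\{1,\}//p' "$conf" | head -n 1)
    rootpw=${rootpw#\"}; rootpw=${rootpw%\"}
    case $rootpw in
        '') ;;                               # no rootpw: nothing stored, nothing to flag
        "{SSHA}"*|"{CRYPT}"*) ;;             # salted; {SSHA} is what slappasswd(8) emits by default
        "{MD5}"*|"{SHA}"*)
            echo "rootpw: unsalted scheme $(printf '%s' "$rootpw" | sed 's/}.*/}/'); regenerate with slappasswd -h '{SSHA}'"
            findings=$((findings + 1)) ;;
        *)
            echo "rootpw: stored in cleartext; hash it with slappasswd(8)"
            findings=$((findings + 1)) ;;
    esac

    # 2. the file itself ("This file should NOT be world readable"): group/other bits
    case $(ls -ld "$conf" | cut -c5-10) in
        *r*) echo "$conf: readable by group/other; chmod 600 (it holds rootpw)"
             findings=$((findings + 1)) ;;
    esac

    # 3. the database directory ("MUST exist prior to running slapd ... Mode 700 recommended")
    datadir=$(sed -n 's/^[[:space:]]*directory[[:space:]]\{1,\}//p' "$conf" | head -n 1)
    datadir=${datadir#\"}; datadir=${datadir%\"}
    if [ -n "$datadir" ]; then
        if [ ! -d "$datadir" ]; then
            echo "$datadir: database directory does not exist; slapd will not start"
            findings=$((findings + 1))
        else
            case $(ls -ld "$datadir" | cut -c5-10) in
                *[rwx]*) echo "$datadir: not mode 700; group/other can reach the BDB files"
                         findings=$((findings + 1)) ;;
            esac
        fi
    fi
    return $findings
}

# make_sample_confs DIR: constructed weak.conf (unsalted rootpw, 644, data dir 755)
# and ok.conf (SSHA placeholder, 600, data dir 700). Hash values are placeholders.
make_sample_confs() {
    mkdir -p "$1/data-weak" "$1/data-ok"
    chmod 755 "$1/data-weak"; chmod 700 "$1/data-ok"
    cat > "$1/weak.conf" <<EOF
database bdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw {MD5}AAAAAAAAAAAAAAAAAAAAAA==
directory $1/data-weak
EOF
    chmod 644 "$1/weak.conf"
    cat > "$1/ok.conf" <<EOF
database bdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw {SSHA}placeholder-generated-by-slappasswd
directory $1/data-ok
EOF
    chmod 600 "$1/ok.conf"
}

# Stand-alone demonstration. On a real host: lint_slapd_conf /usr/local/etc/openldap/slapd.conf
T=$(mktemp -d)
make_sample_confs "$T"
for f in weak.conf ok.conf; do
    n=0; lint_slapd_conf "$T/$f" || n=$?
    echo "$f: $n finding(s)"
done
rm -rf "$T"
```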
About schema files: if you want to add a schema file, you can write your own (this requires your own registered OID arc; see http://www.openldap.org/doc/admin22/schema.html and http://www.openldap.org/faq/data/cache/197.html) or search Google for one. The samba.schema I added, for example, came from the ldap directory of the Samba source tree. Once found, copy the schema into /usr/local/etc/openldap/schema.