2010-02-26 17:30:20

Implementing Single Sign-On (SSO) on SuSE Linux (Part 3)

5.1.2 Installing the openldap host
  The openldap host plays several roles: master directory server, NFS server (exporting the users' home directories), HTTP server (browser-based directory management, which needs the phpldapadmin tool) and Kerberos slave server. Its configuration is therefore fairly involved.

I. Install and configure the master OpenLDAP service:

1). Install the following packages:
openldap2-client-2.2.24-4.12
openldap2-2.2.24-4.12
openldap2-devel-2.2.24-4.12

2). Configure:
# vim /etc/openldap/slapd.conf
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/rfc2307bis.schema
include         /etc/openldap/schema/yast.schema
include         /etc/openldap/schema/dnszone.schema

pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args

modulepath      /usr/lib/openldap/modules

access to dn.base=""
        by * read
access to dn.base="cn=Subschema"
        by * read
access to attr=userPassword,userPKCS12
        by self write
        by * auth
access to attr=shadowLastChange
        by self write
        by * read
access to *
        by * read

loglevel 0

TLSCertificateFile /etc/ssl/servercerts/servercert.pem
TLSCACertificatePath /etc/ssl/certs/
TLSCertificateKeyFile /etc/ssl/servercerts/serverkey.pem

database bdb
suffix "dc=MOODISK,dc=com"
rootdn "cn=Administrator,dc=MOODISK,dc=com"
rootpw "{ssha}beH49k63xYTqDMzIRKIZRLAWv2tGT1lTRg=="
directory /var/lib/ldap/MOODISK
checkpoint 1024 5
cachesize 10000
index objectClass,uidNumber,gidNumber eq
index member,mail eq,pres
index cn,displayname,uid,sn,givenname sub,eq,pres

replogfile "/tmp/ldapfile.log"
replica uri=ldap://ldapslave.MOODISK.com
        binddn="cn=Administrator,dc=MOODISK,dc=com"
        bindmethod=simple credentials=Hua123wei

# vim /etc/openldap/ldap.conf
TLS_REQCERT     allow
host    ldapserver.MOODISK.com
base    dc=MOODISK,dc=com

Notes on these settings. The rootpw is stored as a hash, but the replica stanza holds the rootdn's password in the clear (credentials=Hua123wei), so slapd.conf must be readable only by root and the ldap user (root:ldap, mode 0640 or stricter). slurpd does not need the master's rootdn either: the DN it binds with only has to match the updatedn configured on the slave. The replog under /tmp is also a poor choice: it records every change to the directory, password hashes included, and /tmp is writable by every local user; keep it under /var/lib/ldap or /var/lib/slurpd, where the slapd and slurpd users can reach it. In ldap.conf, TLS_REQCERT allow tells clients to proceed even when the server certificate cannot be verified, which gives up the protection StartTLS offers against a spoofed directory; once the CA certificate is installed under /etc/ssl/certs, set TLS_REQCERT demand.

3). Create the database directory: cd /var/lib/ldap; mkdir MOODISK; chown ldap:ldap MOODISK; cp -p DB_CONFIG ./MOODISK
4). Put the base content below (adjusted to your own naming) into /tmp/base.ldif and load it with slapadd -l /tmp/base.ldif. Run slapadd as the ldap user, or chown -R ldap:ldap /var/lib/ldap/MOODISK afterwards; otherwise the database files belong to root and slapd, which is started as user ldap in step 6, cannot open them. Before loading, review cn=userconfiguration: suseMinPasswordLength is 1 and susePasswordHash is CRYPT (traditional DES crypt, which only uses the first eight characters of a password). Raise the minimum length and choose a salted hash such as SSHA if LDAP userPassword values are ever used for authentication rather than the Kerberos KDC.
# LDIF Export for: dc=MOODISK,dc=com
# Server: MOODISK's LDAP Server (ldapserver.MOODISK.com)
# Search Scope: sub
# Search Filter: (objectClass=*)
# Total Entries: 22

dn: dc=MOODISK,dc=com
dc: MOODISK
o: MOODISK
objectClass: dcObject
objectClass: organization
objectClass: top

dn: ou=autofs,dc=MOODISK,dc=com
objectClass: organizationalUnit
ou: autofs

dn: nisMapName=auto.master,ou=autofs,dc=MOODISK,dc=com
objectClass: nisMap
nisMapName: auto.master

dn: cn=/apps,nisMapName=auto.master,ou=autofs,dc=MOODISK,dc=com
nisMapEntry: ldap ldapserver.MOODISK.com:nisMapName=auto.misc,ou=autofs,dc=MOODISK,dc=com
nisMapName: auto.master
objectClass: nisObject
objectClass: top
cn: /apps

dn: cn=/ldapusers,nisMapName=auto.master,ou=autofs,dc=MOODISK,dc=com
objectClass: nisObject
nisMapName: auto.master
nisMapEntry: ldap ldapserver.MOODISK.com:nisMapName=auto.mounts,ou=autofs,dc=MOODISK,dc=com
cn: /ldapusers

dn: nisMapName=auto.misc,ou=autofs,dc=MOODISK,dc=com
objectClass: nisMap
nisMapName: auto.misc

dn: cn=tools,nisMapName=auto.misc,ou=autofs,dc=MOODISK,dc=com
nisMapEntry: -fstype=nfs,rw nfsserver.MOODISK.com:/AppDir
objectClass: nisObject
nisMapName: auto.misc
description: This is directory which includes all applications
cn: tools

dn: nisMapName=auto.mounts,ou=autofs,dc=MOODISK,dc=com
objectClass: nisMap
nisMapName: auto.mounts

dn: ou=group,dc=MOODISK,dc=com
objectClass: top
objectClass: organizationalUnit
ou: group

dn: ou=ldapconfig,dc=MOODISK,dc=com
objectClass: top
objectClass: organizationalUnit
ou: ldapconfig

dn: cn=groupconfiguration,ou=ldapconfig,dc=MOODISK,dc=com
cn: groupconfiguration
objectClass: top
objectClass: suseModuleConfiguration
objectClass: suseGroupConfiguration
suseDefaultBase: ou=group,dc=MOODISK,dc=com
suseDefaultTemplate: cn=grouptemplate,ou=ldapconfig,dc=MOODISK,dc=com
suseMaxUniqueId: 60000
suseMinUniqueId: 10000
suseSearchFilter: objectclass=posixgroup
suseNextUniqueId: 10002

dn: cn=grouptemplate,ou=ldapconfig,dc=MOODISK,dc=com
cn: grouptemplate
objectClass: top
objectClass: suseObjectTemplate
objectClass: suseGroupTemplate
suseNamingAttribute: cn
susePlugin: UsersPluginLDAPAll

dn: ou=Mailserver,dc=MOODISK,dc=com
objectClass: organizationalUnit
ou: Mailserver

dn: cn=Mailserver,ou=ldapconfig,dc=MOODISK,dc=com
cn: Mailserver
objectClass: suseMailConfiguration
suseDefaultBase: ou=Mailserver,dc=MOODISK,dc=com
suseImapAdmin: cyrus
suseImapDefaultQuota: 10000
suseImapServer: localhost
suseImapUseSsl: FALSE

dn: cn=userconfiguration,ou=ldapconfig,dc=MOODISK,dc=com
cn: userconfiguration
objectClass: top
objectClass: suseModuleConfiguration
objectClass: suseUserConfiguration
suseDefaultBase: ou=people,dc=MOODISK,dc=com
suseDefaultTemplate: cn=usertemplate,ou=ldapconfig,dc=MOODISK,dc=com
suseMaxPasswordLength: 10
suseMaxUniqueId: 60000
suseMinPasswordLength: 1
suseMinUniqueId: 10000
susePasswordHash: CRYPT
suseSearchFilter: objectclass=posixaccount
suseSkelDir: /etc/skel
suseNextUniqueId: 10000

dn: cn=usertemplate,ou=ldapconfig,dc=MOODISK,dc=com
cn: usertemplate
objectClass: top
objectClass: suseObjectTemplate
objectClass: suseUserTemplate
suseNamingAttribute: uid
susePlugin: UsersPluginLDAPAll
susePlugin: UsersPluginMail
suseDefaultValue: homedirectory=/export/users/%uid
suseDefaultValue: loginshell=/bin/bash

dn: ou=people,dc=MOODISK,dc=com
objectClass: top
objectClass: organizationalUnit
ou: people
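The autofs entries in this base.ldif chain together the way the automounter reads them: auto.master names a submap for each top-level directory, and the submap entry carries the mount spec. As an added example, not code from the original post, the stand-alone Python below walks that chain for a path such as /apps/tools using a constructed excerpt of the LDIF above (plain attr: value lines only; base64 values are not handled). It assumes the nisMapEntry form used on the page, "ldap <host>:<map DN>", and also lists maps that are referenced but still empty, which is the state of auto.mounts here: /ldapusers resolves to nothing until home-directory entries are added under it.

```python
"""Resolve autofs mount points from the nisMap/nisObject entries in base.ldif.

Added example, not from the original post. It follows the same chain automount
does: auto.master -> nisMapEntry "ldap host:nisMapName=<submap>,..." -> submap key.
"""

# Constructed excerpt of the page's base.ldif: only the autofs subtree.
BASE_LDIF = """\
dn: nisMapName=auto.master,ou=autofs,dc=MOODISK,dc=com
objectClass: nisMap
nisMapName: auto.master

dn: cn=/apps,nisMapName=auto.master,ou=autofs,dc=MOODISK,dc=com
nisMapEntry: ldap ldapserver.MOODISK.com:nisMapName=auto.misc,ou=autofs,dc=MOODISK,dc=com
nisMapName: auto.master
objectClass: nisObject
cn: /apps

dn: cn=/ldapusers,nisMapName=auto.master,ou=autofs,dc=MOODISK,dc=com
objectClass: nisObject
nisMapName: auto.master
nisMapEntry: ldap ldapserver.MOODISK.com:nisMapName=auto.mounts,ou=autofs,dc=MOODISK,dc=com
cn: /ldapusers

dn: nisMapName=auto.misc,ou=autofs,dc=MOODISK,dc=com
objectClass: nisMap
nisMapName: auto.misc

dn: cn=tools,nisMapName=auto.misc,ou=autofs,dc=MOODISK,dc=com
nisMapEntry: -fstype=nfs,rw nfsserver.MOODISK.com:/AppDir
objectClass: nisObject
nisMapName: auto.misc
description: This is directory which includes all applications
cn: tools

dn: nisMapName=auto.mounts,ou=autofs,dc=MOODISK,dc=com
objectClass: nisMap
nisMapName: auto.mounts
"""


def parse_ldif(text):
    """Minimal LDIF reader: blank line ends an entry, a leading space folds a
    value onto the previous line, '#' starts a comment. No base64 ('::') values."""
    entries, current, last_attr = [], None, None
    for raw in text.splitlines() + [""]:        # trailing "" flushes the last entry
        if raw.startswith("#"):
            continue
        if raw == "":
            if current:
                entries.append(current)
            current, last_attr = None, None
            continue
        if raw.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += raw[1:]    # folded continuation line
            continue
        attr, _, value = raw.partition(":")
        if current is None:
            current = {}
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    return entries


def map_entries(entries, map_name):
    """Return {key: nisMapEntry} for the nisObject entries of one autofs map."""
    found = {}
    for entry in entries:
        if "nisObject" not in entry.get("objectClass", []):
            continue
        if entry["nisMapName"][0].lower() == map_name.lower():
            found[entry["cn"][0]] = entry["nisMapEntry"][0]
    return found


def resolve(entries, path):
    """Return the mount spec automount would use for an absolute path, or None."""
    top, _, key = path.strip("/").partition("/")
    master_spec = map_entries(entries, "auto.master").get("/" + top)
    if master_spec is None:
        return None                                  # no mount point for this directory
    kind, _, location = master_spec.partition(" ")   # "ldap <host>:<map DN>"
    if kind != "ldap":
        return None                                  # only LDAP submaps handled here
    _host, _, map_dn = location.partition(":")
    submap = map_dn.split(",", 1)[0].split("=", 1)[1]   # nisMapName=auto.misc -> auto.misc
    return map_entries(entries, submap).get(key)


def empty_maps(entries):
    """Names of nisMap entries that have no nisObject children yet."""
    names = [e["nisMapName"][0] for e in entries if "nisMap" in e.get("objectClass", [])]
    return sorted(n for n in names if not map_entries(entries, n))


if __name__ == "__main__":
    db = parse_ldif(BASE_LDIF)
    for p in ("/apps/tools", "/ldapusers/alice"):
        print(p, "->", resolve(db, p))
    print("empty maps:", empty_maps(db))
```

Running it prints the NFS spec for /apps/tools, None for /ldapusers/alice, and auto.mounts as the only empty map; the same walk against a live server is what a failing automount of /ldapusers should be checked with first.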

5). Export the directory contents (needed when building the slave directory server):
# slapcat -l /tmp/master.ldif
The export holds the complete directory, password hashes included: copy it to the slave over a protected channel and delete it from /tmp afterwards.

6). Start the directory service:
# insserv -v /etc/init.d/ldap,start=3,5; /usr/lib/openldap/slapd -h ldap:/// -u ldap -g ldap
-- from this point every change to the directory is also written to /tmp/ldapfile.log, the replog that slurpd consumes. The ldap:/// listener serves plain LDAP on port 389, with StartTLS available through the TLS* directives above; add ldaps:/// only if a client needs LDAP over SSL on 636.

7). Start the replication service:
# insserv -v /etc/init.d/slurpd,start=3,5; /usr/lib/openldap/slurpd -t /var/lib/slurpd
-- slurpd reads the replog, moves its contents into /var/lib/slurpd/replica and applies the changes to the slave directory. slurpd and the replica/replogfile directives exist only up to OpenLDAP 2.3; from 2.4 on replication is done with syncrepl, so on a newer SuSE release this step becomes a syncrepl consumer on the slave.

8). Add SRV records for LDAP to the DNS server (normally in the forward zone file):
_ldap._tcp IN SRV 10 1 389 ldapserver.MOODISK.com.
_ldap._tcp IN SRV 12 2 389 ldapslave.MOODISK.com.
The fields are priority, weight, port and target: clients try the record with the lowest priority first, so the master at priority 10 is used while it answers and the slave at 12 only when it does not; weight only spreads load between records of equal priority.
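The access directives in the slapd.conf above decide who can read or change each attribute, and their order matters. As an added example, not code from the original post, the stand-alone Python below evaluates those directives the way slapd does: the first access-to clause whose target selector matches wins, inside it the first by clause whose requester selector matches wins, and the level it grants must cover the level the operation needs. It parses a constructed copy of the page's access block; the entry DNs uid=alice and uid=bob under ou=people are assumed for illustration. It also shows the classic mistake of placing access to * before the userPassword rule, which makes every password hash readable by anyone.

```python
"""Evaluate the access directives from slapd.conf against sample requests.

Added example, not from the original post. Two rules decide every check:
  1. the first 'access to' clause whose <what> matches the target wins;
  2. inside it the first 'by' clause whose <who> matches the requester wins,
     and access is granted only if that clause's level covers the one needed.
A clause that matches the target but none of whose 'by' lines match the
requester denies (implicit 'by * none'); so does a target no clause matches.
"""
import re

# Constructed copy of the access directives in the page's slapd.conf.
SLAPD_ACLS = """\
access to dn.base=""
        by * read
access to dn.base="cn=Subschema"
        by * read
access to attr=userPassword,userPKCS12
        by self write
        by * auth
access to attr=shadowLastChange
        by self write
        by * read
access to *
        by * read
"""

# Access levels in increasing order; a granted level implies every lower one.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def parse_acls(text):
    """Return [{'what': ..., 'by': [(who, level), ...]}, ...] in file order."""
    acls = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("access to "):
            acls.append({"what": line[len("access to "):].strip(), "by": []})
        elif line.startswith("by "):
            _, who, level = line.split(None, 2)
            acls[-1]["by"].append((who, level))
    return acls


def what_matches(what, target_dn, attr):
    """Does a <what> selector cover (target_dn, attr)? attr is None for entry-level ops."""
    if what == "*":
        return True
    m = re.fullmatch(r'dn\.base="(.*)"', what)
    if m:                                   # exact DN match; the root DSE is ""
        return target_dn.lower() == m.group(1).lower()
    if what.startswith("attr="):
        names = {a.lower() for a in what[len("attr="):].split(",")}
        return attr is not None and attr.lower() in names
    raise ValueError("selector not handled in this example: " + what)


def who_matches(who, bind_dn, target_dn):
    """Does a <who> selector cover the requester? bind_dn is None when anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    raise ValueError("selector not handled in this example: " + who)


def check_access(acls, bind_dn, target_dn, attr, level):
    """True if the requester may perform an operation needing `level` on (target_dn, attr)."""
    for acl in acls:
        if not what_matches(acl["what"], target_dn, attr):
            continue
        for who, granted in acl["by"]:
            if who_matches(who, bind_dn, target_dn):
                return LEVELS.index(granted) >= LEVELS.index(level)
        return False          # target matched, requester did not: implicit 'by * none'
    return False              # nothing matched: deny


def access_matrix(acls, target_dn, attr):
    """Who may authenticate against / read / write one attribute of one entry."""
    requesters = {"anonymous": None, "self": target_dn,
                  "other user": "uid=bob,ou=people,dc=MOODISK,dc=com"}   # assumed DN
    return {name: {lvl: check_access(acls, dn, target_dn, attr, lvl)
                   for lvl in ("auth", "read", "write")}
            for name, dn in requesters.items()}


if __name__ == "__main__":
    acls = parse_acls(SLAPD_ACLS)
    alice = "uid=alice,ou=people,dc=MOODISK,dc=com"      # assumed DN
    for attr in ("userPassword", "shadowLastChange", "loginShell"):
        print(attr, access_matrix(acls, alice, attr))
    # Ordering matters: with "access to *" moved to the top it shadows the
    # password rule and anyone can read every userPassword hash.
    shadowed = parse_acls("access to *\n by * read\n" + SLAPD_ACLS)
    print("anonymous can read userPassword once 'access to *' comes first:",
          check_access(shadowed, None, alice, "userPassword", "read"))
```

The matrix for loginShell is worth a look: the page's final access to * clause grants read to everyone but write to nobody except the rootdn, so users cannot change their own shell or home directory through LDAP; if that is wanted, a by self write line has to come before by * read in that clause.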

II. Install the Kerberos slave server:
1). Install the following packages:
heimdal-lib-0.6.1rc3-55.15
heimdal-devel-0.6.1rc3-55.15
heimdal-tools-0.6.1rc3-55.9
heimdal-0.6.1rc3-55.18

2). Configure:
# vim /etc/krb5.conf (same content as on the Kerberos master)
[libdefaults]
        clockskew = 300
        default_realm = MOODISK.COM

[realms]
        MOODISK.COM = {
                kdc = krb5server.MOODISK.com
                default_domain = MOODISK.com
                admin_server = krb5server.MOODISK.com
                kpasswd_server = krb5server.MOODISK.com
        }

[domain_realm]
        .MOODISK.com = MOODISK.COM

[logging]
        default = SYSLOG:NOTICE:DAEMON
        kdc = FILE:/var/log/kdc.log
        kadmind = FILE:/var/log/kadmind.log

[appdefaults]
pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
        forwardable = true
        proxiable = false
        retain_after_close = false
        minimum_uid = 0
        debug = false
}

# ktutil get -p root/admin hprop/krb5slave.MOODISK.com@MOODISK.COM
-- Every slave needs its own database directory, the master key (if one is in use) and a keytab holding its hprop/ principal; ktutil get creates that principal on the master through the admin server and writes its key into the slave's keytab. The instance must be the host's canonical name, not a CNAME alias.

# mkdir /var/heimdal
# vim /etc/xinetd.d/hpropd
service hprop
{
        socket_type             = stream
        protocol                = tcp
        wait                    = no
        port                    = 754
        user                    = root
        server                  = /usr/sbin/hpropd
        disable                 = no
}

-- xinetd listens on port 754 and starts hpropd for each connection
# vim /etc/services (change the line "tell 754/tcp" to "hprop 754/tcp"; xinetd looks the service name up in /etc/services unless the stanza says type = UNLISTED)
# insserv -v /etc/init.d/xinetd,start=3,5; rcxinetd reload
Because a successful hprop replaces the slave's whole database, add only_from = <address of the master KDC> to the stanza above so that only the master can connect at all, on top of the Kerberos authentication hprop performs itself.

III. Install and configure the NFS server:
1). Install the following packages:
yast2-nfs-server-2.9.9-23.2
sblim-cmpi-nfsv4-1.0.10-0.2
yast2-nfs-client-2.9.11-23.2
nfs-utils-1.0.6-103.23

2). Configure:
# vim /etc/exports
/export/users      *(rw,no_root_squash,sync)
/apps  *(ro,root_squash,sync)
As written, the home directories are exported read-write to every host with root squashing turned off: root on any machine that can reach the NFS port becomes root on /export/users and can alter any user's files or drop setuid binaries there. Replace the * with the list of SSO client hosts or their subnet; keep no_root_squash only if the clients' root really has to create home directories on this export, and leave the read-only /apps with root_squash.

3). Start the NFS service:
# insserv -v /etc/init.d/nfslock,start=3,5 /etc/init.d/nfsserver,start=3,5; rcnfsserver restart
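As an added example, not from the original post, the Python below parses the exports(5) syntax (a path followed by one or more client(options) specs) and flags what the two lines above expose: a client list of * and no_root_squash on a read-write export. The hardened variant with the 192.0.2.0/24 client subnet is an assumption for illustration; it keeps no_root_squash on /export/users for the case where the clients' root has to create home directories there, so the audit still reports that residual risk, which the client list now contains.

```python
"""Audit /etc/exports for world-wide exports and disabled root squashing.

Added example, not from the original post: a parser for the exports(5) line
format plus the two checks that matter for the home-directory export above.
"""
import re

# Constructed copy of the two export lines from the page's /etc/exports.
PAGE_EXPORTS = """\
/export/users      *(rw,no_root_squash,sync)
/apps  *(ro,root_squash,sync)
"""

# Hypothetical hardened version (the 192.0.2.0/24 client subnet is an assumption):
# the subnet replaces '*'; root stays squashed on the read-only tree.
HARDENED_EXPORTS = """\
/export/users  192.0.2.0/24(rw,no_root_squash,sync)
/apps          192.0.2.0/24(ro,root_squash,sync)
"""

# "client(opt,opt)" or just "client"; a bare "(opt)" means every host.
SPEC_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")


def parse_exports(text):
    """Return [(path, client, [options]), ...]; a missing client is recorded as '*'."""
    result = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            m = SPEC_RE.match(spec)
            client = m.group(1) or "*"
            options = [o for o in (m.group(2) or "").split(",") if o]
            result.append((path, client, options))
    return result


def audit_exports(text):
    """Return one finding per risky (path, client) pair; an empty list means clean."""
    findings = []
    for path, client, options in parse_exports(text):
        writable = "rw" in options
        root_unsquashed = "no_root_squash" in options
        if client == "*":
            findings.append(f"{path}: exported to every host; list the client hosts or subnet")
        if root_unsquashed and writable:
            findings.append(f"{path}: rw with no_root_squash: root on any allowed client is root "
                            "on this tree (can plant setuid files in users' home directories)")
        elif root_unsquashed:
            findings.append(f"{path}: no_root_squash on a read-only export is unnecessary")
    return findings


if __name__ == "__main__":
    for name, text in (("page", PAGE_EXPORTS), ("hardened", HARDENED_EXPORTS)):
        print(name + ":")
        for finding in audit_exports(text) or ["no findings"]:
            print("  " + finding)
```

Run against the real file with audit_exports(open("/etc/exports").read()) after every change to it; exportfs -v then shows the options the kernel actually applied, which is the value to compare against.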

5.1.3 Configuring the management console
I. Install the HTTP server and the phpldapadmin directory management tool (only one host needs this):
1). Install the following packages:
apache2-mod_perl-1.99_12_20040302-38.1
apache2-2.0.49-27.38
apache2-prefork-2.0.49-27.38
apache2-mod_php4-4.3.4-43.46.3
apache2-doc-2.0.49-27.29
apache2-devel-2.0.49-27.34
php4-gettext-4.3.4-43.8
php4-session-4.3.4-43.46.3
php4-4.3.4-43.46.3
php4-ldap-4.3.4-43.8

2). Download the open-source package phpldapadmin-0.9.8.2.tar.gz and unpack it into /srv/www/phpldapadmin

3). Configure phpldapadmin:
# cd /srv/www/phpldapadmin/config; cp config.php.example config.php
# vim config.php
$ldapservers->SetValue($i,'server','name','MOODISK\'s LDAP Server');
$ldapservers->SetValue($i,'server','host','ldapserver.MOODISK.com');
$ldapservers->SetValue($i,'server','port','389');
$ldapservers->SetValue($i,'server','base',array('dc=MOODISK,dc=com'));

4). Configure apache:
# yast http-server --> Alt+E (enable) --> enable the php4 module
# vim /etc/apache2/httpd.conf
……
DirectoryIndex index.html index.php index.html.var
……
# vim /etc/apache2/default-server.conf
……
DocumentRoot "/srv/www/phpldapadmin"
……
With phpldapadmin as the default document root, everyone who can reach port 80 on this host gets the directory management interface, and the LDAP bind password is posted in its login form; limit access to the administrators' addresses in a Directory block and serve the site over HTTPS only.

5). Configure SSH so that users obtain a ticket automatically at login:
# vim /etc/ssh/sshd_config
PasswordAuthentication yes
ChallengeResponseAuthentication no
KerberosAuthentication yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
KerberosAuthentication yes makes sshd verify a typed password against the KDC and leave the resulting TGT in the session, which KerberosTicketCleanup removes at logout. KerberosOrLocalPasswd yes falls back to the local password database when the KDC rejects the user; that keeps root and other local accounts usable while the KDC is down, but it also means a local password is a second way in. GSSAPIAuthentication yes lets a user who already holds a ticket log in without a password; a ticket then exists on this host only if the client delegates it (GSSAPIDelegateCredentials yes in ssh_config, or ssh -K), and only a forwardable TGT can be delegated, which is what forwardable = true in the pam section of krb5.conf above provides. GSSAPICleanupCredentials yes removes a delegated ticket at logout.

6). Deploy the grant, revoke and root-password-change scripts:
Copy menu.sh, grant, revoke and repasswd to a directory of your choice.

7). Restart the HTTP service:
# apache2ctl restart