OPENLDAP

awenhaowenchao

浏览: 71903 次
性别:
来自: 北京

最近访客更多访客>>

c_kh_zfb

maochong2009

vanber

belllab

博主相关

博客

微博

相册

留言

关于我

文章分类

社区版块

存档分类

博客分类：

中间件

OPENLDAP 上品折扣集群

之前用一周时间为上品折扣公司搭建了CAS+APACHEDS的SSO，后来发现，APACHEDS在很多方面存在不足，尤其是集群方面，故又花了一周时间安装了openldap集群。
下面是遇到的一些问题及解决方案：

安装OPENLDAP步骤

下载OPENLDAP并安装
下载地址：http://www.openldap.org/software/download/
下载版本包括发布版本和稳定版本
安装OPENLDAP遇到的问题
在/usr/local目录下执行如下命令：
tar -zxf openldap-2.4.26
cd openldap2.4.26
./configure
出现configure error
configure: error: MozNSS not found - please specify the location to the NSPR and NSS header files in CPPFLAGS and the location to the NSPR and NSS libraries in LDFLAGS (if not in the system location)
上述error表示表示编译OPENLDAP需要其他依赖库，即OPENSSL和BerkeleyDB
下载OPENSSL，目前版本最新的SSL地址为http://www.openssl.org/source/openssl-1.0.0e.tar.gz
下载BerkeleyDB
安装OPENSSL 查看openssl版本信息openssl version -a
1，解压到/usr/local目录下tar -zxf openssl-1.0.0e.tar.gz
，cd openssl-1.0.0e
3，./config（注意：执行./Configure提示执行./config）
4，make
5，sudo make install
6，ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
安装BerkeleyDB
tar -zxvf db-5.2.36.tar.gz
1，cd db-5.2.36??
2，cd build_unix
3，../dist/configure
4，make
5，sudo make install
配置/etc/ld.so.conf文件
ld.so.conf文件配置了需要读入告诉缓存中的动态函数库所在目录
重新配置ld.so.conf后，在命令行执行ldconfig命令生效
注意：如果编译OPENLDAP的时候依然出现BDB错误，可以使用如下方式：
sudo cp /usr/local/BerkeleyDB.5.2/include/* /usr/include
sudo cp /usr/local/BerkeleyDB.5.2/lib/* /usr/lib
重新安装OPENLDAP

il IL

CD openldap-2.4.26

export LD_LIBRARY_PATH="/usr/local/db-5.2.36/build_unix/.libs"
export CPPFLAGS="-I/usr/local/BerkeleyDB.5.2/include"
export LDFLAGS="-L/usr/local/BerkeleyDB.5.2/lib"
export CPPFLAGS="-I/usr/local/ssl/include"
export LDFLAGS="-L/usr/local/ssl/lib"

sudo ./configure --with-tls=openssl –enable-dynamic

sudo make depend??　??(??构建依赖关系??)
sudo make
sudo make install (su root -c 'make install')
OPENLDAP启动
/usr/local/libexec/slapd -d 256
注意：如果报找不到openssl的以来类库的错误，请将安装的openssl的lib中的libssl.so.1.0.0 libcrypto.so.1.0.0拷贝到/usr/lib中
OPENLDAP关闭
kill -INT ' cat /usr/local/var/run/slapd.pid'

创建OPENLDAP服务
出现:

515002de @(#) $OpenLDAP: slapd 2.4.28 (Mar 25 2013 15:53:52) $
        root@web133:/usr/local/openldap-2.4.28/servers/slapd
515002de bdb_db_open: warning - no DB_CONFIG file found in directory /usr/local/var/openldap-data: (2).
Expect poor performance for suffix "dc=my-domain,dc=com".
515002de bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
515002de slapd starting

解决方式:cd /usr/local/var/openldap-data/
cp DB_CONFIG.example DB_CONFIG

在/etc/init.d下创建slapd文件，slapd文件主要包含start、stop命令，内容如下:


#!/bin/bash
#   chkconfig:   2345   85   15 
#   description: OpenLdap Service
start() {
    echo "Starting OPENLDAP..."
         COMMAND_LINE="/usr/local/libexec/slapd -d 256"
   nohup  $COMMAND_LINE &

}

case "$1" in

    
    'start')
     start
        echo "Usage: ..."
        exit 1
        ;;
    'stop')
	echo Stop OpenLdap .....
	for i in ` ps -ef | grep -w slapd |grep -v grep |awk '{print $2}'`;do 
				kill -9 $i
	done
	echo Stop OpenLdap Secuessed....
	;;
esac

exit 0

     chkconfig --add slapd
     cd /etc/init.d/
     chmod 755 slapd
     ./slapd
     service slapd stop
     service slapd start

此外大家需要根据公司业务的需要进行基于openldap的schema的扩展，来适应公司业务。
本人自己扩展的schema，/usr/local/etc/openldap/schema/user.schema内容如下：

attributeType ( shopinAttributeType:1 NAME 'displayOrder'
      DESC 'sort a list'
      EQUALITY integerMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
      SINGLE-VALUE )

attributeType ( shopinAttributeType:2 NAME 'status'
      EQUALITY integerMatch
      DESC 'sign status of a person or department normal or others'
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
      SINGLE-VALUE )

attributeType ( shopinAttributeType:3 NAME 'erpId'
      DESC 'the code of the dept in ERP-HR'
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

attributeType ( shopinAttributeType:4 NAME 'parentNo'
      DESC 'the number of the parent orgnization'
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

#attributeType ( shopinAttributeType:5 NAME 'titleName'
#      DESC 'the name of title'
#      SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )


attributeType ( shopinAttributeType:6 NAME 'belongTitleDN'
      DESC 'the distinguishedName of title'
      SUP distinguishedName )

attributetype ( shopinAttributeType:7 NAME 'systemOccupant'
	DESC 'occupant of shopin system'
	SUP distinguishedName )

objectclass	( shopinObjectClass:1
    NAME 'shopin-inetOrgPerson'
	DESC 'shopin Internet Organizational Person'
    SUP inetOrgPerson
    STRUCTURAL
	MAY (
		audio $ businessCategory $ carLicense $ departmentNumber $
		displayName $ employeeNumber $ employeeType $ givenName $
		homePhone $ homePostalAddress $ initials $ jpegPhoto $
		labeledURI $ mail $ manager $ mobile $ o $ pager $
		photo $ roomNumber $ secretary $ uid $ userCertificate $
		x500uniqueIdentifier $ preferredLanguage $
		userSMIMECertificate $ userPKCS12 $ status $ 
		displayOrder $ belongTitleDN)
	)

objectclass ( shopinObjectClass:2
	NAME 'shopin-organization'
	DESC 'an shopin organization'
	SUP organization
	MUST ( o $ displayName )
	MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $
		x121Address $ registeredAddress $ destinationIndicator $
		preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
		telephoneNumber $ internationaliSDNNumber $ 
		facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $
		postalAddress $ physicalDeliveryOfficeName $ st $ l $ description $ status $ 
		displayOrder $ erpId $ parentNo) )

objectclass ( shopinObjectClass:3 NAME 'shopin-groupOfNames'
	DESC 'a group of names (DNs)'
	SUP top STRUCTURAL
	MUST ( cn $ displayName)
	MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description 
	$ member $ status ) )

objectclass ( shopinObjectClass:4 NAME 'shopin-duty'
	DESC 'duty info in shopin'
	SUP top STRUCTURAL
	MUST ( cn $ title )
	MAY ( description $ status $ o) )

objectclass ( shopinObjectClass:5 NAME 'shopin-organizationalRole'
	DESC 'an orgnizational role of shopin'
	SUP organizationalRole
	MUST ( cn $ displayName)
	MAY ( x121Address $ registeredAddress $ destinationIndicator $ 
		preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ 
		telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $ 
		seeAlso $ roleOccupant $ preferredDeliveryMethod $ street $ 
		postOfficeBox $ postalCode $ postalAddress $ 
		physicalDeliveryOfficeName $ ou $ st $ l $ description $ status) )

objectclass ( shopinObjectClass:6 NAME 'shopin-system'
	DESC 'system info in shopin'
	SUP top STRUCTURAL
	MUST ( cn $ displayName )
	MAY ( description $ status $ systemOccupant) )

目前使用的集群方式为mirror mode方式，也即使用了openldap自身的HA，当然最好在前端使用lvs进行负载均衡。
/usr/local/etc/openldap/slapd.conf文件内容如下：

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include		/usr/local/etc/openldap/schema/core.schema
include		/usr/local/etc/openldap/schema/corba.schema
include		/usr/local/etc/openldap/schema/cosine.schema
include		/usr/local/etc/openldap/schema/inetorgperson.schema
include		/usr/local/etc/openldap/schema/java.schema
include		/usr/local/etc/openldap/schema/nis.schema
include		/usr/local/etc/openldap/schema/misc.schema
#include		/usr/local/etc/openldap/schema/mail.schema
include		/usr/local/etc/openldap/schema/openldap.schema

#define user's oid and schema
objectIdentifier shopinOID 1.1
objectIdentifier shopinSNMP shopinOID:1
objectIdentifier shopinLDAP shopinOID:2
objectIdentifier shopinAttributeType shopinLDAP:1
objectIdentifier shopinObjectClass shopinLDAP:2

include		/usr/local/etc/openldap/schema/user.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral	ldap://root.openldap.org

pidfile		/usr/local/var/run/slapd.pid
argsfile	/usr/local/var/run/slapd.args

# Load dynamic backend modules:
# modulepath	/usr/local/libexec/openldap
# moduleload	back_bdb.la
# moduleload	back_hdb.la
# moduleload	back_ldap.la

# Sample security restrictions
#	Require integrity protection (prevent hijacking)
#	Require 112-bit (3DES or better) encryption for updates
#	Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#	Root DSE: allow anyone to read it
#	Subschema (sub)entry DSE: allow anyone to read it
#	Other DSEs:
#		Allow self write access
#		Allow authenticated users read access
#		Allow anonymous users to authenticate
#	Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#	by self write
#	by users read
#	by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# BDB database definitions
#######################################################################

database	bdb
suffix		"dc=shopin,dc=net"
rootdn		"cn=Manager,dc=shopin,dc=net"
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw		secret
# The database directory MUST exist prior to running slapd AND 
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory	/usr/local/var/openldap-data
# Indices to maintain
index	objectClass	eq


overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100


# 全球部分
serverID    3
# 数据库部分

# syncrepl参数
syncrepl      rid=001
              provider=ldap://172.16.103.190:389
              bindmethod=simple
              binddn="cn=Manager,dc=shopin,dc=net"
              credentials=secret
              searchbase="dc=shopin,dc=net"
              schemachecking=on
              type=refreshAndPersist
              retry="60 +"
              
syncrepl      rid=002
              provider=ldap://172.16.100.26:389
              bindmethod=simple
              binddn="cn=Manager,dc=shopin,dc=net"
              credentials=secret
              searchbase="dc=shopin,dc=net"
              schemachecking=on
              type=refreshAndPersist
              retry="60 +"
              
syncrepl      rid=003
              provider=ldap://172.16.200.55:389
              bindmethod=simple
              binddn="cn=Manager,dc=shopin,dc=net"
              credentials=secret
              searchbase="dc=shopin,dc=net"
              schemachecking=on
              type=refreshAndPersist
              retry="60 +"


mirrormode on

0
顶

1
踩

分享到：

oracle中delete与trucate | ORACLE分页效率

2012-05-09 20:38
浏览 8616
评论(3)
分类:开源软件
查看更多

3 楼 L-xxyy 2015-12-28

请问楼主，你有没有碰到过openldap数据被锁定的情况，只有重启服务器才能解除锁定。数据被锁定时只能查看，不能修改。

2 楼 awenhaowenchao 2013-06-04

kevinpan45 写道

问一下你这段的定义是为了什么

#define user's oid and schema  
objectIdentifier shopinOID 1.1  
objectIdentifier shopinSNMP shopinOID:1  
objectIdentifier shopinLDAP shopinOID:2  
objectIdentifier shopinAttributeType shopinLDAP:1  
objectIdentifier shopinObjectClass shopinLDAP:2

你自定义的schema直接include是否可用，我的schema在2.2版本下直接include就可以用了，在2.4下没效果

因为是非标准oid，我用objectIdentifier shopinOID 1.1 定义了自己的oid，后面采用objectIdentifier shopinSNMP shopinOID:1，将来如果修改只需要修改shopinOID即可，而shopinObjectClass、shopinAttributeType在user.schema中使用了
我在openldap-2.4.26 可以使用

1 楼 kevinpan45 2013-05-27

问一下你这段的定义是为了什么

#define user's oid and schema  
objectIdentifier shopinOID 1.1  
objectIdentifier shopinSNMP shopinOID:1  
objectIdentifier shopinLDAP shopinOID:2  
objectIdentifier shopinAttributeType shopinLDAP:1  
objectIdentifier shopinObjectClass shopinLDAP:2

你自定义的schema直接include是否可用，我的schema在2.2版本下直接include就可以用了，在2.4下没效果

发表评论

您还没有登录,请您登录后再发表评论

最近访客更多访客>>

博主相关

文章分类

社区版块

存档分类

最新评论

OPENLDAP

评论

发表评论

相关推荐

最近访客 更多访客>>

博主相关

文章分类

社区版块

存档分类

最新评论

OPENLDAP

评论

发表评论

相关推荐

Kakfa线上问题

最近访客更多访客>>