OpenLDAP Installation Guide


Background

In an enterprise, if you need unified account management, LDAP or a Windows AD domain are the usual options.

PostgreSQL also supports LDAP as an authentication method.

This article first covers how to install the LDAP server packages on Linux.

RPM installation

# rpm -qa|grep openldap
openldap-debuginfo-2.4.23-32.el6_4.1.x86_64
openldap-2.4.23-32.el6_4.1.x86_64
compat-openldap-2.3.43-2.el6.x86_64
openldap-clients-2.4.23-32.el6_4.1.x86_64
openldap-servers-sql-2.4.23-32.el6_4.1.x86_64
openldap-servers-2.4.23-32.el6_4.1.x86_64
openldap-devel-2.4.23-32.el6_4.1.x86_64

Source installation

1. Download the OpenLDAP stable release

# wget ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-2.4.39.tgz

2. Install the dependencies

For full LDAPv3 compatibility the following dependencies must be installed; the recommended versions are listed at

http://www.openldap.org/doc/admin24/appendix-recommended-versions.html

2.1 TLS (Transport Layer Security) service dependencies; required on both the OpenLDAP client and the server.

OpenSSL, GnuTLS, or Mozilla NSS (choose one)

OpenSSL is available from http://www.openssl.org/. 
GnuTLS is available from http://www.gnu.org/software/gnutls/. 
Mozilla NSS is available from http://developer.mozilla.org/en/NSS.

Install OpenSSL

# wget http://www.openssl.org/source/openssl-1.0.1g.tar.gz
# tar -zxvf openssl-1.0.1g.tar.gz
# cd openssl-1.0.1g

Read INSTALL and README

# ./config --prefix=/usr/local --openssldir=/usr/local/ssl
# make
# make install

2.2 SASL (Simple Authentication and Security Layer) service dependencies; required on both the OpenLDAP client and the server.

Cyrus SASL

http://asg.web.cmu.edu/sasl/sasl-library.html

Install SASL

# wget ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/cyrus-sasl-2.1.25.tar.gz
# tar -zxvf cyrus-sasl-2.1.25.tar.gz
# cd cyrus-sasl-2.1.25

Read INSTALL and README

# ./configure
# make
# make install
********************************************************
* WARNING:
* Plugins are being installed into /usr/local/lib/sasl2,
* but the library will look for them in /usr/lib/sasl2.
* You need to make sure that the plugins will eventually
* be in /usr/lib/sasl2 -- the easiest way is to make a
* symbolic link from /usr/lib/sasl2 to /usr/local/lib/sasl2,
* but this may not be appropriate for your site, so this
* installation procedure won't do it for you.
*
* If you don't want to do this for some reason, you can
* set the location where the library will look for plugins
* by setting the environment variable SASL_PATH to the path
* the library should use.
********************************************************
make[2]: Nothing to be done for `install-data-am'.
make[2]: Leaving directory `/opt/soft_bak/cyrus-sasl-2.1.25'
make[1]: Leaving directory `/opt/soft_bak/cyrus-sasl-2.1.25'
[root@db-172-16-3-150 cyrus-sasl-2.1.25]# ln -s /usr/local/lib/sasl2 /usr/lib/sasl2

A mismatched SASL version may cause slapd to fail to start; check /var/log/messages for:

slapd[15107]: auxpropfunc error version mismatch with plug-in

2.3 Kerberos Authentication Service

Heimdal or MIT Kerberos V libraries (choose one)

Heimdal Kerberos is available from http://www.pdc.kth.se/heimdal/. 
MIT Kerberos is available from http://web.mit.edu/kerberos/www/.

Install the MIT Kerberos V libraries

# wget http://web.mit.edu/kerberos/www/dist/krb5/1.12/krb5-1.12.1-signed.tar
# tar -xvf krb5-1.12.1-signed.tar 
# tar -zxvf krb5-1.12.1.tar.gz
# cd krb5-1.12.1
# cd src
# ./configure
# make
# make install

2.4 Database Software

OpenLDAP’s slapd BDB and HDB primary database backends require Oracle Corporation Berkeley DB

Berkeley DB download page http://www.oracle.com/technology/software/products/berkeley-db/index.html

http://docs.oracle.com/cd/E17076_03/html/installation/index.html

Download

http://download.oracle.com/otn/berkeley-db/db-6.0.30.tar.gz

Install

# tar -zxvf db-6.0.30.tar.gz
# cd db-6.0.30
# cd build_unix
# ../dist/configure --prefix=/opt/bdb6 --enable-sql
# make
# make install

2.5 Threads

OpenLDAP supports POSIX pthreads, Mach CThreads, and a number of other varieties.

2.6 TCP Wrappers

slapd supports TCP Wrappers (IP level access control filters) if preinstalled.

2.7 Configure ld.so.conf

# vi /etc/ld.so.conf
include ld.so.conf.d/*.conf
/usr/local/lib
/usr/lib/sasl2
/opt/bdb6/lib
# ldconfig 

2.8 Install OpenLDAP

# tar -zxvf openldap-2.4.39.tgz
# cd openldap-2.4.39
# ./configure --help
# ./configure --prefix=/opt/openldap-2.4.39 --with-threads --with-tls --with-cyrus-sasl
# make depend
# make
# make install
# export MANPATH=/opt/openldap-2.4.39/share/man:$MANPATH
# export PATH=/opt/openldap-2.4.39/bin:/opt/openldap-2.4.39/sbin:$PATH
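As an added example (not part of the original post), a small POSIX sh helper that checks the pitfalls the steps above run into: the compiler and linker variables from Table 4.1 for the non-default prefixes, the ld.so.conf entries from step 2.7, the Cyrus SASL plugin directory from the warning in step 2.2, and the version-mismatch message in /var/log/messages. The prefixes /usr/local and /opt/bdb6 are the post's own; the function names and the SASL_PATH handling are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for the
# source build above. Prefixes /usr/local (OpenSSL, SASL) and /opt/bdb6
# (Berkeley DB) come from the post; function names are assumptions.
SSL_PREFIX=${SSL_PREFIX:-/usr/local}
BDB_PREFIX=${BDB_PREFIX:-/opt/bdb6}

# Print the CPPFLAGS/LDFLAGS (Table 4.1) so that OpenLDAP's configure
# finds the libraries that were installed under non-default prefixes.
build_env() {
  printf 'CPPFLAGS=-I%s/include -I%s/include\n' "$SSL_PREFIX" "$BDB_PREFIX"
  printf 'LDFLAGS=-L%s/lib -L%s/lib\n' "$SSL_PREFIX" "$BDB_PREFIX"
}

# Every library directory from step 2.7 must be listed in ld.so.conf,
# otherwise slapd cannot load libdb/libssl at runtime.
# Usage: check_ldso_conf /etc/ld.so.conf dir...
check_ldso_conf() {
  conf=$1; shift
  missing=0
  for dir in "$@"; do
    grep -qxF "$dir" "$conf" || { echo "ld.so.conf lacks $dir"; missing=1; }
  done
  return $missing
}

# The Cyrus SASL warning above: plugins land in /usr/local/lib/sasl2 but
# are looked up in /usr/lib/sasl2 unless SASL_PATH points elsewhere.
# Usage: check_sasl_plugins /usr/lib/sasl2
check_sasl_plugins() {
  if [ -d "$1" ] || [ -n "$SASL_PATH" ]; then return 0; fi
  echo "no SASL plugin dir at $1 and SASL_PATH unset"
  return 1
}

# Scan a log for the message a wrong libsasl2 produces at slapd startup.
# Returns 1 when the message is present. Usage: check_sasl_log /var/log/messages
check_sasl_log() {
  if grep -q 'auxpropfunc error version mismatch' "$1"; then
    echo "slapd/libsasl2 plug-in version mismatch found in $1"; return 1
  fi
  return 0
}
```

Run build_env before ./configure and the three checks after make install; a non-zero exit names the directory or log line that needs attention.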

References

1. http://www.openldap.org/doc/admin24/index.html

2. http://www.openldap.org/software/download/

3. http://www.openldap.org/doc/admin24/quickstart.html

4. http://www.openldap.org/doc/admin24/install.html

5. http://www.openldap.org/doc/admin24/appendix-recommended-versions.html

6. http://www.openssl.org/

7. http://www.gnu.org/software/gnutls/

8. http://developer.mozilla.org/en/NSS

9. http://asg.web.cmu.edu/sasl/sasl-library.html

10. http://www.pdc.kth.se/heimdal/

11. http://web.mit.edu/kerberos/www/

12. http://www.oracle.com/technology/software/products/berkeley-db/index.html

13. http://www.lysator.liu.se/~nisse/nettle/

14. Environment variables supported by configure when building from source

Table 4.1: Variables

Variable   Description
CC         Specify alternative C compiler
CFLAGS     Specify additional compiler flags
CPPFLAGS   Specify C preprocessor flags
LDFLAGS    Specify linker flags
LIBS       Specify additional libraries
