OpenLDAP 安装指南
背景
在企业中,如果要使用统一的账户管理,可以考虑LDAP或者WINDOWS AD域进行管理。
PostgreSQL数据库也支持LDAP的认证手段。
本文首先介绍一下Linux下面LDAP server的包安装方法。
rpm安装
# rpm -qa|grep openldap
openldap-debuginfo-2.4.23-32.el6_4.1.x86_64
openldap-2.4.23-32.el6_4.1.x86_64
compat-openldap-2.3.43-2.el6.x86_64
openldap-clients-2.4.23-32.el6_4.1.x86_64
openldap-servers-sql-2.4.23-32.el6_4.1.x86_64
openldap-servers-2.4.23-32.el6_4.1.x86_64
openldap-devel-2.4.23-32.el6_4.1.x86_64
源码安装
1. 下载OpenLDAP的稳定版
# wget ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-2.4.39.tgz
2. 安装依赖软件
为了全面兼容LDAPv3, 需要安装依赖软件, 这些软件的版本建议
http://www.openldap.org/doc/admin24/appendix-recommended-versions.html
2.1 TLS(Transport Layer Security) service 依赖包, OpenLDAP客户端和服务端都需要安装.
OpenSSL, GnuTLS, or MozNSS(三选一)
OpenSSL is available from http://www.openssl.org/.
GnuTLS is available from http://www.gnu.org/software/gnutls/.
Mozilla NSS is available from http://developer.mozilla.org/en/NSS.
安装openssl
# wget http://www.openssl.org/source/openssl-1.0.1g.tar.gz
# tar -zxvf openssl-1.0.1g.tar.gz
# cd openssl-1.0.1g
阅读INSTALL和README
# ./config --prefix=/usr/local --openssldir=/usr/local/ssl
# make
# make install
2.2 SASL(Simple Authentication and Security Layer) service 依赖包, OpenLDAP客户端和服务端都需要安装.
Cyrus SASL
http://asg.web.cmu.edu/sasl/sasl-library.html
安装sasl
# wget ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/cyrus-sasl-2.1.25.tar.gz
# tar -zxvf cyrus-sasl-2.1.25.tar.gz
# cd cyrus-sasl-2.1.25
阅读INSTALL和README
# ./configure
# make
# make install
********************************************************
* WARNING:
* Plugins are being installed into /usr/local/lib/sasl2,
* but the library will look for them in /usr/lib/sasl2.
* You need to make sure that the plugins will eventually
* be in /usr/lib/sasl2 -- the easiest way is to make a
* symbolic link from /usr/lib/sasl2 to /usr/local/lib/sasl2,
* but this may not be appropriate for your site, so this
* installation procedure won't do it for you.
*
* If you don't want to do this for some reason, you can
* set the location where the library will look for plugins
* by setting the environment variable SASL_PATH to the path
* the library should use.
********************************************************
make[2]: Nothing to be done for `install-data-am'.
make[2]: Leaving directory `/opt/soft_bak/cyrus-sasl-2.1.25'
make[1]: Leaving directory `/opt/soft_bak/cyrus-sasl-2.1.25'
[root@db-172-16-3-150 cyrus-sasl-2.1.25]# ln -s /usr/local/lib/sasl2 /usr/lib/sasl2
sasl版本不对可能导致slapd启动失败, 见/var/log/messages
slapd[15107]: auxpropfunc error version mismatch with plug-in
2.3 Kerberos Authentication Service
Heimdal or MIT Kerberos V libraries(二选一)
Heimdal Kerberos is available from http://www.pdc.kth.se/heimdal/.
MIT Kerberos is available from http://web.mit.edu/kerberos/www/.
安装MIT Kerberos V Libraries
# wget http://web.mit.edu/kerberos/www/dist/krb5/1.12/krb5-1.12.1-signed.tar
# tar -xvf krb5-1.12.1-signed.tar
# tar -zxvf krb5-1.12.1.tar.gz
# cd krb5-1.12.1
# cd src
# ./configure
# make
# make install
2.4 Database Software
OpenLDAP’s slapd BDB and HDB primary database backends require Oracle Corporation Berkeley DB
Berkeley DB download page http://www.oracle.com/technology/software/products/berkeley-db/index.html
http://docs.oracle.com/cd/E17076_03/html/installation/index.html
下载
http://download.oracle.com/otn/berkeley-db/db-6.0.30.tar.gz
安装
# tar -zxvf db-6.0.30.tar.gz
# cd db-6.0.30
# cd dist/buildpkg
# cd build_unix
# ../dist/configure --prefix=/opt/bdb6 --enable-sql
# make
# make install
2.5 Threads
OpenLDAP supports POSIX pthreads, Mach CThreads, and a number of other varieties.
2.6 TCP Wrappers
slapd supports TCP Wrappers (IP level access control filters) if preinstalled.
2.7 配置ld.so.conf
# vi /etc/ld.so.conf
include ld.so.conf.d/*.conf
/usr/local/lib
/usr/lib/sasl2
/opt/bdb6/lib
# ldconfig
2.8 安装openldap
# tar -zxvf openldap-2.4.39.tgz
# cd openldap-2.4.39
# ./configure --help
# ./configure --prefix=/opt/openldap-2.4.39 --with-threads --with-tls --with-cyrus-sasl
# make depend
# make
# make install
# export MANPATH=/opt/openldap-2.4.39/share/man:$MANPATH
# export MANPATH=/opt/openldap-2.4.39/bin:/opt/openldap-2.4.39/sbin:$PATH
参考
1. http://www.openldap.org/doc/admin24/index.html
2. http://www.openldap.org/software/download/
3. http://www.openldap.org/doc/admin24/quickstart.html
4. http://www.openldap.org/doc/admin24/install.html
5. http://www.openldap.org/doc/admin24/appendix-recommended-versions.html
6. http://www.openssl.org/
7. http://www.gnu.org/software/gnutls/
8. http://developer.mozilla.org/en/NSS
9. http://asg.web.cmu.edu/sasl/sasl-library.html
10. http://www.pdc.kth.se/heimdal/
11. http://web.mit.edu/kerberos/www/
12. http://www.oracle.com/technology/software/products/berkeley-db/index.html
13. http://www.lysator.liu.se/~nisse/nettle/
14. 配置源码时支持的环境变量
Table 4.1: Variables
| Variable | Description |
|---|---|
| CC | Specify alternative C Compiler |
| CFLAGS | Specify additional compiler flags |
| CPPFLAGS | Specify C Preprocessor flags |
| LDFLAGS | Specify linker flags |
| LIBS | Specify additional libraries |