OpenVPN + MySQL + PAM: building a robust VPN system
This scheme was adopted when deploying the system for a new production environment; I will gradually write up the actual production architecture. Because it involves all sorts of sensitive company information, the IPs have been replaced, so there may be discrepancies here and there; please bear with me. I'll draw a diagram when I find time and post it as well.
If there are any fundamental problems, please point them out.
The following software versions were used for this test:
epel-release-6-8.noarch.rpm
lzo-2.03.tar.gz
openvpn-2.2.2.tar.gz
openvpn-2.0.7.tar.gz
openvpn-2.2.1-install.exe
1 Install the EPEL third-party repository:
    wget http://mirror.neu.edu.cn/fedora/epel/6/i386/epel-release-6-8.noarch.rpm
    rpm -ivh epel-release-6-8.noarch.rpm
2 Install the various dependencies:
    yum -y install gcc gcc-c++ autoconf libjpeg libjpeg-devel libpng libpng-devel freetype freetype-devel libxml2 libxml2-devel zlib zlib-devel glibc glibc-devel glib2 glib2-devel bzip2 bzip2-devel ncurses ncurses-devel curl curl-devel e2fsprogs e2fsprogs-devel krb5 krb5-devel libidn libidn-devel openssl openssl-devel openldap openldap-devel nss_ldap openldap-clients openldap-servers
3 Install the PAM and MySQL packages:
    yum install pam_krb5 pam_mysql pam pam-devel
    yum install mysql mysql-server mysql-devel mysql-libs
4 Install lzo:
    wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.03.tar.gz
    tar -zxvf lzo-2.03.tar.gz
    cd lzo-2.03 && ./configure && make && make install
5 Add the library path:
    cat >> /etc/ld.so.conf

    mysql> GRANT ALL ON vpn.* TO vpn@localhost IDENTIFIED BY 'vpn123';
    Query OK, 0 rows affected (0.00 sec)
    mysql> flush privileges;
    Query OK, 0 rows affected (0.00 sec)
    mysql> use vpn;
    Database changed
    mysql> CREATE TABLE vpnuser (
        -> name char(20) NOT NULL,
        -> password char(128) default NULL,
        -> active int(10) NOT NULL DEFAULT 1,
        -> PRIMARY KEY (name)
        -> );
    Query OK, 0 rows affected (0.30 sec)
    mysql> insert into vpnuser (name,password) values('user1',password('123456'));
    Query OK, 1 row affected (0.02 sec)
10 Create the PAM configuration used for authentication:
    ### Create the PAM authentication config file:
    vim /etc/pam.d/openvpn
    auth sufficient pam_mysql.so user=vpn passwd=vpn123 host=localhost db=vpn table=vpnuser usercolumn=name passwdcolumn=password where=active=1 sqllog=0 crypt=2
    account required pam_mysql.so user=vpn passwd=vpn123 host=localhost db=vpn table=vpnuser usercolumn=name passwdcolumn=password where=active=1 sqllog=0 crypt=2
    # crypt(0) -- Used to decide whether to use MySQL's PASSWORD() function or crypt()
    # 0 = No encryption. Passwords in database in plaintext. NOT recommended!
    # 1 = Use crypt
    # 2 = Use MySQL PASSWORD() function
11 Test the PAM-to-MySQL connection:
    yum install cyrus-sasl cyrus-sasl-plain cyrus-sasl-devel cyrus-sasl-lib cyrus-sasl-gssapi
    /etc/init.d/saslauthd restart
12 OpenVPN 2.0 and later have problems with this authentication, so the plugin from a lower version must be compiled:
    wget http://down1.chinaunix.net/distfiles/openvpn-2.0.7.tar.gz
    tar -zxvf openvpn-2.0.7.tar.gz
    cd openvpn-2.0.7/
    ./configure
    cd plugin/auth-pam/
    make
    cp openvpn-auth-pam.so /etc/openvpn/
13 Test the connection:
    ### The following output means everything is working:
    # testsaslauthd -u user1 -p 123456 -s openvpn
    0: OK "Success."
14 Create and edit the OpenVPN config file:
    cp /opt/src/openvpn-2.2.2/sample-config-files/server.conf /etc/openvpn/
15 The contents of the config file are as follows (all comment lines removed):
    vim server.conf
    ### contents:
    port 1194
    proto udp
    dev tun
    ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
    cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
    key /etc/openvpn/easy-rsa/2.0/keys/server.key
    dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
    tls-auth /etc/openvpn/easy-rsa/2.0/keys/ta.key 0
    server 10.8.0.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    push "redirect-gateway def1"
    push "dhcp-option DNS 10.8.0.1"
    client-to-client
    keepalive 10 120
    comp-lzo
    persist-key
    persist-tun
    status openvpn-status.log
    log openvpn.log
    verb 3
    client-cert-not-required
    username-as-common-name
    # the plugin argument is the PAM service name, i.e. the file created in /etc/pam.d
    plugin ./openvpn-auth-pam.so openvpn
16 Enable kernel IP forwarding:
    vim /etc/sysctl.conf
    ### change net.ipv4.ip_forward = 0 to net.ipv4.ip_forward = 1
    sysctl -p
17 Set up NAT forwarding on the firewall:
    ### iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source <server IP>
    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 192.168.80.151
18 Save and restart iptables:
    service iptables save
    service iptables restart
19 Create the startup script:
    cp -f /root/openvpn-2.2.2/sample-scripts/openvpn.init /etc/init.d/openvpn
    vim /etc/init.d/openvpn
    ### for a source install, change line 69 to:
    openvpn_locations="/usr/local/openvpn/sbin/openvpn /usr/sbin/openvpn /usr/local/sbin/openvpn"
    chkconfig --add openvpn
    chkconfig openvpn on
    /etc/init.d/openvpn start
------------------ Server-side configuration complete ---------------
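The pam_mysql options in the /etc/pam.d/openvpn file above (usercolumn=name, passwdcolumn=password, where=active=1, crypt=2) decide exactly which rows of the vpnuser table can log in and how the stored value is compared. The following is an added example, my own code rather than anything from the post or from pam_mysql, that models that lookup offline: it rebuilds the post's vpnuser table in an in-memory SQLite database with constructed accounts (user2 and olduser are hypothetical), recomputes MySQL's PASSWORD() in Python because SQLite lacks it, and shows the two things an operator should know about crypt=2: an account can be disabled with active=0 without deleting it, and PASSWORD() is unsalted, so accounts sharing a password are visible as identical hashes in the table.

```python
import hashlib
import sqlite3


def mysql_password(plaintext):
    """Recompute MySQL's PASSWORD() (4.1+ format): '*' followed by the
    upper-case hex of SHA1(SHA1(pw)). There is no salt, so two accounts with
    the same password store byte-for-byte identical hashes."""
    inner = hashlib.sha1(plaintext.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def build_user_table():
    """Constructed sample data: the post's vpnuser table rebuilt in an
    in-memory SQLite database (user2 and olduser are hypothetical)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE vpnuser ("
        "  name char(20) NOT NULL,"
        "  password char(128) default NULL,"
        "  active int(10) NOT NULL DEFAULT 1,"
        "  PRIMARY KEY (name))"
    )
    rows = [
        ("user1", mysql_password("123456"), 1),    # the account the post creates
        ("user2", mysql_password("123456"), 1),    # constructed: same password as user1
        ("olduser", mysql_password("s3cret"), 0),  # constructed: disabled with active=0
    ]
    conn.executemany(
        "INSERT INTO vpnuser (name, password, active) VALUES (?, ?, ?)", rows
    )
    conn.commit()
    return conn


def pam_mysql_check(conn, username, candidate):
    """Model the pam_mysql lookup for the module options in the post:
    usercolumn=name, passwdcolumn=password, where=active=1, crypt=2.
    The where= clause is appended to the lookup, so a disabled account
    (active=0) is rejected without its password ever being compared;
    crypt=2 compares the stored column against PASSWORD(candidate)."""
    row = conn.execute(
        "SELECT password FROM vpnuser WHERE name = ? AND active = 1", (username,)
    ).fetchone()
    if row is None:
        return False
    return row[0] == mysql_password(candidate)


def users_sharing_hashes(conn):
    """Audit helper: because PASSWORD() is unsalted, accounts that share a
    password show up as groups of identical hashes, no cracking needed.
    Returns {hash: [names]} for every group of two or more accounts."""
    rows = conn.execute(
        "SELECT password, GROUP_CONCAT(name) FROM vpnuser "
        "GROUP BY password HAVING COUNT(*) > 1"
    ).fetchall()
    return {h: sorted(names.split(",")) for h, names in rows}


if __name__ == "__main__":
    db = build_user_table()
    print("user1 / 123456 ->", pam_mysql_check(db, "user1", "123456"))
    print("olduser / s3cret (active=0) ->", pam_mysql_check(db, "olduser", "s3cret"))
    print("accounts sharing a hash:", users_sharing_hashes(db))
```

Both the auth and account lines in the post use the same where=active=1 filter, so flipping a row's active column to 0 is the clean way to revoke a VPN login without touching the OpenVPN server. If the identical-hash property is a concern, pam_mysql's crypt=1 mode compares through the system crypt(3) instead, which allows salted hashes in the password column.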
Download the OpenVPN client:
    http://swupdate.openvpn.org/community/releases/openvpn-2.2.1-install.exe
Client installation and configuration:
On the server, copy ca.crt, ca.key and ta.key into the client's config directory:
    C:\Program Files (x86)\OpenVPN\config
Create a new file with the .ovpn extension and enter the following (remote is the address of the server's external network interface):
    client
    dev tun
    proto udp
    remote 192.168.80.151 1194 ## server IP
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    tls-auth ta.key 1
    ns-cert-type server
    comp-lzo
    verb 5
    auth-user-pass
Connect --> enter the username added in MySQL: user1 / 123456 --> OK
When the two small computer icons in the bottom-right corner turn green, you are connected to the OpenVPN server. Run ipconfig in a local cmd window to check whether you received an address in the subnet that OpenVPN assigns.
This article is from the “振兴的空间” blog; please keep this attribution: http://renzhenxing.blog.51cto.com/728846/1341147