基于openldap的统一认证方案:
一、yum安装必要组件
0:必设
|
0 1 2 3 4 5 6 |
$ setenforce 0 $ systemctl stop firewalld $ uname -a Linux ldap_openvpn.t4x.org 3.10.0-862.el7.x86_64 #1 SMP Fri Apr 20 16:44:24 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux $ cat /etc/redhat-release CentOS Linux release 7.5.1804 (Core) |
二、openvpn yum安装
|
0 1 2 |
$ yum install epel-release $ yum install openvpn ####包括pkcs11-helper包#### |
三、openvpn编译安装
|
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
$ yum install pam-devel openssl-devel wget vim gcc gcc-c++ net-tools -y $ mkdir /byrd/tools -p $ cd /byrd/tools/ $ wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.10.tar.gz $ tar zxf lzo-2.10.tar.gz $ cd lzo-2.10 $ ./configure --prefix=/opt/lzo-2.10 $ make && make install $ wget https://swupdate.openvpn.org/community/releases/openvpn-2.4.6.tar.gz $ tar zxf openvpn-2.4.6.tar.gz $ cd openvpn-2.4.6 $ ln -s /opt/lzo-2.10/lib/* /usr/local/lib/ $ ln -s /opt/lzo-2.10/include/* /usr/local/include/ $ ./configure --prefix=/opt/openvpn-2.4.6 $ make && make install $ ln -s /opt/openvpn-2.4.6/ /usr/local/openvpn |
四、open-auth-ldap yum 安装
|
0 1 |
$ yum install openvpn-auth-ldap ####包括avahi-libs gnustep-base-libs gnutls libicu libobjc libxslt lz4 nettle trousers包#### |
五、open-auth-ldap 依赖编译安装
|
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 |
$ yum install gcc gcc-c++ gcc-objc gcc-objc++ libobjc $ yum install git autoconf automake make $ wget http://download.oracle.com/berkeley-db/db-5.1.29.tar.gz $ tar zxf db-5.1.29.tar.gz $ cd db-5.1.29 $ cd build_unix/ $ ../dist/configure $ make && make install $ echo "/usr/local/BerkeleyDB.5.1/lib/" >> /etc/ld.so.conf $ ldconfig $ ldconfig -v $ wget ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-2.4.46.tgz $ tar zxf openldap-2.4.46.tgz $ cd openldap-2.4.46 $ env CPPFLAGS="-I/usr/local/BerkeleyDB.5.1/include" LDFLAGS="-L/usr/local/BerkeleyDB.5.1/lib -D_GNU_SOURCE" ./configure --prefix=/opt/openldap-2.4.46 $ make depend $ make && make install $ ln -s /opt/openldap-2.4.46/ /usr/local/openldap $ for i in `ls -l /usr/local/openldap/bin/ | awk '{print $9}' | grep -v ^$`;do ln -s /usr/local/openldap/bin/$i /usr/local/bin/$i;done $ for i in `ls -l /usr/local/openldap/sbin/ | awk '{print $9}' | grep -v ^$`;do ln -s /usr/local/openldap/sbin/$i /usr/local/sbin/$i;done $ ln -s /usr/local/openldap/include/* /usr/local/include/ $ wget https://github.com/skvadrik/re2c/releases/download/0.16/re2c-0.16.tar.gz $ tar zxf re2c-0.16.tar.gz $ cd re2c-0.16 $ ./configure $ make && make install |
六、openvpn-auth-ldap.so生成
编译这个软件遇到的坑太多了!!!哭~~~SourceByrd's Weblog-https://note.t4x.org/service/openvpn-openldap-auth/
方法1:
方法2:
编译方法1:
编译方法2:
openvpn-auth-ldap.so对比:
SourceByrd's Weblog-https://note.t4x.org/service/openvpn-openldap-auth/
七、auth-ldap的相关配置
|
0 1 2 3 4 5 6 7 8 9 10 11 12 13 |
$ grep -v "^$\|^#\|;" /etc/openvpn/auth/ldap.conf <LDAP> URL ldap://ldap.t4x.org BindDN cn=admin,dc=ldap,dc=t4x,dc=org Password admin Timeout 15 TLSEnable no FollowReferrals no </LDAP> <Authorization> BaseDN "ou=People,dc=ldap,dc=t4x,dc=org" SearchFilter "uid=%u" RequireGroup false </Authorization> |
八、openvpn的相关配置
|
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 |
$ cp /etc/openvpn/server.conf /etc/openvpn/server.conf.$(date +%F-%N) $ echo 'plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so "/etc/openvpn/auth/ldap.conf cn=%u"' >> /etc/openvpn/server.conf $ echo "client-cert-not-required" >> /etc/openvpn/server.conf $ echo "username-as-common-name" >> /etc/openvpn/server.conf $ grep -v "^$\|^#\|;" /etc/openvpn/server.conf port 1194 proto tcp dev tun ca /etc/openvpn/key/ca.crt cert /etc/openvpn/key/server.crt key /etc/openvpn/key/server.key # This file should be kept secret dh /etc/openvpn/key/dh.pem server 10.8.0.0 255.255.0.0 ifconfig-pool-persist /tmp/ipp.txt client-config-dir /etc/openvpn/ccd client-to-client keepalive 10 120 cipher AES-256-CBC comp-lzo persist-key persist-tun status openvpn-status.log verb 3 plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so "/etc/openvpn/auth/ldap.conf cn=%u" client-cert-not-required username-as-common-name |
九、相关问题解决方法
|
0 1 |
Q:.rodata' can not be used when making a shared object; recompile with -fPIC A:CFLAGS="-fPIC" |
参考文档:
1:https://openvpn.net/index.php/open-source/downloads.html
2:https://github.com/threerings/openvpn-auth-ldap
3:https://www.cyberciti.biz/faq/centos-rhel-7-redhat-linux-install-gcc-compiler-development-tools/
4:https://blog.csdn.net/lishangwen_alan/article/details/52402846
5:https://blog.csdn.net/zydlyq/article/details/51557295
6:http://rpmfind.net/linux/rpm2html/search.php?query=libgnustep-base.so.1.24()(64bit)
7:https://blog.csdn.net/u010312436/article/details/52486811
8:http://www.voidcn.com/article/p-fdngideu-su.html
9:https://www.cnblogs.com/octave/p/4824584.htmlSourceByrd's Weblog-https://note.t4x.org/service/openvpn-openldap-auth/
SourceByrd's Weblog-https://note.t4x.org/service/openvpn-openldap-auth/
申明:除非注明Byrd's Blog内容均为原创,未经许可禁止转载!详情请阅读版权申明!
