open***+mysql+pam
This setup was adopted for a new production deployment; I will gradually write up the actual production architecture. Because it involves various pieces of sensitive company information, the IPs have been replaced, so there may be some inconsistencies along the way; please bear with me. I'll find time to draw a diagram and post it as well.
If there are fundamental problems, please point them out.
The following software versions were used for this test:
epel-release-6-8.noarch.rpm
lzo-2.03.tar.gz
open***-2.2.2.tar.gz
open***-2.0.7.tar.gz
open***-2.2.1-install.exe
1 Install the EPEL third-party repository:
wget http://mirror.neu.edu.cn/fedora/epel/6/i386/epel-release-6-8.noarch.rpm
rpm -ivh epel-release-6-8.noarch.rpm
2 Install the build and runtime dependencies:
yum -y install gcc gcc-c++ autoconf libjpeg libjpeg-devel libpng libpng-devel freetype freetype-devel libxml2 libxml2-devel zlib zlib-devel glibc glibc-devel glib2 glib2-devel bzip2 bzip2-devel ncurses ncurses-devel curl curl-devel e2fsprogs e2fsprogs-devel krb5 krb5-devel libidn libidn-devel openssl openssl-devel openldap openldap-devel nss_ldap openldap-clients openldap-servers
3 Install the PAM modules and MySQL:
yum install pam_krb5 pam_mysql pam pam-devel
yum install mysql mysql-server mysql-devel mysql-libs
4 Install lzo (the tarball must be unpacked before changing into the source directory):
wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.03.tar.gz
tar -zxvf lzo-2.03.tar.gz
cd lzo-2.03 && ./configure && make && make install
5 Add the library search paths:
cat>>/etc/ld.so.conf<<EOF
/lib
/lib64
/usr/lib
/usr/lib64
/usr/local/lib
/usr/local/lib64
EOF
ldconfig
6 Install open***:
tar -zxvf open***-2.2.2.tar.gz
cd open***-2.2.2/
./configure --prefix=/usr/local/open*** && make && make install
mkdir -p /etc/open***
cd /root/open***-2.2.2
cp -R easy-rsa /etc/open***
cd /etc/open***/easy-rsa/2.0/
cp vars vars_bak
7 Edit the certificate details in vars:
vim vars
### edit the values at the bottom of the file:
export KEY_COUNTRY="CN"
export KEY_PROVINCE="BJ"
export KEY_CITY="beijing"
export KEY_ORG="beijingidc"
export KEY_EMAIL="your e-mail address"
8 Generate the key files needed by the server and the client:
source ./vars
./clean-all
./build-ca ca
./build-key-server server
./build-dh
/usr/local/open***/sbin/open*** --genkey --secret keys/ta.key
9 Create the MySQL database that stores the *** accounts:
## start mysql:
service mysqld restart
### create the database and the credentials table:
mysql> create database ***;
Query OK, 1 row affected (0.00 sec)
mysql> GRANT ALL ON ***.* TO ***@localhost IDENTIFIED BY '***123';
Query OK, 0 rows affected (0.00 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
mysql> use ***;
Database changed
mysql> CREATE TABLE ***user (
    -> name char(20) NOT NULL,
    -> password char(128) default NULL,
    -> active int(10) NOT NULL DEFAULT 1,
    -> PRIMARY KEY (name)
    -> );
Query OK, 0 rows affected (0.30 sec)
mysql> insert into ***user (name,password) values('user1',password('123456'));
Query OK, 1 row affected (0.02 sec)
10 Create the PAM service used for authentication:
### create the PAM configuration file:
vim /etc/pam.d/open***
auth sufficient pam_mysql.so user=*** passwd=***123 host=localhost db=*** table=***user usercolumn=name passwdcolumn=password where=active=1 sqllog=0 crypt=2
account required pam_mysql.so user=*** passwd=***123 host=localhost db=*** table=***user usercolumn=name passwdcolumn=password where=active=1 sqllog=0 crypt=2
#crypt(0) -- Used to decide to use MySQL's PASSWORD() function or crypt()
#0 = No encryption. Passwords in database in plaintext. NOT recommended!
#1 = Use crypt
#2 = Use MySQL PASSWORD() function
11 Install saslauthd to test the PAM-to-MySQL chain:
yum install cyrus-sasl cyrus-sasl-plain cyrus-sasl-devel cyrus-sasl-lib cyrus-sasl-gssapi
/etc/init.d/saslauthd restart
12 Authentication breaks with the auth-pam plugin from open*** 2.0 and later, so build the module from the older release:
wget http://down1.chinaunix.net/distfiles/open***-2.0.7.tar.gz
tar -zxvf open***-2.0.7.tar.gz
cd open***-2.0.7/
./configure
cd plugin/auth-pam/
make
cp open***-auth-pam.so /etc/open***/
13 Test the connection:
### the following output means authentication works:
[root@localhost 2.0]# testsaslauthd -u user1 -p 123456 -s open***
0: OK "Success."
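What the test in step 13 exercises is pam_mysql with crypt=2: the submitted password is hashed with MySQL's PASSWORD() function and compared with the stored column for a row that satisfies where=active=1. The following is an added example (not code from the page or from pam_mysql) that reproduces that check in Python against a constructed in-memory stand-in for the ***user table, so the lookup, the active flag and the hash comparison can be seen in isolation:

```python
import hashlib
import hmac


def mysql_password(plain: str) -> str:
    """Reproduce MySQL's PASSWORD() (4.1+ format):
    '*' followed by the uppercase hex of SHA1(SHA1(plain))."""
    inner = hashlib.sha1(plain.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


# Constructed stand-in for the ***user table from step 9:
# name -> {password (as stored by password()), active}.
USER_TABLE = {
    "user1": {"password": mysql_password("123456"), "active": 1},
    "user2": {"password": mysql_password("s3cret"), "active": 0},  # disabled
}


def pam_mysql_check(name: str, candidate: str, table=USER_TABLE) -> bool:
    """Mimic the auth step of pam_mysql with crypt=2 and where=active=1:
    the row must exist, be active, and its stored hash must equal
    PASSWORD(candidate). Comparison is constant-time."""
    row = table.get(name)
    if row is None or row["active"] != 1:
        return False
    return hmac.compare_digest(row["password"], mysql_password(candidate))


def stored_hash_is_plaintext(table=USER_TABLE) -> list:
    """Return user names whose password column does not look like a
    PASSWORD() hash; such rows would only work with crypt=0 (plaintext),
    which the PAM comments above warn against."""
    return [n for n, r in table.items()
            if not (r["password"].startswith("*") and len(r["password"]) == 41)]


if __name__ == "__main__":
    print(pam_mysql_check("user1", "123456"))   # the step 13 test case
    print(pam_mysql_check("user2", "s3cret"))   # correct password, but inactive
    print(stored_hash_is_plaintext())
```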
14 Create and modify the open*** configuration file:
cp /opt/src/open***-2.2.2/sample-config-files/server.conf /etc/open***/
15 The configuration file contents are as follows (all comment lines removed):
vim server.conf
### contents:
port 1194
proto udp
dev tun
ca /etc/open***/easy-rsa/2.0/keys/ca.crt
cert /etc/open***/easy-rsa/2.0/keys/server.crt
key /etc/open***/easy-rsa/2.0/keys/server.key
dh /etc/open***/easy-rsa/2.0/keys/dh1024.pem
tls-auth /etc/open***/easy-rsa/2.0/keys/ta.key 0
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status open***-status.log
log open***.log
verb 3
client-cert-not-required
username-as-common-name
plugin ./open***-auth-pam.so /usr/local/open***/sbin/open***
16 Enable kernel IP forwarding:
vim /etc/sysctl.conf
### change net.ipv4.ip_forward = 0 to:
net.ipv4.ip_forward = 1
sysctl -p
17 Set up NAT for the *** subnet in the firewall:
### iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source <server IP>
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 192.168.80.151
18 Save the rules and restart iptables:
service iptables save
service iptables restart
19 Create the init script:
cp -f /root/open***-2.2.2/sample-scripts/open***.init /etc/init.d/open***
vim /etc/init.d/open***
### for a source build, change line 69 to:
open***_locations="/usr/local/open***/sbin/open*** /usr/sbin/open*** /usr/local/sbin/open***"
chkconfig --add open***
chkconfig open*** on
/etc/init.d/open*** start
------------------ Server-side configuration complete ---------------
Download the open*** client:
http://swupdate.open***.org/community/releases/open***-2.2.1-install.exe
Client installation and configuration:
On the server, copy ca.crt, ca.key and ta.key into the client's config directory:
C:\Program Files (x86)\Open***\config
Create a new file ending in .o*** with the following contents (remote is the address of the server's external NIC):
client
dev tun
proto udp
remote 192.168.80.151 1194 ## the server's IP
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
tls-auth ta.key 1
ns-cert-type server
comp-lzo
verb 5
auth-user-pass
Connect --> enter the username added in MySQL: user1 / 123456 --> OK
When the two small computer icons in the bottom-right corner turn green, the client is connected to the open*** server. Run ipconfig in a local cmd window to check whether it received an address from the subnet configured on the open*** server.