open×××+Mysql+PAM構建強大的***系統

本次為新的生產環境部署系統而采用了這個方案，陸續會將實際的生產架構整理出來.由于涉及到公司的各種敏感信息，已經將IP做了替換中途可能有出入?敬請諒解。等我找時間畫圖出來一并奉上。

如果有根本上的問題，請大家指正。

本次為了測試使用了如下的軟件版本：

epel-release-6-8.noarch.rpm

lzo-2.03.tar.gz

open***-2.2.2.tar.gz

open***-2.0.7.tar.gz

open***-2.2.1-install.exe

1?安裝epel第三方源:

12	wget?http://mirror.neu.edu.cn/fedora/epel/6/i386/epel-release-6-8.noarch.rpmrpm?-ivh?epel-release-6-8.noarch.rpm

2?安裝各種依賴關系:

1

yum?-y?installgcc?gcc-c++?autoconf?libjpeg?libjpeg-devel?libpng?libpng-devel?freetype?freetype-devel?libxml2?libxml2-devel?zlib?zlib-devel?glibc?glibc-devel?glib2?glib2-devel?bzip2bzip2-devel?ncurses?ncurses-devel?curl?curl-devel?e2fsprogs?e2fsprogs-devel?krb5?krb5-devel?libidn?libidn-devel?openssl?openssl-devel?openldap?openldap-devel?nss_ldap?openldap-clients?openldap-servers

3?安裝

12	yum?installpam_krb5?pam_mysql?pam?pam-develyum?installmysql?mysql-server?mysql-devel?mysql-libs

4?安裝lzo：

12	wget?http://www.oberhumer.com/opensource/lzo/download/lzo-2.03.tar.gzcdlzo-2.03?&&?./configure&&?make&&?makeinstall

5?添加路徑：

123456789

cat>>/etc/ld.so.conf<<EOF/lib/lib64/usr/lib/usr/lib64/usr/local/lib/usr/local/lib64EOFldconfig

6?安裝open***：

12345678

tar-zxvf?open***-2.2.2.tar.gzcdopen***-2.2.2/./configure--prefix=/usr/local/open***&&?make&&?makeinstallmkdir-p?/etc/open***cd/root/open***-2.2.2cp-R?easy-rsa?/etc/open***cd/etc/open***/easy-rsa/2.0/cpvars?vars_bak

7?修改vars的內容信息：

1234567

vim?vars###最下面修改內容：exportKEY_COUNTRY="CN"exportKEY_PROVINCE="BJ"exportKEY_CITY="beijing"exportKEY_ORG="beijingidc"exportKEY_EMAIL="你的郵箱地址"

8?生成服務器和客戶端需要的key文件：

123456

source./vars./clean-all./build-caca./build-key-serverserver./build-dh/usr/local/open***/sbin/open***--genkey?--secret?keys/ta.key

9?創建mysql用于***的賬號存放：

1234567891011121314151617181920

##啟動mysql：service?mysqld?restart###創建數據驗證信息：mysql>?create?database?***;Query?OK,?1row?affected?(0.00sec)mysql>?GRANT?ALL?ON?***.*?TO?***@localhost?IDENTIFIED?BY?'***123';Query?OK,?0rows?affected?(0.00sec)mysql>?flush?privileges;Query?OK,?0rows?affected?(0.00sec)mysql>?use***;Database?changedmysql>?CREATE?TABLE?***user?(->?name?char(20)?NOT?NULL,->?password?char(128)?defaultNULL,->?active?int(10)?NOT?NULL?DEFAULT?1,->?PRIMARY?KEY?(name)->?);Query?OK,?0rows?affected?(0.30sec)mysql>?insert?into?***user?(name,password)?values('user1',password('123456'));Query?OK,?1row?affected?(0.02sec)

10?創建pam用于驗證：

12345678

###創建pam驗證配置文件：vim?/etc/pam.d/open***auth?sufficient?pam_mysql.so?user=***?passwd=***123?host=localhost?db=***?table=***user?usercolumn=name?passwdcolumn=password?where=active=1?sqllog=0?crypt=2account?required?pam_mysql.so?user=***?passwd=***123?host=localhost?db=***?table=***user?usercolumn=name?passwdcolumn=password?where=active=1?sqllog=0?crypt=2#crypt(0)?--?Used?to?decide?to?use?MySQL's?PASSWORD()?function?or?crypt()#0?=?No?encryption.?Passwords?in?database?in?plaintext.?NOT?recommended!#1?=?Use?crypt#2?=?Use?MySQL?PASSWORD()?function

11?測試pam和mysql的連接：

12	yum?installcyrus-sasl?cyrus-sasl-plain?cyrus-sasl-devel?cyrus-sasl-lib?cyrus-sasl-gssapi/etc/init.d/saslauthdrestart

12?open***?2.0以上驗證會出問題，需要編譯低版本的模塊：

1234567

wget?http://down1.chinaunix.net/distfiles/open***-2.0.7.tar.gztar-zxvf?open***-2.0.7.tar.gzcdopen***-2.0.7/./configurecdplugin/auth-pam/makecpopen***-auth-pam.so?/etc/open***/

13?測試連接：

123	###顯示如下內容即為正常：[root@localhost?2.0]#?testsaslauthd?-u?user1?-p?123456?-s?open***0:?OK?"Success."

14?創建并修改open***的配置文件：

1	cp/opt/src/open***-2.2.2/sample-config-files/server.conf?/etc/open***/

15?配置文件的內容如下（取出了所有的注釋部分）

12345678910111213141516171819202122232425

vim?server.conf###內容如下：port?1194proto?udpdev?tunca?/etc/open***/easy-rsa/2.0/keys/ca.crtcert?/etc/open***/easy-rsa/2.0/keys/server.crtkey?/etc/open***/easy-rsa/2.0/keys/server.keydh?/etc/open***/easy-rsa/2.0/keys/dh1024.pemtls-auth?/etc/open***/easy-rsa/2.0/keys/ta.key?0server?10.8.0.0?255.255.255.0ifconfig-pool-persist?ipp.txtpush?"redirect-gateway?def1"push?"dhcp-option?DNS?10.8.0.1"client-to-clientkeepalive?10?120comp-lzopersist-keypersist-tunstatus?open***-status.loglog?open***.logverb?3client-cert-not-requiredusername-as-common-nameplugin?./open***-auth-pam.so?/usr/local/open***/sbin/open***

16?開啟內核路由轉發：

123	vim?/etc/sysctl.confnet.ipv4.ip_forward?=?0改成?net.ipv4.ip_forward?=?1sysctl?-p

17?設置防火墻的端口轉發：

123	###iptables?-t?nat?-A?POSTROUTING?-s?10.8.0.0/24?-j?SNAT?--to-source?服務器的ipiptables?-t?nat?-A?POSTROUTING?-s?10.8.0.0/24-o?eth0?-j?MASQUERADEiptables?-t?nat?-A?POSTROUTING?-s?10.8.0.0/24-j?SNAT?--to-source192.168.80.151

18?保存并重啟iptables：

12	service?iptables?saveservice?iptables?restart

19?創建啟動腳本：

1	cp-f?/root/open***-2.2.2/sample-scripts/open***.init?/etc/init.d/open***

123456

vim?/etc/init.d/open***###編譯安裝的需要將第69行改成：open***_locations="/usr/local/open***/sbin/open***?/usr/sbin/open***?/usr/local/sbin/open***"chkconfig?--add?open***chkconfig?open***?on/etc/init.d/open***start

------------------至此服務端配置完成---------------

下載open***客戶端：

1	http://swupdate.open***.org/community/releases/open***-2.2.1-install.exe

客戶端的安裝配置：

在服務端操作將ca.crt?ca.key?ta.key?拷貝到客戶端的conf目錄下面：

C:\Program?Files?(x86)\Open×××\config

新建文件以.o***?為結尾，并輸入以下內容（remote服務器外網網卡地址）：

1234567891011121314

clientdev?tunproto?udpremote?192.168.80.151?1194?##服務端的IPresolv-retry?infinitenobindpersist-keypersist-tunca?ca.crttls-auth?ta.key?1ns-cert-typeservercomp-lzoverb?5auth-user-pass

撥號-->輸入mysql里面添加的用戶名:user1?123456?-->OK

右下角出現的2個小電腦?變成綠色的?即表示連接到open***服務器上，在本地cmd執行ipconfig

查看是否得到了open***?設置的網段地址。

本文出自?“振興的空間”?博客，請務必保留此出處http://renzhenxing.blog.51cto.com/728846/1341147

?

轉載于:https://blog.51cto.com/ljl2013/1343615

總結

以上是生活随笔為你收集整理的open×××+Mysql+PAM构建强大的***系统的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。