
Installing software on Fedora 8 directly from the repository

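After installing Fedora 8 I had some spare time to think about how LDAP could be integrated with the applications used for development. By habit I dislike installing a pile of software in assorted versions, so ideally everything comes from the Fedora 8 repository and whatever is needed is installed directly with yum install.
The planned LDAP layout is shown in the figure.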


openldap
Edit /etc/openldap/slapd.conf
include section
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/misc.schema
include         /etc/openldap/schema/samba.schema


dn section
database        bdb
suffix          "dc=linuxwork,dc=com"
rootdn          "cn=Manager,dc=linuxwork,dc=com"
rootpw          888888
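The rootpw above is stored in cleartext; slapd.conf also accepts a hashed value such as the {SSHA} form that slappasswd produces. The following added example (not part of the original post) finds cleartext rootpw lines and shows how the {SSHA} value is built and verified; the function names and the sample text are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os
import re

# Constructed sample: the database section of slapd.conf as shown on this page.
SAMPLE_SLAPD_CONF = '''\
database        bdb
suffix          "dc=linuxwork,dc=com"
rootdn          "cn=Manager,dc=linuxwork,dc=com"
rootpw          888888
'''
ROOTPW_RE = re.compile(r"^rootpw[ \t]+(\S+)[ \t]*$", re.MULTILINE)

def ssha_hash(password, salt=None):
    """Build an OpenLDAP {SSHA} value: base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password, stored):
    """Check a password against a stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, the rest is salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

def cleartext_rootpw(conf_text):
    """Return rootpw values that carry no {SCHEME} prefix, i.e. cleartext."""
    return [v for v in ROOTPW_RE.findall(conf_text) if not v.startswith("{")]

def harden_rootpw(conf_text):
    """Rewrite every cleartext rootpw line to its {SSHA} form."""
    def repl(m):
        value = m.group(1)
        return m.group(0) if value.startswith("{") else "rootpw          " + ssha_hash(value)
    return ROOTPW_RE.sub(repl, conf_text)

if __name__ == "__main__":
    print("cleartext rootpw values:", cleartext_rootpw(SAMPLE_SLAPD_CONF))
    print(harden_rootpw(SAMPLE_SLAPD_CONF))
```

On a real system the value would normally be generated with slappasswd and pasted into slapd.conf, and the file kept readable only by root and the ldap user.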
Create the LDIF files for the initial structure
linuxwork.ldif
dn: dc=linuxwork,dc=com
dc: linuxwork
objectClass: dcObject
objectClass: organizationalUnit
ou: linuxwork.com


ou_people.ldif
dn: ou=people, dc=linuxwork, dc=com
objectclass: organizationalunit
ou: people


ou_group.ldif
dn: ou=group, dc=linuxwork, dc=com
objectclass: organizationalunit
ou: group
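If necessary, for example after a misconfiguration, you can return to the initial state by deleting the data files under /var/lib/ldap
Copy /etc/openldap/DB_CONFIG.example to /var/lib/ldap and rename it to DB_CONFIG
Import the three files above into LDAP
slapadd -vl linuxwork.ldif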
slapadd -vl ou_people.ldif
slapadd -vl ou_group.ldif


Change the ownership of the data files under /var/lib/ldap
cd /var/lib/ldap
chown ldap.ldap *

Start the service
service ldap start
You can test from a Windows client, or from the command line
ldapsearch -x -b "dc=linuxwork,dc=com"


Migrating user data
Edit the migration configuration file /usr/share/openldap/migration/migrate_common.ph; the main changes are the following three lines
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "linuxwork.com";


# Default base
$DEFAULT_BASE = "dc=linuxwork,dc=com";


$EXTENDED_SCHEMA = 1;


Then run the corresponding migration tools
/usr/share/openldap/migration/migrate_group.pl /etc/group >mygroup.ldif
/usr/share/openldap/migration/migrate_passwd.pl /etc/passwd >myuser.ldif


phpldapadmin
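After installation, phpldapadmin can be used locally without any configuration. To let other machines use it, edit /etc/httpd/conf.d/phpldapadmin.conf and comment out the following lines (this removes the localhost-only access restriction)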
#<Directory /usr/share/phpldapadmin/htdocs>
# Order Deny,Allow
# Deny from all
# Allow from 127.0.0.1
#</Directory>


svn
Install mod_dav_svn-1.4.4-7.i386
Open /etc/httpd/conf.d/subversion.conf and, following the instructions in its comments, create the repository
cd /var/www/svn
svnadmin create linuxwork
chown -R apache.apache linuxwork
In subversion.conf, configure the following
<Location /repos>
    DAV svn
    SVNParentPath /var/www/svn
    AuthBasicProvider ldap
    AuthLDAPUrl ldap://localhost:389/ou=people,dc=linuxwork,dc=com
    AuthzLDAPAuthoritative on
    AuthType Basic
    AuthName "Subversion repository"
    Require valid-user
</Location>
Test it in the browser
http://localhost/repos/linuxwork
All that remains is to add projects



bugzilla
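Bugzilla has fairly complex installation dependencies, so installing it with yum install bugzilla is recommended; yum finds the required Perl packages automatically
After installation, create the database and user in MySQL as required
create database bugs;
create user bugs@localhost;
set password for bugs@localhost = password('888888');
grant all on bugs.* to bugs@localhost;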

As /usr/share/doc/bugzilla-3.0.2 instructs, first run /usr/share/bugzilla/checksetup.pl once to generate /etc/bugzilla/localconfig, then edit the database parameters in localconfig by hand
# The DNS name of the host that the database server runs on.
$db_host = 'localhost';


# The name of the database
$db_name = 'bugs';


# Who we connect to the database as.
$db_user = 'bugs';


# Enter your database password here.
$db_pass = '888888';



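Run checksetup.pl again to create the database tables; set the initial administrator account to admin@linuxwork.com
Log in to Bugzilla through the browser and open Parameters to prepare the switch to LDAP authentication
Set the LDAP parameters as follows
'LDAPBaseDN' => 'ou=people,dc=linuxwork,dc=com',
'LDAPbinddn' => '',
'LDAPfilter' => '(objectClass=*)',
'LDAPmailattribute' => 'mail',
'LDAPserver' => 'localhost',
'LDAPstarttls' => 0,
'LDAPuidattribute' => 'uid',
When the configuration is done, check /var/lib/bugzilla/data/param to confirm the parameters above
Pay particular attention to the following: Bugzilla authenticates against LDAP first and, once that succeeds, looks the account up in its local database; if the account does not exist locally, it is created. Access control from then on is read from the database; in other words, permissions are stored in the database. Before switching to LDAP authentication you must therefore create an account that can be found in LDAP and has administrative rights, for example root@linuxwork.com, so that it can assign permissions to the other LDAP accounts. Otherwise, after the switch the original administrator account is unusable, while the accounts that do pass LDAP authentication have no administrative rights. This should be considered a design flaw: a super account that is always authenticated against the database ought to be kept. The flaw can be partly offset by editing /var/lib/bugzilla/data/param to switch back to database authentication
Also, with database authentication the login name is the e-mail address, whereas with LDAP authentication it is the uid, without the domain suffix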
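A pre-switch check for the lockout described above, as an added example that is not part of the original post: it parses an LDIF export (for instance the myuser.ldif produced earlier) and reports which local Bugzilla administrators have an entry under LDAPBaseDN. It assumes Bugzilla links an LDAP entry to its local account through the mail attribute (LDAPmailattribute); the function names and sample entries are constructed.

```python
import base64

BASE_DN = "ou=people,dc=linuxwork,dc=com"  # LDAPBaseDN from the parameters above
# Constructed sample shaped like a migrate_passwd.pl export (not real data).
SAMPLE_LDIF = """\
dn: uid=root,ou=people,dc=linuxwork,dc=com
uid: root
mail: root@linuxwork.com

dn: uid=alice, ou=people, dc=linuxwork,
 dc=com
uid: alice
mail:: YWxpY2VAbGludXh3b3JrLmNvbQ==

dn: cn=wheel,ou=group,dc=linuxwork,dc=com
cn: wheel
"""

def parse_ldif(text):
    """Parse LDIF into dicts of {attribute: [values]}; handles folding and base64."""
    entries = []
    for block in text.replace("\n ", "").split("\n\n"):  # unfold, then split entries
        entry = {}
        for line in block.splitlines():
            attr, sep, rest = line.partition(":")
            if line.startswith("#") or not sep:
                continue
            if rest.startswith(":"):  # "attr:: value" is base64-encoded
                rest = base64.b64decode(rest[1:].strip()).decode("utf-8")
            entry.setdefault(attr.lower(), []).append(rest.strip())
        if "dn" in entry:
            entries.append(entry)
    return entries

def norm_dn(dn):  # lower-case, drop spaces around RDNs (escaped commas unsupported)
    return ",".join(part.strip().lower() for part in dn.split(","))

def ldap_accounts(ldif_text, base_dn=BASE_DN, uid_attr="uid", mail_attr="mail"):
    """Map mail address -> uid for entries below base_dn."""
    suffix = "," + norm_dn(base_dn)
    return {mail.lower(): e[uid_attr][0]
            for e in parse_ldif(ldif_text)
            if uid_attr in e and norm_dn(e["dn"][0]).endswith(suffix)
            for mail in e.get(mail_attr, [])}

def admins_after_switch(local_admin_emails, ldif_text, base_dn=BASE_DN):
    """Return {email: uid} for local admins that LDAP can still authenticate."""
    accounts = ldap_accounts(ldif_text, base_dn)
    return {m: accounts[m.lower()] for m in local_admin_emails if m.lower() in accounts}
```

An empty result from admins_after_switch means no current administrator would be usable after the switch, so an LDAP-backed admin account has to be created first.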
mediawiki
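The biggest problem is that its help site cannot be reached from within China; otherwise it would be the easiest of all to configure. Install it with yum; installing the following PHP accelerator package as well is recommended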
php-eaccelerator-0.9.5.1-7.fc8.i386.rpm


For some reason the Fedora 8 package puts the configuration program under /var/www/wiki; by rights it should be under /var/www/html/ to be reachable, so the setup differs slightly
cd /var/www/html
ln -s ../wiki wikiconfig
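Run the configuration in the browser at http://localhost/wikiconfig, then copy the generated LocalSettings.php to /usr/share/mediawiki/ as instructed
Add a configuration file mediawiki.conf under /etc/httpd/conf.d with the following content
Alias /wiki /usr/share/mediawiki/
The wiki can then be reached from the browser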


MediaWiki's main site cannot be reached, but its code repository can. Download http://svn.wikimedia.org/svnroot/mediawiki/trunk/extensions/LdapAuthentication/LdapAuthentication.php , copy it to the /usr/share/mediawiki/includes directory, then modify LocalSettings.php as follows
require_once( 'includes/LdapAuthentication.php' );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "linuxwork" );
$wgLDAPServerNames = array( "linuxwork"=>"127.0.0.1");
$wgLDAPSearchStrings = array( "linuxwork"=>"uid=USER-NAME,ou=people,dc=linuxwork,dc=com");
$wgLDAPUseSSL = false;
$wgLDAPUseLocal = true;
$wgLDAPAddLDAPUsers = false;
$wgLDAPUpdateLDAP = false;
$wgLDAPMailPassword = false;
$wgLDAPRetrievePrefs = false;
$wgMinimalPasswordLength = 1;
$wgLDAPEncryptionType = "off";


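Most configuration guides online leave out the last line, which leads to authentication failure 90% of the time, because the code path defaults $wgLDAPEncryptionType to tls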


wordpress
Install wordpress-2.2.3-0.fc8.noarch.rpm, or simply yum install wordpress. After installation, configure the database as /usr/doc/wordpress-2.3.1/README.Fedora requires


mysql> create database wordpress;
mysql> grant all privileges on wordpress.* to wordpress identified by 'wordpress';
mysql> grant all privileges on wordpress.* to wordpress@localhost identified by 'wordpress';



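Then edit /etc/wordpress/wp-config.php to match the database settings
Open http://localhost/wordpress/wp-admin/install.php to start the installation and configuration
Download the plugin from http://downloads.wordpress.org/plugin/wpdirauth.1.0.zip, unpack it under wp-content/plugins/ and log in as admin; the procedure is as described in readme.txt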
Please refer to your friendly neighbourhood LDAP sysadmin for more information.


1. Upload the `wpDirAuth` directory to the `/wp-content/plugins/` directory.
1. Login to your WordPress instance as an admin user.
1. Activate the plugin through the ‘Plugins’ menu in WordPress.
1. Go to the `Directory Auth.` menu found in the WordPress `Options` section.
1. Enter your directory server(s) information and set your preferences.


You should now be able to login as a directory user.
The LDAP configuration is as follows
base dn -> ou=people,dc=linuxce,dc=com
account filter->uid


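Note that the authentication logic is the same as in Bugzilla and MediaWiki: if LDAP authentication succeeds but no local account exists, one is created locally, and its settings are stored in the local database. Newly created users get the subscriber role by default and users cannot self-register, so it is best to set the default role for new users to author in the admin Options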


dotproject
dotproject is the only tool that cannot be installed with yum; I used dotproject-2.1.1.tar.gz. Its installation guide is very detailed, so it is reproduced directly below
2 Installing a New System
Do not attempt to hand install dotProject 2.0 OR THE DATABASE OR ANY COMPONENT THEREFORE OR ANYTHING TO DO WITH 2.0 and/or adjust configuration files manually as this will fail and the permissions environment will not be correctly generated.
2.1 Step One – Unpack the Files
Unpack the distribution file somewhere on your system under your web server’s root directory.
If you are using a web hoster this is likely to be called www or public_html in your home directory. Check with your hosting provider or your system administrator if you are unsure.
2.2 Step Two – Running the Installer
After you have checked that the web server is correctly configured, point your browser to dotproject/install. (Depending on where you put your files you may need to provide a different path).
Make sure you include your server details. For example, if you are installing on http://mydomain.com/ and you have unpacked in your public_html directory, the URL to use would be http://mydomain.com/dotproject/install/ [1][2]
If all is well you should be in the dotProject Installer.
2.3 Step Three – Check and Start Installation
Before continuing, review the details on the page, as some of the settings may result in either partial or complete failure of your dotProject installation.
For instance, you may need to make changes to your directory permissions to support file uploads or to allow the main configuration file to be written. If you need to make changes do so and then refresh the install page.
When you are satisfied, click on the Start Install button.
2.4 Step Four – Database Settings
At this point the Database Settings page will be shown.
The Database Server Type should be left at MySQL unless you have technical knowledge and a patch to support an alternative.
Enter the name of your database host. This is often the same host as your web server, so can be left as ‘localhost’. Check with your service provider for details.[3]
Either enter the name of a database that you have previously created, or if you have permission to create databases, the name of a new database. The database should not have any tables or other data in it at this stage.
Enter the name and password of the DATABASE user [4] that has access to the above named database on the database host you have entered.
If you have not yet created a database, and your database user has sufficient permissions, check the Create Database checkbox. If not, or if you already have created the database, leave this clear.
You can safely leave the other options clear.
Select the upgrade db & write cfg button.
If all is well the next screen will display the progress as dotProject is installed. The most common problem at this stage is incorrect database details. If this is the case, go back and enter the correct details before proceeding.
2.5 Step Five – Config.php
The config.php file is the file that dotProject reads for all its basic operational activity. No config.php and you won’t have a properly functioning dotProject installation.
When complete, you may be asked to cut and paste the config file contents to dotproject/includes/config.php.
This will only occur if the web server could not write to the includes directory. If this is shown, create the config.php file with the information displayed before you click on the Login and Configure the dotProject System Environment link, otherwise you will be redirected back to the installer.
2.6 Step Six – Login with Default User Name and Password
When you click on the Login and Configure the dotProject System Environment link, you will be asked to login. The default login is:
User Name:
    admin
Password:
    passwd
2.7 Step Seven – Secure your dotProject Installation
There are two steps you should undertake within dotProject to protect your installation.[5]
1. Remove the install directory from your dotProject environment. Failure to do this may affect your system security.
2. Change the admin password immediately.
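Since the other software above is all installed under /usr/share, unpack dotproject under /usr/share as well and change its ownership with
chown -R root.apache dotproject
Add a configuration file dotproject.conf under /etc/httpd/conf.d with the following content
Alias /project /usr/share/dotproject/
The description in step 2.5 seems to be off: once configuration is complete config.php is modified automatically, and there is no need to copy the contents
The LDAP configuration is as follows


auth_method => ldap
ldap_host => localhost
ldap_port => 389
ldap_version => 3
ldap_base_dn => ou=people,dc=linuxwork,dc=com
ldap_user_filter => (uid=%USERNAME%)
postnuke_allow_login => true
These settings are stored in the config table; to confirm them, query it in SQL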
select * from config ;


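Note that the authentication logic is the same as in Bugzilla, MediaWiki and WordPress: if LDAP authentication succeeds but no local account exists, one is created locally, and its settings are stored in the local database. Newly created users get the Anonymous role by default, and admin has to log in and set the user to the projectworker role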


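At this point Subversion, Bugzilla, MediaWiki, WordPress and dotproject all authenticate against LDAP, covering version control, defect and change management, integrated knowledge management, and convenient schedule and task management. A development team that can really put all of these tools to use should be very well disciplined indeed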
