The simplest effective way to back up contacts on a WM5.0 system
Open File Explorer and, under My Device, copy the pim file and back it up to the SD card or to a PC. To restore, first rename the pim file under My Device by adding or removing a letter (otherwise the backup pim file with the same name cannot replace the existing pim file), then paste the backed-up pim file; after a restart the contacts that existed at backup time are restored. Afterwards delete the renamed original pim file from My Device.
Advantages: after a hard reset wipes the system, contacts can be restored right away, without needing a full system backup or an Outlook sync from a PC; contacts can also be copied between devices running the same system.
Contact backup/export software Contact2CSV (portable)! Supports PPC2003, WM5, WM6
Software description:
Exports the contacts on the phone; the exported fields are:
Name, mobile phone, company name, office phone, home phone, e-mail
When browsing, drag to scroll up and down.
The exported contact information is saved in the file contacts_backup.csv.txt in the phone's root directory.
It is saved as a CSV-format text file, convenient to view and edit. (This will be handy once an import/restore-to-phone function is added later: edit the text file on a PC, then import it.)
Life's greatest regret is to have wrongly persisted in what should not have been persisted in, and to have lightly given up what should not have been given up...
TOP2
A new kind of morning call: why sleep so long while alive, when you will sleep forever after death
TOP3
What tires you is not the distant mountain, but the grain of sand in your shoe
TOP4
Sometimes the greatest comfort while queuing for food in the canteen is not that the line ahead gets shorter, but that the line behind gets longer
TOP5
Against the wind is the better direction to fly. I am not afraid of ten thousand people blocking me, only of surrendering myself
TOP6
Liquor: in the bottle it looks like water; in the belly it raises hell; it makes your speech slip and your legs wobble; you get up at midnight looking for water and wake up in the morning with regret; and at noon, glass in hand, it still tastes great.
TOP7
If you ignore me I will turn into a steamed bun... and Tianjin's most famous one at that... heh heh...
TOP8
Mom said there are two things a person should never miss: the last bus home and someone who loves you deeply
TOP9
I asked a friend who has worked in Shenzhen for twenty years: "What do you plan to write on your epitaph?" He said: "I solved the housing problem!"
TOP10
That day I saw an old lady burning paper money, muttering as she burned: when you get it, put it all into funds~~
TOP11
The beauty of scholarship lies in leaving people baffled; the beauty of poetry lies in inciting men and women to have affairs; the beauty of women lies in being foolish without complaint or regret; the beauty of men lies in lying so well that ghosts appear in broad daylight
TOP12
If you see a shadow in front of you, don't be afraid; it is there because there is sunshine behind you
TOP13
Zhuge Liang had never led troops before he came out of the mountains! Why should I need work experience?
TOP14
I am made in China, manufactured on month X, day X of 1981, 180 cm long, net weight 67 kg. Equipped with artificial intelligence, all parts complete, running stably; after more than twenty years of operation, a trustworthy product. All paperwork in order, unlimited return and exchange guarantee. Due to development needs, now seeking a like-minded partner to jointly research and develop a second-generation product. Interested parties please get in touch!
TOP15
Get rid of the pandas and I will be the national treasure!
TOP16
I can tolerate a fake figure, a fake face, fake breasts, fake hips!!! But I cannot tolerate fake money!!!!
TOP17
Those who are offline never know how long the ones online waited for them...
TOP18
URGENT NOTICE: please prepare a one-inch colour photo, a copy of your ID card, a copy of your diploma and a résumé, and send them to the National Space Administration. According to reliable sources, to celebrate the Mid-Autumn Festival they are recruiting a Chang'e! (bring your own rabbit)
TOP19
Fate shuffles the cards, but we play the hand ourselves!
Two free Flash charting libraries
1. amCharts
Official site: http://www.amcharts.com/
2. Open Flash Chart
Official site: http://teethgrinder.co.uk/open-flash-chart/
Where SQLite fits
SQLite differs from most other SQL database engines in that its primary design goal is simplicity:
- Easy to administer
- Easy to use
- Easy to embed in larger programs
- Easy to maintain and configure
Many people like SQLite because it is small and fast. But those qualities are only part of its appeal; users also find that SQLite is very reliable. That reliability comes from its simplicity: the simpler something is, the less likely it is to go wrong. Beyond being simple, small and reliable, what matters most is that SQLite strives for simplicity.
Simplicity in a database engine can be a strength, but it can also be a weakness, depending on what you are trying to do. To achieve simplicity, SQLite omits some features that people consider useful, such as high concurrency, fine-grained access control, a rich set of built-in functions, stored procedures, esoteric SQL language features, XML and Java extensions, terabyte-scale capacity, and so on. If you need these features and do not mind their complexity, SQLite is probably not for you. SQLite is not intended to be an enterprise database engine, and it does not try to compete with Oracle or PostgreSQL.
As a rule of thumb, SQLite is suitable when you value simple administration, use and maintenance of the database over the countless complex features that enterprise databases provide; in that case SQLite is a sensible choice. Experience shows that in many situations people have come to realise that simple is the best choice.
Situations where SQLite works best
Websites
As a database engine SQLite is suitable for websites with low to medium traffic (which is to say, 99.9% of websites). How much traffic SQLite can handle depends on how heavily the website uses the database. Generally, a site with fewer than 100,000 hits per day should run fine on SQLite. The 100,000 hits/day figure is a conservative estimate, not a hard upper bound; SQLite has been shown to work with ten times that traffic.
Embedded devices and applications
Because an SQLite database needs almost no administration, it is a good choice for devices or services that run unattended or without technical support. SQLite works well in mobile phones, PDAs, set-top boxes and other appliances. As an embedded database it also works well in client-side programs.
Application file format
SQLite has been very successful as the on-disk file format for desktop applications such as financial analysis tools, CAD packages, record-keeping programs and so on. The usual open operation calls sqlite3_open() and then marks the start of an explicit local transaction (BEGIN TRANSACTION) to obtain exclusive access to the file contents. Saving the file performs a COMMIT and then marks the start of another explicit transaction. These transactions guarantee that updates to the application's data file are atomic, durable, isolated and consistent.
Temporary triggers can be added to the database to record every change in a temporary undo/redo log table. When the user presses the undo or redo button, those changes can be rolled back. With this technique an unlimited-depth undo/redo feature can be implemented with very little code.
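The temporary-trigger undo/redo technique described above, as an added example that is not from the original article: Python's sqlite3 module on a constructed notes table, where TEMP triggers write the inverse SQL of every change into a TEMP undolog table and the UndoRedo class (an assumed name, like open_document() and note_body()) replays ranges of that log. Note the use of SQLite's quote() inside the triggers, so a note body containing quotes cannot break the generated statements.

```python
import sqlite3

def open_document(path=":memory:"):
    """Open the application's SQLite 'document' and install TEMP undo triggers.
    notes is a constructed stand-in for the application's data; undolog and the
    triggers are TEMP, so they never become part of the saved file. Each trigger
    records the SQL that reverses the change it saw; quote() yields a correctly
    escaped literal, so text containing quotes cannot break the stored statement."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS notes(id INTEGER PRIMARY KEY, body TEXT)")
    db.execute("CREATE TEMP TABLE undolog(seq INTEGER PRIMARY KEY, sql TEXT NOT NULL)")
    db.executescript("""
        CREATE TEMP TRIGGER notes_it AFTER INSERT ON notes BEGIN
          INSERT INTO undolog(sql) VALUES('DELETE FROM notes WHERE id=' || NEW.id);
        END;
        CREATE TEMP TRIGGER notes_ut AFTER UPDATE ON notes BEGIN
          INSERT INTO undolog(sql) VALUES('UPDATE notes SET body=' || quote(OLD.body)
                                          || ' WHERE id=' || OLD.id);
        END;
        CREATE TEMP TRIGGER notes_dt AFTER DELETE ON notes BEGIN
          INSERT INTO undolog(sql) VALUES('INSERT INTO notes(id, body) VALUES('
                                          || OLD.id || ',' || quote(OLD.body) || ')');
        END;
    """)
    return db

class UndoRedo:
    """Unlimited undo/redo on top of undolog. Each user action owns a contiguous
    range of undolog rows; undoing replays them in reverse, and because the
    triggers fire again while doing so, the rows they write become the redo action."""

    def __init__(self, db):
        self.db = db
        self.undo_stack = []   # (first_seq, last_seq) ranges, most recent last
        self.redo_stack = []

    def _last_seq(self):
        return self.db.execute("SELECT coalesce(max(seq), 0) FROM undolog").fetchone()[0]

    def action(self, fn):
        """Run fn(db) as one undoable user action."""
        begin = self._last_seq()
        fn(self.db)
        end = self._last_seq()
        if end > begin:                 # ignore actions that changed nothing
            self.undo_stack.append((begin + 1, end))
            self.redo_stack.clear()     # a fresh action invalidates the redo history

    def _replay(self, first, last):
        stmts = [row[0] for row in self.db.execute(
            "SELECT sql FROM undolog WHERE seq BETWEEN ? AND ? ORDER BY seq DESC",
            (first, last))]
        self.db.execute("DELETE FROM undolog WHERE seq BETWEEN ? AND ?", (first, last))
        begin = self._last_seq()
        for stmt in stmts:
            self.db.execute(stmt)       # the triggers log the inverse of each inverse
        return (begin + 1, self._last_seq())

    def undo(self):
        if not self.undo_stack:
            return False
        self.redo_stack.append(self._replay(*self.undo_stack.pop()))
        return True

    def redo(self):
        if not self.redo_stack:
            return False
        self.undo_stack.append(self._replay(*self.redo_stack.pop()))
        return True

def note_body(db, note_id):
    """Current body of a note, or None if the note does not exist."""
    row = db.execute("SELECT body FROM notes WHERE id=?", (note_id,)).fetchone()
    return row[0] if row else None
```

Wrap each undo or redo in the same explicit transaction the document already uses for saves, so a crash mid-replay cannot leave the notes table and the log out of step.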
Replacement for ad hoc file formats
Many programs use fopen(), fread() or fwrite() to create and manage custom files for storing data. Using SQLite in place of these custom file formats is a good choice.
Internal or temporary databases
For programs that have large amounts of data that must be sifted and sorted in different ways, it is often simpler and faster to read the data into an in-memory SQLite database and then extract what is needed, in the required order, with joins and ORDER BY clauses, rather than writing code to do the same thing. Using an embedded SQLite database this way also makes the program more flexible, because new columns or indexes can be added without rewriting any queries.
Command-line dataset analysis tool
Experienced SQL users can use the SQLite command-line program to analyse all kinds of miscellaneous datasets. Raw data can be imported from CSV (comma-separated values) files and then sliced and diced to produce countless summary reports. Possible uses include website log analysis, sports statistics, compiling programming metrics and analysing experimental results.
Of course, you can do the same thing with an enterprise client/server database. The advantage of SQLite here is that it is easier to deploy, and the resulting database is a single file that you can store on a floppy disk or USB drive or e-mail to a colleague.
Stand-in for an enterprise database during demos or testing
If you are writing a client program that uses an enterprise database engine, it makes sense to use a generic database back end that lets you connect to different SQL database engines. It makes even more sense to link the SQLite engine statically into the client program, embedding SQLite as an alternative database. The client can then use SQLite database files for standalone testing or validation.
Teaching databases
Because SQLite is so easy to install and use (installation is practically nil: just copy the SQLite source code or the sqlite.exe executable to the target machine and run it), it is well suited to teaching SQL. Students can easily create whatever databases they like and e-mail them to the teacher for comments or grading. For more advanced students interested in how a relational database management system (RDBMS) is implemented, SQLite's modular, well-commented and well-documented source code provides a good foundation. This is not to say SQLite is an exact model of how other database engines are implemented, but it is a good way for students to understand how SQLite works so quickly and to grasp the design principles of other database systems.
Experimenting with SQL language extensions
SQLite's simple and modular design makes it an excellent prototyping platform for testing new database language features or ideas.
Situations where another RDBMS may work better
Client/server applications
If you have many client programs accessing a shared database over a network, you should consider using a client/server database instead of SQLite. SQLite can work over a network filesystem, but because of the latency of most network filesystems, performance will not be great. Furthermore, the file locking logic of many network filesystem implementations contains bugs (on both Unix and Windows). If file locking does not work correctly, two or more clients may modify the same part of the same database at the same time, resulting in database corruption. Because these problems are inherent bugs in the filesystem implementation, there is nothing SQLite can do to prevent them.
Good experience tells us to avoid using SQLite where many computers need to access the same database simultaneously over a network filesystem.
High-traffic websites
SQLite usually works well as the back-end database for a website. But if your site's traffic grows to the point where you are considering a distributed database deployment, you should definitely consider replacing SQLite with an enterprise client/server database.
Very large datasets
When you start a transaction in SQLite (a transaction is started before any write operation, not only when you explicitly call BEGIN...COMMIT), the database engine must allocate a small map of dirty pages (file buffer pages) to help it manage rollback. SQLite needs 256 bytes for every 1 MB of database file. For small databases this space is negligible, but when the database grows to several gigabytes the size of this map becomes considerable. If you need to store or modify tens of gigabytes of data, you should consider another database engine.
High concurrency
SQLite uses read/write locks on the entire database file. This means that if any process is reading any part of the database, no other process can write to any part of it. Likewise, if any process is writing to the database, no other process can read any part of it. In most situations this is not a problem; each program uses the database only briefly and does not hold it exclusively, so a lock lasts at most a dozen or so milliseconds. But programs that need high concurrency must look for another solution.
Scheduling Backups for SQL Server 2005 Express
Problem
One problem with SQL Server 2005 Express is that it does not offer a way to schedule jobs. In a previous tip, Free Job Scheduling Tool for SQL Server Express and MSDE, we looked at a free tool that allows you to create scheduled jobs for SQL Server. The one issue people often face though is what to install and what not to install on their production servers and therefore these items go without resolution. One very important part of managing SQL Server is to ensure you run backups on a set schedule. I often hear about corrupt databases and no backups, so let's take a look at another approach of scheduling backups using the included tools in both the operating system and SQL Server.
Solution
There are two components to this; the first is the backup command and the second is the scheduling needed to run the backups.
Backup Commands
There are a few things that we need to set up. The first is to create a stored procedure that dynamically generates the backup file name and runs the requested type of backup: Full, Differential or Transaction Log. By default this stored procedure writes the backups to the "C:\Backup" folder; this can be changed to any folder you like.
The following stored procedure should be created in the master database. This is just one way of handling this; there are several other options and enhancements that can be made.
USE [master]
GO
/****** Object: StoredProcedure [dbo].[sp_BackupDatabase] Script Date: 02/07/2007 11:40:47 ******/
SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO
-- =============================================
-- Author: Edgewood Solutions
-- Create date: 2007-02-07
-- Description: Backup Database
-- Parameter1: databaseName
-- Parameter2: backupType F=full, D=differential, L=log
-- =============================================
CREATE PROCEDURE [dbo].[sp_BackupDatabase]
    @databaseName sysname,
    @backupType CHAR(1)
AS
BEGIN
    SET NOCOUNT ON;

    DECLARE @sqlCommand NVARCHAR(1000)
    DECLARE @dateTime NVARCHAR(20)

    -- Timestamp of the form yyyymmddhhmmss, used to make each backup file name unique
    SELECT @dateTime = REPLACE(CONVERT(VARCHAR, GETDATE(), 111), '/', '')
                     + REPLACE(CONVERT(VARCHAR, GETDATE(), 108), ':', '')

    -- QUOTENAME brackets the database name so that a name containing spaces or
    -- other special characters cannot break (or alter) the generated statement
    IF @backupType = 'F'
        SET @sqlCommand = 'BACKUP DATABASE ' + QUOTENAME(@databaseName)
            + ' TO DISK = ''C:\Backup\' + @databaseName + '_Full_' + @dateTime + '.BAK'''

    IF @backupType = 'D'
        SET @sqlCommand = 'BACKUP DATABASE ' + QUOTENAME(@databaseName)
            + ' TO DISK = ''C:\Backup\' + @databaseName + '_Diff_' + @dateTime + '.BAK'' WITH DIFFERENTIAL'

    IF @backupType = 'L'
        SET @sqlCommand = 'BACKUP LOG ' + QUOTENAME(@databaseName)
            + ' TO DISK = ''C:\Backup\' + @databaseName + '_Log_' + @dateTime + '.TRN'''

    EXECUTE sp_executesql @sqlCommand
END
The second part is to create a SQLCMD file that runs the backup commands. Here is a simple SQLCMD file that backs up the master, model and msdb databases.
This file is saved as backup.sql and, for our purposes, is created in the "C:\Backup" folder, but again it could be put anywhere.
sp_BackupDatabase 'master', 'F'
GO
sp_BackupDatabase 'model', 'F'
GO
sp_BackupDatabase 'msdb', 'F'
GO
QUIT
Scheduling
Included with the Windows operating system is the ability to set up and run scheduled tasks. This is generally not used in SQL Server environments, because SQL Server Agent is so robust and gives you far more control and options for setting up recurring jobs. With SQL Server 2005 Express, however, the only choices are a scheduled task at the operating system level or a third-party tool.
To set up a scheduled task, open the folder where new scheduled tasks are created. This can be found under Accessories -> System Tools -> Scheduled Tasks or under Control Panel.
Run Command: sqlcmd -S serverName -E -i C:\Backup\Backup.sql
Start In: C:\Program Files\Microsoft SQL Server\90\Tools\Binn
This is broken down as follows:
- sqlcmd
- -S (this specifies the server\instance name for SQL Server)
- serverName (this is the server\instance name for SQL Server)
- -E (this allows you to make a trusted connection)
- -i (this specifies the input command file)
- C:\Backup\Backup.sql (this is the file that we created above with the command steps)
Event Viewer: access denied
The "Security" log can be viewed, but "Application" and "System" cannot; the message reads “无法完成“应用程序”
Solution:
Disable the Guest account, add the current user to the Administrators group, and remove the current user from the Guests group.
Log on again and the logs can be viewed.
Installing Fedora Directory Server on Fedora 9
Mainly based on the official FDS documentation:
http://directory.fedoraproject.org/wiki/Install_Guide
(Unless otherwise noted, the steps below require root privileges)
(Original by 鱼漂/一直漂 [admin.net#163.com]; please credit the source when reproducing)
1. Requirements
Apache2
Java runtime
The httpd and openjdk packages shipped on the Fedora 9 discs can be used
2. Configure your hostname
Assuming your domain is systemadmin.cn and your DC is named dc.systemadmin.cn, first set the hostname to dc.systemadmin.cn
(run the hostname command, and edit /etc/sysconfig/network and /etc/hosts)
3. Configure the FDS yum repositories
cd /etc/yum.repos.d
wget http://directory.fedoraproject.org/sources/idmcommon.repo
wget http://directory.fedoraproject.org/sources/dirsrv.repo
4. Install FDS
yum install fedora-ds
Install the Directory Server Gateway
yum install fedora-ds-dsgw
5. Initial configuration
Run /usr/sbin/setup-ds-admin.pl to perform the initial configuration
Remember the admin and Directory Manager passwords you set, and the admin console port (assume port 8088; it is needed later)
When the configuration finishes, Fedora Directory Server is started automatically
If you installed DSGW, run /usr/sbin/setup-ds-dsgw to configure DSGW
6. Verify the installation
Browse to http://localhost:8088/. If it cannot be reached, the FDS dirsrv-admin service has not been started
Query the server with the following command:
/usr/lib/mozldap/ldapsearch [-h <your host>] [-p <your port>] -s base -b "" "objectclass=*"
If using OpenLDAP's ldapsearch:
/usr/bin/ldapsearch -x [-h <your host>] [-p <your port>] -s base -b "" "objectclass=*"
If no error is printed, FDS is running.
Check that java -version works; if not, install a Java runtime and configure the Java environment so that the java command can be run (export JAVA_HOME, export PATH=$JAVA_HOME/bin:$PATH)
Run /usr/bin/fedora-idm-console to start the management console
The user is admin, the password is the one set earlier, and the address is http://localhost:8088/
If the management interface appears, the configuration works.
7. Start Fedora Directory Server automatically
chkconfig dirsrv on
chkconfig dirsrv-admin on
Judging by the management interface, FDS is much easier to use than OpenLDAP
Red Hat's official documentation: http://www.redhat.com/docs/manuals/dir-server/
OpenLDAP MigrationTools
http://www.padl.com/OSS/MigrationTools.html
The MigrationTools are a set of Perl scripts for migrating users, groups, aliases, hosts, netgroups, networks, protocols, RPCs, and services from existing nameservices (flat files, NIS, and NetInfo) to LDAP.
The tools require the ldapadd and ldif2dbm commands, which are distributed with most LDAP servers derived from the University of Michigan LDAP distribution. The source code for these is available with OpenLDAP. Additionally, Netscape provides an implementation of ldapmodify which subsumes the functionality of ldapadd. If you are using Netscape's Directory Server, you should set the $NSHOME and $serverId environment variables to assist the MigrationTools in locating your LDAP database and LDIF tools; they will then use ldapmodify instead of ldapadd.
These tools are freely redistributable according to the license included with the source files. They may be bundled with NIS/LDAP migration products. See RFC 2307 for more information on the schema used by these scripts. THIS SOFTWARE IS PROVIDED "AS IS" WITHOUT EXPRESS OR IMPLIED WARRANTY AND WITHOUT SUPPORT.
Scripts
- migrate_base.pl creates naming context entries, including subordinate contexts such as ou=people and ou=devices.
- migrate_aliases.pl migrates aliases in /etc/aliases to entries conforming to the rfc822MailGroup schema. Organizations who have deployed LDAP-based messaging solutions, such as Netscape's Messaging Server, may wish to use a different schema for representing mail aliases. Ypldapd does not use X.500 groups (such as groupOfUniqueNames) for mail alias expansion because flattening an arbitrarily nested group at runtime may be expensive. (It is possible to write a ypldapd plug-in to support such a schema, however.)
- migrate_group.pl migrates groups in /etc/group
- migrate_hosts.pl migrates hosts in /etc/hosts
- migrate_networks.pl migrates networks in /etc/networks
- migrate_passwd.pl migrates users in /etc/passwd. Note that if users are allowed to read the userPassword attribute, and your LDAP server doesn't support authenticating against hashed passwords, then anyone may read the userPassword attribute's value and authenticate as that user. Modern LDAP servers, such as Netscape Directory Server, support authenticating against hashed passwords, so this is not an issue. The OpenLDAP LDAP server also supports such authentication.
- migrate_protocols.pl migrates protocols in /etc/protocols
- migrate_services.pl migrates services in /etc/services
- migrate_netgroup.pl migrates netgroups in /etc/netgroup
- migrate_netgroup_byuser.pl migrates the netgroup.byuser map. It requires revnetgroup.
- migrate_netgroup_byhost.pl migrates the netgroup.byhost map. It requires revnetgroup.
- migrate_rpc.pl migrates RPCs in /etc/rpc
Configuration
The configuration for these Perl scripts is contained at the head of migrate_common.ph:
| Perl variable | Description |
|---|---|
| $DEFAULT_MAIL_DOMAIN | The mail domain used for the mail attribute in migrate_passwd.pl when extended schema support is enabled. You may override this with the DEFAULT_MAIL_DOMAIN environment variable. |
| $DEFAULT_BASE | The naming suffix to use in entries' distinguished names. If undefined, this will be constructed by mapping the mail domain name into a distinguished name (eg aceindustry.com becomes dc=aceindustry,dc=com). You may override this with the LDAP_BASEDN environment variable. |
| $EXTENDED_SCHEMA | Enables extended schema support. This adds the organizationalPerson and inetOrgPerson object classes, amongst others, to users migrated by the migrate_passwd.pl script. |
| NAMINGCONTEXT | Determines the LDAP/X.500 naming context to use for a migration tool. The dictionary is keyed by tool (as in migrate_tool.pl). Values are concatenated with $DEFAULT_BASE by the &getsuffix() subroutine. |
The following environment variables control the behavior of the migration shell scripts:
| Environment variable | Description |
|---|---|
| DEFAULT_MAIL_DOMAIN | See above |
| LDAPADD | Path to the ldapadd executable, for online migration (if not in the path or /usr/local/bin or /usr/bin) |
| LDIF2LDBM | Path to the ldif2ldbm executable, for offline migration (if not in the path or /usr/local/bin or /usr/bin) |
| PERL | Path to the Perl interpreter (if not /usr/bin or /usr/local/bin) |
| LDAPHOST | Your LDAP server, for online migration. This is optional; you'll be prompted if the environment variable is not set. |
| LDAP_BASEDN | See above ($DEFAULT_BASE). This is optional; you'll be prompted if the environment variable is not set. |
| LDAP_BINDDN | The distinguished name to bind to the LDAP server as, for online migration. This is optional; you'll be prompted if the environment variable is not set. |
| LDAP_BINDCRED | The password to bind to the LDAP server with, for online migration. This is optional; you'll be prompted if the environment variable is not set. |
You will probably wish to use a shell script or makefile to automate population of your LDAP database, either off-line (with ldif2ldbm) or on-line (with ldapadd). The migrate_all_*.sh shell scripts do this, but you may wish to customize their behaviour. The following table explains which migration scripts to use:
| Shell script | Existing nameservice | LDAP running? |
|---|---|---|
| migrate_all_online.sh | /etc flat files | Yes |
| migrate_all_offline.sh | /etc flat files | No |
| migrate_all_netinfo_online.sh | NetInfo | Yes |
| migrate_all_netinfo_offline.sh | NetInfo | No |
| migrate_all_nis_online.sh | NIS/YP | Yes |
| migrate_all_nis_offline.sh | NIS/YP | No |
Centralised user account management with OpenLDAP
OpenLDAP on Red Hat provides secure, reliable account management
Building a centralised authentication system with the Lightweight Directory Access Protocol (LDAP) can reduce administration costs, improve security, avoid data replication problems and improve data consistency. As Linux® has matured, many tools have appeared that simplify migrating user account information into an LDAP directory. Tools have also been developed to enable encrypted communication between clients and the directory server and to provide fault tolerance through replication. This article shows you how to configure servers and clients to use OpenLDAP on Red Hat Linux.
[鱼漂] Supplementary note: the Migration Tools mentioned in this article are no longer included in openldap-servers; download them from:
http://www.padl.com/OSS/MigrationTools.html
Also, after finishing the configuration I have not yet found a suitable management tool; operations such as adding or copying users are still rather cumbersome.
The document comes from IBM; click here to download the PDF version:
[file]attachment/200810/linuxopenldap.zip[/file]
Related document: OpenLDAP Admin Guide
[file]attachment/200810/openldap-admin-guide.zip[/file]
Related document: LDAP System Administration
[file]attachment/200810/ldapsystemadministration.zip[/file]
Installation documents for OpenLDAP + pam_ldap on RHEL:
1. Installing and configuring OpenLDAP for RedHat Enterprise Linux3
2. Installing and configuring OpenSSH with pam_ldap for RedHat Enterprise Linux3
Linux LDAP authentication
http://www.linux.com/feature/114074
When you have to administer a network of many machines, you quickly find out how much duplication of effort is involved with normal administrative tasks. Routine operations like changing passwords, canceling accounts, and modifying groups become time-consuming if repeated on many individual machines. Centralizing user and authentication information can solve these issues. The former king of centralized authentication systems was NIS, or Network Information System. NIS is a simple and well-supported technology, but it's also insecure. LDAP, short for Lightweight Directory Access Protocol, is now the preferred way of managing centralized user accounts.
LDAP's purpose is to describe how directory data should be presented and how it should travel across networks. LDAP servers typically allow information to be read very quickly at the expense of writing. The basic functionality of an LDAP server is similar to that of a database, but more like a database designed for fast reads of relatively static information. Passwords and groups are good examples of relatively static information that needs to be read quickly. OpenLDAP is a free software implementation of the LDAP protocol. Installing OpenLDAP gives you everything needed to present and store data through LDAP.
Learning LDAP can be a frustrating experience. LDAP is complicated, and centralized authentication is only one of its many legitimate uses. As a result, the task of making Linux machines consult an LDAP server for authentication is a black art. Documentation tends to be spotty and confusing. But learning about LDAP authentication, despite its difficulty, is worth the time and effort. LDAP can provide a scalable and secure approach to network management.
Setting up an LDAP-based network
We will set up a simple LDAP-based authentication system. Our example uses two Debian 3.1 (Sarge) machines, one acting as client and one as server. To make the process even simpler, use User Mode Linux to create virtual Linux boxes that you can break and abuse to your heart's content. For simplicity, we will not be encrypting communication and will stick to basic examples.
First we will cover the server configuration. On your "server" Debian system, issue the following command:
apt-get install slapd ldap-utils
This will install OpenLDAP and related utilities. Debian will prompt you for slapd (the name of the OpenLDAP daemon) configuration values. The "Admin password" will be the password you want to use when adding or deleting from LDAP and for certain client tasks. "DNS domain name" is important and must be a domain name resolvable to your LDAP server.
Omit OpenLDAP server configuration? no
DNS domain name: example.org
Name of your organization: example_organization
Admin password: ldap
Database backend to use: BDB
Do you want your database to be removed when slapd is purged? no
Allow LDAPv2 protocol? no
With slapd configured, you can test if your installation is working correctly. After running the following command, you should see LDAP information:
ldapsearch -x -b dc=example,dc=org
We now have a functioning LDAP server, but it is of no use until we populate it with basic information. Make a file called base.ldif and populate it with the following values:
dn: ou=People,dc=example,dc=org
ou: People
objectClass: top
objectClass: organizationalUnit
dn: ou=Group,dc=example,dc=org
ou: Group
objectClass: top
objectClass: organizationalUnit
Save the file and add the data in it to the running LDAP server with the following command:
ldapadd -x -D "cn=admin,dc=example,dc=org" -W -f base.ldif
You will be prompted for the password you chose during the configuration of slapd. If your password was correct and your ldif file was in good order, you will see a line beginning with "adding new entry."
Next we will add a group that our LDAP users will be a part of. Add the following values to a file called group.ldif:
dn: cn=ldapusers,ou=Group,dc=example,dc=org
objectClass: posixGroup
objectClass: top
cn: ldapusers
userPassword: {crypt}x
gidNumber: 9000
Though in my example I chose "ldapusers," you can change this value to anything you like. You can also choose any gidNumber you like. Once you have a group.ldif you like, add it the same way as you added the base.ldif:
ldapadd -x -D "cn=admin,dc=example,dc=org" -W -f group.ldif
The final server step in this example is adding an LDAP user. Create an ldif file called myuser.ldif with the following values:
dn: cn=Myuser,ou=People,dc=example,dc=org
cn: Myuser
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
sn: User
uid: myuser
uidNumber: 1025
gidNumber: 9000
homeDirectory: /tmp
This will make a user called "myuser" with a uid of 1025 who lives in /tmp and is a member of the LDAP-only group "ldapusers." This user doesn't have a password yet, but we will save that task for the client machine.
Client configuration
The client steps provided here will work for any machine you wish to make authenticate via LDAP. Make sure your client can communicate with the server and that pinging "example.org" from the client returns the correct IP address of the server.
On the client machine, install OpenLDAP and PAM (Pluggable Authentication Modules) utilities, as well as NSCD, the Name Service Cache Daemon, with the command:
apt-get install ldap-utils libpam-ldap libnss-ldap nscd
One of the first packages Debian asks you to configure is libnss-ldap. Important values for your particular setup are the "LDAP server host" and the "distinguished name," or DN for short. The server host will be the IP address of the LDAP server, while the DN will be the server's host name. Also note the DN should be in the form of "dc=example,dc=org". The following is a typical libnss-ldap configuration:
LDAP Server host: 192.168.1.30
The distinguished name of the search base: dc=example,dc=org
LDAP version to use: 3
database requires login? no
make configuration readable/writeable by owner only? yes
The values for libpam-ldap will be similar to those of libnss-ldap. Note that the "Root login password" is the same password you chose during the server's slapd configuration. Enter the following when prompted:
The distinguished name of the search base: dc=example,dc=org
Make local root Database admin: yes
Database requires logging in: no
Root login account: cn=admin,dc=example,dc=org
Root login password: ldap
Local crypt to use when changing passwords: exop
Next, we need to tell the client's underlying authentication system to use LDAP to look for users. The first file to edit is /etc/nsswitch.conf. Make sure to add "ldap" to the passwd, group, and shadow lines:
passwd: ldap compat
group: ldap compat
shadow: ldap compat
We need to configure the client's PAM software to check LDAP for user authentication. There are three files to edit under /etc/pam.d: common-account, common-auth, and common-password. First, /etc/pam.d/common-account should contain the following:
account sufficient pam_ldap.so
account required pam_unix.so try_first_pass
/etc/pam.d/common-auth should contain:
auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure try_first_pass
Finally, /etc/pam.d/common-password should contain:
password sufficient pam_ldap.so
password required pam_unix.so nullok obscure min=4 max=8 md5 try_first_pass
The changes we made to /etc/nsswitch.conf and the PAM configuration files allow the client to check LDAP before allowing a user on the system, but will also fall back on local authentication methods should LDAP fail or not have information about a given user.
The last file to edit is /etc/ldap/ldap.conf. Adding information about our LDAP server here makes issuing LDAP commands on the client easier. Add lines for your setup similar to the following:
BASE dc=example,dc=org
URI ldap://192.168.1.30
At this point, you should be able to change the password of the user you created earlier. First restart nscd, then change the ldap user's password:
/etc/init.d/nscd restart
passwd myuser
After changing the password, log in as myuser on the client machine. Congratulations, you've just authenticated over LDAP.
Implementing LDAP on Linux isn't exactly difficult once you know the right changes to make. For reasons I cannot explain, however, most information I have read about LDAP seems to convey just how much trouble the author had implementing it. Finding the right changes in the first place is usually the most challenging part. Linux distributions could automate this process a little more; having front ends to server and client configuration would take Linux far in the LDAP world.
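Before an ldif file "in good order" goes to ldapadd, it is worth checking it mechanically. The following is an added example, not code from the article or from the MigrationTools: a small LDIF parser plus a checker for the posixAccount/posixGroup entries used above, which also flags a clear-text userPassword (the risk the MigrationTools page notes for migrate_passwd.pl). The sample LDIF is constructed from the group and user entries above plus one deliberately faulty account; parse_ldif() and check_entries() are assumed names.

```python
import re

# Constructed sample: the group and (trimmed) user entries from the article above,
# plus one deliberately faulty account so that every check has something to report.
SAMPLE_LDIF = """\
dn: cn=ldapusers,ou=Group,dc=example,dc=org
objectClass: posixGroup
objectClass: top
cn: ldapusers
userPassword: {crypt}x
gidNumber: 9000

dn: cn=Myuser,ou=People,dc=example,dc=org
cn: Myuser
objectClass: posixAccount
uid: myuser
uidNumber: 1025
gidNumber: 9000
homeDirectory: /tmp

dn: cn=Bad,ou=People,dc=example,dc=org
cn: Bad
objectClass: posixAccount
uid: bad
uidNumber: 1025
gidNumber: 9999
userPassword: hunter2
"""

# Attributes the RFC 2307 object classes require (compared case-insensitively),
# and the scheme prefixes that mark a userPassword as hashed rather than clear text.
REQUIRED = {"posixAccount": ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory"),
            "posixGroup": ("cn", "gidNumber")}
HASHED = re.compile(r"^\{(crypt|ssha|sha|smd5|md5)\}", re.IGNORECASE)

def parse_ldif(text):
    """Parse LDIF content records into dicts of lower-cased attribute -> [values].
    Folded lines are joined; base64 ("::") values and change records are not handled."""
    entries, cur, last = [], None, None
    for line in text.splitlines():
        if not line.strip():                      # a blank line ends the entry
            if cur is not None:
                entries.append(cur)
            cur, last = None, None
        elif line.startswith(" ") and last:       # continuation of the previous value
            cur[last][-1] += line[1:]
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            attr, value = attr.strip().lower(), value.strip()
            if cur is None and attr != "dn":
                raise ValueError("entry must start with dn: " + line)
            cur = {} if cur is None else cur
            cur.setdefault(attr, []).append(value)
            last = attr
    return entries + ([cur] if cur is not None else [])

def check_entries(entries):
    """Return (dn, problem) findings worth fixing before the file goes to ldapadd."""
    classes = {e["dn"][0]: {c.lower() for c in e.get("objectclass", [])} for e in entries}
    groups = {g for e in entries if "posixgroup" in classes[e["dn"][0]]
              for g in e.get("gidnumber", [])}
    findings, seen_num = [], {}
    for e in entries:
        dn, cls = e["dn"][0], classes[e["dn"][0]]
        for oc, attrs in REQUIRED.items():
            if oc.lower() in cls:
                findings += [(dn, f"missing {a} required by {oc}")
                             for a in attrs if a.lower() not in e]
        if "posixaccount" in cls:
            for num in e.get("uidnumber", []):    # one uidNumber shared by two accounts
                if num in seen_num:
                    findings.append((dn, f"uidNumber {num} already used by {seen_num[num]}"))
                seen_num.setdefault(num, dn)
            for gid in e.get("gidnumber", []):
                if gid not in groups:
                    findings.append((dn, f"gidNumber {gid} matches no posixGroup in this file"))
        for pw in e.get("userpassword", []):      # see the MigrationTools note on userPassword
            if not HASHED.match(pw):
                findings.append((dn, "userPassword is clear text, not a hashed value"))
    return findings
```

Run check_entries(parse_ldif(open("myuser.ldif").read())) on your own files; an empty list means the checks passed.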