Solaris 10にはSASLライブラリが付属しますが、いくつか問題があります。
よってインストールします。
crypt.hのマクロ展開でエラーが出ますので、以下のように変更します。
--- saslauthd/auth_getpwent.c.orig 2007-03-09 01:32:34.903776000 ----+0900 +++ saslauthd/auth_getpwent.c 2007-03-09 01:21:45.609070000 +0900 @@ -41,6 +41,10 @@ #include#include +#ifdef HAVE_CRYPT_H +#include +#endif + # ifdef WITH_DES # ifdef WITH_SSL_DES # include @@ -49,9 +53,6 @@ # endif /* WITH_SSL_DES */ # endif /* WITH_DES */ -#ifdef HAVE_CRYPT_H -#include -#endif /* END PUBLIC DEPENDENCIES */ #define RETURN(x) return strdup(x)
ライブラリ検索パスはすべて環境変数で設定するので、余計なフラグがつかないようにconfigureスクリプトを修正します。
% vi configure
- GSSAPIBASE_LIBS="-L$gssapi_dir"
+ GSSAPIBASE_LIBS=""
- LDFLAGS="-L$with_bdb_lib ${LDFLAGS} $andrew_runpath_switch$with_bdb_lib"
+ LDFLAGS="${LDFLAGS}"
- LDFLAGS="-L$with_bdb_lib ${LDFLAGS} $andrew_runpath_switch$with_bdb_lib"
+ LDFLAGS="${LDFLAGS}"
- LDFLAGS="-L${with_openssl}/$CMU_LIB_SUBDIR $andrew_runpath_switch${with_openssl}/$CMU_LIB_SUBDIR ${LDFLAGS}"
+ LDFLAGS="${LDFLAGS}"
- LDFLAGS="$LDFLAGS -L$gssapi/lib"
+ LDFLAGS="$LDFLAGS"
- LDFLAGS="-L${with_ldap}/lib $andrew_runpath_switch${with_ldap}/lib ${LDFLAGS}"
+ LDFLAGS="${LDFLAGS}"
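Review bot: Every replaced line drops not only the `-L` search path but also the `$andrew_runpath_switch…` term, i.e. the `-R` runpath that configure would otherwise embed in saslauthd and the plugins. Unless the LDFLAGS exported by setup-pre.sh carries `-R` for the Berkeley DB, OpenSSL, LDAP and GSSAPI library directories, the installed binaries will resolve those libraries through LD_LIBRARY_PATH or crle(1M) at run time, which is undesirable for a daemon that runs as root. The later relink script passes `-L…/-R…` explicitly for the plugins, which suggests the rest of the build needs the same treatment. After `gmake install`, check with `ldd` (and `dump -Lv` for the RUNPATH entry) that nothing is unresolved and that every runpath points only to root-owned directories.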
pluginのインストールパスを修正します。
--- plugins/Makefile.in.orig 2006-05-19 04:30:15.000000000 +0900
+++ plugins/Makefile.in 2009-03-12 17:00:34.210935000 +0900
@@ -262,7 +262,7 @@
common_sources = plugin_common.c plugin_common.h
-sasldir = $(prefix)/lib/sasl2
+sasldir = $(plugindir)
sasl_LTLIBRARIES = @SASL_MECHS@
EXTRA_LTLIBRARIES = libplain.la libanonymous.la libkerberos4.la
libcrammd5.la \
libgssapiv2.la libdigestmd5.la liblogin.la libsrp.la libotp.la \
以下のスクリプトを実行します。
setup.sh
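#!/bin/sh
#
# Configure cyrus-sasl for this Solaris 10 build.
#
# Usage: setup.sh [i386|amd64|sparcv8plus|sparcv9]
#
# ../setup-pre.sh is expected to set CONFLIBDIR, ISA, LIBISA, bdblib,
# bdbinc, sslpath, gss_impl and ldappath for the chosen ISA (it is
# sourced, so anything it exports is visible to configure below).
#
if [ $# -gt 1 ]; then
	echo "usage: $0 [i386|amd64|sparcv8plus|sparcv9]" >&2
	exit 1
fi
if [ $# -eq 1 ]; then
	. ../setup-pre.sh "$1"
else
	. ../setup-pre.sh
fi

# for saslauthd: make the link pull in libkrb5 explicitly.
LIBS="-lkrb5"; export LIBS

# Security-relevant notes on the mechanism selection below:
#  - PLAIN and LOGIN transmit the password itself; only offer them to
#    clients over a TLS-protected connection (enforce that in the
#    application's SASL configuration, e.g. a minimum SSF), not here.
#  - ANONYMOUS is enabled; disable it unless a service really needs
#    unauthenticated SASL logins.
#  - The sasldb file named by --with-dbpath holds the shared secrets
#    used by CRAM-MD5/DIGEST-MD5; keep it root-owned and unreadable to
#    other users.
#
# $CONFLIBDIR is deliberately left unquoted: it may hold several
# configure arguments that must be word-split.
./configure $CONFLIBDIR \
--sbindir=/usr/local/sbin/$ISA \
--libdir=/usr/local/lib$LIBISA \
--sysconfdir=/etc/sasl \
--localstatedir=/var \
--mandir=/usr/local/share/man \
--enable-static \
--enable-shared \
--enable-auth-sasldb \
--enable-java \
--enable-gssapi \
--enable-gss_mutexes \
--enable-login \
--enable-ntlm \
--enable-ldapdb \
--enable-cram \
--enable-digest \
--enable-plain \
--enable-anon \
--disable-otp \
--with-configdir=/usr/local/lib/sasl2 \
--with-plugindir=/usr/local/lib/sasl2$LIBISA \
--with-dbpath=/etc/sasl/sasldb2 \
--with-dblib=berkeley \
--with-bdb-libdir=$bdblib \
--with-bdb-incdir=$bdbinc \
--with-openssl=$sslpath \
--with-rc4=openssl \
--with-des=yes \
--with-gss_impl=$gss_impl \
--with-ldap=$ldappath \
--with-saslauthd=/var/run/saslauthd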
% ./setup.sh [i386|amd64|sparcv8plus|sparcv9]
% gmake
いくつかのプラグインのライブラリ検索パスが不十分なため、リンクし直す必要があります。以下のスクリプトでリンクし直します。
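#!/bin/sh
#
# Re-link the SASL plugins whose libtool link line lacked the search
# path / runpath for their backend libraries.  Every link passes -L and
# -R explicitly so each .so carries its own runpath and does not depend
# on LD_LIBRARY_PATH when the daemon loads it.
#
# Usage: relink.sh [i386|amd64|sparcv8plus|sparcv9]
#
# ../setup-pre.sh is expected to define ldaplib, ssllib, bdblib and
# krb5lib (library directories) for the chosen ISA.
#
if [ $# -eq 1 ]; then
	. ../setup-pre.sh "$1"
else
	. ../setup-pre.sh
fi

VER='2.0.23'

PLUGINOBJ="plugin_common.o"
SASLDBOBJ="sasldb.o sasldb_init.o $PLUGINOBJ ../sasldb/db_berkeley.lo ../sasldb/allockey.lo"
LDAPDBOBJ="ldapdb.o ldapdb_init.o"
DIGESTMD5OBJ="digestmd5.o digestmd5_init.o $PLUGINOBJ"
GSSAPIOBJ="gssapi.o gssapiv2_init.o $PLUGINOBJ"
NTLMOBJ="ntlm.o ntlm_init.o $PLUGINOBJ"

LDAPLIB="-L$ldaplib -R$ldaplib -lldap -llber"
CRYPTOLIB="-L$ssllib -R$ssllib -lcrypto"
BDBLIB="-L$bdblib -R$bdblib -ldb"
KRB5LIB="-L$krb5lib -R$krb5lib -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lkrb5support"

# The 64-bit ISAs need ld(1) told to emit a 64-bit object; FLAG stays
# empty (and is expanded unquoted on purpose) for the 32-bit ones.
case "$1" in
amd64|sparcv9) FLAG=-64 ;;
*)             FLAG= ;;
esac

cd plugins || exit 1

# relink NAME OBJECTS LIBS
#   Build .libs/libNAME.so.$VER as a shared object from OBJECTS and LIBS
#   (both word-split on purpose).  Abort on the first failed link so a
#   stale or missing plugin is not installed silently by "gmake install".
relink() {
	ld $FLAG -G -o .libs/lib$1.so.$VER $2 $3 || {
		echo "relink of lib$1.so.$VER failed" >&2
		exit 1
	}
}

relink sasldb    "$SASLDBOBJ"    "$BDBLIB"
relink ldapdb    "$LDAPDBOBJ"    "$LDAPLIB"
relink digestmd5 "$DIGESTMD5OBJ" "$CRYPTOLIB"
relink gssapiv2  "$GSSAPIOBJ"    "$KRB5LIB"
relink ntlm      "$NTLMOBJ"      "$CRYPTOLIB"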
# gmake install
ISA自動起動リンクを作るために、以下のスクリプトを実行します。
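#!/bin/sh
#
# Replace each ISA-dependent program under SBINDIR with a hard link to
# /usr/lib/isaexec, so that "prog" dispatches to SBINDIR/<isa>/prog for
# the running kernel's instruction set (see isaexec(3C)).
#
# Environment:
#   SBINDIR   directory holding the wrappers (default /usr/local/sbin)
#
SBINPROG="testsaslauthd saslauthd pluginviewer sasldblistusers2 saslpasswd2"
SBINDIR="${SBINDIR:-/usr/local/sbin}"

# Never run the rm/ln loop in whatever the current directory happens to
# be: the original script fell through here when cd failed.
cd "${SBINDIR}" || {
	echo "cannot cd to ${SBINDIR}" >&2
	exit 1
}

for prog in ${SBINPROG}
do
	rm -f "$prog"
	# A hard link needs /usr/lib/isaexec and SBINDIR on the same
	# filesystem; fail loudly rather than leave the program removed
	# and no wrapper in its place.
	ln /usr/lib/isaexec "$prog" || {
		echo "ln /usr/lib/isaexec $prog failed" >&2
		exit 1
	}
	echo "$prog"
done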
manifest: saslauthd.xml
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM
"/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<!--
$Id: cyrus-sasl.html,v 1.21 2010/03/25 02:26:07 hiraga Exp $
Service manifest for the saslauthd service.

The default instance is created disabled; enable it with
"svcadm enable svc:/network/security/saslauthd" once /etc/sasl is set up.
Start/stop are delegated to /lib/svc/method/saslauthd, which reads the
config/auth_method property and passes it to saslauthd(1M) as "-a".
-->
<service_bundle type='manifest' name='saslauthd'>
<service
name='network/security/saslauthd'
type='service'
version='1'>
<create_default_instance enabled='false' />
<single_instance />
<dependency
name='fs-local'
grouping='require_all'
restart_on='none'
type='service'>
<service_fmri value='svc:/system/filesystem/local' />
</dependency>
<dependency
name='network-service'
grouping='require_all'
restart_on='none'
type='service'>
<service_fmri value='svc:/network/service' />
</dependency>
<!--
NOTE(review): this is a require_all *path* dependency, so the service
stays offline until /etc/sasl/saslauthd.conf exists, even with the
default auth_method of "pam", which does not read that file.  Either
create the file (it may be empty) or drop this dependency when PAM is
used.
-->
<dependency name='config_data'
grouping='require_all'
restart_on='restart'
type='path'>
<service_fmri
value='file://localhost/etc/sasl/saslauthd.conf'
/>
</dependency>
<!--
No method_context is given, so the methods and saslauthd itself run as
root with all privileges.  The PAM backend typically needs root to read
the shadow database; for other backends consider a method_context that
trims privileges (not verified on this setup).
timeout_seconds='-1' disables the method timeout, so a hung start or
stop is never reported by svc.startd.
-->
<exec_method
type='method'
name='start'
exec='/lib/svc/method/saslauthd %m'
timeout_seconds='-1'>
</exec_method>
<exec_method
type='method'
name='stop'
exec='/lib/svc/method/saslauthd %m'
timeout_seconds='-1'>
</exec_method>
<!--
svc.startd invokes only start, stop and refresh methods for a service,
so this 'restart' entry is presumably never called by SMF itself.  If
it is kept, make sure the method script accepts a "restart" argument
(stop followed by start) rather than printing its usage message.
-->
<exec_method
type='method'
name='restart'
exec='/lib/svc/method/saslauthd restart'
timeout_seconds='-1'>
</exec_method>
<!-- Backend for saslauthd's -a option; override with
     svccfg -s svc:/network/security/saslauthd setprop config/auth_method=... -->
<property_group name='config' type='application'>
<propval name='auth_method' type='astring' value='pam' />
</property_group>
<template>
<common_name>
<loctext xml:lang='C'>
saslauthd, Cyrus SASL authentication server.
</loctext>
</common_name>
<documentation>
<manpage title='saslauthd' section='1M'
manpath='/usr/local/share/man' />
<doc_link name='Project Cyrus'
uri='http://asg.web.cmu.edu/sasl/' />
</documentation>
</template>
</service>
</service_bundle>
method: saslauthd
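#!/sbin/sh
#
# Cyrus SASL saslauthd -- SMF method script for
# svc:/network/security/saslauthd.
#
# Usage: saslauthd start|stop|restart
#
# "start" reads the service property config/auth_method with svcprop(1)
# and runs saslauthd(1M) as "saslauthd -a <auth_method>".
# "stop" signals the pid recorded in $PIDFILE and waits (bounded) for
# the process to go away.  "restart" is stop followed by start; the
# manifest's restart exec_method invokes the script with that argument.
#
. /lib/svc/share/smf_include.sh

result=${SMF_EXIT_OK}

# Read command line arguments
method="$1"

SMF_FMRI="svc:/network/security/saslauthd"
server="/usr/local/sbin/saslauthd"
I=`/usr/bin/basename $0`
RUNDIR=/var/run/saslauthd
PIDFILE=$RUNDIR/saslauthd.pid

# Create the run directory and launch saslauthd with options taken from
# the SMF configuration.  Returns the daemon's exit status,
# SMF_EXIT_ERR_FATAL if the run directory cannot be created, or
# SMF_EXIT_ERR_CONFIG when no auth_method is configured (saslauthd
# requires -a; the previous version ran "-a" with no argument then).
start_saslauthd() {
	if [ ! -d ${RUNDIR} ]; then
		# Created with the default umask.  The mode of this directory
		# decides who can reach the mux socket saslauthd creates in it;
		# tighten mode/group ownership if only local mail services
		# should be able to query the daemon.
		mkdir -p ${RUNDIR} || return ${SMF_EXIT_ERR_FATAL}
	fi

	cmdopts=""
	properties="auth_method"
	for prop in $properties
	do
		value=`/usr/bin/svcprop -p config/${prop} ${SMF_FMRI}`
		# svcprop prints "" (two quote characters) for an empty astring.
		if [ -z "${value}" -o "${value}" = '""' ]; then
			continue
		fi
		case ${prop} in
		'auth_method')
			cmdopts="${cmdopts} -a ${value}"
			;;
		esac
	done

	if [ -z "${cmdopts}" ]; then
		echo "$I: config/auth_method is not set for ${SMF_FMRI}" >&2
		return ${SMF_EXIT_ERR_CONFIG}
	fi

	echo "$I: Executing: ${server} ${cmdopts}"
	# Execute saslauthd(1M) with relevant command line options.
	${server} ${cmdopts}
	return $?
}

# Signal the daemon recorded in $PIDFILE and wait up to 10 seconds for
# it to exit, so that a following start does not collide with the old
# process's pid file and mux socket.  Returns 1 if there is nothing to
# stop or the signal could not be delivered.  A process that is still
# around after the wait is left to svc.startd's contract cleanup
# (presumably; not verified here).
stop_saslauthd() {
	if [ ! -s ${PIDFILE} ]; then
		echo "$I: ${PIDFILE} missing or empty; is saslauthd running?" >&2
		return 1
	fi
	pid=`cat ${PIDFILE}`
	/usr/bin/kill ${pid} || return 1
	waited=0
	while /usr/bin/kill -0 ${pid} 2>/dev/null; do
		waited=`expr ${waited} + 1`
		if [ ${waited} -ge 10 ]; then
			echo "$I: saslauthd (pid ${pid}) did not exit" >&2
			break
		fi
		sleep 1
	done
	return 0
}

case "$method" in
'start')
	start_saslauthd
	result=$?
	;;
'stop')
	stop_saslauthd || exit 1
	;;
'restart')
	stop_saslauthd || exit 1
	start_saslauthd
	result=$?
	;;
*)
	echo "Usage: $I [start|stop|restart]" >&2
	exit 1
	;;
esac

exit ${result}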
manifestとmethodを登録します。
# cp saslauthd /lib/svc/method
# chown root:bin /lib/svc/method/saslauthd
# chmod 555 /lib/svc/method/saslauthd
# cp saslauthd.xml /var/svc/manifest/network/security
# chown root:sys /var/svc/manifest/network/security/saslauthd.xml
# chmod 444 /var/svc/manifest/network/security/saslauthd.xml
# /usr/sbin/svccfg validate /var/svc/manifest/network/security/saslauthd.xml
# /usr/sbin/svccfg -v import /var/svc/manifest/network/security/saslauthd.xml
PAM以外の認証方式を使用する場合はその認証方式を指定します。(オプション)
# svccfg -s svc:/network/security/saslauthd setprop config/auth_method=ldap
PAM以外の認証方式を使用する場合は設定ファイルを用意します。(オプション)
/etc/sasl/saslauthd.confの例(LDAP)。ldap_bind_pw に平文のバインドパスワードを書くため、このファイルは root 所有・モード 0600 にして他のユーザから読めないようにします。
ldap_servers: ldap://ldap1.next-hop.net/ ldap://ldap2.next-hop.net/
ldap_search_base: ou=Users,dc=next-hop,dc=net
ldap_start_tls: on
ldap_bind_dn: cn=ProxyUser,dc=next-hop,dc=net
ldap_bind_pw: secret
ldap_filter: (&(uid=%u)(objectClass=posixAccount))
ldap_time_limit: 5
ldap_timeout: 5
ldap_tls_check_peer: yes
ldap_tls_cacert_file: /usr/local/etc/cert/cacert.pem
ldap_tls_cacert_dir: /usr/local/etc/cert
ldap_tls_cert: /etc/certs/server.pem
ldap_tls_key: /etc/certs/server.key
ldap_use_sasl: no
ldap_version: 3
ldap_group_attr: uniqueMember
ldap_group_dn: cn=Mail,ou=SecurityGroup,dc=next-hop,dc=net
サービスを有効化します。
# svcadm enable svc:/network/security/saslauthd