With ipset and iptables, dnsmasq makes true per-domain routing at the routing layer possible. A genuine killer tool!

However, many sites now sit behind CDNs; facebook and microsoft, for example, both use akamai, and there is clearly no need to route every akamai request through the server. If dnsmasq supported regex here, ipset would become even more powerful.

Regex support for the server directive (upstream DNS server selection) already exists online, but it came with no matching support for ipset, so I built on it and added regex support to ipset. The source is hosted at dnsmasq-regex, together with the Debian build configuration files.

The regular-expression part is implemented with libpcre and supports the standard syntax. To tell patterns apart from ordinary domain names, a pattern is delimited with : at both ends, for example:

ipset=/:^fbcdn-[a-z\-]+\.akamaihd\.net$:/vpn
server=/:^fbcdn-[a-z\-]+\.akamaihd\.net$:/8.8.8.8

Finally, the OpenWrt build file is available as openwrt-dnsmasq-makefile.

Error message

206 error Error: ENOENT, utime '/home/cuckoo/Project/ContactManager/node_modules/grunt-cli/node_modules/findup-sync/README.md'
207 error If you need help, you may report this *entire* log,
207 error including the npm and node versions, at:
207 error     <http://github.com/npm/npm/issues>
208 error System Linux 3.12-1-amd64
209 error command "/usr/bin/nodejs" "/usr/bin/npm" "install" "grunt-cli"
210 error cwd /home/cuckoo/Project/ContactManager
211 error node -v v0.10.26
212 error npm -v 1.4.4
213 error path /home/cuckoo/Project/ContactManager/node_modules/grunt-cli/node_modules/findup-sync/README.md
214 error fstream_path /home/cuckoo/Project/ContactManager/node_modules/grunt-cli/node_modules/findup-sync/README.md
215 error fstream_type File
216 error fstream_class FileWriter
217 error fstream_finish_call utimes
218 error code ENOENT
219 error errno 34
220 error fstream_stack /usr/lib/nodejs/fstream/lib/writer.js:305:19
220 error fstream_stack Object.oncomplete (fs.js:107:15)
221 verbose exit [ 34, true ]

Solution

rm ~/.npm/grunt-cli -r

Then run npm install grunt-cli again.

In the article Configuring OpenLDAP as external user store of WSO2 IS 4.6.0, the user store was connected over ldap; when the connection is switched to ldaps, the following error appears:

[2014-04-08 13:23:34,237] ERROR {org.wso2.carbon.user.core.ldap.LDAPConnectionContext} -  Error obtaining connection. simple bind failed: ldap.crscd.org:636
javax.naming.CommunicationException: simple bind failed: ldap.crscd.org:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]

At this point the CA certificate matching the OpenLDAP server must be imported. This system uses a free StartSSL Class 1 certificate, so the StartSSL root certificate has to be imported.


Original article
Official documentation

By default WSO2 IS uses embedded ldap, which is shipped with the product, as the primary user store. But it’s possible to configure other user stores (such as OpenLDAP, Active Directory and JDBC user stores) as primary user store. In this blog post I’m going to explain how to configure OpenLDAP as the primary user store of WSO2 IS 4.5.0 in the following modes.

  • Read/Write mode
  • Read-only mode

Since we no longer need embedded ldap, let’s disable starting it at server startup. This can be changed in IS_HOME/repository/conf/embedded-ldap.xml

<EmbeddedLDAP>
    <Property name="enable">false</Property>
    .......................
</EmbeddedLDAP>


Original article

  • groupofnames stores its members in the member attribute (using DN as the value)
  • groupofuniquenames stores its members in the uniquemember attribute (again using DN as value).
  • The uniquemember attribute however is designed to be able to hold an extra unique identifier to tell the difference between two DNs who have the same value in a group. The reason why this might happen is that a user is deleted from the directory, but not from all of the groups. Later a new entry is added with the same DN, but it is a different person. This person needs access to the group, but you need a way to differentiate between this recent addition and the earlier DN (if you have several thousand members, simply deleting the earlier DN may not be a reasonable option).

Server changes

First configure the server so that unencrypted access is only possible locally and remote access must go over SSL. Edit /etc/default/slapd:

SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"

Obtain a Web Server SSL/TLS Certificate from StartSSL, download the StartCom Class 1 server root certificate, and save them in the /etc/ssl/ldap directory.

Generate the LDIF configuration file and import it

root@server0:/tmp# cat olcSSL.ldif
dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/ldap/sub.class1.server.ca.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/ldap/ldap-key.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/ldap/ldap-cert.pem
root@server0:/tmp# ldapmodify -Y EXTERNAL -H ldapi:/// -f ./olcSSL.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

To keep the private key secure, Debian recommends changing its owner and group to root:ssl-cert with permissions 640, and adding the openldap user to the ssl-cert group:

usermod -a -G ssl-cert openldap

Restart the slapd service; external clients can now connect to the OpenLDAP server, and only over SSL.
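As an added example (not part of the original post), a small POSIX shell script that checks the server-side settings above after the restart: that clear-text ldap:// is bound to loopback only, that the key carries the recommended root:ssl-cert 640 permissions, and that the ldaps listener presents a chain that validates against the CA imported into cn=config. It assumes a Linux host with GNU stat, openssl and ldapsearch installed; the hostname ldap.example.org is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post: sanity checks for the slapd TLS
# setup described above. File paths come from the post; the host is a placeholder.

LDAP_HOST="${LDAP_HOST:-ldap.example.org}"                     # assumption
CA_FILE="${CA_FILE:-/etc/ssl/ldap/sub.class1.server.ca.pem}"   # from olcSSL.ldif
KEY_FILE="${KEY_FILE:-/etc/ssl/ldap/ldap-key.pem}"             # from olcSSL.ldif

# 0 when every clear-text ldap:// listener in a SLAPD_SERVICES value binds to
# loopback only, so remote clients are forced onto ldaps:// or ldapi://.
plain_ldap_local_only() {
    for uri in $1; do
        case "$uri" in
            ldap://127.0.0.1:*|ldap://127.0.0.1/*|ldap://localhost:*|ldap://localhost/*) ;;
            ldap://"[::1]"*) ;;
            ldap://*) return 1 ;;       # clear-text listener reachable from other hosts
        esac
    done
    return 0
}

# 0 when the private key has the owner, group and mode Debian recommends
# (root:ssl-cert 640): only root and ssl-cert members can read it. GNU stat assumed.
key_perms_ok() {
    _file="$1"; _owner="${2:-root}"; _group="${3:-ssl-cert}"; _mode="${4:-640}"
    [ -f "$_file" ] || return 1
    [ "$(stat -c '%U %G %a' "$_file")" = "$_owner $_group $_mode" ]
}

# Live checks (need the server): the chain on port 636 must validate against the
# imported CA, and an anonymous base search over TLS must succeed.
# LDAPTLS_CACERT overrides ldap.conf for that single command.
ldaps_chain_ok() {
    printf '' | openssl s_client -connect "$1:636" -servername "$1" \
        -CAfile "$2" -verify_return_error >/dev/null 2>&1
}
ldaps_search_ok() {
    LDAPTLS_CACERT="$2" ldapsearch -H "ldaps://$1/" -x -b '' -s base \
        namingContexts >/dev/null 2>&1
}

if [ "${1:-}" = "--live" ]; then
    plain_ldap_local_only "$(. /etc/default/slapd; printf '%s' "$SLAPD_SERVICES")" \
        && echo "ok: clear-text ldap:// is loopback only" || echo "FAIL: ldap:// exposed"
    key_perms_ok "$KEY_FILE" && echo "ok: key permissions" || echo "FAIL: key permissions"
    ldaps_chain_ok "$LDAP_HOST" "$CA_FILE" && echo "ok: chain" || echo "FAIL: chain"
    ldaps_search_ok "$LDAP_HOST" "$CA_FILE" && echo "ok: search" || echo "FAIL: search"
fi
```

Run it as `sh check-slapd-tls.sh --live` on the server; a failing chain check here is the same trust problem the WSO2 PKIX error above reports from the client side.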

### Client configuration

In LDAP Admin's connection settings, enable SSL and set Host to the server's domain name.

References

  1. LDAP OpenLDAPSetup