WSO2 Identity Server listens on port 9443 by default and has SSL built in. Here we put Apache in front of the IS server as a reverse proxy, using a free StartSSL Class 1 certificate for the proxy; the configuration is as follows:

[2014-04-08 13:23:34,237] ERROR {org.wso2.carbon.user.core.ldap.LDAPConnectionContext} -  Error obtaining connection. simple bind failed: ldap.crscd.org:636
javax.naming.CommunicationException: simple bind failed: ldap.crscd.org:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]


By default WSO2 IS uses the embedded LDAP server shipped with the product as its primary user store, but other user stores (such as OpenLDAP, Active Directory and JDBC user stores) can be configured as the primary user store instead. In this blog post I’m going to explain how to configure OpenLDAP as the primary user store of WSO2 IS 4.5.0 in the following modes.

Since we no longer need the embedded LDAP server, let’s stop it from starting with the server. This is changed in IS_HOME/repository/conf/embedded-ldap.xml:

<EmbeddedLDAP>
    <Property name="enable">false</Property>
</EmbeddedLDAP>


• groupOfNames stores its members in the member attribute (using the DN as the value).
• groupOfUniqueNames stores its members in the uniqueMember attribute (again using the DN as the value).
• The uniqueMember attribute, however, is designed to hold an extra unique identifier so that two DNs with the same value in a group can be told apart. This can happen when a user is deleted from the directory but not from all of the groups, and later a new entry is added with the same DN for a different person. That person needs access to the group, but you need a way to distinguish this recent addition from the earlier DN (with several thousand members, simply deleting the earlier DN may not be a reasonable option).

### Server-side changes

Enable the ldaps:/// listener in /etc/default/slapd (plain ldap:// stays bound to loopback only):

SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"


Obtain the corresponding Web Server SSL/TLS certificate from StartSSL, download the StartCom Class 1 server CA certificate as well, and save them in the /etc/ssl/ldap directory.

root@server0:/tmp# cat olcSSL.ldif
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/ldap/sub.class1.server.ca.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/ldap/ldap-key.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/ldap/ldap-cert.pem
root@server0:/tmp# ldapmodify -Y EXTERNAL -H ldapi:/// -f ./olcSSL.ldif
SASL/EXTERNAL authentication started
SASL SSF: 0
modifying entry "cn=config"


The slapd process runs as the openldap user, which must be able to read the private key; on Debian/Ubuntu the key is readable by the ssl-cert group, so add the user to it:

usermod -a -G ssl-cert openldap


### Client configuration

# OLC (cn=config) form: either an attribute list with its index types,
# or the "default" keyword setting the indices for attributes listed without any
olcDbIndex: <attrlist> <indices>
olcDbIndex: default <indices>

# indices = [pres [,approx] [,eq] [,sub] [,special]]


dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: cn,givenName,sn,displayName,mail pres,sub,eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: uid eq
olcDbIndex: default eq,sub
olcDbIndex: telephonenumber
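To make the index grammar above concrete, here is a small parser for olcDbIndex values that resolves the `default` rule the way the LDIF above relies on it (telephonenumber inherits eq,sub) and flags attributes that a user store filters on but which lack an equality index. This is an added example, not code from the original notes; `INDEX_TYPES`, `parse_olc_db_index`, `missing_index` and `SAMPLE_LDIF` are all constructed here.

```python
# Parser for the OLC index form above ("olcDbIndex: attrlist indices").
# Added example, not part of the original notes; SAMPLE_LDIF is constructed.
# Index types accepted by slapd's index directive ("special" = nolang, nosubtypes).
INDEX_TYPES = {"pres", "approx", "eq", "sub", "subinitial", "subany",
               "subfinal", "nolang", "nosubtypes"}

def parse_olc_db_index(ldif_text):
    """Return {attribute (lowercase): set of index types} for every olcDbIndex
    line. 'default <indices>' sets the list that later attribute-only lines
    (e.g. 'olcDbIndex: telephonenumber') inherit, in configuration order."""
    index_map, default = {}, None
    for line in ldif_text.splitlines():
        if not line.lower().startswith("olcdbindex:"):
            continue
        parts = line.split(":", 1)[1].split(None, 1)
        if not parts:
            raise ValueError(f"empty olcDbIndex value: {line.strip()}")
        attrlist, indices = parts[0].lower(), None
        if len(parts) == 2:
            indices = {t.strip().lower() for t in parts[1].split(",")}
            if indices - INDEX_TYPES:
                raise ValueError(f"unknown index type in: {line.strip()}")
        if attrlist == "default":
            if indices is None:
                raise ValueError("'default' needs an explicit index list")
            default = indices
            continue
        if indices is None:  # attribute-only line inherits the current default
            if default is None:
                raise ValueError(f"no 'default' defined before: {line.strip()}")
            indices = default
        for attr in attrlist.split(","):
            index_map[attr.strip()] = set(indices)
    return index_map

def missing_index(index_map, attributes, index_type):
    """Attributes (lowercased) lacking index_type, e.g. 'eq' for the attributes
    a user store searches with (uid=...) filters; unindexed attrs count too."""
    return sorted(a for a in (x.lower() for x in attributes)
                  if index_type not in index_map.get(a, set()))

# Constructed sample: the olcDbIndex lines of the LDIF above.
SAMPLE_LDIF = """\
dn: olcDatabase={1}hdb,cn=config
olcDbIndex: cn,givenName,sn,displayName,mail pres,sub,eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: uid eq
olcDbIndex: default eq,sub
olcDbIndex: telephonenumber
"""
```

Running `missing_index(parse_olc_db_index(SAMPLE_LDIF), ["uid", "mail", "memberUid"], "eq")` reports `memberuid`, the kind of unindexed attribute that shows up as slow group-membership searches (and "not indexed" warnings in the slapd log) once a user store starts querying it.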


Schema definitions are loaded into OpenLDAP under OLC (on-line configuration, cn=config) either as part of the standard installation, or they can be added using this procedure or via the include statement in the slapd.conf configuration file.

commonName (cn)

surname (family name)

• An attribute definition includes its type (or SYNTAX), for example, a string or number, and how it behaves in certain conditions, for instance, whether comparison operations are case-sensitive or case-insensitive using what are called matchingRules (more on this later, much later).
• Entries must contain one, and only one, STRUCTURAL objectClass. A STRUCTURAL objectClass may have a SUPerior (it may be part of a hierarchy) which is also STRUCTURAL, so the hierarchy may be viewed as a single STRUCTURAL objectClass.
• Entries may contain any number of AUXILIARY objectClasses.
• Each objectclass supported by an LDAP server forms part of a collection called objectclasses which can be discovered via the subschema.

Grant the directory admin DN write access to the cn=config database, so the configuration can be managed with that identity rather than only as root over ldapi:///:

cuckoo@server0:~$ cat > /tmp/access.ldif <<'EOF'
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcAccess
olcAccess: to * by dn="cn=admin,dc=crscd,dc=org" write
EOF
cuckoo@server0:~$ sudo ldapmodify -c -Y EXTERNAL -H ldapi:/// -f /tmp/access.ldif
SASL/EXTERNAL authentication started