Contents
1 Overview
1.1 Required software and download locations
1.2 Implementation process and features
2 Setting up the servers
2.1 Preparation: compiling the kernel
2.2 Setting up the PPPoE server
2.3 Setting up the RADIUS server and attaching it to the PPPoE server
2.5 Attaching RADIUS to the PPPoE server
2.6 Setting up the OpenLDAP server and attaching it to the RADIUS server
2.7 Web management for the RADIUS server
2.8 Web management for the OpenLDAP server
1 Overview
1.1 Required software and download locations
1.1.1 CentOS 5.2: the most stable Linux server
1.1.2 linux-2.6.19.tar.gz: the 2.6.19 kernel
1.1.3 linux-2.6.19-mppe-mppc-1.3.patch.bz2: the MPPE/MPPC patch for the kernel
1.1.4 ppp-2.4.3.tar.gz: the main PPP program
1.1.5 ppp-2.4.3-mppe-mppc-1.1.patch.gz: the MPPE/MPPC patch for ppp
1.1.6 rp-pppoe-3.10.tar.gz: the main PPPoE program
1.1.7 freeradius-server-2.1.3.tar: the main FreeRADIUS server program
1.1.8 mysql-5.0.67-linux-i686.tar.gz: the main MySQL database program
1.1.9 MySQL-shared-compat-5.0.67-0.rhel5.i386.rpm: MySQL shared libraries
1.1.10 freeradius-mysql-1.1.3-1.2.el5: the connector between FreeRADIUS and MySQL
1.1.11 httpd-2.2.9.tar.gz: the most popular web server
1.1.12 php-4.4.9.tar.gz: PHP
1.1.13 ZendOptimizer-3.3.3-linux-glibc23-i386.tar.gz: a tool that optimizes PHP code
1.1.14 phpMyAdmin-2.11.9.4-all-languages.tar.gz: a web tool for managing MySQL databases
1.1.15 db-4.2.52.tar.gz: Berkeley DB, the backend database for OpenLDAP
1.1.16 gettext-0.17.tar.gz: backend language support for OpenLDAP's web management
1.1.17 openldap-2.4.11-stable-20080813.tgz: the main OpenLDAP program
1.1.18 phpldapadmin-0.9.8.4.tar.gz: the web access tool for OpenLDAP
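1.2 Implementation process and features
Our test network topology is shown in the figure below:
![]()
First, compile the kernel to add MPPE and MPPC support, then set up the PPPoE server so that it terminates users' PPPoE dial-up sessions. At this stage, users are authenticated against a text file (stored with the PPPoE programs).
Next, set up the RADIUS server and forward users' PPPoE dial-up requests to it for authentication.
The RADIUS server is attached to both an OpenLDAP server and a MySQL server. The OpenLDAP server verifies user names, passwords and similar information and returns attributes; the MySQL server records each user's bandwidth, connection time, traffic generated and so on, and returns attributes.
Finally, add web management for the RADIUS, MySQL and OpenLDAP servers, so that users can be created in batches and managed conveniently (created, deleted, attributes modified, and so on). A server system built with these steps fully meets the requirements of modern networks for fast dial-up authentication and attribute return, and reaches the level of physical servers such as the Redback SmartEdge and Juniper ERX, but with a better price/performance ratio. The RADIUS and OpenLDAP servers also have stability and performance close to those of the servers currently used in the provinces and cities; some provinces, Zhejiang for example, even manage users with RADIUS alone, without an OpenLDAP server.
The detailed steps are not repeated here. The main configuration files are as follows: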
1. [root@mm modules]# cat /etc/ppp/options
lock
crtscts
nobsdcomp
nodeflate
nopcomp
#require-mppe
#mppe-40
#mppe-128
#mppe-stateless
plugin /etc/ppp/plugins/radius.so
radius-config-file /etc/ppp/radius/radiusclient.conf
2. [root@mm modules]# cat /etc/ppp/pppoe-server-options
# PPP options for the PPPoE server
# LIC: GPL
#require-pap
#login
#lcp-echo-interval 10
#lcp-echo-failure 2
##############################################
auth
require-chap
#require-mppe
default-mru
default-asyncmap
lcp-echo-interval 60
lcp-echo-failure 5
ms-dns 202.101.172.35
ms-dns 202.101.172.47
noipdefault
noipx
nodefaultroute
noproxyarp
noktune
172.16.1.10:172.17.1.254
netmask 255.255.255.255
logfile /var/log/pppd.log
3. The OpenLDAP database entry is set up as follows:
dn: cn=radius,ou=profils,dc=mm,dc=com
objectClass: radiusObjectProfile
objectClass: radiusprofile
cn: radius
radiusGroupName: radius
radiusServiceType: Framed-User
radiusFramedProtocol: ppp
radiusFramedIPAddress: 10.10.10.11
radiusFramedIPNetmask: 255.255.255.0
uid: ldaptest1
radiusFramedCompression: Van-Jacobson-TCP-IP
radiusFramedRouting: Broadcast-Listen
radiusFramedMTU: 1500
radiusFilterId: "std.ppp"
userPassword: ldaptest1
radiusAuthType: chap
4. Then add this user's information (ldaptest1) to MySQL, for accounting:
mysql> insert into radcheck (username,attribute,op,value) values ('ldaptest1','User-Password','==','ldaptest1');
Then add the user to a group:
mysql> insert into usergroup(username,groupname) values('ldaptest1','user');
5. Configure the RADIUS LDAP authentication module, /usr/local/freeradius/etc/raddb/modules/ldap, modified as follows:
ldap {
        server = "localhost"
        identity = "cn=Manager,dc=mm,dc=com"
        password = testing123
        basedn = "ou=profils,dc=mm,dc=com"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
        tls {
                start_tls = no
        }
        password_attribute = userPassword
        edir_account_policy_check = no
        set_auth_type = yes
}
6. Edit /usr/local/freeradius/etc/raddb/sites-available/ to specify how RADIUS authenticates; the relevant parts are modified as follows:
authorize {
        ldap
}
authenticate {
        Auth-Type LDAP {
                ldap
        }
}
accounting {
        sql
}
All other methods can simply be commented out.
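Steps 3 to 6 store userPassword as plain text and set radiusAuthType to chap. As an added example (not code from the original article or from FreeRADIUS), the Python below carries out the RFC 1994 CHAP check that such a server performs and shows that a hashed userPassword could not satisfy it. The function names and the constructed demo values are assumptions; verify_page_capture() uses the password from step 3 with the CHAP-Challenge and CHAP-Password values from the article's radiusd -X output.

```python
import hashlib
import hmac


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def verify_chap(chap_password: bytes, challenge: bytes, secret: bytes) -> bool:
    """Verify a RADIUS CHAP-Password value: 1-byte CHAP id + 16-byte digest."""
    if len(chap_password) != 17:
        return False  # malformed attribute, reject before hashing
    expected = chap_response(chap_password[0], secret, challenge)
    return hmac.compare_digest(expected, chap_password[1:])


def verify_page_capture() -> bool:
    """Re-check the Access-Request shown in the article's debug output."""
    challenge = bytes.fromhex("7abcb9ac6f368f318969c7351fbdb7b615a49e")
    chap_password = bytes.fromhex("242e7e2035dad2d954264e4eef46c00047")
    return verify_chap(chap_password, challenge, b"ldaptest1")


def demo() -> dict:
    # Constructed values (not from the article): fixed challenge, CHAP id 1.
    challenge, password = bytes(range(16)), b"example-password"
    attr = bytes([1]) + chap_response(1, password, challenge)
    # What the directory would hold if userPassword were stored hashed.
    stored_hash = hashlib.sha1(password).digest()
    return {
        "cleartext": verify_chap(attr, challenge, password),
        "wrong_password": verify_chap(attr, challenge, b"guess"),
        "hashed_store": verify_chap(attr, challenge, stored_hash),
        "truncated_attr": verify_chap(attr[:10], challenge, password),
    }


if __name__ == "__main__":
    print(demo())
    print("page capture verifies:", verify_page_capture())
```

Because the server must be able to recover the password to compute the digest, the entries under ou=profils and the bind credentials in the ldap module are what this design has to protect.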
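With the configuration above, all of the servers are configured:
#radiusd -X
The verification run follows (it has three parts: the authentication request, the accounting start request and the accounting stop request):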
rad_recv: Access-Request packet from host 127.0.0.1 port 32768, id=10, length=114
        Service-Type = Framed-User
        Framed-Protocol = PPP
        User-Name = "ldaptest1"
        CHAP-Challenge = 0x7abcb9ac6f368f318969c7351fbdb7b615a49e
        CHAP-Password = 0x242e7e2035dad2d954264e4eef46c00047
        Calling-Station-Id = "00:1C:C4:CD:68:06"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
[ldap] performing user authorization for ldaptest1
[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=ldaptest1)
[ldap] expand: ou=profils,dc=mm,dc=com -> ou=profils,dc=mm,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=profils,dc=mm,dc=com, with filter (uid=ldaptest1)
[ldap] Added User-Password = ldaptest1 in check items
[ldap] looking for check items in directory...
rlm_ldap: userPassword -> Cleartext-Password == "ldaptest1"
rlm_ldap: radiusAuthType -> Auth-Type == CHAP
[ldap] looking for reply items in directory...
rlm_ldap: radiusFramedCompression -> Framed-Compression = Van-Jacobson-TCP-IP
rlm_ldap: radiusFramedMTU -> Framed-MTU = 1500
rlm_ldap: radiusFilterId -> Filter-Id = "std.ppp"
rlm_ldap: radiusFramedRouting -> Framed-Routing = Broadcast-Listen
rlm_ldap: radiusFramedIPNetmask -> Framed-IP-Netmask = 255.255.255.0
rlm_ldap: radiusFramedIPAddress -> Framed-IP-Address = 10.10.10.11
rlm_ldap: radiusFramedProtocol -> Framed-Protocol = PPP
rlm_ldap: radiusServiceType -> Service-Type = Framed-User
[ldap] user ldaptest1 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = CHAP
+- entering group CHAP {...}
[chap] login attempt by "ldaptest1" with CHAP password
[chap] Using clear text password "ldaptest1" for user ldaptest1 authentication.
[chap] chap user ldaptest1 authenticated succesfully
++[chap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 10 to 127.0.0.1 port 32768
        Framed-Compression = Van-Jacobson-TCP-IP
        Framed-MTU = 1500
        Filter-Id = "std.ppp"
        Framed-Routing = Broadcast-Listen
        Framed-IP-Netmask = 255.255.255.0
        Framed-IP-Address = 10.10.10.11
        Framed-Protocol = PPP
        Service-Type = Framed-User
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host 127.0.0.1 port 32768, id=11, length=120
        Acct-Session-Id = "49631DF90A6E00"
        User-Name = "ldaptest1"
        Acct-Status-Type = Start
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Calling-Station-Id = "00:1C:C4:CD:68:06"
        Acct-Authentic = RADIUS
        NAS-Port-Type = Async
        Framed-IP-Address = 10.10.10.11
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
        Acct-Delay-Time = 0
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 0,Client-IP-Address = 127.0.0.1,NAS-IP-Address = 127.0.0.1,Acct-Session-Id = "49631DF90A6E00",User-Name = "ldaptest1"'
[acct_unique] Acct-Unique-Session-ID = "b4f40c620cbc699b".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "ldaptest1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
+- entering group accounting {...}
[detail] expand: /usr/local/freeradius/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /usr/local/freeradius/var/log/radius/radacct/127.0.0.1/detail-20090106
[detail] /usr/local/freeradius/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /usr/local/freeradius/var/log/radius/radacct/127.0.0.1/detail-20090106
[detail] expand: %t -> Tue Jan 6 17:01:45 2009
++[detail] returns ok
++[unix] returns ok
[radutmp] expand: /usr/local/freeradius/var/log/radius/radutmp -> /usr/local/freeradius/var/log/radius/radutmp
[radutmp] expand: %{User-Name} -> ldaptest1
++[radutmp] returns ok
[sql] expand: %{User-Name} -> ldaptest1
[sql] sql_set_user escaped user --> 'ldaptest1'
[sql] expand: %{Acct-Delay-Time} -> 0
[sql] expand: INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}',
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql_mysql: MYSQL check_error: 1054 received
[sql] Couldn't insert SQL accounting START record - Unknown column 'xascendsessionsvrkey' in 'field list'
[sql] expand: %{Acct-Delay-Time} -> 0
[sql] expand: UPDATE radacct SET acctstarttime = '%S', acctstartdelay = '%{%{Acct-Delay-Time}:-0}', connectinfo_start = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}' -> UPDATE radacct SET acctstarttime = '2009-01-06 17:01:45', acctstartdelay = '0', connectinfo_start = '' WHERE acctsessionid = '49631DF90A6E00' AND username = 'ldaptest1' AND nasipaddress = '127.0.0.1'
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
[attr_filter.accounting_response] expand: %{User-Name} -> ldaptest1
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 11 to 127.0.0.1 port 32768
Finished request 4.
Cleaning up request 4 ID 11 with timestamp +224
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host 127.0.0.1 port 32768, id=12, length=156
        Acct-Session-Id = "49631DF90A6E00"
        User-Name = "ldaptest1"
        Acct-Status-Type = Stop
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Acct-Authentic = RADIUS
        Acct-Session-Time = 3
        Acct-Output-Octets = 0
        Acct-Input-Octets = 56882
        Acct-Output-Packets = 0
        Acct-Input-Packets = 233
        Calling-Station-Id = "00:1C:C4:CD:68:06"
        NAS-Port-Type = Async
        Acct-Terminate-Cause = User-Request
        Framed-IP-Address = 10.10.10.11
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
        Acct-Delay-Time = 0
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 0,Client-IP-Address = 127.0.0.1,NAS-IP-Address = 127.0.0.1,Acct-Session-Id = "49631DF90A6E00",User-Name = "ldaptest1"'
[acct_unique] Acct-Unique-Session-ID = "b4f40c620cbc699b".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "ldaptest1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
+- entering group accounting {...}
[detail] expand: /usr/local/freeradius/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /usr/local/freeradius/var/log/radius/radacct/127.0.0.1/detail-20090106
[detail] /usr/local/freeradius/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /usr/local/freeradius/var/log/radius/radacct/127.0.0.1/detail-20090106
[detail] expand: %t -> Tue Jan 6 17:01:48 2009
++[detail] returns ok
++[unix] returns ok
[radutmp] expand: /usr/local/freeradius/var/log/radius/radutmp -> /usr/local/freeradius/var/log/radius/radutmp
[radutmp] expand: %{User-Name} -> ldaptest1
++[radutmp] returns ok
[sql] expand: %{User-Name} -> ldaptest1
[sql] sql_set_user escaped user --> 'ldaptest1'
[sql] expand: %{Acct-Input-Gigawords} ->
[sql] expand: %{Acct-Input-Octets} -> 56882
[sql] expand: %{Acct-Output-Gigawords} ->
[sql] expand: %{Acct-Output-Octets} -> 0
[sql] expand: %{Acct-Delay-Time} -> 0
[sql] expand: UPDATE radacct SET acctstoptime = '%S', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = '%{%{Acct-Delay-Time}:-0}', connectinfo_stop = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}' -> UPDATE radacct SET acctstoptime = '2009-01-06 17:01:48', acctsessiontime = '3', acctinputoctets = '0' '56882', acctoutputoctets = '0'
rlm_sql (sql): Reserving sql socket id: 1
[sql] expand: %{Acct-Session-Time} -> 3
[sql] expand: %{Acct-Delay-Time} -> 0
[sql] expand: %{Acct-Input-Gigawords} ->
[sql] expand: %{Acct-Input-Octets} -> 56882
[sql] expand: %{Acct-Output-Gigawords} ->
[sql] expand: %{Acct-Output-Octets} -> 0
[sql] expand: %{Acct-Delay-Time} -> 0
[sql] expand: INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{%{Acct-Session-Time}:-0} + %{%{Acct-Delay-Time}:-0}) SECOND), '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Connect-Info}', '%{%{Acct-Input-Gigawords}:-0}' '%{%{Acct-Inpu
rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok
[attr_filter.accounting_response] expand: %{User-Name} -> ldaptest1
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 12 to 127.0.0.1 port 32768
Finished request 5.
Cleaning up request 5 ID 12 with timestamp +227
Going to the next request
Waking up in 1.3 seconds.
Cleaning up request 3 ID 10 with timestamp +224
Ready to process requests.
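Two things in the debug output above are worth checking for automatically: the [sql] module logs a failed INSERT for the accounting START record (MySQL error 1054) and still returns ok, and the user's password is written to the log in clear text. The Python below is an added example, not part of the original article; it runs over an excerpt of that output with the wrapped lines re-joined, and the function and field names are assumptions.

```python
import re

# Excerpt of the radiusd -X output above, with wrapped lines re-joined.
SAMPLE = """\
rad_recv: Access-Request packet from host 127.0.0.1 port 32768, id=10, length=114
rlm_ldap: userPassword -> Cleartext-Password == "ldaptest1"
++[ldap] returns ok
[chap] Using clear text password "ldaptest1" for user ldaptest1 authentication.
++[chap] returns ok
rad_recv: Accounting-Request packet from host 127.0.0.1 port 32768, id=11, length=120
rlm_sql_mysql: MYSQL check_error: 1054 received
[sql] Couldn't insert SQL accounting START record - Unknown column 'xascendsessionsvrkey' in 'field list'
++[sql] returns ok
rad_recv: Accounting-Request packet from host 127.0.0.1 port 32768, id=12, length=156
++[sql] returns ok
"""

RECV = re.compile(r"^rad_recv: (\S+) packet from host \S+ port \d+, id=(\d+)")
FAILED = re.compile(r"^\[([\w.]+)\]\s+Couldn't (.+)")
RETURNS = re.compile(r"^\+\+\[([\w.]+)\]\s+returns (\w+)")
SECRET = re.compile(r'Cleartext-Password == "|Using clear text password "')


def audit(log):
    """Return one dict per request: errors a module logged, modules that then
    reported 'ok' anyway, and whether a clear-text password reached the log."""
    requests, cur = [], None
    for line in (raw.strip() for raw in log.splitlines()):
        m = RECV.match(line)
        if m:
            cur = {"type": m.group(1), "id": int(m.group(2)),
                   "errors": {}, "masked": [], "secret_logged": False}
            requests.append(cur)
        elif cur is not None:
            failed, ret = FAILED.match(line), RETURNS.match(line)
            if failed:
                cur["errors"][failed.group(1)] = failed.group(2)
            elif ret and ret.group(2) == "ok" and ret.group(1) in cur["errors"]:
                cur["masked"].append(ret.group(1))
            if SECRET.search(line):
                cur["secret_logged"] = True
    return requests


if __name__ == "__main__":
    for req in audit(SAMPLE):
        print(req["type"], req["id"], "masked:", req["masked"],
              "errors:", req["errors"], "secret in log:", req["secret_logged"])
```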
Now bring these services into operation:
#cd /
#vi pppoeboot
/usr/local/sbin/pppoe-server -k -I eth0 -L 192.168.1.251 -R 172.16.1.11 -N 65534
radiusd
httpd
slapd
/sbin/modprobe ppp_mppe_mppc
Add the lines above, then save and exit.
Then add one line to /etc/rc.d/rc.local:
/pppoeboot
With this, the services above start automatically at boot.
[root@mm /]# pstree
init─┬─dbus-daemon
     ├─events/0
     ├─gam_server
     ├─hald───hald-runner─┬─hald-addon-acpi
     │                    ├─hald-addon-keyb
     │                    └─hald-addon-stor
     ├─httpd───10*[httpd]
     ├─khelper
     ├─klogd
     ├─ksoftirqd/0
     ├─migration/0
     ├─6*[mingetty]
     ├─mysqld_safe───mysqld───mysqld───13*[mysqld]
     ├─pppoe-server
     ├─radiusd───5*[{radiusd}]
     ├─slapd───4*[{slapd}]
     ├─sshd───sshd───bash───pstree
     ├─syslogd
     ├─udevd
     ├─watchdog/0
     └─yum-updatesd
[root@mm /]#
Screenshots:
![]()
![]()
RADIUS management interface:
![]()
![]()
OpenLDAP server management interface:
![]()
![]()
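That is roughly everything involved in setting up the whole server system. Some features are not implemented yet, EAP authentication for example, and the OpenLDAP server is also very interesting and deserves further study and practice.
I hope to discuss this with friends!
张蒙 (Zhang Meng)
2009-1-6
This article comes from a ChinaUnix blog. To view the original, see: http://blog.chinaunix.net/u2/68952/showart_1777964.html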