Install CentOS 8 in VirtualBox
New
- Name: centos8
- Machine Folder: C:\Users\(user)\VirtualBox VMs
- Type: Linux
- Version: Red Hat (64-bit)
- Memory size: 2048 MB
- Hard disk: Create a virtual hard disk now
- Hard disk file type: VDI (VirtualBox Disk Image)
- Storage on physical hard disk: Fixed size
- File location and size: centos8, 16 GB
- Create
Settings
- Storage > add "***.iso" under "Controller: IDE"
- Network > Attached to: Bridged Adapter (the VM gets its own address on the host's LAN, so every service set up below is reachable from that LAN, not only from the host)
- System > Boot Order: Hard Disk => Optical
- System > Pointing Device: USB Tablet
Boot
- Installation language > Japanese
- Software Selection > Minimal Install
- Network > Ethernet: On (note the IP address → 192.168.11.100)
- Time & Date > Asia/Tokyo, Network Time: On
- KDUMP > untick "Enable kdump"
- Installation Destination > Done
- Begin Installation
- Root password
- User creation (→ hoge)
- Reboot
Check
ssh-copy-id hoge@192.168.11.100
ssh hoge@192.168.11.100
su
# Lab shortcut: passwordless sudo for every command. On anything but a throwaway VM,
# scope the rule to the commands actually needed and check the file with visudo -cf
# before leaving the root shell (a syntax error here locks sudo for everyone).
echo 'hoge ALL=(ALL) NOPASSWD:ALL' > /etc/sudoers.d/hoge
exit
sudo dnf update -y
sudo dnf install vim tar -y
Installing and running 389ds
Install
sudo dnf module enable 389-ds -y
sudo dnf install 389-ds-base -y
Configure
- Do by hand what the tool (dscreate) does in one step
- ☞ How to use the tool
sudo -s
# sed script for rendering the templates: each "key value" line becomes s|%key%|value|g
# (a value containing '|' or '&' would break the sed expression; none of these do)
# Root password hash. 389-ds 1.4 defaults to PBKDF2_SHA256; an unsalted MD5 hash is
# cracked in seconds by anyone who gets hold of dse.ldif.
pwhash=`pwdhash -s PBKDF2_SHA256 secret`
cat <<EOS | while read k v; do echo "s|%$k%|$v|g"; done >/tmp/x
fqdn localhost
dsid localhost
ds_user dirsrv
ds_port 389
rootdn cn=manager
ds_suffix dc=example,dc=com
ds_bename userRoot
ds_passwd $pwhash
inst_dir /usr/lib64/dirsrv
config_dir /etc/dirsrv
cert_dir /etc/dirsrv
schema_dir /etc/dirsrv/schema
db_dir /var/lib/dirsrv/db
bak_dir /var/lib/dirsrv/bak
ldif_dir /var/lib/dirsrv/ldif
run_dir /var/lib/dirsrv
lock_dir /var/lib/dirsrv
log_dir /var/log/dirsrv
tmp_dir /tmp
EOS
# Render the base configuration (dse.ldif) from the templates.
# /tmp/x and dse.ldif both contain the root password hash: dse.ldif should end up
# readable by dirsrv only, and /tmp/x should be deleted once this is done. Any
# %placeholder% still present in dse.ldif means a key was missing from the list above
# (a leftover %ds_passwd% would become the literal root password hash).
>/etc/dirsrv/dse.ldif
for k in dse suffix-db; do
sed -f /tmp/x /usr/share/dirsrv/data/template-$k.ldif >>/etc/dirsrv/dse.ldif
done
# Copy any schema files you need (the examples below need none)
#cp /usr/share/dirsrv/data/{60samba3,60radius}.ldif /etc/dirsrv/schema/
# Ownership of each directory (the server runs as the dirsrv user named by nsslapd-localuser in dse.ldif)
for d in /etc/dirsrv /var/lib/dirsrv /var/log/dirsrv; do
chown -R dirsrv:dirsrv $d
done
# Create the start-up unit (.service)
# (if the packaged dirsrv units get in the way, remove them first)
#find /{etc,usr/lib}/systemd/system/ -name "dirsrv*" -prune -exec rm -rf {} +
# -d keeps ns-slapd in the foreground, which a plain unit like this one needs, at the
# given error-log level. The packaged dirsrv@.service (see the file list under "Other")
# does more than this minimal unit; compare the two before using it anywhere but a lab.
cat <<EOS >/etc/systemd/system/dirsrv.service
[Service]
ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv -d 266354688
[Install]
WantedBy=multi-user.target
EOS
# Enable the service
systemctl daemon-reload
systemctl enable dirsrv
# Open the port for clients on other hosts. This is plain LDAP on 389: simple binds
# cross the LAN in the clear (see the LDAPS section for 636).
#firewall-cmd --add-service=ldap --permanent
#firewall-cmd --reload
exit
Start the server
sudo systemctl start dirsrv
Register data
# MD5 only so that the search output below shows the value it shows; for real accounts use
# -s PBKDF2_SHA256 (the 1.4 default).
pwhash=`pwdhash -s MD5 secret`
# -w puts the password into the process list and the shell history; -W prompts for it instead.
# Without -H the client talks to ldap://localhost:389 in the clear. LDIF entries are
# separated by a blank line.
cat <<EOS | ldapadd -D cn=manager -wsecret
dn: dc=example,dc=com
objectClass: dcObject
dc: example

dn: ou=users,dc=example,dc=com
objectClass: organizationalUnit
ou: users

dn: uid=admin,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
uid: admin
cn: admin
sn: admin
userPassword: $pwhash
EOS
Search data
ldapsearch -D cn=manager -wsecret -b dc=example,dc=com -LLL
dn: dc=example,dc=com
objectClass: dcObject
objectClass: top
dc: example

dn: ou=users,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: users

dn: uid=admin,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
uid: admin
cn: admin
sn: admin
userPassword:: e01ENX1YcjRpbE96UTRQQ09xM2FRMHFidWFRPT0=
- userPassword is returned because cn=manager is the root DN, which bypasses access control. The base64 value decodes to {MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==, the unsalted MD5 of "secret": anyone who sees this output (or a backup LDIF) can crack it offline.
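Because the root DN sees every userPassword, the same search output doubles as an audit feed. The script below is an added example, not code from this page: it decodes base64 `userPassword::` values and classifies the `{SCHEME}` prefix. The uid=admin value is the one shown above; the other three entries and their hash strings are constructed for the demo. It assumes a POSIX shell with coreutils base64.

```shell
#!/bin/sh
# Added example (not part of the original page): classify the storage scheme of
# every userPassword in LDIF, e.g. the output of
#   ldapsearch -D cn=manager -W -b dc=example,dc=com -LLL userPassword
# Unsalted or legacy schemes are what an attacker with a copy of the database
# (or a backup LDIF) cracks cheaply; 389-ds 1.4 defaults to PBKDF2_SHA256.

# classify_scheme PASSWORD_VALUE -> prints "SCHEME VERDICT"
classify_scheme() {
    case "$1" in
        \{*\}*) s=${1#\{}; s=${s%%\}*} ;;
        *)      s=CLEAR ;;                 # no {SCHEME} prefix: stored in the clear
    esac
    case "$s" in
        CLEAR|MD5|SHA|SHA256|SHA384|SHA512|CRYPT) v=WEAK ;;   # unsalted, or DES crypt
        SMD5|SSHA)                                v=LEGACY ;; # salted, but MD5 / SHA-1
        PBKDF2*|SSHA256|SSHA384|SSHA512|CRYPT-SHA256|CRYPT-SHA512|GOST_YESCRYPT) v=OK ;;
        *)                                        v=UNKNOWN ;;
    esac
    printf '%s %s\n' "$s" "$v"
}

# audit_password_schemes < ldif -> one "SCHEME VERDICT DN" line per password.
# Handles the plain "userPassword: " form and the base64 "userPassword:: "
# form that ldapsearch emits (and base64 "dn:: " lines).
audit_password_schemes() {
    dn=''
    while IFS= read -r line; do
        case "$line" in
            'dn:: '*)           dn=$(printf '%s' "${line#dn:: }" | base64 -d) ;;
            'dn: '*)            dn=${line#dn: } ;;
            'userPassword:: '*) pw=$(printf '%s' "${line#userPassword:: }" | base64 -d)
                                printf '%s %s\n' "$(classify_scheme "$pw")" "$dn" ;;
            'userPassword: '*)  printf '%s %s\n' "$(classify_scheme "${line#userPassword: }")" "$dn" ;;
        esac
    done
}

# Constructed sample: the uid=admin entry carries the value shown on this page
# (base64 of {MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==, the unsalted MD5 of "secret");
# the other three entries and their hash strings are made up for the demo.
demo_audit() {
    audit_password_schemes <<'EOS'
dn: uid=admin,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
uid: admin
userPassword:: e01ENX1YcjRpbE96UTRQQ09xM2FRMHFidWFRPT0=

dn: uid=alice,ou=users,dc=example,dc=com
userPassword: {PBKDF2_SHA256}AAAIAGRlbW8tb25seS1ub3QtYS1yZWFsLWhhc2g=

dn: uid=bob,ou=users,dc=example,dc=com
userPassword: {SSHA}ZGVtby1vbmx5LW5vdC1hLXJlYWwtaGFzaA==

dn: uid=carol,ou=users,dc=example,dc=com
userPassword: hunter2
EOS
}
```

Run `demo_audit` to see the four verdicts; on a live server pipe `ldapsearch ... -LLL userPassword` into `audit_password_schemes` instead. Anything flagged WEAK or LEGACY is fixed by resetting the password (the server re-hashes it with passwordStorageScheme), not by editing the hash.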
Check the log
- In the lines below, method=128 is a simple (password) bind, here over plain LDAP. notes=U on a RESULT marks a search the server answered without an index; on a large tree that is a cheap way for any client allowed to search to load the server.
sudo tail /var/log/dirsrv/access
[20/Mar/2020:10:10:05.766918357 +0900] conn=5 op=3 RESULT err=0 tag=105 nentries=0 etime=0.0001688342
[20/Mar/2020:10:10:05.768214265 +0900] conn=5 op=4 UNBIND
[20/Mar/2020:10:10:05.768229611 +0900] conn=5 op=4 fd=64 closed - U1
[20/Mar/2020:10:10:17.772144572 +0900] conn=6 fd=64 slot=64 connection from ::1 to ::1
[20/Mar/2020:10:10:17.772236985 +0900] conn=6 op=0 BIND dn="cn=manager" method=128 version=3
[20/Mar/2020:10:10:17.772403024 +0900] conn=6 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0000216976 dn="cn=manager"
[20/Mar/2020:10:10:17.772556217 +0900] conn=6 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(objectClass=*)" attrs=ALL
[20/Mar/2020:10:10:17.772902599 +0900] conn=6 op=1 RESULT err=0 tag=101 nentries=3 etime=0.0000397831 notes=U
[20/Mar/2020:10:10:17.774684399 +0900] conn=6 op=2 UNBIND
[20/Mar/2020:10:10:17.774707013 +0900] conn=6 op=2 fd=64 closed - U1
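Added example, not code from this page: a triage pass over the access log format shown above. It pairs each BIND and SRCH with its RESULT by conn= and op= and reports failed binds, anonymous binds and unindexed searches. conn=6 is the page's own search; conn=7, conn=8 and the 192.168.11.5x client addresses are constructed. It assumes POSIX sh and awk.

```shell
#!/bin/sh
# Added example (not part of the original page): triage a 389-ds access log.
# Pairs each BIND/SRCH with its RESULT (same conn= and op=) and reports
#   FAILED_BIND  a bind that returned a non-zero err (49 = invalid credentials)
#   ANON_BIND    a bind with an empty DN (anonymous)
#   UNINDEXED    a search whose RESULT carries notes=U (answered without an index)
# Usage: triage_access_log < /var/log/dirsrv/access
triage_access_log() {
    awk '
    function field(re, skip,   s) {      # first match of re on the line, minus skip leading chars
        if (match($0, re)) s = substr($0, RSTART + skip, RLENGTH - skip); else s = ""
        return s
    }
    function quoted(name,   s) {         # value of name="..." on the current line
        s = field(name "=\"[^\"]*\"", length(name) + 2)
        return substr(s, 1, length(s) - 1)
    }
    {
        conn = ""; op = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^conn=/) conn = substr($i, 6)
            else if ($i ~ /^op=/) op = substr($i, 4)
        }
        key = conn ":" op
    }
    / connection from / { from[conn] = field("connection from [^ ]+", 16); next }
    / BIND /   { kind[key] = "BIND"; dn[key] = quoted("dn")
                 if (dn[key] == "") print "ANON_BIND conn=" conn " from=" from[conn]; next }
    / SRCH /   { kind[key] = "SRCH"; base[key] = quoted("base"); filter[key] = quoted("filter"); next }
    / RESULT / {
        err = field("err=[0-9]+", 4) + 0
        if (kind[key] == "BIND" && err != 0)
            print "FAILED_BIND conn=" conn " from=" from[conn] " dn=\"" dn[key] "\" err=" err
        if (kind[key] == "SRCH" && $0 ~ /notes=[A-Z,]*U/)
            print "UNINDEXED conn=" conn " from=" from[conn] " base=\"" base[key] "\" filter=\"" filter[key] "\""
        delete kind[key]
    }'
}

# Constructed sample in the page's log format: conn=6 is the page's own search;
# conn=7, conn=8 and the 192.168.11.5x client addresses are made up.
demo_triage() {
    triage_access_log <<'EOS'
[20/Mar/2020:10:10:17.772144572 +0900] conn=6 fd=64 slot=64 connection from ::1 to ::1
[20/Mar/2020:10:10:17.772236985 +0900] conn=6 op=0 BIND dn="cn=manager" method=128 version=3
[20/Mar/2020:10:10:17.772403024 +0900] conn=6 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0000216976 dn="cn=manager"
[20/Mar/2020:10:10:17.772556217 +0900] conn=6 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(objectClass=*)" attrs=ALL
[20/Mar/2020:10:10:17.772902599 +0900] conn=6 op=1 RESULT err=0 tag=101 nentries=3 etime=0.0000397831 notes=U
[20/Mar/2020:10:10:17.774684399 +0900] conn=6 op=2 UNBIND
[20/Mar/2020:10:10:17.774707013 +0900] conn=6 op=2 fd=64 closed - U1
[20/Mar/2020:10:11:02.000000000 +0900] conn=7 fd=65 slot=65 connection from 192.168.11.50 to 192.168.11.100
[20/Mar/2020:10:11:02.000100000 +0900] conn=7 op=0 BIND dn="uid=admin,ou=users,dc=example,dc=com" method=128 version=3
[20/Mar/2020:10:11:02.000200000 +0900] conn=7 op=0 RESULT err=49 tag=97 nentries=0 etime=0.0001000000
[20/Mar/2020:10:11:30.000000000 +0900] conn=8 fd=66 slot=66 connection from 192.168.11.51 to 192.168.11.100
[20/Mar/2020:10:11:30.000100000 +0900] conn=8 op=0 BIND dn="" method=128 version=3
[20/Mar/2020:10:11:30.000200000 +0900] conn=8 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0000100000 dn=""
[20/Mar/2020:10:11:30.000300000 +0900] conn=8 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=admin)" attrs="uid"
[20/Mar/2020:10:11:30.000400000 +0900] conn=8 op=1 RESULT err=0 tag=101 nentries=1 etime=0.0000200000
EOS
}
```

`demo_triage` prints one UNINDEXED, one FAILED_BIND and one ANON_BIND line. Piped through `sort | uniq -c` on a real log, the FAILED_BIND lines grouped by from= are the password-spraying signal, and repeated UNINDEXED lines from one client are the search-flood signal.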
Access control
Access control for authentication-only use
- Allow anonymous search (but only one hit per search → "nsslapd-sizelimit")
- Those results show only "uid" (and the "dn")
- Users see every attribute of their own entry
- Caveat: allow(search) on targetattr="*" lets an anonymous client probe any attribute through the filter (e.g. (mail=a*) or (sn=admin) answers yes/no) even though only uid is readable. If the only purpose is looking up a DN by uid, grant search on uid alone (targetattr="uid" in acl "1" as well).
- Caveat: nsslapd-sizelimit in cn=config is global, so it also caps searches by authenticated users (the root DN is not subject to it); per-account overrides go into the nsSizeLimit attribute of the user entry.
cat <<EOS | ldapmodify -D cn=manager -wsecret
dn: dc=example,dc=com
changeType: modify
replace: aci
aci: (targetattr="*")(version 3.0; acl "1"; allow(search) userdn="ldap:///anyone";)
aci: (targetattr="uid")(version 3.0; acl "2"; allow(read) userdn="ldap:///anyone";)
aci: (targetattr="*")(version 3.0; acl "3"; allow(read) userdn="ldap:///self";)

dn: cn=config
changeType: modify
replace: nsslapd-sizelimit
nsslapd-sizelimit: 1
EOS
Replication
389ds to 389ds ☞ reference
- push (supplier-initiated) ☞ procedure
- synchronization with AD is an extension of the same mechanism
389ds <=> OpenLDAP ☞ reference
- OpenLDAP => 389ds ... via slurpd
- slurpd no longer exists as of OpenLDAP 2.4
- 389ds => OpenLDAP ... "possible, but undocumented"
- ☞ "SyncRepl support in 389ds"
- ☞ procedure
SyncRepl support in 389ds ☞ reference
- how to make 389ds a SyncRepl provider
- enable the SyncRepl (Content Synchronization) plugin
- the client side needs the base DN to exist beforehand
- there is no way to make 389ds a SyncRepl client (consumer)
LDAPS
cd /tmp
# Create the certificate (PEM). Clients verify the subjectAltName, not the CN, so the
# names they will connect with (localhost and 192.168.11.100 on this page) go into the
# SAN. The key is written to /tmp: keep it from other local users and delete it once imported.
openssl req -x509 -new -keyout key -out crt -nodes -days 3650 -subj '/C=JP/ST=Fukuoka/L=Fukuoka/O=Example/CN=example.com' -addext 'subjectAltName=DNS:localhost,IP:192.168.11.100'
# Convert to PKCS#12 (prompts for an export password; -nodes has no effect on export)
openssl pkcs12 -export -inkey key -in crt -out p12 -nodes -name Server-Cert
# Import into the NSS database the server uses (prompts for the same password).
# Server-Cert is the nickname the default configuration looks for.
sudo pk12util -d /etc/dirsrv -i p12
# Fix ownership
sudo chown -R dirsrv:dirsrv /etc/dirsrv
# Enable LDAPS. nsslapd-ssl-check-hostname governs the server's own outbound TLS
# connections (replication, chaining); it is turned off because the CN above
# (example.com) is not this host's name. It does not relax what clients verify:
# they still need to trust crt and connect by a name in the SAN.
cat <<EOS | ldapmodify -D cn=manager -wsecret
dn: cn=config
changetype: modify
replace: nsslapd-security
nsslapd-security: on
-
replace: nsslapd-ssl-check-hostname
nsslapd-ssl-check-hostname: off
EOS
# Restart
sudo systemctl restart dirsrv
# Open the port
sudo firewall-cmd --add-service=ldaps --permanent
sudo firewall-cmd --reload
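Added example, not code from this page, of the certificate step with the two fixes a practitioner would want (a subjectAltName for the names clients actually use, and a private key created under umask 077) plus the commands that verify what the server presents on 636. The host name and address are the page's (localhost, 192.168.11.100); the 825-day lifetime is a choice. It assumes OpenSSL 1.1.1 or newer (-addext) and GNU stat; verify_ldaps needs the running server and is not exercised offline.

```shell
#!/bin/sh
# Added example (not part of the original page): issue the server certificate
# with a subjectAltName and a private key nobody else can read, then verify
# what the server presents on 636. Assumes OpenSSL 1.1.1+ (-addext) and the
# names used on this page (localhost, 192.168.11.100).

# make_server_cert DIR HOST IP
# Writes DIR/key.pem (mode 0600) and DIR/cert.pem, valid for HOST and IP.
# Clients check the SAN, not the CN, so a CN-only certificate such as
# CN=example.com is rejected by modern LDAP clients even when it is trusted.
make_server_cert() {
    (
        umask 077                        # key.pem is created as 0600 in the subshell only
        openssl req -x509 -newkey rsa:2048 -nodes -days 825 \
            -keyout "$1/key.pem" -out "$1/cert.pem" \
            -subj "/C=JP/ST=Fukuoka/L=Fukuoka/O=Example/CN=$2" \
            -addext "subjectAltName=DNS:$2,IP:$3" \
            -addext "extendedKeyUsage=serverAuth" 2>/dev/null
    )
}

# cert_san DIR -> the SAN list of DIR/cert.pem,
# e.g. "DNS:localhost, IP Address:192.168.11.100"
cert_san() {
    openssl x509 -in "$1/cert.pem" -noout -text |
        awk '/Subject Alternative Name/ { getline; sub(/^[ \t]+/, ""); print; exit }'
}

# key_mode DIR -> octal mode of the private key ("600" is what we want)
key_mode() { stat -c %a "$1/key.pem"; }

# verify_ldaps HOST CERT: run against the live server (not exercised offline).
# The first command checks chain and host name with OpenSSL; the second makes the
# OpenLDAP client do the same and read the root DSE over ldaps://.
verify_ldaps() {
    openssl s_client -connect "$1:636" -CAfile "$2" -verify_hostname "$1" \
        -verify_return_error </dev/null
    LDAPTLS_CACERT="$2" LDAPTLS_REQCERT=demand \
        ldapsearch -H "ldaps://$1" -x -s base -b '' -LLL namingContexts
}
```

After `make_server_cert /tmp/certs localhost 192.168.11.100`, feed /tmp/certs/key.pem and cert.pem to the `openssl pkcs12 -export` step above in place of key and crt, and hand cert.pem to clients as their TLS_CACERT. `verify_ldaps localhost /tmp/certs/cert.pem` must report `Verify return code: 0 (ok)` and the namingContexts, otherwise clients that verify properly will refuse the server just as quietly.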
Adding a base DN
# sed script for rendering the template
cat <<EOS | while read k v; do echo "s|%$k%|$v|g"; done >/tmp/x
ds_suffix dc=example2,dc=com
ds_bename userRoot2
db_dir /var/lib/dirsrv/db
EOS
# Add the backend and mapping-tree definitions (live, over LDAP, instead of editing dse.ldif)
sed -f /tmp/x /usr/share/dirsrv/data/template-suffix-db.ldif | ldapadd -D cn=manager -wsecret
# Add the data
cat <<EOS | ldapadd -D cn=manager -wsecret
dn: dc=example2,dc=com
objectClass: dcObject
dc: example2
EOS
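Added example, not code from this page, serving both the dse.ldif rendering under "Configure" and the suffix template here: the same %key% substitution done with index()/substr() instead of a sed script, so values containing |, & or spaces need no escaping, followed by a check for placeholders that were never rendered (the failure the sed approach hides). The template snippet in demo_render is constructed in the shape of template-dse.ldif, not the real file. It assumes POSIX sh and awk.

```shell
#!/bin/sh
# Added example (not part of the original page): a renderer for the %key%
# placeholders in the 389-ds template LDIF files, plus a check that nothing was
# left unrendered. A key missing from the table (here log_dir) would otherwise
# reach dse.ldif as a literal "%log_dir%"; for %ds_passwd% that literal would be
# the root password hash. Replacement uses index()/substr() rather than sed, so
# values containing '|', '&', '\' or spaces need no escaping.

# render_template KVFILE < template > rendered
# KVFILE lines are "key value" (value may contain spaces); blank and # lines ignored.
render_template() {
    awk -v kvfile="$1" '
    BEGIN {
        while ((getline line < kvfile) > 0) {
            if (line ~ /^[ \t]*(#|$)/) continue
            k = line; sub(/^[ \t]*/, "", k); sub(/[ \t].*$/, "", k)
            v = line; if (!sub(/^[ \t]*[^ \t]+[ \t]+/, "", v)) v = ""
            val[k] = v
        }
        close(kvfile)
    }
    {
        line = $0
        for (k in val) {
            token = "%" k "%"; out = ""; rest = line
            while ((p = index(rest, token)) > 0) {
                out = out substr(rest, 1, p - 1) val[k]
                rest = substr(rest, p + length(token))
            }
            line = out rest
        }
        print line
    }'
}

# unresolved_placeholders < rendered
# Prints every %identifier% still present; exit status 1 if any, 0 if clean.
unresolved_placeholders() {
    awk '{
        s = $0
        while (match(s, /%[A-Za-z_][A-Za-z0-9_]*%/)) {
            print substr(s, RSTART, RLENGTH); found = 1
            s = substr(s, RSTART + RLENGTH)
        }
    } END { exit (found ? 1 : 0) }'
}

# Constructed demo: a few attributes in the shape of template-dse.ldif (not the
# real file) rendered from a table that deliberately lacks log_dir and whose
# hash value contains '&' and '|'.
demo_render() {
    kv=$(mktemp); tpl=$(mktemp)
    cat >"$kv" <<'EOS'
fqdn localhost
ds_port 389
rootdn cn=Directory Manager
ds_passwd {PBKDF2_SHA256}AAAIAGRlbW8&b25seQ|=
ds_user dirsrv
EOS
    cat >"$tpl" <<'EOS'
dn: cn=config
nsslapd-port: %ds_port%
nsslapd-localhost: %fqdn%
nsslapd-rootdn: %rootdn%
nsslapd-rootpw: %ds_passwd%
nsslapd-localuser: %ds_user%
nsslapd-errorlog: %log_dir%/errors
EOS
    render_template "$kv" <"$tpl"
    rm -f "$kv" "$tpl"
}
```

For the real files: `render_template /tmp/x.kv </usr/share/dirsrv/data/template-dse.ldif >/etc/dirsrv/dse.ldif` with a plain "key value" table, then `unresolved_placeholders </etc/dirsrv/dse.ldif || echo "missing keys"` before the first start. The check is the part worth keeping even if you stay with sed.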
Other
Reference
Module list
dnf module list
Name Stream Profiles Summary
389-ds 1.4 [e] 389 Directory Server (base)
ant 1.10 [d] common [d] Java build tool
container-tools rhel8 [d] common [d] Common tools and dependencies for container runtimes
container-tools 1.0 common [d] Common tools and dependencies for container runtimes
freeradius 3.0 [d] server [d] High-performance and highly configurable free RADIUS server
gimp 2.8 [d] common [d], devel gimp module
go-toolset rhel8 [d] common [d] Go
httpd 2.4 [d] common [d], devel, minimal Apache HTTP Server
idm DL1 common [d], adtrust, client, dns, server The Red Hat Enterprise Linux Identity Management system module
idm client [d] common [d] RHEL IdM long term support client module
inkscape 0.92.3 [d] common [d] Vector-based drawing program using SVG
javapackages-runtime 201801 [d] common [d] Basic runtime utilities to support Java applications
jmc rhel8 common, core Java Mission Control is a profiling and diagnostics tool for the Hotspot JVM
libselinux-python 2.8 common Python 2 bindings for libselinux
llvm-toolset rhel8 [d] common [d] LLVM
mailman 2.1 [d] common [d] Electronic mail discussion and e-newsletter lists managing software
mariadb 10.3 [d] client, server [d], galera MariaDB Module
maven 3.5 [d] common [d] Java project management and project comprehension tool
mercurial 4.8 [d] common [d] Mercurial -- a distributed SCM
mod_auth_openidc 2.3 Apache module suporting OpenID Connect authentication
mysql 8.0 [d] client, server [d] MySQL Module
nginx 1.14 [d] common [d] nginx webserver
nginx 1.16 common nginx webserver
nodejs 10 [d] common [d], development, minimal, s2i Javascript runtime
nodejs 12 common, development, minimal, s2i Javascript runtime
parfait 0.5 common Parfait Module
perl 5.24 common [d], minimal Practical Extraction and Report Language
perl 5.26 [d] common [d], minimal Practical Extraction and Report Language
perl-App-cpanminus 1.7044 [d] common [d] Get, unpack, build and install CPAN modules
perl-DBD-MySQL 4.046 [d] common [d] A MySQL interface for Perl
perl-DBD-Pg 3.7 [d] common [d] A PostgreSQL interface for Perl
perl-DBD-SQLite 1.58 [d] common [d] SQLite DBI driver
perl-DBI 1.641 [d] common [d] A database access API for Perl
perl-FCGI 0.78 [d] common [d] FastCGI Perl bindings
perl-YAML 1.24 [d] common [d] Perl parser for YAML
php 7.2 [d] common [d], devel, minimal PHP scripting language
php 7.3 common, devel, minimal PHP scripting language
pki-core 10.6 PKI Core module for PKI 10.6 or later
pki-deps 10.6 PKI Dependencies module for PKI 10.6 or later
postgresql 9.6 client, server [d] PostgreSQL server and client module
postgresql 10 [d] client, server [d] PostgreSQL server and client module
postgresql 12 client, server PostgreSQL server and client module
python27 2.7 [d] common [d] Python programming language, version 2.7
python36 3.6 [d] common [d], build Python programming language, version 3.6
redis 5 [d] common [d] Redis persistent key-value database
rhn-tools 1.0 [d] common [d] Red Hat Satellite 5 tools for RHEL
ruby 2.5 [d] common [d] An interpreter of object-oriented scripting language
ruby 2.6 common An interpreter of object-oriented scripting language
rust-toolset rhel8 [d] common [d] Rust
satellite-5-client 1.0 [d][e] common [d], gui Red Hat Satellite 5 client packages
scala 2.10 [d] common [d] A hybrid functional/object-oriented language for the JVM
squid 4 [d] common [d] Squid - Optimising Web Delivery
subversion 1.10 [d] common [d], server Apache Subversion
swig 3.0 [d] common [d], complete Connects C/C++/Objective C to some high-level programming languages
varnish 6 [d] common [d] Varnish HTTP cache
virt rhel [d] common [d] Virtualization module
"389-ds"モジュールのパッケージ
dnf module info 389-ds
Name : 389-ds
Stream : 1.4 [e] [a]
Version : 8010020191119214651
Context : eb48df33
Architecture : x86_64
Repo : AppStream
Summary : 389 Directory Server (base)
Description : 389 Directory Server is an LDAPv3 compliant server. The base package includes the LDAP server and command line utilities for server administration.
Artifacts : 389-ds-base-0:1.4.1.3-7.module_el8.1.0+234+96aec258.src
: 389-ds-base-0:1.4.1.3-7.module_el8.1.0+234+96aec258.x86_64
: 389-ds-base-debuginfo-0:1.4.1.3-7.module_el8.1.0+234+96aec258.x86_64
: 389-ds-base-debugsource-0:1.4.1.3-7.module_el8.1.0+234+96aec258.x86_64
: 389-ds-base-devel-0:1.4.1.3-7.module_el8.1.0+234+96aec258.x86_64
: 389-ds-base-legacy-tools-0:1.4.1.3-7.module_el8.1.0+234+96aec258.x86_64
: 389-ds-base-legacy-tools-debuginfo-0:1.4.1.3-7.module_el8.1.0+234+96aec258.x86_64
: 389-ds-base-libs-0:1.4.1.3-7.module_el8.1.0+234+96aec258.x86_64
: 389-ds-base-libs-debuginfo-0:1.4.1.3-7.module_el8.1.0+234+96aec258.x86_64
: 389-ds-base-snmp-0:1.4.1.3-7.module_el8.1.0+234+96aec258.x86_64
: 389-ds-base-snmp-debuginfo-0:1.4.1.3-7.module_el8.1.0+234+96aec258.x86_64
: python3-lib389-0:1.4.1.3-7.module_el8.1.0+234+96aec258.noarch
"389-ds-base"の依存パッケージ
パッケージ アーキテクチャー バージョン リポジトリー サイズ
=============================================================================================================================
インストール:
389-ds-base x86_64 1.4.1.3-7.module_el8.1.0+234+96aec258 AppStream 1.9 M
依存関係のインストール:
389-ds-base-libs x86_64 1.4.1.3-7.module_el8.1.0+234+96aec258 AppStream 994 k
nspr x86_64 4.21.0-2.el8_0 AppStream 143 k
nss x86_64 3.44.0-9.el8_1 AppStream 724 k
nss-softokn x86_64 3.44.0-9.el8_1 AppStream 472 k
nss-softokn-freebl x86_64 3.44.0-9.el8_1 AppStream 273 k
nss-sysinit x86_64 3.44.0-9.el8_1 AppStream 69 k
nss-tools x86_64 3.44.0-9.el8_1 AppStream 572 k
nss-util x86_64 3.44.0-9.el8_1 AppStream 135 k
perl-Algorithm-Diff noarch 1.1903-9.el8 AppStream 52 k
perl-Archive-Tar noarch 2.30-1.el8 AppStream 79 k
perl-Compress-Raw-Bzip2 x86_64 2.081-1.el8 AppStream 40 k
perl-Compress-Raw-Zlib x86_64 2.081-1.el8 AppStream 68 k
perl-DB_File x86_64 1.842-1.el8 AppStream 83 k
perl-Digest noarch 1.17-395.el8 AppStream 27 k
perl-Digest-MD5 x86_64 2.55-396.el8 AppStream 37 k
perl-IO-Compress noarch 2.081-1.el8 AppStream 258 k
perl-IO-Zlib noarch 1:1.10-416.el8 AppStream 80 k
perl-Net-SSLeay x86_64 1.88-1.el8 AppStream 379 k
perl-Text-Diff noarch 1.45-2.el8 AppStream 45 k
perl-URI noarch 1.73-3.el8 AppStream 116 k
perl-libnet noarch 3.11-3.el8 AppStream 121 k
python3-argcomplete noarch 1.9.3-6.el8 AppStream 60 k
python3-ldap x86_64 3.1.0-5.el8 AppStream 226 k
python3-lib389 noarch 1.4.1.3-7.module_el8.1.0+234+96aec258 AppStream 954 k
python3-pyasn1 noarch 0.3.7-6.el8 AppStream 126 k
python3-pyasn1-modules noarch 0.3.7-6.el8 AppStream 110 k
checkpolicy x86_64 2.9-1.el8 BaseOS 348 k
cyrus-sasl-gssapi x86_64 2.1.27-1.el8 BaseOS 49 k
cyrus-sasl-md5 x86_64 2.1.27-1.el8 BaseOS 65 k
cyrus-sasl-plain x86_64 2.1.27-1.el8 BaseOS 47 k
libicu x86_64 60.3-1.el8 BaseOS 8.8 M
openldap-clients x86_64 2.4.46-11.el8_1 BaseOS 204 k
openssl-perl x86_64 1:1.1.1c-2.el8 BaseOS 77 k
perl-Carp noarch 1.42-396.el8 BaseOS 30 k
perl-Data-Dumper x86_64 2.167-399.el8 BaseOS 58 k
perl-Encode x86_64 4:2.97-3.el8 BaseOS 1.5 M
perl-Errno x86_64 1.28-416.el8 BaseOS 76 k
perl-Exporter noarch 5.72-396.el8 BaseOS 34 k
perl-File-Path noarch 2.15-2.el8 BaseOS 38 k
perl-File-Temp noarch 0.230.600-1.el8 BaseOS 63 k
perl-Getopt-Long noarch 1:2.50-4.el8 BaseOS 63 k
perl-HTTP-Tiny noarch 0.074-1.el8 BaseOS 58 k
perl-IO x86_64 1.38-416.el8 BaseOS 141 k
perl-MIME-Base64 x86_64 3.15-396.el8 BaseOS 31 k
perl-PathTools x86_64 3.74-1.el8 BaseOS 90 k
perl-Pod-Escapes noarch 1:1.07-395.el8 BaseOS 20 k
perl-Pod-Perldoc noarch 3.28-396.el8 BaseOS 86 k
perl-Pod-Simple noarch 1:3.35-395.el8 BaseOS 213 k
perl-Pod-Usage noarch 4:1.69-395.el8 BaseOS 34 k
perl-Scalar-List-Utils x86_64 3:1.49-2.el8 BaseOS 68 k
perl-Socket x86_64 4:2.027-3.el8 BaseOS 59 k
perl-Storable x86_64 1:3.11-3.el8 BaseOS 98 k
perl-Term-ANSIColor noarch 4.06-396.el8 BaseOS 46 k
perl-Term-Cap noarch 1.17-395.el8 BaseOS 23 k
perl-Text-ParseWords noarch 3.30-395.el8 BaseOS 18 k
perl-Text-Tabs+Wrap noarch 2013.0523-395.el8 BaseOS 24 k
perl-Time-Local noarch 1:1.280-1.el8 BaseOS 34 k
perl-Unicode-Normalize x86_64 1.25-396.el8 BaseOS 82 k
perl-constant noarch 1.33-396.el8 BaseOS 25 k
perl-interpreter x86_64 4:5.26.3-416.el8 BaseOS 6.3 M
perl-libs x86_64 4:5.26.3-416.el8 BaseOS 1.6 M
perl-macros x86_64 4:5.26.3-416.el8 BaseOS 72 k
perl-parent noarch 1:0.237-1.el8 BaseOS 20 k
perl-podlators noarch 4.11-1.el8 BaseOS 118 k
perl-threads x86_64 1:2.21-2.el8 BaseOS 61 k
perl-threads-shared x86_64 1.58-2.el8 BaseOS 48 k
policycoreutils-python-utils noarch 2.9-3.el8_1.1 BaseOS 250 k
python3-audit x86_64 3.0-0.10.20180831git0047a6c.el8 BaseOS 85 k
python3-libsemanage x86_64 2.9-1.el8 BaseOS 127 k
python3-policycoreutils noarch 2.9-3.el8_1.1 BaseOS 2.2 M
python3-setools x86_64 4.2.2-1.el8 BaseOS 600 k
Installing weak dependencies:
perl-IO-Socket-IP noarch 0.39-5.el8 AppStream 47 k
perl-IO-Socket-SSL noarch 2.066-3.el8 AppStream 297 k
perl-Mozilla-CA noarch 20160104-7.el8 AppStream 15 k
"389-ds-base"のファイル構成
/etc/dirsrv
/etc/dirsrv/config
/etc/dirsrv/config/certmap.conf
/etc/dirsrv/config/slapd-collations.conf
/etc/dirsrv/config/template-initconfig
/etc/dirsrv/schema
/etc/dirsrv/schema/99user.ldif
/etc/systemd/system/dirsrv.target.wants
/usr/bin/dbscan
/usr/bin/ds-logpipe.py
/usr/bin/ds-replcheck
/usr/bin/ldclt
/usr/bin/logconv.pl
/usr/bin/pwdhash
/usr/bin/readnsstate
/usr/lib/sysctl.d/70-dirsrv.conf
/usr/lib/systemd/system
/usr/lib/systemd/system/dirsrv.target
/usr/lib/systemd/system/dirsrv@.service
/usr/lib/systemd/system/dirsrv@.service.d
/usr/lib/systemd/system/dirsrv@.service.d/custom.conf
/usr/lib64/dirsrv/bin
/usr/lib64/dirsrv/bin/jeprof
/usr/lib64/dirsrv/lib
/usr/lib64/dirsrv/lib/libjemalloc.so.2
/usr/lib64/dirsrv/plugins
/usr/lib64/dirsrv/plugins/libacctpolicy-plugin.so
(...omitted...)
/usr/lib64/dirsrv/python
/usr/lib64/dirsrv/python/failedbinds.py
/usr/lib64/dirsrv/python/logregex.py
/usr/libexec/dirsrv/ds_systemd_ask_password_acl
/usr/sbin/bak2db
/usr/sbin/db2bak
/usr/sbin/db2index
/usr/sbin/db2ldif
/usr/sbin/dbverify
/usr/sbin/ldif2db
/usr/sbin/ldif2ldap
/usr/sbin/ns-slapd
/usr/sbin/upgradedb
/usr/sbin/vlvindex
/usr/share/dirsrv
/usr/share/dirsrv/data
/usr/share/dirsrv/data/10rfc2307bis.ldif
(...omitted...)
/usr/share/dirsrv/inf
/usr/share/dirsrv/inf/defaults.inf
/usr/share/dirsrv/inf/dscreate.map
/usr/share/dirsrv/inf/dsorgentries.map
/usr/share/dirsrv/inf/dsupdate.map
/usr/share/dirsrv/inf/slapd.inf
/usr/share/dirsrv/mibs
/usr/share/dirsrv/mibs/redhat-directory.mib
/usr/share/dirsrv/properties
/usr/share/dirsrv/properties/ns-slapd.properties
/usr/share/dirsrv/schema
/usr/share/dirsrv/schema/00core.ldif
(...omitted...)
/usr/share/doc/389-ds-base
/usr/share/doc/389-ds-base/LICENSE
(...omitted...)
/usr/share/gdb/auto-load/usr
/usr/share/gdb/auto-load/usr/sbin
/usr/share/gdb/auto-load/usr/sbin/ns-slapd-gdb.py
/usr/share/licenses/389-ds-base
/usr/share/licenses/389-ds-base/COPYING.jemalloc
/usr/share/man/man1/dbscan.1.gz
(...omitted...)
/usr/share/man/man5/99user.ldif.5.gz
(...omitted...)
/usr/share/man/man8/bak2db.8.gz
(...omitted...)
/var/lib/dirsrv
/var/lock/dirsrv
/var/log/dirsrv
"python3-lib389"のファイル構成
/usr/lib/python3.6/site-packages/lib389
(...omitted...)
/usr/sbin/dsconf
/usr/sbin/dscontainer
/usr/sbin/dscreate
/usr/sbin/dsctl
/usr/sbin/dsidm
/usr/share/doc/python3-lib389
/usr/share/doc/python3-lib389/LICENSE
/usr/share/doc/python3-lib389/LICENSE.GPLv3+
/usr/share/man/man8/dsconf.8.gz
/usr/share/man/man8/dscreate.8.gz
/usr/share/man/man8/dsctl.8.gz
/usr/share/man/man8/dsidm.8.gz
Replication between 389ds servers
Consumer (slave) side (192.168.11.101)
# Register the base DN
cat <<EOS | ldapadd -D cn=manager -wsecret
dn: dc=example,dc=com
objectClass: dcObject
dc: example
EOS
# Replica settings: type 2 = read-only consumer; 65535 is the replica id reserved for consumers.
# nsds5ReplicaBindDN is the identity the supplier pushes with. Using the root DN means the
# supplier holds root credentials for this server; the usual choice is a dedicated entry
# (for example cn=replication manager,cn=config) that has no other rights.
cat <<EOS | ldapadd -D cn=manager -wsecret
dn: cn=replica,cn=dc\=example\,dc\=com,cn=mapping tree,cn=config
objectclass: top
objectclass: nsds5replica
objectclass: extensibleObject
cn: replica
nsds5replicaroot: dc=example,dc=com
nsds5ReplicaBindDN: cn=manager
nsds5replicaid: 65535
nsds5replicatype: 2
nsds5flags: 0
EOS
Supplier (master) side
# Changelog settings (cn=changelog5 is how the 1.4.1 build installed here configures the
# changelog; later versions keep it inside the backend)
cat <<EOS | ldapadd -D cn=manager -wsecret
dn: cn=changelog5,cn=config
objectclass: top
objectclass: extensibleObject
cn: changelog5
nsslapd-changelogdir: /var/lib/dirsrv/changelog
nsslapd-changelogmaxage: 7d
EOS
# Replica settings: type 3 = read-write supplier, flags 1 = record changes in the changelog.
# Supplier ids must be unique across the topology, in the range 1..65534.
cat <<EOS | ldapadd -D cn=manager -wsecret
dn: cn=replica,cn=dc\=example\,dc\=com,cn=mapping tree,cn=config
objectclass: top
objectclass: nsds5replica
objectclass: extensibleObject
cn: replica
nsds5replicaroot: dc=example,dc=com
nsds5ReplicaBindDN: cn=manager
nsds5replicaid: 1
nsds5replicatype: 3
nsds5flags: 1
EOS
# One agreement per consumer. Port 389 with no nsds5replicatransportinfo means the bind
# and every replicated change cross the network in the clear; once the consumer has LDAPS,
# use nsds5replicaport: 636 with nsds5replicatransportinfo: SSL. The credentials are stored
# encrypted in the supplier's dse.ldif, but they are the consumer's root password here.
for cn in 192.168.11.101; do
cat <<EOS | ldapadd -D cn=manager -wsecret
dn: cn=$cn,cn=replica,cn=dc\=example\,dc\=com,cn=mapping tree,cn=config
objectclass: top
objectclass: nsds5ReplicationAgreement
cn: $cn
nsds5replicahost: $cn
nsds5replicaport: 389
nsds5ReplicaBindDN: cn=manager
nsds5replicaroot: dc=example,dc=com
nsds5replicacredentials: secret
EOS
done
# Start replication. This is a total initialization: it replaces the consumer's copy of the
# suffix with the supplier's. Afterwards ds-replcheck (part of 389-ds-base) compares the two.
ldapsearch -D cn=manager -wsecret -b cn=config '(objectClass=nsds5ReplicationAgreement)' -o ldif-wrap=no | grep ^dn: | while read -r dn; do
cat <<EOS | ldapmodify -D cn=manager -wsecret
$dn
changetype: modify
replace: nsds5BeginReplicaRefresh
nsds5BeginReplicaRefresh: start
EOS
done
Replication 389ds => OpenLDAP
389ds side (192.168.11.100)
# Enable the plugins. The Content Synchronization plugin serves RFC 4533 SyncRepl and
# needs the Retro Changelog plugin to record each entry's nsUniqueId as targetUniqueId.
cat <<EOS | ldapmodify -D cn=manager -wsecret
dn: cn=Retro Changelog Plugin,cn=plugins,cn=config
changeType: modify
replace: nsslapd-attribute
nsslapd-attribute: nsUniqueId:targetUniqueId
-
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on

dn: cn=Content Synchronization,cn=plugins,cn=config
changeType: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
EOS
# Restart
sudo systemctl restart dirsrv
OpenLDAP side (CentOS 7)
Up to the initial setup
sudo -s
# Install
yum install openldap-clients openldap-servers -y
# Configuration. On CentOS 7 the slapd service converts slapd.conf into a fresh slapd.d at
# start-up when slapd.d is absent, and otherwise ignores slapd.conf; removing slapd.d is
# what makes the file below take effect.
rm -rf /etc/openldap/slapd.d
# rootpw is hashed with slappasswd rather than written in the clear (bdb is deprecated in
# OpenLDAP 2.4 in favour of mdb).
cat <<EOS >/etc/openldap/slapd.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
database bdb
suffix dc=example,dc=com
rootdn cn=manager,dc=example,dc=com
rootpw $(slappasswd -s secret)
directory /var/lib/ldap
EOS
# Start
systemctl start slapd
exit
# Register the base DN
cat <<EOS | ldapadd -D cn=manager,dc=example,dc=com -wsecret
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organizationalUnit
dc: example
ou: example
EOS
# Add the replication settings. Continuation lines of a slapd.conf directive must begin
# with whitespace. ldap:// sends the bind and every replicated entry in the clear, and
# cn=manager is the 389ds root DN: for anything beyond a lab, point provider= at
# ldaps://192.168.11.100 (with the crt from the LDAPS section as TLS_CACERT) and bind
# with a DN that can only read the suffix. refreshOnly polls at the given interval.
cat <<EOS | sudo sh -c 'cat >>/etc/openldap/slapd.conf'
syncrepl rid=1
    provider=ldap://192.168.11.100
    type=refreshOnly
    interval=00:00:01:00
    searchbase="dc=example,dc=com"
    binddn="cn=manager"
    credentials=secret
EOS
# Restart. slapd.d has to go again, otherwise the copy converted at the first start is
# used and the edited slapd.conf is ignored.
sudo rm -rf /etc/openldap/slapd.d
sudo systemctl restart slapd
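Added example, not code from this page, that checks both the 389ds replica/agreement entries from "Replication between 389ds servers" and the slapd.conf stanza just above for the two problems noted in the comments: replicating with the root DN's credentials and replicating over cleartext LDAP. The demo inputs are the page's own entries trimmed to the attributes the checks read, plus a hardened agreement for contrast; cn=replication manager,cn=config is an assumed name. It assumes POSIX sh and awk.

```shell
#!/bin/sh
# Added example (not part of the original page): lint replication settings
# before applying them. Two rules: never replicate with the root DN's
# credentials, and never ship the changelog over cleartext LDAP. ROOTDN is
# the cn=manager used throughout this page.
ROOTDN="cn=manager"

# lint_389_replication < ldif  (nsds5replica / nsds5ReplicationAgreement entries)
# Prints one finding per line; exit status 1 if there were any.
lint_389_replication() {
    awk -v rootdn="$(printf '%s' "$ROOTDN" | tr 'A-Z' 'a-z')" '
    function hit(m) { print m; n++ }
    function flush() {
        if (dn == "") return
        if (type == "agreement") {
            if (bind == rootdn) hit(dn ": agreement binds as the root DN; use a dedicated replication DN")
            if (transport == "" || transport == "LDAP")
                hit(dn ": cleartext transport; set nsds5replicatransportinfo: SSL (port 636) or TLS")
        } else if (type == "replica") {
            if (bind == rootdn) hit(dn ": suppliers authenticate as the root DN; use a dedicated replication DN")
            if (rtype == "3" && (rid + 0 < 1 || rid + 0 > 65534)) hit(dn ": supplier replica id must be 1..65534")
            if (rtype == "2" && rid != "65535") hit(dn ": consumer replica id should be 65535")
        }
        dn = ""; type = ""; bind = ""; transport = ""; rid = ""; rtype = ""
    }
    /^[ \t]*$/ { flush(); next }
    { a = tolower($1); v = $0; sub(/^[^:]*:[ \t]*/, "", v) }
    a == "dn:"                        { dn = v }
    a == "objectclass:"               { o = tolower(v); if (o == "nsds5replicationagreement") type = "agreement"; else if (o == "nsds5replica") type = "replica" }
    a == "nsds5replicabinddn:"        { bind = tolower(v) }
    a == "nsds5replicatransportinfo:" { transport = toupper(v) }
    a == "nsds5replicaid:"            { rid = v }
    a == "nsds5replicatype:"          { rtype = v }
    END { flush(); exit (n > 0) }'
}

# lint_slapd_conf < slapd.conf  (OpenLDAP consumer); continuation lines are joined first.
lint_slapd_conf() {
    awk -v rootdn="$ROOTDN" '
    function hit(m) { print m; n++ }
    function check(d) {
        if (d ~ /^rootpw[ \t]+/ && d !~ /^rootpw[ \t]+\{/) hit("rootpw is cleartext; use the {SSHA} output of slappasswd")
        if (d ~ /^syncrepl[ \t]/) {
            if (d ~ /provider=ldap:\/\//) hit("syncrepl: provider=ldap:// is cleartext; use ldaps:// or starttls=critical")
            if (d ~ ("binddn=\"?" rootdn "(\"|[ \t]|$)")) hit("syncrepl: binddn is the provider root DN; use a dedicated read-only DN")
        }
    }
    /^[ \t]/ && buf != "" { buf = buf " " $0; next }
    { if (buf != "") check(buf); buf = $0 }
    END { if (buf != "") check(buf); exit (n > 0) }'
}

# Constructed demos: the page's entries trimmed to the attributes the linter reads,
# and a hardened agreement (cn=replication manager,cn=config is an assumed name).
demo_page_agreement() {
    lint_389_replication <<'EOS'
dn: cn=replica,cn=dc\=example\,dc\=com,cn=mapping tree,cn=config
objectclass: nsds5replica
nsds5ReplicaBindDN: cn=manager
nsds5replicaid: 1
nsds5replicatype: 3

dn: cn=192.168.11.101,cn=replica,cn=dc\=example\,dc\=com,cn=mapping tree,cn=config
objectclass: nsds5ReplicationAgreement
nsds5replicahost: 192.168.11.101
nsds5replicaport: 389
nsds5ReplicaBindDN: cn=manager
EOS
}
demo_hardened_agreement() {
    lint_389_replication <<'EOS'
dn: cn=192.168.11.101,cn=replica,cn=dc\=example\,dc\=com,cn=mapping tree,cn=config
objectclass: nsds5ReplicationAgreement
nsds5replicahost: 192.168.11.101
nsds5replicaport: 636
nsds5replicatransportinfo: SSL
nsds5ReplicaBindDN: cn=replication manager,cn=config
EOS
}
demo_page_slapd_conf() {
    lint_slapd_conf <<'EOS'
database bdb
suffix dc=example,dc=com
rootdn cn=manager,dc=example,dc=com
rootpw secret
syncrepl rid=1
    provider=ldap://192.168.11.100
    searchbase="dc=example,dc=com"
    binddn="cn=manager"
    credentials=secret
EOS
}
```

`demo_page_agreement` reports three findings (root DN on the replica entry, root DN and cleartext on the agreement), `demo_hardened_agreement` none, and `demo_page_slapd_conf` three. Run the linters on the LDIF you are about to pipe into ldapadd, or on /etc/openldap/slapd.conf, and treat a non-zero exit as a stop.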