LoginSignup
3
3

More than 5 years have passed since last update.

@dafukui(dafukui)

EC2上のubuntu16にOpenLDAPを設定した。

Last updated at Posted at 2018-03-08

OpenLDAPをAWSのEC2上に設定しました。
以下記事を参考にさせていただきました。ありがとうございます。

OpenLDAP導入

インストール

$ sudo apt install slapd ldap-utils

$ slapd -V
@(#) $OpenLDAP: slapd  (Ubuntu) (May 30 2017 19:20:53) $
        buildd@lgw01-18:/build/openldap-JXEADB/openldap-2.4.42+dfsg/debian/build/servers/slapd

$

アンインストールする場合はこちら

$ sudo apt remove --purge slapd ldap-utils

初期情報の確認

設定情報の保管先

$ sudo ls -l /etc/ldap/slapd.d/cn=config
合計 28
-rw------- 1 openldap openldap  436  3月  5 17:14 cn=module{0}.ldif
drwxr-x--- 2 openldap openldap 4096  3月  5 17:14 cn=schema
-rw------- 1 openldap openldap  378  3月  5 17:14 cn=schema.ldif
-rw------- 1 openldap openldap  396  3月  5 17:14 olcBackend={0}mdb.ldif
-rw------- 1 openldap openldap  657  3月  5 17:14 olcDatabase={-1}frontend.ldif
-rw------- 1 openldap openldap  624  3月  5 17:26 olcDatabase={0}config.ldif
-rw------- 1 openldap openldap  926  3月  5 17:14 olcDatabase={1}mdb.ldif
$
/etc/ldap/slapd.d/cn=config.ldif
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 94795c50
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcLogLevel: none
olcPidFile: /var/run/slapd/slapd.pid
olcToolThreads: 1
structuralObjectClass: olcGlobal
entryUUID: ff0c989a-b498-1037-8b2c-173c01517ae1
creatorsName: cn=config
createTimestamp: 20180305081440Z
entryCSN: 20180305081440.112996Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20180305081440Z

$ sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn
dn: cn=config

dn: cn=module{0},cn=config

dn: cn=schema,cn=config

dn: cn={0}core,cn=schema,cn=config

dn: cn={1}cosine,cn=schema,cn=config

dn: cn={2}nis,cn=schema,cn=config

dn: cn={3}inetorgperson,cn=schema,cn=config

dn: olcBackend={0}mdb,cn=config

dn: olcDatabase={-1}frontend,cn=config

dn: olcDatabase={0}config,cn=config

dn: olcDatabase={1}mdb,cn=config

$

$ sudo slapcat
dn: dc=nodomain
objectClass: top
objectClass: dcObject
objectClass: organization
o: nodomain
dc: nodomain
structuralObjectClass: organization
entryUUID: f90c00ea-b464-1037-825b-6ba3f79a2502
creatorsName: cn=admin,dc=nodomain
createTimestamp: 20180305020216Z
entryCSN: 20180305020216.212850Z#000000#000#000000
modifiersName: cn=admin,dc=nodomain
modifyTimestamp: 20180305020216Z

dn: cn=admin,dc=nodomain
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9V0pyT3RaWFMrZU1aOG9hZ1YxVmsrMldveFhoZXlUNVc=
structuralObjectClass: organizationalRole
entryUUID: f90c5d88-b464-1037-825c-6ba3f79a2502
creatorsName: cn=admin,dc=nodomain
createTimestamp: 20180305020216Z
entryCSN: 20180305020216.215248Z#000000#000#000000
modifiersName: cn=admin,dc=nodomain
modifyTimestamp: 20180305020216Z

$
/etc/ldap/slapd.d/cn=config/olcDatabase={1}mdb.ldif
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 e453a658
dn: olcDatabase={1}mdb
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=nodomain
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * non
 e
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to * by * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=nodomain
olcRootPW:: e1NTSEF9Vll2d3FuWmgxZXRHdnFESlJZMGVYVWVzVWtFK0tjSy8=
olcDbCheckpoint: 512 30
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid eq
olcDbMaxSize: 1073741824
structuralObjectClass: olcMdbConfig
entryUUID: ff0d16d0-b498-1037-8b36-173c01517ae1
creatorsName: cn=config
createTimestamp: 20180305081440Z
entryCSN: 20180305081440.116261Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20180305081440Z

管理者パスワード(LDAP Password)の設定

$ slappasswd
New password:    # 試しに"pw"で設定した
Re-enter new password:    # 再入力
{SSHA}KarYOdBwrCU2/sNQjHP3vKqQua9MR83o
$

管理者パスワード変更用のldifファイルを作成。

/etc/ldap/changepw.ldif
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}KarYOdBwrCU2/sNQjHP3vKqQua9MR83o

設定適用。

$ sudo ldapadd -Y EXTERNAL -H ldapi:// -f changepw.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"

$

適用後の状態。

/etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 418a3f6d
dn: olcDatabase={0}config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=extern
 al,cn=auth manage by * break
structuralObjectClass: olcDatabaseConfig
entryUUID: ff0ca376-b498-1037-8b2e-173c01517ae1
creatorsName: cn=config
createTimestamp: 20180305081440Z
olcRootPW:: e1NTSEF9S2FyWU9kQndyQ1UyL3NOUWpIUDN2S3FRdWE5TVI4M28=    #項目が追加された
entryCSN: 20180305082612.053107Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20180305082612Z

以降passwordを求められた際は"pw"を入力する。

サフィックス変更

変更用のファイルを作成。("replace"で変更する)

/etc/ldap/chdomain.ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=test,dc=local

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=test,dc=local

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}KarYOdBwrCU2/sNQjHP3vKqQua9MR83o

設定適用。

$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}mdb,cn=config"

modifying entry "olcDatabase={1}mdb,cn=config"

modifying entry "olcDatabase={1}mdb,cn=config"

$

適用後の状態。

/etc/ldap/slapd.d/cn=config/olcDatabase={1}mdb.ldif
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 0915cb02
dn: olcDatabase={1}mdb
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * non
 e
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to * by * read
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid eq
olcDbMaxSize: 1073741824
structuralObjectClass: olcMdbConfig
entryUUID: ff0d16d0-b498-1037-8b36-173c01517ae1
creatorsName: cn=config
createTimestamp: 20180305081440Z
olcSuffix: dc=test,dc=local    # 変更された
olcRootDN: cn=Manager,dc=test,dc=local    # 変更された
olcRootPW:: e1NTSEF9S2FyWU9kQndyQ1UyL3NOUWpIUDN2S3FRdWE5TVI4M28=    # 変更された
entryCSN: 20180305090703.943977Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20180305090703Z

ドメイン名の登録

変更用のファイル作成。

/etc/ldap/add_object.ldif
dn: dc=test,dc=local
objectClass: top
objectClass: dcObject
objectclass: organization
o: test.inc
dc: test

dn: cn=Manager,dc=test,dc=local
objectClass: organizationalRole
cn: Manager

dn: ou=users,dc=test,dc=local
objectClass: organizationalUnit
ou: users

設定適用。

$ sudo ldapadd -x -D cn=Manager,dc=test,dc=local -W -f add_object.ldif
Enter LDAP Password:
adding new entry "dc=test,dc=local"

adding new entry "cn=Manager,dc=test,dc=local"

adding new entry "ou=users,dc=test,dc=local"

$

ユーザ追加

変更用のファイル作成。

/etc/ldap/add_user.ldif
dn: uid=user001,ou=users,dc=test,dc=local
objectClass: account
objectClass: posixAccount
objectClass: top
uid: user001
cn: user001
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/user001
loginShell: /bin/bash

設定適用。

$ sudo ldapadd -x -D cn=Manager,dc=test,dc=local -W -f add_user.ldif
Enter LDAP Password:
adding new entry "uid=user001,ou=users,dc=test,dc=local"

$

作成したユーザを検索。

$ ldapsearch -x -D cn=Manager,dc=test,dc=local -W -b ou=users,dc=test,dc=local
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=users,dc=test,dc=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# users, test.local
dn: ou=users,dc=test,dc=local
objectClass: organizationalUnit
ou: users

# user001, users, test.local
dn: uid=user001,ou=users,dc=test,dc=local
objectClass: account
objectClass: posixAccount
objectClass: top
uid: user001
cn: user001
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/user001
loginShell: /bin/bash

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
$
3
3
0

Register as a new user and use Qiita more conveniently

  1. You get articles that match your needs
  2. You can efficiently read back useful information
  3. You can use dark theme
What you can do with signing up
Sign upLogin
3
3