I set up OpenLDAP on AWS EC2.
I used the following article as a reference. Thank you.
Installing OpenLDAP
Installation
$ sudo apt install slapd ldap-utils
$ slapd -V
@(#) $OpenLDAP: slapd (Ubuntu) (May 30 2017 19:20:53) $
buildd@lgw01-18:/build/openldap-JXEADB/openldap-2.4.42+dfsg/debian/build/servers/slapd
$
To uninstall:
$ sudo apt remove --purge slapd ldap-utils
Checking the initial state
The Debian/Ubuntu package derives the initial suffix and admin DN from the host's DNS domain name; on an EC2 instance with no domain configured it falls back to dc=nodomain, which is what the dumps below show.
Where the configuration is stored
$ sudo ls -l /etc/ldap/slapd.d/cn=config
total 28
-rw------- 1 openldap openldap  436 Mar  5 17:14 cn=module{0}.ldif
drwxr-x--- 2 openldap openldap 4096 Mar  5 17:14 cn=schema
-rw------- 1 openldap openldap  378 Mar  5 17:14 cn=schema.ldif
-rw------- 1 openldap openldap  396 Mar  5 17:14 olcBackend={0}mdb.ldif
-rw------- 1 openldap openldap  657 Mar  5 17:14 olcDatabase={-1}frontend.ldif
-rw------- 1 openldap openldap  624 Mar  5 17:26 olcDatabase={0}config.ldif
-rw------- 1 openldap openldap  926 Mar  5 17:14 olcDatabase={1}mdb.ldif
$
/etc/ldap/slapd.d/cn=config.ldif
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 94795c50
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcLogLevel: none
olcPidFile: /var/run/slapd/slapd.pid
olcToolThreads: 1
structuralObjectClass: olcGlobal
entryUUID: ff0c989a-b498-1037-8b2c-173c01517ae1
creatorsName: cn=config
createTimestamp: 20180305081440Z
entryCSN: 20180305081440.112996Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20180305081440Z
$ sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn
dn: cn=config
dn: cn=module{0},cn=config
dn: cn=schema,cn=config
dn: cn={0}core,cn=schema,cn=config
dn: cn={1}cosine,cn=schema,cn=config
dn: cn={2}nis,cn=schema,cn=config
dn: cn={3}inetorgperson,cn=schema,cn=config
dn: olcBackend={0}mdb,cn=config
dn: olcDatabase={-1}frontend,cn=config
dn: olcDatabase={0}config,cn=config
dn: olcDatabase={1}mdb,cn=config
$
$ sudo slapcat
dn: dc=nodomain
objectClass: top
objectClass: dcObject
objectClass: organization
o: nodomain
dc: nodomain
structuralObjectClass: organization
entryUUID: f90c00ea-b464-1037-825b-6ba3f79a2502
creatorsName: cn=admin,dc=nodomain
createTimestamp: 20180305020216Z
entryCSN: 20180305020216.212850Z#000000#000#000000
modifiersName: cn=admin,dc=nodomain
modifyTimestamp: 20180305020216Z
dn: cn=admin,dc=nodomain
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9V0pyT3RaWFMrZU1aOG9hZ1YxVmsrMldveFhoZXlUNVc=
structuralObjectClass: organizationalRole
entryUUID: f90c5d88-b464-1037-825c-6ba3f79a2502
creatorsName: cn=admin,dc=nodomain
createTimestamp: 20180305020216Z
entryCSN: 20180305020216.215248Z#000000#000#000000
modifiersName: cn=admin,dc=nodomain
modifyTimestamp: 20180305020216Z
$
/etc/ldap/slapd.d/cn=config/olcDatabase={1}mdb.ldif
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 e453a658
dn: olcDatabase={1}mdb
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=nodomain
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * non
e
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to * by * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=nodomain
olcRootPW:: e1NTSEF9Vll2d3FuWmgxZXRHdnFESlJZMGVYVWVzVWtFK0tjSy8=
olcDbCheckpoint: 512 30
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid eq
olcDbMaxSize: 1073741824
structuralObjectClass: olcMdbConfig
entryUUID: ff0d16d0-b498-1037-8b36-173c01517ae1
creatorsName: cn=config
createTimestamp: 20180305081440Z
entryCSN: 20180305081440.116261Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20180305081440Z
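Before changing anything it is worth reading these defaults critically. The following is an added example (my own, not code from the page or from OpenLDAP): it parses slapd.d-style LDIF, including the folded continuation line visible at olcAccess {0} above and the "::" base64 values, and reports the three things a reviewer would flag in this default: {2}to * by * read (anonymous read of the whole tree), an olcRootPW stored in cleartext, and no TLS certificate configured on cn=config. The sample LDIF is constructed from the page's dumps plus an invented second database so the cleartext check has something to catch; the check policy is this example's, not OpenLDAP's.

```python
import base64

# Constructed sample: the cn=config and olcDatabase={1}mdb lines from the page's
# slapd.d dumps (including the wrapped "non\n e" continuation), plus a second,
# made-up database whose olcRootPW is stored in cleartext so that check fires.
SAMPLE_LDIF = """\
dn: cn=config
objectClass: olcGlobal
cn: config
olcLogLevel: none

dn: olcDatabase={1}mdb
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcSuffix: dc=nodomain
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * non
 e
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to * by * read
olcRootDN: cn=admin,dc=nodomain
olcRootPW:: e1NTSEF9S2FyWU9kQndyQ1UyL3NOUWpIUDN2S3FRdWE5TVI4M28=

dn: olcDatabase={2}mdb
objectClass: olcDatabaseConfig
olcDatabase: {2}mdb
olcSuffix: dc=example,dc=org
olcRootDN: cn=admin,dc=example,dc=org
olcRootPW: secret
olcAccess: {0}to * by users read by * none
"""


def unfold(text):
    """Join RFC 2849 continuation lines: a line beginning with a single space
    continues the previous logical line (the space itself is dropped)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Parse LDIF into a list of entries. Each entry maps the lower-cased
    attribute name to a list of values; 'attr:: ...' values are base64-decoded."""
    entries, entry = [], {}
    for line in unfold(text):
        if not line.strip():          # blank line terminates an entry
            if entry:
                entries.append(entry)
                entry = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):     # 'attr:: base64'
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        entry.setdefault(name.lower(), []).append(value)
    if entry:
        entries.append(entry)
    return entries


def audit(entries):
    """Return (dn, finding) pairs. The policy is this example's own:
    - a 'to *' rule granting read to '*' or 'anonymous' exposes the whole DIT;
    - an olcRootPW without a {scheme} prefix is stored in cleartext;
    - cn=config without olcTLSCertificateFile cannot offer StartTLS or ldaps."""
    findings = []
    for e in entries:
        dn = e.get("dn", ["?"])[0]
        for acl in e.get("olcaccess", []):
            rule = acl.split("}", 1)[1] if acl.startswith("{") else acl
            target, _, _ = rule.partition(" by ")
            if target.strip() == "to *" and ("by * read" in rule or "by anonymous read" in rule):
                findings.append((dn, "anonymous read of the whole tree: " + acl))
        for pw in e.get("olcrootpw", []):
            if not pw.startswith("{"):
                findings.append((dn, "olcRootPW is stored in cleartext"))
        if dn.lower() == "cn=config" and "olctlscertificatefile" not in e:
            findings.append((dn, "no olcTLSCertificateFile: StartTLS/ldaps cannot be offered"))
    return findings


if __name__ == "__main__":
    for dn, finding in audit(parse_ldif(SAMPLE_LDIF)):
        print(f"{dn}: {finding}")
```

To run it against a real instance, feed it the concatenated output of sudo cat /etc/ldap/slapd.d/cn=config.ldif /etc/ldap/slapd.d/cn=config/olcDatabase=*.ldif, or the output of the ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config query shown above without the "dn" attribute filter. The parser keeps attribute names lower-cased because LDAP attribute names are case-insensitive.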
Setting the administrator password (LDAP Password)
$ slappasswd
New password: # "pw" was used for this test
Re-enter new password: # re-enter it
{SSHA}KarYOdBwrCU2/sNQjHP3vKqQua9MR83o
$
slappasswd prints a salted SHA-1 ({SSHA}) hash by default (slappasswd -h selects another scheme); the hash, never the cleartext, is what goes into the LDIF. "pw" is a placeholder for this walkthrough and would be cracked instantly, so use a real password on anything that is reachable. Create the LDIF file that sets the root password of the config database.
/etc/ldap/changepw.ldif
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}KarYOdBwrCU2/sNQjHP3vKqQua9MR83o
Apply it. (ldapadd is ldapmodify -a; the explicit changetype: modify in the file turns the operation into a modify, which is why the output says "modifying entry". ldapmodify works just as well here.)
$ sudo ldapadd -Y EXTERNAL -H ldapi:// -f changepw.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"
$
State after applying.
/etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 418a3f6d
dn: olcDatabase={0}config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=extern
al,cn=auth manage by * break
structuralObjectClass: olcDatabaseConfig
entryUUID: ff0ca376-b498-1037-8b2e-173c01517ae1
creatorsName: cn=config
createTimestamp: 20180305081440Z
olcRootPW:: e1NTSEF9S2FyWU9kQndyQ1UyL3NOUWpIUDN2S3FRdWE5TVI4M28= # attribute added
entryCSN: 20180305082612.053107Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20180305082612Z
From here on, enter "pw" whenever you are prompted for an LDAP password.
Two things to keep in mind here. The config database above has no explicit olcRootDN; slapd's built-in root DN for the config database is cn=config (which is why the entries carry creatorsName: cn=config), so this olcRootPW allows a simple bind to the config database as -D cn=config, whereas the rest of this page keeps using the root-only SASL EXTERNAL bind over ldapi:///. And the password prompts in the later sections are actually answered by the olcRootPW of the mdb database, which the next section sets separately with the same hash.
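As an added example (mine, not from the page or from OpenLDAP), the following Python shows what is inside the {SSHA} value slappasswd printed and how to decode the userPassword:: and olcRootPW:: lines that slapcat and the slapd.d dumps expose: the double colon means the value is base64, and the decoded {SSHA} string is itself base64 of a 20-byte SHA-1 digest followed by the salt. The only page data used is the olcRootPW:: value shown above; the wordlist is constructed for the demo.

```python
import base64
import hashlib
import hmac
import os

# Copied from the page: the LDIF base64 ('olcRootPW::') form of the hash that
# slappasswd produced from "pw". The wordlist is constructed for this example.
PAGE_OLCROOTPW_LDIF = "e1NTSEF9S2FyWU9kQndyQ1UyL3NOUWpIUDN2S3FRdWE5TVI4M28="
WORDLIST = ["password", "admin", "pw", "secret"]


def ldif_value(encoded):
    """Decode an 'attr:: ...' LDIF value; the double colon means base64 of the raw bytes."""
    return base64.b64decode(encoded).decode()


def ssha_split(hashed):
    """Split a '{SSHA}...' string into (sha1_digest, salt). slapd stores
    base64(SHA1(password || salt) || salt); the salt is whatever follows the 20-byte digest."""
    if not hashed.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(hashed[len("{SSHA}"):])
    return raw[:20], raw[20:]


def ssha_hash(password, salt=None):
    """Build a '{SSHA}' value the way slappasswd does (4 random salt bytes by default)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(password, hashed):
    """Recompute the digest with the stored salt and compare in constant time."""
    digest, salt = ssha_split(hashed)
    candidate = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)


def crack(hashed, words):
    """Dictionary test: first word that verifies, or None. Salted SHA-1 is fast, so
    a leaked hash of a weak password (the page's "pw") falls immediately."""
    for word in words:
        if ssha_verify(word, hashed):
            return word
    return None


if __name__ == "__main__":
    stored = ldif_value(PAGE_OLCROOTPW_LDIF)
    digest, salt = ssha_split(stored)
    print(stored, "-> digest", len(digest), "bytes, salt", salt.hex())
    print("dictionary hit:", crack(stored, WORDLIST))
    fresh = ssha_hash("pw")
    print(fresh, ssha_verify("pw", fresh), ssha_verify("PW", fresh))
```

Run as-is, ssha_split confirms the page's value is a 20-byte digest plus a 4-byte salt, and crack() reports whether any word in WORDLIST (including "pw", which the page says was used) reproduces it. The same functions apply to the userPassword:: lines in the slapcat output above, which is one reason slapcat dumps and /etc/ldap/slapd.d must stay readable by root and the openldap user only, exactly as the ls -l listing shows.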
Changing the suffix
Create the change file (the attributes are swapped with "replace"; the three records for the same DN could also be written as a single record with lines containing only "-" between the changes). Note that replacing olcSuffix does not touch the data already in /var/lib/ldap: the dc=nodomain and cn=admin,dc=nodomain entries, including that admin's password hash, stay in the mdb database, unreachable under the new suffix but still present in slapcat output. On Ubuntu, dpkg-reconfigure slapd is the cleaner route because it recreates the database for the new domain; the in-place edit below is fine for a fresh test instance.
/etc/ldap/chdomain.ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=test,dc=local
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=test,dc=local
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}KarYOdBwrCU2/sNQjHP3vKqQua9MR83o
Apply it.
$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}mdb,cn=config"
modifying entry "olcDatabase={1}mdb,cn=config"
modifying entry "olcDatabase={1}mdb,cn=config"
$
State after applying.
/etc/ldap/slapd.d/cn=config/olcDatabase={1}mdb.ldif
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 0915cb02
dn: olcDatabase={1}mdb
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * non
e
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to * by * read
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid eq
olcDbMaxSize: 1073741824
structuralObjectClass: olcMdbConfig
entryUUID: ff0d16d0-b498-1037-8b36-173c01517ae1
creatorsName: cn=config
createTimestamp: 20180305081440Z
olcSuffix: dc=test,dc=local # changed
olcRootDN: cn=Manager,dc=test,dc=local # changed
olcRootPW:: e1NTSEF9S2FyWU9kQndyQ1UyL3NOUWpIUDN2S3FRdWE5TVI4M28= # changed
entryCSN: 20180305090703.943977Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20180305090703Z
Registering the domain (base entry)
Create the file.
/etc/ldap/add_object.ldif
dn: dc=test,dc=local
objectClass: top
objectClass: dcObject
objectClass: organization
o: test.inc
dc: test
dn: cn=Manager,dc=test,dc=local
objectClass: organizationalRole
cn: Manager
dn: ou=users,dc=test,dc=local
objectClass: organizationalUnit
ou: users
Apply it, this time with a simple bind as the new root DN. cn=Manager is authenticated against the olcRootPW set in cn=config (slapd checks root DN credentials itself rather than against the directory entry), which is why the cn=Manager entry above carries no userPassword; it exists only so that the DN resolves. -x sends the password in cleartext; that is acceptable for ldap://localhost (the default when -H is omitted) but not across the network, so configure TLS (olcTLSCertificateFile and related attributes, then ldaps:// or -ZZ) and restrict port 389 in the EC2 security group before any remote client binds.
$ sudo ldapadd -x -D cn=Manager,dc=test,dc=local -W -f add_object.ldif
Enter LDAP Password:
adding new entry "dc=test,dc=local"
adding new entry "cn=Manager,dc=test,dc=local"
adding new entry "ou=users,dc=test,dc=local"
$
Adding a user
Create the file.
/etc/ldap/add_user.ldif
dn: uid=user001,ou=users,dc=test,dc=local
objectClass: account
objectClass: posixAccount
objectClass: top
uid: user001
cn: user001
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/user001
loginShell: /bin/bash
Apply it. This entry has no userPassword, so user001 exists for lookups but cannot bind yet; set one with ldappasswd as cn=Manager, or put a slappasswd hash into the LDIF as a userPassword attribute. The default olcAccess {0} rule lets users change their own password (by self write) and lets an anonymous connection use it only for authentication (by anonymous auth), never read it.
$ sudo ldapadd -x -D cn=Manager,dc=test,dc=local -W -f add_user.ldif
Enter LDAP Password:
adding new entry "uid=user001,ou=users,dc=test,dc=local"
$
Search for the user that was created. Because of the default olcAccess {2}to * by * read, the same search also succeeds with an anonymous bind (-x without -D/-W), so every attribute except userPassword is readable by anyone who can reach port 389; on EC2 that makes the security group the first line of defence.
$ ldapsearch -x -D cn=Manager,dc=test,dc=local -W -b ou=users,dc=test,dc=local
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=users,dc=test,dc=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# users, test.local
dn: ou=users,dc=test,dc=local
objectClass: organizationalUnit
ou: users
# user001, users, test.local
dn: uid=user001,ou=users,dc=test,dc=local
objectClass: account
objectClass: posixAccount
objectClass: top
uid: user001
cn: user001
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/user001
loginShell: /bin/bash
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
$