
Ubuntu 18.04.3 LTS LDAP Authセットアップ

Last updated at Posted at 2019-09-22

注意点

  • SHELL（/bin/sh）はdashであり、bashではない。CentOS/ArchLinuxに慣れていると注意が必要。

インストール直後の設定

rootでの操作に慣れているので、rootのパスワードを作成する。

$ sudo passwd root
$ su -

以後、rootでの操作
#

ネットワーク設定

# vi /etc/netplan/50-cloud-init.yaml
/etc/netplan/50-cloud-init.yaml
network:
    ethernets:
        enp0s3:
            addresses:
            - 192.168.11.139/24
            gateway4: 192.168.11.1
            dhcp4: false
            accept-ra: false
            nameservers:
                addresses:
                - 192.168.11.1
    version: 2
# netplan generate
# netplan apply
# systemctl status systemd-networkd

VirtualBoxのウィンドウでは操作しづらいので、rootのssh接続を一時的に許可する（セットアップ完了後はPermitRootLoginを元の設定に戻しておくこと）。

# vi /etc/ssh/sshd_config
PermitRootLogin yes
# systemctl restart sshd

以降、puttyなどで操作する。

アップデート

# apt -y update
# apt -y upgrade

パッケージのインストール

# apt -y install slapd ldap-utils
# apt -y install samba
# apt -y install smbldap-tools
# apt -y install sssd sssd-ldap

slapdセットアップ

# cd /etc/ldap
# cp /usr/share/doc/samba/examples/LDAP/samba.schema.gz .
# gunzip samba.schema.gz
# mv samba.schema /etc/ldap/schema/
# systemctl stop slapd
# cd /etc/ldap
# mv /etc/ldap/slapd.d /etc/ldap/slapd.d.orig

# mkdir /etc/ldap/ssl
# cd    /etc/ldap/ssl

# openssl req -new -x509 -nodes -out slapdcert.pem -keyout slapdkey.pem -days 3650
# chmod 400 slapdkey.pem
# chmod 444 slapdcert.pem
# chown openldap:openldap /etc/ldap/ssl/slapdkey.pem

# ls -l
-r--r--r-- 1 root     root     1302 Jul 20 12:47 slapdcert.pem
-r-------- 1 openldap openldap 1704 Jul 20 12:47 slapdkey.pem
# vi /etc/ldap/slapd.conf
/etc/ldap/slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include     /etc/ldap/schema/corba.schema
include     /etc/ldap/schema/core.schema
include     /etc/ldap/schema/cosine.schema
include     /etc/ldap/schema/duaconf.schema
include     /etc/ldap/schema/dyngroup.schema
include     /etc/ldap/schema/inetorgperson.schema
include     /etc/ldap/schema/java.schema
include     /etc/ldap/schema/misc.schema
include     /etc/ldap/schema/nis.schema
include     /etc/ldap/schema/openldap.schema
include     /etc/ldap/schema/pmi.schema
include     /etc/ldap/schema/ppolicy.schema
include     /etc/ldap/schema/collective.schema
include     /etc/ldap/schema/samba.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral   ldap://root.openldap.org

pidfile     /var/run/slapd/slapd.pid
argsfile    /var/run/slapd/slapd.args

# Load dynamic backend modules:
modulepath  /usr/lib/ldap
moduleload  back_mdb.la
moduleload  back_ldap.la

# Certificate/SSL Section
#TLSCipherSuite          DEFAULT
TLSCertificateFile      /etc/ldap/ssl/slapdcert.pem
TLSCertificateKeyFile   /etc/ldap/ssl/slapdkey.pem

# Sample security restrictions
#   Require integrity protection (prevent hijacking)
#   Require 112-bit (3DES or better) encryption for updates
#   Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#   Root DSE: allow anyone to read it
#   Subschema (sub)entry DSE: allow anyone to read it
#   Other DSEs:
#       Allow self write access
#       Allow authenticated users read access
#       Allow anonymous users to authenticate
#   Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#   by self write
#   by users read
#   by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

access to attrs=userPassword,givenName,sn,photo
    by self write
    by anonymous auth
    by dn.base="cn=Manager,dc=my-domain,dc=com" write
    by * none

access to *
    by self read
    by dn.base="cn=Manager,dc=my-domain,dc=com" write
    by * read

#######################################################################
# MDB database definitions
#######################################################################

database    mdb
maxsize     1073741824
suffix      "dc=my-domain,dc=com"
rootdn      "cn=Manager,dc=my-domain,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw      secret
# The database directory MUST exist prior to running slapd AND 
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory   /var/lib/ldap
# Indices to maintain
index   objectClass eq
index   uid     pres,eq
index   mail        pres,sub,eq
index   cn      pres,sub,eq
index   sn      pres,sub,eq
index   dc      eq
# systemctl edit slapd.service
[Service]
ExecStart=
ExecStart=/usr/sbin/slapd -u openldap -g openldap -f /etc/ldap/slapd.conf -h "ldap:/// ldaps:///"
# mkdir /var/run/slapd
# chown openldap:openldap /var/run/slapd


# ls -ld /var/run/slapd/
drwxr-xr-x 2 openldap openldap 80 Sep 22 00:21 /var/run/slapd/


# vi /usr/lib/tmpfiles.d/slapd.conf
d /run/slapd 0755 openldap openldap -

# systemctl start slapd

# vi /etc/ldap/ldap.conf
TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
BASE    dc=my-domain,dc=com
URI     ldap://localhost
TLS_REQCERT     allow

# ldapsearch -H ldap://localhost  -x -w secret -D cn=Manager,dc=my-domain,dc=com
# ldapsearch -H ldaps://localhost -x -w secret -D cn=Manager,dc=my-domain,dc=com

# systemctl enable slapd

smbldap-toolsセットアップ

# cd /etc/smbldap-tools/
# cp /usr/share/doc/smbldap-tools/examples/smbldap.conf.gz .
# cp /usr/share/doc/smbldap-tools/examples/smbldap_bind.conf .

# gunzip smbldap.conf.gz
# chmod 600 smbldap_bind.conf

# vi smbldap.conf
# vi smbldap_bind.conf

ユーザー/グループ追加

# smbldap-populate
# smbldap-groupadd -a ldapusers
# smbldap-groupadd -a ldapwheel
# smbldap-useradd  -a -m -g ldapusers -G ldapwheel -c "First Last" (ユーザー名)
# smbldap-passwd (ユーザー名)
# systemctl restart slapd

# systemctl start  sssd
# systemctl enable sssd

# id (ユーザー名)
uid=1000(ユーザー名) gid=1000(ldapusers) groups=1000(ldapusers),1001(ldapwheel)

# visudo

Sambaセットアップ

# cd /etc/samba
# vi ldap_smb.conf

# vi /etc/samba/smb.conf
    include = /etc/samba/ldap_smb.conf
    # passdb backend = tdbsam       ← コメントアウトする

    ...

[homes]
    comment = Home Directories
    browseable = yes
# smbpasswd -W
# systemctl start  smbd
# systemctl enable smbd

Ubuntuでは、CentOSのようにauthconfigやauthselectを実行しなくても、PAMの設定は自動的に変更されている。

エラー対応

Ubuntuを再起動後、slapdが以下のエラーで起動しない。

unable to open pid file "/var/run/slapd/slapd.pid": 2 (No such file or directory)

以下のファイルを新規作成し、起動時にフォルダを作成させる。

# vi /etc/tmpfiles.d/slapd-init.conf
d /var/run/slapd 0755 openldap openldap -

パスワード強化

# apt install libpam-cracklib
# vi /etc/pam.d/common-password
password   requisite   pam_cracklib.so retry=3 minlen=8 difok=3 ucredit=-1 lcredit=-1 dcredit=-2 ocredit=-1