LoginSignup
0
0
@kohuku(Kodai Fukuda)

VMクラスタを作ってみる:LDAP編

Last updated at Posted at 2024-04-24

LDAPログインについて

*ほぼUbuntu Serverの公式ドキュメントからのコピペです。自分用に書き換えただけ。
イメージ画像
Screen Shot 2024-04-25 at 0.00.02.png
(引用:https://qiita.com/y-araki-qiita/items/0c954c3ae25d4ed9dbb8)

サーバ側設定(FQDN: node1.example.com)

自己証明書の作成

Install the gnutls-bin and ssl-cert packages:

sudo apt install gnutls-bin ssl-cert

Create a private key for the Certificate Authority:

sudo certtool --generate-privkey --bits 4096 --outfile /etc/ssl/private/mycakey.pem

Create the template/file /etc/ssl/ca.info to define the CA:

cn = Example Company
ca
cert_signing_key
expiration_days = 3650

Create the self-signed CA certificate:

sudo certtool --generate-self-signed \
--load-privkey /etc/ssl/private/mycakey.pem \
--template /etc/ssl/ca.info \
--outfile /usr/local/share/ca-certificates/mycacert.crt

sudo update-ca-certificates

各クライアントへ送信

scp /usr/local/share/ca-certificates/mycacert.crt kodai4@node4:~/

LDAPサービスの証明書作成

Make a private key for the server:

sudo certtool --generate-privkey \
--bits 2048 \
--outfile /etc/ldap/node1_slapd_key.pem

Create the /etc/ssl/node1.info info file containing:

organization = Example Company
cn = node1.example.com
tls_www_server
encryption_key
signing_key
expiration_days = 365

Create the server’s certificate:

sudo certtool --generate-certificate \
--load-privkey /etc/ldap/node1_slapd_key.pem \
--load-ca-certificate /etc/ssl/certs/mycacert.pem \
--load-ca-privkey /etc/ssl/private/mycakey.pem \
--template /etc/ssl/node1.info \
--outfile /etc/ldap/node1_slapd_cert.pem

Adjust permissions and ownership:

sudo chgrp openldap /etc/ldap/node1_slapd_key.pem
sudo chmod 0640 /etc/ldap/node1_slapd_key.pem

Create the file certinfo.ldif with the following contents (adjust paths and filenames accordingly):

dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/mycacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/node1_slapd_cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/node1_slapd_key.pem

Use the ldapmodify command to tell slapd about our TLS work via the slapd-config database:

sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f certinfo.ldif

If you need access to LDAPS (LDAP over SSL), then you need to edit /etc/default/slapd and include ldaps:/// in SLAPD_SERVICES like below:

SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"

And restart slapd with:

sudo systemctl restart slapd

クライアント側の設定

証明書の設定

sudo chown root:root mycacert.crt
sudo mv mycacert.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates

sssdをldapと連携

sudo apt install sssd-ldap ldap-utils

Create the /etc/sssd/sssd.conf configuration file, with permissions 0600 and ownership root:root, and add the following content:

[sssd]
config_file_version = 2
domains = example.com

[domain/example.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://node1.example.com
cache_credentials = True
ldap_search_base = dc=example,dc=com

Make sure to start the sssd service:

sudo chmod 600 /etc/sssd/sssd.conf
sudo chown root:root /etc/sssd/sssd.conf
sudo systemctl restart sssd.service

To enable automatic home directory creation, run the following command:

sudo pam-auth-update --enable mkhomedir

ここまででパスワード認証を用いたSSHログインをユーザ名johnで行えるようになった。

気を付けるべきこと

sudo certtool --generate-certificate \
--load-privkey /etc/ldap/ldap01_slapd_key.pem \
--load-ca-certificate /etc/ssl/certs/mycacert.pem \
--load-ca-privkey /etc/ssl/private/mycakey.pem \
--template /etc/ssl/ldap01.info \
--outfile /etc/ldap/ldap01_slapd_cert.pem

で使用される/etc/ssl/ldap01.infoの内容が以下

organization = Example Company
cn = ldap01.example.com
tls_www_server
encryption_key
signing_key
expiration_days = 365

ここでcnはホスト名を指定する。

この時ホスト名はDNSサーバに登録している必要がある

ローカルDNSを設置する

SSH公開鍵の共有

スキーマの追加

https://openssh-ldap-pubkey.readthedocs.io/en/latest/openldap.html

$ vim openssh-lpk.ldif
-----------------
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 f6bf57a2
dn: cn=openssh-lpk,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: openssh-lpk
olcAttributeTypes: {0}( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' DES
 C 'MANDATORY: OpenSSH Public key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.
 1.1466.115.121.1.40 )
olcObjectClasses: {0}( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' DESC
  'MANDATORY: OpenSSH LPK objectclass' SUP top AUXILIARY MAY ( sshPublicKey $ 
 uid ) )
-------------------

sudo ldapadd -H ldapi:/// -Y EXTERNAL -f openssh-lpk.ldif

公開鍵をLDIFで追加

https://teratail.com/questions/283183

dn: uid=john,ou=People,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: ldapPublicKey
-
add: sshPublicKey
sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKqFDgQXi2ndSdZJhLIhr85TeT9dAUc85EShTGGVm0HZ john@node1

sudo ldapmodify -D cn=admin,dc=example,dc=com -W -H ldapi:/// -f add_sshpubkey.ldif

sudo ldapadd -H ldapi:/// -Y EXTERNAL -f openssh-lpk.ldif

クライアント側のSSSDとsshdの設定変更

https://qiita.com/s5601026/items/8c5f16a2935ccd7fb305

$ sudo vim /etc/ssh/sshd_config
-------------------
PubkeyAuthentication yes

AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser root
--------------------

sudo systemctl restart sshd
0
0
0

Register as a new user and use Qiita more conveniently

  1. You get articles that match your needs
  2. You can efficiently read back useful information
  3. You can use dark theme
What you can do with signing up
Sign upLogin
0
0