LDAP-Tips
LDAP
문태준 2007-01-04 16:57:22
http://tunelinux.pe.kr
http://database.sarang.net
Contents
1. Before you start
This document was first written on MoniWiki, after which the in-house wiki was replaced. Some later corrections are therefore not included below, and converting them one by one is inconvenient.
The final corrected version can be downloaded from the URL below.
(2007.3.30)
Account integration and application hook-ups using LDAP
2. LDAP overview
3. About this document
4.1. Basic material for LDAP beginners
4.2. Account integration using LDAP
4.3. Other references
5.1. Policy decisions
5.2. Software to install
6. LDAP server configuration
Add rootpw to /etc/openldap/slapd.conf; it is used to authenticate with root (manager) privileges.
The password below was generated with slappasswd.

    [root@localhost openldap]# grep -v "^#" slapd.conf
    include /etc/openldap/schema/core.schema
    include /etc/openldap/schema/cosine.schema
    include /etc/openldap/schema/inetorgperson.schema
    include /etc/openldap/schema/nis.schema
    allow bind_v2
    pidfile /var/run/slapd.pid
    argsfile /var/run/slapd.args
    loglevel 256
    TLSCipherSuite HIGH:MEDIUM:+SSLv2
    TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
    TLSCertificateFile /etc/openldap/slapdcert.pem
    TLSCertificateKeyFile /etc/openldap/slapdkey.pem
    database bdb
    suffix "dc=samjung,dc=com"
    rootdn "cn=manager,dc=samjung,dc=com"
    rootpw {SSHA}aaaaaamoxk2Sswm8NbHZbCx9LxextJ
    directory /var/lib/ldap
    index objectClass eq,pres
    index ou,cn,mail,surname,givenname eq,pres,sub
    index uidNumber,gidNumber,loginShell eq,pres
    index uid,memberUid eq,pres,sub
    index nisMapName,nisMapEntry eq,pres,sub
    cachesize 2000
    access to dn.subtree="dc=samjung,dc=com" attr=userPassword
        by self write
        by * auth
    access to dn.subtree="ou=people,dc=samjung,dc=com" by * read
    access to dn.subtree="ou=group,dc=samjung,dc=com" by * read
    access to dn.subtree="ou=hosts,dc=samjung,dc=com" by * read
    access to * by * auth
    replogfile /var/lib/ldap/openldap-master-replog
    replica uri=ldap://cent.tunelinux.pe.kr:389
        suffix="dc=samjung,dc=com"
        binddn="cn=replica,dc=samjung,dc=com"
        credentials=xxxxxx
        bindmethod=simple
        tls=yes

    # /etc/init.d/ldap start
    Starting slapd: [ OK ]

The TLS part can be left out of the initial setup. The ACLs let each user change only their own password, while the people, group and hosts information is readable by anyone.
The replication part can also be left out of the initial setup.
Database backend modules include ldbm and bdb. bdb was introduced in OpenLDAP 2.1 and is tied to the Berkeley DB 4 library. bdb is said to be better than ldbm, but I have not checked in what respect.
7.1. Creating the directory structure
Save the following as top.ldif:

    dn: dc=samjung,dc=com
    objectclass: dcObject
    objectclass: organization
    o: samjung Company
    dc: samjung

    dn: cn=manager, dc=samjung, dc=com
    objectclass: organizationalRole
    cn: manager

    dn: ou=people, dc=samjung, dc=com
    ou: people
    objectclass: organizationalUnit
    objectclass: domainRelatedObject
    associatedDomain: samjung.com

    dn: ou=contacts,ou=people, dc=samjung, dc=com
    ou: contacts
    ou: people
    objectclass: organizationalUnit
    objectclass: domainRelatedObject
    associatedDomain: samjung.com

    dn: ou=group, dc=samjung, dc=com
    ou: group
    objectclass: organizationalUnit
    objectclass: domainRelatedObject
    associatedDomain: samjung.com

ou=contacts above is not actually used below; it can be used when an e-mail address book is kept in LDAP.

    # ldapadd -x -D 'cn=manager,dc=samjung,dc=com' -W -f top.ldif
    Enter LDAP Password:
    adding new entry "dc=samjung,dc=com"
    adding new entry "cn=manager, dc=samjung, dc=com"
    adding new entry "ou=people, dc=samjung, dc=com"
    adding new entry "ou=contacts,ou=people, dc=samjung, dc=com"
    adding new entry "ou=group, dc=samjung, dc=com"

7.2. Option reference for the ldap command-line tools
** -w password also works; -W prompts for the password on the command line.
-x : simple authentication (the basic authentication method)
-D : specify the bind DN
-f file : read the input from a file
-W : prompt for simple authentication; use when the password for simple authentication is to be entered separately
-w : give the password directly as a command-line option
-b : searchbase; specify the search base
7.3. Searching what was entered above

    # ldapsearch -x -b 'dc=samjung,dc=com'
    version: 2
    #
    # filter: (objectclass=*)
    # requesting: ALL
    #

    # samjung, com
    dn: dc=samjung,dc=com
    objectClass: dcObject
    objectClass: organization
    o: samjung Company
    dc: samjung
    ... (omitted) ...
    # search result
    search: 2
    result: 0 Success

    # numResponses: 6
    # numEntries: 5

8.1. Making a single Linux login through LDAP
First decide the account policy. Below, it is assumed to be as follows:
System accounts : UID < 500
Real people in LDAP : 499 < UID < 10,000
Local users, groups (not in LDAP) > 10,000
8.2. Creating a user entry for a local machine
Create an account called ldaptest with uid 1000 and gid 1000 and home directory /home/ldaptest.

    # cat people.ldif
    # ldaptest, people, samjung.com
    dn: uid=ldaptest,ou=people,dc=samjung,dc=com
    cn: ldaptest
    objectClass: account
    objectClass: posixAccount
    objectClass: shadowAccount
    objectClass: top
    uidNumber: 1000
    gidNumber: 1000
    homeDirectory: /home/ldaptest
    loginShell: /bin/bash
    shadowLastChange: 11192
    shadowMin: -1
    shadowMax: 99999
    shadowWarning: 7
    shadowInactive: -1
    shadowExpire: -1
    shadowFlag: 134538308
    uid: ldaptest
    userPassword: {crypt}$1$OQAQLKrD$ktucNP.aAo/w5gbuAIV6H1

Add it as follows:

    # ldapadd -x -D 'cn=manager,dc=samjung,dc=com' -W -f people.ldif
    Enter LDAP Password:
    adding new entry "uid=ldaptest,ou=people,dc=samjung,dc=com"

Search as follows:

    # ldapsearch -x -b "dc=samjung,dc=com" "(objectclass=*)"

Deleting a user:

    ldapdelete -x -D 'cn=manager,dc=samjung,dc=com' 'uid=ldaptest,ou=people,dc=samjung,dc=com' -W

8.3. Migrating existing account information
The /usr/share/openldap/migration/ directory contains programs for migrating existing information.
First adjust a few options in migrate_common.ph. migrate_common.ph is the modified program and migrate_common.ph.orig is the original.

    # diff migrate_common.ph migrate_common.ph.orig
    71c71
    < $DEFAULT_MAIL_DOMAIN = "sds.co.kr";
    ---
    > $DEFAULT_MAIL_DOMAIN = "padl.com";
    74c74
    < $DEFAULT_BASE = "dc=samjung,dc=com";
    ---
    > $DEFAULT_BASE = "dc=padl,dc=com";
    90c90
    < $EXTENDED_SCHEMA = 1;
    ---
    > $EXTENDED_SCHEMA = 0;

    /usr/share/openldap/migration/migrate_passwd.pl /etc/passwd
    /usr/share/openldap/migration/migrate_group.pl /etc/group

These programs handle not only passwd and group but also /etc/networks, /etc/protocols, /etc/services, /etc/netgroup and so on. This is explained again later where /etc/hosts is moved into LDAP.
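As an added illustration of the UID policy in 8.1 applied to the migration step in 8.3 (this is not code from the page or from the PADL migration scripts), the Python script below converts /etc/passwd and /etc/shadow style lines into posixAccount/shadowAccount LDIF, migrating only accounts in the "real people" range and leaving system accounts and local-only accounts in the files. The sample lines and the password hashes in them are constructed placeholders; the DN layout (uid=...,ou=people,dc=samjung,dc=com) follows the page. Locked accounts ("!!" or "*" in the hash field) are written without a userPassword, which is this example's choice rather than what migrate_passwd.pl does.

```python
# Added example: passwd/shadow -> LDIF with the 8.1 UID policy applied.
# Not code from the page or from the PADL migration tools.

BASE_DN = "dc=samjung,dc=com"        # suffix used throughout the page
PEOPLE_OU = "ou=people"
UID_MIN, UID_MAX = 500, 9999          # "499 < UID < 10,000"

# Constructed sample lines; the hashes are placeholders, not real hashes.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
ldaptest:x:1000:1000:LDAP test user:/home/ldaptest:/bin/bash
localonly:x:12000:12000:Local only:/home/localonly:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$1$placeholder$rootHashValue:11192:0:99999:7:::
ldaptest:$1$placeholder$ldaptestHash:11192:0:99999:7:::
localonly:!!:11192:0:99999:7:::
"""


def parse_colon_file(text):
    """Yield (name, fields) for each non-empty, non-comment colon-separated line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        yield fields[0], fields


def should_migrate(uid):
    """True when the UID falls in the 'real people in LDAP' range of 8.1."""
    return UID_MIN <= uid <= UID_MAX


def migrate_accounts(passwd_text, shadow_text, base_dn=BASE_DN):
    """Return a list of (dn, [(attribute, value), ...]) for accounts to migrate."""
    shadow = dict(parse_colon_file(shadow_text))
    entries = []
    for name, f in parse_colon_file(passwd_text):
        uid, gid = int(f[2]), int(f[3])
        if not should_migrate(uid):
            continue                      # system or local-only account stays in files
        gecos, home, shell = f[4], f[5], f[6] or "/bin/bash"
        dn = "uid=%s,%s,%s" % (name, PEOPLE_OU, base_dn)
        attrs = [
            ("uid", name), ("cn", gecos or name),
            ("objectClass", "account"), ("objectClass", "posixAccount"),
            ("objectClass", "shadowAccount"), ("objectClass", "top"),
            ("uidNumber", str(uid)), ("gidNumber", str(gid)),
            ("homeDirectory", home), ("loginShell", shell),
        ]
        s = shadow.get(name)
        if s:
            pw = s[1]
            # Locked hashes ("!!", "*") are not carried over: the entry then has
            # no userPassword and cannot authenticate until one is set.
            if pw and pw[0] not in "!*":
                attrs.append(("userPassword", "{crypt}" + pw))
            for attr, idx in (("shadowLastChange", 2), ("shadowMin", 3),
                              ("shadowMax", 4), ("shadowWarning", 5)):
                if idx < len(s) and s[idx]:
                    attrs.append((attr, s[idx]))
        entries.append((dn, attrs))
    return entries


def to_ldif(entries):
    """Render entries as LDIF text with a blank line between entries."""
    blocks = []
    for dn, attrs in entries:
        lines = ["dn: " + dn] + ["%s: %s" % (a, v) for a, v in attrs]
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    print(to_ldif(migrate_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW)))
```

Run it as-is to see the single LDIF entry it produces for ldaptest; root (UID 0) and localonly (UID 12000) are skipped by should_migrate, which is where the policy boundary lives if it has to change.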
8.4. Creating a group entry

    # cat group.ldif
    dn: cn=webdev,ou=group,dc=samjung,dc=com
    objectClass: posixGroup
    objectClass: top
    cn: webdev
    gidNumber: 2000
    memberUid: ldaptest

    # ldapadd -x -D 'cn=manager,dc=samjung,dc=com' -W -f group.ldif
    Enter LDAP Password:
    adding new entry "cn=webdev,ou=group,dc=samjung,dc=com"

This creates the webdev group with gid 2000 and puts ldaptest into it.
Search as follows:

    # ldapsearch -x -b 'dc=samjung,dc=com'
9.1. Configuring the LDAP client
Configure it with authconfig. This program automatically changes /etc/ldap.conf, /etc/nsswitch.conf, /etc/sysconfig/authconfig and /etc/pam.d/system-auth.
In User Information Configuration select Use LDAP -> Next -> in Authentication Configuration enable Use LDAP Authentication. Enter suitable values for Server and Base DN; here dc=samjung,dc=com.
start_tls is explained later.

    # diff /etc/ldap.conf.orig /etc/ldap.conf
    18c18
    < base dc=example,dc=com
    ---
    > base dc=samjung,dc=com
    # diff /etc/openldap/ldap.conf.orig /etc/openldap/ldap.conf
    16c16
    < BASE dc=example,dc=com
    ---
    > BASE dc=samjung,dc=com
    # diff /etc/nsswitch.conf.orig /etc/nsswitch.conf
    33,35c33,35
    < passwd: files
    < shadow: files
    < group: files
    ---
    > passwd: files ldap
    > shadow: files ldap
    > group: files ldap
    53c53
    < protocols: files
    ---
    > protocols: files ldap
    55c55
    < services: files
    ---
    > services: files ldap
    57c57
    < netgroup: files
    ---
    > netgroup: files ldap
    61c61
    < automount: files
    ---
    > automount: files ldap

/etc/ldap.conf is the LDAP client configuration and has a few extra options. The basic setup works with only base and host changed; below a few more were added: TLS via start_tls, per-user server access restriction via pam_check_host_attr, and the objectclass and login attribute used when searching for users via pam_filter and pam_login_attribute. The nss_base options set default search bases so that each kind of information is found quickly. For initial testing these options are not needed.

    # grep -v "^#" /etc/ldap.conf
    host cent3.tunelinux.pe.kr
    base dc=samjung,dc=com
    timelimit 120
    bind_timelimit 120
    idle_timelimit 3600
    ssl start_tls
    tls_checkpeer yes
    tls_cacertfile /etc/openldap/cacerts/cacert.pem
    pam_password md5
    pam_check_host_attr yes
    pam_filter objectclass=posixAccount
    pam_login_attribute uid
    nss_base_passwd ou=people,dc=samjung,dc=com?one
    nss_base_shadow ou=people,dc=samjung,dc=com?one
    nss_base_group ou=group,dc=samjung,dc=com?one
    nss_base_hosts ou=hosts,dc=samjung,dc=com?one
    nss_base_netgroup ou=netgroup,dc=samjung,dc=com?one

For reference, when several LDAP servers are used (with replication and so on), list them on the host line separated by spaces. In authconfig, multiple servers are separated with commas.

    # grep ^host /etc/ldap.conf
    host cent3.tunelinux.pe.kr cent.tunelinux.pe.kr

9.2. Displaying group information
With only host and base in /etc/ldap.conf, there were cases where id and similar tools showed no group name, only the number. Setting nss_base_group in /etc/ldap.conf as shown just above fixed it.

    nss_base_group ou=group,dc=samjung,dc=com?one

Such information can be checked with getent, e.g. getent passwd and getent group.

    # getent passwd
    # getent group

10. Handling user home directories
When users authenticate through LDAP, the home directory given in the user's LDIF entry is not actually created. There are two ways to handle this.
    session optional /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel umask=0077

11. Putting /etc/hosts information into LDAP
/usr/share/openldap/migration/ contains the various migration tools.
migrate_base.pl prints the base entries for each kind of information that can be migrated.
Use migrate_base.pl to extract the base entry for hosts, then convert the /etc/hosts information and load it into LDAP. Details are omitted.

    # ./migrate_base.pl
    dn: ou=Hosts,dc=samjung,dc=com
    ou: Hosts
    objectClass: top
    objectClass: organizationalUnit
    objectClass: domainRelatedObject
    associatedDomain: sds.co.kr

Put the hosts part of the output above into an LDIF file and load it.
migrate_hosts.pl converts the /etc/hosts information into an LDIF file.

    [root@cent3 migration]# ./migrate_hosts.pl /etc/hosts > hosts.ldif
    dn: cn=localhost.localdomain,ou=Hosts,dc=samjung,dc=com
    objectClass: top
    objectClass: ipHost
    objectClass: device
    ipHostNumber: 127.0.0.1
    cn: localhost.localdomain
    cn: localhost

    dn: cn=cent3.tunelinux.pe.kr,ou=Hosts,dc=samjung,dc=com
    objectClass: top
    objectClass: ipHost
    objectClass: device
    ipHostNumber: 222.112.137.138
    cn: cent3.tunelinux.pe.kr

    # ldapadd -x -D 'cn=manager,dc=samjung,dc=com' -W -f hosts.ldif

Then change /etc/nsswitch.conf:

    [root@cent3 migration]# grep hosts /etc/nsswitch.conf
    #hosts: db files ldap nis dns
    #hosts: files dns
    hosts: files dns ldap

Now change /etc/ldap.conf so that hosts information can be looked up:

    [root@cent3 migration]# grep hosts /etc/ldap.conf
    # Multiple hosts may be specified, each separated by a
    #nss_base_hosts ou=Hosts,dc=example,dc=com?one
    nss_base_hosts ou=hosts,dc=samjung,dc=com?one
    [root@cent3 migration]# getent hosts

An important point found during testing: the order of the hosts line in /etc/nsswitch.conf matters. The LDAP client must be able to resolve its own hostname, so either dns must come before ldap or the hostname must be written into /etc/hosts. Otherwise a segmentation fault occurs, and from then on id and other programs keep segfaulting and the system behaves erratically.

    # getent hosts
    127.0.0.1 localhost.localdomain localhost
    Segmentation fault

4.7.5.1 Host Resolving
(2) looping resolver - segmentation fault
The order within /etc/nsswitch.conf is important, and the ldap client code needs to resolve its own hostname! Therefore dns must be before ldap or the hostname must be in /etc/hosts!
12.1. Limiting searches on the server
sizelimit and timelimit in slapd.conf can be used to limit searches.
12.2. Main options in /etc/ldap.conf
The main options in /etc/ldap.conf are as follows:

    ssl start_tls
    tls_cacertdir /etc/openldap/cacerts
    pam_password md5
    pam_check_host_attr yes
    pam_filter objectclass=posixAccount
    pam_login_attribute uid
    nss_base_passwd ou=people,dc=samjung,dc=com?one
    nss_base_shadow ou=people,dc=samjung,dc=com?one
    nss_base_group ou=group,dc=samjung,dc=com?one
    nss_base_hosts ou=hosts,dc=samjung,dc=com?one

13. Per-host and per-user access restriction
Access can be restricted for particular hosts and users; there are two methods.
The first specifies the users allowed on a particular host (users a, b and c may log in to server a); the second specifies the hosts a particular user may log in to (user a may log in to servers X, Y and Z).
In practice the second is more convenient: the first requires configuring each client individually, while the second keeps the same configuration on every client and makes the changes on the LDAP server.
13.1. Restricting the hosts a particular user may log in to (pam_check_host_attr)
Set pam_check_host_attr yes in /etc/ldap.conf (not in /etc/openldap/ldap.conf).
When adding a user, list the hosts it may log in to in the host attribute. Specifying an IP address here did not work; the exact domain name must be given.

    # test, people, samjung.com
    dn: uid=test,ou=people,dc=samjung,dc=com
    ... (middle omitted) ...
    host: kldp.org
    host: cent3.tunelinux.pe.kr

The PAM configuration does not need to change.
13.2. Restricting the users allowed on a particular host (pam_groupdn)
ou=hosts must exist first.

    # cat host.ldif
    dn: ou=hosts, dc=samjung, dc=com
    ou: hosts
    objectclass: organizationalUnit
    objectclass: domainRelatedObject
    associatedDomain: samjung.com

    # ldapadd -x -D 'cn=manager,dc=samjung,dc=com' -W -f host.ldif

Now enter the information for the host and its users. Below, the cn is linux.

    # cat iphost.ldif
    dn: cn=linux,ou=hosts,dc=samjung,dc=com
    objectClass: ipHost
    objectClass: device
    objectClass: extensibleObject
    ipHostNumber: 192.168.0.23
    cn: linux.samjung.com
    cn: linux
    member: uid=test,ou=people,dc=samjung,dc=com
    member: uid=test2,ou=people,dc=samjung,dc=com

    # ldapadd -x -D 'cn=manager,dc=samjung,dc=com' -W -f iphost.ldif

This allows only the test and test2 accounts on 192.168.0.23.
After entering this in LDAP, each LDAP client must be configured to use the feature by adding the following to /etc/ldap.conf, with the DN used above:

    pam_groupdn cn=linux,ou=hosts,dc=samjung,dc=com
    pam_member_attribute member

An entry like the one in iphost.ldif is added to LDAP for each LDAP client; afterwards only that entry needs to be edited.
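To compare the two models of 13.1 and 13.2 on the page's own entries, here is an added example (not code from the page or from pam_ldap): a minimal LDIF reader and the two decisions, pam_check_host_attr reading the host attribute of the user entry, and pam_groupdn/pam_member_attribute reading the member attribute of the host entry. The LDIF is constructed from the entries shown above. Two assumptions are built in and marked in the code: matching is a case-insensitive exact comparison, which is why an IP address does not match a hostname value (the behaviour the page reports), and a user with no host attribute at all is denied.

```python
# Added example: simple LDIF reader plus the two host-access decisions of 13.1/13.2.
# Not code from the page or from pam_ldap; the LDIF below is constructed from the
# page's entries.

SAMPLE_LDIF = """\
# test, people, samjung.com
dn: uid=test,ou=people,dc=samjung,dc=com
objectClass: account
objectClass: posixAccount
uid: test
host: kldp.org
host: cent3.tunelinux.pe.kr

dn: uid=test2,ou=people,dc=samjung,dc=com
objectClass: account
objectClass: posixAccount
uid: test2

dn: cn=linux,ou=hosts,dc=samjung,dc=com
objectClass: ipHost
objectClass: device
objectClass: extensibleObject
ipHostNumber: 192.168.0.23
cn: linux.samjung.com
cn: linux
member: uid=test,ou=people,dc=samjung,dc=com
member: uid=test2,ou=people,dc=samjung,dc=com
"""


def parse_ldif(text):
    """Parse plain LDIF (no base64 '::' values, no continuation lines) into
    {dn: {attribute: [values]}}.  Attribute names are kept as written."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:                 # a blank line ends the current entry
            current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip(), value.strip()
        if attr.lower() == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries


def _norm(s):
    return s.strip().lower()


def allowed_by_host_attr(entries, user_dn, hostname):
    """13.1 model (pam_check_host_attr yes): the user's own entry lists the hosts
    it may log in to.  Assumption: exact, case-insensitive name comparison, so an
    IP address never matches a hostname value; no host attribute at all -> deny."""
    hosts = entries.get(user_dn, {}).get("host", [])
    return _norm(hostname) in {_norm(h) for h in hosts}


def allowed_by_member(entries, group_dn, member_attr, user_dn):
    """13.2 model (pam_groupdn + pam_member_attribute): the host's entry lists the
    DNs of the users allowed on it."""
    members = entries.get(group_dn, {}).get(member_attr, [])
    return _norm(user_dn) in {_norm(m) for m in members}


if __name__ == "__main__":
    e = parse_ldif(SAMPLE_LDIF)
    u = "uid=test,ou=people,dc=samjung,dc=com"
    g = "cn=linux,ou=hosts,dc=samjung,dc=com"
    print("host attr:", allowed_by_host_attr(e, u, "cent3.tunelinux.pe.kr"))
    print("member   :", allowed_by_member(e, g, "member", u))
```

The two functions make the management difference of 13.4 visible: allowed_by_host_attr needs only the user entry and the client's own hostname, while allowed_by_member needs a per-client group DN (pam_groupdn), which is what has to be configured separately on every client.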
13.3.1. Related material
O'Reilly LDAP admin, p. 117
Among the Fedora Directory Server wiki documents, "System Access Control using LDAP backed NIS netgroup" http://directory.fedora.redhat.com/wiki/Howto:netgroup
13.3.2. NIS netgroups
NIS is a technology from Sun for managing many systems centrally; user accounts, groups, /etc/hosts and so on can be managed together.
NIS netgroups provide the following:

    # /etc/hosts.deny
    sshd: ALL
    # /etc/hosts.allow
    sshd: @sysadmin

The sysadmin netgroup above can be made up of individual hosts:

    sysadmin (a.com,-,-)(b.com,-,-)

or it can include other netgroups:

    all_sysadmin sysadmin secure_clients(a.com,-,-)

Each triple consists of host, user and NIS domain, and - means the field is omitted. The final NIS domain could be omitted and it still worked with LDAP and cfengine. With this, various tasks can be controlled per system group or per user group, and combinations of system groups and user groups are also possible.
13.3.3. Implementing netgroups in LDAP
In LDAP, netgroups are implemented with the structural nisNetgroup object class.
In nisNetgroup the RDN is cn, and there are two important attributes:
nisNetgroupTriple : specifies users (,love,samjung.com) or systems (cent.tunelinux.pe.kr,,samjung.com); multiple values are allowed.
memberNisNetgroup : includes other netgroups, so that large and small groups can be organised conveniently; also multi-valued.
First create the ou. Save the following as an LDIF file and load it with ldapadd.

    dn: ou=netgroup,dc=samjung,dc=com
    objectClass: organizationalUnit
    ou: netgroup

    dn: cn=sysadmin,ou=netgroup,dc=samjung,dc=com
    objectClass: nisNetgroup
    objectClass: top
    cn: sysadmin
    description: netgroup test group
    nisNetgroupTriple: (cent1.tunelinux.pe.kr,-,-)
    nisNetgroupTriple: (cent2.tunelinux.pe.kr,-,-)

    dn: cn=sysadmin2,ou=netgroup,dc=samjung,dc=com
    objectClass: nisNetgroup
    objectClass: top
    cn: sysadmin2
    description: netgroup test group2
    memberNisNetgroup: sysadmin
    memberNisNetgroup: sysadmin2

    dn: cn=allusers,ou=Netgroup,dc=samjung,dc=com
    objectClass: nisNetgroup
    objectClass: top
    cn: allusers
    nisNetgroupTriple: (,a,)
    nisNetgroupTriple: (,b,)
    description: All QA users in my organization

sysadmin groups the hosts cent1.tunelinux.pe.kr and cent2.tunelinux.pe.kr into a netgroup; sysadmin2 uses memberNisNetgroup to group the sysadmin and sysadmin2 netgroups.
nisNetgroupTriple and memberNisNetgroup can appear together in one entry.
allusers groups users a and b. As explained above, it worked without a NIS domain name.
The Fedora Directory Server wiki document "System Access Control using LDAP backed NIS netgroup" says the following:
http://directory.fedora.redhat.com/wiki/Howto:netgroup
Finally to enable the netgroup query, NISDOMAIN must be defined (in /etc/sysconfig/network) even though it is not used. This is required because the innetgr() call is used and it requires a nisdomainname as a parameter. Once the function resolves to LDAP via nsswitch.conf, the nisdomainname is no longer required.
After adding the necessary entries, add nss_base_netgroup to /etc/ldap.conf for netgroup lookups:

    nss_base_netgroup ou=netgroup,dc=samjung,dc=com?one

So that the OS can find netgroups, configure netgroup in /etc/nsswitch.conf:

    netgroup: ldap

Look up the netgroup entered above with getent:

    # getent netgroup sysadmin
    sysadmin (cent1.tunelinux.pe.kr, , ) (cent2.tunelinux.pe.kr, , )

With this configuration, sshd above can be made to accept connections only from hosts in the sysadmin netgroup.
13.3.4. Tying in PAM access control
Netgroups can be tied not only to TCP wrappers but also to PAM's access control.
This is described in detail in the Fedora Directory Server wiki.
With the same kind of entries as above, groups are formed per host and per user.
Make users bobby and joey into the QAUsers group:

    dn: cn=QAUsers,ou=Netgroup,dc=example,dc=com
    objectClass: nisNetgroup
    objectClass: top
    cn: QAUsers
    nisNetgroupTriple: (,bobby,example.com)
    nisNetgroupTriple: (,joey,example.com)
    description: All QA users in my organization

Make hosts qa01 and qa02 into the QASystems group:

    dn: cn=QASystems,ou=Netgroup,dc=example,dc=com
    objectClass: nisNetgroup
    objectClass: top
    cn: QASystems
    nisNetgroupTriple: (qa01,,example.com)
    nisNetgroupTriple: (qa02,,example.com)
    description: All QA systems on our network

In PAM, the /etc/security/access.conf file specifies which hosts and users may log in depending on the originating IP.
Refer to the PAM documentation for the details.
In access.conf a NIS netgroup is written as @netgroupname. Combining a host netgroup and a user netgroup, rather than using only one of them, has several conveniences.
The following lets QAUsers log in to QASystems from the 10.x.x.x network:

    + : @QAUsers@@QASystems : 10.

The following lets root log in only locally, lets the Admins netgroup log in from the 10.x network, and denies everything else:

    + : root : LOCAL
    + : @Admins : 10.
    - : ALL : ALL

13.3.5. Use in cfengine
cfengine is a program for automating various system tasks; please refer to separate material.
http://www.cfengine.org/docs/cfengine-Reference.html#groups
When NIS netgroups are used, the + or +@ notation is used. What is useful here is netgroup except: below, testgroup contains mynetgroup, and to leave particular hosts out of mynetgroup they are listed with the - sign.

    groups:
       science = ( +science-allhosts )
       physics = ( +physics-allhosts )
       physics_theory = ( +@physics-theory-sun4 dirac feynman schwinger )
       testgroup = ( +mynetgroup -specialhost -otherhost )

13.3.6.1. About host names
Even if a host is not registered in DNS, it works the same as long as it is in the hosts entries in LDAP.
13.3.6.2. Adding or changing nisNetgroupTriple
A problem came up in actual use. When trying to add a nisNetgroupTriple, the error "additional info: modify/add: nisNetgroupTriple: no equality matching rule" occurs.
In the attribute definition nisNetgroupTriple has no matching rule, which seems to be the cause.
Probably not a good approach, but I modified EQUALITY and SYNTAX in the schema; it still did not work properly.

    # cat mod.txt
    dn: cn=sysadmin2,ou=netgroup,dc=samjung,dc=com
    changetype: modify
    add: nisNetgroupTriple
    nisNetgroupTriple: (cent2.tunelinux.pe.kr,,)

    # ldapmodify -D "cn=manager,dc=samjung,dc=com" -W -x -v -f mod.txt
    ldap_initialize( <DEFAULT> )
    add nisNetgroupTriple:
            (cent2.tunelinux.pe.kr,,)
    modifying entry "cn=sysadmin2,ou=netgroup,dc=samjung,dc=com"
    modify complete
    ldap_modify: Inappropriate matching (18)
            additional info: modify/add: nisNetgroupTriple: no equality matching rule

nisNetgroupTriple attributetype:

    attributetype ( 1.3.6.1.1.1.1.13 NAME 'memberNisNetgroup'
        EQUALITY caseExactIA5Match
        SUBSTR caseExactIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

    attributetype ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple'
        DESC 'Netgroup triple'
        SYNTAX 1.3.6.1.1.1.0.0 )

nisNetgroupTriple values can be entered when the entry is created, and while only one value exists it can be modified or deleted, but additional values cannot be added afterwards.
This is judged to be caused by the missing matching rule; in that case the DN has to be deleted and added again as a new entry.
13.4. Which user access restriction method is best?
Specifying the users allowed per host (the pam_groupdn, pam_member_attribute setup) is inconvenient because the configuration differs on every client that is to be logged in to.
pam_check_host_attr, or NIS netgroups in LDAP, will be more convenient to manage.
Consider the advantages and disadvantages of each.
With pam_check_host_attr, the hosts each user may log in to are specified per user.
Everything is managed in LDAP and nothing beyond pam_check_host_attr in /etc/ldap.conf needs configuring, so the setup is simple.
But as the number of systems and users grows it becomes inconvenient unless a separate management tool is written.
With NIS netgroups the configuration is somewhat more complex, but groups of users and of systems can be created and adjusted as needed.
/etc/security/access.conf need not differ per system; the same content can be shared by all systems.
The base configuration stays identical, and adjustments for particular groups are made through LDAP.
One drawback: nisNetgroupTriple values can be entered at creation and modified or deleted while only one exists, but additional values cannot be added afterwards.
This is judged to be caused by the matching rule; in that case the DN has to be deleted and added again as a new entry.
Despite this inconvenience, it gives the strongest access control using only the stock features.
NIS netgroups can also be used by other programs such as cfengine.
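An added example that ties 13.3.3, 13.3.4 and 13.4 together (not code from the page, from glibc or from pam_access): an innetgr-style netgroup lookup that expands memberNisNetgroup recursively, with a guard so that the self-referencing sysadmin2 entry above terminates, and an evaluator for the access.conf rules shown in 13.3.4 (first matching line decides; no matching line permits, as pam_access does). The netgroup table is constructed from the page's LDIF entries plus an assumed Admins netgroup containing the user alice; LOCAL is taken to match an origin without a dot, and a prefix such as "10." matches origins starting with it.

```python
# Added example: netgroup expansion (innetgr-style) and access.conf evaluation.
# Not code from the page, glibc or pam_access.  Data is constructed from the
# page's entries; the "Admins" netgroup and user "alice" are assumed.

NETGROUPS = {
    "sysadmin":  {"triples": [("cent1.tunelinux.pe.kr", "", ""),
                              ("cent2.tunelinux.pe.kr", "", "")],
                  "members": []},
    # The page's sysadmin2 lists itself as a member: the lookup must not loop.
    "sysadmin2": {"triples": [], "members": ["sysadmin", "sysadmin2"]},
    "QAUsers":   {"triples": [("", "bobby", "example.com"), ("", "joey", "example.com")],
                  "members": []},
    "QASystems": {"triples": [("qa01", "", "example.com"), ("qa02", "", "example.com")],
                  "members": []},
    "Admins":    {"triples": [("", "alice", "")], "members": []},   # assumed
}

# The rules from 13.3.4, combined into one constructed access.conf.
ACCESS_CONF = """\
+ : @QAUsers@@QASystems : 10.
+ : root : LOCAL
+ : @Admins : 10.
- : ALL : ALL
"""


def _field_match(pattern, value):
    # An empty or "-" field in a triple is a wildcard; a query of None means "don't care".
    return value is None or pattern in ("", "-") or pattern == value


def innetgr(netgroups, name, host=None, user=None, domain=None, _seen=None):
    """True if (host, user, domain) is in netgroup `name`, following member netgroups."""
    _seen = set() if _seen is None else _seen
    if name in _seen or name not in netgroups:
        return False                      # unknown netgroup, or already visited (cycle)
    _seen.add(name)
    for h, u, d in netgroups[name]["triples"]:
        if _field_match(h, host) and _field_match(u, user) and _field_match(d, domain):
            return True
    return any(innetgr(netgroups, m, host, user, domain, _seen)
               for m in netgroups[name]["members"])


def _user_item_matches(item, user, hostname, netgroups):
    """One item of the users field: ALL, @usergroup, @usergroup@@hostgroup, or a name."""
    if item == "ALL":
        return True
    if item.startswith("@"):
        ug, _, hg = item[1:].partition("@@")
        if not innetgr(netgroups, ug, user=user):
            return False
        return not hg or innetgr(netgroups, hg, host=hostname)
    return item == user


def _origin_matches(pattern, origin):
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        return "." not in origin          # console/tty origins carry no dot
    return origin.startswith(pattern)     # "10." matches any 10.x.x.x address


def access_allowed(conf, user, hostname, origin, netgroups=NETGROUPS):
    """Evaluate access.conf top to bottom: first matching rule decides, no match permits."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = [p.strip() for p in line.split(":", 2)]
        if any(_user_item_matches(i, user, hostname, netgroups) for i in users.split()) \
                and any(_origin_matches(o, origin) for o in origins.split()):
            return perm == "+"
    return True


if __name__ == "__main__":
    print("sysadmin2 has cent2:", innetgr(NETGROUPS, "sysadmin2", host="cent2.tunelinux.pe.kr"))
    print("bobby on qa01 from 10.1.2.3:", access_allowed(ACCESS_CONF, "bobby", "qa01", "10.1.2.3"))
    print("bobby on web1 from 10.1.2.3:", access_allowed(ACCESS_CONF, "bobby", "web1", "10.1.2.3"))
```

The last two calls show why the combined form @QAUsers@@QASystems is useful: the same user is accepted on a QASystems host and refused by the final "- : ALL : ALL" line on any other host, with no per-host configuration.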
14. User management program: cpu
Users can also be changed with the passwd program. Creating users, however, has to be done by loading an LDIF file directly, with the cpu program, or with an LDAP administration tool. cpu is convenient for managing user accounts and groups.
http://cpu.sourceforge.net/ download the latest version

    [root@cent3 migration]# ll /usr/sbin/cpu
    -rwxr-xr-x 1 root root 12127 Feb 17 2005 /usr/sbin/cpu
    [root@cent3 migration]# chmod 700 /usr/sbin/cpu

openldap-devel is required.

    ./configure --prefix=/usr/local/cpu
    make
    make install

The program is now installed in /usr/local/cpu.

    # grep samjung /usr/local/cpu/etc/cpu.conf
    BIND_DN = cn=Manager,dc=samjung,dc=com
    USER_BASE = ou=People,dc=samjung,dc=com
    GROUP_BASE = ou=Group,dc=samjung,dc=com

Change the DNs as above.

    #HASH = "md5"
    HASH = "crypt"

Change HASH from md5 to crypt.
Enter the root password from slapd.conf here.

    BIND_PASS = xxxx
    MAX_UIDNUMBER = 10000
    MIN_UIDNUMBER = 1000
    MAX_GIDNUMBER = 10000
    MIN_GIDNUMBER = 1000

Change MIN_UIDNUMBER and MIN_GIDNUMBER from 100 to suitable values.

    # /usr/local/cpu/sbin/cpu useradd test
    # /usr/local/cpu/sbin/cpu userdel test
    $ /usr/local/cpu/sbin/cpu usermod -p test2
    [root@localhost openldap]# id test
    uid=1001(test) gid=1001(test) groups=1001(test)
    [root@localhost openldap]# /usr/local/cpu/sbin/cpu groupmod -g 1005 test
    Group test successfully modified!
    [root@localhost openldap]# id test
    uid=1001(test) gid=1001 groups=1001,1005(test)
    [root@localhost openldap]# /usr/local/cpu/sbin/cpu groupmod -n test222 test
    Group test222 successfully modified!
    [root@localhost openldap]# id test
    uid=1001(test) gid=1001 groups=1001,1005(test222)

For convenience, add it to the path:

    export PATH=$PATH:/usr/local/cpu/sbin
    export MANPATH=$MANPATH:/usr/local/cpu/man
    man cpu-ldap

cpu cat shows all users and groups.

    [root@cent ~]# cpu cat
    User Accounts
    ldaptest:x:1001:1001::/home/ldaptest:/bin/bash
    ldap2:x:1000:1002::/home/ldap2:/bin/bash
    Group Entries
    webdev:x:2000:
    test:x:1000:
    ldaptest:x:1001:
    ldap2:x:1002:

Changing a user's password:

    [root@cent ~]# cpu usermod -p ldaptest

For manageability it is better to create the needed groups first and then add users to them. By default a group with the same name is created when a user is created, so it is better to specify the group with the -g option at creation time. Alternatively, change the group after creating the user.

    [root@cent3 openldap]# cpu useradd -g test5 ilove
    [root@cent3 openldap]# cpu usermod -g test ilove

15. nfs and autofs setup
nfs and autofs are only needed when home directories are to be mounted automatically from a file server when the user logs in.
15.1. nfs server setup

    # cat /etc/exports
    /tmp 192.168.0.0/255.255.255.0(rw,sync)
    # /etc/init.d/nfs start

15.2. autofs setup
auto.master is the main file; it specifies the mount points and the detailed map files.
Below, access to /home consults /etc/auto.home, and auto.home mounts any subdirectory (*) of /home from the corresponding directory under nfs 192.168.0.24:/tmp.

    # cat /etc/auto.master
    /home /etc/auto.home --timeout=5
    # cat /etc/auto.home
    * -rw,soft,intr 192.168.0.24:/tmp/&

Setting up automount in LDAP to share the home directory (autofs must be set up beforehand):

    # cat auto.master.ldif
    dn: ou=auto.master,dc=samjung,dc=com
    objectClass: top
    objectClass: automountMap
    ou: auto.master

    dn: cn=/home,ou=auto.master,dc=samjung,dc=com
    objectClass: automount
    cn: /home
    automountInformation: ldap:ou=auto.home,dc=samjung,dc=com

    # ldapadd -x -D 'cn=manager,dc=samjung,dc=com' -W -f auto.master.ldif
    Enter LDAP Password:
    adding new entry "ou=auto.master,dc=samjung,dc=com"
    adding new entry "cn=/home,ou=auto.master,dc=samjung,dc=com"

    # cat auto.home.ldifc
    dn: ou=auto.home,dc=samjung,dc=com
    objectClass: top
    objectClass: automountMap
    ou: auto.home

    dn: cn=/,ou=auto.home,dc=samjung,dc=com
    objectClass: automount
    cn: /
    automountInformation: 192.168.0.24:/tmp/&

    # ldapadd -x -D 'cn=manager,dc=samjung,dc=com' -W -f auto.home.ldifc
    Enter LDAP Password:
    adding new entry "ou=auto.home,dc=samjung,dc=com"
    adding new entry "cn=test,ou=auto.home,dc=samjung,dc=com"

With this, /etc/auto.master can be changed to use LDAP:

    # cat /etc/auto.master
    #/home /etc/auto.home --timeout=5
    /home ldap:192.168.0.23:ou=auto.home,dc=samjung,dc=com --timeout=5

16.1. Setting up e-mail clients such as Outlook
The user information entered under ou=people,dc=samjung,dc=com above can be used in the address books of Outlook, Thunderbird and other clients.
16.1.1. Outlook
In Outlook Express go to Tools -> Accounts and choose Directory Service.
Give the directory service account a suitable name so it is easy to find.
Enter the LDAP server in the server name field.
For "login required", use an account created above such as ldaptest; enter uid=ldaptest,ou=people,dc=samjung,dc=com.
For the password, enter the password of that id.
I do not know whether login with Secure Password Authentication works.
Under Advanced, enter the search base: ou=people,dc=samjung,dc=com
Now in Outlook Express choose Addresses -> Find People, select the LDAP directory and enter the search terms.
16.1.2. Thunderbird
In Thunderbird, add a directory service under Account Settings -> Addressing -> Edit Directories.
Give it a suitable name so it is easy to find.
Enter the LDAP server in the host name field.
Enter ou=people,dc=samjung,dc=com as the base DN; this is the DN searches start from.
Enter the LDAP port number as the port.
Bind DN applies when authentication is used:
uid=ldaptest,ou=people,dc=samjung,dc=com
The password is entered when connecting.
16.1.3. Notes
Because the current default configuration gives read access to other users as well, address-book search works even without choosing "login required" in Outlook or a bind DN in Thunderbird.
This should be handled with ACLs in the LDAP server configuration.
Note that the e-mail clients are read-only, and it is inconvenient that a search is needed before use.
16.1.4. Web address book program

    include /etc/openldap/schema/extension.schema

/etc/labe/connect.conf is the configuration file for the LDAP connection; it holds the server address, port, bind and rootdn information. It is generated by running the script above.
16.1.5. Making the web address book readable only by authenticated users via ACLs
After changing to the ACL below, which gives no default access and read access only to users (entries that exist and presented a password), a bind is required to connect. The ACL part needs more study later.

    access to attr=userPassword
        by self write
        by anonymous auth
        by dn="cn=manager,dc=samjung,dc=com" write
        by * compare
    access to *
        by self write
        by dn="cn=manager,dc=samjung,dc=com" write
        by users read

Without read access for users above, no other information is visible either. defaultaccess none appears in the O'Reilly book and elsewhere, but as OpenLDAP versions advanced the behaviour seems to have changed so that access is denied when no ACL is set.
16.2. Using LDAP for Apache authentication

    [joon@localhost moniwiki]$ cat .htaccess
    AuthType Basic
    AuthName "joon wiki system"
    AuthLDAPURL ldap://localhost:389/ou=people,dc=samjung,dc=com?uid?sub?(objectClass=*)
    require valid-user

16.3. samba and LDAP integration
I searched Google and followed http://aput.net/~jheiss/samba/ldap.shtml, but it did not work. It looked time-consuming, so I skipped it.
17. ldap ¿¡¼ TLS »ç¿ëÇÑ ¾ÏÈ£È Åë½Å ¶Âü°íÀÚ·á
http://www.openldap.org/doc/admin23/tls.html
Centralize user accounts with OpenLDAP http://www-128.ibm.com/developerworks/library/l-openldap/index.html
17.1. ÀÎÁõ ¸ÞÄ¿´ÏÁò ¶LDAPv3 ¿¡¼´Â Ŭ¶óÀ̾ðÆ® ÀÎÁõ¿¡ ¿©·¯°¡Áö ¸ÞÄ«´ÏÁòÀ» »ç¿ëÇÑ´Ù.
17.2. ÀÎÁõ¼ »ý¼º ¶root CA °¡ ¾øÀ» °æ¿ì ¸ÕÀú »ý¼ºÀ» ÇØÁØ´Ù. ÇØ´ç Á¤º¸´Â ½Ã½ºÅÛ¿¡ ¸Â°Ô ÀûÀýÇÏ°Ô ¼öÁ¤À» ÇÑ´Ù. Common NameÀº ÇØ´ç ¼¹öÀÇ È£½ºÆ®¸íÀ» ÁöÁ¤ÇÑ´Ù.
# cd /usr/share/ssl/misc # ./CA -newca CA certificate filename (or enter to create) Making CA certificate ... Generating a 1024 bit RSA private key ............................................................++++++ .++++++ writing new private key to './demoCA/private/./cakey.pem' Enter PEM pass phrase: Verifying - Enter PEM pass phrase: ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [KO]: State or Province Name (full name) [gurogu]: Locality Name (eg, city) [seoul]: Organization Name (eg, company) [Samjung dataservice]: Organizational Unit Name (eg, section) [ITservice]: Common Name (eg, your name or your server's hostname) [cent3.tunelinux.pe.kr]: Email Address [joon@sds.co.kr]: ÀÌÁ¦ LDAP¼¹ö¿¡¼ »ç¿ëÇÒ ¼¹ö ÀÎÁõ¿äû¼(CSR)À» »ý¼ºÇÑ´Ù.
°³ÀÎÅ°´Â slapd-key.pem À¸·Î ÁöÁ¤ÇÏ°í slapd-req.pem ÀÌ CSRÀÌ´Ù. ¿©±â¼ nodes ¿É¼ÇÀ» ¾´°ÍÀº ldap¼¹ö¸¦ ³»¸®°í ¿Ã·ÁÁÙ¶§ ºñ¹Ð¹øÈ£¸¦ ³Ö¾îÁÖÁö ¾Êµµ·Ï Çϱâ À§ÇؼÀÌ´Ù.
openssl req -new -nodes -keyout slapd-key.pem -out slapd-req.pem -days 365 ÀÌÁ¦ ¾Õ¿¡¼ »ý¼ºÇÑ root CA·Î ÀÎÁõ¼ »çÀÎÀ» ÇÑ´Ù.
openssl ca -out slapd-cert.pem -infiles slapd-req.pem À§¿¡¼ »ý¼ºÇÑ ÀÎÁõ¼¸¦ ÀûÀýÇÑ µð·ºÅ丮·Î ¿Å±ä´Ù. Âü°í·Î CAÅ°´Â /etc/openldap/cacerts ¿¡ µÎ´Âµ¥ CA Å° ¸»°í ¾Æ·¡¿¡¼ slapdcert.pem µµ ÀÌ µð·ºÅ丮¿¡ µÎ¸é TLS ±â´ÉÀÌ Á¦´ë·Î ÀÛµ¿ÇÏÁö ¾Ê´Â´Ù. ÀÌ µð·ºÅ丮¿¡¼ ca Å°¸¦ ãµµ·Ï ÇØ ³õ¾Æ¼ ¿¡·¯°¡ ³ª´Â µíÇÏ´Ù. ÀÚ¼¼ÇÑ ÀÌÀ¯±îÁö´Â ¸ð¸£Áö¸¸ ´Ù¸¥ µð·ºÅ丮¿¡ µÎ¸é µÇ¹Ç·Î ÁÖÀǸ¸ ÇÏ¸é µÉ °ÍÀÌ´Ù.
# cp -p slapd-key.pem /etc/openldap/slapdkey.pem -> private key # cp -p slapd-cert.pem /etc/openldap/slapdcert.pem -> certificate # chown ldap:ldap /etc/openldap/slapdcert.pem # chmod 644 /etc/openldap/slapdcert.pem # chown ldap:ldap /etc/openldap/slapdkey.pem # chmod 400 /etc/openldap/slapdkey.pem # cp /usr/share/ssl/misc/demoCA/cacert.pem /etc/openldap/cacerts/cacert.pem -> CA certificate # chown ldap:ldap /etc/openldap/cacerts/cacert.pem # chmod 644 /etc/openldap/cacerts/cacert.pem ±ÍÂúÀº ÀÛ¾÷ÀÌ¶ó¼ º¹»çÇؼ ¾²°Ô ¾Æ·¡¿¡ Àû¾î³õ´Â´Ù. cp slapd-key.pem /etc/openldap/slapdkey.pem cp slapd-cert.pem /etc/openldap/slapdcert.pem chown ldap:ldap /etc/openldap/slapdcert.pem chmod 644 /etc/openldap/slapdcert.pem chown ldap:ldap /etc/openldap/slapdkey.pem chmod 400 /etc/openldap/slapdkey.pem cp /usr/share/ssl/misc/demoCA/cacert.pem /etc/openldap/cacerts/cacert.pem chown ldap:ldap /etc/openldap/cacerts/cacert.pem chmod 644 /etc/openldap/cacerts/cacert.pem ldap ¼¹ö¼³Á¤(slapd.conf)¿¡ ´ÙÀ½ ³»¿ëÀ» Ãß°¡ÇÑ´Ù. global ¼½¼Ç¿¡ Ãß°¡ÇÏ¸é µÈ´Ù.
TLSCipherSuite HIGH:MEDIUM:+SSLv2                       -> openssl ciphers
TLSCACertificateFile /etc/openldap/cacerts/cacert.pem   -> CA certificate
TLSCertificateFile /etc/openldap/slapdcert.pem          -> certificate
TLSCertificateKeyFile /etc/openldap/slapdkey.pem        -> private key

On the LDAP server, add the following to /etc/openldap/ldap.conf.
TLS_CACERTDIR /etc/openldap/cacerts
#TLS_REQCERT allow

TLS_REQCERT controls the checking of the server certificate in the TLS session. With allow, the session proceeds even if the server certificate is missing or invalid. With demand, the server certificate is requested and the session is terminated immediately if the certificate is missing or invalid. (man ldap.conf)
Stop and restart the ldap server.
Now, on the ldap client, add the following settings to /etc/ldap.conf. cacert.pem must have been copied to the ldap client system beforehand.
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/cacert.pem

tls_checkpeer requires a server certificate and verifies it (see the comments in the configuration file). Note that if authconfig is used for the client configuration, it sets tls_cacertdir /etc/openldap/cacerts instead. As above, the file can be specified directly with the tls_cacertfile option; alternatively, place the certificate in /etc/openldap/cacerts and authconfig automatically runs the c_rehash utility, which creates a hash-named symbolic link in that directory pointing to the certificate file.
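As an added example that is not part of the original document, the following Python audits the server-side (slapd.conf and /etc/openldap/ldap.conf) and client-side (/etc/ldap.conf) TLS settings described above for the pitfalls they mention: the server certificate placed inside the CA directory, TLS_REQCERT allow, tls_checkpeer no, and the SSLv2 entry in the cipher string. The configuration fragments are constructed weak and hardened variants, not the page's own files.

```python
import os

# Constructed fragments in the style of the slapd.conf, /etc/openldap/ldap.conf and
# /etc/ldap.conf settings above (weak and hardened variants); not the page's own files.
WEAK_SLAPD = """TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
TLSCertificateFile /etc/openldap/cacerts/slapdcert.pem
TLSCertificateKeyFile /etc/openldap/slapdkey.pem"""
WEAK_LDAP = "TLS_CACERTDIR /etc/openldap/cacerts\nTLS_REQCERT allow"
WEAK_CLIENT = "ssl start_tls\ntls_checkpeer no\ntls_cacertdir /etc/openldap/cacerts"
HARD_SLAPD = WEAK_SLAPD.replace("+SSLv2", "!SSLv2").replace("cacerts/slapdcert", "slapdcert")
HARD_LDAP = "TLS_CACERTDIR /etc/openldap/cacerts\nTLS_REQCERT demand"
HARD_CLIENT = "ssl start_tls\ntls_checkpeer yes\ntls_cacertfile /etc/openldap/cacerts/cacert.pem"


def parse_conf(text):
    """Read 'DIRECTIVE value' lines; directive names are case-insensitive in these files."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def audit_tls(slapd_conf, ldap_conf, client_conf):
    """Return one finding per weak TLS setting; an empty list means all checks passed."""
    s, l, c = parse_conf(slapd_conf), parse_conf(ldap_conf), parse_conf(client_conf)
    findings = []
    # The hashed CA directory must hold only CA certs: a server cert placed there breaks TLS (see above).
    cadir = l.get("tls_cacertdir") or os.path.dirname(s.get("tlscacertificatefile", ""))
    if cadir and os.path.dirname(s.get("tlscertificatefile", "")) == cadir.rstrip("/"):
        findings.append("TLSCertificateFile is inside the CA directory " + cadir)
    # '+SSLv2' only moves SSLv2 ciphers to the end of an OpenSSL cipher list; '!SSLv2' removes them.
    if "+sslv2" in s.get("tlsciphersuite", "").lower():
        findings.append("TLSCipherSuite still lists SSLv2 ciphers; use !SSLv2 to exclude them")
    # allow/never let the session continue with a missing or invalid server certificate.
    if l.get("tls_reqcert", "demand").lower() in ("never", "allow"):
        findings.append("TLS_REQCERT " + l["tls_reqcert"] + " does not enforce the server certificate")
    # nss_ldap/pam_ldap side: tls_checkpeer no skips verification of the server certificate.
    if c.get("tls_checkpeer", "").lower() == "no":
        findings.append("tls_checkpeer no disables client-side certificate verification")
    return findings


if __name__ == "__main__":
    for finding in audit_tls(WEAK_SLAPD, WEAK_LDAP, WEAK_CLIENT):
        print("WEAK:", finding)
    print("hardened findings:", audit_tls(HARD_SLAPD, HARD_LDAP, HARD_CLIENT))
```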
# ls -alF /etc/openldap/cacerts
total 16
drwxr-xr-x  2 root root 4096 Jan  4 13:15 ./
drwxr-xr-x  4 root root 4096 Jan  4 13:18 ../
-rw-r--r--  1 root root 1346 Jan  4 13:15 cacert.pem
lrwxrwxrwx  1 root root   10 Jan  4 13:14 cc9fe289.0 -> cacert.pem

Use whichever you prefer, but if you use authconfig, the automatically generated tls_cacertdir option is fine as well.

18.1. Caveats

openldap is fundamentally a single-master replication system: updates are made only on the master and the remaining servers are read-only. openldap does not currently support multi-master replication.
There are two replication methods: the traditional slurpd and the more recently supported LDAP Sync Replication. So far only slurpd has been tested.
In a test where the LDAP server on the slave was stopped, replication resumed normally once the slave came back, even after a brief network problem. However, this was only a quick test of a few minutes, so it is hard to judge reliability from this alone. Also, if a new value is entered on the master while the connection is down because of a network problem, it is not propagated to the slave automatically even after the connection is restored.
18.2. LDAP Sync Replication

LDAP Sync Replication is consumer-side replication, so a replica can be created without changing the configuration of, or restarting, the master (provider) server, which is convenient.
It appears to have several advantages over the slurpd method, but openldap 2.2.x as installed by default on RHEL and CentOS 4.4 has some limitations that make it inconvenient in practice. If this feature is needed it could probably be resolved by installing from source, but since I do not urgently need it, I did not test further. There are some differences and constraints between the 2.2 and 2.3 implementations.
http://www.openldap.org/doc/admin22/syncrepl.html (openldap 2.2 manual)
"While slapd (8) can function as the LDAP Sync provider only when it is configured with either back-bdb or back-hdb backend, the syncrepl engine, which is a consumer-side replication engine, can work with any backends."

http://www.openldap.org/doc/admin23/syncrepl.html (openldap 2.3 manual)
"The syncrepl engine, which is a consumer-side replication engine, can work with any backends. The LDAP Sync provider can be configured as an overlay on any backend, but works best with the back-bdb or back-hdb backend. The provider can not support refreshAndPersist mode on back-ldbm due to limits in that backend's locking architecture."

In 2.2 the master server needs back-bdb or back-hdb as its backend, while the slave has no backend restriction. In the rpm package back-bdb did not work, and support for it appears to have been left out. 2.3 has no such restriction, although it still recommends back-bdb or back-hdb as the backend. The configuration also differs slightly; see the manual.
18.3. Implementation steps
18.4. Master server configuration

On the master server, add the following to /etc/openldap/slapd.conf.
replogfile /var/lib/ldap/openldap-master-replog
replica uri=ldap://cent.tunelinux.pe.kr:389
        suffix="dc=samjung,dc=com"
        binddn="cn=replica,dc=samjung,dc=com"
        credentials=xxxx
        bindmethod=simple
        tls=yes

replogfile is the file in which slapd on the master server records changes. slurpd reads this file and sends the changes to the slave servers. Each slave server is specified with a replica directive.
root@master# slapcat -b "dc=samjung,dc=com" -l contents.ldif
...

Copy contents.ldif to the slave.

root@replica# slapadd -l contents.ldif

18.5. Slave server configuration

rootdn "cn=replica,dc=samjung,dc=com"
rootpw {SSHA}IgT24XXXXEGN9aaLhBduKPJCp
updatedn "cn=replica,dc=samjung,dc=com"
updateref ldap://cent3.tunelinux.pe.kr
18.6. Behaviour under replication

On the clients, specify both the master and the slave servers in the host setting of /etc/ldap.conf. On the slave, updateref causes an update request received by the slave to be referred to the master server. For example, the users under people above are allowed to change their own password. If such a user changes their password on the slave server, the request goes to the master; the master applies the update and it is then synchronized back to the slave server. The rootdn, however, operated directly.
19.1. GUI tool
19.2. Checking the logs

Set loglevel in slapd.conf.
296 = 256 (log connections/operations/results) + 32 (search filter processing) + 8 (connection management)
loglevel 256

Since LDAP uses the LOG_LOCAL4 syslog facility, configure /etc/syslog.conf as follows. The ldap log can also be written to a separate file; in that case log rotation has to be set up for it.

# grep local4 /etc/syslog.conf
local4.*    /var/log/messages

syslogd must then be restarted.
The openldap documentation does describe the log levels, but gives no detailed explanation of how to analyze the resulting logs. Since the mechanism is probably similar, the Red Hat Directory Server manual can be used instead: see Chapter 5, "Access Log and Connection Code Reference", in the "Configuration, Command, and File Reference" of the Red Hat Directory Server manual, which explains which error codes appear in the log entries.
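As an added example that is not part of the original document, the following Python decodes a numeric loglevel into the bits it is composed of (as computed above for 296) and scans lines in the format of loglevel 256 (stats) output for failed simple binds (err=49) and for simple binds sent before a TLS layer was established. The log lines are constructed samples, not a real capture; the hostname, pid and addresses are made up.

```python
import re
from collections import defaultdict

# slapd loglevel bits (slapd.conf(5)); a numeric loglevel is the sum of the bits it enables.
LOGLEVEL_BITS = {1: "trace", 2: "packets", 4: "args", 8: "conns", 16: "BER", 32: "filter",
                 64: "config", 128: "ACL", 256: "stats", 512: "stats2", 1024: "shell",
                 2048: "parse", 4096: "cache", 8192: "index"}

def decode_loglevel(level):
    """296 -> ['conns', 'filter', 'stats'], i.e. 8 + 32 + 256 as computed above."""
    return [name for bit, name in sorted(LOGLEVEL_BITS.items()) if level & bit]

# Constructed lines in the shape of loglevel 256 (stats) output; not a real capture.
SAMPLE_LOG = """Jan  4 13:20:01 cent3 slapd[2103]: conn=7 fd=12 ACCEPT from IP=192.0.2.10:40120 (IP=0.0.0.0:389)
Jan  4 13:20:01 cent3 slapd[2103]: conn=7 op=0 STARTTLS
Jan  4 13:20:01 cent3 slapd[2103]: conn=7 op=0 RESULT oid= err=0 text=
Jan  4 13:20:01 cent3 slapd[2103]: conn=7 fd=12 TLS established tls_ssf=256 ssf=256
Jan  4 13:20:01 cent3 slapd[2103]: conn=7 op=1 BIND dn="uid=joon,ou=people,dc=samjung,dc=com" method=128
Jan  4 13:20:01 cent3 slapd[2103]: conn=7 op=1 RESULT tag=97 err=0 text=
Jan  4 13:20:05 cent3 slapd[2103]: conn=8 fd=13 ACCEPT from IP=192.0.2.77:51002 (IP=0.0.0.0:389)
Jan  4 13:20:05 cent3 slapd[2103]: conn=8 op=0 BIND dn="uid=joon,ou=people,dc=samjung,dc=com" method=128
Jan  4 13:20:05 cent3 slapd[2103]: conn=8 op=0 RESULT tag=97 err=49 text=""".splitlines()

LOG_RE = re.compile(r"conn=(?P<conn>\d+) (?:fd=\d+ |op=(?P<op>\d+) )?(?P<msg>.*)$")
BIND_RE = re.compile(r'BIND dn="(?P<dn>[^"]*)" method=128')  # method 128 = simple bind
RESULT_RE = re.compile(r"RESULT tag=97 err=(?P<err>\d+)")     # tag 97 = BindResponse

def analyze_stats_log(lines):
    """Correlate ACCEPT/TLS/BIND/RESULT per connection; flag failed and cleartext simple binds."""
    peer, tls, pending = {}, set(), {}   # conn -> IP; conns with TLS; (conn, op) -> bind dn
    failed, cleartext = defaultdict(int), []  # IP -> err=49 count; (conn, dn) bound without TLS
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        conn, op, msg = m.group("conn"), m.group("op"), m.group("msg")
        bind, result = BIND_RE.match(msg), RESULT_RE.match(msg)
        if msg.startswith("ACCEPT from IP="):
            peer[conn] = msg.split("IP=")[1].split(":")[0]
        elif msg.startswith("TLS established"):
            tls.add(conn)
        elif bind:
            pending[(conn, op)] = bind.group("dn")
            if conn not in tls:
                cleartext.append((conn, bind.group("dn")))
        elif result and (conn, op) in pending:
            if result.group("err") == "49":  # LDAP invalidCredentials
                failed[peer.get(conn, "?")] += 1
            del pending[(conn, op)]
    return {"failed_binds": dict(failed), "cleartext_binds": cleartext}
```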
19.3. Dynamic server configuration support

openldap 2.3 also supports the slapd configuration in LDIF form, so the ldap server's settings can be changed while it is running. As of 2007-01-04 17:01:58 the rpm shipped with CentOS 4.4 is version 2.2.
19.4. Object Class Types

There are three object class types: Structural, Auxiliary and Abstract.
Note that each entry in an LDAP directory must have exactly one Structural object class. (O'Reilly LDAP admin, page 20)