· KLDP.org · KLDP.net · KLDP Wiki · KLDP BBS ·
LDAP-Tips

LDAP

¹®ÅÂÁØ 2007-01-04 16:57:22 http://tunelinux.pe.kr http://database.sarang.net

Contents

1. µé¾î°¡±âÀü¿¡
2. LDAP °³·«
3. ¹®¼­¼Ò°³
4. °ü·ÃÀÚ·á
4.1. LDAP Ãʺ¸ÀÚ¸¦ À§ÇÑ ±âÃÊÀÚ·á
4.2. LDAPÀ» ÀÌ¿ëÇÑ °èÁ¤ÅëÇÕ
4.3. ±âŸ Âü°íÀÚ·á
5. »çÀü È®ÀλçÇ×
5.1. Á¤Ã¥°áÁ¤
5.2. ¼³Ä¡ÇÁ·Î±×·¥
6. ldap ¼­¹ö¼³Á¤
7. ±âº» Á¤º¸ ÀÔ·Â
7.1. directory structure »ý¼º
7.2. ldap ÇÁ·Î±×·¥¿¡¼­ÀÇ ¿É¼ÇÂü°í
7.3. À§¿¡¼­ ÀÔ·ÂÇÑ ³»¿ëÀ» °Ë»öÇϱâ
8. °èÁ¤Ãß°¡Çϱâ
8.1. ldap À¸·Î ´ÜÀÏÇÑ ¸®´ª½º ·Î±×ÀÎ ¸¸µé±â
8.2. ·ÎÄà ÄÄÇ»ÅÍ »ç¿ëÀÚ ¿£Æ®¸® ¸¸µé±â
8.3. ±âÁ¸°èÁ¤Á¤º¸ ÀÌ¿ëÇÏ¿© ¸¶À̱׷¹À̼ÇÇϱâ
8.4. ±×·ì ¿£Æ®¸® ¸¸µé±â
9. ldap client ¼³Á¤
9.1. ldap client ¼³Á¤Çϱâ
9.2. group Á¤º¸Ç¥½Ã
10. »ç¿ëÀÚ È¨µð·ºÅ丮 ó¸®
11. /etc/hosts Á¤º¸ LDAP¿¡ ³Ö±â
12. ¼­¹ö, Ŭ¶óÀ̾ðÆ® ¸î°¡Áö ¿É¼Ç
12.1. ¼­¹ö¿¡¼­ °Ë»öÁ¦ÇÑÇϱâ
12.2. /etc/ldap.conf ÁÖ¿ä ¿É¼Ç¿¡ ´ëÇÏ¿©
13. È£½ºÆ®, »ç¿ëÀÚº° Á¢±ÙÁ¦ÇÑ
13.1. ƯÁ¤ È£½ºÆ®¿¡ Á¢¼Ó°¡´ÉÇÑ »ç¿ëÀÚ Á¦ÇÑÇϱâ
13.2. ƯÁ¤ È£½ºÆ®¿¡ Á¢¼Ó°¡´ÉÇÑ »ç¿ëÀÚ Á¦ÇÑÇϱâ
13.3. NIS netgroup »ç¿ëÇÏ¿© »ç¿ëÀÚ, È£½ºÆ®º° Á¢±ÙÁ¦ÇÑÇϱâ
13.3.1. °ü·ÃÀÚ·á
13.3.2. NIS netgroup ±â´É
13.3.3. LDAP ¿¡¼­ netgroup ±¸Çö
13.3.4. PAM Á¢±ÙÁ¦¾î ¿¬µ¿
13.3.5. cfengine ¿¡¼­ÀÇ »ç¿ë
13.3.6. Âü°í»çÇ×
13.3.6.1. host À̸§¿¡ ´ëÇÏ¿©
13.3.6.2. nisNetgroupTriple Ãß°¡, º¯°æ½Ã
13.4. »ç¿ëÀÚ Á¢±ÙÁ¦ÇÑ ¾î¶² ¹æ¹ýÀÌ ÁÁÀ»±î?
14. user º¯°æ ÇÁ·Î±×·¥ - cpu
15. nfs, autofs ¼¼ÆÃ
15.1. nfs ¼­¹ö ¼¼ÆÃ
15.2. autofs ¼¼ÆÃ
16. °¢Á¾ ¾ÖÇø®ÄÉÀÌ¼Ç LDAP ¿¬µ¿
16.1. outlook µî À̸ÞÀÏŬ¶óÀ̾ðÆ® ¼¼ÆÃÇϱâ
16.1.1. ¾Æ¿ô·è
16.1.2. ¼±´õ¹öµå
16.1.3. Âü°í»çÇ×
16.1.4. À¥ÁÖ¼Ò·Ï ÇÁ·Î±×·¥
16.1.5. À¥ÁÖ¼Ò·Ï ACL ¼³Á¤À¸·Î ÀÎÁõµÈ »ç¿ëÀÚ¸¸ Àеµ·Ï Çϱâ
16.2. ¾ÆÆÄÄ¡ ÀÎÁõ¿¡ LDAP »ç¿ëÇϱâ
16.3. samba, ldap ¿¬µ¿
17. ldap ¿¡¼­ TLS »ç¿ëÇÑ ¾Ïȣȭ Åë½Å
17.1. ÀÎÁõ ¸ÞÄ¿´ÏÁò
17.2. ÀÎÁõ¼­ »ý¼º
18. replication ±¸Çö
18.1. ÁÖÀÇ»çÇ×
18.2. LDAP Sync Replication
18.3. ±¸Çö¼ø¼­
18.4. ¸¶½ºÅͼ­¹ö ¼³Á¤
18.5. ½½·¹À̺꼭¹ö ¼³Á¤
18.6. ¸®Çø®ÄÉÀ̼ǽà ÀÛµ¿¹æ½Ä
19. ±âŸ
19.1. GUI tool
19.2. ·Î±×È®ÀÎ
19.3. µ¿ÀûÀÎ ¼­¹ö¼³Á¤ Áö¿ø
19.4. Object Class Types
19.5. Á¢±ÙÁ¦¾î
19.6. db »ý¼º, °ü¸®ÇÁ·Î±×·¥
19.7. nscd ³×ÀÓ¼­ºñ½º ij½³ ´ë¸ó »ç¿ëÇϱâ

1. µé¾î°¡±âÀü¿¡

º» ¹®¼­¸¦ óÀ½¿¡´Â ¸ð´ÏÀ§Å°·Î ÀÛ¼ºÇÏ´Ù°¡ »ç³» À§Å°°¡ ¹Ù²î¾ú½À´Ï´Ù. ±×·¡¼­ ÀϺΠ¼öÁ¤ÇÑ ³»¿ëÀº ¾Æ·¡¿¡ µé¾î°¡ÀÖÁö ¾Ê°í ÀÏÀÏÀÌ º¯È¯ÇϱⰡ ºÒÆíÇϳ׿ä.

¼öÁ¤µÈ ÃÖÁ¾ ³»¿ëÀº ¾Æ·¡ url¿¡¼­ ¹ÞÀ¸½Ã¸é µË´Ï´Ù. (2007.3.30) [http] LDAPÀ» ÀÌ¿ëÇÑ °èÁ¤ÅëÇÕ, °¢Á¾ ¾ÖÇø®ÄÉÀÌ¼Ç ¿¬µ¿

2. LDAP °³·«

  • LDAP ¿ëµµ´Â ¹«¾ùÀΰ¡ : Àб⿡ ÃÖÀûÈ­µÇ¾îÀÖ½À´Ï´Ù. µð·ºÅ丮±¸Á¶¿¡ À¯¿ëÇÕ´Ï´Ù. (ÀÎÅͳÝȸ»ç¿¡¼­ DHCP ·Î ipÇÒ´çÇÏ´Â Á¤º¸ÀúÀå, ÀÎÁõ¼­ Á¤º¸ÀúÀå µî¿¡ »ç¿ëµÇ°í ÀÖ½À´Ï´Ù)
  • LDAPÀ» °¡Áö°í È°¿ëÇÒ ¼ö ÀÖ´Â °ÍÀº?
    • »ç¿ëÀÚÁ¤º¸ÅëÇÕ : os°èÁ¤, À̸ÞÀÏ°èÁ¤, ftp, http, outlookÀÇ Áּҷϵî ÅëÇÕ°¡´É. OS°èÁ¤ÀÇ °æ¿ì È£½ºÆ®¿Í »ç¿ëÀÚ Á¶ÇÕÀ¸·Î Á¢¼ÓÁ¦ÇÑÀ» ÇÒ ¼ö ÀÖÀ½.
    • Âü°í·Î À©µµ¿ìÁîÀÇ Active Directory´Â LDAP°ú Ä¿¹ö·¯½º¸¦ ÀÌ¿ëÇÔ. LDAPÀº °èÁ¤ÅëÇÕ, °¢Á¾ Á¤º¸ÅëÇÕ¿¡ »ç¿ëÀ» ÇÏ°í Ä¿¹ö·¯½º´Â ½Ì±Û»çÀοÂ(SSO)¿¡ »ç¿ëÀ» ÇÔ. Ä¿¹ö·¯½º¸¦ ÀÌ¿ëÇÏ¿© ³×Æ®¿öÅ©¸¦ ÅëÇØ Æнº¿ö½º¸¦ º¸³»Áö ¾Ê°í Å°¼­¹ö¸¦ ÅëÇÏ¿© Åë½ÅÀ» ÇÏ°í ƼÄÏÀ» ¹ß±ÞÇÑ ÀÏÁ¤ÇÑ ½Ã°£µ¿¾ÈÀº ÇÊ¿äÇÑ ÀÚ¿ø¿¡ ´ëÇÑ º°µµ ·Î±×ÀÎÀÌ ÇÊ¿ä¾øÀ½.

3. ¹®¼­¼Ò°³

  • º» ³»¿ëÀº Redhat Enterprise Linux 3, CentOS4.4 ¿¡¼­ Å×½ºÆÃÀ» ÇÑ ³»¿ëÀÌ¸ç ´Ù¸¥ ¸®´ª½º ¹èÆ÷ÆÇ¿¡¼­µµ ºñ½ÁÇÏ°Ô Àû¿ëÀÌ °¡´ÉÇÕ´Ï´Ù. PAM ¼³Á¤µîÀº ½Ã½ºÅÛ¿¡ µû¶ó ´Ù¸¦ ¼ö ÀÖ½À´Ï´Ù.
  • LDAP ¿¡ ´ëÇÑ ¼Ò°³°¡ ¾Æ´Ï¹Ç·Î ÀÌ¿¡ ´ëÇÑ ¼³¸íÀº ´Ù¸¥ ¹®¼­¸¦ Âü°íÇϽñ⠹ٶø´Ï´Ù.
  • openldapÀ» ÀÌ¿ëÇÏ¿© °èÁ¤ÅëÇÕÀ» ÇÏ´Â ºÎºÐ¿¡ ´ëÇÑ ÀÚ·á´Â ¿©·¯°¡Áö°¡ Àִµ¥ ÀÌ ¹®¼­´Â °Å±â¿¡ Ãß°¡·Î ÇÊ¿äÇÑ »ó¼¼ÇÑ ³»¿ëÀ» ´ã¾Ò½À´Ï´Ù.
  • LDAPÀ» ÀÌ¿ëÇÑ »ç¿ëÀÚ ÀÎÁõ ÅëÇÕ (id, group, hosts)
  • »ç¿ëÀÚº°, È£½ºÆ®º° »ç¿ëÀÚ Á¢¼Ó Á¦ÇÑ
  • ¾ÆÀ̵ð, ±×·ì°ü¸® ÇÁ·Î±×·¥(cpu)
  • ldap replication (1 master, 1 slave)
  • TLS »ç¿ëÇÑ ¾ÏȣȭÅë½Å
  • nfs, autofs ÀÌ¿ëÇÑ »ç¿ëÀÚ È¨µð·ºÅ丮 °øÀ¯
  • outlook µî ÁÖ¼Ò·Ï È°¿ë
  • ¾ÆÆÄÄ¡ ÀÎÁõ È°¿ë
  • ·Î±×È®ÀÎ(syslog)
  • gui °ü¸® ÇÁ·Î±×·¥
  • 2007-01-07 16:36:50 NIS ±â´ÉÀ¸·Î È£½ºÆ® Á¢±ÙÁ¦ÇÑ Ãß°¡

4. °ü·ÃÀÚ·á

4.1. LDAP Ãʺ¸ÀÚ¸¦ À§ÇÑ ±âÃÊÀÚ·á

  • LDAP¿¡ ´ëÇÑ ÇѱÛÀÚ·á´Â DSNÀÇ ÀÚ·á 1°³¿Í KLDPÀÇ LDAP ÇÏ¿ìÅõ ¹× ±âŸ ¸î°³ÀÇ ¹®¼­°¡ ÀÖ½À´Ï´Ù. »ó¼¼ÇÑ ³»¿ëÀº ¿µ¹®ÀڷḦ º¸¾Æ¾ß ÇÕ´Ï´Ù.
  • http://database.sarang.net/?inc=read&aid=1243&criteria=ldap&subcrit=tutorials&id=&limit=20&keyword=&page=1 : LDAPÀÇ ¸ðµç°Í ver 20011126. DSN¿¡ 2001³â ¿Ã¶ó¿Ô´ø ldap Àü¹ÝÀûÀÎ ÀÚ·á. ±¹³»¿¡ ldap ¿¡ ´ëÇÑ ÇѱÛÀÚ·á°¡ º°·Î ¾ø´Âµ¥ ±×³ª¸¶ »ó¼¼ÇÏ°Ô ldap ¿¡ ´ëÇÑ ¼³¸íÀÌ µéÀº Çѱ۹®¼­ÀÔ´Ï´Ù. ÀüüÀûÀ¸·Î´Â LDAP±âÃʺÎÅÍ ±âº»ÀûÀÎ »ç¿ë¹ýÀ» ´ã°í ÀÖ¾î óÀ½¿¡ Âü°í¸¦ ÇÒ ¸¸ ÇÕ´Ï´Ù.
  • http://wiki.kldp.org/wiki.php/LinuxdocSgml/LDAP-HOWTO : KLDP LDAP ÇÏ¿ìÅõÀÚ·á
  • O'REILLY ÀÇ LDAP System Administration ¼­Àû : LDAP Àü¹ÝÀûÀÎ ¼³¸íÀ» ´ã°í ÀÖÀ¸¸ç °¢Á¾ ¾ÖÇø®ÄÉÀ̼ÇÀ» ldapÀ¸·Î ÅëÇÕÇÏ´Â °æ¿ì¿¡ ´ëÇÑ »ó¼¼ÇÑ ÀڷḦ Á¦°øÇÏ°í ÀÖÀ½
  • http://www.openldap.org/doc/admin23/ openldap ¹®¼­ : openldap¿¡ ´ëÇÑ ±âº» »ç¿ë¹ýÀº openldap ¿¡¼­ Á¦°øÇÏ´Â ¹®¼­¸¦ Âü°í

4.2. LDAPÀ» ÀÌ¿ëÇÑ °èÁ¤ÅëÇÕ

4.3. ±âŸ Âü°íÀÚ·á

  • http://www.redhat.com/docs/manuals/dir-server/ ·¹µåÇÞÀÇ LDAP ¹®¼­. Administrator's Guide µîÀº Âü°í·Î º¸¸é ÁÁÀ»µíÇϸç Deployment Guide ´Â ldap ¼³°è¿¡ ´ëÇÑ »ó¼¼ÇÑ ³»¿ëÀ» ´ã°í ÀÖ½À´Ï´Ù.
    • http://www.redhat.com/docs/manuals/dir-server/deploy/7.1/deployTOC.html Deployment Guide Red Hat Directory Server . µ¥ÀÌŸ µðÀÚÀÎ, ½ºÅ°¸¶ µðÀÚÀÎ, µð·ºÅ丮 Æ®¸® µðÀÚÀÎ, ÅäÆú¸®Áö µðÀÚÀÎ, ¸®Çø®ÄÉÀÌ¼Ç µðÀÚÀÎ, º¸¾È µðÀÚÀÎ, Æ©´× ¹× ÃÖÀûÈ­, ¿î¿µ°ü·Ã °áÁ¤»çÇ×
  • http://directory.fedora.redhat.com/ Æäµµ¸® µð·ºÅ丮 ¼­¹ö. ·¹µåÇÞ¿¡¼­ ³Ý½ºÄÉÀÌÇÁ µð·ºÅ丮¸¦ ÀμöÇÏ¿© Á¦Ç°È­ÇÑ °ÍÀÌ ·¹µåÇÞ µð·ºÅ丮 ¼­¹öÀ̸ç ÀÌ¿¡ ´ëÇÑ °ø°³¹öÀüÀÌ Æäµµ¸® µð·ºÅ丮 ¼­¹öÀÔ´Ï´Ù.

5. »çÀü È®ÀλçÇ×

5.1. Á¤Ã¥°áÁ¤

  • LDAP ¼³°èÇϱâ : µ¥ÀÌŸ µðÀÚÀÎ, ½ºÅ°¸¶ µðÀÚÀÎ, µð·ºÅ丮 Æ®¸® µðÀÚÀÎ, ÅäÆú¸®Áö µðÀÚÀÎ, ¸®Çø®ÄÉÀÌ¼Ç µðÀÚÀÎ, º¸¾È µðÀÚÀÎ, Æ©´× ¹× ÃÖÀûÈ­, ¿î¿µ°ü·Ã °áÁ¤»çÇ×
  • dc(suffix) Á¤Çϱâ : »ç¿ëÇÒ µµ¸ÞÀÎ rootdn ÀÇ Æнº¿öµå °áÁ¤
  • °èÁ¤Á¤Ã¥ : UID, GID ¹üÀ§

5.2. ¼³Ä¡ÇÁ·Î±×·¥

  • RPMÀ» ÀÌ¿ëÇÏ¿© ¼³Ä¡
    • openldap-devel : openldap °ú ¿¬°üµÈ ÇÁ·Î±×·¥À» °³¹ßÇÒ¶§ ÇÊ¿äÇÔ. cpu ÇÁ·Î±×·¥À» »ç¿ëÇØ¾ß ÇÒ °æ¿ì ÇÊ¿äÇÔ
    • openldap : OpenLDAP ¼­¹ö¿Í Ŭ¶óÀ̾ðÆ® ÇÁ·Î±×·¥À» ½ÇÇàÇϱâ À§ÇÑ ¶óÀ̺귯¸®
    • openldap-clients : client ÇÁ·Î±×·¥
    • openldap-servers : server ÇÁ·Î±×·¥
    • nss_ldap : NSS library and PAM module for LDAP

6. ldap ¼­¹ö¼³Á¤

/etc/openldap/slapd.conf ¿¡¼­ rootpw ¸¦ Ãß°¡ÇÔ. À̸¦ ÅëÇÏ¿© root ±ÇÇÑ ÀÎÁõ »ç¿ëÇÔ ¾Æ·¡ Æнº¿öµå´Â slappasswd ¸¦ ÀÌ¿ëÇÏ¿© »ý¼ºÇÔ

[root@localhost openldap]# grep -v "^#" slapd.conf
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
allow bind_v2

pidfile         /var/run/slapd.pid
argsfile        /var/run/slapd.args
loglevel        256

TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
TLSCertificateFile /etc/openldap/slapdcert.pem
TLSCertificateKeyFile /etc/openldap/slapdkey.pem

database        bdb
suffix          "dc=samjung,dc=com"
rootdn          "cn=manager,dc=samjung,dc=com"
rootpw                {SSHA}aaaaaamoxk2Sswm8NbHZbCx9LxextJ

directory       /var/lib/ldap

index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub

cachesize       2000

access to dn.subtree="dc=samjung,dc=com" attr=userPassword
        by self write
        by * auth
access to dn.subtree="ou=people,dc=samjung,dc=com"
        by * read
access to dn.subtree="ou=group,dc=samjung,dc=com"
        by * read
access to dn.subtree="ou=hosts,dc=samjung,dc=com"
        by * read
access to *
        by * auth

replogfile /var/lib/ldap/openldap-master-replog
replica uri=ldap://cent.tunelinux.pe.kr:389
        suffix="dc=samjung,dc=com"
        binddn="cn=replica,dc=samjung,dc=com"
        credentials=xxxxxx
        bindmethod=simple
        tls=yes

À§¿¡¼­ suffix ¸¦ Á¶Á¤ÇÏ°í rootdnµµ ÀÌ¿Í ¸ÂÃ߸ç rootpw ¸¦ ¼³Á¤ÇÏ¸é µÊ
# /etc/init.d/ldap start
Starting slapd:                                            [  OK  ]

À§¿¡¼­ Ãʱ⠼¼Æýà TLS ºÎºÐÀº »©µµ µÈ´Ù. ACI ´Â »ç¿ëÀÚºñ¹Ð¹øÈ£´Â ÀڽŸ¸ ¹Ù²Ü¼ö ÀÖµµ·Ï ÇÏ¿´°í people, group, hosts Á¤º¸´Â ´©±¸³ª ÀÐÀ» ¼ö ÀÖµµ·Ï ÇÏ¿´´Ù. replication ºÎºÐµµ Ãʱ⠼¼Æýà »©µµ µÈ´Ù.

{*} database backend ¸ðµâÀº ldbm, bdb µîÀÌ ÀÖ´Ù. bdb´Â openldap 2.1ºÎÅÍ µµÀÔÀÌ µÇ¾úÀ¸¸ç Berkeley DB4 ¶óÀ̺귯¸®¸¸ »ç¿ëÇϵµ·Ï ¸ÂÃß¾îÁ®ÀÖ´Ù. bdb °¡ ldbm¿¡ ºñÇØ ³´°í Çϴµ¥ ¾î¶² Á¡ÀÌ ³ªÀºÁö±îÁö´Â È®ÀÎÇÏÁö ¾Ê¾Ò´Ù.

7. ±âº» Á¤º¸ ÀÔ·Â

7.1. directory structure »ý¼º

¾Æ·¡ ³»¿ëÀ» top.ldif ·Î ÀúÀå
dn: dc=samjung,dc=com
objectclass: dcObject
objectclass: organization
o: samjung Company
dc:samjung

dn: cn=manager, dc=samjung, dc=com
objectclass: organizationalRole
cn: manager

dn: ou=people,  dc=samjung, dc=com
ou: people
objectclass: organizationalUnit
objectclass: domainRelatedObject
associatedDomain: samjung.com

dn: ou=contacts,ou=people,  dc=samjung, dc=com
ou: contacts
ou: people
objectclass: organizationalUnit
objectclass: domainRelatedObject
associatedDomain: samjung.com

dn: ou=group,  dc=samjung, dc=com
ou: group
objectclass: organizationalUnit
objectclass: domainRelatedObject
associatedDomain: samjung.com

À§¿¡¼­ ou=contacts ´Â ¾Æ·¡¿¡¼­ ½ÇÁ¦ »ç¿ëÇÏÁö´Â ¾ÊÀ¸¸ç À̸ÞÀÏÁÖ¼Ò·ÏÀ» ldapÀ» ÀÌ¿ëÇÒ °æ¿ì¿¡ »ç¿ëÇÏ¸é µÈ´Ù.

# ldapadd -x -D 'cn=manager,dc=samjung,dc=com' -W -f top.ldif 
Enter LDAP Password: 
adding new entry "dc=samjung,dc=com"

adding new entry "cn=manager, dc=samjung, dc=com"

adding new entry "ou=people,  dc=samjung, dc=com"

adding new entry "ou=contacts,ou=people,  dc=samjung, dc=com"

adding new entry "ou=group,  dc=samjung, dc=com"


7.2. ldap ÇÁ·Î±×·¥¿¡¼­ÀÇ ¿É¼ÇÂü°í

** -w password ·Î Çصµ µÊ. -W ´Â ¸í·ÉÇà¿¡¼­ ÀÔ·Â
-x : simple authentication. ±âº»ÀÎÁõ¹æ½ÄÀÓ -D : binddn ÁöÁ¤ -f file : ÆÄÀÏ¿¡¼­ ÀÔ·ÂÀ» ¹ÞÀ» °æ¿ì »ç¿ë -W : prompt for simple authentication . ±âº»ÀÎÁõ¿¡¼­ ºñ¹Ð¹øÈ£¸¦ º°µµ ÀÔ·ÂÀ¸·Î ¹ÞÀ» °æ¿ì »ç¿ë -w : ºñ¹Ð¹øÈ£¸¦ ¸í·ÉÇà¿¡¼­ ¹Ù·Î ¿É¼ÇÀ¸·Î ÁÜ -b : searchbase °Ë»ö¹üÀ§ ÁöÁ¤

7.3. À§¿¡¼­ ÀÔ·ÂÇÑ ³»¿ëÀ» °Ë»öÇϱâ

# ldapsearch -x -b 'dc=samjung,dc=com'
version: 2

#
# filter: (objectclass=*)
# requesting: ALL
#

# samjung, com
dn: dc=samjung,dc=com
objectClass: dcObject
objectClass: organization
o: samjung Company
dc: samjung

Áß·«...

# search result
search: 2
result: 0 Success

# numResponses: 6
# numEntries: 5

8. °èÁ¤Ãß°¡Çϱâ

8.1. ldap À¸·Î ´ÜÀÏÇÑ ¸®´ª½º ·Î±×ÀÎ ¸¸µé±â

¸ÕÀú °èÁ¤Á¤Ã¥À» °áÁ¤ÇÑ´Ù. ¾Æ·¡¿¡¼­´Â ´ÙÀ½°ú °°ÀÌ ÇÏ¿´´Ù°í °¡Á¤ÇÑ´Ù.

System accounts : UID < 500 Real people in LDAP : 499 < UID < 10,000 Local users, groups (not in LDAP ) > 10,000

8.2. ·ÎÄà ÄÄÇ»ÅÍ »ç¿ëÀÚ ¿£Æ®¸® ¸¸µé±â

ldaptest ¶ó´Â °èÁ¤À» ¸¸µé¸ç uid 1000 gid 1000À¸·Î ÇÏ°í Ȩµð·ºÅ丮´Â /home/ldaptest ·Î ÇÔ
# cat people.ldif 
# ldaptest, people, samjung.com
dn: uid=ldaptest,ou=people,dc=samjung,dc=com
cn: ldaptest
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/ldaptest
loginShell: /bin/bash
shadowLastChange: 11192
shadowMin: -1
shadowMax: 99999
shadowWarning: 7
shadowInactive: -1
shadowExpire: -1
shadowFlag: 134538308
uid: ldaptest
userPassword: {crypt}$1$OQAQLKrD$ktucNP.aAo/w5gbuAIV6H1

¾Æ·¡¿Í °°ÀÌ Ãß°¡ÇÏ¿©ÁÜ
# ldapadd -x -D 'cn=manager,dc=samjung,dc=com' -W -f people.ldif 
Enter LDAP Password: 
adding new entry "uid=ldaptest,ou=people,dc=samjung,dc=com"

¾Æ·¡¿Í °°ÀÌ °Ë»öÇÔ
# ldapsearch -x -b "dc=samjung,dc=com" "(objectclass=*)"

»ç¿ëÀÚ Áö¿ì±â
ldapdelete -x  -D 'cn=manager,dc=samjung,dc=com'  'uid=ldaptest,ou=people,dc=samjung,dc=com' -W


8.3. ±âÁ¸°èÁ¤Á¤º¸ ÀÌ¿ëÇÏ¿© ¸¶À̱׷¹À̼ÇÇϱâ

/usr/share/openldap/migration/ µð·ºÅ丮¿¡ ±âÁ¸ÀÇ Á¤º¸¸¦ ¸¶À̱׷¹À̼ÇÇϱâ À§ÇÑ ÇÁ·Î±×·¥ÀÌ ÀÖ´Ù. »çÀü¿¡ migrate_common.ph ¿¡¼­ ¸î°¡Áö ¿É¼ÇÀ» ¼öÁ¤ÇÔ. migrate_common.ph °¡ º¯°æÇÑ ÇÁ·Î±×·¥ÀÌ°í migrate_common.ph.orig °¡ ¿ø·¡ÀÇ ¼³Á¤ÀÌ´Ù.
# diff migrate_common.ph migrate_common.ph.orig
71c71
< $DEFAULT_MAIL_DOMAIN = "sds.co.kr";
---
> $DEFAULT_MAIL_DOMAIN = "padl.com";
74c74
< $DEFAULT_BASE = "dc=samjung,dc=com";
---
> $DEFAULT_BASE = "dc=padl,dc=com";
90c90
< $EXTENDED_SCHEMA = 1;
---
> $EXTENDED_SCHEMA = 0;

/usr/share/openldap/migration/migrate_passwd.pl /etc/passwd
/usr/share/openldap/migration/migrate_group.pl /etc/group

ÀÌ ÇÁ·Î±×·¥À¸·Î passwd, gorup »Ó¸¸ ¾Æ´Ï¶ó /etc/networks, /etc/protocols, /etc/services, /etc/netgroup µîµµ °¡´ÉÇÏ´Ù. ³ªÁß¿¡ /etc/hosts ¸¦ LDAPÀ¸·Î ÀÌÀüÇÏ´Â °÷¿¡¼­ ´Ù½Ã ¼³¸íÀ» ÇÑ´Ù.

8.4. ±×·ì ¿£Æ®¸® ¸¸µé±â

# cat group.ldif 
dn: cn=webdev,ou=group,dc=samjung,dc=com
objectClass: posixGroup
objectClass: top
cn: webdev
gidNumber: 2000
memberUid: ldaptest

# ldapadd  -x -D 'cn=manager,dc=samjung,dc=com' -W -f group.ldif 
Enter LDAP Password: 
adding new entry "cn=webdev,ou=group,dc=samjung,dc=com"

2000 gid ¿¡ ÇØ´çÇÏ´Â webdev ±×·ìÀ» ¸¸µé±â ldaptest ¸¦ ÀÌ ±×·ì¿¡ ³Ö¾îÁÜ

¾Æ·¡¿Í °°ÀÌ °Ë»öÇÔ # ldapsearch -x -b 'dc=samjung,dc=com'

9. ldap client ¼³Á¤

9.1. ldap client ¼³Á¤Çϱâ

authconfig ÀÌ¿ëÇÏ¿© ¼³Á¤ÇÑ´Ù. ÀÌ ÇÁ·Î±×·¥À» ÀÌ¿ëÇϸé /etc/ldap.conf , /etc/nsswitch.conf, /etc/sysconfig/authconfig, /etc/pam.d/system-auth ÆÄÀÏÀ» ÀÚµ¿À¸·Î ¹Ù²Ù¾îÁØ´Ù.

User Information Configuration ¿¡¼­ Use LDAP ¼±Åà -> Next -> Authentication Configuration ¿¡¼­ Use LDAP Authentication »ç¿ëÇÔ. Server ¹× Base DN¿¡ Àû´çÇÏ°Ô °ªÀ» ³ÖÀ½. ¿©±â¼­´Â dc=samjung,dc=com start_tls ´Â ³ªÁß¿¡ ´Ù½Ã ¼³¸íÇÑ´Ù.

# diff /etc/ldap.conf.orig /etc/ldap.conf
18c18
< base dc=example,dc=com
---
> base dc=samjung,dc=com


# diff /etc/openldap/ldap.conf.orig /etc/openldap/ldap.conf
16c16
< BASE dc=example,dc=com
---
> BASE dc=samjung,dc=com

# diff /etc/nsswitch.conf.orig /etc/nsswitch.conf
33,35c33,35
< passwd:     files
< shadow:     files
< group:      files
---
> passwd:     files ldap
> shadow:     files ldap
> group:      files ldap
53c53
< protocols:  files
---
> protocols:  files ldap
55c55
< services:   files
---
> services:   files ldap
57c57
< netgroup:   files
---
> netgroup:   files ldap
61c61
< automount:  files
---
> automount:  files ldap

/etc/ldap.conf´Â ldap Ŭ¶óÀ̾ðÆ® ¼³Á¤¿¡¼­ ÇÊ¿äÇѵ¥ ¸î°¡Áö Ãß°¡¿É¼ÇÀÌ ÀÖ´Ù. ±âº»¼³Á¤Àº base, hosts ¸¸ ¹Ù²Ù¸é ÀÛµ¿Çϴµ¥ ¾Æ·¡´Â ¸î°¡Áö¸¦ Ãß°¡ÇÏ¿´´Ù. start_tls ¸¦ ÀÌ¿ëÇÏ¿© tls ¼³Á¤, pam_check_host_attr ¸¦ ÀÌ¿ëÇÏ¿© »ç¿ëÀÚº° ¼­¹öÁ¢¼ÓÁ¦ÇÑ, pam_filter , pam_login_attribute ¸¦ ÀÌ¿ëÇÏ¿© »ç¿ëÀÚ°Ë»ö½Ã »ç¿ëÇÒ objectclass¿Í login ¾ÖÆ®¸®ºäÆ®¸¦ ¼³Á¤ÇÏ¿´´Ù. ¶ÇÇÑ nss_base ¸¦ ÀÌ¿ëÇÏ¿© ÇØ´ç Á¤º¸¿¡ ´ëÇÏ¿© ºü¸£°Ô °Ë»öÇÒ ¼ö ÀÖµµ·Ï ±âº» ÇÊÅ͸¦ ¼³Á¤ÇÏ¿´´Ù. Ãʱâ Å×½ºÆÃÀ» ÇÒ °æ¿ì¿¡´Â ¾Æ·¡¿Í °°ÀÌ ¿É¼ÇÀ» ÇÒ ÇÊ¿ä´Â ¾ø´Ù.

# grep -v "^#" /etc/ldap.conf
host cent3.tunelinux.pe.kr
base dc=samjung,dc=com
timelimit 120
bind_timelimit 120
idle_timelimit 3600

ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/cacert.pem

pam_password md5

pam_check_host_attr yes

pam_filter objectclass=posixAccount
pam_login_attribute uid

nss_base_passwd         ou=people,dc=samjung,dc=com?one
nss_base_shadow         ou=people,dc=samjung,dc=com?one
nss_base_group          ou=group,dc=samjung,dc=com?one
nss_base_hosts          ou=hosts,dc=samjung,dc=com?one
nss_base_netgroup       ou=netgroup,dc=samjung,dc=com?one

Âü°í·Î ldap ¼­¹ö¸¦ replication µîÀ» ÀÌ¿ëÇÏ¿© ¿©·¯´ë¸¦ »ç¿ëÇÏ´Â °æ¿ì host ¿¡¼­ ½ºÆäÀ̽º¸¦ ÀÌ¿ëÇØ ¿©·¯ ¼­¹ö¸¦ ÁöÁ¤ÇÏ¸é µÈ´Ù. authconfig¿¡¼­´Â Áß°£¿¡ , ¸¦ ÀÌ¿ëÇÏ¿© ¿©·¯ ¼­¹ö¸¦ ÁöÁ¤ÇÑ´Ù.
# grep ^host /etc/ldap.conf
host cent3.tunelinux.pe.kr cent.tunelinux.pe.kr

9.2. group Á¤º¸Ç¥½Ã

/etc/ldap.conf¿¡ host, base Á¤º¸¸¸ ³ÖÀº °æ¿ì id µî¿¡¼­ ±×·ìÁ¤º¸°¡ º¸ÀÌÁö ¾Ê°í ¼ýÀڷθ¸ ³ª¿Â °æ¿ì°¡ ÀÖ¾ú´Ù. ÀÌ°æ¿ì /etc/ldap.conf ¿¡¼­ ¹Ù·Î À§¿¡¼­ º¸µíÀÌ nss_base_group À» ¼³Á¤ÇØÁÖ¸é µÇ¾ú´Ù.
nss_base_group          ou=group,dc=samjung,dc=com?one

ÀÌ·¯ÇÑ Á¤º¸µéÀº getent ·Î È®ÀÎÇغ¸¸é µÈ´Ù. getent passwd, getent group µîÀ¸·Î È®ÀÎÇغ¸¸é µÈ´Ù.
# getent passwd
# getent group

10. »ç¿ëÀÚ È¨µð·ºÅ丮 ó¸®

LDAPÀ» ÀÌ¿ëÇÏ¿© »ç¿ëÀÚ ÀÎÁõÀ» ÇÏ´Â °æ¿ì »ç¿ëÀÚ LDIF ÆÄÀÏ¿¡¼­ Ȩµð·ºÅ丮¸¦ ÁöÁ¤ÇÑ´Ù°í ÇÏ´õ¶óµµ ½ÇÁ¦ µð·ºÅ丮°¡ »ý±âÁö´Â ¾Ê´Â´Ù. ÀÌ¿¡ ´ëÇÑ Ã³¸®¹æ¹ýÀº µÎ°¡Áö°¡ ÀÖ´Ù.
  • autofs ¿Í nfs¸¦ ÀÌ¿ëÇÏ¿© »ç¿ëÀÚ°¡ ·Î±×ÀÎÇÒ¶§ nfs¿¡¼­ ÀÚµ¿À¸·Î Ȩµð·ºÅ丮 ¸¶¿îÆ®Çϱâ : »ç¿ëÀÚ µ¥ÀÌÅ͵µ µ¿ÀÏÇÏ°Ô ¼³Á¤ÇÒ °æ¿ì Æí¸®ÇÔ.
  • pam ÀÇ ±â´ÉÀ» ÀÌ¿ëÇÏ¿© »ç¿ëÀÚ È¨µð·ºÅ丮°¡ ¾øÀ» °æ¿ì ÀÚµ¿À¸·Î »ý¼ºÇϱâ : /etc/pam.d/system-auth ¿¡ ´ÙÀ½ ¸ðµâÀ» Ãß°¡ÇØÁÖ¸é µÊ. umask ´Â ¾Æ·¡¿¡¼­´Â ±âº» 700À¸·Î »ý¼ºÇϵµ·Ï ¼³Á¤Çß°í ÇÊ¿ä¿¡ µû¶ó º¯°æÇÏ¸é µÊ
 session     optional      /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel umask=0077

11. /etc/hosts Á¤º¸ LDAP¿¡ ³Ö±â

/usr/share/openldap/migration/ ¿¡ °¢Á¾ ¸¶À̱׷¹ÀÌ¼Ç µµ±¸µéÀÌ ÀÖ´Ù. migrate_base.pl ´Â ¸¶À̱׷¹ÀÌ¼Ç °¡´ÉÇÑ °¢Á¾ ±âº»Á¤º¸¿¡ ´ëÇؼ­ º¸¿©ÁØ´Ù. migrate_base.pl ¸¦ ÀÌ¿ëÇÏ¿© hosts ¿¡ ´ëÇÑ ±âº»Á¤º¸¸¦ »Ì°í /etc/hosts Á¤º¸¸¦ º¯È¯ÇÏ¿© ldap¿¡ ³Ö¾îÁØ´Ù. ¼¼ºÎ¼³¸íÀº »ý·«ÇÏ°Ú´Ù.

# ./migrate_base.pl

dn: ou=Hosts,dc=samjung,dc=com
ou: Hosts
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: sds.co.kr

À§¿¡¼­ hosts¿¡ ÇØ´çÇÏ´Â ³»¿ëÀ» ldif ÆÄÀÏ·Î Çؼ­ ÀÔ·ÂÇØÁØ´Ù.

migrate_hosts.pl ´Â /etc/hosts Á¤º¸¸¦ ldif ÆÄÀÏ·Î ¹Ù²Ù¾îÁØ´Ù.
[root@cent3 migration]# ./migrate_hosts.pl /etc/hosts > hosts.ldif
dn: cn=localhost.localdomain,ou=Hosts,dc=samjung,dc=com
objectClass: top
objectClass: ipHost
objectClass: device
ipHostNumber: 127.0.0.1
cn: localhost.localdomain
cn: localhost

dn: cn=cent3.tunelinux.pe.kr,ou=Hosts,dc=samjung,dc=com
objectClass: top
objectClass: ipHost
objectClass: device
ipHostNumber: 222.112.137.138
cn: cent3.tunelinux.pe.kr
# ldapadd -x -D 'cn=manager,dc=samjung,dc=com' -W -f hosts.ldif
±×·±ÈÄ /etc/nsswitch.conf ¸¦ º¯°æÇÑ´Ù.
[root@cent3 migration]# grep hosts /etc/nsswitch.conf
#hosts:     db files ldap nis dns
#hosts:      files dns
hosts:      files dns ldap

ÀÌÁ¦ /etc/ldap.conf ¿¡¼­ hosts Á¤º¸¸¦ ãÀ» ¼ö ÀÖµµ·Ï Á¤º¸¸¦ º¯°æÇÑ´Ù.
[root@cent3 migration]# grep hosts /etc/ldap.conf
# Multiple hosts may be specified, each separated by a
#nss_base_hosts         ou=Hosts,dc=example,dc=com?one
nss_base_hosts          ou=hosts,dc=samjung,dc=com?one
[root@cent3 migration]# getent hosts 

{*} Å×½ºÆðúÁ¤Áß¿¡ ¹ß°ßÇÑ Áß¿äÇÑ ³»¿ëÀÌ ÀÖ´Ù. /etc/nsswitch.conf ¿¡¼­ hosts ¼³Á¤¼ø¼­°¡ Áß¿äÇÏ´Ù. ldap Ŭ¶óÀ̾ðÆ®¿¡¼­ ÀÚ½ÅÀÇ È£½ºÆ®³×ÀÓÀ» Ç®¾î¾ßÇÑ´Ù. À̶§¹®¿¡ dns Ç׸ñÀÌ ldap º¸´Ù ¾Õ¿¡ ¿À°Å³ª È£½ºÆ®¸íÀ» /etc/hosts ÆÄÀÏ¿¡ Àû¾îÁÖ¾î¾ß ÇÑ´Ù. ÀÌ·¸°Ô ÇÏÁö ¾ÊÀ¸¸é segmentation fault ¿¡·¯°¡ ³ª°í ÀÌÈĺÎÅÍ´Â id µî °¢Á¾ ÇÁ·Î±×·¥¿¡¼­ °è¼Ó ¼¼±×¸àÅ×ÀÌ¼Ç ÆúÆ®°¡ ³ª¸é¼­ ½Ã½ºÅÛ ÀÛµ¿ÀÌ ÀÌ»óÇØÁø´Ù.
# getent hosts
127.0.0.1       localhost.localdomain localhost
Segmentation fault


4.7.5.1 Host Resolving (2) looping resolver - segmentation fault The order within /etc/nsswitch.conf is important, and the ldap client code needs to resolve its own hostname! Therefor dns must be before ldap or the hostname must be in /etc/hosts!

12. ¼­¹ö, Ŭ¶óÀ̾ðÆ® ¸î°¡Áö ¿É¼Ç

12.1. ¼­¹ö¿¡¼­ °Ë»öÁ¦ÇÑÇϱâ

slapd.conf ¿¡¼­ sizelimit , timelimit¸¦ ÀÌ¿ëÇÏ¿© °Ë»ö¿¡ ´ëÇÑ Á¦ÇÑÀ» °É ¼ö ÀÖ´Ù.
  • sizelimit : °Ë»ö¿äûÀ» ÇÒ °æ¿ì Ŭ¶óÀ̾ðÆ®ÀÇ ¿äû¿¡ ´äÇÏ´Â ÃÖ´ë ¿£Æ®¸® ¼ýÀÚ. ±âº»°ªÀº 500
  • timelimit : °Ë»ö¿äû¿¡ ÀÀ´äÀ» ÇÒ¶§ °É¸®´Â ÃÖ´ë ½Ã°£. ±âº»°ªÀº 3600ÃÊ(1½Ã°£)

12.2. /etc/ldap.conf ÁÖ¿ä ¿É¼Ç¿¡ ´ëÇÏ¿©

/etc/ldap.conf ÁÖ¿ä ¿É¼ÇÀº ´ÙÀ½°ú °°´Ù.
  • host´Â ldap ¼­¹ö, base ´Â base dnÀÌ´Ù.
  • ssl start_tls ´Â TLS¸¦ »ç¿ëÇÏ´Â °æ¿ì üũÇÏ´Â ¿É¼ÇÀÌ´Ù. ¾ÏȣȭµÇ¾î Åë½ÅÇÏ´Â °ÍÀÌ´Ù.
  • pam_check_host_attr ´Â hosts¸¦ ÀÌ¿ëÇÏ¿© »ç¿ëÀÚº°·Î Á¢¼ÓÇÒ È£½ºÆ®¸¦ Á¦ÇÑÇϴµ¥ »ç¿ëÇÑ´Ù.
  • pam_filter ´Â »ç¿ëÀÚ ÀÎÁõ½Ã »ç¿ëÇÒ ÇÊÅÍÀÌ´Ù. pam_login_attribute ´Â »ç¿ëÀÚÀÇ ·Î±×ÀÎ ¸í°ú ÀÏÄ¡ÇÏ´Â attribute¸¦ ÁöÁ¤ÇÑ´Ù.
  • nss_base_xxx ´Â nss_ldap ¿¡¼­ °Ë»öÇÏ´Â ºÎºÐÀ» ÁöÁ¤ÇÏ¿© LDAP ¼­¹öÀÇ ºÎÇϸ¦ ÁÙÀÏ ¼ö ÀÖ´Ù. passwd, shadow´Â »ó°ü¾øÁö¸¸ group, hosts´Â µî·ÏÀ» ÇØÁÖ¾î¾ßÇß´Ù.
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
pam_password md5
pam_check_host_attr yes

pam_filter objectclass=posixAccount
pam_login_attribute uid

nss_base_passwd         ou=people,dc=samjung,dc=com?one
nss_base_shadow         ou=people,dc=samjung,dc=com?one
nss_base_group          ou=group,dc=samjung,dc=com?one
nss_base_hosts          ou=hosts,dc=samjung,dc=com?one

13. È£½ºÆ®, »ç¿ëÀÚº° Á¢±ÙÁ¦ÇÑ

ƯÁ¤ È£½ºÆ®, »ç¿ëÀÚ¸¦ ÁöÁ¤ÇÏ¿© Á¢±ÙÀ» Á¦ÇÑÇÒ ¼ö Àִµ¥ µÎ°¡Áö ¹æ¹ýÀÌ ÀÖ´Ù. ù¹ø°´Â ƯÁ¤ÇÑ È£½ºÆ®¿¡ Á¢¼Ó°¡´ÉÇÑ »ç¿ëÀÚµéÀ» ÁöÁ¤ÇÏ´Â ¹æ½Ä(a.server ¿¡ a,b,c »ç¿ëÀÚ Á¢¼Ó°¡´É)ÀÌ ÀÖ°í µÎ¹ø°´Â ƯÁ¤ÇÑ »ç¿ëÀÚ°¡ Á¢¼Ó°¡´ÉÇÑ È£½ºÆ®µéÀ» ÁöÁ¤ÇÏ´Â ¹æ½Ä(a »ç¿ëÀÚ´Â °¡,³ª,´Ù ¼­¹ö¿¡ Á¢¼Ó°¡´É)ÀÌ ÀÖ´Ù. ½ÇÁ¦ »ç¿ëÇÏ´Â °æ¿ì µÚÀÇ ¹æ½ÄÀÌ ´õ Æí¸®ÇÏ´Ù. ¾ÕÀÇ ¹æ½ÄÀº Ŭ¶óÀ̾ðÆ®¿¡¼­ ¼³Á¤À» ÀÏÀÏÀÌ ¼¼ÆÃÇؾßÇÏÁö¸¸ µÚÀÇ ¹æ½ÄÀº Ŭ¶óÀ̾ðÆ®¿¡¼­ µ¿ÀÏÇÑ ¼³Á¤À» À¯ÁöÇ쵂 ldap¼­¹ö¿¡¼­ º¯°æÀ» ÇÒ ¼ö°¡ ÀÖ´Ù.

13.1. ƯÁ¤ È£½ºÆ®¿¡ Á¢¼Ó°¡´ÉÇÑ »ç¿ëÀÚ Á¦ÇÑÇϱâ

/etc/ldap.conf ¿¡¼­ pam_check_host_attr yes·Î ÇØÁÜ. /etc/openldap/ldap.conf°¡ ¾Æ´Ï´Ù. »ç¿ëÀÚ¸¦ Ãß°¡ÇÒ¶§ host ¿¡ Á¢¼Ó°¡´ÉÇÑ È£½ºÆ® ÁöÁ¤. ¿©±â¼­ IP·Î ÁöÁ¤Çϸé Á¢¼ÓÀÌ µÇÁö ¾Ê¾Ò°í Á¤È®ÇÑ µµ¸ÞÀθíÀ» ÁöÁ¤ÇؾßÇÑ´Ù.
# test, people, samjung.com
dn: uid=test,ou=people,dc=samjung,dc=com
Áß°£³»¿ë »ý·«
host: kldp.org
host: cent3.tunelinux.pe.kr

pam ¼³Á¤Àº º¯°æÇÒ ÇÊ¿ä°¡ ¾ø´Ù.

13.2. ƯÁ¤ È£½ºÆ®¿¡ Á¢¼Ó°¡´ÉÇÑ »ç¿ëÀÚ Á¦ÇÑÇϱâ

ou=hosts °¡ ¸ÕÀú ÀÖ¾î¾ß ÇÑ´Ù.
# cat host.ldif 
dn: ou=hosts,  dc=samjung, dc=com
ou: hosts
objectclass: organizationalUnit
objectclass: domainRelatedObject
associatedDomain: samjung.com

# ldapadd -x -D 'cn=manager,dc=samjung,dc=com' -W -f host.ldif 

ÀÌÁ¦ ƯÁ¤ È£½ºÆ®¿Í »ç¿ëÀÚ¿¡ ´ëÇÑ Á¤º¸¸¦ ÀÔ·ÂÇÑ´Ù. ¾Æ·¡¿¡¼­´Â cnÀ» linux ¸¦ ÇÏ¿´´Ù.
# cat iphost.ldif 
dn: cn=linux,ou=hosts,dc=samjung,dc=com
objectClass: ipHost
objectClass: device
objectClass: extensibleObject
ipHostNumber: 192.168.0.23
cn: linux.samjung.com
cn: linux
member: uid=test,ou=people,dc=samjung,dc=com
member: uid=test2,ou=people,dc=samjung,dc=com

# ldapadd -x -D 'cn=manager,dc=samjung,dc=com' -W -f iphost.ldif 

À§¿¡¼­´Â 192.168.0.23 ¿¡ test, test2 °èÁ¤¸¸ Á¢¼Ó°¡´ÉÇϵµ·Ï ¼³Á¤ÇÏ¿´´Ù.

ldap¿¡ À§ÀÇ Á¤º¸¸¦ ÀÔ·ÂÇÑ ÈÄ °¢ ldap client ¿¡ À§ ±â´ÉÀ» »ç¿ëÇÒ ¼ö ÀÖµµ·Ï ¼³Á¤ÇØ¾ß ÇÑ´Ù.

ÀÌ´Â /etc/ldap.conf ¿¡ ´ÙÀ½ Ç׸ñÀ» Ãß°¡ÇÑ´Ù. À§¿¡¼­ »ç¿ëÇÑ dnÀ» ³Ö¾îÁÖ¾î¾ß ÇÑ´Ù.
pam_groupdn cn=linux,ou=hostss,dc=samjung,dc=com
pam_member_attribute member
Å×½ºÆÃÀ» ÇÑ °á°ú /etc/ldap.conf ¿¡ pam_groupdn ¼³Á¤À» µÎ°³ ³ÖÀ¸¸é ÀÛµ¿À» ÇÏÁö ¾Ê¾Ò´Ù. ±×·¸Áö¸¸ °¢ ldap client ÂÊ¿¡ ÀÌ ¼³Á¤ÀÌ µÎ°¡Áö µé¾î°¥ ÀÏÀÌ ¾øÀ¸¹Ç·Î ¹®Á¦°¡ µÇÁö´Â ¾Ê´Â´Ù.

iphost.ldif ¿¡ ¼³Á¤ÇÑ ³»¿ëÀ» °¢ ldap client º°·Î ldap¿¡ ³Ö¾îÁÖ°í ÀÌÈÄ¿¡´Â ±× ¼³Á¤³»¿ë¸¸ °è¼Ó ¼öÁ¤ÇÏ¸é µÈ´Ù.

13.3. NIS netgroup »ç¿ëÇÏ¿© »ç¿ëÀÚ, È£½ºÆ®º° Á¢±ÙÁ¦ÇÑÇϱâ

13.3.1. °ü·ÃÀÚ·á

¿À·¼¸® LDAP admin 117ÂÊ Æäµµ¶ó µð·ºÅ丮 ¼­¹ö À§Å°ÀÇ ¹®¼­Áß "System Access Control using LDAP backed NIS netgroup" http://directory.fedora.redhat.com/wiki/Howto:netgroup

13.3.2. NIS netgroup ±â´É

NIS´Â Sun¿¡¼­ ³ª¿Â ±â¼ú·Î ¿©·¯´ëÀÇ ½Ã½ºÅÛÀ» ÅëÇÕÀûÀ¸·Î °ü¸®Çϱâ À§ÇØ ³ª¿Ô´Ù. »ç¿ëÀÚ°èÁ¤, ±×·ì, /etc/hosts µîÀ» ÅëÇÕÇؼ­ °ü¸®ÇÒ ¼ö ÀÖ´Ù. NIS netgroupÀº ´ÙÀ½°ú °°Àº ±â´ÉÀ» Á¦°øÇÑ´Ù.
  • °³º° ½Ã½ºÅÛ ¶Ç´Â ½Ã½ºÅÛ±×·ì¿¡ »ç¿ëÀÚ¿Í ±×·ì ·Î±×ÀÎ Á¢±Ù Á¦¾î
  • NFS Á¢±Ù Á¦¾î ¸ñ·Ï °ü¸®
  • »ç¿ëÀÚ,±×·ì¿¡ ´ëÇÑ sudo ¸í·É¾î Á¢±ÙÁ¦¾î
  • dsh(distributed shell)À» ÀÌ¿ëÇÏ¿© ¿ø°Ý ¸í·É ½ÇÇà ¶Ç´Â ½Ã½ºÅÛ±×·ì¿¡ ÀÛ¾÷
  • cfengineÀ» ÀÌ¿ëÇÏ¿© Á¤Ã¥ ±â¹ÝÀÇ ½Ã½ºÅÛ ¼³Á¤°ü¸®

tcp ·¡ÆÛ¸¦ ÅëÇÏ¿© °£´ÜÇÑ ¿¹¸¦ »ìÆ캸ÀÚ.
# /etc/hosts.deny
sshd: ALL
# /etc/hosts.allow
sshd: @sysadmin

À§¿¡¼­ sysadmin netgroup´Â ´ÙÀ½°ú °°ÀÌ °³º° È£½ºÆ®·Î ±¸¼ºÇÒ ¼ö ÀÖ´Ù.
sysadmin (a.com,-,-)(b.com,-,-)
¶Ç´Â ´Ù¸¥ netgroupÀ» Æ÷ÇÔÇÒ ¼ö ÀÖ´Ù.
all_sysadmin sysadmin secure_clients
(a.com,-,-) ±¸¼ºÀº host, user, NIS-domain À¸·Î ±¸¼ºÀÌ µÇ¸ç -´Â »ý·«À» Çصµ µÈ´Ù. ¸¶Áö¸· NIS-domainÀº »ý·«À» Çصµ LDAP°ú cfengine ¿¡¼­ »ç¿ëÀÌ °¡´ÉÇÏ¿´´Ù.

À̸¦ ÀÌ¿ëÇÏ¸é ½Ã½ºÅ۱׷캰, »ç¿ëÀڱ׷캰·Î ¿©·¯°¡Áö ÀÛ¾÷À» Á¦¾îÇÒ ¼ö ÀÖ°í ½Ã½ºÅÛ±×·ì°ú »ç¿ëÀÚ±×·ìÀÇ Á¶ÇÕµµ °¡´ÉÇÏ´Ù.

13.3.3. LDAP ¿¡¼­ netgroup ±¸Çö

LDAP¿¡¼­´Â structural nisNetgroup ¿ÀºêÁ§Æ® Ŭ·¡½º¸¦ ÀÌ¿ëÇÏ¿© netgroup ±â´ÉÀ» ±¸ÇöÇÒ ¼ö ÀÖ´Ù.

nisNetgroup ¿ÀºêÁ§Æ® Ŭ·¡½º¿¡¼­ rdnÀº cnÀ» ¾²¸çµÎ°¡Áö Áß¿äÇÑ attributes °¡ ÀÖ´Ù.

nisNetgroupTriple : »ç¿ëÀÚ(,love,samjung.com), ½Ã½ºÅÛ (cent.tunelinux.pe.kr,,samjung.com) À» ÁöÁ¤ÇÒ ¼ö ÀÖÀ¸¸ç ¿©·¯°³ÀÇ °ªÀÌ µé¾î°¥ ¼ö ÀÖ´Ù. memberNisNetgroup : ´Ù¸¥ netgroup ¸¦ Æ÷ÇÔÇÒ ¼ö ÀÖ´Ù. ´ë±×·ì, ¼Ò±×·ì µîÀ¸·Î ºÐ·ùÇÏ¿© Æí¸®ÇÏ°Ô »ç¿ëÇÒ ¼ö ÀÖ´Â ±â´ÉÀÌ´Ù. À̶ÇÇÑ ¿©·¯°³ÀÇ °ªÀ» °¡Áú ¼ö ÀÖ´Ù.

¸ÕÀú ou¸¦ »ý¼ºÇÑ´Ù. LDIF ÆÄÀÏ·Î ÀúÀåÇÏ¿© ldapadd·Î ³ÖÀ¸¸é µÈ´Ù.
dn: ou=netgroup,dc=samjung,dc=com
objectClass: organizationalUnit
ou: netgroup

dn: cn=sysadmin,ou=netgroup,dc=samjung,dc=com
objectClass: nisNetgroup
objectClass: top
cn: sysadmin
description: netgroup test group
nisNetgroupTriple: (cent1.tunelinux.pe.kr,-,-)
nisNetgroupTriple: (cent2.tunelinux.pe.kr,-,-)

dn: cn=sysadmin2,ou=netgroup,dc=samjung,dc=com
objectClass: nisNetgroup
objectClass: top
cn: sysadmin2
description: netgroup test group2
memberNisNetgroup: sysadmin
memberNisNetgroup: sysadmin2

dn: cn=allusers,ou=Netgroup,dc=samjung,dc=com
objectClass: nisNetgroup
objectClass: top
cn: users0
nisNetgroupTriple: (,a,)
nisNetgroupTriple: (,b,)
description: All QA users in my organization

sysadminÀº host°¡ cent1.tunelinux.pe.kr, cent2.tunelinux.pe.kr ¸¦ ³Ý±×·ìÀ¸·Î ¹­À¸¸ç sysadmin2´Â memberNisNetgroupÀ» ÀÌ¿ëÇÏ¿© sysadmin, sysadmin2 ³Ý±×·ìÀ» ¹­´Â °ÍÀÌ´Ù. nisNetgroupTriple °ú memberNisNetgroupÀº °°ÀÌ µé¾î°¥ ¼öµµ ÀÖ´Ù. alluser´Â a,b »ç¿ëÀÚ¸¦ ¹­¾ú´Ù. À§¿¡¼­ ¼³¸íÇÑ¹Ù¿Í °°ÀÌ NIS µµ¸ÞÀÎ ¸íÀº ÀÔ·ÂÀ» ÇÏÁö ¾Ê¾Æµµ ÀÛµ¿Çϴµ¥´Â ¹®Á¦°¡ ¾ø¾ú´Ù. Æäµµ¶ó µð·ºÅ丮 ¼­¹ö À§Å°ÀÇ ¹®¼­Áß "System Access Control using LDAP backed NIS netgroup"¿¡´Â ´ÙÀ½°ú °°ÀÌ ³ª¿ÍÀÖ´Ù. http://directory.fedora.redhat.com/wiki/Howto:netgroup
Finally to enable the netgroup query, NISDOMAIN must be defined (in /etc/sysconfig/network) even though it is not used. This is required because the innetgr() call is used and it requires a nisdomainname as a paramter. Once the functions resolves to LDAP via nsswitch.conf, the nisdomainname in no longer required.

ÇÊ¿äÇÑ ¿£Æ®¸®¸¦ Ãß°¡ÇÑ ÈÄ /etc/ldap.conf ¿¡¼­ netgroup °Ë»öÀ» À§ÇÏ¿© nss_base_netgroup À» Ãß°¡ÇÑ´Ù.
nss_base_netgroup       ou=netgroup,dc=samjung,dc=com?one

OS¿¡¼­ netgroupÀ» ãÀ» ¼ö ÀÖµµ·Ï /etc/nsswitch.conf ¿¡¼­ netgroup ¿¡ ´ëÇÑ ¼³Á¤À» ÇÑ´Ù.
netgroup:   ldap

getent ÇÁ·Î±×·¥À» ÀÌ¿ëÇÏ¿© À§¿¡¼­ ÀÔ·ÂÇÑ netgroupÀ» °Ë»öÇغ»´Ù.
# getent netgroup sysadmin
sysadmin               (cent1.tunelinux.pe.kr, , ) (cent2.tunelinux.pe.kr, , )


ÀÌ·¯ÇÑ ¼³Á¤À» ÀÌ¿ëÇÏ¿© À§¿¡¼­ sshd´Â sysadmin ¿¡ ¼ÓÇÑ È£½ºÆ®¿¡¼­¸¸ Á¢¼ÓÀ» Çϵµ·Ï ¼³Á¤À» ÇÒ ¼ö ÀÖ´Â °ÍÀÌ´Ù.

13.3.4. PAM Á¢±ÙÁ¦¾î ¿¬µ¿

tcp ·¡ÆÛ¸¸ÀÌ ¾Æ´Ï¶ó ³Ý±×·ìÀ» ÀÌ¿ëÇÏ¿© PAM ÀÇ Á¢±Ù±ÇÇÑ Á¦¾î¿Í ¿¬°üÀ» ½Ãų ¼ö°¡ ÀÖ´Ù. ÀÌ¿¡ ´ëÇÑ ³»¿ëÀº Æäµµ¶ó µð·ºÅ丮 ¼­¹öÀÇ À§Å°¿¡ ÀÚ¼¼È÷ ³ª¿ÍÀÖ´Ù.

À§¿Í °°Àº ÀÛ¾÷À» ÇÏ¿© ƯÁ¤ È£½ºÆ®¿Í ƯÁ¤ »ç¿ëÀÚº°·Î ±×·ìÀ» ¹­´Â´Ù. bobby, joey »ç¿ëÀÚ¸¦ QAUsers ±×·ìÀ¸·Î ¸¸µç´Ù.
dn: cn=QAUsers,ou=Netgroup,dc=example,dc=com
objectClass: nisNetgroup
objectClass: top
cn: QAUsers
nisNetgroupTriple: (,bobby,example.com)
nisNetgroupTriple: (,joey,example.com)
description: All QA users in my organization

qa01, qa02 È£½ºÆ®¸¦ QASystems ±×·ìÀ¸·Î ¸¸µç´Ù.
dn: cn=QASystems,ou=Netgroup,dc=example,dc=com
objectClass: nisNetgroup
objectClass: top
cn: QASystems
nisNetgroupTriple: (qa01,,example.com)
nisNetgroupTriple: (qa02,,example.com)
description: All QA systems on our network

PAM ¿¡¼­ /etc/security/access.conf ÆÄÀÏÀ» ÀÌ¿ëÇÏ¿© ip ¿¡ µû¶ó Á¢¼Ó°¡´ÉÇÑ È£½ºÆ®¿Í »ç¿ëÀÚ¸¦ ÁöÁ¤ÇÒ ¼ö ÀÖ´Ù. ÀÌ¿¡ ´ëÇؼ­´Â º°µµ·Î PAM Á¤º¸¸¦ Âü°íÇÑ´Ù. access.conf ÆÄÀÏ¿¡¼­ nisÀÇ ³Ý±×·ìÀº @netgroupname ÇüÅ·ΠÀÌ¿ëÇÏ¸é µÈ´Ù. ¿©±â¼­ È£½ºÆ®¸íÀ̳ª »ç¿ëÀÚ¸í ÇÑ°¡Áö¸¸ ÀÌ¿ëÇÏ´Â °ÍÀÌ ¾Æ´Ï¶ó µÎ°¡Áö¸¦ °áÇÕÇÏ¸é ¿©·¯°¡Áö Æí¸®ÇÑ Á¡ÀÌ ÀÖ´Ù. ¾Æ·¡ÀÇ ³»¿ëÀº 10.x.x.x ³×Æ®¿öÅ©¿¡¼­ QASystems¿¡ QAUsers °¡ Á¢¼ÓÇÒ ¼ö ÀÖµµ·Ï ÇÏ´Â °ÍÀÌ´Ù.
+ : @QAUsers@@QASystems : 10.

¾Æ·¡ÀÇ °æ¿ì´Â root »ç¿ëÀÚ´Â ·ÎÄÿ¡¼­¸¸ Á¢¼ÓÇÏ°í Admins ³Ý±×·ìÀº 10.x ³×Æ®¿öÅ©¿¡¼­ Á¢¼ÓÇÒ ¼ö ÀÖµµ·Ï ÇÏ¸ç ³ª¸ÓÁö´Â ¸ðµÎ ¸·´Â ¼³Á¤ÀÌ´Ù.
+ : root : LOCAL
+ : @Admins : 10.
- : ALL : ALL

13.3.5. cfengine ¿¡¼­ÀÇ »ç¿ë

cfengineÀº °¢Á¾ ½Ã½ºÅÛÀÛ¾÷À» ÀÚµ¿È­ÇÒ ¼ö ÀÖ´Â ÇÁ·Î±×·¥ÀÌ¸ç º°µµ ÀڷḦ Âü°íÇϱ⠹ٶõ´Ù. http://www.cfengine.org/docs/cfengine-Reference.html#groups NIS netgroupÀ» ÀÌ¿ëÇÏ´Â °æ¿ì¿¡´Â +³ª +@ ±âÈ£¸¦ ÀÌ¿ëÇÑ´Ù. ¿©±â¼­ À¯¿ëÇÑ °ÍÀÌ netgroup except ÀÌ´Ù. ¾Æ·¡¿¡¼­ testgroupÀº mynetgoupÀ» Æ÷ÇÔÇÏ°í Àִµ¥ mynetgoup ¿¡¼­ ƯÁ¤ È£½ºÆ®¸¸ »©·Á°í ÇÒ °æ¿ì¿¡´Â - ±âÈ£¸¦ ÀÌ¿ëÇÏ¿© ÁöÁ¤ÇÏ¸é µÈ´Ù.
     groups:
        science = ( +science-allhosts )
        physics = ( +physics-allhosts )
        physics_theory = ( +@physics-theory-sun4 dirac feynman schwinger )
        testgroup = ( +mynetgroup -specialhost -otherhost )

13.3.6. Âü°í»çÇ×

13.3.6.1. host À̸§¿¡ ´ëÇÏ¿©
dns¿¡ µî·ÏµÇ¾îÀÖÁö ¾Ê¾Æµµ ldapÀÇ hosts ¿¡ µé¾î°¡ÀÖÀ¸¸é µ¿ÀÏÇÏ°Ô µ¿ÀÛÇÑ´Ù.
13.3.6.2. nisNetgroupTriple Ãß°¡, º¯°æ½Ã
½ÇÁ¦ »ç¿ëÇϸ鼭 ¹®Á¦°¡ ºÎµúÈù °ÍÀÌ ÀÖ´Ù. nisNetgroupTriple À» Ãß°¡ÇÏ·Á°í ÇÏ´Â °æ¿ì¿¡´Â additional info: modify/add: nisNetgroupTriple: no equality matching rule ¶ó´Â ¿¡·¯°¡ ³­´Ù. attribute Á¤ÀÇ¿¡¼­ nisNetgroupTriple Àº ¸ÅĪ ·êÀÌ ¾ø´Ù. ÀÌ ºÎºÐÀÌ ¿µÇâÀ» ¹ÌÄ¡´Â °Í °°´Ù. ÁÁÀº ¹æ¹ýÀº ¾Æ´ÑµíÇÏÁö¸¸ ½ºÅ°¸¶¿¡¼­ EQUALITY ¿Í SYNTAX¸¦ ¼öÁ¤ÇØÁÖ¾úÁö¸¸ Á¦´ë·Î ÀÛµ¿ÇÏÁö´Â ¾Ê¾Ò´Ù.
# cat mod.txt
dn: cn=sysadmin2,ou=netgroup,dc=samjung,dc=com
changetype: modify
add: nisNetgroupTriple
nisNetgroupTriple: (cent2.tunelinux.pe.kr,,)

#  ldapmodify -D "cn=manager,dc=samjung,dc=com" -W -x -v -f mod.txt
ldap_initialize( <DEFAULT> )
add nisNetgroupTriple:
        (cent2.tunelinux.pe.kr,,)
modifying entry "cn=sysadmin2,ou=netgroup,dc=samjung,dc=com"
modify complete
ldap_modify: Inappropriate matching (18)
        additional info: modify/add: nisNetgroupTriple: no equality matching rule

nisNetgroupTripple attibutetype
attributetype ( 1.3.6.1.1.1.1.13 NAME 'memberNisNetgroup'
        EQUALITY caseExactIA5Match
        SUBSTR caseExactIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple'
        DESC 'Netgroup triple'
        SYNTAX 1.3.6.1.1.1.0.0 )

nisNetgroupTripleÀº Ãʱâ ÇÑ°³ ÀԷ°¡´ÉÇϸç ÇÑ°³¸¸ ÀÖÀ» °æ¿ì ¼öÁ¤, »èÁ¦°¡ °¡´ÉÇѵ¥ µÎ°³ÀÌ»ó Ãß°¡°¡ µÇÁö ¾Ê´Â´Ù. ¸ÅĪ·ê¶§¹®¿¡ »ý±â´Â ¹®Á¦¶ó°í ÆÇ´ÜÀÌ µÇ¸ç ÀÌ·² °æ¿ì ÇØ´ç dnÀ» »èÁ¦ÇÏ°í ½Å±Ô·Î dn¸¦ ³Ö¾îÁÖ¾î¾ß ÇÑ´Ù.

13.4. »ç¿ëÀÚ Á¢±ÙÁ¦ÇÑ ¾î¶² ¹æ¹ýÀÌ ÁÁÀ»±î?

È£½ºÆ®º°·Î Á¢¼Ó°¡´ÉÇÑ »ç¿ëÀÚ¸¦ ÁöÁ¤ÇÏ´Â ¹æ½ÄÀº Á¢¼ÓÇÏ·Á´Â Ŭ¶óÀ̾ðÆ® ¼³Á¤ÀÌ ¸ðµÎ ´Þ¶óÁö¹Ç·Î ºÒÆíÇÏ´Ù. (pam_groupdn, pam_member_attribute ¼³Á¤) pam_check_host_attr ¶Ç´Â LDAP¿¡ NIS¸¦ ¿¬µ¿ÇÏ´Â ¹æ½ÄÀÌ °ü¸®»ó Æí¸®ÇÒ °ÍÀÌ´Ù.

°¢ÀÚÀÇ Àå´ÜÁ¡À» »ý°¢Çغ¸ÀÚ. pam_check_host_attr À» ÀÌ¿ëÇÏ¸é °¢ »ç¿ëÀÚº°·Î Á¢¼ÓÇÒ ¼ö Àִ ȣ½ºÆ®¸¦ ÁöÁ¤ÇÑ´Ù. ¸ðµç °ÍÀ» LDAP¿¡¼­ °ü¸®ÇÏ°í /etc/ldap.conf ¿¡¼­ pam_check_host_attr ÁöÁ¤ÇÏ´Â °Í ¿Ü¿¡ º°µµÀÇ ¼³Á¤ÀÌ ÇÊ¿ä¾øÀ¸¹Ç·Î ±¸¼ºÀÌ °£´ÜÇÏ´Ù. ÇÏÁö¸¸ ½Ã½ºÅÛ°ú »ç¿ëÀڱԸ𰡠ĿÁö¸é º°µµÀÇ °ü¸®ÅøÀ» ¸¸µéÁö ¾ÊÀ¸¸é ºÒÆíÇÏ´Ù.

NIS¸¦ ÀÌ¿ëÇÏ´Â °æ¿ì¿¡´Â ¼³Á¤Àº Á»´õ º¹ÀâÇØÁöÁö¸¸ »ç¿ëÀÚ, ½Ã½ºÅÛº°·Î ±×·ìÀ» ¸¸µé°í ÀÌ ±×·ìÀ» ÇÊ¿ä¿¡ µû¶ó Á¶Á¤ÇÒ ¼ö ÀÖ´Ù. /etc/security/access.conf´Â ½Ã½ºÅÛ¿¡ ´Þ¶óÁö´Â°ÍÀÌ ¾Æ´Ï¶ó ¸ðµç ½Ã½ºÅÛ¿¡¼­ µ¿ÀÏÇÑ ³»¿ëÀ» °øÀ¯ÇÒ ¼ö ÀÖ´Ù. ±âº»¼³Á¤Àº µ¿ÀÏÇÏµÇ Æ¯Á¤ ±×·ì¿¡ ´ëÇÑ Á¶Á¤Àº ldapÀ» ÅëÇÏ¿© ÇÏ¸é µÈ´Ù. ÇÑ°¡Áö ´ÜÁ¡À̶ó¸é nisNetgroupTripleÀº ÇÑ°³¸¸ ÀԷ°¡´É, ÇÑ°³¸¸ ÀÖÀ» °æ¿ì ¼öÁ¤, »èÁ¦°¡ °¡´ÉÇѵ¥ µÎ°³ÀÌ»ó Ãß°¡´Â µÇÁö°¡ ¾Ê´Â´Ù. ¸ÅĪ·ê¶§¹®¿¡ »ý±â´Â ¹®Á¦¶ó°í ÆÇ´ÜÀÌ µÇ¸ç ÀÌ·² °æ¿ì ÇØ´ç dnÀ» »èÁ¦ÇÏ°í ½Å±Ô·Î dn¸¦ ³Ö¾îÁÖ¾î¾ß ÇÑ´Ù. ÀÌ·¯ÇÑ ºÒÆíÇÔÀº ÀÖÁö¸¸ ±âº» Á¦°øµÇ´Â ±â´É¸¸À¸·Î °¡Àå °­·ÂÇÏ°Ô Á¢±ÙÁ¦¾î¸¦ ÇÒ ¼ö°¡ ÀÖ´Ù. ¶ÇÇÑ NIS±â´ÉÀ» cfengine µî ´Ù¸¥ ÇÁ·Î±×·¥¿¡¼­µµ È°¿ëÀÌ °¡´ÉÇÏ´Ù.

14. user º¯°æ ÇÁ·Î±×·¥ - cpu

passwd ÇÁ·Î±×·¥À» ÀÌ¿ëÇؼ­ »ç¿ëÀÚ¸¦ º¯°æÇÏ¿©µµ µÈ´Ù. ±×·¸Áö¸¸ »ç¿ëÀÚ »ý¼ºÀº ldif ÆÄÀÏ·Î Á÷Á¢ ³Ö°Å³ª cpu ÇÁ·Î±×·¥ ÀÌ¿ë ¶Ç´Â ldap °ü¸®ÀÚÅøÀ» ÀÌ¿ëÇØ¾ß ÇÑ´Ù. cpu°¡ »ç¿ëÀÚ °èÁ¤ ¹× ±×·ì°ü¸®¿¡ Æí¸®ÇÏ´Ù.

http://cpu.sourceforge.net/ ÃֽŹöÀü ´Ù¿î·Îµå

  • rpmfind ¿¡¼­ cpu rpmÀ» ´Ù¿î·Îµå ¹Þ¾Æµµ µÊ. [ftp]rhel4 ¹öÀü¿¡ ¸ÂÃá rpmÀÌ ÀÖÀ½. ¿©±â¼­ ¼³Ä¡ÇÑ rpmÀÇ cpu ÇÁ·Î±×·¥Àº ´Ù¸¥ »ç¿ëÀÚµµ »ç¿ëÇÒ ¼ö ÀÖÀ¸¹Ç·Î root¸¸ »ç¿ëÇϵµ·Ï Á¶Á¤ÇÑ´Ù.
[root@cent3 migration]# ll /usr/sbin/cpu
-rwxr-xr-x  1 root root 12127 Feb 17  2005 /usr/sbin/cpu
[root@cent3 migration]# chmod 700 /usr/sbin/cpu

openldap-devel ÇÊ¿äÇÔ
./configure --prefix=/usr/local/cpu
make
make install
ÀÌÁ¦ /usr/local/cpu ¿¡ ÇÁ·Î±×·¥ÀÌ ¼³Ä¡°¡ µÈ´Ù.

# grep samjung /usr/local/cpu/etc/cpu.conf 
BIND_DN         = cn=Manager,dc=samjung,dc=com
USER_BASE       = ou=People,dc=samjung,dc=com
GROUP_BASE      = ou=Group,dc=samjung,dc=com

À§¿Í °°ÀÌ dnÀ» ¹Ù²Ù¾îÁØ´Ù.
#HASH = "md5"
HASH = "crypt"

HASH ¸¦ md5 ¿¡¼­ crypt ·Î ¹Ù²Ù¾îÁØ´Ù.


¿©±â¼­ sldapd.conf ÀÇ root ºñ¹Ð¹øÈ£¸¦ ³Ö¾îÁÖ¾î¾ß ÇÑ´Ù.
BIND_PASS       = xxxx 


MAX_UIDNUMBER = 10000
MIN_UIDNUMBER = 1000
MAX_GIDNUMBER = 10000
MIN_GIDNUMBER = 1000

MIN_UIDNUMBER, MIN_GIDNUMBER ¸¦ 100¿¡¼­ ÀûÀýÇÑ °ªÀ¸·Î ¹Ù²Û´Ù.

# /usr/local/cpu/sbin/cpu useradd test 
# /usr/local/cpu/sbin/cpu userdel test 
$ /usr/local/cpu/sbin/cpu usermod -p  test2

[root@localhost openldap]# id test
uid=1001(test) gid=1001(test) groups=1001(test)
[root@localhost openldap]# /usr/local/cpu/sbin/cpu groupmod -g 1005 test
Group test successfully modified!
[root@localhost openldap]# id test
uid=1001(test) gid=1001 groups=1001,1005(test)
[root@localhost openldap]# /usr/local/cpu/sbin/cpu groupmod -n test222 test
Group test222 successfully modified!
[root@localhost openldap]# id test
uid=1001(test) gid=1001 groups=1001,1005(test222)

ÆíÇÏ°Ô »ç¿ëÀ» ÇÏ·Á¸é path¿¡ Ãß°¡ÇØÁÖ¸é ÁÁ´Ù.

export PATH=$PATH:/usr/local/cpu/sbin
export MANPATH=$MANPATH:/usr/local/cpu/man
man cpu-ldap

cpu cat Àº Àüü »ç¿ëÀÚ, ±×·ìÀ» º»´Ù.
[root@cent ~]# cpu cat
User Accounts
ldaptest:x:1001:1001::/home/ldaptest:/bin/bash
ldap2:x:1000:1002::/home/ldap2:/bin/bash

Group Entries
webdev:x:2000:
test:x:1000:
ldaptest:x:1001:
ldap2:x:1002:

»ç¿ëÀÚ Æнº¿öµå º¯°æÇÑ´Ù.
[root@cent ~]# cpu usermod -p ldaptest

°ü¸®¸¦ À§Çؼ­´Â ¸ÕÀú ÇÊ¿äÇÑ ±×·ìÀ» »ý¼ºÇÏ°í ±× »ç¿ëÀÚ¸¦ Ãß°¡ÇØÁÖ´Â °ÍÀÌ ÁÁÀ» °ÍÀÌ´Ù. ±âº»°ªÀº »ç¿ëÀÚ¸¦ »ý¼º½Ã µ¿ÀÏÇÑ À̸§ÀÇ ±×·ìÀ» »ý¼ºÇÑ´Ù. ±×·¯¹Ç·Î óÀ½ »ý¼º½Ã -g ¿É¼ÇÀ» ÀÌ¿ëÇÏ¿© ±×·ìÀ» ÁöÁ¤Çϴ°ÍÀÌ ÁÁ´Ù. ¾Æ´Ï¸é »ç¿ëÀÚ »ý¼ºÈÄ ±×·ìÀ» ¹Ù²Ù¾îÁ־ µÈ´Ù.

[root@cent3 openldap]# cpu useradd -g test5 ilove
[root@cent3 openldap]# cpu usermod -g test ilove

15. nfs, autofs ¼¼ÆÃ

nfs, autofs´Â Ȩµð·ºÅ丮¸¦ »ç¿ëÀÚ°¡ ·Î±×Àνà ÀÚµ¿À¸·Î ÆÄÀϼ­¹ö¿¡¼­ ¸¶¿îÆ®ÇÏ´Â °æ¿ì¿¡¸¸ »ç¿ëÇÏ¸é µË´Ï´Ù.

15.1. nfs ¼­¹ö ¼¼ÆÃ

# cat /etc/exports
/tmp   192.168.0.0/255.255.255.0(rw,sync)

# /etc/init.d/nfs start

15.2. autofs ¼¼ÆÃ

auto.master ÆÄÀÏÀÌ ¸ÞÀÎÆÄÀÏÀÌ¸ç ¿©±â¿¡¼­ ¸¶¿îÆ® Æ÷ÀÎÆ®¿Í ¼¼ºÎ ¼³Á¤ÆÄÀÏÀ» ÁöÁ¤ÇÔ. ¾Æ·¡¿¡¼­´Â /home µð·ºÅ丮¿¡ Á¢±ÙÇÏ´Â °æ¿ì /etc/auto.home ÆÄÀÏÀ» Âü°íÇϸç auto.home Àº /home ÀÇ ¸ðµç ÇÏÀ§ µð·ºÅ丮(*)¿¡ Á¢±ÙÇÏ´Â °æ¿ì nfs 192.168.0.24:/tmp ÀÇ ÇØ´ç µð·ºÅ丮¿¡ ¸¶¿îÆ®ÇÔ
# cat /etc/auto.master 
/home   /etc/auto.home --timeout=5

# cat /etc/auto.home 
*               -rw,soft,intr           192.168.0.24:/tmp/&


home µð·ºÅ丮 °øÀ¯Çϱâ À§ÇØ automount ¼¼ÆÃÇϱâ (»çÀü¿¡ autofs ´Â ¼¼ÆÃÀ» ÇؾßÇÔ)

# cat auto.master.ldif 
dn: ou=auto.master,dc=samjung,dc=com
objectClass: top
objectClass: automountMap
ou: auto.master

dn: cn=/home,ou=auto.master,dc=samjung,dc=com
objectClass: automount
cn: /home
automountInformation: ldap:ou=auto.home,dc=samjung,dc=com

# ldapadd -x -D 'cn=manager,dc=samjung,dc=com' -W -f auto.master.ldif 
Enter LDAP Password: 
adding new entry "ou=auto.master,dc=samjung,dc=com"

adding new entry "cn=/home,ou=auto.master,dc=samjung,dc=com"
 
# cat auto.home.ldifc 
dn: ou=auto.home,dc=samjung,dc=com
objectClass: top
objectClass: automountMap
ou: auto.home

dn: cn=/,ou=auto.home,dc=samjung,dc=com
objectClass: automount
cn: *
automountInformation:   192.168.0.24:/tmp/&

# ldapadd -x -D 'cn=manager,dc=samjung,dc=com' -W -f auto.home.ldifc 
Enter LDAP Password: 
adding new entry "ou=auto.home,dc=samjung,dc=com"

adding new entry "cn=test,ou=auto.home,dc=samjung,dc=com"
ÀÌ·¸°Ô ÇÏ´Â °æ¿ì /etc/auto.master ¸¦ ldap ¿¡¼­ »ç¿ëÇÒ ¼ö ÀÖµµ·Ï ¹Ù²Ù¾î ÁÙ¼ö ÀÖÀ½
# cat /etc/auto.master 
#/home  /etc/auto.home --timeout=5
/home   ldap:192.168.0.23:ou=auto.home,dc=samjung,dc=com --timeout=5

16. °¢Á¾ ¾ÖÇø®ÄÉÀÌ¼Ç LDAP ¿¬µ¿

16.1. outlook µî À̸ÞÀÏŬ¶óÀ̾ðÆ® ¼¼ÆÃÇϱâ

À§¿¡¼­ ou=people,dc=samjung,dc=com ¿¡ ÀÔ·ÂÇÑ »ç¿ëÀÚÁ¤º¸´Â ¾Æ¿ô·è, ¼±´õ¹öµå µîÀÇ ÁÖ¼Ò·Ï¿¡¼­ È°¿ëÀ» ÇÒ ¼ö ÀÖ´Ù.

16.1.1. ¾Æ¿ô·è

outlook express ¿¡¼­´Â µµ±¸->°èÁ¤ À¸·Î °¡¼­ µð·ºÅ丮 ¼­ºñ½º¸¦ ¼±ÅÃÇÑ´Ù. µð·ºÅ丮 ¼­ºñ½º °èÁ¤¿¡ ÀûÀýÇÑ À̸§À» ÅÃÇÏ¿© ã±â ½±µµ·Ï ³Ö´Â´Ù. ¼­¹ö À̸§¿¡ ldap ¼­¹ö Á¤º¸¸¦ ÀÔ·ÂÇÑ´Ù. ·Î±×ÀÎ ÇÊ¿ä¿¡¼­´Â À§¿¡¼­ ¸¸µç ldaptest µîÀ» ÀÌ¿ëÇÏ¸é µÈ´Ù. uid=ldaptest,ou=people,dc=samjung,dc=com ¸¦ ³Ö¾îÁÖ¸é µÉ °ÍÀÌ´Ù. ¾ÏÈ£´Â À§ id¿¡ ÇØ´çÇÏ´Â ºñ¹Ð¹øÈ£¸¦ ³ÖÀ¸¸é µÈ´Ù. º¸¾È ¾ÏÈ£ ÀÎÁõÀ» »ç¿ëÇÏ¿© ·Î±×ÀÎÀº Àß ¸ð¸£°Ú´Ù. °í±Þ¿¡¼­ °Ë»ö±âÁØÀ» ÀÔ·ÂÇÑ´Ù. ou=people,dc=samjung,dc=com

ÀÌÁ¦ outlook express ¿¡¼­ ÁÖ¼Ò -> »ç¶÷ã±â¸¦ ¼±ÅÃÇÏ¿© ldap µð·ºÅ丮¸¦ ÁöÁ¤ÇÏ°í °Ë»öÁ¶°ÇÀ» ÀÔ·ÂÇÏ¸é µÈ´Ù.

16.1.2. ¼±´õ¹öµå

¼±´õ¹öµå¿¡¼­´Â °èÁ¤¼³Á¤->ÁÖ¼Ò->µð·ºÅ丮 ÆíÁý¿¡¼­ µð·ºÅ丮 ¼­ºñ½º¸¦ Ãß°¡ÇÑ´Ù. À̸§Àº ÀûÀýÇÑ À̸§À» ÅÃÇÏ¿© ã±â ½±µµ·Ï ³Ö´Â´Ù. È£½ºÆ® À̸§¿¡ ldap ¼­¹ö Á¤º¸¸¦ ÀÔ·ÂÇÑ´Ù. ±âº» dn¿¡ ou=people,dc=samjung,dc=com ¸¦ ÀÔ·ÂÇÑ´Ù. ±âÁØÀÌ µÇ´Â dnÀ» ÀÔ·ÂÇÏ´Â °ÍÀÌ´Ù. Æ÷Æ®¹øÈ£´Â ldap Æ÷Æ®¹øÈ£¸¦ Àû´Â´Ù. DN ¹ÙÀεå´Â ÀÎÁõÀ» »ç¿ëÇÒ °æ¿ì¿¡ ÇØ´çÇÑ´Ù. uid=ldaptest,ou=people,dc=samjung,dc=com ¾ÏÈ£´Â Á¢¼Ó½Ã ÀÔ·ÂÀ» ÇÏ¸é µÈ´Ù.

16.1.3. Âü°í»çÇ×

ÇöÀç ±âº»¼³Á¤Àº ´Ù¸¥ »ç¿ëÀÚµµ read ±ÇÇÑÀ» Áֱ⶧¹®¿¡ ¾Æ¿ô·è¿¡¼­ ·Î±×ÀÎÇÊ¿ä, ¼±´õ¹öµå¿¡¼­ DN ¹ÙÀε带 ¼±ÅÃÇÏÁö ¾Ê´Â´Ù°í ÇÏ´õ¶óµµ ÁÖ¼Ò·Ï °Ë»öÀÌ °¡´ÉÇÏ´Ù. ÀÌ ºÎºÐÀº ldap ¼­¹ö ¼³Á¤¿¡¼­ aclÀ» ÁÖ¾î¾ß ÇÒ °ÍÀÌ´Ù.

Âü°í·Î À̸ÞÀÏŬ¶óÀ̾ðÆ®´Â Àбâ Àü¿ëÀÌ´Ù. ¶Ç °Ë»öÀ» Çؼ­ ÀÌ¿ëÇؾßÇÏ´Â ºÒÆíÀÌ ÀÖ´Ù.

16.1.4. À¥ÁÖ¼Ò·Ï ÇÁ·Î±×·¥

  • /usr/share/doc/labe-3.3/REAME ÆÄÀÏÀ» Âü°í. ¿©±â¼­ ¸ÕÀú suffix, rootdn¸¦ ¸¸µé¾îÁÖ°í ldap ´ë¸óÀ» ´Ù½Ã ¶ç¿ò. ¾Æ·¡ ½ºÅ°¸¶ Ãß°¡µµ ¿©±â¿¡¼­ ¾ð±ÞÇÏ°í ÀÖÀ½.
  • http://sourceforge.net/projects/labe/ ¿©±â¿¡¼­ ´Ù¿î·Îµå ¹Þ¾Æ ¼³Ä¡ÇÏ¸é µÈ´Ù. ¼³Á¤Àº ldapÀ» ÀÌÇØÇÏ°í ÀÖÀ¸¸é °£´ÜÇÏ´Ù. rpmÀ¸·Î ¼³Ä¡Çϸé /var/www/html/labe/ µð·ºÅ丮¿¡ À¥ÇÁ·Î±×·¥¼³Ä¡°¡ µÇ°í setup.sh ¿¡¼­ ÀûÀýÇÑ ´äº¯À» ÇØÁÖ¸é µÈ´Ù. Âü°í·Î ÀÌÀ¯´Â ¸ð¸£°Ú´Âµ¥ /etc/openldap/slapd.conf ¿¡¼­ labe ÇÁ·Î±×·¥ÀÌ »ç¿ëÇÏ´Â ½ºÅ°¸¶¸¦ ¼öµ¿À¸·Î Ãß°¡ÇØÁØ´Ù. ÀÌ´Â ÀÚµ¿À¸·Î µÇÁö ¾Ê´Â µíÇÏ´Ù.
include /etc/openldap/schema/extension.schema
/etc/labe/connect.conf ÆÄÀÏÀÌ ldap Á¢¼Ó¿¡ ´ëÇÑ ¼³Á¤ÆÄÀÏÀÌ¸ç ¿©±â¿¡ ¼­¹öÁÖ¼Ò, port, bind, rootdn Á¤º¸°¡ µé¾î°£´Ù. ÀÌ´Â À§ÀÇ ½ºÅ©¸³Æ®¸¦ ½ÇÇàÇÏ¸é »ý¼ºÀÌ µÇ´Â °ÍÀÌ´Ù.

16.1.5. À¥ÁÖ¼Ò·Ï ACL ¼³Á¤À¸·Î ÀÎÁõµÈ »ç¿ëÀÚ¸¸ Àеµ·Ï Çϱâ

¾Æ·¡¿Í °°ÀÌ ±âº» ±ÇÇÑÀ» noneÀ¸·Î ÁÖ°í users (dnÀÌ Á¸ÀçÇÏ°í Æнº¿öµå¸¦ Á¦½ÃÇÑ »ç¿ëÀÚ)¿¡°Ô¸¸ read ±ÇÇÑÀ» ÁÖ´Â °ÍÀ¸·Î ¹Ù²Ù´Ï ÀÎÁõÀ» ÇØ¾ß Á¢¼ÓÀÌ µÈ´Ù. ACL ¼³Á¤ºÎºÐÀº ÃßÈÄ¿¡ Á»´õ »ìÆìºÁ¾ßÇÔ
access to attr=userPassword
        by self write
        by anonymous auth
        by dn="cn=manager,dc=samjung,dc=com"        write
        by * compare
access to *
        by self write
        by dn="cn=manager,dc=samjung,dc=com"        write
        by users read
À§¿¡¼­ users ¿¡ read ±ÇÇÑÀ» ÁÖÁö ¾ÊÀ¸¸é ´Ù¸¥ Á¤º¸µµ º¼¼ö°¡ ¾ø´Ù.

defaultaccess none °¡ ¿À·¼¸® Ã¥µî¿¡¼­´Â ³ª¿À´Âµ¥ openldap ¹öÀüÀÌ ¿Ã¶ó°¡¸é¼­ ±âº»ÀûÀ¸·Î aci°¡ ¼³Á¤µÇÁö ¾ÊÀ¸¸é °ÅºÎ·Î µ¿ÀÛÀÌ ¹Ù²ïµíÇÏ´Ù.

16.2. ¾ÆÆÄÄ¡ ÀÎÁõ¿¡ LDAP »ç¿ëÇϱâ

  • ¿¬µ¿¹æ¹ý¸¸ °£·«È÷ ¼³¸í
  • [http]apache ¿¡¼­ ldap ÀÎÁõ ¾ÆÆÄÄ¡ °ø½ÄÇѱ۹®¼­Áß °ü·Ã³»¿ë
  • htaccess ¿¡¼­ ¾Æ·¡¿Í °°ÀÌ »ç¿ëÇÏ¸é µÊ. »ó¼¼ÇÑ ¼³Á¤À» À§Çؼ­´Â Á»´õ ¸Å´º¾óÀ» º¸°í ¿¬±¸°¡ ÇÊ¿äÇÔ. ¿©±â¼­´Â ¸Å´º¾ó¿¡ ³ª¿Â ³»¿ëÀ» °¡Áö°í ±¸Çö¸¸ Çغ»°ÍÀÓ. dc=samjung,dc=co ÀÌ ºÎºÐÀ» ÀûÀýÈ÷ ¹Ù²Ù¸é µÉ°ÍÀÓ.
[joon@localhost moniwiki]$ cat .htaccess
AuthType Basic
AuthName "joon wiki system"
AuthLDAPURL ldap://localhost:389/ou=people,dc=samjung,dc=com?uid?sub?(objectClass=*)
require valid-user

16.3. samba, ldap ¿¬µ¿

±¸±Û°Ë»öÇؼ­ http://aput.net/~jheiss/samba/ldap.shtml »çÀÌÆ®¸¦ º¸°íÇßÁö¸¸ Àß µÇÁö ¾Ê¾ÒÀ½. ½Ã°£°É¸±µíÇÏ¿© ±×³É ³Ñ¾î°¬À½

17. ldap ¿¡¼­ TLS »ç¿ëÇÑ ¾Ïȣȭ Åë½Å

17.1. ÀÎÁõ ¸ÞÄ¿´ÏÁò

LDAPv3 ¿¡¼­´Â Ŭ¶óÀ̾ðÆ® ÀÎÁõ¿¡ ¿©·¯°¡Áö ¸ÞÄ«´ÏÁòÀ» »ç¿ëÇÑ´Ù.
  • anonymous authentication
  • simple authentication
  • simple authentication over SSL/TLS
  • simple authentication and Security Layer (SASL)

SSL/TLS´Â µÎ°¡Áö ¹æ¹ýÀÌ ÀÖ´Ù. sslÀ» ÅëÇØ ldapÀ» »ç¿ëÇÏ´Â ¹æ¹ý(ldaps, tcp port 636)º¸´Ù´Â StartTLS LDAP È®Àå±â´ÉÀ¸·Î »ç¿ëÇÏ´Â °ÍÀÌ ÁÁ´Ù. StartTLS ´Â tcp 389 port(ldapÆ÷Æ®)¸¦ ÅëÇؼ­ TLS Åë½ÅÀ» ÇÒ ¼ö ÀÖ´Â ±â´ÉÀÌ´Ù. ¼­¹öÀÇ °°Àº Æ÷Æ®¿¡¼­ Ŭ¶óÀ̾ðÆ®ÀÇ ¿äû¿¡ µû¶ó ¾ÏȣȭµÈ ¼¼¼Ç°ú ¾ÏȣȭµÇÁö ¾ÊÀº ¼¼¼ÇÀ» ¸ðµÎ ó¸®ÇÒ ¼ö ÀÖ´Ù.

17.2. ÀÎÁõ¼­ »ý¼º

root CA °¡ ¾øÀ» °æ¿ì ¸ÕÀú »ý¼ºÀ» ÇØÁØ´Ù. ÇØ´ç Á¤º¸´Â ½Ã½ºÅÛ¿¡ ¸Â°Ô ÀûÀýÇÏ°Ô ¼öÁ¤À» ÇÑ´Ù. Common NameÀº ÇØ´ç ¼­¹öÀÇ È£½ºÆ®¸íÀ» ÁöÁ¤ÇÑ´Ù.
# cd /usr/share/ssl/misc
# ./CA -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
............................................................++++++
.++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [KO]:
State or Province Name (full name) [gurogu]:
Locality Name (eg, city) [seoul]:
Organization Name (eg, company) [Samjung dataservice]:
Organizational Unit Name (eg, section) [ITservice]:
Common Name (eg, your name or your server's hostname) [cent3.tunelinux.pe.kr]:
Email Address [joon@sds.co.kr]:


ÀÌÁ¦ LDAP¼­¹ö¿¡¼­ »ç¿ëÇÒ ¼­¹ö ÀÎÁõ¿äû¼­(CSR)À» »ý¼ºÇÑ´Ù. °³ÀÎÅ°´Â slapd-key.pem À¸·Î ÁöÁ¤ÇÏ°í slapd-req.pem ÀÌ CSRÀÌ´Ù. ¿©±â¼­ nodes ¿É¼ÇÀ» ¾´°ÍÀº ldap¼­¹ö¸¦ ³»¸®°í ¿Ã·ÁÁÙ¶§ ºñ¹Ð¹øÈ£¸¦ ³Ö¾îÁÖÁö ¾Êµµ·Ï Çϱâ À§Çؼ­ÀÌ´Ù.
openssl req -new -nodes  -keyout slapd-key.pem -out slapd-req.pem -days 365

ÀÌÁ¦ ¾Õ¿¡¼­ »ý¼ºÇÑ root CA·Î ÀÎÁõ¼­ »çÀÎÀ» ÇÑ´Ù.
openssl ca -out slapd-cert.pem -infiles slapd-req.pem

À§¿¡¼­ »ý¼ºÇÑ ÀÎÁõ¼­¸¦ ÀûÀýÇÑ µð·ºÅ丮·Î ¿Å±ä´Ù. Âü°í·Î CAÅ°´Â /etc/openldap/cacerts ¿¡ µÎ´Âµ¥ CA Å° ¸»°í ¾Æ·¡¿¡¼­ slapdcert.pem µµ ÀÌ µð·ºÅ丮¿¡ µÎ¸é TLS ±â´ÉÀÌ Á¦´ë·Î ÀÛµ¿ÇÏÁö ¾Ê´Â´Ù. ÀÌ µð·ºÅ丮¿¡¼­ ca Å°¸¦ ãµµ·Ï ÇØ ³õ¾Æ¼­ ¿¡·¯°¡ ³ª´Â µíÇÏ´Ù. ÀÚ¼¼ÇÑ ÀÌÀ¯±îÁö´Â ¸ð¸£Áö¸¸ ´Ù¸¥ µð·ºÅ丮¿¡ µÎ¸é µÇ¹Ç·Î ÁÖÀǸ¸ ÇÏ¸é µÉ °ÍÀÌ´Ù.
# cp -p slapd-key.pem /etc/openldap/slapdkey.pem -> private key
# cp -p slapd-cert.pem /etc/openldap/slapdcert.pem -> certificate
# chown ldap:ldap /etc/openldap/slapdcert.pem
# chmod 644 /etc/openldap/slapdcert.pem
# chown ldap:ldap /etc/openldap/slapdkey.pem
# chmod 400 /etc/openldap/slapdkey.pem

# cp /usr/share/ssl/misc/demoCA/cacert.pem /etc/openldap/cacerts/cacert.pem -> CA certificate
# chown ldap:ldap /etc/openldap/cacerts/cacert.pem
# chmod 644 /etc/openldap/cacerts/cacert.pem

±ÍÂúÀº ÀÛ¾÷ÀÌ¶ó¼­ º¹»çÇؼ­ ¾²°Ô ¾Æ·¡¿¡ Àû¾î³õ´Â´Ù.
cp slapd-key.pem /etc/openldap/slapdkey.pem 
cp slapd-cert.pem /etc/openldap/slapdcert.pem
chown ldap:ldap /etc/openldap/slapdcert.pem
chmod 644 /etc/openldap/slapdcert.pem
chown ldap:ldap /etc/openldap/slapdkey.pem
chmod 400 /etc/openldap/slapdkey.pem

cp /usr/share/ssl/misc/demoCA/cacert.pem /etc/openldap/cacerts/cacert.pem
chown ldap:ldap /etc/openldap/cacerts/cacert.pem
chmod 644 /etc/openldap/cacerts/cacert.pem

ldap ¼­¹ö¼³Á¤(slapd.conf)¿¡ ´ÙÀ½ ³»¿ëÀ» Ãß°¡ÇÑ´Ù. global ¼½¼Ç¿¡ Ãß°¡ÇÏ¸é µÈ´Ù.
TLSCipherSuite HIGH:MEDIUM:+SSLv2  -> openssl ciphers
TLSCACertificateFile /etc/openldap/cacerts/cacert.pem -> CA private key
TLSCertificateFile /etc/openldap/slapdcert.pem -> certificate
TLSCertificateKeyFile /etc/openldap/slapdkey.pem -> private key

LDAP ¼­¹ö¿¡¼­ /etc/openldap/ldap.conf ¿¡ ¾Æ·¡ ³»¿ëÀ» Ãß°¡ÇÑ´Ù.
TLS_CACERTDIR /etc/openldap/cacerts
#TLS_REQCERT allow

TLS_REQCERT ´Â TLS ¼¼¼Ç¿¡¼­ ¼­¹ö ÀÎÁõ¼­ üũ¿Í ¿¬°üµÈ ºÎºÐÀÌ´Ù. allow´Â ¼­¹öÀÎÁõ¼­°¡ ¾ø°Å³ª À߸øµÇ¾îµµ ¼¼¼ÇÀÌ ÁøÇàµÈ´Ù. TLS_REQCERT ¿¡¼­ demand·Î ÇÏ¸é ¼­¹öÀÎÁõ¼­¸¦ ¿äûÇ쵂 ¼­¹öÀÎÁõ¼­°¡ ¾ø°Å³ª ÀÎÁõ¼­°¡ À߸øµÇ¾úÀ¸¸é ¼¼¼ÇÀ» ¹Ù·Î ²÷´Â´Ù. (man ldap.conf) ldap ¼­¹ö¸¦ ³»·È´Ù°¡ ´Ù½Ã ¿Ã·ÁÁØ´Ù.

ÀÌÁ¦ ldap Ŭ¶óÀ̾ðÆ®¿¡¼­ ´ÙÀ½ÀÇ ¼³Á¤À» /etc/ldap.conf¿¡ ÇÑ´Ù. ¿©±â¼­ cacert.pemÀº ldap Ŭ¶óÀ̾ðÆ® ½Ã½ºÅÛ¿¡ º¹»ç¸¦ Çصξî¾ß ÇÑ´Ù.
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/cacert.pem
tls_checkpeer ¼­¹ö certificate ¸¦ ÇÊ¿ä·Î ÇÏ°í °ËÁõÀ» Çϵµ·Ï ÇÑ´Ù. (¼³Á¤ÆÄÀÏÀÇ ÁÖ¼®³»¿ë Âü°í)

Âü°í·Î Ŭ¶óÀ̾ðÆ® ¼³Á¤¿¡¼­ authconfig¸¦ ÀÌ¿ëÇϸé tls_cacertdir /etc/openldap/cacerts ·Î ¼³Á¤ÀÌ µÈ´Ù. À§¿Í °°ÀÌ tls_cacertfile ¿É¼ÇÀ» ÀÌ¿ëÇÏ¿© Á÷Á¢ ÆÄÀÏÀ» ÁöÁ¤ÇÒ ¼öµµ ÀÖ°í ¾Æ´Ï¸é /etc/opeanldap/cacerts ÆÄÀÏ¿¡ ÇØ´ç ÀÎÁõ¼­¸¦ ³Ö¾îµÎ¸é authconfig ¿¡¼­ ÀÚµ¿À¸·Î c_rehah À¯Æ¿¸®Æ¼¸¦ ÀÌ¿ëÇÏ¿© ÇØ´ç µð·ºÅ丮¿¡¼­ ÀÎÁõ¼­ÆÄÀÏÀ» °¡¸®Å°´Â ½Éº¼¸¯ ¸µÅ©¸¦ ¸¸µç´Ù.
# ls -alF /etc/openldap/cacerts
total 16
drwxr-xr-x  2 root root 4096 Jan  4 13:15 ./
drwxr-xr-x  4 root root 4096 Jan  4 13:18 ../
-rw-r--r--  1 root root 1346 Jan  4 13:15 cacert.pem
lrwxrwxrwx  1 root root   10 Jan  4 13:14 cc9fe289.0 -> cacert.pem
ÀÚ½ÅÀÌ ÆíÇÑ´ë·Î ¾²¸é µÇ°ÚÁö¸¸ authconfig ¸¦ ÀÌ¿ëÇÑ´Ù¸é ÀÚµ¿À¸·Î »ý¼ºµÇ´Â tls_cacertdir ¿É¼ÇÀ» ½áµµ µÉ °ÍÀÌ´Ù.

18. replication ±¸Çö

18.1. ÁÖÀÇ»çÇ×

openldapÀº ¿ø·¡ single master replication systemÀÌ´Ù. ¾÷µ¥ÀÌÆ®´Â ¸¶½ºÅÍ¿¡¼­¸¸ µÇ°í ³ª¸ÓÁö´Â ÀбâÀü¿ëÀ̶ó´Â °ÍÀÌ´Ù.ÇöÀç openldap¿¡¼­´Â multimaster ¸¦ Áö¿øÇÏ´Â ¾Ê´Â´Ù. replication¿¡µµ µÎ°¡Áö ¹æ½ÄÀÌ ÀÖÀ¸¸ç ±âÁ¸¿¡ »ç¿ëÇÏ´ø slurpd¿Í ÃÖ±ÙºÎÅÍ Áö¿øÇÑ LDAP Sync Replication ÀÌ ÀÖ´Ù. ÇöÀç´Â slurpd¸¸ Å×½ºÆÃÀ» ÇÏ¿´´Ù. ½½·¹À̺꿡¼­ LDAP¼­¹ö¸¦ ³»¸®´Â Å×½ºÆðá°ú Àá½Ãµ¿¾È ³×Æ®¿öÅ©µîÀÇ ¹®Á¦°¡ ÀÖ´Ù°í ÇÏ´õ¶óµµ ½½·¹À̺갡 Á¤»óÀ¸·Î µ¹¾Æ¿À¸é ¸®Çø®ÄÉÀ̼ÇÀÌ Á¤»óÀûÀ¸·Î µ¿À۵Ǿú´Ù. ±×·¸Áö¸¸ ¸îºÐÀ̳»ÀÇ °£´ÜÇÑ Å×½ºÆø¸ ÇÑ °ÍÀ̹ǷΠÀ̰͸¸À» °¡Áö°í ½Å·Ú¼ºÀ» È®ÀÎÇϱâ´Â Èûµé °ÍÀÌ´Ù. ±×·±µ¥ ³×Æ®¿öÅ©ÀÇ ÀÌ»óµîÀ¸·Î ¿¬°áÀÌ µÇ¾îÀÖÁö ¸øÇÒ¶§ ¸¶½ºÅÍ¿¡¼­ »õ·Î¿î °ªÀ» ÀÔ·ÂÇϸé ÀÌ´Â ³ªÁß¿¡ ¿¬°áÀÌ º¹±¸µÇ´õ¶óµµ ÀÚµ¿À¸·Î ½½·¹À̺꿡 µé¾î°¡Áö´Â ¾Ê´Â´Ù.

18.2. LDAP Sync Replication

LDAP Sync Replication Àº consumer-side replicationÀ¸·Î ¸¶½ºÅͼ­¹ö(provider ¼­¹ö)ÀÇ ¼³Á¤À» º¯°æÇϰųª Àç½ÃÀÛÇÏÁö ¾Ê°íµµ replicat¸¦ »ý¼ºÇÒ ¼ö ÀÖ¾î Æí¸®ÇÏ´Ù. slurpd ¹æ½Ä¿¡ ºñÇØ ¿©·¯°¡Áö ÀåÁ¡ÀÌ ÀÖ´Â µí ÇÏÁö¸¸ RHELÀ̳ª CentOS 4.4 ¿¡ ±âº» ¼³Ä¡µÇ¾î ÀÖ´Â openldap 2.2 ´ë¿¡¼­´Â ¸î°¡Áö Á¦¾àÀÌ ÀÖ¾î ½ÇÁ¦·Î ¾²±â´Â ºÒÆíÇÑ µí ÇÏ´Ù. ÀÌ ±â´ÉÀÌ ÇÊ¿äÇÏ´Ù¸é ¼Ò½º·Î ¼³Ä¡ÇÏ¿© ÇØ°áÇÒ ¼ö ÀÖÀ» µí Çѵ¥ °³ÀÎÀûÀ¸·Î´Â ÀÌ ±â´ÉÀÌ ´çÀå Àý½ÇÈ÷ ÇÊ¿äÇÑ °ÍÀº ¾Æ´Ï¶ó¼­ Ãß°¡ Å×½ºÆÃÀº ÇÏÁö ¾Ê¾Ò´Ù. 2.2´ë¿Í 2.3´ë¿¡¼­ ±¸ÇöÇÒ¶§ ¾à°£ÀÇ Â÷ÀÌÁ¡, Á¦¾àÀÌ ÀÖ´Ù.
http://www.openldap.org/doc/admin22/syncrepl.html (openldap 2.2 ¸Å´º¾ó)
While slapd (8) can function as the LDAP Sync provider only when it is configured with either back-bdb or back-hdb backend, the syncrepl engine, which is a consumer-side replication engine, can work with any backends.

http://www.openldap.org/doc/admin23/syncrepl.html (openldap 2.3¸Å´º¾ó)
The syncrepl engine, which is a consumer-side replication engine, can work with any backends. The LDAP Sync provider can be configured as an overlay on any backend, but works best with the back-bdb or back-hdb backend. The provider can not support refreshAndPersist mode on back-ldbm due to limits in that backend's locking architecture.
2.2 ¿¡¼­ ¸¶½ºÅͼ­¹ö´Â ¹é¿£µå·Î back-bdb, back-hdb °¡ ÇÊ¿äÇÏ°í ½½·¹À̺꿡¼­´Â ¹é¿£µå Á¦ÇÑÀÌ ¾ø´Ù. rpm ÆÐÅ°Áö¿¡´Â back-bdb °¡ µ¿ÀÛÇÏÁö ¾Ê¾ÒÀ¸¸ç ÀÌ¿¡ ´ëÇÑ Áö¿øÀº ºüÁ®ÀÖ´Â µíÇÏ´Ù. 2.3 ¿¡¼­´Â ÀÌ·¯ÇÑ Á¦ÇÑÀÌ ¾ø´Ù. ±×·¸Áö¸¸ 2.3¿¡¼­µµ ¹é¿£µå·Î back-bdb ³ª back-hdb¸¦ ÃßõÇÏ°í ÀÖ´Ù.

¼³Á¤ÇÏ´Â ¹æ¹ýµµ ¾à°£ÀÇ Â÷ÀÌ°¡ ÀÖÀ¸¸ç ÀÌ´Â ¸Å´º¾óÀ» Âü°íÇÑ´Ù.

18.3. ±¸Çö¼ø¼­

  • ¸¶½ºÅͼ­¹öÀÇ slapd ´ë¸ó ³»¸²
  • ¸¶½ºÅͼ­¹öÀÇ slapd.conf ¼³Á¤
  • ¸¶½ºÅͼ­¹öÀÇ µ¥ÀÌŸ¸¦ ½½·¹À̺꿡 º¹»çÇÏ°í ½½·¹ÀÌºê ¼­¹ö¿¡ ³Ö¾îÁÜ (ÀÌ°æ¿ì ½½·¹ÀÌºê ¼­¹ö´Â ³»·Á°¡ ÀÖ´Ù°í °¡Á¤ÇÏ°í ÀÌÈÄ¿¡ ¼¼ºÎ ¼³Á¤ÇÔ)
  • ½½·¹À̺꼭¹öÀÇ slpad.conf¸¦ ¼³Á¤
  • ½½·¹À̺꼭¹öÀÇ slapd ½ÃÀÛ
  • ¸¶½ºÅͼ­¹öÀÇ slapd ½ÃÀÛ
  • ¸¶½ºÅͼ­¹öÀÇ slurpd ½ÃÀÛ (centOS ¿¡¼­´Â replica ¼³Á¤ÀÌ ÀÖ´Â °æ¿ì ½ÃÀÛ½ºÅ©¸³Æ®¿¡¼­ ÀÚµ¿À¸·Î slapd, slurpd ÇÔ²² ½ÃÀÛÇÔ)

18.4. ¸¶½ºÅͼ­¹ö ¼³Á¤

¸¶½ºÅͼ­¹ö¿¡¼­´Â ¾Æ·¡ÀÇ ³»¿ëÀ» /etc/openldap/sldapd.conf ¿¡ Ãß°¡ÇÑ´Ù.
replogfile /var/lib/ldap/openldap-master-replog
replica uri=ldap://cent.tunelinux.pe.kr:389
        suffix="dc=samjung,dc=com"
        binddn="cn=replica,dc=samjung,dc=com"
        credentials=xxxx
        bindmethod=simple
        tls=yes
replogfile Àº ¸¶½ºÅͼ­¹ö¿¡¼­ slapd°¡ ·Î±× º¯È­¸¦ ±â·ÏÇÏ´Â ÆÄÀÏÀÌ´Ù. ÀÌ ÆÄÀÏÀ» slurpd°¡ Àо ½½·¹ÀÌºê ¼­¹ö·Î º¸³½´Ù. replica ¸¦ ÀÌ¿ëÇÏ¿© °¢ ½½·¹ÀÌºê ¼­¹ö¸¦ ÁöÁ¤ÇÑ´Ù.
  • uri : ½½·¹ÀÌºê ¼­¹ö ¹× Æ÷Æ®
  • suffix : suffix
  • binddn : ½½·¹ÀÌºê ¼­¹öÀÇ sldapd.conf ¿¡¼­ updatedn °ú ÀÏÄ¡ÇؾßÇÑ´Ù. ½½·¹ÀÌºê ¼­¹ö¿¡¼­ ÀÌ ±ÇÇÑÀ» °¡Áö°í ¸¶½ºÅͼ­¹ö¿¡¼­ ¿À´Â ·Î±×¸¦ ±â·ÏÇÑ´Ù. ¸¶½ºÅͼ­¹öÀÇ rootdn°ú´Â ´ç¿¬È÷ ´Ù¸£°Ô Çϴ°ÍÀÌ ÁÁÀ» °ÍÀÌ´Ù.
  • bindmethod´Â ½½·¹À̺ê¿Í Åë½ÅÀ» Çϴµ¥ »ç¿ëÇϸç simple, sasl À» ¼±ÅÃÇÒ ¼ö ÀÖ´Ù. ¿©±â¼­´Â simpleÀ» ¼±ÅÃÇÏ¿´À¸¸ç credentials ´Â ½½·¹ÀÌºê ¼­¹ö¿¡ ¹ÙÀεåÇϱâ À§ÇÑ Æнº¿öµåÀÌ´Ù. ÀÌ´Â ½½·¹À̺꼭¹ö¿¡¼­ ÁöÁ¤ÇÑ °ÍÀ» ³ÖÀ¸¸é µÈ´Ù.
  • tls ´Â ¸¶½ºÅͼ­¹ö¿Í ½½·¹À̺꼭¹ö°£ÀÇ Åë½ÅÀ» ¾ÏȣȭÇÑ´Ù.
  • ¸¶½ºÅͼ­¹ö¿¡¼­ µ¥ÀÌŸ¸¦ ½½·¹À̺꼭¹ö·Î ¿Å±â´Â °æ¿ì¿¡ ldap¼­¹ö¸¦ ³»¸®°í slapcat À» ÀÌ¿ëÇÏ¿© LDIF ÆÄÀÏÇüÅ·Π¿Å±æ ¼ö ÀÖ´Ù. ¸®Çø®Ä«(½½·¹À̺ê)¿¡¼­´Â slapadd ¸¦ ÀÌ¿ëÇÏ¿© µ¥ÀÌŸ¸¦ º¹¿øÇÏ¸é µÈ´Ù. ±×Àü¿¡ slapd.conf ¼³Á¤Àº µÇ¾îÀÖ¾î¾ß ÇÒ °ÍÀÌ´Ù.
root@master# slapcat -b "dc=samjung,dc=com" -l contents.ldif
... contents.ldif¸¦ ½½·¹À̺ê·Î º¹»çÇÑ´Ù.
root@replica# slapadd -l contents.ldif 

18.5. ½½·¹À̺꼭¹ö ¼³Á¤

> rootdn                "cn=replica,dc=samjung,dc=com"
> rootpw                {SSHA}IgT24XXXXEGN9aaLhBduKPJCp
> updatedn      "cn=replica,dc=samjung,dc=com"
> updateref     ldap://cent3.tunelinux.pe.kr
  • updatedn : ¸¶½ºÅͼ­¹öÀÇ ¼³Á¤°ú ÀÏÄ¡ÇؾßÇÑ´Ù. updatednÀº ÇØ´ç µ¥ÀÌŸ¿¡ ¾²±â ±ÇÇÑÀÌ ÀÖ¾î¾ß ÇÑ´Ù.
  • updateref : Ŭ¶óÀ̾ðÆ®¿¡°Ô ¸¶½ºÅÍ µð·ºÅ丮 ¼­¹ö¸¦ ¾Ë·ÁÁÖ´Â URL. Ŭ¶óÀ̾ðÆ®°¡ ¾÷µ¥ÀÌÆ® ¿äûÀ» ÇÏ´Â °æ¿ì ¸¶½ºÅͼ­¹ö¸¦ ¾Ë·ÁÁØ´Ù.

18.6. ¸®Çø®ÄÉÀ̼ǽà ÀÛµ¿¹æ½Ä

Ŭ¶óÀ̾ðÆ®¿¡¼­´Â /etc/ldap.conf ÀÇ host ¿¡ master, slave ¼­¹ö¸¦ ¸ðµÎ ÁöÁ¤ÇØÁØ´Ù. ½½·¹À̺꿡¼­´Â updateref¸¦ ÀÌ¿ëÇÏ¿© ½½·¹À̺꿡 ¾÷µ¥ÀÌÆ®¿äû½Ã ¸¶½ºÅͼ­¹ö·Î ¾÷µ¥ÀÌÆ® ¿äûÀ» º¸³½´Ù. ¿¹¸¦ µé¾î À§¿¡¼­ people¿¡ ¼ÓÇÑ »ç¿ëÀÚÀÇ °æ¿ì ÀÚ½ÅÀÇ Æнº¿öµå¸¦ º¯°æÇÒ ¼ö°¡ ÀÖ´Ù. ÀÌ°æ¿ì slave ¼­¹ö¿¡¼­ ÀÚ½ÅÀÇ Æнº¿öµå¸¦ º¯°æÇÒ °æ¿ì ÀÌ¿¡ ´ëÇÑ ¿äûÀº ¸¶½ºÅÍ·Î °¡°í ¸¶½ºÅÍ¿¡¼­ ¾÷µ¥ÀÌÆ®ÇÑÈÄ ´Ù½Ã ½½·¹À̺꼭¹ö·Î µ¿±âÈ­°¡ µÈ´Ù. ´Ü, rootdnÀº Á÷Á¢ ÀÛµ¿ÇÏ¿´´Ù.

19. ±âŸ

19.1. GUI tool

  • http://ldapadmin.sourceforge.net/ ldap °Ë»ö, ¼öÁ¤ µî ÇÒ ¼ö ÀÖ´Â À©µµ¿ì °ø°³ÇÁ·Î±×·¥(GPL) ÀÌ ½ÇÁ¦ »ç¿ëÇغ¸´Ï Æí¸®ÇÔ. GUI¿¡¼­ »ç¿ëÀÚ À̵¿, º¹»ç, ±×·ì¿¡ ¿©·¯ »ç¿ëÀÚ Ãß°¡µî °¡´ÉÇÔ
  • phpLDAPadmin (php), LDAP Account Manager(LAM, php), LDAP Browser(ÀÚ¹Ù)µîÀ¸·Î µÈ ÇÁ·Î±×·¥ÀÌ ÀÖÀ¸³ª »ç¿ëÇϱ⿡´Â ºÒÆíÇÔ
  • LDAP Account Manager: lam.sourceforge.net À¥À¸·Î °èÁ¤Ãß°¡ ¹× °ü¸® °¡´É
  • phpLDAPadmin: phpldapadmin.sourceforge.net
  • LDAP Browser: www-unix.mcs.anl.gov/~gawor/ldap

19.2. ·Î±×È®ÀÎ

sldapd.conf ¿¡¼­ loglevel À» ¼³Á¤ÇÑ´Ù. 296 = 256 log connections/operations/results + 32 search filter processing + 8 connection management
loglevel        256
LDAPÀº LOG_LOCAL4 facility¸¦ »ç¿ëÇϹǷΠ/etc/syslog.conf ¿¡ ¾Æ·¡ÀÇ ¼³Á¤À» ÇÑ´Ù. ldap¸¸ º°µµ ÆÄÀÏ·Î ÀúÀåÇÒ ¼öµµ ÀÖ´Ù. ÀÌ °æ¿ì¿¡´Â ·Î±×·ÎÅ×À̼ÇÀ» ÁÖ±âÀûÀ¸·Î ÇØÁÖ¾î¾ß ÇÑ´Ù.
# grep local4 /etc/syslog.conf
local4.*                                                /var/log/messages

ÀÌ°æ¿ì syslogd ¸¦ ´Ù½Ã Àç½ÃÀÛÇØÁÖ¾î¾ß ÇÑ´Ù.

Âü°í·Î openldap ¹®¼­¿¡µµ ·Î±×·¹º§¿¡ ´ëÇÑ ³»¿ëÀº ÀÖÁö¸¸ ³²°ÜÁø ·Î±×¸¦ ¾î¶»°Ô ºÐ¼®ÇÏ¸é µÇ´ÂÁö¿¡ ´ëÇؼ­´Â »ó¼¼ÇÑ ¼³¸íÀº ¾ø¾ú´Ù. ÀÌ¿¡ ´ëÇؼ­´Â ÀÛµ¿¹æ½ÄÀº ºñ½ÁÇÒ °ÍÀÌ¶ó ¿©°ÜÁö¹Ç·Î ·¹µåÇÞ µð·ºÅ丮 ¼­¹öÀÇ ¸Å´º¾óÀ» Âü°íÇÏ¸é µÉ µí ÇÏ´Ù. ÀÌ¿¡ ´ëÇÑ ³»¿ëÀº [http]·¹µåÇÞ µð·ºÅ丮 ¼­¹ö ¸Å´º¾ó Áß¿¡¼­ Configuration, Command, and File Reference ÀÇ Chapter 5 Access Log and Connection Code Reference ¸¦ Âü°íÇÑ´Ù. ¿©±â¼­ ·Î±×¿¡ ³²´Â ±â·ÏÀÌ ¾î¶² ¿¡·¯ÄÚµåÀÎÁö ¼³¸íÀ» Âü°íÇÏÀÚ.

19.3. µ¿ÀûÀÎ ¼­¹ö¼³Á¤ Áö¿ø

openldap 2.3¿¡¼­´Â slapd.conf ¼³Á¤µµ LDIF ÇüŸ¦ Áö¿øÇÑ´Ù. ±×·¡¼­ ¿î¿µÁßÀÎ »óÅ¿¡¼­µµ ldap ¼­¹öÀÇ ¼³Á¤°ªÀ» º¯°æÇÒ ¼ö ÀÖ´Ù. 2007-01-04 17:01:58 ÇöÀç CentOS 4.4 ¿¡ ÀÖ´Â rpmÀº 2.2 ¹öÀüÀÌ´Ù.

19.4. Object Class Types

Object Class Types Àº Structural , Auxiliary, Abstract ¼¼°¡Áö°¡ ÀÖ´Ù. ÁÖÀÇ»çÇ×À¸·Î´Â LDAP µð·ºÅ丮ÀÇ °¢ ¿£Æ®¿¡´Â ÇϳªÀÇ Structural object class¸¸ ÀÖ¾î¾ß ÇÑ´Ù. (¿À·¼¸® LDAP admin 20ÆäÀÌÁö)

19.6. db »ý¼º, °ü¸®ÇÁ·Î±×·¥

slapadd : ¿ÀÇÁ¶óÀο¡¼­ µ¥ÀÌŸ Ãß°¡ slapindex : ¿ÀÇÁ¶óÀο¡¼­ À妽º Àç»ý¼º. slapd.conf ¿¡¼­ ¼³Á¤ÀÌ ¹Ù²ï °æ¿ì ±âÁ¸ À妽º°¡ ÀÚµ¿À¸·Î º¯°æµÇÁö ¾Ê´Â´Ù. ÀÌ·¯ÇÑ °æ¿ì ÇÊ¿äÇÏ´Ù. slapcat : ¿ÀÇÁÆÄÀο¡¼­ µ¥ÀÌŸ¸¦ LDIF ÇüÅ·Π´ýÇÁ¶ã¶§ »ç¿ë. ¹é¾÷½Ã Æí¸®ÇÔ.

19.7. nscd ³×ÀÓ¼­ºñ½º ij½³ ´ë¸ó »ç¿ëÇϱâ

nscd´Â NIS, DNS µîÀÇ ³×ÀÓ¼­ºñ½º¸¦ ij½³ÇÒ ¼ö Àִµ¥ /etc/nscd.conf ¿¡¼­ ±âº»¼³Á¤Àº passwd, group, hosts °¡ ÁöÁ¤µÇ¾î ÀÖ´Ù. LDAP°ú ¿¬µ¿À» ÇÏ´Â °æ¿ì nscd¸¦ »ç¿ëÇÏ¿© Á»´õ ºü¸¥ °á°ú¸¦ ¾òÀ» ¼ö ÀÖÀ» °ÍÀÌ´Ù.

ID
Password
Join
Your mode of life will be changed for the better because of good news soon.


sponsored by andamiro
sponsored by cdnetworks
sponsored by HP

Valid XHTML 1.0! Valid CSS! powered by MoniWiki
last modified 2007-03-30 11:40:34
Processing time 0.0288 sec