'''LDAP''' '''문태준''' [[DateTime(2007-01-04T07:57:22)]]

http://tunelinux.pe.kr
http://database.sarang.net

[[TableOfContents]]

== Before we begin ==

This document was first written in MoniWiki, and the company wiki has since changed, so some later revisions are not included below and converting them one by one is inconvenient. The final revised version can be downloaded from the URL below. (2007.3.30)

[http://tunelinux.pe.kr/gboard/bbs/board.php?bo_table=info&wr_id=37| Account consolidation with LDAP and integration with various applications]

== LDAP overview ==

 * What LDAP is for: it is optimized for reads and suits directory-structured data (ISPs use it to store DHCP address-allocation records, certificate data and so on).
 * What you can do with LDAP:
  * User information consolidation: OS accounts, e-mail accounts, ftp, http, Outlook address books and the like can all be unified. For OS accounts, access can be restricted per host and user combination.
  * For reference, Windows Active Directory uses LDAP together with Kerberos: LDAP for account and general data consolidation, Kerberos for single sign-on (SSO). With Kerberos the password is never sent over the network; the client talks to the key server, and for the lifetime of the ticket it is issued no separate login to the required resources is needed.

== About this document ==

 * Everything here was tested on Red Hat Enterprise Linux 3 and CentOS 4.4; other Linux distributions should work similarly. PAM configuration and the like may differ between systems.
 * This is not an introduction to LDAP; consult other documents for that.
 * There are several resources on account consolidation with OpenLDAP; this document adds the detailed material that is needed on top of them.
 * Unified user authentication with LDAP (id, group, hosts)
 * Per-user and per-host login restrictions
 * Account and group management program (cpu)
 * ldap replication (1 master, 1 slave)
 * Encrypted communication using TLS
 * Shared user home directories with nfs and autofs
 * Address books in Outlook and other clients
 * Apache authentication
 * Checking logs (syslog)
 * GUI management programs
 * [[DateTime(2007-01-07T07:36:50)]] Added host access control using NIS netgroups

== References ==

=== Introductory material for LDAP beginners ===

 * Korean-language material on LDAP amounts to one document on DSN, the KLDP LDAP HOWTO and a few others; for detail you have to read the English sources.
 * http://database.sarang.net/?inc=read&aid=1243&criteria=ldap&subcrit=tutorials&id=&limit=20&keyword=&page=1 : "Everything about LDAP", ver 20011126. A general LDAP document posted to DSN in 2001. There is little Korean material on LDAP, and this is the most detailed Korean explanation available. It covers LDAP basics through everyday usage and is worth reading first.
 * http://wiki.kldp.org/wiki.php/LinuxdocSgml/LDAP-HOWTO : the KLDP LDAP HOWTO
 * O'Reilly, LDAP System Administration: a general treatment of LDAP with detailed material on integrating various applications with it
 * http://www.openldap.org/doc/admin23/ OpenLDAP documentation: for basic OpenLDAP usage, refer to the project's own documents

=== Account consolidation with LDAP ===

 * http://www.linuxjournal.com/article/8119 : OpenLDAP Everywhere. Account consolidation with OpenLDAP plus autofs, with detailed setup steps. The main reference used here.
 * http://www-128.ibm.com/developerworks/library/l-openldap/index.html : account consolidation with OpenLDAP; covers log tuning, replication and TLS setup
 * http://www.samag.com/documents/s=9494/sam0502a/0502a.htm : Centralized User Management with Kerberos and LDAP. User consolidation with Kerberos and LDAP, including an introduction to the cpu program
 * http://www.linuxjournal.com/article/5505 : Highly Available LDAP. An LDAP HA setup using open-source HA software. Not about LDAP configuration itself, so probably of limited help, but included for reference.

=== Other references ===

 * http://www.redhat.com/docs/manuals/dir-server/ Red Hat's LDAP documentation. The Administrator's Guide is worth a look, and the Deployment Guide covers LDAP design in detail.
 * http://www.redhat.com/docs/manuals/dir-server/deploy/7.1/deployTOC.html Deployment Guide, Red Hat Directory Server: data design, schema design, directory tree design, topology design, replication design, security design, tuning and optimization, operational decisions
 * http://directory.fedora.redhat.com/ Fedora Directory Server. Red Hat Directory Server is the product Red Hat made after acquiring Netscape Directory; Fedora Directory Server is its open-source release.

== Things to decide beforehand ==

=== Policy decisions ===

 * LDAP design: data design, schema design, directory tree design, topology design, replication design, security design, tuning and optimization, operational decisions
 * Choosing the dc (suffix): the domain to use, and the rootdn password
 * Account policy: UID and GID ranges

=== Packages to install ===

 * Install with RPM
 * openldap-devel: needed to build programs that link against OpenLDAP; required if you want to use the cpu program
 * openldap: libraries needed to run the OpenLDAP server and client programs
 * openldap-clients: client programs
 * openldap-servers: server programs
 * nss_ldap: NSS library and PAM module for LDAP

== LDAP server configuration ==

Add rootpw to /etc/openldap/slapd.conf.
This is what authenticates with root (directory administrator) privileges. The password hash below was generated with slappasswd.

{{{
[root@localhost openldap]# grep -v "^#" slapd.conf
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema

allow bind_v2

pidfile         /var/run/slapd.pid
argsfile        /var/run/slapd.args

loglevel        256

TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
TLSCertificateFile /etc/openldap/slapdcert.pem
TLSCertificateKeyFile /etc/openldap/slapdkey.pem

database        bdb
suffix          "dc=samjung,dc=com"
rootdn          "cn=manager,dc=samjung,dc=com"
rootpw          {SSHA}aaaaaamoxk2Sswm8NbHZbCx9LxextJ
directory       /var/lib/ldap

index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
cachesize 2000

access to dn.subtree="dc=samjung,dc=com" attr=userPassword
        by self write
        by * auth
access to dn.subtree="ou=people,dc=samjung,dc=com"
        by * read
access to dn.subtree="ou=group,dc=samjung,dc=com"
        by * read
access to dn.subtree="ou=hosts,dc=samjung,dc=com"
        by * read
access to *
        by * auth

replogfile      /var/lib/ldap/openldap-master-replog
replica uri=ldap://cent.tunelinux.pe.kr:389
        suffix="dc=samjung,dc=com"
        binddn="cn=replica,dc=samjung,dc=com"
        credentials=xxxxxx
        bindmethod=simple
        tls=yes
}}}

Adjust suffix to your domain, make rootdn match it, and set rootpw.

{{{
# /etc/init.d/ldap start
Starting slapd:                                            [  OK  ]
}}}

The TLS part can be left out of the initial setup. The ACLs let users change only their own password, while the people, group and hosts information is readable by anyone. The replication part can also be omitted at first.

{*} The database backend modules include ldbm and bdb. bdb was introduced in OpenLDAP 2.1 and is tied to the {{{Berkeley}}} DB4 library. bdb is said to be better than ldbm, but I have not checked in what respects.
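The rootpw above is an {SSHA} value produced by slappasswd. As an added example, not code from the original page, the following Python builds and verifies values in that format: base64 of SHA-1(password + salt) followed by the 4-byte salt, so slapd.conf never holds the cleartext password yet a candidate password can still be checked against it. The function names and the sample password are my own.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# slappasswd's {SSHA} layout: "{SSHA}" + base64( SHA1(password || salt) || salt ).
# The salt (4 random bytes in slappasswd) is carried inside the value, so the
# value alone is enough to verify a password later.
SALT_LEN = 4
SHA1_LEN = 20


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return an {SSHA} value usable as rootpw or userPassword."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_password(stored: str, candidate: str) -> bool:
    """Check a candidate password against a stored {SSHA} or {SHA} value.

    The scheme prefix selects the algorithm; for {SSHA} the salt is whatever
    follows the 20-byte SHA-1 digest. The comparison is constant-time.
    """
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("expected a {SCHEME}base64 value")
    scheme, _, encoded = stored[1:].partition("}")
    raw = base64.b64decode(encoded)
    data = candidate.encode("utf-8")
    if scheme.upper() == "SSHA":
        digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
        return hmac.compare_digest(hashlib.sha1(data + salt).digest(), digest)
    if scheme.upper() == "SHA":
        return hmac.compare_digest(hashlib.sha1(data).digest(), raw)
    raise ValueError("unsupported password scheme: " + scheme)


def demo() -> bool:
    """Round trip with a fixed salt and with a random one (hypothetical password)."""
    fixed = ssha_hash("manager-secret", salt=b"s4lt")
    random_salt = ssha_hash("manager-secret")
    return (
        verify_password(fixed, "manager-secret")
        and not verify_password(fixed, "Manager-secret")
        and verify_password(random_salt, "manager-secret")
        and fixed != random_salt  # same password, different salt, different value
    )


if __name__ == "__main__":
    print(ssha_hash("manager-secret"))
    print("demo ok:", demo())
```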
== Entering the basic data ==

=== Creating the directory structure ===

Save the following as top.ldif:

{{{
dn: dc=samjung,dc=com
objectclass: dcObject
objectclass: organization
o: samjung Company
dc: samjung

dn: cn=manager, dc=samjung, dc=com
objectclass: organizationalRole
cn: manager

dn: ou=people, dc=samjung, dc=com
ou: people
objectclass: organizationalUnit
objectclass: domainRelatedObject
associatedDomain: samjung.com

dn: ou=contacts,ou=people, dc=samjung, dc=com
ou: contacts
ou: people
objectclass: organizationalUnit
objectclass: domainRelatedObject
associatedDomain: samjung.com

dn: ou=group, dc=samjung, dc=com
ou: group
objectclass: organizationalUnit
objectclass: domainRelatedObject
associatedDomain: samjung.com
}}}

ou=contacts above is not actually used below; it is there for the case where LDAP is used for an e-mail address book.

{{{
# ldapadd -x -D 'cn=manager,dc=samjung,dc=com' -W -f top.ldif
Enter LDAP Password:
adding new entry "dc=samjung,dc=com"
adding new entry "cn=manager, dc=samjung, dc=com"
adding new entry "ou=people, dc=samjung, dc=com"
adding new entry "ou=contacts,ou=people, dc=samjung, dc=com"
adding new entry "ou=group, dc=samjung, dc=com"
}}}

=== Option reference for the ldap command-line tools ===

You can also use -w password; -W prompts for it on the command line.

 * -x : simple authentication, the basic authentication method
 * -D : specify the bind DN
 * -f file : read input from a file
 * -W : prompt for simple authentication; the password is entered separately
 * -w : give the password directly as a command-line option
 * -b : search base, the scope of the search

=== Searching for what was entered above ===

{{{
# ldapsearch -x -b 'dc=samjung,dc=com'
version: 2

#
# filter: (objectclass=*)
# requesting: ALL
#

# samjung, com
dn: dc=samjung,dc=com
objectClass: dcObject
objectClass: organization
o: samjung Company
dc: samjung

(omitted...)

# search result
search: 2
result: 0 Success

# numResponses: 6
# numEntries: 5
}}}

== Adding accounts ==

=== Creating a single Linux login through LDAP ===

First decide the account policy. Below I assume the following:

{{{
System accounts                     : UID < 500
Real people in LDAP                 : 499 < UID < 10,000
Local users, groups (not in LDAP)   : > 10,000
}}}

=== Creating a user entry for the local computer ===

Create an account called ldaptest with uid 1000, gid 1000 and home directory /home/ldaptest:

{{{
# cat people.ldif
# ldaptest, people, samjung.com
dn: uid=ldaptest,ou=people,dc=samjung,dc=com
cn: ldaptest
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/ldaptest
loginShell: /bin/bash
shadowLastChange: 11192
shadowMin: -1
shadowMax: 99999
shadowWarning: 7
shadowInactive: -1
shadowExpire: -1
shadowFlag: 134538308
uid: ldaptest
userPassword: {crypt}$1$OQAQLKrD$ktucNP.aAo/w5gbuAIV6H1
}}}

Add it as follows:

{{{
# ldapadd -x -D 'cn=manager,dc=samjung,dc=com' -W -f people.ldif
Enter LDAP Password:
adding new entry "uid=ldaptest,ou=people,dc=samjung,dc=com"
}}}

Search for it as follows:

{{{
# ldapsearch -x -b "dc=samjung,dc=com" "(objectclass=*)"
}}}

Deleting the user:

{{{
ldapdelete -x -D 'cn=manager,dc=samjung,dc=com' 'uid=ldaptest,ou=people,dc=samjung,dc=com' -W
}}}

=== Migrating existing account data ===

The /usr/share/openldap/migration/ directory contains programs for migrating existing data. First adjust a few options in migrate_common.ph. Below, migrate_common.ph is the modified file and migrate_common.ph.orig the original.

{{{
# diff migrate_common.ph migrate_common.ph.orig
71c71
< $DEFAULT_MAIL_DOMAIN = "sds.co.kr";
---
> $DEFAULT_MAIL_DOMAIN = "padl.com";
74c74
< $DEFAULT_BASE = "dc=samjung,dc=com";
---
> $DEFAULT_BASE = "dc=padl,dc=com";
90c90
< $EXTENDED_SCHEMA = 1;
---
> $EXTENDED_SCHEMA = 0;

/usr/share/openldap/migration/migrate_passwd.pl /etc/passwd
/usr/share/openldap/migration/migrate_group.pl /etc/group
}}}

These programs handle not only passwd and group but also /etc/networks, /etc/protocols, /etc/services, /etc/netgroup and more. Moving /etc/hosts into LDAP is covered again later.
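As an added example (not part of the original page or of the PADL migration tools), here is a Python equivalent of the migrate_passwd.pl step that also applies the UID policy above: it reads constructed /etc/passwd and /etc/shadow samples, keeps only accounts with 499 < UID < 10000, and emits posixAccount/shadowAccount LDIF entries in the same shape as people.ldif. The sample lines and function names are constructed for this example.

```python
from typing import Dict, List

BASE_DN = "dc=samjung,dc=com"            # suffix used throughout this page
PEOPLE_DN = "ou=people," + BASE_DN

# UID policy from the text above: system accounts UID < 500,
# real people 499 < UID < 10000, local (non-LDAP) users and groups > 10000.
LDAP_UID_MIN, LDAP_UID_MAX = 500, 9999

# Constructed sample input (not copied from a real system). The ldaptest line
# mirrors the people.ldif entry above; the others only exercise the policy filter.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
ldaptest:x:1000:1000:LDAP test user:/home/ldaptest:/bin/bash
joon:x:1001:2000:Joon:/home/joon:/bin/bash
localsvc:x:10050:10050:Local service account:/home/localsvc:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$1$cccccccc$dddddddddddddddddddddd:11192:0:99999:7:::
ldaptest:$1$OQAQLKrD$ktucNP.aAo/w5gbuAIV6H1:11192:-1:99999:7:-1:-1:134538308
joon:!!:11192:0:99999:7:::
localsvc:$1$eeeeeeee$ffffffffffffffffffffff:11192:0:99999:7:::
"""

# shadowAccount attributes, in /etc/shadow field order after the hash
SHADOW_ATTRS = ("shadowLastChange", "shadowMin", "shadowMax", "shadowWarning",
                "shadowInactive", "shadowExpire", "shadowFlag")


def in_ldap_range(uid: int) -> bool:
    """True for accounts the policy says belong in LDAP."""
    return LDAP_UID_MIN <= uid <= LDAP_UID_MAX


def parse_shadow(text: str) -> Dict[str, List[str]]:
    """Map login name -> the fields after the name in /etc/shadow."""
    shadow: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            shadow[fields[0]] = fields[1:]
    return shadow


def passwd_to_ldif(passwd_text: str, shadow_text: str) -> List[str]:
    """One LDIF entry (as a string) per in-policy account.

    Locked accounts ("!", "!!" or "*" in the shadow file) get no userPassword,
    so they cannot bind; that choice is mine, not migrate_passwd.pl's.
    """
    shadow = parse_shadow(shadow_text)
    entries: List[str] = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, gecos, home, shell = line.split(":")
        if not in_ldap_range(int(uid)):
            continue
        attrs = [
            f"dn: uid={name},{PEOPLE_DN}",
            f"cn: {name}",
            "objectClass: account",
            "objectClass: posixAccount",
            "objectClass: shadowAccount",
            "objectClass: top",
            f"uidNumber: {uid}",
            f"gidNumber: {gid}",
            f"homeDirectory: {home}",
            f"loginShell: {shell}",
        ]
        if gecos:
            attrs.append(f"gecos: {gecos}")
        sfields = shadow.get(name, [])   # [hash, lastchg, min, max, warn, inact, expire, flag]
        for attr, value in zip(SHADOW_ATTRS, sfields[1:8]):
            if value:
                attrs.append(f"{attr}: {value}")
        attrs.append(f"uid: {name}")
        if sfields and sfields[0] not in ("", "!", "!!", "*"):
            attrs.append("userPassword: {crypt}" + sfields[0])
        entries.append("\n".join(attrs))
    return entries


if __name__ == "__main__":
    print("\n\n".join(passwd_to_ldif(SAMPLE_PASSWD, SAMPLE_SHADOW)))
```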
=== Creating a group entry ===

{{{
# cat group.ldif
dn: cn=webdev,ou=group,dc=samjung,dc=com
objectClass: posixGroup
objectClass: top
cn: webdev
gidNumber: 2000
memberUid: ldaptest

# ldapadd -x -D 'cn=manager,dc=samjung,dc=com' -W -f group.ldif
Enter LDAP Password:
adding new entry "cn=webdev,ou=group,dc=samjung,dc=com"
}}}

This creates the webdev group with gid 2000 and puts ldaptest in it. Search as follows:

{{{
# ldapsearch -x -b 'dc=samjung,dc=com'
}}}

== LDAP client configuration ==

=== Configuring the LDAP client ===

Configure it with authconfig. This program automatically rewrites /etc/ldap.conf, /etc/nsswitch.conf, /etc/sysconfig/authconfig and /etc/pam.d/system-auth.

Under User Information Configuration select Use LDAP -> Next -> under Authentication Configuration enable Use LDAP Authentication. Fill in Server and Base DN appropriately; here the base DN is dc=samjung,dc=com. start_tls is explained later.

{{{
# diff /etc/ldap.conf.orig /etc/ldap.conf
18c18
< base dc=example,dc=com
---
> base dc=samjung,dc=com

# diff /etc/openldap/ldap.conf.orig /etc/openldap/ldap.conf
16c16
< BASE dc=example,dc=com
---
> BASE dc=samjung,dc=com

# diff /etc/nsswitch.conf.orig /etc/nsswitch.conf
33,35c33,35
< passwd:     files
< shadow:     files
< group:      files
---
> passwd:     files ldap
> shadow:     files ldap
> group:      files ldap
53c53
< protocols:  files
---
> protocols:  files ldap
55c55
< services:   files
---
> services:   files ldap
57c57
< netgroup:   files
---
> netgroup:   files ldap
61c61
< automount:  files
---
> automount:  files ldap
}}}

/etc/ldap.conf is needed for the LDAP client configuration and has a number of extra options. The defaults work once base and host are changed, but a few more were added below: start_tls for TLS, pam_check_host_attr for per-user server access restrictions, pam_filter and pam_login_attribute for the objectclass and login attribute used when looking up users, and nss_base entries as base filters so that each kind of information is found quickly.
For initial testing these options are not needed.

{{{
# grep -v "^#" /etc/ldap.conf
host cent3.tunelinux.pe.kr
base dc=samjung,dc=com
timelimit 120
bind_timelimit 120
idle_timelimit 3600
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/cacert.pem
pam_password md5
pam_check_host_attr yes
pam_filter objectclass=posixAccount
pam_login_attribute uid
nss_base_passwd         ou=people,dc=samjung,dc=com?one
nss_base_shadow         ou=people,dc=samjung,dc=com?one
nss_base_group          ou=group,dc=samjung,dc=com?one
nss_base_hosts          ou=hosts,dc=samjung,dc=com?one
nss_base_netgroup       ou=netgroup,dc=samjung,dc=com?one
}}}

For reference, when several LDAP servers are used (with replication, for example), list them space-separated in host. In authconfig the servers are separated with commas instead.

{{{
# grep ^host /etc/ldap.conf
host cent3.tunelinux.pe.kr cent.tunelinux.pe.kr
}}}

=== Displaying group information ===

With only host and base in /etc/ldap.conf there were cases where id and similar commands showed group information only as numbers, without the names. Setting nss_base_group in /etc/ldap.conf, as shown just above, fixed it.

{{{
nss_base_group          ou=group,dc=samjung,dc=com?one
}}}

Check this information with getent, for example getent passwd and getent group.

{{{
# getent passwd
# getent group
}}}

== Handling user home directories ==

When users authenticate through LDAP, specifying a home directory in the user's LDIF entry does not create the actual directory. There are two ways to handle this:

 * Mount the home directory automatically from NFS at login using autofs and nfs: convenient when the users' data should also be the same everywhere.
 * Use PAM to create the home directory automatically when it does not exist: add the following module to /etc/pam.d/system-auth. The umask below creates directories with mode 700 by default; change it as needed.

{{{
session     optional      /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel umask=0077
}}}

== Putting /etc/hosts data into LDAP ==

/usr/share/openldap/migration/ contains the various migration tools.
migrate_base.pl shows the basic entries that can be migrated. Use migrate_base.pl to extract the base entry for hosts, then convert the /etc/hosts data and load it into LDAP. Details are omitted.

{{{
# ./migrate_base.pl
dn: ou=Hosts,dc=samjung,dc=com
ou: Hosts
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: sds.co.kr
}}}

Put the hosts part of the output above into an LDIF file and load it. migrate_hosts.pl converts the /etc/hosts data into LDIF:

{{{
[root@cent3 migration]# ./migrate_hosts.pl /etc/hosts > hosts.ldif
dn: cn=localhost.localdomain,ou=Hosts,dc=samjung,dc=com
objectClass: top
objectClass: ipHost
objectClass: device
ipHostNumber: 127.0.0.1
cn: localhost.localdomain
cn: localhost

dn: cn=cent3.tunelinux.pe.kr,ou=Hosts,dc=samjung,dc=com
objectClass: top
objectClass: ipHost
objectClass: device
ipHostNumber: 222.112.137.138
cn: cent3.tunelinux.pe.kr
}}}

{{{
# ldapadd -x -D 'cn=manager,dc=samjung,dc=com' -W -f hosts.ldif
}}}

Then change /etc/nsswitch.conf:

{{{
[root@cent3 migration]# grep hosts /etc/nsswitch.conf
#hosts:     db files ldap nis dns
#hosts:     files dns
hosts:      files dns ldap
}}}

Now change /etc/ldap.conf so that hosts information can be looked up:

{{{
[root@cent3 migration]# grep hosts /etc/ldap.conf
# Multiple hosts may be specified, each separated by a
#nss_base_hosts         ou=Hosts,dc=example,dc=com?one
nss_base_hosts          ou=hosts,dc=samjung,dc=com?one
[root@cent3 migration]# getent hosts
}}}

{*} An important point discovered during testing: the order of the hosts entry in /etc/nsswitch.conf matters. The LDAP client has to resolve its own hostname, so either the dns source must come before ldap or the hostname must be listed in /etc/hosts. Otherwise you get a segmentation fault, and from then on id and every other program keeps segfaulting and the system misbehaves.

{{{
# getent hosts
127.0.0.1       localhost.localdomain localhost
Segmentation fault
}}}

[http://www.mathematik.uni-marburg.de/~gasi/Doc/install/tasks.html#ldap_client_host Reference]:

{{{
4.7.5.1 Host Resolving
(2) looping resolver - segmentation fault
The order within /etc/nsswitch.conf is important, and the ldap client code
needs to resolve its own hostname! Therefore dns must be before ldap or the
hostname must be in /etc/hosts!
}}}

== A few server and client options ==

=== Limiting searches on the server ===

sizelimit and timelimit in slapd.conf put limits on searches.

 * sizelimit : the maximum number of entries returned for a client's search request. Default 500.
 * timelimit : the maximum time spent answering a search request. Default 3600 seconds (1 hour).

=== Key options in /etc/ldap.conf ===

The main options in /etc/ldap.conf are as follows.

 * host is the LDAP server and base is the base DN.
 * {{{ssl start_tls}}} is the option to set when using TLS, so that communication is encrypted.
 * pam_check_host_attr restricts, per user, which hosts the user may log in to, using the host attribute.
 * pam_filter is the filter used when authenticating a user. pam_login_attribute names the attribute that must match the user's login name.
 * nss_base_xxx tells nss_ldap where to search and so reduces the load on the LDAP server. For passwd and shadow it made no difference, but for group and hosts it had to be set.

{{{
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
pam_password md5
pam_check_host_attr yes
pam_filter objectclass=posixAccount
pam_login_attribute uid
nss_base_passwd         ou=people,dc=samjung,dc=com?one
nss_base_shadow         ou=people,dc=samjung,dc=com?one
nss_base_group          ou=group,dc=samjung,dc=com?one
nss_base_hosts          ou=hosts,dc=samjung,dc=com?one
}}}

== Per-host and per-user access restrictions ==

Access can be restricted to particular hosts and users in two ways. The first specifies, for a given host, the users allowed to log in to it (users a, b and c may log in to server a); the second specifies, for a given user, the hosts that user may log in to (user a may log in to servers X, Y and Z). In practice the second is more convenient: the first requires a separate setting on every client, while the second keeps the client configuration identical everywhere and lets changes be made on the LDAP server.

=== Restricting the hosts a user may log in to (pam_check_host_attr) ===

Set pam_check_host_attr yes in /etc/ldap.conf (not /etc/openldap/ldap.conf). When adding a user, list the hosts the user may log in to in the host attribute. Specifying an IP address here did not work; the exact domain name must be given.

{{{
# test, people, samjung.com
dn: uid=test,ou=people,dc=samjung,dc=com
(middle omitted)
host: kldp.org
host: cent3.tunelinux.pe.kr
}}}

The PAM configuration does not need to change.

=== Restricting the users who may log in to a host (pam_groupdn) ===

ou=hosts must exist first:

{{{
# cat host.ldif
dn: ou=hosts, dc=samjung, dc=com
ou: hosts
objectclass: organizationalUnit
objectclass: domainRelatedObject
associatedDomain: samjung.com

# ldapadd -x -D 'cn=manager,dc=samjung,dc=com' -W -f host.ldif
}}}

Now enter the information for the host and its users. Below the cn is linux:

{{{
# cat iphost.ldif
dn: cn=linux,ou=hosts,dc=samjung,dc=com
objectClass: ipHost
objectClass: device
objectClass: extensibleObject
ipHostNumber: 192.168.0.23
cn: linux.samjung.com
cn: linux
member: uid=test,ou=people,dc=samjung,dc=com
member: uid=test2,ou=people,dc=samjung,dc=com

# ldapadd -x -D 'cn=manager,dc=samjung,dc=com' -W -f iphost.ldif
}}}

This allows only the test and test2 accounts to log in to 192.168.0.23. After loading this into LDAP, each LDAP client must be configured to use it by adding the following to /etc/ldap.conf, with the DN used above:

{{{
pam_groupdn cn=linux,ou=hosts,dc=samjung,dc=com
pam_member_attribute member
}}}

In testing, putting two pam_groupdn settings in /etc/ldap.conf did not work. Since a client never needs two of them this is not a problem: load an iphost.ldif entry into LDAP for each client, and from then on only that entry needs editing.
=== Per-user and per-host access control with NIS netgroups ===

==== References ====

 * O'Reilly, LDAP System Administration, p. 117
 * "System Access Control using LDAP backed NIS netgroup" on the Fedora Directory Server wiki: http://directory.fedora.redhat.com/wiki/Howto:netgroup

==== What NIS netgroups do ====

NIS is a Sun technology for managing many systems centrally; user accounts, groups, /etc/hosts and so on can be managed together. NIS netgroups provide the following:

 * Control of user and group login access to individual systems or groups of systems
 * Management of NFS access control lists
 * sudo command access control for users and groups
 * Remote command execution or jobs on groups of systems with dsh (distributed shell)
 * Policy-based system configuration management with cfengine

A simple example using TCP wrappers:

{{{
# /etc/hosts.deny
sshd: ALL

# /etc/hosts.allow
sshd: @sysadmin
}}}

The sysadmin netgroup above can be made up of individual hosts:

{{{
sysadmin (a.com,-,-)(b.com,-,-)
}}}

or it can contain other netgroups:

{{{
all_sysadmin sysadmin secure_clients
}}}

A triple such as (a.com,-,-) consists of host, user and NIS domain; - means the field is left out. Omitting the final NIS domain still worked with LDAP and cfengine. With this, many kinds of operation can be controlled per group of systems or per group of users, and system groups and user groups can be combined.

==== Implementing netgroups in LDAP ====

In LDAP, netgroups are implemented with the structural object class nisNetgroup. Its RDN is cn and it has two important attributes:

 * nisNetgroupTriple : specifies users, such as (,love,samjung.com), or systems, such as (cent.tunelinux.pe.kr,,samjung.com); it may hold several values.
 * memberNisNetgroup : includes other netgroups, so that large and small groups can be organized conveniently. It too may hold several values.

First create the ou. Save the following as an LDIF file and load it with ldapadd:

{{{
dn: ou=netgroup,dc=samjung,dc=com
objectClass: organizationalUnit
ou: netgroup

dn: cn=sysadmin,ou=netgroup,dc=samjung,dc=com
objectClass: nisNetgroup
objectClass: top
cn: sysadmin
description: netgroup test group
nisNetgroupTriple: (cent1.tunelinux.pe.kr,-,-)
nisNetgroupTriple: (cent2.tunelinux.pe.kr,-,-)

dn: cn=sysadmin2,ou=netgroup,dc=samjung,dc=com
objectClass: nisNetgroup
objectClass: top
cn: sysadmin2
description: netgroup test group2
memberNisNetgroup: sysadmin
memberNisNetgroup: sysadmin2

dn: cn=allusers,ou=netgroup,dc=samjung,dc=com
objectClass: nisNetgroup
objectClass: top
cn: allusers
nisNetgroupTriple: (,a,)
nisNetgroupTriple: (,b,)
description: All QA users in my organization
}}}

sysadmin groups the hosts cent1.tunelinux.pe.kr and cent2.tunelinux.pe.kr into a netgroup, and sysadmin2 uses memberNisNetgroup to group the sysadmin and sysadmin2 netgroups. nisNetgroupTriple and memberNisNetgroup can appear together in one entry. allusers groups the users a and b. As noted above, leaving the NIS domain name out caused no problems in operation.

"System Access Control using LDAP backed NIS netgroup" on the Fedora Directory Server wiki (http://directory.fedora.redhat.com/wiki/Howto:netgroup) says:

{{{
Finally to enable the netgroup query, NISDOMAIN must be defined (in /etc/sysconfig/network)
even though it is not used. This is required because the innetgr() call is used and it
requires a nisdomainname as a parameter. Once the function resolves to LDAP via
nsswitch.conf, the nisdomainname is no longer required.
}}}

After adding the needed entries, add nss_base_netgroup to /etc/ldap.conf for netgroup lookups:

{{{
nss_base_netgroup       ou=netgroup,dc=samjung,dc=com?one
}}}

So that the OS can find netgroups, configure netgroup in /etc/nsswitch.conf:

{{{
netgroup:   ldap
}}}

Use getent to look up the netgroups entered above.
{{{
# getent netgroup sysadmin
sysadmin              (cent1.tunelinux.pe.kr, , ) (cent2.tunelinux.pe.kr, , )
}}}

With this configuration, the sshd rule above allows connections only from the hosts in sysadmin.

==== Integration with PAM access control ====

Netgroups can be tied not only to TCP wrappers but also to PAM's access control. The Fedora Directory Server wiki covers this in detail. Group hosts and users as above; here users bobby and joey form the QAUsers group:

{{{
dn: cn=QAUsers,ou=Netgroup,dc=example,dc=com
objectClass: nisNetgroup
objectClass: top
cn: QAUsers
nisNetgroupTriple: (,bobby,example.com)
nisNetgroupTriple: (,joey,example.com)
description: All QA users in my organization
}}}

and hosts qa01 and qa02 form the QASystems group:

{{{
dn: cn=QASystems,ou=Netgroup,dc=example,dc=com
objectClass: nisNetgroup
objectClass: top
cn: QASystems
nisNetgroupTriple: (qa01,,example.com)
nisNetgroupTriple: (qa02,,example.com)
description: All QA systems on our network
}}}

In PAM, /etc/security/access.conf specifies which hosts and users may log in depending on the origin address; see the PAM documentation for details. In access.conf a NIS netgroup is written as @netgroupname. Combining a user netgroup with a host netgroup, rather than using just a hostname or just a username, is what makes this convenient. The following lets QAUsers log in to QASystems from the 10.x.x.x network:

{{{
+ : @QAUsers@@QASystems : 10.
}}}

The following allows root only locally, allows the Admins netgroup from the 10.x network, and denies everyone else:

{{{
+ : root : LOCAL
+ : @Admins : 10.
- : ALL : ALL
}}}

==== Use in cfengine ====

cfengine automates all kinds of system tasks; see its own documentation: http://www.cfengine.org/docs/cfengine-Reference.html#groups. NIS netgroups are referenced with the + or +@ prefix. The useful part here is netgroup except.
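To make the netgroup and access.conf mechanics above concrete, here is an added Python example (not from the page or the Fedora wiki): it parses nisNetgroup LDIF entries, expands memberNisNetgroup recursively while guarding against the sysadmin2 self-reference shown above, and evaluates access.conf rules such as `+ : @QAUsers@@QASystems : 10.` as a simplified model of pam_access. The LDIF and the rules are constructed samples, and samjung.com as the NIS domain is an assumption.

```python
import re

# Constructed sample LDIF (not a dump of the page's server) following the
# nisNetgroup entries above; sysadmin2 lists itself on purpose, as on the page.
# Using samjung.com as the NIS domain is an assumption.
NETGROUP_LDIF = """\
dn: cn=sysadmin,ou=netgroup,dc=samjung,dc=com
objectClass: nisNetgroup
cn: sysadmin
nisNetgroupTriple: (cent1.tunelinux.pe.kr,-,-)
nisNetgroupTriple: (cent2.tunelinux.pe.kr,-,-)

dn: cn=sysadmin2,ou=netgroup,dc=samjung,dc=com
objectClass: nisNetgroup
cn: sysadmin2
memberNisNetgroup: sysadmin
memberNisNetgroup: sysadmin2

dn: cn=QAUsers,ou=netgroup,dc=samjung,dc=com
objectClass: nisNetgroup
cn: QAUsers
nisNetgroupTriple: (,bobby,samjung.com)
nisNetgroupTriple: (,joey,samjung.com)

dn: cn=QASystems,ou=netgroup,dc=samjung,dc=com
objectClass: nisNetgroup
cn: QASystems
nisNetgroupTriple: (qa01,,samjung.com)
nisNetgroupTriple: (qa02,,samjung.com)
"""
# access.conf rules from the text above; Admins is deliberately left undefined.
ACCESS_CONF = """\
+ : @QAUsers@@QASystems : 10.
+ : root : LOCAL
+ : @Admins : 10.
- : ALL : ALL
"""

def parse_netgroup_ldif(text):
    """cn -> {"triples": [(host, user, domain), ...], "members": [cn, ...]}."""
    groups = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        cn, entry = None, {"triples": [], "members": []}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip()
            if key == "cn":
                cn = value
            elif key == "nisNetgroupTriple":
                parts = tuple(p.strip() for p in value.strip("()").split(","))
                if len(parts) == 3:
                    entry["triples"].append(parts)
            elif key == "memberNisNetgroup":
                entry["members"].append(value)
        if cn:
            groups[cn] = entry
    return groups

def expand(groups, name, seen=None):
    """Triples of a netgroup including memberNisNetgroup members; `seen` stops cycles."""
    seen = set() if seen is None else seen
    if name in seen or name not in groups:      # cycle (sysadmin2 -> sysadmin2) or unknown
        return []
    seen.add(name)
    triples = list(groups[name]["triples"])
    for member in groups[name]["members"]:
        triples.extend(expand(groups, member, seen))
    return triples

def in_netgroup(groups, name, host=None, user=None):
    """innetgr()-style test: an empty triple field is a wildcard, '-' matches nothing."""
    ok = lambda field, value: value is None or (field != "-" and field in ("", value))
    return any(ok(h, host) and ok(u, user) for h, u, _domain in expand(groups, name))

def _user_matches(groups, spec, user, local_host):
    if spec == "ALL":
        return True
    if not spec.startswith("@"):
        return spec == user
    user_ng, _, host_ng = spec[1:].partition("@@")  # @users or @users@@hosts
    return in_netgroup(groups, user_ng, user=user) and (
        not host_ng or in_netgroup(groups, host_ng, host=local_host))

def _origin_matches(groups, spec, origin):
    if spec == "ALL" or (spec == "LOCAL" and "." not in origin):
        return True  # pam_access: LOCAL is an origin without a dot (tty, local host)
    if spec.startswith("@"):
        return in_netgroup(groups, spec[1:], host=origin)
    return origin.startswith(spec) if spec.endswith(".") else spec == origin

def check_access(access_conf, groups, user, local_host, origin):
    """Like pam_access (EXCEPT not modelled): first matching rule decides, no match means allow."""
    for raw in access_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            perm, users, origins = (p.strip() for p in line.split(":", 2))
            if any(_user_matches(groups, u, user, local_host) for u in users.split()) \
                    and any(_origin_matches(groups, o, origin) for o in origins.split()):
                return perm == "+"
    return True
```

Because pam_access allows when nothing matches, a rule set without the final `- : ALL : ALL` is permissive for everyone the earlier lines do not mention.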
Below, testgroup includes mynetgroup; to exclude particular hosts from mynetgroup, list them with a - prefix.

{{{
groups:
   science = ( +science-allhosts )
   physics = ( +physics-allhosts )
   physics_theory = ( +@physics-theory-sun4 dirac feynman schwinger )
   testgroup = ( +mynetgroup -specialhost -otherhost )
}}}

==== Notes ====

===== On host names =====

A host that is not registered in DNS still works the same way as long as it is in the LDAP hosts.

===== Adding or changing nisNetgroupTriple =====

One problem came up in actual use. Trying to add a nisNetgroupTriple gives the error "additional info: modify/add: nisNetgroupTriple: no equality matching rule". In the attribute definition nisNetgroupTriple has no matching rule, which seems to be the cause. Not a good approach, but I tried adding EQUALITY and SYNTAX to the schema; it did not work properly.

{{{
# cat mod.txt
dn: cn=sysadmin2,ou=netgroup,dc=samjung,dc=com
changetype: modify
add: nisNetgroupTriple
nisNetgroupTriple: (cent2.tunelinux.pe.kr,,)

# ldapmodify -D "cn=manager,dc=samjung,dc=com" -W -x -v -f mod.txt
ldap_initialize( )
add nisNetgroupTriple:
        (cent2.tunelinux.pe.kr,,)
modifying entry "cn=sysadmin2,ou=netgroup,dc=samjung,dc=com"
modify complete
ldap_modify: Inappropriate matching (18)
        additional info: modify/add: nisNetgroupTriple: no equality matching rule
}}}

The nisNetgroupTriple attributetype:

{{{
attributetype ( 1.3.6.1.1.1.1.13 NAME 'memberNisNetgroup'
        EQUALITY caseExactIA5Match
        SUBSTR caseExactIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple'
        DESC 'Netgroup triple'
        SYNTAX 1.3.6.1.1.1.0.0 )
}}}

nisNetgroupTriple values can be entered when the entry is created, and with a single value the entry can still be modified or deleted, but a second or further value cannot be added afterwards. This appears to be caused by the missing matching rule; in that case the DN has to be deleted and added again as a new entry.

=== Which access-restriction method is best? ===

Specifying the users allowed on each host (the pam_groupdn and pam_member_attribute settings) is inconvenient because every client's configuration differs. pam_check_host_attr, or NIS netgroups in LDAP, is easier to manage. Consider the pros and cons of each.

With pam_check_host_attr, each user carries the list of hosts that user may log in to. Everything is managed in LDAP and nothing beyond pam_check_host_attr in /etc/ldap.conf is needed, so the setup is simple. But once the number of systems and users grows it becomes unwieldy without a dedicated management tool.

With NIS the setup is a bit more complex, but groups can be made per user and per system and adjusted as needed. /etc/security/access.conf does not differ from system to system; the same content can be shared by all systems, and adjustments for particular groups are made through LDAP. The one drawback is that nisNetgroupTriple values can only be entered at creation: with a single value modify and delete work, but a second or further value cannot be added. This appears to be caused by the matching rule, and the DN then has to be deleted and re-added. Despite that inconvenience, this gives the strongest access control using only built-in features, and the NIS netgroups can also be used from other programs such as cfengine.

== User management program: cpu ==

Users can be modified with the passwd program, but creating users requires either loading an LDIF file directly, the cpu program, or an LDAP administration tool. cpu is convenient for managing user accounts and groups.

 * http://cpu.sourceforge.net/ : download the latest version
 * The cpu RPM can also be downloaded from rpmfind; there is an [ftp://rpmfind.net/linux/dag/redhat/el4/en/i386/dag/RPMS/cpu-1.4.3-0.2.el4.rf.i386.rpm RPM built for RHEL4]. The cpu binary installed by this RPM is executable by other users as well, so restrict it to root:

{{{
[root@cent3 migration]# ll /usr/sbin/cpu
-rwxr-xr-x  1 root root 12127 Feb 17  2005 /usr/sbin/cpu
[root@cent3 migration]# chmod 700 /usr/sbin/cpu
}}}

Building from source requires openldap-devel:

{{{
./configure --prefix=/usr/local/cpu
make
make install
}}}

The program is now installed under /usr/local/cpu.
{{{
# grep samjung /usr/local/cpu/etc/cpu.conf
BIND_DN = cn=Manager,dc=samjung,dc=com
USER_BASE = ou=People,dc=samjung,dc=com
GROUP_BASE = ou=Group,dc=samjung,dc=com
}}}

Change the DNs as above.

{{{
#HASH = "md5"
HASH = "crypt"
}}}

Change HASH from md5 to crypt. The root password from slapd.conf goes in here:

{{{
BIND_PASS = xxxx
MAX_UIDNUMBER = 10000
MIN_UIDNUMBER = 1000
MAX_GIDNUMBER = 10000
MIN_GIDNUMBER = 1000
}}}

Change MIN_UIDNUMBER and MIN_GIDNUMBER from 100 to suitable values.

{{{
# /usr/local/cpu/sbin/cpu useradd test
# /usr/local/cpu/sbin/cpu userdel test
$ /usr/local/cpu/sbin/cpu usermod -p test2

[root@localhost openldap]# id test
uid=1001(test) gid=1001(test) groups=1001(test)
[root@localhost openldap]# /usr/local/cpu/sbin/cpu groupmod -g 1005 test
Group test successfully modified!
[root@localhost openldap]# id test
uid=1001(test) gid=1001 groups=1001,1005(test)
[root@localhost openldap]# /usr/local/cpu/sbin/cpu groupmod -n test222 test
Group test222 successfully modified!
[root@localhost openldap]# id test
uid=1001(test) gid=1001 groups=1001,1005(test222)
}}}

For convenience add it to the path:

{{{
export PATH=$PATH:/usr/local/cpu/sbin
export MANPATH=$MANPATH:/usr/local/cpu/man
man cpu-ldap
}}}

cpu cat lists all users and groups:

{{{
[root@cent ~]# cpu cat
User Accounts
ldaptest:x:1001:1001::/home/ldaptest:/bin/bash
ldap2:x:1000:1002::/home/ldap2:/bin/bash
Group Entries
webdev:x:2000:
test:x:1000:
ldaptest:x:1001:
ldap2:x:1002:
}}}

Change a user's password:

{{{
[root@cent ~]# cpu usermod -p ldaptest
}}}

For manageability it is better to create the needed groups first and then add users to them. By default a group with the same name is created when a user is created, so it is better to specify the group with -g at creation time; alternatively change the group after creating the user.
{{{
[root@cent3 openldap]# cpu useradd -g test5 ilove
[root@cent3 openldap]# cpu usermod -g test ilove
}}}

== nfs and autofs setup ==

nfs and autofs are only needed when home directories are to be mounted automatically from a file server when the user logs in.

=== nfs server setup ===

{{{
# cat /etc/exports
/tmp 192.168.0.0/255.255.255.0(rw,sync)
# /etc/init.d/nfs start
}}}

=== autofs setup ===

auto.master is the main file; it specifies the mount points and the detailed map file for each. Below, access to the /home directory consults /etc/auto.home, and auto.home mounts the matching directory of the NFS export 192.168.0.24:/tmp whenever any subdirectory of /home (*) is accessed.

{{{
# cat /etc/auto.master
/home   /etc/auto.home --timeout=5

# cat /etc/auto.home
*       -rw,soft,intr   192.168.0.24:/tmp/&
}}}

Setting up automount to share the home directories (autofs must already be set up):

{{{
# cat auto.master.ldif
dn: ou=auto.master,dc=samjung,dc=com
objectClass: top
objectClass: automountMap
ou: auto.master

dn: cn=/home,ou=auto.master,dc=samjung,dc=com
objectClass: automount
cn: /home
automountInformation: ldap:ou=auto.home,dc=samjung,dc=com

# ldapadd -x -D 'cn=manager,dc=samjung,dc=com' -W -f auto.master.ldif
Enter LDAP Password:
adding new entry "ou=auto.master,dc=samjung,dc=com"
adding new entry "cn=/home,ou=auto.master,dc=samjung,dc=com"

# cat auto.home.ldifc
dn: ou=auto.home,dc=samjung,dc=com
objectClass: top
objectClass: automountMap
ou: auto.home

dn: cn=/,ou=auto.home,dc=samjung,dc=com
objectClass: automount
cn: *
automountInformation: 192.168.0.24:/tmp/&

# ldapadd -x -D 'cn=manager,dc=samjung,dc=com' -W -f auto.home.ldifc
Enter LDAP Password:
adding new entry "ou=auto.home,dc=samjung,dc=com"
adding new entry "cn=test,ou=auto.home,dc=samjung,dc=com"
}}}

With this in place, /etc/auto.master can be changed to take the map from LDAP:

{{{
# cat /etc/auto.master
#/home  /etc/auto.home --timeout=5
/home   ldap:192.168.0.23:ou=auto.home,dc=samjung,dc=com --timeout=5
}}}

== Integrating applications with LDAP ==

=== Setting up e-mail clients such as Outlook ===

The user information entered above under ou=people,dc=samjung,dc=com can be used from the address books of Outlook, Thunderbird and others.

==== Outlook ====

In Outlook Express go to Tools -> Accounts and choose Directory Service. Give the directory service account a name that is easy to find. Enter the LDAP server in the server name. For "login required", use the ldaptest account created above: the login name is uid=ldaptest,ou=people,dc=samjung,dc=com and the password is that account's password. I have not worked out "log on using secure password authentication". Under Advanced, enter the search base: ou=people,dc=samjung,dc=com. Now in Outlook Express choose Addresses -> Find People, select the LDAP directory and enter the search criteria.

==== Thunderbird ====

In Thunderbird add a directory service under Account Settings -> Addressing -> Edit Directories. Give it a name that is easy to find. Enter the LDAP server in the host name. In Base DN enter ou=people,dc=samjung,dc=com, the DN the search starts from. The port number is the LDAP port. Bind DN applies when authentication is used: uid=ldaptest,ou=people,dc=samjung,dc=com; the password is entered when connecting.

==== Notes ====

Because the current default configuration grants read access to other users as well, the address book can be searched even without "login required" in Outlook or a Bind DN in Thunderbird. This should be handled with an ACL in the LDAP server configuration. Note that the e-mail clients are read-only, and having to search before use is a little inconvenient.

==== Web address-book program ====

 * See the file /usr/share/doc/labe-3.3/README. It says to create the suffix and rootdn first and restart the ldap daemon; the schema addition below is also mentioned there.
 * Download from http://sourceforge.net/projects/labe/ and install. Configuration is simple if you understand LDAP. The RPM installs the web application in /var/www/html/labe/, and setup.sh asks the necessary questions. For reasons I do not know, the schema used by labe has to be added manually in /etc/openldap/slapd.conf; it does not seem to happen automatically.
{{{
include /etc/openldap/schema/extension.schema
}}}
/etc/labe/connect.conf is the configuration file for the LDAP connection; it holds the server address, port, bind and rootdn information and is generated by running the setup script above.

==== Restricting the web address book to authenticated users with ACLs ====
Changing the configuration as below, so that the default access is none and only users (entries whose DN exists and who presented a password) get read access, means a client has to authenticate before it can connect. The ACL part needs a closer look later.
{{{
access to attr=userPassword
        by self write
        by anonymous auth
        by dn="cn=manager,dc=samjung,dc=com" write
        by * compare

access to *
        by self write
        by dn="cn=manager,dc=samjung,dc=com" write
        by users read
}}}
Without "by users read" above, other information cannot be seen either. The O'Reilly book and other sources mention "defaultaccess none", but as OpenLDAP versions moved on the default behaviour seems to have changed to deny when no ACL is configured.

=== Using LDAP for Apache authentication ===
* Only the integration itself is described briefly.
* [http://httpd.apache.org/docs/2.0/ko/mod/mod_auth_ldap.html LDAP authentication in Apache], the relevant part of the official Apache documentation (Korean translation).
* Use it in .htaccess as below. A detailed setup needs further study of the manual; here only the manual's example was implemented. Change the dc=samjung,dc=com part as appropriate.
{{{
[joon@localhost moniwiki]$ cat .htaccess
AuthType Basic
AuthName "joon wiki system"
AuthLDAPURL ldap://localhost:389/ou=people,dc=samjung,dc=com?uid?sub?(objectClass=*)
require valid-user
}}}

=== Samba and LDAP integration ===
I tried the site http://aput.net/~jheiss/samba/ldap.shtml found through a Google search, but it did not work well. It looked like it would take time, so I skipped it.

== Encrypted communication with TLS in LDAP ==
References:
* http://www.openldap.org/doc/admin23/tls.html
* Centralize user accounts with OpenLDAP: http://www-128.ibm.com/developerworks/library/l-openldap/index.html

=== Authentication mechanisms ===
LDAPv3 supports several mechanisms for client authentication.
* anonymous authentication
* simple authentication
* simple authentication over SSL/TLS
* Simple Authentication and Security Layer (SASL)

There are two ways to use SSL/TLS. Rather than LDAP over SSL (ldaps, TCP port 636), it is better to use the StartTLS LDAP extended operation. StartTLS makes TLS available over TCP port 389 (the LDAP port): depending on what the client requests, the server handles both encrypted and unencrypted sessions on the same port.

=== Creating certificates ===
If there is no root CA yet, create one first. Adjust the details to your system; the Common Name is the hostname of the server.
{{{
# cd /usr/share/ssl/misc
# ./CA -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
............................................................++++++
.++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [KO]:
State or Province Name (full name) [gurogu]:
Locality Name (eg, city) [seoul]:
Organization Name (eg, company) [Samjung dataservice]:
Organizational Unit Name (eg, section) [ITservice]:
Common Name (eg, your name or your server's hostname) [cent3.tunelinux.pe.kr]:
Email Address [joon@sds.co.kr]:
}}}
(The 1024-bit RSA key shown in this transcript is the tool's default of the time; on a current system use at least 2048 bits.)

Now generate the certificate signing request (CSR) for the LDAP server. The private key is written to slapd-key.pem and slapd-req.pem is the CSR. The -nodes option is used so that no passphrase has to be entered when the LDAP server is stopped and started.
{{{
openssl req -new -nodes -keyout slapd-key.pem -out slapd-req.pem -days 365
}}}
Now sign the request with the root CA created above.
{{{
openssl ca -out slapd-cert.pem -infiles slapd-req.pem
}}}
Move the generated certificates to the proper directories. The CA certificate goes in /etc/openldap/cacerts, but if slapdcert.pem (below) is also placed in that directory, TLS does not work properly, apparently because that directory is where the CA certificates are looked up. I do not know the exact reason, but it works when the server certificate is kept in a different directory, so just be careful about that.
{{{
# cp -p slapd-key.pem /etc/openldap/slapdkey.pem       -> private key
# cp -p slapd-cert.pem /etc/openldap/slapdcert.pem     -> certificate
# chown ldap:ldap /etc/openldap/slapdcert.pem
# chmod 644 /etc/openldap/slapdcert.pem
# chown ldap:ldap /etc/openldap/slapdkey.pem
# chmod 400 /etc/openldap/slapdkey.pem
# cp /usr/share/ssl/misc/demoCA/cacert.pem /etc/openldap/cacerts/cacert.pem   -> CA certificate
# chown ldap:ldap /etc/openldap/cacerts/cacert.pem
# chmod 644 /etc/openldap/cacerts/cacert.pem
}}}
Since this is tedious, the same commands are repeated below in a form that can be copied and pasted.
{{{
cp slapd-key.pem /etc/openldap/slapdkey.pem
cp slapd-cert.pem /etc/openldap/slapdcert.pem
chown ldap:ldap /etc/openldap/slapdcert.pem
chmod 644 /etc/openldap/slapdcert.pem
chown ldap:ldap /etc/openldap/slapdkey.pem
chmod 400 /etc/openldap/slapdkey.pem
cp /usr/share/ssl/misc/demoCA/cacert.pem /etc/openldap/cacerts/cacert.pem
chown ldap:ldap /etc/openldap/cacerts/cacert.pem
chmod 644 /etc/openldap/cacerts/cacert.pem
}}}
Add the following to the LDAP server configuration (slapd.conf), in the global section.
{{{
TLSCipherSuite HIGH:MEDIUM:+SSLv2                        -> openssl ciphers
TLSCACertificateFile /etc/openldap/cacerts/cacert.pem    -> CA certificate
TLSCertificateFile /etc/openldap/slapdcert.pem           -> certificate
TLSCertificateKeyFile /etc/openldap/slapdkey.pem         -> private key
}}}
Note that +SSLv2 in TLSCipherSuite re-enables the obsolete and insecure SSLv2 cipher suites; on any current system leave it out.

On the LDAP server, add the following to /etc/openldap/ldap.conf.
{{{
TLS_CACERTDIR /etc/openldap/cacerts
#TLS_REQCERT allow
}}}
TLS_REQCERT controls how the server certificate is checked in a TLS session. With allow, the session proceeds even if the server certificate is missing or invalid.
Setting TLS_REQCERT to demand requests the server certificate and terminates the session immediately if the certificate is missing or invalid (see man ldap.conf). Stop and restart the LDAP server.

Now configure the LDAP client by adding the following to /etc/ldap.conf. cacert.pem must first be copied to the client system.
{{{
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/cacert.pem
}}}
tls_checkpeer requires a server certificate and verifies it (see the comments in the configuration file). Note that if you use authconfig for the client setup, it writes {{{tls_cacertdir /etc/openldap/cacerts}}} instead. You can either point at the file directly with tls_cacertfile as above, or put the certificate in /etc/openldap/cacerts, where authconfig automatically runs the c_rehash utility to create a hash-named symbolic link to the certificate file in that directory.
{{{
# ls -alF /etc/openldap/cacerts
total 16
drwxr-xr-x  2 root root 4096 Jan  4 13:15 ./
drwxr-xr-x  4 root root 4096 Jan  4 13:18 ../
-rw-r--r--  1 root root 1346 Jan  4 13:15 cacert.pem
lrwxrwxrwx  1 root root   10 Jan  4 13:14 cc9fe289.0 -> cacert.pem
}}}
Use whichever you prefer; if you use authconfig, the automatically generated tls_cacertdir option is fine.

== Implementing replication ==
=== Caveats ===
OpenLDAP is fundamentally a single-master replication system: updates are made only on the master and the remaining servers are read-only. Current OpenLDAP does not support multi-master. There are two replication methods, the older slurpd and the more recently supported LDAP Sync Replication; only slurpd was tested here. In a test where the LDAP server on the slave was stopped, replication resumed normally once the slave came back, even after a short network or similar problem. But since this was only a simple test lasting a few minutes, it is hard to judge reliability from it alone. Note, however, that when the connection is down because of a network problem, new values entered on the master are not automatically propagated to the slave even after the connection is restored.
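Because of the caveat just described (a slurpd replica can silently fall behind after a network outage), an added example, not part of the original page, of checking a replica against its master: dump both servers with slapcat -l, then compare the dumps after folding continuation lines and stripping the per-server operational attributes. The two LDIF dumps embedded below are constructed for the example and use the page's dc=samjung,dc=com suffix.

```sh
ldif_normalize() {
    # Join folded lines, drop operational attrs, emit "dn<TAB>attr: value"
    awk '
        function flush() {
            if (buf == "") return
            if (buf ~ /^dn: /) dn = substr(buf, 5)
            else if (buf !~ /^(entryCSN|entryUUID|contextCSN|createTimestamp|creatorsName|modifyTimestamp|modifiersName|structuralObjectClass): /)
                print dn "\t" buf
            buf = ""
        }
        /^ / { buf = buf substr($0, 2); next }   # folded continuation line
        { flush(); buf = $0 }
        END { flush() }
    ' "$1" | sort
}

# Prints attribute-level differences in diff syntax; exit status is 0 when
# master and replica agree and 1 when the replica is out of sync.
ldif_replica_diff() {
    m=$(mktemp) && r=$(mktemp) || return 2
    ldif_normalize "$1" > "$m"
    ldif_normalize "$2" > "$r"
    diff "$m" "$r"
    status=$?
    rm -f "$m" "$r"
    return $status
}

# Constructed sample dumps: the replica still carries an old gidNumber
# (values are made up), while entryCSN/modifyTimestamp differences are ignored.
MASTER_LDIF=$(mktemp); REPLICA_LDIF=$(mktemp)
cat > "$MASTER_LDIF" <<'EOF'
dn: uid=ilove,ou=people,dc=samjung,dc=com
objectClass: posixAccount
uid: ilove
uidNumber: 1005
gidNumber: 1001
homeDirectory: /home/ilove
entryCSN: 20070104075722Z#000001#00#000000
modifyTimestamp: 20070104075722Z
EOF
cat > "$REPLICA_LDIF" <<'EOF'
dn: uid=ilove,ou=people,dc=samjung,dc=com
objectClass: posixAccount
uid: ilove
uidNumber: 1005
gidNumber: 1005
homeDirectory: /home/ilove
entryCSN: 20070104075720Z#000001#00#000000
modifyTimestamp: 20070104075720Z
EOF
ldif_replica_diff "$MASTER_LDIF" "$REPLICA_LDIF" || echo "replica is out of sync"
```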
=== LDAP Sync Replication ===
LDAP Sync Replication is consumer-side replication: a replica can be created without changing the configuration of the master (provider) server or restarting it, which is convenient. It seems to have several advantages over slurpd, but the openldap 2.2 series installed by default on RHEL and CentOS 4.4 has a few constraints that make it awkward to use in practice. If the feature is needed it could presumably be handled by building from source, but I did not test it further since I did not need it urgently. There are some differences and constraints between implementing it on 2.2 and on 2.3.
{{{
http://www.openldap.org/doc/admin22/syncrepl.html (openldap 2.2 manual)
While slapd (8) can function as the LDAP Sync provider only when it is configured with either back-bdb or back-hdb backend, the syncrepl engine, which is a consumer-side replication engine, can work with any backends.

http://www.openldap.org/doc/admin23/syncrepl.html (openldap 2.3 manual)
The syncrepl engine, which is a consumer-side replication engine, can work with any backends. The LDAP Sync provider can be configured as an overlay on any backend, but works best with the back-bdb or back-hdb backend. The provider can not support refreshAndPersist mode on back-ldbm due to limits in that backend's locking architecture.
}}}
In 2.2 the master server needs the back-bdb or back-hdb backend, while the slave has no backend restriction. In the rpm package back-bdb did not work, and support for it seems to be missing. 2.3 has no such restriction, although it still recommends back-bdb or back-hdb as the backend. The configuration also differs slightly; refer to the manual.
=== Implementation order ===
* Stop the slapd daemon on the master server
* Configure slapd.conf on the master server
* Copy the master server's data to the slave and load it into the slave server (this assumes the slave server is down; the detailed configuration follows)
* Configure slapd.conf on the slave server
* Start slapd on the slave server
* Start slapd on the master server
* Start slurpd on the master server (on CentOS, if a replica configuration is present, the init script starts slapd and slurpd together)

=== Master server configuration ===
On the master server add the following to /etc/openldap/slapd.conf.
{{{
replogfile /var/lib/ldap/openldap-master-replog
replica uri=ldap://cent.tunelinux.pe.kr:389
        suffix="dc=samjung,dc=com"
        binddn="cn=replica,dc=samjung,dc=com"
        credentials=xxxx
        bindmethod=simple
        tls=yes
}}}
replogfile is the file in which slapd on the master records changes; slurpd reads it and sends the changes to the slave servers. Each slave server is specified with a replica directive.
* uri : slave server and port
* suffix : suffix
* binddn : must match updatedn in the slave server's slapd.conf. The slave uses this identity to record the changes coming from the master. It is naturally better to make it different from the master's rootdn.
* bindmethod is used for communicating with the slave; simple or sasl can be chosen. simple is used here, and credentials is the password for binding to the slave server, i.e. the one set on the slave server.
* tls encrypts the traffic between master and slave.
* To move the data from the master to the slave, stop the LDAP server and export it in LDIF form with slapcat. On the replica (slave), restore the data with slapadd; slapd.conf must already be configured at that point.
{{{
root@master# slapcat -b "dc=samjung,dc=com" -l contents.ldif
... copy contents.ldif to the slave.
root@replica# slapadd -l contents.ld
}}}

=== Slave server configuration ===
{{{
> rootdn "cn=replica,dc=samjung,dc=com"
> rootpw {SSHA}IgT24XXXXEGN9aaLhBduKPJCp
> updatedn "cn=replica,dc=samjung,dc=com"
> updateref ldap://cent3.tunelinux.pe.kr
}}}
* updatedn : must match the master server's configuration. updatedn must have write access to the data.
* updateref : the URL that tells clients where the master directory server is; a client that sends an update request is referred to the master.

=== Behaviour under replication ===
On the clients, list both the master and the slave server in host in /etc/ldap.conf. Through updateref, the slave refers update requests it receives to the master server. For example, a user under people as set up above may change their own password; if they change it on the slave server, the request goes to the master, the master applies the update, and the change is then synchronised back to the slave. The rootdn, however, operated directly.

== Miscellaneous ==
=== GUI tools ===
* http://ldapadmin.sourceforge.net/ : a free Windows program (GPL) for searching and editing LDAP; in actual use it is convenient. Moving and copying users and adding several users to a group are possible from the GUI.
* There are also phpLDAPadmin (PHP), LDAP Account Manager (LAM, PHP) and LDAP Browser (Java), but they are inconvenient to use.
* LDAP Account Manager: lam.sourceforge.net, web-based account creation and management
* phpLDAPadmin: phpldapadmin.sourceforge.net
* LDAP Browser: www-unix.mcs.anl.gov/~gawor/ldap

=== Checking logs ===
Set loglevel in slapd.conf. 296 = 256 (log connections/operations/results) + 32 (search filter processing) + 8 (connection management).
{{{
loglevel 256
}}}
LDAP logs to the LOG_LOCAL4 facility, so add the following to /etc/syslog.conf. LDAP can also be logged to a separate file of its own, in which case that file must be rotated regularly.
{{{
# grep local4 /etc/syslog.conf
local4.*        /var/log/messages
}}}
syslogd must then be restarted. The openldap documentation covers the log levels, but had no detailed explanation of how to analyse the resulting log. Since the mechanism is presumably similar, the Red Hat Directory Server manual can be consulted instead: see Chapter 5, Access Log and Connection Code Reference, in the Configuration, Command, and File Reference of the [http://www.redhat.com/docs/manuals/dir-server/ Red Hat Directory Server manual].
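At loglevel 256 each connection produces an ACCEPT line (source IP), one BIND line per bind attempt (DN) and a RESULT line with the error code. As an added example, not part of the original page, the shell function below reads such syslog lines and counts failed binds (err=49, invalidCredentials) per source IP and DN; the lines in SAMPLE_LOG are constructed, with IPs and DNs following this page's setup.

```sh
ldap_failed_binds() {
    awk '
        # ACCEPT: remember the source IP of each connection (IPv4 assumed)
        /ACCEPT from IP=/ {
            match($0, /conn=[0-9]+/); c = substr($0, RSTART + 5, RLENGTH - 5)
            match($0, /from IP=[0-9.]+/); ip[c] = substr($0, RSTART + 8, RLENGTH - 8)
        }
        # BIND: remember which DN each (conn, op) tried to bind as
        / BIND dn=/ {
            match($0, /conn=[0-9]+ op=[0-9]+/); key = substr($0, RSTART, RLENGTH)
            match($0, /dn="[^"]*"/); dn[key] = substr($0, RSTART + 4, RLENGTH - 5)
        }
        # RESULT err=49 for an operation we saw a BIND for is a failed login
        / RESULT / && / err=49 / {
            match($0, /conn=[0-9]+ op=[0-9]+/); key = substr($0, RSTART, RLENGTH)
            if (key in dn) {
                match($0, /conn=[0-9]+/); c = substr($0, RSTART + 5, RLENGTH - 5)
                fails[ip[c] " " dn[key]]++
            }
        }
        END { for (k in fails) print fails[k], k }
    ' | sort -rn
}

# Constructed sample (loglevel 256 via syslog): two bad passwords for
# ldaptest from 192.168.0.50, one for cn=manager from 192.168.0.77, and
# one successful replica bind from the slave at 192.168.0.24.
SAMPLE_LOG='Jan  4 13:20:01 cent3 slapd[2210]: conn=12 fd=14 ACCEPT from IP=192.168.0.50:40122 (IP=0.0.0.0:389)
Jan  4 13:20:01 cent3 slapd[2210]: conn=12 op=0 BIND dn="uid=ldaptest,ou=people,dc=samjung,dc=com" method=128
Jan  4 13:20:01 cent3 slapd[2210]: conn=12 op=0 RESULT tag=97 err=49 text=
Jan  4 13:20:02 cent3 slapd[2210]: conn=12 op=1 BIND dn="uid=ldaptest,ou=people,dc=samjung,dc=com" method=128
Jan  4 13:20:02 cent3 slapd[2210]: conn=12 op=1 RESULT tag=97 err=49 text=
Jan  4 13:20:05 cent3 slapd[2210]: conn=13 fd=15 ACCEPT from IP=192.168.0.24:51004 (IP=0.0.0.0:389)
Jan  4 13:20:05 cent3 slapd[2210]: conn=13 op=0 BIND dn="cn=replica,dc=samjung,dc=com" method=128
Jan  4 13:20:05 cent3 slapd[2210]: conn=13 op=0 RESULT tag=97 err=0 text=
Jan  4 13:20:09 cent3 slapd[2210]: conn=14 fd=16 ACCEPT from IP=192.168.0.77:33010 (IP=0.0.0.0:389)
Jan  4 13:20:09 cent3 slapd[2210]: conn=14 op=0 BIND dn="cn=manager,dc=samjung,dc=com" method=128
Jan  4 13:20:09 cent3 slapd[2210]: conn=14 op=0 RESULT tag=97 err=49 text='

printf '%s\n' "$SAMPLE_LOG" | ldap_failed_binds
```

Run it against /var/log/messages (or the separate LDAP log file) to see which DNs and sources accumulate failed binds.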
That chapter explains which error codes the entries left in the log correspond to.

=== Dynamic server configuration ===
openldap 2.3 also supports the slapd.conf configuration in LDIF form, so the LDAP server's settings can be changed while it is running. [[DateTime(2007-01-04T08:01:58)]] At present the rpm in CentOS 4.4 is version 2.2.

=== Object Class Types ===
There are three object class types: Structural, Auxiliary and Abstract. One thing to watch: each entry in an LDAP directory must have only one Structural object class. (O'Reilly LDAP System Administration, page 20)

=== Access control ===
See http://www.openldap.org/doc/admin23/slapdconfig.html#Access%20Control

=== DB creation and management programs ===
* slapadd : adds data offline
* slapindex : rebuilds the indexes offline. When the index settings in slapd.conf change, the existing indexes are not updated automatically, so this is needed in that case.
* slapcat : dumps the data offline in LDIF form; convenient for backups.

=== Using nscd, the name service cache daemon ===
nscd can cache name services such as NIS and DNS; the default /etc/nscd.conf enables passwd, group and hosts. When integrating with LDAP, using nscd should give faster lookups.