

[Linux] Installing and Configuring OpenLDAP


Installing and Configuring OpenLDAP

Installing OpenLDAP

yum install -y compat-openldap openldap openldap-servers openldap-clients

$ yum install -y compat-openldap openldap openldap-servers openldap-clients openldap-servers-sql openldap-devel

Setting up the OpenLDAP database

cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap. /var/lib/ldap/DB_CONFIG


systemctl --now enable slapd.service


$ systemctl status slapd.service
● slapd.service - OpenLDAP Server Daemon
   Loaded: loaded (/usr/lib/systemd/system/slapd.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2021-06-11 16:23:18 KST; 22min ago
     Docs: man:slapd
           man:slapd-config
           man:slapd-hdb
           man:slapd-mdb
           file:///usr/share/doc/openldap-servers/guide.html
  Process: 7786 ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=0/SUCCESS)
  Process: 7757 ExecStartPre=/usr/libexec/openldap/check-config.sh (code=exited, status=0/SUCCESS)
 Main PID: 7789 (slapd)
   CGroup: /system.slice/slapd.service
           └─7789 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:///

$ netstat -nlp | grep 389
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      23999/slapd
tcp6       0      0 :::389                  :::*                    LISTEN      23999/slapd

$ ps -ef | grep -v grep | grep slapd
ldap     23999     1  0 11:29 ?        00:00:00 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:///

Configuring OpenLDAP

Setting the OpenLDAP root user password

$ slappasswd -h {SSHA} -s ldappassword1!
{SSHA}TuXt7LyRbmpzacWE4jjjdi8zUQNEcNYz

Creating the chrootpw.ldif file

cat <<EOF > chrootpw.ldif
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}TuXt7LyRbmpzacWE4jjjdi8zUQNEcNYz
EOF
$ ldapmodify -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif

--output--
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"
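The {SSHA} value written into olcRootPW above is base64(SHA1(password || salt) || salt), which is what `slappasswd -h {SSHA}` produces. The following POSIX shell script is an added example, not code from the original post: it reproduces that scheme so an olcRootPW value can be checked against the password it is supposed to hold before it is loaded into cn=config. The function names are constructed; it assumes `openssl`, `base64`, `mktemp` and coreutils `head`/`tail` are present.

```shell
#!/bin/sh
# Added example (not from the original post): generate and verify {SSHA}
# password hashes in the format slappasswd -h {SSHA} emits.
# {SSHA}<b64> where b64 decodes to SHA1(password || salt) followed by salt.
# Assumes openssl, base64, mktemp, head and tail are available.

# ssha_hash <password> [salt]
# With no salt, 4 random bytes are used, like slappasswd does.
ssha_hash() {
    pw=$1
    tmp=$(mktemp)
    if [ -n "$2" ]; then
        printf '%s' "$2" > "$tmp"
    else
        head -c 4 /dev/urandom > "$tmp"
    fi
    # digest = SHA1(password || salt); output = base64(digest || salt)
    b64=$( { { printf '%s' "$pw"; cat "$tmp"; } | openssl dgst -sha1 -binary; cat "$tmp"; } \
           | base64 | tr -d '\n')
    rm -f "$tmp"
    printf '{SSHA}%s\n' "$b64"
}

# ssha_verify <stored-hash> <password>
# Returns 0 when the password matches the stored {SSHA} value, 1 otherwise.
ssha_verify() {
    stored=$1
    pw=$2
    case $stored in
        '{SSHA}'*) ;;
        *) return 1 ;;   # not an {SSHA} value at all
    esac
    enc=${stored#'{SSHA}'}
    tmp=$(mktemp)
    printf '%s' "$enc" | base64 -d > "$tmp" 2>/dev/null || { rm -f "$tmp"; return 1; }
    # bytes 1-20 of the decoded blob are the SHA1 digest, everything after is the salt
    want=$(head -c 20 "$tmp" | base64 | tr -d '\n')
    got=$( { printf '%s' "$pw"; tail -c +21 "$tmp"; } | openssl dgst -sha1 -binary \
           | base64 | tr -d '\n')
    rm -f "$tmp"
    [ "$want" = "$got" ]
}

# Usage (constructed values):
#   h=$(ssha_hash 'ldappassword1!')
#   ssha_verify "$h" 'ldappassword1!' && echo match
```

Because the salt is random, every `ssha_hash` call yields a different string for the same password; `ssha_verify` reads the salt back out of the stored value, so it works for any {SSHA} hash, including the one the post obtained from `slappasswd`.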

Adding the LDAP schemas (cosine.ldif, nis.ldif, inetorgperson.ldif)

$ ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif

$ ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif

$ ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

Creating the chdomain.ldif file

cat <<EOF > chdomain.ldif
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
  read by dn.base="cn=Manager,dc=4wxyz,dc=com" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=4wxyz,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=4wxyz,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}TuXt7LyRbmpzacWE4jjjdi8zUQNEcNYz

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
  dn="cn=Manager,dc=4wxyz,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=4wxyz,dc=com" write by * read
EOF
$ ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif

--output--
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

Creating the basedomain.ldif file

cat <<EOF > basedomain.ldif
dn: dc=4wxyz,dc=com
o: 4wxyz
dc: 4wxyz
objectClass: top
objectClass: dcObject
objectclass: organization

dn: cn=Manager,dc=4wxyz,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=4wxyz,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=4wxyz,dc=com
objectClass: organizationalUnit
ou: Group
EOF
$ ldapadd -x -D cn=Manager,dc=4wxyz,dc=com -W -f basedomain.ldif

Creating the useradd.ldif file

cat <<EOF > useradd.ldif
dn: uid=testuser,ou=People,dc=4wxyz,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: testuser
uid: testuser
uidNumber: 1500
gidNumber: 1500
homeDirectory: /home/testuser
loginShell: /bin/bash
gecos: Linuxuser [Admin (at) HostAdvice]
userPassword: {crypt}x
shadowLastChange: 17058
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
EOF
$ ldapadd -x -D cn=Manager,dc=4wxyz,dc=com -W -f useradd.ldif
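The chdomain.ldif above hard-codes the suffix, the Manager DN and the root password hash in several places, and the `{0}to attrs=userPassword,shadowLastChange ... by * none` rule is what keeps password hashes out of anonymous searches. The following POSIX shell script is an added example, not code from the original post: it derives the same chdomain.ldif from a DNS domain and an already hashed root password (refusing a cleartext one), and adds a check that can be run over the output of an anonymous `ldapsearch -x -LLL` after the ACL has been loaded to confirm no userPassword value is visible. Function names and the sample LDIF in the usage are constructed; `{2}hdb` is the backend index used on the CentOS 7 system in the post, and the `backend` parameter exists because newer releases use `mdb`.

```shell
#!/bin/sh
# Added example (not from the original post): generate chdomain.ldif from a
# domain name and an {SSHA} root password hash, and audit an anonymous
# ldapsearch dump for readable password hashes. Function names are constructed.

# ldap_base_dn <domain>: 4wxyz.com -> dc=4wxyz,dc=com
ldap_base_dn() {
    printf '%s' "$1" | awk -F. '{
        for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i
    }'
}

# gen_chdomain_ldif <base-dn> <rootpw-hash> [backend]
# Emits the same changes the post applies by hand, as one modify record per
# database with "-" separating the operations. backend defaults to hdb
# (CentOS 7, as in the post); pass mdb on releases that use {2}mdb.
gen_chdomain_ldif() {
    base=$1
    hash=$2
    backend=${3:-hdb}
    rootdn="cn=Manager,$base"
    case $hash in
        '{SSHA}'*|'{SHA}'*|'{CRYPT}'*) ;;
        *) echo "refusing to write a cleartext olcRootPW; use slappasswd" >&2; return 1 ;;
    esac
    cat <<EOF
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
  read by dn.base="$rootdn" read by * none

dn: olcDatabase={2}$backend,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: $base
-
replace: olcRootDN
olcRootDN: $rootdn
-
replace: olcRootPW
olcRootPW: $hash
-
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
  dn="$rootdn" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="$rootdn" write by * read
EOF
}

# audit_anonymous_dump: read LDIF on stdin (e.g. ldapsearch -x -LLL -b "$base"
# run without -D, i.e. anonymously) and fail if any userPassword value is
# present. Both "userPassword:" and the base64 form "userPassword::" match.
audit_anonymous_dump() {
    n=$(grep -ci '^userPassword:' || true)
    if [ "$n" -gt 0 ]; then
        echo "FAIL: $n userPassword value(s) readable without binding; check olcAccess {0}" >&2
        return 1
    fi
    echo "OK: no userPassword values in anonymous dump"
}

# Demo, run only when invoked as: sh this.sh demo
if [ "${1:-}" = demo ]; then
    base=$(ldap_base_dn 4wxyz.com)
    # PLACEHOLDER hash: replace with the slappasswd output
    gen_chdomain_ldif "$base" '{SSHA}REPLACE_WITH_SLAPPASSWD_OUTPUT' > chdomain.ldif
    # then: ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif
    # and:  ldapsearch -x -LLL -b "$base" | audit_anonymous_dump
fi
```

The audit is the post-deployment check for the ACL: with the `{0}` rule in place, an unauthenticated search returns the testuser entry without its userPassword attribute, so the function prints OK; if the rule was mistyped or ordered after `{2}to * ... by * read`, the hash shows up and the function fails.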

LDAP Admin

http://www.ldapadmin.org/download/ldapadmin.html
