
1. OpenLDAP 설치

# Install the OpenLDAP server/client stack together with Samba and the CIFS
# tools used later for the ldapsam-backed file share.
# NOTE(review): compat-openldap and openldap-servers-sql are presumably
# included "just in case" — nothing later in this guide uses them; confirm.
pkgs=(
  compat-openldap
  openldap
  openldap-servers
  openldap-clients
  openldap-servers-sql
  openldap-devel
  samba-common
  samba
  samba-client
  cifs-utils
)
yum install -y "${pkgs[@]}"

2. OpenLDAP DB 설정

# Seed the Berkeley DB tuning file from the packaged example and hand it to the
# service account; slapd runs as "-u ldap" (see the unit's ExecStart in step 4),
# so the file must be owned by ldap.
db_config=/var/lib/ldap/DB_CONFIG
cp -- /usr/share/openldap-servers/DB_CONFIG.example "$db_config"
chown ldap. "$db_config"

3. 서비스 등록

# Enable slapd at boot and start it right away in the same step.
systemctl enable --now slapd.service

4. 서비스 확인

# Show the unit state; the transcript below is what the author captured.
systemctl status slapd
● slapd.service - OpenLDAP Server Daemon
   Loaded: loaded (/usr/lib/systemd/system/slapd.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2021-06-11 16:23:18 KST; 22min ago
     Docs: man:slapd
           man:slapd-config
           man:slapd-hdb
           man:slapd-mdb
           file:///usr/share/doc/openldap-servers/guide.html
  Process: 7786 ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=0/SUCCESS)
  Process: 7757 ExecStartPre=/usr/libexec/openldap/check-config.sh (code=exited, status=0/SUCCESS)
 Main PID: 7789 (slapd)
   CGroup: /system.slice/slapd.service
           └─7789 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:///
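# Confirm slapd listens on 389 and the process is running.
# -w keeps neighbouring ports (e.g. 3389) from matching; pgrep replaces the
# ps|grep -v grep|grep chain and never matches its own command line.
netstat -nlp | grep -w 389
pgrep -a slapd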

5. OpenLDAP 구성

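# Generate the {SSHA} hash for the directory manager password.
# Without -s, slappasswd prompts for the secret, so it never shows up in
# `ps` output or the shell history (passing it on the command line does both).
# The hash printed below is pasted into chrootpw.ldif / chdomain.ldif.
slappasswd -h '{SSHA}'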
{SSHA}TuXt7LyRbmpzacWE4jjjdi8zUQNEcNYz

6. LDAP Admin 계정 생성 및 등록

# Write the LDIF that sets olcRootPW on the cn=config database.
# NOTE(review): this hash is the one published with the guide and is reused
# for the data database in chdomain.ldif — generate your own with slappasswd
# and use a different password for cn=config than for dc=test,dc=com.
cat > chrootpw.ldif <<'EOF'
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}TuXt7LyRbmpzacWE4jjjdi8zUQNEcNYz
EOF
# Apply chrootpw.ldif over the local ldapi socket. SASL EXTERNAL maps the
# caller's uid/gid 0 to the cn=config identity shown in the output below, so
# no password is needed for this first change.
ldapmodify -Y EXTERNAL -H 'ldapi:///' -f chrootpw.ldif

--output--
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"

7. LDAP 스키마(cosine.ldif, nis.ldif, inetorgperson.ldif) 추가

# Load the cosine, nis and inetorgperson schemas (useradd.ldif below relies on
# posixAccount/shadowAccount, which come with nis), in the same order as before.
for schema in cosine nis inetorgperson; do
  ldapadd -Y EXTERNAL -H ldapi:/// -f "/etc/openldap/schema/${schema}.ldif"
done

# The Samba schema ships under the package's doc directory; the version in
# the path is the one installed on the author's host and must match yours.
cp -av /usr/share/doc/samba-4.10.16/LDAP/samba.ldif /etc/openldap/schema/samba.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/samba.ldif

8. Domain 수정 작업

# Write the LDIF that re-points the default database at dc=test,dc=com, sets
# its rootdn/rootpw and ACLs, and restricts the monitor database to the local
# root identity and the manager.
# NOTE(review): olcRootPW here is the same hash chrootpw.ldif gave cn=config,
# so one password controls both the config and the data — use distinct ones.
# ACL {0} keeps userPassword/shadowLastChange private (anonymous may only
# authenticate against them, the owner may change them); ACL {2} lets anyone,
# including anonymous binds, read everything else — change `by * read` to
# `by users read` if the directory should not be world-readable.
cat > chdomain.ldif <<'EOF'
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
  read by dn.base="cn=manager,dc=test,dc=com" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=test,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=manager,dc=test,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}TuXt7LyRbmpzacWE4jjjdi8zUQNEcNYz

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
  dn="cn=manager,dc=test,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=manager,dc=test,dc=com" write by * read
EOF
# Apply chdomain.ldif as the local root identity (SASL EXTERNAL over ldapi);
# one "modifying entry" line per LDIF record is expected in the output.
ldapmodify -Y EXTERNAL -H 'ldapi:///' -f chdomain.ldif

--output--
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"

modifying entry "olcDatabase={2}hdb,cn=config"
# Write the top-level entries: the suffix itself, the manager role (it matches
# olcRootDN from chdomain.ldif and carries no userPassword — the rootpw is used
# to bind as it), and the People/Group containers.
cat > basedomain.ldif <<'EOF'
dn: dc=test,dc=com
o: test
dc: test
objectClass: top
objectClass: dcObject
objectclass: organization

dn: cn=manager,dc=test,dc=com
objectClass: organizationalRole
cn: manager
description: Directory Manager

dn: ou=People,dc=test,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=test,dc=com
objectClass: organizationalUnit
ou: Group
EOF
# Add the base entries as the manager: simple bind (-x), -W prompts for the
# rootpw set in chdomain.ldif.
# NOTE(review): no -H is given, so the URI comes from the client ldap.conf;
# if that is plain ldap:// the manager password crosses the wire unencrypted —
# on the server itself prefer `-H ldapi:///` as the earlier steps do.
ldapadd -x -W -D 'cn=manager,dc=test,dc=com' -f basedomain.ldif

9. User 생성 작업

# Write a POSIX account entry under ou=People.
# userPassword is the placeholder {crypt}x — not a usable crypt(3) hash, so
# the account cannot authenticate with a password until one is set (e.g. with
# ldappasswd as the manager). shadowLastChange is a days-since-epoch value;
# 17058 predates this guide and was presumably copied from a template — confirm.
cat > useradd.ldif <<'EOF'
dn: uid=testuser,ou=People,dc=test,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: testuser
uid: testuser
uidNumber: 1500
gidNumber: 1500
homeDirectory: /home/testuser
loginShell: /bin/bash
gecos: 
userPassword: {crypt}x
shadowLastChange: 17058
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
EOF
# Add the user as the manager (simple bind, -W prompts for the rootpw).
# NOTE(review): as with basedomain.ldif, no -H means the ldap.conf default URI;
# over plain ldap:// the manager password is sent in clear — prefer ldapi:///.
ldapadd -x -W -D 'cn=manager,dc=test,dc=com' -f useradd.ldif

10. SAMBA 세팅 (/etc/samba/smb.conf)

# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.

# Stand-alone file server. The "ldap ..." keys are inert while
# "passdb backend = tdbsam" is in effect; they only take effect once the
# ldapsam line is uncommented.
[global]
        workgroup = test.com
        security = user

        passdb backend = tdbsam
#       passdb backend = ldapsam:ldap://1.1.1.1
        ldap suffix = dc=test,dc=com
        ldap user suffix = ou=People
        ldap group suffix = ou=Group
        ldap delete dn = no
# NOTE(review): olcRootDN on the directory side is cn=manager,dc=test,dc=com
# (chdomain.ldif); "ldap admin dn" is documented as the full bind DN — confirm
# the short form is accepted. Its password is stored separately with
# `smbpasswd -w`, not in this file.
        ldap admin dn = cn=manager
# NOTE(review): with ldapsam over a plain ldap:// URL this sends the admin bind
# and password changes in clear text; use "ldap ssl = start tls" or an
# ldaps:// URL once the ldapsam backend is enabled.
        ldap ssl = no
        ldap passwd sync = yes
        printing = cups
        printcap name = cups
        load printers = yes
        cups options = raw

[homes]
        comment = Home Directories
        valid users = %S, %D%w%S
        browseable = No
        read only = No
        inherit acls = Yes

[printers]
        comment = All Printers
        path = /var/tmp
        printable = Yes
        create mask = 0600
        browseable = No

[print$]
        comment = Printer Drivers
        path = /var/lib/samba/drivers
        write list = @printadmin root
        force group = @printadmin
        create mask = 0664
        directory mask = 0775

11. slapd.conf 세팅

# Legacy slapd.conf step — edit the domain (dc=test,dc=com) inside the copied
# file afterwards.
# NOTE(review): the source is the LDIF-format template (slapd.ldif) while the
# destination is slapd.conf, which uses the slapd.conf(5) syntax; the two
# formats are not interchangeable. The live configuration is the cn=config
# tree under /etc/openldap/slapd.d shown in step 12, so confirm this copy is
# actually needed.
cp -av -- /usr/share/openldap-servers/slapd.ldif /etc/openldap/slapd.conf

12. 상태

pwd
/etc/openldap/slapd.d/cn=config

ls -ltr
total 20
-rw------- 1 ldap ldap 443 Jan 13 13:14 olcDatabase={-1}frontend.ldif
-rw------- 1 ldap ldap 378 Jan 13 13:14 cn=schema.ldif
-rw------- 1 ldap ldap 624 Jan 13 16:51 olcDatabase={0}config.ldif
drwxr-x--- 2 ldap ldap 132 Jan 13 17:44 cn=schema
-rw------- 1 ldap ldap 608 Jan 14 10:07 olcDatabase={1}monitor.ldif
-rw------- 1 ldap ldap 974 Jan 14 10:07 olcDatabase={2}hdb.ldif

13. LDAP Admin으로 관리

http://www.ldapadmin.org/download/ldapadmin.html

 


OpenLDAP 삭제

1. 서비스 중지

# Stop the daemon before the package and its database are removed.
systemctl stop slapd.service

2. 패키지 삭제

# Remove the server package (erase is yum's alias for remove); without -y,
# yum asks for confirmation, which is what the transcript below shows.
yum erase openldap-servers
Removing:
 openldap-servers

3. DB 삭제

# Destroy the directory database. Irreversible — only after slapd is stopped;
# the :? guard aborts if the path variable were ever empty.
ldap_db=/var/lib/ldap
rm -rf -- "${ldap_db:?}"

4. 계정 삭제

# Remove the ldap service account. Presumably done so a later reinstall
# recreates it from scratch — the package removal above does not delete it;
# confirm nothing else on the host (e.g. file ownership under /etc/openldap)
# still depends on the account before removing it.
userdel ldap

5. LDAP 재설치

# Full reset: stop the daemon and nscd's name-service cache, wipe every
# OpenLDAP path, then reinstall the packages so fresh defaults are laid down.
# NOTE(review): /etc/openldap also holds the client ldap.conf and any TLS
# material placed there; /usr/lib64/openldap and /usr/libexec/openldap are
# presumably package-owned, so the reinstall on the last line restores them.
systemctl stop slapd.service
systemctl stop nscd.service

for path in /var/lib/ldap /etc/openldap /run/openldap /usr/lib64/openldap /usr/libexec/openldap; do
  rm -rf -- "${path:?}"
done

yum reinstall -y openldap openldap-servers openldap-clients
