10: 2021-06-20 (Sun) 18:24:23 iseki  |
Cur: 2022-10-19 (Wed) 11:57:17 iseki |
| | * 389-ds [#k9ce659f] | | * 389-ds [#k9ce659f] |
| - | - LDAP実装の一つ | + | - [[LDAP]] 実装の一つ |
| | + | - [[OpenLDAP]] より良いとの噂. |
| | - https://www.secioss.co.jp/389-directory-server-%E6%A7%8B%E7%AF%89%E6%89%8B%E9%A0%86-%EF%BD%9E%E5%88%9D%E7%B4%9A%E7%B7%A8%EF%BD%9E/ | | - https://www.secioss.co.jp/389-directory-server-%E6%A7%8B%E7%AF%89%E6%89%8B%E9%A0%86-%EF%BD%9E%E5%88%9D%E7%B4%9A%E7%B7%A8%EF%BD%9E/ |
| | + | - 情報が少ない! |
| | + | #br |
| | | | |
| | + | ** NSL [#cf647cf8] |
| | + | -- ds.nsl.tuis.ac.jp |
| | + | -- [[phpldapadmin>phpLDAPadmin]] |
| | + | -- デーモン:ns-lsapd |
| | #br | | #br |
| | | | |
| | # dnf update epel-release | | # dnf update epel-release |
| | # dnf module install 389-directory-server:stable/default | | # dnf module install 389-directory-server:stable/default |
| | + | |
| | + | - openldap のクライアントも入れておいた方が便利 |
| | #br | | #br |
| | | | |
| | -- NSSのデータベース用パスワードは /etc/dirsrv/slapd-[Directory server identifier]/pin.txt | | -- NSSのデータベース用パスワードは /etc/dirsrv/slapd-[Directory server identifier]/pin.txt |
| | - Create just the top suffix entry [no]: yes | | - Create just the top suffix entry [no]: yes |
| | + | - DataBase は ''/var/lib/dirsrv/slapd-[Directory server identifier] ''にできる. |
| | - [[Cockpit]] からも接続可能 | | - [[Cockpit]] からも接続可能 |
| | + | #br |
| | + | |
| | + | **** Example [#p39549e6] |
| | + | # dscreate interactive |
| | + | Install Directory Server (interactive mode) |
| | + | =========================================== |
| | + | selinux is disabled, will not relabel ports or files. |
| | + | Selinux support will be disabled, continue? [yes]: |
| | + | Enter system's hostname [altair]: ds.nsl.tuis.ac.jp |
| | + | Enter the instance name [ds]: nsl |
| | + | Enter port number [389]: |
| | + | Create self-signed certificate database [yes]: |
| | + | Enter secure port number [636]: |
| | + | Enter Directory Manager DN [cn=Directory Manager]: cn=Manager |
| | + | Enter the Directory Manager password: ******** |
| | + | Confirm the Directory Manager Password: ******** |
| | + | Enter the database suffix (or enter "none" to skip) [dc=nsl,dc=tuis,dc=ac,dc=jp]: |
| | + | Create sample entries in the suffix [no]: yes |
| | + | Do you want to start the instance after the installation? [yes]: |
| | + | Are you ready to install? [no]: yes |
| | + | Starting installation... |
| | + | Completed installation for nsl |
| | #br | | #br |
| | | | |
| | # firewall-cmd --add-service=ldaps --permanent | | # firewall-cmd --add-service=ldaps --permanent |
| | # firewall-cmd --reload | | # firewall-cmd --reload |
| | + | |
| | + | **** 起動 [#i3f71e60] |
| | + | - systemctl start dirsrv@[Directory server identifier] |
| | + | -- systemctrl start dirsrv@nsl.service |
| | + | #br |
| | | | |
| | *** check [#c4ab40fc] | | *** check [#c4ab40fc] |
| | #br | | #br |
| | *** Client [#x92900f4] | | *** Client [#x92900f4] |
| - | - [[pam_ldap]], [[nss_ldap]], [[nslcd]] | + | - [[pam_ldap]] |
| | + | - [[nss_ldap]], [[nslcd]] |
| | + | - [[sssd]] |
| | + | #br |
| | + | |
| | + | *** 属性値の変更 [#bed30db8] |
| | + | **** 変更例 [#r2f61dc3] |
| | + | - dapmodify -x -H ldap://202.26.150.51 -D cn=Manager -W -f ''change.ldif'' |
| | + | |
| | + | # cat change.ldif |
| | + | dn: cn=config |
| | + | changetype: modify |
| | + | replace: nsslapd-security |
| | + | nsslapd-security: on |
| | + | |
| | + | **** aci 内部属性の変更 [#adeb9eca] |
| | + | - 一般ユーザに userPassword の変更権限の aci内部属性を与える |
| | + | - ldapmodify -x -H ldap://202.26.150.51 -D cn=Manager -W -f ''userPass.ldif'' |
| | + | |
| | + | # cat userPass.ldif |
| | + | dn: dc=nsl,dc=tuis,dc=ac,dc=jp |
| | + | changetype: modify |
| | + | add: aci |
| | + | aci: (targetattr = "userPassword") (version 3.0; acl |
| | + | "modify own password"; allow (write) userdn = "ldap:///self";) |
| | + | |
| | + | **** ldapサーバが相手の証明書をチェックしない [#o1fd5ca1] |
| | + | - cn=config |
| | + | -- nsslapd-tls-check-crl : none |
| | + | -- nsslapd-ssl-check-hostname : off |
| | + | #br |
| | + | |
| | + | *** Replication [#pbbe0db9] |
| | + | **** Cockpit を使った Replication (389-ds => 389-ds) [#tde4a66d] |
| | + | - Supplier --> Consumer ならうまくいく |
| | + | -- Agreement で Consumer のデータベースを初期化する. |
| | + | -- ldaps(636)で通信する場合は,「''ldapサーバが相手の証明書をチェックしない''」ようにする. |
| | + | |
| | + | - Supplier <--> Supplier がダメ |
| | + | - Consumer を Cockpit で削除しようとすると,389-ds が止まって削除できない.ログ関連のエラー? |
| | + | |
| | + | |
| | + | #br |
| | + | |
| | + | **** OpenLDAP => 389-ds [#qea3193d] |
| | + | - syncprovモジュールを使用する.(?) |
| | + | - Consumer(389-ds) から Supplier(OpenLDAP)に聞きに行く形. |
| | + | #br |
| | + | |
| | + | *** Trouble Shooting [#xce00c43] |
| | + | **** エラー番号 [#f1f44c73] |
| | + | - https://software.fujitsu.com/jp/manual/manualfiles/M050000/B1WN4901/02/irepab/irep0158.htm |
| | + | #br |
| | + | |
| | + | **** パスワードの変更に失敗しました。 サーバーのメッセージ: Insufficient access rights [#p22fa258] |
| | + | - 一般ユーザにパスワード変更の権限がない(err=50) |
| | + | - 上記の 「aci 内部属性の変更」 を参照 |
| | #br | | #br |
| | | | |
| | *** Execute [#eae554aa] | | *** Execute [#eae554aa] |
| | # systemctl start dirsrv@[Directory server identifier] | | # systemctl start dirsrv@[Directory server identifier] |
| | + | |
| | ex.) systemctl start dirsrv@nsl | | ex.) systemctl start dirsrv@nsl |
| | #br | | #br |
| | - 確認 | | - 確認 |
| | # certutil -d /etc/dirsrv/slapd-nsl -L | | # certutil -d /etc/dirsrv/slapd-nsl -L |
| | + | |
| | Certificate Nickname Trust Attributes | | Certificate Nickname Trust Attributes |
| | SSL,S/MIME,JAR/XPI | | SSL,S/MIME,JAR/XPI |
| | + | |
| | Server-Cert u,u,u | | Server-Cert u,u,u |
| | | | |
