2: 2021-05-19 (水) 13:20:08 iseki  |
現: 2022-10-19 (水) 11:57:17 iseki |
| - | * 389-ds [#b65858c9] | + | * 389-ds [#k9ce659f] |
| | + | - [[LDAP]] 実装の一つ |
| | + | - [[OpenLDAP]] より良いとの噂. |
| | | | |
| | - https://www.secioss.co.jp/389-directory-server-%E6%A7%8B%E7%AF%89%E6%89%8B%E9%A0%86-%EF%BD%9E%E5%88%9D%E7%B4%9A%E7%B7%A8%EF%BD%9E/ | | - https://www.secioss.co.jp/389-directory-server-%E6%A7%8B%E7%AF%89%E6%89%8B%E9%A0%86-%EF%BD%9E%E5%88%9D%E7%B4%9A%E7%B7%A8%EF%BD%9E/ |
| | + | - 情報が少ない! |
| | + | #br |
| | | | |
| | + | ** NSL [#cf647cf8] |
| | + | -- ds.nsl.tuis.ac.jp |
| | + | -- [[phpldapadmin>phpLDAPadmin]] |
| | + | -- デーモン:ns-lsapd |
| | #br | | #br |
| | | | |
| - | ** CentOS8 [#v09d1bf7] | + | ** CentOS8 (1.4系)[#d6b77973] |
| - | *** Install [#w3cf15d7] | + | |
| | + | *** Information [#s2fb0473] |
| | + | - 古い Java コンソールと管理サーバーは廃止 |
| | + | -- 代わりは? |
| | + | -- [[Cockpit]] または [[Apache Directory Studio]] を使う? |
| | + | --- [[Cockpit]] はまだ能力不足(2021 6/3) |
| | + | --- DIT(Directory Information Tree)操作に [[Apache Directory Studio]] を使う. |
| | + | - 結局 [[Apache Directory Studio]] も良く分からんので,[[phpldapadmin>phpLDAPadmin]] を使おう! |
| | + | #br |
| | + | |
| | + | *** Install [#fcfbefb6] |
| | + | # dnf install epel-release |
| | + | # dnf update epel-release |
| | + | # dnf module install 389-directory-server:stable/default |
| | + | |
| | + | - openldap のクライアントも入れておいた方が便利 |
| | + | #br |
| | + | |
| | + | *** Setup [#vfcc1b4f] |
| | + | # dscreate interactive |
| | + | - Create self-signed certificate database に yes で答えると勝手にTLS用の設定をやってくれるみたい. |
| | + | -- NSSのデータベース用パスワードは /etc/dirsrv/slapd-[Directory server identifier]/pin.txt |
| | + | - Create just the top suffix entry [no]: yes |
| | + | - DataBase は ''/var/lib/dirsrv/slapd-[Directory server identifier] ''にできる. |
| | + | - [[Cockpit]] からも接続可能 |
| | + | #br |
| | + | |
| | + | **** Example [#p39549e6] |
| | + | # dscreate interactive |
| | + | Install Directory Server (interactive mode) |
| | + | =========================================== |
| | + | selinux is disabled, will not relabel ports or files. |
| | + | Selinux support will be disabled, continue? [yes]: |
| | + | Enter system's hostname [altair]: ds.nsl.tuis.ac.jp |
| | + | Enter the instance name [ds]: nsl |
| | + | Enter port number [389]: |
| | + | Create self-signed certificate database [yes]: |
| | + | Enter secure port number [636]: |
| | + | Enter Directory Manager DN [cn=Directory Manager]: cn=Manager |
| | + | Enter the Directory Manager password: ******** |
| | + | Confirm the Directory Manager Password: ******** |
| | + | Enter the database suffix (or enter "none" to skip) [dc=nsl,dc=tuis,dc=ac,dc=jp]: |
| | + | Create sample entries in the suffix [no]: yes |
| | + | Do you want to start the instance after the installation? [yes]: |
| | + | Are you ready to install? [no]: yes |
| | + | Starting installation... |
| | + | Completed installation for nsl |
| | + | #br |
| | + | |
| | + | **** firewall [#qefc799e] |
| | + | # firewall-cmd --add-service=ldap --permanent |
| | + | # firewall-cmd --add-service=ldaps --permanent |
| | + | # firewall-cmd --reload |
| | + | |
| | + | **** 起動 [#i3f71e60] |
| | + | - systemctl start dirsrv@[Directory server identifier] |
| | + | -- systemctrl start dirsrv@nsl.service |
| | + | #br |
| | + | |
| | + | *** check [#c4ab40fc] |
| | + | - TLS を使う場合は /etc/openldap/ldap.conf に ''TLS_REQCERT never ''を追加 |
| | + | |
| | + | ex.) ldapsearch -x -H ldap://localhost -D cn=Manager -W -b dc=nsl,dc=tuis,dc=ac,dc=jp |
| | + | ex.) ldapsearch -x -H ldaps://localhost -D cn=Manager -W -b dc=nsl,dc=tuis,dc=ac,dc=jp |
| | + | |
| | + | #br |
| | + | *** Client [#x92900f4] |
| | + | - [[pam_ldap]] |
| | + | - [[nss_ldap]], [[nslcd]] |
| | + | - [[sssd]] |
| | + | #br |
| | + | |
| | + | *** 属性値の変更 [#bed30db8] |
| | + | **** 変更例 [#r2f61dc3] |
| | + | - dapmodify -x -H ldap://202.26.150.51 -D cn=Manager -W -f ''change.ldif'' |
| | + | |
| | + | # cat change.ldif |
| | + | dn: cn=config |
| | + | changetype: modify |
| | + | replace: nsslapd-security |
| | + | nsslapd-security: on |
| | + | |
| | + | **** aci 内部属性の変更 [#adeb9eca] |
| | + | - 一般ユーザに userPassword の変更権限の aci内部属性を与える |
| | + | - ldapmodify -x -H ldap://202.26.150.51 -D cn=Manager -W -f ''userPass.ldif'' |
| | + | |
| | + | # cat userPass.ldif |
| | + | dn: dc=nsl,dc=tuis,dc=ac,dc=jp |
| | + | changetype: modify |
| | + | add: aci |
| | + | aci: (targetattr = "userPassword") (version 3.0; acl |
| | + | "modify own password"; allow (write) userdn = "ldap:///self";) |
| | + | |
| | + | **** ldapサーバが相手の証明書をチェックしない [#o1fd5ca1] |
| | + | - cn=config |
| | + | -- nsslapd-tls-check-crl : none |
| | + | -- nsslapd-ssl-check-hostname : off |
| | + | #br |
| | + | |
| | + | *** Replication [#pbbe0db9] |
| | + | **** Cockpit を使った Replication (389-ds => 389-ds) [#tde4a66d] |
| | + | - Supplier --> Consumer ならうまくいく |
| | + | -- Agreement で Consumer のデータベースを初期化する. |
| | + | -- ldaps(636)で通信する場合は,「''ldapサーバが相手の証明書をチェックしない''」ようにする. |
| | + | |
| | + | - Supplier <--> Supplier がダメ |
| | + | - Consumer を Cockpit で削除しようとすると,389-ds が止まって削除できない.ログ関連のエラー? |
| | + | |
| | + | |
| | + | #br |
| | + | |
| | + | **** OpenLDAP => 389-ds [#qea3193d] |
| | + | - syncprovモジュールを使用する.(?) |
| | + | - Consumer(389-ds) から Supplier(OpenLDAP)に聞きに行く形. |
| | + | #br |
| | + | |
| | + | *** Trouble Shooting [#xce00c43] |
| | + | **** エラー番号 [#f1f44c73] |
| | + | - https://software.fujitsu.com/jp/manual/manualfiles/M050000/B1WN4901/02/irepab/irep0158.htm |
| | + | #br |
| | + | |
| | + | **** パスワードの変更に失敗しました。 サーバーのメッセージ: Insufficient access rights [#p22fa258] |
| | + | - 一般ユーザにパスワード変更の権限がない(err=50) |
| | + | - 上記の 「aci 内部属性の変更」 を参照 |
| | + | #br |
| | + | |
| | + | ** old(1.3系) [#y104db5f] |
| | + | |
| | + | *** Install [#j1cca87e] |
| | # dnf module enable 389-ds | | # dnf module enable 389-ds |
| | # dnf install 389-ds-base | | # dnf install 389-ds-base |
| | # dnf install 389-ds-base-legacy-tools | | # dnf install 389-ds-base-legacy-tools |
| - | #br | + | |
| - | *** Setup [#k1a66c59] | + | *** Setup [#ibdb458d] |
| | # setup-ds.pl | | # setup-ds.pl |
| | - ほぼデフォルトでOK | | - ほぼデフォルトでOK |
| | -- Computer name は DNSで引けるものにする. | | -- Computer name は DNSで引けるものにする. |
| - | -- Directory server identifier は他と被らないようにする.(Ex. nsl) | + | -- Directory server identifier は他と被らないようにする.(ex. nsl) |
| | - 失敗した場合は /tmp に作られる log をチェックする. | | - 失敗した場合は /tmp に作られる log をチェックする. |
| - | - /etc/dirsrv/slapd-[Directory server identifier]/ が作られる.(Ex. /etc/dirsrv/slapd-nsl/) | + | - /etc/dirsrv/slapd-[Directory server identifier]/ が作られる.(ex. /etc/dirsrv/slapd-nsl/) |
| | + | - LDAPI が作られない.Cockpit でアクセスできない. |
| | #br | | #br |
| | | | |
| - | *** Execute [#hd324f7d] | + | *** Execute [#eae554aa] |
| | # systemctl start dirsrv@[Directory server identifier] | | # systemctl start dirsrv@[Directory server identifier] |
| | + | |
| | + | ex.) systemctl start dirsrv@nsl |
| | + | #br |
| | + | |
| | + | **** check [#of7b3188] |
| | + | - ex.) ldapsearch -x -H ldap://localhost -D cn=Manager -W -b dc=nsl,dc=tuis,dc=ac,dc=jp |
| | + | #br |
| | + | *** 389 Windows Console [#ld5fba0b] |
| | + | - https://directory.fedoraproject.org/docs/389ds/releases/release-windows-console-1-1-15.html |
| | + | #br |
| | + | |
| | + | *** TLS [#nce42bec] |
| | + | **** サーバ証明書 (p12ファイル) [#faee5d4f] |
| | + | # cd /etc/dirsrv |
| | + | # mkdir certs |
| | + | # cd certs |
| | + | # mkdir private |
| | + | # openssl genrsa 2048 > private/private.key |
| | + | # openssl req -new -x509 -key private/private.key -out server.crt -days 3650 |
| | + | # openssl pkcs12 -export -inkey private/private.key -in server.crt -out server.p12 -nodes -name Server-Cert |
| | + | p12ファイルのパスワードを設定 |
| | + | #br |
| | + | **** 389 へ配置 [#pde7bcf7] |
| | + | # pk12util -i server.p12 -d /etc/dirsrv/slapd-nsl |
| | + | Internal (Software) Token のパスワードを設定 |
| | + | - 確認 |
| | + | # certutil -d /etc/dirsrv/slapd-nsl -L |
| | + | |
| | + | Certificate Nickname Trust Attributes |
| | + | SSL,S/MIME,JAR/XPI |
| | + | |
| | + | Server-Cert u,u,u |
| | + | |
| | + | **** 389のファイル設定 [#r48dce25] |
| | + | - /etc/dirsrv/slapd-nsl/pin.txt (Internal (Software) Tokenのパスワードを設定) |
| | + | Internal (Software) Token:pass |
| | + | |
| | + | - /etc/dirsrv/slapd-nsl/ldaps.ldif |
| | + | dn: cn=config |
| | + | changetype: modify |
| | + | replace: nsslapd-security |
| | + | nsslapd-security: on |
| | + | - ldaps.ldif の変更を反映 |
| | + | # ldapmodify -x -H ldap://localhost -D cn=Manager -W -f ldaps.ldif |
| | + | LDAPのパスワードを入力 |
| | + | - /etc/openldap/ldap.conf に TLS_REQCERT never を追加 |
| | + | #br |
| | + | **** firewall [#qefc799e] |
| | + | # firewall-cmd --add-service=ldap --permanent |
| | + | # firewall-cmd --add-service=ldaps --permanent |
| | + | # firewall-cmd --reload |
| | | | |
| - | Ex. systemctl start dirsrv@nsl | + | **** check [#r813c364] |
| | + | # systemctl restart dirsrv@nsl |
| | + | # ldapsearch -x -H ldaps://localhost -D cn=Manager -W -b dc=nsl,dc=tuis,dc=ac,dc=jp |
| | #br | | #br |
