WHEREIS

Installation

pam_ldap

nss-pam-ldapd

openldap-servers

openldap-clients

oddjob-mkhomedir-0.30-5.el6.x86_64

oddjob-0.30-5.el6.x86_64



Main slapd.conf settings

access to attrs=userPassword

        by self write

        by anonymous auth

        by dn.base="cn=admin,dc=abc,dc=com" write

        by * none


access to *

        by self write

        by dn.base="cn=admin,dc=abc,dc=com" write

        by users read

        by anonymous read


Main pam_ldap.conf settings

pam_password md5

bind_policy soft

bind_timelimit 2




PAM configuration

system-auth

======================================================================================================

auth        required      pam_env.so

auth        sufficient    pam_unix.so nullok try_first_pass

auth        requisite     pam_succeed_if.so uid >= 500 quiet

auth        sufficient    pam_ldap.so use_first_pass

auth        required      pam_deny.so


account     required      pam_unix.so broken_shadow

account     sufficient    pam_localuser.so

account     sufficient    pam_succeed_if.so uid < 500 quiet

account     [default=bad success=ok user_unknown=ignore] pam_ldap.so

account     required      pam_permit.so


password    requisite     pam_cracklib.so try_first_pass retry=3 type=

password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok

password    sufficient    pam_ldap.so use_authtok

password    required      pam_deny.so


session     optional      pam_keyinit.so revoke

session     required      pam_limits.so

session     optional   pam_oddjob_mkhomedir.so

session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid

session     required      pam_unix.so

session     optional     pam_ldap.so


password-auth

======================================================================================================

auth        required      pam_env.so

auth        sufficient    pam_unix.so nullok try_first_pass

auth        requisite     pam_succeed_if.so uid >= 500 quiet

auth        sufficient    pam_ldap.so use_first_pass

auth        required      pam_deny.so


account     required      pam_unix.so broken_shadow

account     sufficient    pam_localuser.so

account     sufficient    pam_succeed_if.so uid < 500 quiet

account     [default=bad success=ok user_unknown=ignore] pam_ldap.so

account     required      pam_permit.so


password    requisite     pam_cracklib.so try_first_pass retry=3 type=

password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok

password    sufficient    pam_ldap.so use_authtok

password    required      pam_deny.so


session     optional      pam_keyinit.so revoke

session     required      pam_limits.so

session     optional   pam_oddjob_mkhomedir.so

session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid

session     required      pam_unix.so

session     optional      pam_ldap.so




Log configuration

/etc/sysconfig/ldap

SLAPD_OPTIONS="-l local4"


/etc/rsyslog.conf

local4.*            /var/log/ldap.log




Main commands

ldapmodify -x -w "abc" -D "cn=admin,dc=abc,dc=com" -f meen2.ldif

ldapsearch -x -b "dc=abc,dc=com" "(objectclass=*)"

ldapadd -x -D "cn=admin,dc=abc,dc=com" -W -f hee.ldif


Replication (HA) configuration


master

overlay         syncprov

syncprov-checkpoint     10 1

syncprov-sessionlog     100



slave

syncrepl        rid=001

                provider="ldap://서버IP/"

                type=refreshAndPersist

                interval=00:00:00:10

                retry="5 10 60 +"

                timeout=1

                schemachecking=off

                searchbase="dc=abc,dc=com"

                scope=sub

                bindmethod=simple

                binddn="cn=admin,dc=abc,dc=com"

                credentials="이거슨 패스워드 입니다."

updateref       ldap://서버IP:389/






To reduce unnecessary queries to the LDAP server,

modify /etc/nslcd.conf as follows so that only LDAP ids/groups are looked up against the LDAP server



root@abc:/root># grep valid /etc/nslcd.conf

validnames /^([0-9]{3}|[1|5|9][0-9]{6})$/


root@abc01:/root># grep nslcd_group_bymember /var/log/messages  |tail -n 3

Jul 18 13:57:38 abc01 nslcd[4040]: [5558ec] nslcd_group_bymember(root): invalid user name

Jul 18 14:00:01 abc01 nslcd[4040]: [8e1f29] nslcd_group_bymember(root): invalid user name

Jul 18 14:01:01 abc01 nslcd[4040]: [e87ccd] nslcd_group_bymember(root): invalid user name
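As an added example (not part of the original post), the following Python script applies the same validnames regex from the nslcd.conf line above to a few constructed user names, and parses constructed nslcd log lines in the format of the grep output above to count which names were rejected before reaching the LDAP server. The pattern is copied verbatim from the post; the sample names and log lines are constructed.

```python
import re
from collections import Counter

# validnames pattern copied verbatim from the post's /etc/nslcd.conf.
# nslcd only forwards a lookup to the LDAP server when the name matches;
# anything else is logged as "invalid user name" and never leaves the host.
# (The class [1|5|9] also admits a literal '|' as first character.)
VALIDNAMES = re.compile(r"^([0-9]{3}|[1|5|9][0-9]{6})$")

# nslcd line format as it appears in /var/log/messages (see the grep above).
NSLCD_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) nslcd\[(?P<pid>\d+)\]: "
    r"\[(?P<req>[0-9a-f]+)\] (?P<func>\w+)\((?P<name>[^)]*)\): (?P<msg>.*)$"
)

def is_forwarded_to_ldap(name: str) -> bool:
    """True if nslcd would query LDAP for this name, False if it is filtered locally."""
    return VALIDNAMES.match(name) is not None

def count_rejected_lookups(log_text: str) -> Counter:
    """Count 'invalid user name' rejections per requested name across nslcd log lines."""
    rejected = Counter()
    for line in log_text.splitlines():
        m = NSLCD_LINE.match(line)
        if m and m.group("msg") == "invalid user name":
            rejected[m.group("name")] += 1
    return rejected

# Constructed sample names: local accounts, a 3-digit id, 7-digit ids, out-of-range ids.
SAMPLE_NAMES = ["root", "nobody", "123", "1000001", "5123456", "2000000", "12345678"]

# Constructed log excerpt in the same format as the post's grep output.
SAMPLE_LOG = """\
Jul 18 13:57:38 abc01 nslcd[4040]: [5558ec] nslcd_group_bymember(root): invalid user name
Jul 18 14:00:01 abc01 nslcd[4040]: [8e1f29] nslcd_group_bymember(root): invalid user name
Jul 18 14:00:30 abc01 nslcd[4040]: [a1b2c3] nslcd_passwd_byname(nobody): invalid user name
Jul 18 14:01:01 abc01 nslcd[4040]: [e87ccd] nslcd_group_bymember(root): invalid user name
"""

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        status = "LDAP query" if is_forwarded_to_ldap(name) else "filtered locally"
        print(f"{name:>10}: {status}")
    print(count_rejected_lookups(SAMPLE_LOG))
```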




https://wiki.kldp.org/wiki.php/LDAP-Tips#s-13.3.2

http://coffeenix.net/doc/Translations/html/PAM_admin-KLDP/configuration.html

http://www.openldap.org/doc/admin24/overlays.html

https://blog.christophersmart.com/articles/openldap-how-to-fedora/comment-page-3/
