[Resource] OpenLDAP Everywhere - unifying accounts and more with LDAP

Under the revised copyright law even a link needs the copyright holder's permission, so a repost like this would be illegal too. Send the whole nation to prison!

[Source] http://www.linuxjournal.com/node/6266/print

Chapter 9, LDAP Interoperability, of O'Reilly's LDAP System Administration covers material related to this. But even that book says there is no way to implement an Active Directory domain with anything other than Microsoft's servers and technology. Instead it describes how to use AD for Unix account authentication.

There is a Linux Journal reference on this topic.

http://www.linuxjournal.com/node/6266/print

OpenLDAP Everywhere
I think this article will probably help, but I don't know AD well myself.

The article above explains how to unify Windows and Linux accounts with LDAP and how to use LDAP as an address book. There, Windows reaches the LDAP server through Samba. The content is Linux-based, but I think a similar approach should be possible on Solaris and other Unixes.

Other references
http://www.joinc.co.kr/modules/moniwiki/wiki.php/%B8%AE%B4%AA%BD%BA%BF%A... Configuring PAM with LDAP on Linux
http://www.linuxjournal.com/article/5689 OpenLDAP with Linux and Windows
http://www.linuxjournal.com/article/5505 Highly Available LDAP
==============================================================

OpenLDAP Everywhere
By Craig Swanson and Matt Lung
Created 2002-12-01 00:00

Step-by-step instructions for sharing e-mail directories, having a unified login and sharing files in a mixed environment.

The purpose of this article is to demonstrate the use of OpenLDAP as the core directory service for a heterogeneous environment. The LDAP server provides a shared e-mail directory, a unified login for Linux and Windows users, automount of home directories and file sharing for both Linux and Windows clients.

Midwest Tool & Die has been using OpenLDAP for three years, and the performance has been flawless. We have experienced 100% uptime for the directory. The company saw the first big benefit from sharing e-mail contacts in the directory. Now, we have unified logon from any networked computer. Our computer users can access the same file storage through Windows/Samba or through Linux/NFS/automount. The result is seamless access to network services.

Figure 1. OpenLDAP Mixed Environment

A simple mixed environment used in the examples in this article is shown in Figure 1. The configuration discussed in this article does not document the use of SSL, so binds and directory data cross the network in clear text. The ldapsync.pl program it uses may expose your LDAP manager password, and Windows clients may cache user passwords, creating a new risk to Linux security. Review your security needs with caution and prudence, and attempt this configuration at your own risk. Neither the authors, nor our employer, Midwest Tool & Die, takes any responsibility for your security.
LDAP Server Installation and Configuration

The LDAP server we discuss was installed using RPM binary packages and uses openldap-2.0.11-8 on Red Hat 7.1. You also need the LDAP PAM and NSS modules, pam_ldap and nss_ldap. This article assumes a domain name of foo.com.

To use the most recent source, follow the instructions at www.openldap.org/doc/admin/quickstart.html to download and install OpenLDAP. Edit the OpenLDAP server configuration file, /etc/openldap/slapd.conf as follows:

# Schemas to use
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/redhat/rfc822-MailMember.schema
include /etc/openldap/schema/redhat/autofs.schema
include /etc/openldap/schema/redhat/kerberosobject.schema

database ldbm
suffix "dc=foo,dc=com"
rootdn "cn=Manager,dc=foo,dc=com"
rootpw {crypt}sadtCr0CILzv2
directory /var/lib/ldap

index default eq
index objectClass,uid,uidNumber,gidNumber eq
index cn,mail,surname,givenname eq,sub

# Access Control (See openldap v.2.0 Admin Guide)
access to attr=userPassword
    by self write
    by anonymous auth
    by dn="cn=manager,dc=foo,dc=com" write
    by * compare
access to *
    by self write
    by dn="cn=manager,dc=foo,dc=com" write
    by * read

The LDAP schemas define object classes and attributes that make up the directory entries. With the edits above, the hard work of defining schemas to fit our uses has been done. The schemas that we need, listed in the first section of slapd.conf, already have been defined and packaged with the RPM installation.

If you find that you need to add an objectClass or an attribute for your directory, see the OpenLDAP admin guide at www.openldap.org/doc/admin20/schema.html. We'll use the default database type ldbm, and our example uses the LDAP domain component. Therefore, foo.com becomes dc=foo,dc=com. In addition, the manager has full write access to LDAP entries.

The Red Hat 7.3 Reference Guide suggests using crypt to protect the manager's password:

perl -e "print crypt('passwd', 'salt_string');"

In the previous Perl line, replace salt_string with a two-character salt, and passwd with the plain-text version of the password. Paste the resulting hashed password into slapd.conf as shown above. Note that traditional crypt uses only a two-character salt and the first eight characters of the password; the slappasswd utility that ships with OpenLDAP produces a salted SHA-1 hash ({SSHA} by default) that slapd accepts in rootpw, and it is the better choice for a password that grants full write access to the directory.

The index lines enhance performance for attributes that are often queried. Access control restricts access to the userPassword attribute: the user and the manager may modify it, an anonymous client may only use it to authenticate (bind), and everyone else gets compare. For all other attributes, a user may write their own entry, the manager has write access, and everyone else is granted read access. Two caveats before you copy this file: `by * compare` lets any authenticated client test password guesses against other users' entries with ldapcompare, bypassing whatever lockout or throttling your login path enforces, so `by * none` is the safer final clause; and `access to * by self write` lets a user rewrite every attribute of their own entry, including uidNumber, gidNumber and homeDirectory, so in practice restrict self-write to the attributes users legitimately change, such as userPassword and loginShell.
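To see what these stanzas actually grant to each kind of requester, here is an added example (not part of the Linux Journal article and not OpenLDAP code) that re-implements the documented OpenLDAP 2.0 ACL evaluation for a file like the one above: the first `access to` clause whose target matches the attribute is used, within it the first matching `by` clause wins, and if none matches the request is denied. It also produces a rootpw value in the {SSHA} form that slappasswd emits. The two user DNs used in the usage section are assumed to exist under ou=people; only the `who` forms the article uses (self, anonymous, dn=, *) are implemented.

```python
"""Evaluate the article's slapd.conf access stanzas and produce a {SSHA} rootpw.

Added example: a small model of OpenLDAP's ACL rules, not OpenLDAP itself.
"""
import base64
import hashlib
import os

# The article's access stanzas, copied here as the input to evaluate.
ARTICLE_ACL = """
access to attr=userPassword
    by self write
    by anonymous auth
    by dn="cn=manager,dc=foo,dc=com" write
    by * compare
access to *
    by self write
    by dn="cn=manager,dc=foo,dc=com" write
    by * read
"""

# OpenLDAP access levels in increasing order; a level implies all lower ones.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]
MANAGER = "cn=manager,dc=foo,dc=com"


def parse_acl(text):
    """Return [(target, [(who, level), ...]), ...] in file order."""
    clauses = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("access to "):
            clauses.append((line[len("access to "):], []))
        elif line.startswith("by "):
            who, level = line[3:].rsplit(None, 1)
            clauses[-1][1].append((who.replace('"', ""), level))
    return clauses


def who_matches(who, requester, entry_dn):
    """requester is None for an anonymous client, otherwise its bound DN."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "self":
        return requester is not None and requester.lower() == entry_dn.lower()
    if who.startswith("dn="):
        return requester is not None and requester.lower() == who[3:].lower()
    raise ValueError(f"unsupported who clause: {who}")


def access_level(acl, requester, entry_dn, attr):
    """Level granted to requester on attr of entry_dn (first match wins)."""
    for target, bys in acl:
        if target != "*" and target.lower() != f"attr={attr}".lower():
            continue
        for who, level in bys:
            if who_matches(who, requester, entry_dn):
                return level
        return "none"            # target matched but no `by` clause did: denied
    return "none"


def allows(acl, requester, entry_dn, attr, needed):
    return LEVELS.index(access_level(acl, requester, entry_dn, attr)) >= LEVELS.index(needed)


def ssha_hash(password, salt=None):
    """'{SSHA}' + base64(sha1(password + salt) + salt), slappasswd's default scheme."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(password, stored):
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode() + salt).digest() == digest


if __name__ == "__main__":
    acl = parse_acl(ARTICLE_ACL)
    gomerp = "uid=gomerp,ou=people,dc=foo,dc=com"   # assumed user entries
    goober = "uid=goober,ou=people,dc=foo,dc=com"
    print("anonymous on userPassword:", access_level(acl, None, gomerp, "userPassword"))
    print("goober on gomerp's userPassword:", access_level(acl, goober, gomerp, "userPassword"))
    print("gomerp on own uidNumber:", access_level(acl, gomerp, gomerp, "uidNumber"))
    print("rootpw " + ssha_hash("example-only"))
```

Running it shows the two results worth acting on: any authenticated user gets compare on every other user's userPassword, and a user gets write on their own uidNumber.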
Create the Directory Structure

LDAP can be seen as a tree, with foo.com at the trunk. Branches are created as organizational units (ou), as shown in Figure 2.

Figure 2. Organizational units are branches on the LDAP tree.

Each entry in the directory is uniquely identified with a distinguished name (dn). The dn for the LDAP manager looks like dn: cn=manager, dc=foo, dc=com.

The ou provides a method for grouping entries, as shown in Table 1.

Table 1. ou Method for Grouping Entries

We create the individual entries in LDIF (LDAP Data Interchange Format), one block per entry with a blank line between entries, and save them to top.ldif:

dn: dc=foo, dc=com
objectclass: dcObject
objectclass: organization
o: Foo Company
dc: foo

dn: cn=manager, dc=foo, dc=com
objectclass: organizationalRole
cn: manager

dn: ou=people, dc=foo, dc=com
ou: people
objectclass: organizationalUnit
objectclass: domainRelatedObject
associatedDomain: foo.com

dn: ou=contacts, ou=people, dc=foo, dc=com
ou: contacts
ou: people
objectclass: organizationalUnit
objectclass: domainRelatedObject
associatedDomain: foo.com

dn: ou=group, dc=foo, dc=com
ou: group
objectclass: organizationalUnit
objectclass: domainRelatedObject
associatedDomain: foo.com

Add the top-level entries to the directory with ldapadd:

ldapadd -x -D 'cn=manager,dc=foo,dc=com' -W -f top.ldif

Then, test your work with ldapsearch to retrieve all entries:

ldapsearch -x -b 'dc=foo,dc=com'

Share E-Mail Contacts

At this point, we have enough structure in LDAP to put it to real use. We'll start by sharing our e-mail contacts, which also should be in LDIF.

To simplify the process, you may be able to export your e-mail address book in LDIF. For example, in Mozilla 1.0, you can export in LDIF from the Tools menu on the address book window. Microsoft Outlook Express also allows exporting the address book in LDIF. You will need to process the resulting file so it looks like our contacts example below; I suggest using Perl for the task.

Contacts are uniquely identified by their e-mail addresses. Here is the dn for a sample contact:

dn: uid=someone@somewhere.com,ou=contacts,ou=people,dc=foo,dc=com

With all of the attributes, the full entry for a contact looks like:

dn: uid=someone@somewhere.com,ou=contacts,ou=people,dc=foo,dc=com
cn: Someone Youknow
mail: someone@somewhere.com
uid: someone@somewhere.com
givenname: Someone
sn: Youknow
objectclass: person
objectClass: top
objectClass: inetOrgPerson

Separate each contact entry with a blank line, and save it to a file called contacts.ldif. Then you can add the contacts to the directory with ldapadd:

ldapadd -x -D 'cn=manager,dc=foo,dc=com' -W -f contacts.ldif

Once again, test your work with an ldapsearch that retrieves all entries:

ldapsearch -x -b 'dc=foo,dc=com'

Configure E-Mail Clients

Now it's time to configure Mozilla to use the new LDAP server (see Figure 3).

Figure 3. Directory Server Properties Dialog Box in Mozilla

From the Edit menu in the Mozilla Mail and News window, select Mail & Newsgroup Account Setting. In the Addressing tab, select Use a different LDAP server, then select Edit Directories and then Add. Fill in the Directory Server Properties dialog with:

Name: FOO
Server: ldapserver.foo.com
base DN: ou=people,dc=foo,dc=com

Next, tell Mozilla to look up addresses in your directory. Under Addressing in the Mail and Newsgroups preferences, select Address Autocompletion and fill in FOO for Directory Server.

Test your settings by composing a message to one of your contacts in your LDAP directory. The address should autocomplete as you type. Another test is to search the LDAP directory from within the Mozilla Mail Address Book. A search for Name or E-mail that contains * should return all of the contact entries. Similarly, you can also configure Microsoft Outlook Express to use the LDAP directory.
Unified Linux Login with LDAP

By storing user account information in LDAP, you can use the same user name and password at any Linux console. To start, you must decide which user names should be entered in LDAP. Here is our user scheme for UID/GIDs:

* System accounts: UID < 500
* Real people in LDAP: 499 < UID < 10,000
* Local users, groups (not in LDAP): > 10,000

This user scheme allows for 9,500 LDAP user and group entries, while allowing local per-system users and groups that do not interfere with LDAP UID/GIDs.
Create Local Computer User Entries

An entry for a local computer user is identified by the login name as ``uid''. Local computer users are members of ou=people: dn: uid=gomerp,ou=people,dc=foo,dc=com.

The full entry contains the attributes needed to control account access:

dn: uid=gomerp,ou=people,dc=foo,dc=com
uid: gomerp
cn: Gomer Pyle
givenname: Gomer
sn: Pyle
mail: gomerp@foo.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: kerberosSecurityObject
objectClass: shadowAccount
userPassword: useradd_ldap_flag
shadowLastChange: 11547
shadowMax: 99999
shadowFlag: 0
krbname:
loginShell: /bin/bash
uidNumber: 531
gidNumber: 531
homeDirectory: /h/gomerp
gecos: Gomer Pyle

To make this easier, OpenLDAP ships with migration utilities that can extract the user account information; see /usr/share/openldap/migration. The first thing you need to do is edit migrate_common.ph:

# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "foo.com";
# Default base
$DEFAULT_BASE = "dc=foo,dc=com";
# turn this on to support more general object classes
# such as person.
$EXTENDED_SCHEMA = 1;

Then, extract the user account information:

/usr/share/openldap/migration/migrate_passwd.pl /etc/passwd > people.ldif

Once this is done, review the resulting LDIF file. You should remove entries for system accounts such as root and for local system users that do not need to appear in LDAP. Finally, add the user entries to LDAP:

ldapadd -x -D 'cn=manager,dc=foo,dc=com' -W -f people.ldif

As always, test your work with an ldapsearch that retrieves all entries:

ldapsearch -x -b "dc=foo,dc=com" "(objectclass=*)"

Because the computer users belong to ou=people, you may now look up their e-mail addresses within your mail client.

Create Group Entries

You need to make a group entry for each group that is shared between multiple Linux computers. Each user also needs a group entry for the user private group. A group entry is identified by ``cn'', and each group belongs to ou=group, for example:

dn: cn=gomerp,ou=group,dc=foo,dc=com

A user private group would look like this:

dn: cn=gomerp,ou=group,dc=foo,dc=com
objectClass: posixGroup
objectClass: top
cn: gomerp
userPassword: {crypt}x
gidNumber: 531

While a shared group would look like:

dn: cn=web_dev,ou=group,dc=foo,dc=com
objectClass: posixGroup
objectClass: top
cn: web_dev
gidNumber: 502
memberUid: gomerp
memberUid: goober
memberUid: barneyf

As with users, the migration scripts can produce the group entries for you instead of writing each one by hand:

/usr/share/openldap/migration/migrate_group.pl /etc/group > group.ldif

Review the resulting LDIF file, removing entries for system groups and for local per-system groups that do not need to appear in LDAP. Then, add the group entries to LDAP:

ldapadd -x -D 'cn=manager,dc=foo,dc=com' -W -f group.ldif

Test your work with an ldapsearch that retrieves all group entries:

ldapsearch -x -b 'dc=foo,dc=com'
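The user and group migration steps above, together with the UID/GID scheme, can be tied together in one script. The following is an added example standing in for the PADL migrate_passwd.pl and migrate_group.pl scripts the article runs; it is not those scripts. It applies the article's policy (only ids with 500 <= id < 10,000 go into the directory), rewrites the home directory to the /h automount point the article uses, keeps locked accounts locked, and reports memberUid values that name no exported user so you can review them before ldapadd. The passwd, shadow and group lines are constructed for the example and the hashes in them are not real.

```python
"""Generate people.ldif / group.ldif entries from passwd, shadow and group files.

Added example, a stand-in for migrate_passwd.pl / migrate_group.pl, not those scripts.
"""

BASE = "dc=foo,dc=com"
MAIL_DOMAIN = "foo.com"
ID_MIN, ID_MAX = 500, 10000      # article: 499 < UID < 10,000 lives in LDAP
HOME_PREFIX = "/h"               # clients automount ldapserver:/home/<user> on /h/<user>

# Constructed sample files; the hashes are placeholders, not real credentials.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
gomerp:x:531:531:Gomer Pyle:/home/gomerp:/bin/bash
goober:x:532:532:Goober Pyle:/home/goober:/bin/bash
backupbot:x:10050:10050:local backup job:/var/backup:/sbin/nologin
"""
SHADOW = """\
root:$1$c0nStRuC$tedHashForTheExample0:11547:0:99999:7:::
gomerp:$1$Zq1jH5Ff$TnRm5kzgM3Xt5nVvW2UO3.:11547:0:99999:7:::
goober:!$1$Zq1jH5Ff$TnRm5kzgM3Xt5nVvW2UO3.:11547:0:99999:7:::
"""
GROUP = """\
root:x:0:
gomerp:x:531:
goober:x:532:
web_dev:x:502:gomerp,goober,barneyf
lpadmin:x:10020:goober
"""


def parse_colon_file(text):
    return [line.split(":") for line in text.splitlines() if line and not line.startswith("#")]


def values(entry, attr):
    """All values of one attribute in an entry (a list of (attr, value) pairs)."""
    return [v for a, v in entry if a.lower() == attr.lower()]


def passwd_entries(passwd_text, shadow_text):
    shadow = {f[0]: f for f in parse_colon_file(shadow_text)}
    entries = []
    for name, _pw, uid, gid, gecos, home, shell in parse_colon_file(passwd_text):
        uid, gid = int(uid), int(gid)
        if not ID_MIN <= uid < ID_MAX:
            continue                           # system or per-host local account
        sh = shadow.get(name)
        # A locked hash ('!...' or '*') still blocks binds once stored as {crypt}:
        # nothing crypts to it, so locked accounts stay locked in LDAP.
        hashed = "{crypt}" + (sh[1] if sh and sh[1] else "*")
        first, _, last = gecos.partition(" ")
        entries.append([
            ("dn", f"uid={name},ou=people,{BASE}"),
            ("uid", name),
            ("cn", gecos or name),
            ("givenName", first or name),
            ("sn", last or name),
            ("mail", f"{name}@{MAIL_DOMAIN}"),
            ("objectClass", "top"),
            ("objectClass", "person"),
            ("objectClass", "organizationalPerson"),
            ("objectClass", "inetOrgPerson"),
            ("objectClass", "posixAccount"),
            ("objectClass", "shadowAccount"),
            ("userPassword", hashed),
            ("shadowLastChange", sh[2] if sh else "0"),
            ("shadowMax", sh[4] if sh else "99999"),
            ("loginShell", shell),
            ("uidNumber", str(uid)),
            ("gidNumber", str(gid)),
            ("homeDirectory", f"{HOME_PREFIX}/{home.rsplit('/', 1)[-1]}"),
            ("gecos", gecos),
        ])
    return entries


def group_entries(group_text):
    entries = []
    for name, _pw, gid, members in parse_colon_file(group_text):
        gid = int(gid)
        if not ID_MIN <= gid < ID_MAX:
            continue                           # system or per-host local group
        entry = [
            ("dn", f"cn={name},ou=group,{BASE}"),
            ("objectClass", "top"),
            ("objectClass", "posixGroup"),
            ("cn", name),
            ("gidNumber", str(gid)),
        ]
        entry += [("memberUid", m) for m in members.split(",") if m]
        entries.append(entry)
    return entries


def dangling_members(users, groups):
    """memberUid values that name no exported user: review these before ldapadd."""
    known = {values(u, "uid")[0] for u in users}
    return {values(g, "cn")[0]: [m for m in values(g, "memberUid") if m not in known]
            for g in groups if any(m not in known for m in values(g, "memberUid"))}


def to_ldif(entries):
    """Render entries as LDIF; a blank line separates entries, as ldapadd expects."""
    return "\n\n".join("\n".join(f"{a}: {v}" for a, v in e) for e in entries) + "\n"


if __name__ == "__main__":
    users, groups = passwd_entries(PASSWD, SHADOW), group_entries(GROUP)
    print(to_ldif(users))
    print(to_ldif(groups))
    print("# dangling memberUid:", dangling_members(users, groups))
```

Redirect the two printed blocks into people.ldif and group.ldif and feed them to ldapadd as in the steps above; root, backupbot and lpadmin never reach the directory, and the dangling barneyf in web_dev is the kind of entry the article's "review the resulting LDIF" step is meant to catch.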

Configure Automount to Share Home Directories (and NFS Shares)

With unified login, users have a single home directory shared via NFS. To keep things simple, we host our home directories from ldapserver.foo.com and share /home via NFS. NFS is outside the scope of this article, but here is a line from /etc/exports that works:

/home *.foo.com(rw)

Keep in mind what this export trusts: any host whose address resolves to a name under foo.com, and, with the usual AUTH_SYS flavour of NFS, whatever uid that host claims for the calling user. Limit the export to the client hosts or subnet you actually use, and keep the default root_squash so a client's root is not root on the home directories.

Linux LDAP clients mount the user's home directory at login, using automount and NFS. The LDAP use of automount is a replacement for NIS (Network Information Service) automount maps. Replace the automount maps for auto.master, auto.home and auto.misc.

We also create a new organizational unit for auto.master:

dn: ou=auto.master,dc=foo,dc=com
objectClass: top
objectClass: automountMap
ou: auto.master

An auto.master entry is identified by ``cn''. The automountInformation attribute instructs automount to look for the map in LDAP:

dn: cn=/h, ou=auto.master,dc=foo,dc=com
objectClass: automount
automountInformation: ldap:ou=auto.home,dc=foo,dc=com
cn: /h

While we're at it, let's create an auto.master entry for other NFS shared directories:

dn: cn=/share, ou=auto.master,dc=foo,dc=com
objectClass: automount
automountInformation: ldap:ou=auto.misc,dc=foo,dc=com
cn: /share

Create the automount entries in LDIF format and save as auto.master.ldif:

dn: ou=auto.master,dc=foo,dc=com
objectClass: top
objectClass: automountMap
ou: auto.master

dn: cn=/h, ou=auto.master,dc=foo,dc=com
objectClass: automount
automountInformation: ldap:ou=auto.home,dc=foo,dc=com
cn: /h

dn: cn=/share, ou=auto.master,dc=foo,dc=com
objectClass: automount
automountInformation: ldap:ou=auto.misc,dc=foo,dc=com
cn: /share

Add the auto.master entries to LDAP:

ldapadd -x -D 'cn=manager,dc=foo,dc=com' -W -f auto.master.ldif

Next, we create a new organizational unit for auto.home, ou=auto.home. A home directory entry is identified by ``cn'':

dn: cn=gomerp,ou=auto.home,dc=foo,dc=com

Create auto.home entries for each user in LDIF format and save as auto.home.ldif:

dn: ou=auto.home,dc=foo,dc=com
objectClass: top
objectClass: automountMap
ou: auto.home

dn: cn=gomerp,ou=auto.home,dc=foo,dc=com
objectClass: automount
automountInformation: ldapserver.foo.com:/home/gomerp
cn: gomerp

Add the auto.home entries to LDAP:

ldapadd -x -D 'cn=manager,dc=foo,dc=com' -W -f auto.home.ldif

When automounted from a Linux LDAP client, your home directory (ldapserver.foo.com:/home/gomerp) is mounted on /h/gomerp. Other NFS shares may be entered in LDAP and automounted as they are needed. Those maps live under the auto.misc organizational unit, ou=auto.misc,dc=foo,dc=com.

We've already created an auto.master entry for /share, as indicated above. Now, create entries for NFS shares under auto.misc, and save them as auto.misc.ldif:

dn: ou=auto.misc,dc=foo,dc=com
objectClass: top
objectClass: automountMap
ou: auto.misc

dn: cn=redhat,ou=auto.misc,dc=foo,dc=com
objectClass: automount
automountInformation: bigdisk.foo.com:/pub/redhat
cn: redhat

dn: cn=engineering,ou=auto.misc,dc=foo,dc=com
objectClass: automount
automountInformation: bigdisk.foo.com:/data/engineering
cn: engineering

Add the auto.misc entries to LDAP:

ldapadd -x -D 'cn=manager,dc=foo,dc=com' -W -f auto.misc.ldif

When automounted from a Linux LDAP client, your shared directory bigdisk.foo.com:/data/engineering is mounted on /share/engineering.
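Every ldapadd step in this article fails with an object class or naming violation when an LDIF entry is malformed, and the automount chain (auto.master key, `ldap:` reference, map ou, per-user entry) is easy to get subtly wrong. Here is an added example (not from the article) that checks LDIF before ldapadd sees it: entries must be separated by blank lines, the RDN attribute and value of each dn must appear among the entry's attributes, the MUST attributes of the object classes the article uses must be present, and every `ldap:<dn>` reference in an auto.master entry must name an automountMap entry that exists in the same input. The MUST table is a cut-down version of the schema covering only those classes, and base64 (`::`) values are not handled. The sample input is constructed and deliberately contains three mistakes: an auto.home entry whose cn does not match its dn, an auto.master key that refers to a map that was never defined, and an ou=group entry declaring domainRelatedObject without associatedDomain.

```python
"""Sanity-check LDIF for this article's directory layout before running ldapadd.

Added example, not part of the article; MUST table is simplified from the real schema.
"""

MUST = {
    "dcObject": ["dc"],
    "organization": ["o"],
    "organizationalUnit": ["ou"],
    "domainRelatedObject": ["associatedDomain"],
    "automountMap": ["ou"],
    "automount": ["cn", "automountInformation"],
    "posixAccount": ["cn", "uid", "uidNumber", "gidNumber", "homeDirectory"],
    "posixGroup": ["cn", "gidNumber"],
}

# Constructed input with three deliberate mistakes (see lead-in).
SAMPLE = """\
dn: ou=auto.master,dc=foo,dc=com
objectClass: top
objectClass: automountMap
ou: auto.master

dn: cn=/h, ou=auto.master,dc=foo,dc=com
objectClass: automount
automountInformation: ldap:ou=auto.home,dc=foo,dc=com
cn: /h

dn: cn=/share, ou=auto.master,dc=foo,dc=com
objectClass: automount
automountInformation: ldap:ou=auto.misc,dc=foo,dc=com
cn: /share

dn: ou=auto.home,dc=foo,dc=com
objectClass: top
objectClass: automountMap
ou: auto.home

dn: cn=gomerp,ou=auto.home,dc=foo,dc=com
objectClass: automount
automountInformation: ldapserver.foo.com:/home/gomerp
cn: super3

dn: ou=group, dc=foo, dc=com
ou: group
objectclass: organizationalUnit
objectclass: domainRelatedObject
"""


def parse_ldif(text):
    """Split LDIF into entries, each a list of (attr, value); 'dn' is kept as an attribute."""
    entries, current = [], []
    for raw in text.splitlines() + [""]:
        if raw == "":                              # blank line ends an entry
            if current:
                entries.append(current)
                current = []
        elif raw.startswith("#"):
            continue
        elif raw.startswith(" ") and current:      # folded continuation line
            attr, value = current[-1]
            current[-1] = (attr, value + raw[1:])
        else:
            attr, _, value = raw.partition(":")
            current.append((attr.strip(), value.strip()))
    return entries


def values(entry, attr):
    return [v for a, v in entry if a.lower() == attr.lower()]


def norm_dn(dn):
    """Compare DNs ignoring case and spaces after commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def check_entries(entries):
    problems = []
    maps = {norm_dn(values(e, "dn")[0]) for e in entries
            if values(e, "dn") and "automountMap" in values(e, "objectClass")}
    for i, entry in enumerate(entries, 1):
        dns = values(entry, "dn")
        if len(dns) != 1:
            problems.append(f"entry {i}: expected exactly one dn, found {len(dns)} "
                            "(missing blank line between entries?)")
            continue
        dn = dns[0]
        rdn_attr, _, rdn_value = dn.split(",", 1)[0].partition("=")
        rdn_attr, rdn_value = rdn_attr.strip(), rdn_value.strip()
        if rdn_value not in values(entry, rdn_attr):
            problems.append(f"{dn}: RDN value {rdn_value!r} is not among "
                            f"{rdn_attr} values {values(entry, rdn_attr)}")
        classes = values(entry, "objectClass")
        for oc in classes:
            for must in MUST.get(oc, []):
                if not values(entry, must):
                    problems.append(f"{dn}: objectClass {oc} requires {must}")
        if "automount" in classes:
            for info in values(entry, "automountInformation"):
                if info.startswith("ldap:") and norm_dn(info[5:]) not in maps:
                    problems.append(f"{dn}: automountInformation refers to map "
                                    f"{info[5:]!r} which is not defined")
    return problems


if __name__ == "__main__":
    for problem in check_entries(parse_ldif(SAMPLE)):
        print(problem)
```

Run it over your real top.ldif, people.ldif, group.ldif and the auto.*.ldif files concatenated (so cross-file map references resolve) and fix what it reports before binding as the manager; a missing blank line between entries is reported as one entry with several dn lines, which is also what ldapadd would choke on.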

Configure the Linux LDAP Client

You now need to install the PAM module, pam_ldap (which Red Hat packages together with nss_ldap), and the name service switch package, nss_ldap. The Red Hat tool /usr/bin/authconfig is handy for configuring the client. Select Use LDAP

The Sens Q is fine too.

Well... if it's for carrying around... the Sens Q is better than the IBM.

The difference between 1.6 kg and 1.29 kg is night and day... your shoulder feels it.

I'm running Red Hat 7.1 on a Sens Q right now and it's better than expected... light... and with a Pentium III 800 it isn't particularly sluggish either.

The USB mouse problem doesn't come up either if you set up the BIOS properly.

Strongly recommend the Sens Q. :shock:

Searching the National Library of Korea with Z39.50

After a lot of searching on the web, I found that in January 2006 someone had asked a question about using Z39.50 on the bulletin board of the National Library of Korea website.

So I phoned the number given in that post and asked, and they kindly explained(!). They asked which client program I was using and whether it was a client that follows the standard properly. The zURL is 211.185.62.28:55200/dan.

Below is a usage example.

tinuviel@tinuviel:~$ yaz-client 211.185.62.28:55200/dan
Connecting...OK.
Sent initrequest.
Connection accepted by v3 target.
ID     : YAZ (id=81)
Name   : KOLIS-NET Z39.50 Server
Version: 1.6
Options: search present delSet sort
Elapsed: 0.049162
Z> find "세상의 바보들에게 웃으면서 화내는 방법"
Sent searchRequest.
Received SearchResponse.
Search was a success.
Number of hits: 1
records returned: 0
Elapsed: 0.648072
Z> show
Sent presentRequest (1+1).
Records: 1
[dan-gm,dan-etc,dan-rb,dan-tmp,dan-ca,dan-dmdp,dan-ha,dan-hr]Record type: USmarc
00535nam  2200193 k 4500
001 UB20030074292
005 20030618154347
008 030503s2002    ulk           000a  kor 
020    $a 8932902569
035    $a (142029)
040    $a 142029 $c 142029 $d 011001
056    $a 864
100 1  $a 에코,움베르토
245 10 $a 세상의 바보들에게 웃으면서 화내는 방법/ $d 움베르토 에코; $e 이세욱 옮김
260    $a 서울: $b 열린책들, $c 2002
300    $a 443p.; $c 23cm
653    $a 세상의 $a 바보들에게 $a 웃으면서 $a 화내는 $a 방법
700 1  $a 이세욱 옮김
950 0  $b \9500
nextResultSetPosition = 2
Elapsed: 1.094978
Z> exit
See you later, alligator.
tinuviel@tinuviel:~$ exit