OpenLDAP も本格的に Online Configuration (olc) 時代になったようなので、 0から構築し直してみます。
SHA256を使うのでportsからインストールします。
# portinstall openldap-server
slapd_enable="YES" slapd_flags='-h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap:/// ldaps:///"' slapd_sockets="/var/run/openldap/ldapi" slapd_cn_config="YES"
cn=configを生成するために最小限の設定ファイルを作成します。
password-hash {SSHA}
allow bind_v2
sizelimit 100000
loglevel sync stats stats2
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/ppolicy.schema
include /usr/local/etc/openldap/schema/duaconf.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
modulepath /usr/local/libexec/openldap
moduleload back_mdb
moduleload back_ldap
moduleload back_meta
moduleload back_monitor
TLSCertificateFile /usr/local/etc/openldap/certs/host.cert
TLSCertificateKeyFile /usr/local/etc/openldap/certs/host.key
TLSCACertificateFile /usr/local/etc/openldap/certs/chain.pem
TLSCACertificatePath /usr/local/etc/openldap/certs
TLSCipherSuite HIGH:MEDIUM:-SSLv3:-SSLv2
access to dn.base="" by * read
access to dn.base="cn=subschema" by * read
database config
rootdn "cn=admin,cn=config"
rootpw password
database monitor
cn=configに変換します。この slapd.conf には rootpw が平文で書かれているので、変換前に chmod 600 で保護し、変換後は cn=config 側で rootpw を SSHA256 ハッシュに置き換えます（後述）。
# cd /usr/local/etc/openldap
# chmod 600 slapd.conf
# mkdir slapd.d
# chmod 750 slapd.d
# slaptest -f slapd.conf -F slapd.d
# chown -R ldap:ldap slapd.d
# mkdir schema.option
slapd を起動します。
# service slapd start
slapd にアクセスできるか確認します。なお、以下の例では簡単のため -w でパスワードをコマンドラインに渡していますが、シェル履歴やプロセス一覧に残るため、実運用では -W で対話入力するか -y でパスワードファイルを指定してください。
# ldapsearch -LLL -h localhost -D "cn=admin,cn=config" -w password -b cn=config | grep cn=
dn: cn=config
dn: cn=module{0},cn=config
dn: cn=schema,cn=config
dn: cn={0}core,cn=schema,cn=config
dn: cn={1}cosine,cn=schema,cn=config
dn: cn={2}nis,cn=schema,cn=config
dn: cn={3}inetorgperson,cn=schema,cn=config
dn: cn={4}ppolicy,cn=schema,cn=config
dn: cn={5}duaconf,cn=schema,cn=config
dn: olcDatabase={-1}frontend,cn=config
olcAccess: {1}to dn.base="cn=subschema" by * read
olcSchemaDN: cn=Subschema
dn: olcDatabase={0}config,cn=config
olcRootDN: cn=admin,cn=config
dn: olcDatabase={1}monitor,cn=config
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: pw-sha2
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcPasswordHash
olcPasswordHash: {SSHA256}
% ldapmodify -h localhost -D "cn=admin,cn=config" -w password -f pw-sha2.ldif
% ldapsearch -LLL -h localhost -D "cn=admin,cn=config" -w password -b cn=config 'cn=module{0}'
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/local/libexec/openldap
olcModuleLoad: {0}back_mdb
olcModuleLoad: {1}back_ldap
olcModuleLoad: {2}back_meta
olcModuleLoad: {3}back_monitor
olcModuleLoad: {4}pw-sha2
# ldapsearch -LLL -h localhost -D "cn=admin,cn=config" -w password -b cn=config 'olcDatabase={-1}frontend' olcPasswordHash
dn: olcDatabase={-1}frontend,cn=config
olcPasswordHash: {SSHA256}
slapd を再起動します。
# service slapd restart
SSHA256 パスワード生成
% slappasswd -h '{SSHA256}' -o module-path=/usr/local/libexec/openldap -o module-load=pw-sha2 -s password
{SSHA256}KIRFufHY14o2x0h2qcnkJrgKPWtgW3g3HnHJqO3f5JpVl7Ag1kqQXw==
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA256}KIRFufHY14o2x0h2qcnkJrgKPWtgW3g3HnHJqO3f5JpVl7Ag1kqQXw==
% ldapmodify -h localhost -D "cn=admin,cn=config" -w password -f root-password.ldif
% ldapsearch -LLL -h localhost -D "cn=admin,cn=config" -w password -b cn=config 'olcDatabase={0}config' olcRootPW
olcRootPW: {SSHA256}KIRFufHY14o2x0h2qcnkJrgKPWtgW3g3HnHJqO3f5JpVl7Ag1kqQXw==
Solaris との互換性のために追加します。
attributetype ( 1.3.6.1.1.1.1.28 NAME 'nisPublicKey' DESC 'NIS public key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
attributetype ( 1.3.6.1.1.1.1.29 NAME 'nisSecretKey' DESC 'NIS secret key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
attributetype ( 1.3.6.1.1.1.1.30 NAME 'nisDomain' DESC 'NIS domain' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.1.1.1.31 NAME 'automountMapName' DESC 'automount Map Name' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetype ( 1.3.6.1.1.1.1.32 NAME 'automountKey' DESC 'Automount Key value' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetype ( 1.3.6.1.1.1.1.33 NAME 'automountInformation' DESC 'Automount information' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

# Object Class Definitions

objectclass ( 1.3.6.1.1.1.2.14 NAME 'nisKeyObject' DESC 'An object with a public and secret key' SUP top AUXILIARY MUST ( cn $ nisPublicKey $ nisSecretKey ) MAY ( uidNumber $ description ) )
objectclass ( 1.3.6.1.1.1.2.15 NAME 'nisDomainObject' DESC 'Associates a NIS domain with a naming context' SUP top AUXILIARY MUST nisDomain )
objectclass ( 1.3.6.1.1.1.2.16 NAME 'automountMap' SUP top STRUCTURAL MUST ( automountMapName ) MAY description )
objectclass ( 1.3.6.1.1.1.2.17 NAME 'automount' DESC 'Automount information' SUP top STRUCTURAL MUST ( automountKey $ automountInformation ) MAY description )
dn: cn=rfc2307sun,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: rfc2307sun
olcAttributeTypes: {0}( 1.3.6.1.1.1.1.28 NAME 'nisPublicKey' DESC 'NIS public key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
olcAttributeTypes: {1}( 1.3.6.1.1.1.1.29 NAME 'nisSecretKey' DESC 'NIS secret key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
olcAttributeTypes: {2}( 1.3.6.1.1.1.1.30 NAME 'nisDomain' DESC 'NIS domain' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {3}( 1.3.6.1.1.1.1.31 NAME 'automountMapName' DESC 'automount Map Name' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {4}( 1.3.6.1.1.1.1.32 NAME 'automountKey' DESC 'Automount Key value' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {5}( 1.3.6.1.1.1.1.33 NAME 'automountInformation' DESC 'Automount information' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcObjectClasses: {0}( 1.3.6.1.1.1.2.14 NAME 'nisKeyObject' DESC 'An object with a public and secret key' SUP top AUXILIARY MUST ( cn $ nisPublicKey $ nisSecretKey ) MAY ( uidNumber $ description ) )
olcObjectClasses: {1}( 1.3.6.1.1.1.2.15 NAME 'nisDomainObject' DESC 'Associates a NIS domain with a naming context' SUP top AUXILIARY MUST nisDomain )
olcObjectClasses: {2}( 1.3.6.1.1.1.2.16 NAME 'automountMap' SUP top STRUCTURAL MUST automountMapName MAY description )
olcObjectClasses: {3}( 1.3.6.1.1.1.2.17 NAME 'automount' DESC 'Automount information' SUP top STRUCTURAL MUST ( automountKey $ automountInformation ) MAY description )
% ldapadd -h localhost -D "cn=admin,cn=config" -w password -f schema.option/rfc2307sun.ldif
% ldapsearch -LLL -h localhost -D "cn=admin,cn=config" -w password -b cn=schema,cn=config 'cn={6}rfc2307sun'
include /usr/share/sendmail/cf/sendmail.schema
登録
# slaptest -f slapd-schema.conf -F slapd.d/
# cd /usr/ports/security/sudo
# make extract
# cp -p work/sudo-1.8.18/doc/schema.OpenLDAP /usr/local/etc/openldap/schema.option/sudo.schema
# make clean
include /usr/local/etc/openldap/schema.option/sudo.schema
登録
# slaptest -f slapd-schema.conf -F slapd.d/
# cd /usr/ports/net/samba44
# make extract
# cp -p work/samba-4.4.5/examples/LDAP/samba.{ldif,schema} /usr/local/etc/openldap/schema.option
# make clean
% ldapadd -h localhost -D "cn=admin,cn=config" -w password -f /usr/local/etc/openldap/schema.option/samba.ldif
# cd /usr/ports/net/freeradius3
# make extract
# cp -p work/freeradius-server-3.0.11/doc/schemas/ldap/openldap/* /usr/local/etc/openldap/schema.option
# make clean
% ldapadd -h localhost -D "cn=admin,cn=config" -w password -f /usr/local/etc/openldap/schema.option/freeradius.ldif
% ldapadd -h localhost -D "cn=admin,cn=config" -w password -f /usr/local/etc/openldap/schema.option/freeradius-clients.ldif
# cd /usr/ports/net/isc-dhcp43-server
# make extract
# cp -p work/dhcp-4.3.4/contrib/ldap/dhcp.schema /usr/local/etc/openldap/schema.option
# make clean
include /usr/local/etc/openldap/schema.option/dhcp.schema
登録
# slaptest -f slapd-schema.conf -F slapd.d/
# cd /usr/ports/net/asterisk13
# make extract
# cp -p work/asterisk-13.11.2/contrib/scripts/asterisk.ldap-schema /usr/local/etc/openldap/schema.option/asterisk.schema
# cp -p work/asterisk-13.11.2/contrib/scripts/asterisk.ldif /usr/local/etc/openldap/schema.option/
# make clean
% ldapadd -h localhost -D "cn=admin,cn=config" -w password -f /usr/local/etc/openldap/schema.option/asterisk.ldif
# These object classes and attributes are rooted at OID
# 1.2.840.113556.1, Microsoft's Directory Enabled networks
# OID. Many of them rely on the modified "standard" objects
# and attributes defined in "microsoft.std.schema".
#
# http://www.kouti.com/tables/userattributes.htm
#
# 1.2.840.113556.1: Active Directory
# 1.2.840.113556.1.4: Attribute
# 1.2.840.113556.1.5: Classes
# 1.2.840.113556.1.6: OCS
attributeType ( 1.2.840.113556.1.4.221 NAME 'sAMAccountName'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256}
SINGLE-VALUE )
attributeType ( 1.2.840.113556.1.4.750 NAME 'groupType'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' SINGLE-VALUE )
attributeType ( 1.2.840.113556.1.4.656 NAME 'userPrincipalName'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
attributeType ( 1.2.840.113556.1.4.52 NAME 'lastLogon'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' )
#SYNTAX '1.2.840.113556.1.4.906' )
# Encoded as 1.3.6.1.4.1.1466.115.121.1.27 but guaranteed to support 64-bit numbers.
attributeType ( 1.2.840.113556.1.4.159 NAME 'accountExpires'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' )
#SYNTAX '1.2.840.113556.1.4.906' )
# Encoded as 1.3.6.1.4.1.1466.115.121.1.27 but guaranteed to support 64-bit numbers.
attributeType ( 1.2.840.113556.1.4.96 NAME 'pwdLastSet'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' )
#SYNTAX '1.2.840.113556.1.4.906' )
# Encoded as 1.3.6.1.4.1.1466.115.121.1.27 but guaranteed to support 64-bit numbers.
attributeType ( 1.2.840.113556.1.4.8 NAME 'userAccountControl'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' )
attributeType ( 1.2.840.113556.1.4.90 NAME 'unicodePwd'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.40' )
attributeType ( 1.2.840.113556.1.4.647 NAME 'otherMobile'
EQUALITY telephoneNumberMatch
SUBSTR telephoneNumberSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.50{64} )
attributeType ( 1.2.840.113556.1.2.18 NAME 'otherTelephone'
EQUALITY telephoneNumberMatch
SUBSTR telephoneNumberSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.50{64} )
attributeType ( 1.2.840.113556.1.2.146 NAME 'company'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64} )
#attributeType ( 2.16.840.1.113730.3.1.34 NAME 'middleName'
# EQUALITY caseIgnoreMatch
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64}
# SINGLE-VALUE )
attributeType ( 2.16.840.1.113730.3.1.35 NAME 'thumbnailPhoto'
EQUALITY octetStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{102400}
SINGLE-VALUE )
attributeType ( 2.16.840.1.113730.3.1.36 NAME 'thumbnailLogo'
EQUALITY octetStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{32767}
SINGLE-VALUE )
#attributeType ( 1.2.840.113556.1.2.13 NAME 'displayName'
# EQUALITY caseIgnoreMatch
# SUBSTR caseIgnoreSubstringsMatch
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
objectClass ( 1.2.840.113556.1.5.9 NAME 'user'
DESC 'a user'
SUP inetOrgPerson STRUCTURAL
MUST ( cn $ sAMAccountName )
MAY ( userPrincipalName $ distinguishedName $
lastLogon $ accountExpires $ pwdLastSet $
userAccountControl $ unicodePwd $
thumbnailPhoto $ otherTelephone $ otherMobile $
userSMIMECertificate $ company $
co $ mail $ givenName $ displayName $
employeeNumber ) )
include /usr/local/etc/openldap/schema.option/activedirectory.schema
登録
# slaptest -f slapd-schema.conf -F slapd.d/
https://github.com/hiroyuki-sato/openldap-schemas-for-openam/blob/master/cn={99}openam.ldif をschema.option/openam.ldifとしてダウンロードし、いくつか修正します。
--- schema.option/openam.ldif.orig 2016-10-12 05:18:40.553102000 +0900
+++ schema.option/openam.ldif 2016-10-12 05:13:28.498297000 +0900
@@ -1,6 +1,6 @@
-dn: cn={99}openam
+dn: cn=openam,cn=schema,cn=config
objectClass: olcSchemaConfig
-cn: {99}openam
+cn: openam
olcAttributeTypes: {1}( 2.16.840.1.113730.3.1.1072 NAME 'iplanet-am-user-admin-start-dn' DESC 'Starting DN for Admin User' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'OpenSSO' )
olcAttributeTypes: {2}( 1.3.6.1.4.1.42.2.27.9.1.63 NAME 'iplanet-am-auth-login-success-url' DESC 'Redirection URL After Successful Login' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'OpenSSO' )
olcAttributeTypes: {3}( 1.3.6.1.4.1.1466.101.120.43 NAME 'preferredTimeZone' DESC 'preferred time zone for a person' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'iPlanet' )
@@ -36,7 +36,7 @@
olcAttributeTypes: {33}( 1.3.6.1.4.1.42.2.27.9.1.74 NAME 'iplanet-am-user-federation-info' DESC 'User Federation Information' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'OpenSSO' )
olcAttributeTypes: {34}( 1.3.6.1.4.1.42.2.27.9.1.989 NAME 'sun-fm-saml2-nameid-infokey' DESC 'SAML 2.0 Name Identifier Information Key' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'OpenSSO' )
olcAttributeTypes: {35}( 1.3.6.1.4.1.42.2.27.9.1.825 NAME 'sunIdentityServerPPCommonNameCN' DESC 'Liberty PP CommonName CN' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'OpenSSO' )
-olcAttributeTypes: {36}( 1.2.840.113556.1.2.102 NAME 'memberof' DESC 'Group that the entry belongs to' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'iPlanet Delegated Administrator' )
+#olcAttributeTypes: {36}( 1.2.840.113556.1.2.102 NAME 'memberof' DESC 'Group that the entry belongs to' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'iPlanet Delegated Administrator' )
olcAttributeTypes: {37}( 1.3.6.1.4.1.42.2.27.9.1.838 NAME 'sunIdentityServerPPLegalIdentityVATIdType' DESC 'Liberty PP IDType' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'OpenSSO' )
olcAttributeTypes: {38}( 1.3.6.1.4.1.42.2.27.9.1.830 NAME 'sunIdentityServerPPCommonNamePT' DESC 'Liberty PP CommonName PersonalTitle' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'OpenSSO' )
olcAttributeTypes: {39}( 1.3.6.1.4.1.42.2.27.9.1.841 NAME 'sunIdentityServerPPEmploymentIdentityOrg' DESC 'Liberty PP Org' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'OpenSSO' )
@@ -88,4 +88,4 @@
olcObjectClasses: {10}( 1.3.6.1.4.1.1466.101.120.142 NAME 'iPlanetPreferences' AUXILIARY MAY ( preferredLanguage $ preferredLocale $ preferredTimeZone ) X-ORIGIN 'iPlanet' )
olcObjectClasses: {11}( 1.3.6.1.4.1.42.2.27.9.2.104 NAME 'sunRealmService' DESC 'object containing service information for realms' SUP top MAY ( o $ labeledURI $ sunKeyValue $ sunxmlKeyValue $ description ) X-ORIGIN 'Sun Java System Identity Management' )
olcObjectClasses: {12}( 1.3.6.1.4.1.42.2.27.9.2.23 NAME 'iplanet-am-auth-configuration-service' DESC 'Authentication Configuration Service OC' SUP top AUXILIARY MAY ( iplanet-am-auth-configuration $ iplanet-am-auth-login-success-url $ iplanet-am-auth-login-failure-url $ iplanet-am-auth-post-login-process-class ) X-ORIGIN 'OpenSSO' )
-olcObjectClasses: {13}( 2.16.840.1.113730.3.2.130 NAME 'inetuser' DESC 'Auxiliary class which has to be present in an entry for delivery of subscriber services' SUP top AUXILIARY MAY ( uid $ inetUserStatus $ inetUserHTTPURL $ userPassword $ memberOf ) X-ORIGIN 'Nortel subscriber interoperability' )
+olcObjectClasses: {13}( 2.16.840.1.113730.3.2.130 NAME 'inetuser' DESC 'Auxiliary class which has to be present in an entry for delivery of subscriber services' SUP top AUXILIARY MAY ( uid $ inetUserStatus $ inetUserHTTPURL $ userPassword ) X-ORIGIN 'Nortel subscriber interoperability' )
% ldapadd -h localhost -D "cn=admin,cn=config" -w password -f schema.option/openam.ldif
# mkdir /var/db/openldap-data/next-hop.net
# chmod 750 /var/db/openldap-data/next-hop.net
# chown ldap:ldap /var/db/openldap-data/next-hop.net
dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcDbDirectory: /var/db/openldap-data/next-hop.net
olcSuffix: dc=next-hop,dc=net
olcAccess: to dn.base="dc=next-hop,dc=net" by * read
olcAccess: to dn.subtree="dc=next-hop,dc=net" attrs=userPassword by self write by dn="cn=manager,dc=next-hop,dc=net" write by anonymous auth by * none
olcAccess: to dn.subtree="dc=next-hop,dc=net" attrs=sambaLMPassword by self write by dn="cn=manager,dc=next-hop,dc=net" write by * none
olcAccess: to dn.subtree="dc=next-hop,dc=net" attrs=sambaNTPassword by self write by dn="cn=manager,dc=next-hop,dc=net" write by * none
olcAccess: to dn.subtree="dc=next-hop,dc=net" attrs=unicodePwd by self write by dn="cn=manager,dc=next-hop,dc=net" write by * none
olcAccess: to dn.subtree="dc=next-hop,dc=net" by self read by dn="cn=manager,dc=next-hop,dc=net" write by * none
olcRootDN: cn=manager,dc=next-hop,dc=net
olcRootPW: {SSHA256}KIRFufHY14o2x0h2qcnkJrgKPWtgW3g3HnHJqO3f5JpVl7Ag1kqQXw==
olcDbIndex: entryCSN eq
olcDbIndex: entryUUID eq
olcDbIndex: objectClass eq
olcDbIndex: dc pres,eq,sub
olcDbIndex: o,ou pres,eq,sub
olcDbIndex: uid pres,eq,sub
olcDbIndex: cn pres,eq,sub
olcDbIndex: sn,givenName pres,eq,sub
olcDbIndex: gecos,mail pres,eq,sub
olcDbIndex: homeDirectory pres,eq
olcDbIndex: loginShell pres,eq
olcDbIndex: description pres,eq,sub
olcDbIndex: uidNumber,gidNumber pres,eq
olcDbIndex: memberUid pres,eq,sub
olcDbIndex: uniqueMember pres,eq
olcDbIndex: telephoneNumber pres,eq,sub
olcDbIndex: title pres,eq,sub
olcDbIndex: c,l,st pres,eq,sub
olcDbIndex: postalCode pres,eq,sub
olcDbIndex: streetAddress pres,eq,sub
olcDbIndex: physicalDeliveryOfficeName pres,eq,sub
データベースは olcDatabase={2}mdb,cn=config として作成されます。
% ldapadd -h localhost -D "cn=admin,cn=config" -w password -f next-hop.net-db.ldif
% ldapsearch -LLL -h localhost -D "cn=admin,cn=config" -w password -b cn=config 'olcDatabase={2}mdb'
dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA256}KIRFufHY14o2x0h2qcnkJrgKPWtgW3g3HnHJqO3f5JpVl7Ag1kqQXw==
% ldapmodify -h localhost -D "cn=admin,cn=config" -w password -f root-password-mdb.ldif
% ldapsearch -LLL -h localhost -D "cn=admin,cn=config" -w password -b cn=config 'olcDatabase={2}mdb' olcRootPW
dn: dc=next-hop,dc=net
objectClass: dcObject
objectClass: organization
objectClass: nisDomainObject
dc: next-hop
nisDomain: next-hop.net
o: Next Hop

dn: cn=Manager,dc=next-hop,dc=net
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=User,dc=next-hop,dc=net
objectClass: organizationalUnit
ou: User

dn: ou=Group,dc=next-hop,dc=net
objectClass: organizationalUnit
ou: Group
% ldapadd -h localhost -D "cn=manager,dc=next-hop,dc=net" -w password -f next-hop.net.ldif
% ldapsearch -LLL -h localhost -D "cn=manager,dc=next-hop,dc=net" -w password -b dc=next-hop,dc=net
dn: olcOverlay=memberof,olcDatabase={2}mdb,cn=config
objectClass: olcConfig
objectClass: olcMemberOf
objectClass: olcOverlayConfig
olcOverlay: memberof
% ldapadd -h localhost -D "cn=admin,cn=config" -w password -f memberof.ldif
% ldapsearch -LLL -h localhost -D "cn=admin,cn=config" -w password -b cn=config 'olcOverlay=memberof'
dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: sambaLMPassword pres,eq
olcDbIndex: sambaNTPassword pres,eq
olcDbIndex: sambaAcctFlags pres,eq
olcDbIndex: sambaPwdLastSet pres,eq
olcDbIndex: sambaPwdCanChange pres,eq
olcDbIndex: sambaPwdMustChange pres,eq
olcDbIndex: sambaLogonTime pres,eq
olcDbIndex: sambaLogoffTime pres,eq
olcDbIndex: sambaKickoffTime pres,eq
olcDbIndex: sambaBadPasswordCount pres,eq
olcDbIndex: sambaBadPasswordTime pres,eq
olcDbIndex: sambaLogonHours pres,eq
olcDbIndex: sambaHomeDrive pres,eq
olcDbIndex: sambaLogonScript pres,eq
olcDbIndex: sambaProfilePath pres,eq
olcDbIndex: sambaUserWorkstations pres,eq
olcDbIndex: sambaHomePath pres,eq
olcDbIndex: sambaDomainName pres,eq
olcDbIndex: sambaMungedDial pres,eq
olcDbIndex: sambaPasswordHistory pres,eq
olcDbIndex: sambaSID pres,eq
olcDbIndex: sambaPrimaryGroupSID pres,eq
olcDbIndex: sambaSIDList pres,eq
olcDbIndex: sambaGroupType pres,eq
olcDbIndex: sambaNextUserRid pres,eq
olcDbIndex: sambaNextGroupRid pres,eq
olcDbIndex: sambaNextRid pres,eq
olcDbIndex: sambaAlgorithmicRidBase pres,eq
olcDbIndex: sambaShareName pres,eq
olcDbIndex: sambaOptionName pres,eq
olcDbIndex: sambaBoolOption pres,eq
olcDbIndex: sambaIntegerOption pres,eq
olcDbIndex: sambaStringOption pres,eq
olcDbIndex: sambaStringListOption pres,eq
olcDbIndex: sambaTrustFlags pres,eq
olcDbIndex: sambaMinPwdLength pres,eq
olcDbIndex: sambaPwdHistoryLength pres,eq
olcDbIndex: sambaLogonToChgPwd pres,eq
olcDbIndex: sambaMaxPwdAge pres,eq
olcDbIndex: sambaMinPwdAge pres,eq
olcDbIndex: sambaLockoutDuration pres,eq
olcDbIndex: sambaLockoutObservationWindow pres,eq
olcDbIndex: sambaLockoutThreshold pres,eq
olcDbIndex: sambaForceLogoff pres,eq
olcDbIndex: sambaRefuseMachinePwdChange pres,eq
% ldapmodify -h localhost -D "cn=admin,cn=config" -w password -f index-samba.ldif
dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: inetUserHttpURL pres
olcDbIndex: inetUserStatus pres,eq
olcDbIndex: iplanet-am-auth-configuration pres
olcDbIndex: iplanet-am-auth-login-failure-url pres
olcDbIndex: iplanet-am-auth-login-success-url pres
olcDbIndex: iplanet-am-auth-post-login-process-class pres
olcDbIndex: iplanet-am-session-add-session-listener-on-all-sessions pres
olcDbIndex: iplanet-am-session-destroy-sessions pres
olcDbIndex: iplanet-am-session-get-valid-sessions pres
olcDbIndex: iplanet-am-session-max-caching-time pres
olcDbIndex: iplanet-am-session-max-idle-time pres
olcDbIndex: iplanet-am-session-max-session-time pres
olcDbIndex: iplanet-am-session-quota-limit pres
olcDbIndex: iplanet-am-session-service-status pres
olcDbIndex: iplanet-am-user-account-life pres
olcDbIndex: iplanet-am-user-admin-start-dn pres
olcDbIndex: iplanet-am-user-alias-list pres
olcDbIndex: iplanet-am-user-auth-config pres
olcDbIndex: iplanet-am-user-auth-modules pres
olcDbIndex: iplanet-am-user-failure-url pres
olcDbIndex: iplanet-am-user-federation-info pres
olcDbIndex: iplanet-am-user-federation-info-key pres
olcDbIndex: iplanet-am-user-login-status pres
olcDbIndex: iplanet-am-user-password-reset-force-reset pres
olcDbIndex: iplanet-am-user-password-reset-options pres
olcDbIndex: iplanet-am-user-password-reset-question-answer pres
olcDbIndex: iplanet-am-user-service-status pres
olcDbIndex: iplanet-am-user-success-url pres
olcDbIndex: preferredLocale pres,eq,sub
olcDbIndex: preferredTimeZone pres,eq,sub
olcDbIndex: sun-fm-saml2-nameid-info pres
olcDbIndex: sun-fm-saml2-nameid-infokey pres
olcDbIndex: sunAMAuthInvalidAttemptsData pres
olcDbIndex: sunIdentityMSISDNNumber pres
olcDbIndex: sunIdentityServerDiscoEntries pres
olcDbIndex: sunIdentityServerPPAddressCard pres
olcDbIndex: sunIdentityServerPPCommonNameAltCN pres
olcDbIndex: sunIdentityServerPPCommonNameCN pres
olcDbIndex: sunIdentityServerPPCommonNameFN pres
olcDbIndex: sunIdentityServerPPCommonNameMN pres
olcDbIndex: sunIdentityServerPPCommonNamePT pres
olcDbIndex: sunIdentityServerPPCommonNameSN pres
olcDbIndex: sunIdentityServerPPDemographicsAge pres
olcDbIndex: sunIdentityServerPPDemographicsBirthDay pres
olcDbIndex: sunIdentityServerPPDemographicsDisplayLanguage pres
olcDbIndex: sunIdentityServerPPDemographicsLanguage pres
olcDbIndex: sunIdentityServerPPDemographicsTimeZone pres
olcDbIndex: sunIdentityServerPPEmergencyContact pres
olcDbIndex: sunIdentityServerPPEmploymentIdentityAltO pres
olcDbIndex: sunIdentityServerPPEmploymentIdentityJobTitle pres
olcDbIndex: sunIdentityServerPPEmploymentIdentityOrg pres
olcDbIndex: sunIdentityServerPPEncryptKey pres
olcDbIndex: sunIdentityServerPPFacadeGreetSound pres
olcDbIndex: sunIdentityServerPPFacadeMugShot pres
olcDbIndex: sunIdentityServerPPFacadeNamePronounced pres
olcDbIndex: sunIdentityServerPPFacadeWebSite pres
olcDbIndex: sunIdentityServerPPFacadegreetmesound pres
olcDbIndex: sunIdentityServerPPInformalName pres
olcDbIndex: sunIdentityServerPPLegalIdentityAltIdType pres
olcDbIndex: sunIdentityServerPPLegalIdentityAltIdValue pres
olcDbIndex: sunIdentityServerPPLegalIdentityDOB pres
olcDbIndex: sunIdentityServerPPLegalIdentityGender pres
olcDbIndex: sunIdentityServerPPLegalIdentityLegalName pres
olcDbIndex: sunIdentityServerPPLegalIdentityMaritalStatus pres
olcDbIndex: sunIdentityServerPPLegalIdentityVATIdType pres
olcDbIndex: sunIdentityServerPPLegalIdentityVATIdValue pres
olcDbIndex: sunIdentityServerPPMsgContact pres
olcDbIndex: sunIdentityServerPPSignKey pres
olcDbIndex: sunKeyValue pres
olcDbIndex: sunPluginSchema pres
olcDbIndex: sunServiceSchema pres
olcDbIndex: sunserviceID pres
olcDbIndex: sunsmspriority pres
olcDbIndex: sunxmlKeyValue pres
% ldapmodify -h localhost -D "cn=admin,cn=config" -w password -f index-openam.ldif
# for replication of configuration
# NOTE: the provider URLs below are plain ldap:// and credentials= is kept in
# cleartext inside cn=config, so the cn=config rootdn password crosses the
# network unencrypted. On anything but an isolated network use ldaps://
# (the listener is already enabled in slapd_flags) or add starttls=critical
# to each olcSyncrepl value, and restrict read access to cn=config.
dn: cn=config
changetype: modify
add: olcServerID
olcServerID: 1 ldap://ldap1.next-hop.net
olcServerID: 2 ldap://ldap2.next-hop.net
olcServerID: 3 ldap://ldap3.next-hop.net
dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: rid=001 provider=ldap://ldap1.next-hop.net binddn="cn=admin,cn=config" bindmethod=simple
credentials=password searchbase="cn=config" type=refreshAndPersist
retry="5 5 300 5" timeout=1
olcSyncrepl: rid=002 provider=ldap://ldap2.next-hop.net binddn="cn=admin,cn=config" bindmethod=simple
credentials=password searchbase="cn=config" type=refreshAndPersist
retry="5 5 300 5" timeout=1
olcSyncrepl: rid=003 provider=ldap://ldap3.next-hop.net binddn="cn=admin,cn=config" bindmethod=simple
credentials=password searchbase="cn=config" type=refreshAndPersist
retry="5 5 300 5" timeout=1
-
add: olcMirrorMode
olcMirrorMode: TRUE
% ldapmodify -h localhost -D "cn=admin,cn=config" -w password -f syncprov-config.ldif
# for replication of database
# NOTE: these olcSyncrepl values bind as cn=manager over plain ldap:// with a
# cleartext credentials= value; prefer ldaps:// providers or starttls=critical
# so the manager password is not sent unencrypted between replicas.
dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcLimits
olcLimits: dn.exact="cn=manager,dc=next-hop,dc=net" time.soft=unlimited time.hard=unlimited
size.soft=unlimited size.hard=unlimited
-
add: olcSyncrepl
olcSyncrepl: rid=011 provider=ldap://ldap1.next-hop.net
binddn="cn=manager,dc=next-hop,dc=net"
bindmethod=simple
credentials=password searchbase="dc=next-hop,dc=net" type=refreshOnly
interval=00:00:00:10 retry="5 5 300 5" timeout=1
olcSyncrepl: rid=012 provider=ldap://ldap2.next-hop.net
binddn="cn=manager,dc=next-hop,dc=net"
bindmethod=simple
credentials=password searchbase="dc=next-hop,dc=net" type=refreshOnly
interval=00:00:00:10 retry="5 5 300 5" timeout=1
olcSyncrepl: rid=013 provider=ldap://ldap3.next-hop.net
binddn="cn=manager,dc=next-hop,dc=net"
bindmethod=simple
credentials=password searchbase="dc=next-hop,dc=net" type=refreshOnly
interval=00:00:00:10 retry="5 5 300 5" timeout=1
-
add: olcMirrorMode
olcMirrorMode: TRUE
dn: olcOverlay=syncprov,olcDatabase={2}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
% ldapmodify -h localhost -D "cn=admin,cn=config" -w password -f syncprov-db.ldif