OpenLDAP seems to have fully moved into the Online Configuration (olc) era, so I am rebuilding it from scratch.
Install from ports, since I want to use SHA256.
# portinstall openldap-server
slapd_enable="YES"
slapd_flags='-h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap:/// ldaps:///"'
slapd_sockets="/var/run/openldap/ldapi"
slapd_cn_config="YES"
Create a minimal configuration file from which to generate cn=config.
password-hash {SSHA}
allow bind_v2
sizelimit 100000
loglevel sync stats stats2

include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/ppolicy.schema
include /usr/local/etc/openldap/schema/duaconf.schema

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

modulepath /usr/local/libexec/openldap
moduleload back_mdb
moduleload back_ldap
moduleload back_meta
moduleload back_monitor

TLSCertificateFile /usr/local/etc/openldap/certs/host.cert
TLSCertificateKeyFile /usr/local/etc/openldap/certs/host.key
TLSCACertificateFile /usr/local/etc/openldap/certs/chain.pem
TLSCACertificatePath /usr/local/etc/openldap/certs
TLSCipherSuite HIGH:MEDIUM:-SSLv3:-SSLv2

access to dn.base="" by * read
access to dn.base="cn=subschema" by * read

database config
rootdn "cn=admin,cn=config"
rootpw password

database monitor
Convert it to cn=config.
# cd /usr/local/etc/openldap
# chmod 600 slapd.conf
# mkdir slapd.d
# chmod 750 slapd.d
# slaptest -f slapd.conf -F slapd.d
# chown -R ldap:ldap slapd.d
# mkdir schema.option
Start slapd.
# service slapd start
Check that slapd can be reached.
# ldapsearch -LLL -h localhost -D "cn=admin,cn=config" -w password -b cn=config | grep cn=
dn: cn=config
dn: cn=module{0},cn=config
dn: cn=schema,cn=config
dn: cn={0}core,cn=schema,cn=config
dn: cn={1}cosine,cn=schema,cn=config
dn: cn={2}nis,cn=schema,cn=config
dn: cn={3}inetorgperson,cn=schema,cn=config
dn: cn={4}ppolicy,cn=schema,cn=config
dn: cn={5}duaconf,cn=schema,cn=config
dn: olcDatabase={-1}frontend,cn=config
olcAccess: {1}to dn.base="cn=subschema" by * read
olcSchemaDN: cn=Subschema
dn: olcDatabase={0}config,cn=config
olcRootDN: cn=admin,cn=config
dn: olcDatabase={1}monitor,cn=config
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: pw-sha2

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcPasswordHash
olcPasswordHash: {SSHA256}
% ldapmodify -h localhost -D "cn=admin,cn=config" -w password -f pw-sha2.ldif
% ldapsearch -LLL -h localhost -D "cn=admin,cn=config" -w password -b cn=config 'cn=module{0}'
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/local/libexec/openldap
olcModuleLoad: {0}back_mdb
olcModuleLoad: {1}back_ldap
olcModuleLoad: {2}back_meta
olcModuleLoad: {3}back_monitor
olcModuleLoad: {4}pw-sha2
# ldapsearch -LLL -h localhost -D "cn=admin,cn=config" -w password -b cn=config 'olcDatabase={-1}frontend' olcPasswordHash
dn: olcDatabase={-1}frontend,cn=config
olcPasswordHash: {SSHA256}
Restart slapd.
# service slapd restart
Generating an SSHA256 password
% slappasswd -h '{SSHA256}' -o module-path=/usr/local/libexec/openldap -o module-load=pw-sha2 -s password
{SSHA256}KIRFufHY14o2x0h2qcnkJrgKPWtgW3g3HnHJqO3f5JpVl7Ag1kqQXw==
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA256}KIRFufHY14o2x0h2qcnkJrgKPWtgW3g3HnHJqO3f5JpVl7Ag1kqQXw==
% ldapmodify -h localhost -D "cn=admin,cn=config" -w password -f root-password.ldif
% ldapsearch -LLL -h localhost -D "cn=admin,cn=config" -w password -b cn=config 'olcDatabase={0}config' olcRootPW
olcRootPW: {SSHA256}KIRFufHY14o2x0h2qcnkJrgKPWtgW3g3HnHJqO3f5JpVl7Ag1kqQXw==
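The {SSHA256} value above is base64(sha256(password || salt) || salt), so it can be checked without the pw-sha2 module. As an added example (not from the original page), the Python below generates and verifies such values and audits an LDIF dump for the hash scheme each password attribute uses; the sample dump is constructed, and the 8-byte salt length is simply what the hash shown above decodes to.

```python
"""Generate and verify OpenLDAP {SSHA256} values (pw-sha2 module format) and audit
the hash schemes found in an LDIF dump. Stored form, as slappasswd writes it:
    {SSHA256} + base64( sha256(password || salt) || salt )
"""
from __future__ import annotations
import base64
import hashlib
import hmac
import os

DIGEST_LEN = 32  # SHA-256 output size in bytes
SALT_LEN = 8     # salt length the slappasswd output on this page decodes to
# Schemes a defender flags in a dump: SHA-1/MD5-based, crypt(3), or no hash at all.
WEAK_SCHEMES = {"{SSHA}", "{SHA}", "{SMD5}", "{MD5}", "{CRYPT}", "{CLEARTEXT}"}


def make_ssha256(password: str, salt: bytes | None = None) -> str:
    """Return a {SSHA256} string for `password`, with a fresh random salt unless one is given."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return "{SSHA256}" + base64.b64encode(digest + salt).decode("ascii")


def decode_ssha256(stored: str) -> tuple[bytes, bytes] | None:
    """Split a stored {SSHA256} value into (digest, salt); None if it is not a valid one."""
    if not stored.startswith("{SSHA256}"):
        return None
    try:
        raw = base64.b64decode(stored[len("{SSHA256}"):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) <= DIGEST_LEN:  # digest only, no salt appended: not an SSHA value
        return None
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def verify_ssha256(stored: str, password: str) -> bool:
    """Check `password` against a stored {SSHA256} value; constant-time digest compare."""
    parts = decode_ssha256(stored)
    if parts is None:
        return False
    digest, salt = parts
    expected = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


def scheme_of(value: str) -> str:
    """Return the {SCHEME} prefix of a stored password, or {CLEARTEXT} if it has none."""
    if value.startswith("{") and "}" in value:
        return value[: value.index("}") + 1].upper()
    return "{CLEARTEXT}"


def audit_ldif(ldif_text: str) -> list[tuple[str, str, str]]:
    """Return (dn, attribute, scheme) for each userPassword / olcRootPW value in an LDIF dump."""
    findings, dn = [], ""
    for line in ldif_text.splitlines():
        if line.startswith("dn: "):
            dn = line[4:]
        elif line.lower().startswith(("userpassword:", "olcrootpw:")):
            attr, _, value = line.partition(":")
            value = value.strip()
            if value.startswith(":"):  # "attr:: <base64>" form, as slapcat emits for some values
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            findings.append((dn, attr, scheme_of(value)))
    return findings


def weak_entries(ldif_text: str) -> list[tuple[str, str, str]]:
    """Findings whose scheme is in WEAK_SCHEMES, i.e. candidates for a forced password change."""
    return [f for f in audit_ldif(ldif_text) if f[2] in WEAK_SCHEMES]


# Constructed sample dump: the first value is the hash shown on this page, the others are made up.
SAMPLE_LDIF = "\n".join([
    "dn: olcDatabase={0}config,cn=config",
    "olcRootPW: {SSHA256}KIRFufHY14o2x0h2qcnkJrgKPWtgW3g3HnHJqO3f5JpVl7Ag1kqQXw==",
    "",
    "dn: uid=alice,ou=User,dc=next-hop,dc=net",
    "userPassword: {SSHA}" + base64.b64encode(b"\x00" * 24).decode("ascii"),
    "",
    "dn: uid=bob,ou=User,dc=next-hop,dc=net",
    "userPassword:: " + base64.b64encode(b"plain-text-secret").decode("ascii"),
])
```

Run `weak_entries` over a `slapcat` dump to list the entries still carrying {SSHA} or cleartext values after switching olcPasswordHash to {SSHA256}; existing hashes are not rewritten until the password is next changed.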
Add the following for compatibility with Solaris.
attributetype ( 1.3.6.1.1.1.1.28 NAME 'nisPublicKey'
    DESC 'NIS public key'
    EQUALITY octetStringMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )

attributetype ( 1.3.6.1.1.1.1.29 NAME 'nisSecretKey'
    DESC 'NIS secret key'
    EQUALITY octetStringMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )

attributetype ( 1.3.6.1.1.1.1.30 NAME 'nisDomain'
    DESC 'NIS domain'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.1.1.1.31 NAME 'automountMapName'
    DESC 'automount Map Name'
    EQUALITY caseExactIA5Match
    SUBSTR caseExactIA5SubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

attributetype ( 1.3.6.1.1.1.1.32 NAME 'automountKey'
    DESC 'Automount Key value'
    EQUALITY caseExactIA5Match
    SUBSTR caseExactIA5SubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

attributetype ( 1.3.6.1.1.1.1.33 NAME 'automountInformation'
    DESC 'Automount information'
    EQUALITY caseExactIA5Match
    SUBSTR caseExactIA5SubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

# Object Class Definitions

objectclass ( 1.3.6.1.1.1.2.14 NAME 'nisKeyObject'
    DESC 'An object with a public and secret key'
    SUP top AUXILIARY
    MUST ( cn $ nisPublicKey $ nisSecretKey )
    MAY ( uidNumber $ description ) )

objectclass ( 1.3.6.1.1.1.2.15 NAME 'nisDomainObject'
    DESC 'Associates a NIS domain with a naming context'
    SUP top AUXILIARY
    MUST nisDomain )

objectclass ( 1.3.6.1.1.1.2.16 NAME 'automountMap'
    SUP top STRUCTURAL
    MUST ( automountMapName )
    MAY description )

objectclass ( 1.3.6.1.1.1.2.17 NAME 'automount'
    DESC 'Automount information'
    SUP top STRUCTURAL
    MUST ( automountKey $ automountInformation )
    MAY description )
dn: cn=rfc2307sun,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: rfc2307sun
olcAttributeTypes: {0}( 1.3.6.1.1.1.1.28 NAME 'nisPublicKey' DESC 'NIS public key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
olcAttributeTypes: {1}( 1.3.6.1.1.1.1.29 NAME 'nisSecretKey' DESC 'NIS secret key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
olcAttributeTypes: {2}( 1.3.6.1.1.1.1.30 NAME 'nisDomain' DESC 'NIS domain' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {3}( 1.3.6.1.1.1.1.31 NAME 'automountMapName' DESC 'automount Map Name' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {4}( 1.3.6.1.1.1.1.32 NAME 'automountKey' DESC 'Automount Key value' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {5}( 1.3.6.1.1.1.1.33 NAME 'automountInformation' DESC 'Automount information' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcObjectClasses: {0}( 1.3.6.1.1.1.2.14 NAME 'nisKeyObject' DESC 'An object with a public and secret key' SUP top AUXILIARY MUST ( cn $ nisPublicKey $ nisSecretKey ) MAY ( uidNumber $ description ) )
olcObjectClasses: {1}( 1.3.6.1.1.1.2.15 NAME 'nisDomainObject' DESC 'Associates a NIS domain with a naming context' SUP top AUXILIARY MUST nisDomain )
olcObjectClasses: {2}( 1.3.6.1.1.1.2.16 NAME 'automountMap' SUP top STRUCTURAL MUST automountMapName MAY description )
olcObjectClasses: {3}( 1.3.6.1.1.1.2.17 NAME 'automount' DESC 'Automount information' SUP top STRUCTURAL MUST ( automountKey $ automountInformation ) MAY description )
% ldapadd -h localhost -D "cn=admin,cn=config" -w password -f schema.option/rfc2307sun.ldif
% ldapsearch -LLL -h localhost -D "cn=admin,cn=config" -w password -b cn=schema,cn=config 'cn={6}rfc2307sun'
include /usr/share/sendmail/cf/sendmail.schema
Register:
# slaptest -f slapd-schema.conf -F slapd.d/
# cd /usr/ports/security/sudo
# make extract
# cp -p work/sudo-1.8.18/doc/schema.OpenLDAP /usr/local/etc/openldap/schema.option/sudo.schema
# make clean
include /usr/local/etc/openldap/schema.option/sudo.schema
Register:
# slaptest -f slapd-schema.conf -F slapd.d/
# cd /usr/ports/net/samba44
# make extract
# cp -p work/samba-4.4.5/examples/LDAP/samba.{ldif,schema} /usr/local/etc/openldap/schema.option
# make clean
% ldapadd -h localhost -D "cn=admin,cn=config" -w password -f /usr/local/etc/openldap/schema.option/samba.ldif
# cd /usr/ports/net/freeradius3
# make extract
# cp -p work/freeradius-server-3.0.11/doc/schemas/ldap/openldap/* /usr/local/etc/openldap/schema.option
# make clean
% ldapadd -h localhost -D "cn=admin,cn=config" -w password -f /usr/local/etc/openldap/schema.option/freeradius.ldif
% ldapadd -h localhost -D "cn=admin,cn=config" -w password -f /usr/local/etc/openldap/schema.option/freeradius-clients.ldif
# cd /usr/ports/net/isc-dhcp43-server
# make extract
# cp -p work/dhcp-4.3.4/contrib/ldap/dhcp.schema /usr/local/etc/openldap/schema.option
# make clean
include /usr/local/etc/openldap/schema.option/dhcp.schema
Register:
# slaptest -f slapd-schema.conf -F slapd.d/
# cd /usr/ports/net/asterisk13
# make extract
# cp -p work/asterisk-13.11.2/contrib/scripts/asterisk.ldap-schema /usr/local/etc/openldap/schema.option/asterisk.schema
# cp -p work/asterisk-13.11.2/contrib/scripts/asterisk.ldif /usr/local/etc/openldap/schema.option/
# make clean
% ldapadd -h localhost -D "cn=admin,cn=config" -w password -f /usr/local/etc/openldap/schema.option/asterisk.ldif
# These object classes and attributes are rooted at OID
# 1.2.840.113556.1, Microsoft's Directory Enabled networks
# OID. Many of them rely on the modified "standard" objects
# and attributes defined in "microsoft.std.schema".
#
# http://www.kouti.com/tables/userattributes.htm
#
# 1.2.840.113556.1: Active Directory
# 1.2.840.113556.1.4: Attribute
# 1.2.840.113556.1.5: Classes
# 1.2.840.113556.1.6: OCS

attributeType ( 1.2.840.113556.1.4.221 NAME 'sAMAccountName'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256}
    SINGLE-VALUE )

attributeType ( 1.2.840.113556.1.4.750 NAME 'groupType'
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.27'
    SINGLE-VALUE )

attributeType ( 1.2.840.113556.1.4.656 NAME 'userPrincipalName'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )

attributeType ( 1.2.840.113556.1.4.52 NAME 'lastLogon'
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' )
#   SYNTAX '1.2.840.113556.1.4.906' )
# Encoded as 1.3.6.1.4.1.1466.115.121.1.27 but guaranteed to support 64-bit numbers.

attributeType ( 1.2.840.113556.1.4.159 NAME 'accountExpires'
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' )
#   SYNTAX '1.2.840.113556.1.4.906' )
# Encoded as 1.3.6.1.4.1.1466.115.121.1.27 but guaranteed to support 64-bit numbers.

attributeType ( 1.2.840.113556.1.4.96 NAME 'pwdLastSet'
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' )
#   SYNTAX '1.2.840.113556.1.4.906' )
# Encoded as 1.3.6.1.4.1.1466.115.121.1.27 but guaranteed to support 64-bit numbers.

attributeType ( 1.2.840.113556.1.4.8 NAME 'userAccountControl'
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' )

attributeType ( 1.2.840.113556.1.4.90 NAME 'unicodePwd'
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.40' )

attributeType ( 1.2.840.113556.1.4.647 NAME 'otherMobile'
    EQUALITY telephoneNumberMatch
    SUBSTR telephoneNumberSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.50{64} )

attributeType ( 1.2.840.113556.1.2.18 NAME 'otherTelephone'
    EQUALITY telephoneNumberMatch
    SUBSTR telephoneNumberSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.50{64} )

attributeType ( 1.2.840.113556.1.2.146 NAME 'company'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64} )

#attributeType ( 2.16.840.1.113730.3.1.34 NAME 'middleName'
#   EQUALITY caseIgnoreMatch
#   SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64}
#   SINGLE-VALUE )

attributeType ( 2.16.840.1.113730.3.1.35 NAME 'thumbnailPhoto'
    EQUALITY octetStringMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{102400}
    SINGLE-VALUE )

attributeType ( 2.16.840.1.113730.3.1.36 NAME 'thumbnailLogo'
    EQUALITY octetStringMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{32767}
    SINGLE-VALUE )

#attributeType ( 1.2.840.113556.1.2.13 NAME 'displayName'
#   EQUALITY caseIgnoreMatch
#   SUBSTR caseIgnoreSubstringsMatch
#   SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )

objectClass ( 1.2.840.113556.1.5.9 NAME 'user'
    DESC 'a user'
    SUP inetOrgPerson STRUCTURAL
    MUST ( cn $ sAMAccountName )
    MAY ( userPrincipalName $ distinguishedName $ lastLogon $ accountExpires $
          pwdLastSet $ userAccountControl $ unicodePwd $ thumbnailPhoto $
          otherTelephone $ otherMobile $ userSMIMECertificate $ company $ co $
          mail $ givenName $ displayName $ employeeNumber ) )
include /usr/local/etc/openldap/schema.option/activedirectory.schema
Register:
# slaptest -f slapd-schema.conf -F slapd.d/
Download https://github.com/hiroyuki-sato/openldap-schemas-for-openam/blob/master/cn={99}openam.ldif as schema.option/openam.ldif and make a few changes.
--- schema.option/openam.ldif.orig 2016-10-12 05:18:40.553102000 +0900 +++ schema.option/openam.ldif 2016-10-12 05:13:28.498297000 +0900 @@ -1,6 +1,6 @@ -dn: cn={99}openam +dn: cn=openam,cn=schema,cn=config objectClass: olcSchemaConfig -cn: {99}openam +cn: openam olcAttributeTypes: {1}( 2.16.840.1.113730.3.1.1072 NAME 'iplanet-am-user-admin-start-dn' DESC 'Starting DN for Admin User' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'OpenSSO' ) olcAttributeTypes: {2}( 1.3.6.1.4.1.42.2.27.9.1.63 NAME 'iplanet-am-auth-login-success-url' DESC 'Redirection URL After Successful Login' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'OpenSSO' ) olcAttributeTypes: {3}( 1.3.6.1.4.1.1466.101.120.43 NAME 'preferredTimeZone' DESC 'preferred time zone for a person' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'iPlanet' ) 
@@ -36,7 +36,7 @@ olcAttributeTypes: {33}( 1.3.6.1.4.1.42.2.27.9.1.74 NAME 'iplanet-am-user-federation-info' DESC 'User Federation Information' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'OpenSSO' ) olcAttributeTypes: {34}( 1.3.6.1.4.1.42.2.27.9.1.989 NAME 'sun-fm-saml2-nameid-infokey' DESC 'SAML 2.0 Name Identifier Information Key' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'OpenSSO' ) olcAttributeTypes: {35}( 1.3.6.1.4.1.42.2.27.9.1.825 NAME 'sunIdentityServerPPCommonNameCN' DESC 'Liberty PP CommonName CN' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'OpenSSO' ) -olcAttributeTypes: {36}( 1.2.840.113556.1.2.102 NAME 'memberof' DESC 'Group that the entry belongs to' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'iPlanet Delegated Administrator' ) +#olcAttributeTypes: {36}( 1.2.840.113556.1.2.102 NAME 'memberof' DESC 'Group that the entry belongs to' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'iPlanet Delegated Administrator' ) olcAttributeTypes: {37}( 1.3.6.1.4.1.42.2.27.9.1.838 NAME 'sunIdentityServerPPLegalIdentityVATIdType' DESC 'Liberty PP IDType' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'OpenSSO' ) olcAttributeTypes: {38}( 1.3.6.1.4.1.42.2.27.9.1.830 NAME 'sunIdentityServerPPCommonNamePT' DESC 'Liberty PP CommonName PersonalTitle' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'OpenSSO' ) olcAttributeTypes: {39}( 1.3.6.1.4.1.42.2.27.9.1.841 NAME 'sunIdentityServerPPEmploymentIdentityOrg' DESC 'Liberty PP Org' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'OpenSSO' ) 
@@ -88,4 +88,4 @@ olcObjectClasses: {10}( 1.3.6.1.4.1.1466.101.120.142 NAME 'iPlanetPreferences' AUXILIARY MAY ( preferredLanguage $ preferredLocale $ preferredTimeZone ) X-ORIGIN 'iPlanet' ) olcObjectClasses: {11}( 1.3.6.1.4.1.42.2.27.9.2.104 NAME 'sunRealmService' DESC 'object containing service information for realms' SUP top MAY ( o $ labeledURI $ sunKeyValue $ sunxmlKeyValue $ description ) X-ORIGIN 'Sun Java System Identity Management' ) olcObjectClasses: {12}( 1.3.6.1.4.1.42.2.27.9.2.23 NAME 'iplanet-am-auth-configuration-service' DESC 'Authentication Configuration Service OC' SUP top AUXILIARY MAY ( iplanet-am-auth-configuration $ iplanet-am-auth-login-success-url $ iplanet-am-auth-login-failure-url $ iplanet-am-auth-post-login-process-class ) X-ORIGIN 'OpenSSO' ) -olcObjectClasses: {13}( 2.16.840.1.113730.3.2.130 NAME 'inetuser' DESC 'Auxiliary class which has to be present in an entry for delivery of subscriber services' SUP top AUXILIARY MAY ( uid $ inetUserStatus $ inetUserHTTPURL $ userPassword $ memberOf ) X-ORIGIN 'Nortel subscriber interoperability' ) +olcObjectClasses: {13}( 2.16.840.1.113730.3.2.130 NAME 'inetuser' DESC 'Auxiliary class which has to be present in an entry for delivery of subscriber services' SUP top AUXILIARY MAY ( uid $ inetUserStatus $ inetUserHTTPURL $ userPassword ) X-ORIGIN 'Nortel subscriber interoperability' )
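Review bot: the dn and cn rewrite in the first hunk (cn={99}openam to cn=openam,cn=schema,cn=config) is what makes this file loadable with ldapadd: the upstream {99}-indexed form is meant for dropping the file straight into slapd.d, whereas on an add over LDAP slapd assigns the ordering index itself, so the entry shows up as cn={N}openam on a later search rather than as cn=openam. A one-line comment at the top of the file saying so would save whoever refreshes it from upstream from having to rediscover the edit.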
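Review bot: commenting out the memberof attribute type (OID 1.2.840.113556.1.2.102) in the second hunk is the right fix when the memberof overlay is going to be enabled on the database, as it is later on this page: the overlay registers its own memberOf attribute under that same OID, and a second definition of the same name fails to load; the matching removal of memberOf from the inetuser MAY list in the last hunk keeps that object class loadable. Put the reason in a comment line above the commented-out definition so a future refresh from upstream does not quietly reinstate it.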
% ldapadd -h localhost -D "cn=admin,cn=config" -w password -f schema.option/openam.ldif
# mkdir /var/db/openldap-data/next-hop.net
# chmod 750 /var/db/openldap-data/next-hop.net
# chown ldap:ldap /var/db/openldap-data/next-hop.net
dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcDbDirectory: /var/db/openldap-data/next-hop.net
olcSuffix: dc=next-hop,dc=net
olcAccess: to dn.base="dc=next-hop,dc=net" by * read
olcAccess: to dn.subtree="dc=next-hop,dc=net" attrs=userPassword by self write by dn="cn=manager,dc=next-hop,dc=net" write by anonymous auth by * none
olcAccess: to dn.subtree="dc=next-hop,dc=net" attrs=sambaLMPassword by self write by dn="cn=manager,dc=next-hop,dc=net" write by * none
olcAccess: to dn.subtree="dc=next-hop,dc=net" attrs=sambaNTPassword by self write by dn="cn=manager,dc=next-hop,dc=net" write by * none
olcAccess: to dn.subtree="dc=next-hop,dc=net" attrs=unicodePwd by self write by dn="cn=manager,dc=next-hop,dc=net" write by * none
olcAccess: to dn.subtree="dc=next-hop,dc=net" by self read by dn="cn=manager,dc=next-hop,dc=net" write by * none
olcRootDN: cn=manager,dc=next-hop,dc=net
olcRootPW: {SSHA256}KIRFufHY14o2x0h2qcnkJrgKPWtgW3g3HnHJqO3f5JpVl7Ag1kqQXw==
olcDbIndex: entryCSN eq
olcDbIndex: entryUUID eq
olcDbIndex: objectClass eq
olcDbIndex: dc pres,eq,sub
olcDbIndex: o,ou pres,eq,sub
olcDbIndex: uid pres,eq,sub
olcDbIndex: cn pres,eq,sub
olcDbIndex: sn,givenName pres,eq,sub
olcDbIndex: gecos,mail pres,eq,sub
olcDbIndex: homeDirectory pres,eq
olcDbIndex: loginShell pres,eq
olcDbIndex: description pres,eq,sub
olcDbIndex: uidNumber,gidNumber pres,eq
olcDbIndex: memberUid pres,eq,sub
olcDbIndex: uniqueMember pres,eq
olcDbIndex: telephoneNumber pres,eq,sub
olcDbIndex: title pres,eq,sub
olcDbIndex: c,l,st pres,eq,sub
olcDbIndex: postalCode pres,eq,sub
olcDbIndex: streetAddress pres,eq,sub
olcDbIndex: physicalDeliveryOfficeName pres,eq,sub
The database is created as olcDatabase={2}mdb,cn=config.
% ldapadd -h localhost -D "cn=admin,cn=config" -w password -f next-hop.net-db.ldif
% ldapsearch -LLL -h localhost -D "cn=admin,cn=config" -w password -b cn=config 'olcDatabase={2}mdb'
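slapd evaluates the olcAccess values above in order: the first rule whose "to" clause covers the entry or attribute wins, and within it the first matching "by" clause sets the access level. As an added example (not from the original page), the Python below re-implements that evaluation for exactly these six rules, so you can check what an anonymous bind, a user's own bind or another user's bind gets on userPassword, sambaNTPassword or an ordinary attribute; it supports only the what/who forms used here, and, as in slapd, the rootdn (cn=manager) bypasses these rules entirely.

```python
"""Evaluate what access a bind DN gets under the olcAccess rules of the mdb
database on this page (slapd.access(5) first-match semantics, rules in order)."""
from __future__ import annotations
import re

# Privilege levels in ascending order; a grant of level L satisfies any lower request.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

# The six olcAccess values from next-hop.net-db.ldif, in slapd's evaluation order.
RULES_TEXT = [
    'to dn.base="dc=next-hop,dc=net" by * read',
    'to dn.subtree="dc=next-hop,dc=net" attrs=userPassword by self write by dn="cn=manager,dc=next-hop,dc=net" write by anonymous auth by * none',
    'to dn.subtree="dc=next-hop,dc=net" attrs=sambaLMPassword by self write by dn="cn=manager,dc=next-hop,dc=net" write by * none',
    'to dn.subtree="dc=next-hop,dc=net" attrs=sambaNTPassword by self write by dn="cn=manager,dc=next-hop,dc=net" write by * none',
    'to dn.subtree="dc=next-hop,dc=net" attrs=unicodePwd by self write by dn="cn=manager,dc=next-hop,dc=net" write by * none',
    'to dn.subtree="dc=next-hop,dc=net" by self read by dn="cn=manager,dc=next-hop,dc=net" write by * none',
]


def _norm(dn: str) -> str:
    """Case-fold a DN and drop whitespace around commas so plain string comparison works."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()


def parse_rule(text: str) -> dict:
    """Parse 'to dn.<base|subtree>="<dn>" [attrs=a,b] by <who> <level> ...' (subset used here)."""
    head, *by_parts = text.split(" by ")
    m = re.fullmatch(r'to dn\.(base|subtree)="([^"]+)"(?: attrs=(\S+))?', head)
    if m is None:
        raise ValueError(f"unsupported what-clause: {head!r}")
    scope, dn, attrs = m.group(1), _norm(m.group(2)), m.group(3)
    clauses = [tuple(part.rsplit(" ", 1)) for part in by_parts]  # (who, level) pairs
    return {"scope": scope, "dn": dn, "by": clauses,
            "attrs": {a.lower() for a in attrs.split(",")} if attrs else None}


RULES = [parse_rule(t) for t in RULES_TEXT]


def what_matches(rule: dict, target_dn: str, attr: str | None) -> bool:
    """Does the rule's what-clause cover this entry (attr=None) or this attribute of it?"""
    target = _norm(target_dn)
    if rule["scope"] == "base":
        in_scope = target == rule["dn"]
    else:  # subtree: the named entry and everything below it
        in_scope = target == rule["dn"] or target.endswith("," + rule["dn"])
    if not in_scope:
        return False
    if rule["attrs"] is None:
        return True  # no attrs=: the rule governs the entry itself and every attribute
    return attr is not None and attr.lower() in rule["attrs"]


def who_matches(who: str, bind_dn: str, target_dn: str) -> bool:
    """Evaluate one who-term; an empty bind DN means an anonymous requester."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "users":
        return bind_dn != ""
    if who == "self":
        return bind_dn != "" and _norm(bind_dn) == _norm(target_dn)
    m = re.fullmatch(r'dn="([^"]+)"', who)
    if m is None:
        raise ValueError(f"unsupported who-clause: {who!r}")
    return _norm(bind_dn) == _norm(m.group(1))


def granted_level(bind_dn: str, target_dn: str, attr: str | None = None,
                  rules: list[dict] = RULES) -> str:
    """First matching rule wins, and within it the first matching by-clause. Note that
    slapd exempts the database rootdn (cn=manager here) from ACLs; this models the rules only."""
    for rule in rules:
        if what_matches(rule, target_dn, attr):
            for who, level in rule["by"]:
                if who_matches(who, bind_dn, target_dn):
                    return level
            return "none"  # by-clauses exhausted: implicit 'by * none'
    return "none"  # no rule matched; assumed to be denied once ACLs are defined


def allowed(bind_dn: str, target_dn: str, attr: str | None, needed: str) -> bool:
    """True if the granted level is at least `needed` (e.g. 'auth' for a simple bind)."""
    return LEVELS.index(granted_level(bind_dn, target_dn, attr)) >= LEVELS.index(needed)
```

With these rules an anonymous bind gets exactly "auth" on userPassword (enough for a simple bind, not enough to read the hash) and nothing at all on sambaNTPassword or unicodePwd, while ordinary users can read only their own entry.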
dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA256}KIRFufHY14o2x0h2qcnkJrgKPWtgW3g3HnHJqO3f5JpVl7Ag1kqQXw==
% ldapmodify -h localhost -D "cn=admin,cn=config" -w password -f root-password-mdb.ldif
% ldapsearch -LLL -h localhost -D "cn=admin,cn=config" -w password -b cn=config 'olcDatabase={2}mdb' olcRootPW
dn: dc=next-hop,dc=net
objectClass: dcObject
objectClass: organization
objectClass: nisDomainObject
dc: next-hop
nisDomain: next-hop.net
o: Next Hop

dn: cn=Manager,dc=next-hop,dc=net
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=User,dc=next-hop,dc=net
objectClass: organizationalUnit
ou: User

dn: ou=Group,dc=next-hop,dc=net
objectClass: organizationalUnit
ou: Group
% ldapadd -h localhost -D "cn=manager,dc=next-hop,dc=net" -w password -f next-hop.net.ldif
% ldapsearch -LLL -h localhost -D "cn=manager,dc=next-hop,dc=net" -w password -b dc=next-hop,dc=net
dn: olcOverlay=memberof,olcDatabase={2}mdb,cn=config
objectClass: olcConfig
objectClass: olcMemberOf
objectClass: olcOverlayConfig
olcOverlay: memberof
% ldapadd -h localhost -D "cn=admin,cn=config" -w password -f memberof.ldif
% ldapsearch -LLL -h localhost -D "cn=admin,cn=config" -w password -b cn=config 'olcOverlay=memberof'
dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: sambaLMPassword pres,eq
olcDbIndex: sambaNTPassword pres,eq
olcDbIndex: sambaAcctFlags pres,eq
olcDbIndex: sambaPwdLastSet pres,eq
olcDbIndex: sambaPwdCanChange pres,eq
olcDbIndex: sambaPwdMustChange pres,eq
olcDbIndex: sambaLogonTime pres,eq
olcDbIndex: sambaLogoffTime pres,eq
olcDbIndex: sambaKickoffTime pres,eq
olcDbIndex: sambaBadPasswordCount pres,eq
olcDbIndex: sambaBadPasswordTime pres,eq
olcDbIndex: sambaLogonHours pres,eq
olcDbIndex: sambaHomeDrive pres,eq
olcDbIndex: sambaLogonScript pres,eq
olcDbIndex: sambaProfilePath pres,eq
olcDbIndex: sambaUserWorkstations pres,eq
olcDbIndex: sambaHomePath pres,eq
olcDbIndex: sambaDomainName pres,eq
olcDbIndex: sambaMungedDial pres,eq
olcDbIndex: sambaPasswordHistory pres,eq
olcDbIndex: sambaSID pres,eq
olcDbIndex: sambaPrimaryGroupSID pres,eq
olcDbIndex: sambaSIDList pres,eq
olcDbIndex: sambaGroupType pres,eq
olcDbIndex: sambaNextUserRid pres,eq
olcDbIndex: sambaNextGroupRid pres,eq
olcDbIndex: sambaNextRid pres,eq
olcDbIndex: sambaAlgorithmicRidBase pres,eq
olcDbIndex: sambaShareName pres,eq
olcDbIndex: sambaOptionName pres,eq
olcDbIndex: sambaBoolOption pres,eq
olcDbIndex: sambaIntegerOption pres,eq
olcDbIndex: sambaStringOption pres,eq
olcDbIndex: sambaStringListOption pres,eq
olcDbIndex: sambaTrustFlags pres,eq
olcDbIndex: sambaMinPwdLength pres,eq
olcDbIndex: sambaPwdHistoryLength pres,eq
olcDbIndex: sambaLogonToChgPwd pres,eq
olcDbIndex: sambaMaxPwdAge pres,eq
olcDbIndex: sambaMinPwdAge pres,eq
olcDbIndex: sambaLockoutDuration pres,eq
olcDbIndex: sambaLockoutObservationWindow pres,eq
olcDbIndex: sambaLockoutThreshold pres,eq
olcDbIndex: sambaForceLogoff pres,eq
olcDbIndex: sambaRefuseMachinePwdChange pres,eq
% ldapmodify -h localhost -D "cn=admin,cn=config" -w password -f index-samba.ldif
dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: inetUserHttpURL pres
olcDbIndex: inetUserStatus pres,eq
olcDbIndex: iplanet-am-auth-configuration pres
olcDbIndex: iplanet-am-auth-login-failure-url pres
olcDbIndex: iplanet-am-auth-login-success-url pres
olcDbIndex: iplanet-am-auth-post-login-process-class pres
olcDbIndex: iplanet-am-session-add-session-listener-on-all-sessions pres
olcDbIndex: iplanet-am-session-destroy-sessions pres
olcDbIndex: iplanet-am-session-get-valid-sessions pres
olcDbIndex: iplanet-am-session-max-caching-time pres
olcDbIndex: iplanet-am-session-max-idle-time pres
olcDbIndex: iplanet-am-session-max-session-time pres
olcDbIndex: iplanet-am-session-quota-limit pres
olcDbIndex: iplanet-am-session-service-status pres
olcDbIndex: iplanet-am-user-account-life pres
olcDbIndex: iplanet-am-user-admin-start-dn pres
olcDbIndex: iplanet-am-user-alias-list pres
olcDbIndex: iplanet-am-user-auth-config pres
olcDbIndex: iplanet-am-user-auth-modules pres
olcDbIndex: iplanet-am-user-failure-url pres
olcDbIndex: iplanet-am-user-federation-info pres
olcDbIndex: iplanet-am-user-federation-info-key pres
olcDbIndex: iplanet-am-user-login-status pres
olcDbIndex: iplanet-am-user-password-reset-force-reset pres
olcDbIndex: iplanet-am-user-password-reset-options pres
olcDbIndex: iplanet-am-user-password-reset-question-answer pres
olcDbIndex: iplanet-am-user-service-status pres
olcDbIndex: iplanet-am-user-success-url pres
olcDbIndex: preferredLocale pres,eq,sub
olcDbIndex: preferredTimeZone pres,eq,sub
olcDbIndex: sun-fm-saml2-nameid-info pres
olcDbIndex: sun-fm-saml2-nameid-infokey pres
olcDbIndex: sunAMAuthInvalidAttemptsData pres
olcDbIndex: sunIdentityMSISDNNumber pres
olcDbIndex: sunIdentityServerDiscoEntries pres
olcDbIndex: sunIdentityServerPPAddressCard pres
olcDbIndex: sunIdentityServerPPCommonNameAltCN pres
olcDbIndex: sunIdentityServerPPCommonNameCN pres
olcDbIndex: sunIdentityServerPPCommonNameFN pres
olcDbIndex: sunIdentityServerPPCommonNameMN pres
olcDbIndex: sunIdentityServerPPCommonNamePT pres
olcDbIndex: sunIdentityServerPPCommonNameSN pres
olcDbIndex: sunIdentityServerPPDemographicsAge pres
olcDbIndex: sunIdentityServerPPDemographicsBirthDay pres
olcDbIndex: sunIdentityServerPPDemographicsDisplayLanguage pres
olcDbIndex: sunIdentityServerPPDemographicsLanguage pres
olcDbIndex: sunIdentityServerPPDemographicsTimeZone pres
olcDbIndex: sunIdentityServerPPEmergencyContact pres
olcDbIndex: sunIdentityServerPPEmploymentIdentityAltO pres
olcDbIndex: sunIdentityServerPPEmploymentIdentityJobTitle pres
olcDbIndex: sunIdentityServerPPEmploymentIdentityOrg pres
olcDbIndex: sunIdentityServerPPEncryptKey pres
olcDbIndex: sunIdentityServerPPFacadeGreetSound pres
olcDbIndex: sunIdentityServerPPFacadeMugShot pres
olcDbIndex: sunIdentityServerPPFacadeNamePronounced pres
olcDbIndex: sunIdentityServerPPFacadeWebSite pres
olcDbIndex: sunIdentityServerPPFacadegreetmesound pres
olcDbIndex: sunIdentityServerPPInformalName pres
olcDbIndex: sunIdentityServerPPLegalIdentityAltIdType pres
olcDbIndex: sunIdentityServerPPLegalIdentityAltIdValue pres
olcDbIndex: sunIdentityServerPPLegalIdentityDOB pres
olcDbIndex: sunIdentityServerPPLegalIdentityGender pres
olcDbIndex: sunIdentityServerPPLegalIdentityLegalName pres
olcDbIndex: sunIdentityServerPPLegalIdentityMaritalStatus pres
olcDbIndex: sunIdentityServerPPLegalIdentityVATIdType pres
olcDbIndex: sunIdentityServerPPLegalIdentityVATIdValue pres
olcDbIndex: sunIdentityServerPPMsgContact pres
olcDbIndex: sunIdentityServerPPSignKey pres
olcDbIndex: sunKeyValue pres
olcDbIndex: sunPluginSchema pres
olcDbIndex: sunServiceSchema pres
olcDbIndex: sunserviceID pres
olcDbIndex: sunsmspriority pres
olcDbIndex: sunxmlKeyValue pres
% ldapmodify -h localhost -D "cn=admin,cn=config" -w password -f index-openam.ldif
# for replication of configuration
dn: cn=config
changetype: modify
add: olcServerID
olcServerID: 1 ldap://ldap1.next-hop.net
olcServerID: 2 ldap://ldap2.next-hop.net
olcServerID: 3 ldap://ldap3.next-hop.net

dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: rid=001 provider=ldap://ldap1.next-hop.net binddn="cn=admin,cn=config" bindmethod=simple credentials=password searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1
olcSyncrepl: rid=002 provider=ldap://ldap2.next-hop.net binddn="cn=admin,cn=config" bindmethod=simple credentials=password searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1
olcSyncrepl: rid=003 provider=ldap://ldap3.next-hop.net binddn="cn=admin,cn=config" bindmethod=simple credentials=password searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1
-
add: olcMirrorMode
olcMirrorMode: TRUE
% ldapmodify -h localhost -D "cn=admin,cn=config" -w password -f syncprov-config.ldif
# for replication of database
dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcLimits
olcLimits: dn.exact="cn=manager,dc=next-hop,dc=net" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
-
add: olcSyncrepl
olcSyncrepl: rid=011 provider=ldap://ldap1.next-hop.net binddn="cn=manager,dc=next-hop,dc=net" bindmethod=simple credentials=password searchbase="dc=next-hop,dc=net" type=refreshOnly interval=00:00:00:10 retry="5 5 300 5" timeout=1
olcSyncrepl: rid=012 provider=ldap://ldap2.next-hop.net binddn="cn=manager,dc=next-hop,dc=net" bindmethod=simple credentials=password searchbase="dc=next-hop,dc=net" type=refreshOnly interval=00:00:00:10 retry="5 5 300 5" timeout=1
olcSyncrepl: rid=013 provider=ldap://ldap3.next-hop.net binddn="cn=manager,dc=next-hop,dc=net" bindmethod=simple credentials=password searchbase="dc=next-hop,dc=net" type=refreshOnly interval=00:00:00:10 retry="5 5 300 5" timeout=1
-
add: olcMirrorMode
olcMirrorMode: TRUE

dn: olcOverlay=syncprov,olcDatabase={2}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
% ldapmodify -h localhost -D "cn=admin,cn=config" -w password -f syncprov-db.ldif
Copyright ©2000-2018 T.Hiraga <hiraga@next-hop.net> All Rights Reserved. Last modified: $Date: 2018/02/28 15:52:52 $