ã¡ã‚‡ã£ã¨ã€OpenLDAPã¸åŒ¿åユーザーã‹ã‚‰ã®ã‚¢ã‚¯ã‚»ã‚¹ï¼ˆå‚照)を許å¯ã™ã‚‹æ–¹æ³•ã‚’調ã¹ã‚‹ã“ã¨ã«ãªã‚Šã¾ã—ã¦ã€‚
確èªã¯ã€ã“ã¡ã‚‰ã®OpenLDAPã®Dockerイメージを使ã„ã¾ã™ã€‚
起動。
$ docker container run -it --rm --name openldap --env LDAP_ADMIN_PASSWORD="admin-password" --env LDAP_DOMAIN=test.example osixia/openldap:1.2.2
管ç†ãƒ¦ãƒ¼ã‚¶ãƒ¼ã¯ã€admin / admin-password ã§ã™ã€‚
ã“ã“ã§ã€ãƒ†ã‚¹ãƒˆç”¨ã®ã‚¨ãƒ³ãƒˆãƒªã‚’登録ã—ã¦ãŠãã¾ã™ã€‚
test.ldif
dn: uid=user001,dc=test,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: user001
cn: テスト 太郎
sn: テスト
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/user001
userPassword: {SSHA}K1h08ZgBJQIInrqH1eerLG/I4jO2H9fh
description: My Test Account
登録。
# ldapadd -f test.ldif -D "cn=admin,dc=test,dc=example,dc=com" -w admin-password adding new entry "uid=user001,dc=test,dc=example,dc=com"
確èªã€‚
# ldapsearch -x -H ldap://localhost -b uid=user001,dc=test,dc=example,dc=com -D "cn=admin,dc=test,dc=example,dc=com" -w admin-password # extended LDIF # # LDAPv3 # base <uid=user001,dc=test,dc=example,dc=com> with scope subtree # filter: (objectclass=*) # requesting: ALL # # user001, test.example.com dn: uid=user001,dc=test,dc=example,dc=com objectClass: inetOrgPerson objectClass: posixAccount uid: user001 cn:: 44OG44K544OIIOWkqumDjg== sn:: 44OG44K544OI uidNumber: 10001 gidNumber: 10001 homeDirectory: /home/user001 userPassword:: e1NTSEF9SzFoMDhaZ0JKUUlJbnJxSDFlZXJMRy9JNGpPMkg5Zmg= description: My Test Account # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1
å‚ç…§ã§ãã¦ã„ã¾ã™ã€‚
ã“ã“ã§ã€ã“れを匿åユーザーã‹ã‚‰ã®ã‚¢ã‚¯ã‚»ã‚¹ï¼ˆãƒã‚¤ãƒ³ãƒ‰DNãªã—)ã¨ã™ã‚‹ã¨ã€å‚ç…§ã§ããªããªã‚Šã¾ã™ã€‚
# ldapsearch -x -H ldap://localhost -b uid=user001,dc=test,dc=example,dc=com # extended LDIF # # LDAPv3 # base <uid=user001,dc=test,dc=example,dc=com> with scope subtree # filter: (objectclass=*) # requesting: ALL # # search result search: 2 result: 32 No such object # numResponses: 1
ç¾åœ¨ã®è¨å®šã‚’確èªã™ã‚‹
アクセス権é™ã®è¨å®šç¢ºèªã¯ã€ä»¥ä¸‹ã®ã‚³ãƒžãƒ³ãƒ‰ã§è¡Œã„ã¾ã™ã€‚
# ldapsearch -Y EXTERNAL -H ldapi:/// -b olcDatabase={1}mdb,cn=config
以下ã®ã€ã€ŒolcAccessã€ã®éƒ¨åˆ†ãŒã‚¢ã‚¯ã‚»ã‚¹æ¨©é™ã®è¨å®šã§ã™ã€‚
# {1}mdb, config
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=test,dc=example,dc=com
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by dn="cn=admin,dc=test,dc=example,dc=com" write by anonymous auth by * none
olcAccess: {1}to * by self read by dn="cn=admin,dc=test,dc=example,dc=com" write by * none
ç¾åœ¨ã®è¨å®šã¯ã€ã€ŒuserPasswordã€ãŠã‚ˆã³ã€ŒshadowLastChangeã€å±žæ€§ã«ã¤ã„ã¦ã¯è‡ªåˆ†è‡ªèº«ã¯æ›´æ–°å¯èƒ½ã€ç®¡ç†ãƒ¦ãƒ¼ã‚¶ãƒ¼ã‹ã‚‰ã‚‚
æ›´æ–°å¯èƒ½ã€åŒ¿åユーザーã‹ã‚‰ã®auth(ãƒã‚¤ãƒ³ãƒ‰ï¼‰ã¯å¯èƒ½ã€ãれ以外ã¯ã‚¢ã‚¯ã‚»ã‚¹æ¨©ãªã—ã€ã¨ã„ã†è¨å®šã«ãªã‚Šã¾ã™ã€‚
olcAccess: {0}to attrs=userPassword,shadowLastChange
by self write
by dn="cn=admin,dc=test,dc=example,dc=com" write
by anonymous auth
by * none
ã‚‚ã†ã²ã¨ã¤ã¯ã€ã€ŒuserPasswordã€ã€ã€ŒshadowLastChangeã€ä»¥å¤–ã®å±žæ€§ã«ã¤ã„ã¦ã€è‡ªèº«ã¯å‚ç…§å¯èƒ½ã€ç®¡ç†ãƒ¦ãƒ¼ã‚¶ãƒ¼ã‹ã‚‰ã¯
æ›´æ–°å¯èƒ½ã€ãれ以外ã¯ã‚¢ã‚¯ã‚»ã‚¹æ¨©ãªã—ã€ã¨ãªã‚Šã¾ã™ã€‚
olcAccess: {1}to *
by self read
by dn="cn=admin,dc=test,dc=example,dc=com" write
by * none
ã¡ãªã¿ã«ã€OpenLDAPサーãƒãƒ¼å…¨ä½“ã®è¨å®šã‚’確èªã™ã‚‹å ´åˆã¯ã€ã“ã¡ã‚‰ã€‚
# ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config
「-Y EXTERNALã€ã¯ã€LDAP Version 3ã®SASLèªè¨¼ã®ã†ã¡ã€å¤–部èªè¨¼ï¼ˆLinuxユーザーèªè¨¼ï¼‰ã‚’使ã†æŒ‡å®šã§ã€ã€Œ-Hã€ã§ã¯æŽ¥ç¶šå…ˆã®
LDAPサーãƒãƒ¼ã‚’指定ã™ã‚‹ã®ã§ã™ãŒã€ã€Œldapiã€ã¯UNIXドメインソケットを使ã£ãŸãƒãƒ¼ã‚«ãƒ«ã®LDAPサーãƒãƒ¼ã¨æŽ¥ç¶šã™ã‚‹ãŸã‚ã®
指定ã§ã™ã€‚
ã§ã€åŒ¿åユーザーãŒå‚ç…§å¯èƒ½ãªã‚ˆã†ã«ã€2ã¤ç›®ã®ã‚¢ã‚¯ã‚»ã‚¹æ¨©é™ã®è¨å®šã§ã€Œ*ã€ã®éƒ¨åˆ†ã‚’「readã€ã«ã—ã¾ã™ã€‚
access.ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
by self write by dn="cn=admin,dc=test,dc=example,dc=com" write
by anonymous auth
by * none
olcAccess: {1}to *
by self read
by dn="cn=admin,dc=test,dc=example,dc=com" write
by * read
変更。
# ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f access.ldif
modifying entry "olcDatabase={1}mdb,cn=config"
ã“ã‚Œã§ã€åŒ¿åユーザーã§ã‚‚å‚ç…§å¯èƒ½ã«ãªã‚Šã¾ã—ãŸã€‚
# ldapsearch -x -H ldap://localhost -b uid=user001,dc=test,dc=example,dc=com # extended LDIF # # LDAPv3 # base <uid=user001,dc=test,dc=example,dc=com> with scope subtree # filter: (objectclass=*) # requesting: ALL # # user001, test.example.com dn: uid=user001,dc=test,dc=example,dc=com objectClass: inetOrgPerson objectClass: posixAccount uid: user001 cn:: 44OG44K544OIIOWkqumDjg== sn:: 44OG44K544OI uidNumber: 10001 gidNumber: 10001 homeDirectory: /home/user001 description: My Test Account # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1
