389 Directory Server

Installing 389 Directory Server, the replacement for OpenLDAP, which has been deprecated since RHEL 7.4

Installation

  1. Enable the module repository
    # dnf module enable 389-ds 
    
  2. Install the server and tools
    # yum install 389-ds-base 389-ds-base-legacy-tools
    
  3. Enable at boot and start
    ※ Instances can also be run individually by using the instance name described later as the target
    # systemctl enable --now dirsrv.target
    # systemctl start dirsrv.target
    

Initial setup

  1. Create a template for the initial configuration file
    # dscreate create-template /etc/dirsrv/initialize.inf
    
  2. Create a password hash
    # pwdhash -s MD5 <password string>
    {MD5}xxxxxxxxxxx
    
    ↑ Copy the output above for later
    
  3. Edit the template file
    
    ;
    ; This is a version 2 ds setup inf file.
    ; It is used by the python versions of setup-ds-*
    ; Most options map 1 to 1 to the original .inf file.
    ; However, there are some differences that I envision
    ; For example, note the split backend section.
    ; You should be able to create, one, many or no backends in an install
    ;
    ; The special value {instance_name} is substituted at installation time.
    ;
    ; By default, all configuration parameters in this file are commented out.
    ; To use an INF file with dscreate, you must at least set the parameters
    ; flagged with [REQUIRED].
    
    [general]
    # defaults (str)
    # Description: Directory Server enables administrators to use the default values for cn=config entries from a specific version. If you set this parameter to "999999999", which is the default, the instance always uses the default values of the latest version. For example, to configure that the instance uses default values from version 1.3.5, set this parameter to "001003005". The format of this value is XXXYYYZZZ, where X is the major version, Y the minor version, and Z the patch level. Note that each part of the value uses 3 digits and must be filled with leading zeros if necessary.
    # Default value: 999999999 
    ;defaults = 999999999
    
    # full_machine_name (str)
    # Description: Sets the fully qualified hostname (FQDN) of this system. When installing this instance with GSSAPI authentication behind a load balancer, set this parameter to the FQDN of the load balancer and, additionally, set "strict_host_checking" to "false".
    # Default value: localhost.localdomain 
    full_machine_name = localhost.localdomain
    
    ↑ Specify the hostname
    
    # start (bool)
    # Description: Starts the instance after the install completes. If false, the instance is created but not started.
    # Default value: True 
    ;start = True
    
    # strict_host_checking (bool)
    # Description: Sets whether the server verifies the forward and reverse record set in the "full_machine_name" parameter. When installing this instance with GSSAPI authentication behind a load balancer, set this parameter to "false". Container installs imply "false".
    # Default value: False 
    ;strict_host_checking = False
    
    [slapd]
    # instance_name (str)
    # Description: Sets the name of the instance. You can refer to this value in other parameters of this INF file using the "{instance_name}" variable. Note that this name cannot be changed after the installation!
    # Default value: localhost 
    instance_name = localhost
    
    ↑ Specify the instance name
    
    # port (int)
    # Description: Sets the TCP port the instance uses for LDAP connections.
    # Default value: 389 
    ;port = 389
    
    root_dn = cn=Manager
    
    ↑ Specify the root DN
     ※ The default is "Directory Manager", which contains a space and is awkward to type
     ※ This only takes effect if it is specified before root_password
    
    # root_password (str)
    # Description: Sets the password of the "cn=Directory Manager" account ("root_dn" parameter). You can either set this parameter to a plain text password dscreate hashes during the installation or to a "{algorithm}hash" string generated by the pwdhash utility. The password must be at least 8 characters long. Note that setting a plain text password can be a security risk if unprivileged users can read this INF file!
    # Default value: Directory_Manager_Password 
    ;root_password = Directory_Manager_Password
    root_password = {MD5}xxxxxx
    
    ↑ Paste the password hash generated earlier
    
    # secure_port (int)
    # Description: Sets the TCP port the instance uses for TLS-secured LDAP connections (LDAPS).
    # Default value: 636 
    ;secure_port = 636
    
    # self_sign_cert (bool)
    # Description: Sets whether the setup creates a self-signed certificate and enables TLS encryption during the installation. This is not suitable for production, but it enables administrators to use TLS right after the installation. You can replace the self-signed certificate with a certificate issued by a Certificate Authority.
    # Default value: True 
    ;self_sign_cert = True
    
    # self_sign_cert_valid_months (int)
    # Description: Set the number of months the issued self-signed certificate will be valid.
    # Default value: 24 
    ;self_sign_cert_valid_months = 24
    self_sign_cert_valid_months = 360
    
    ↑ Set the validity period of the self-signed certificate (360 months)
    
    [backend-userroot]
    # create_suffix_entry (bool)
    # Description: Set this parameter to "True" to create a generic root node entry for the suffix in the database.
    # Default value: False 
    create_suffix_entry = true
    
    ↑ Enable creation of the suffix entry in advance
    
    # require_index (bool)
    # Description: Set this parameter to "True" to refuse unindexed searches in this database.
    # Default value: False 
    ;require_index = False
    
    # sample_entries (str)
    # Description: Set this parameter to 'yes' to add latest version of sample entries to this database.  Or, use '001003006' to use the 1.3.6 version sample entries.  Use this option, for example, to create a database for testing purposes.
    # Default value: no 
    ;sample_entries = no
    
    # suffix (str)
    # Description: Sets the root suffix stored in this database.  If you do not uncomment and set the suffix attribute the install process will NOT create the backend/suffix.  You can also create multiple backends/suffixes by duplicating this section.
    # Default value:  
    suffix = dc=localhost,dc=localdomain
    
    ↑ Specify the suffix
    
    
  4. Run the initial setup from the template
    # dscreate from-file /etc/dirsrv/initialize.inf 
    

Configuration changes

As installed, passwords are stored in the PBKDF2_SHA256 scheme, which some software such as Dovecot cannot read, so change the setting beforehand.

※ Passwords are stored in the scheme in effect at the time the data is loaded, so do this before loading any data.
 If data has already been loaded, it must be reloaded or the passwords reset.

  • Create the following LDIF file
    # vi /etc/dirsrv/passwordStorageScheme.ldif
    ----------
    dn: cn=config
    changetype: modify
    replace: passwordStorageScheme
    passwordStorageScheme: SSHA
    
    dn: cn=config
    changetype: modify
    replace: nsslapd-rootpwstoragescheme
    nsslapd-rootpwstoragescheme: SSHA
    
  • Apply the settings
    # ldapmodify -x -D "cn=Manager" -W -f /etc/dirsrv/passwordStorageScheme.ldif
    Enter LDAP Password: 
    modifying entry "cn=config" 
    
    modifying entry "cn=config" 
    
    
  • Confirm the settings were applied
    # ldapsearch -x -W -D "cn=Manager" -b cn=config |egrep "passwordStorageScheme|nsslapd-rootpwstoragescheme" 
    Enter LDAP Password: 
    passwordStorageScheme: SSHA
    nsslapd-rootpwstoragescheme: SSHA
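
As an added example (not part of the original page) of what the scheme change means in practice, the functions below build and verify userPassword values in the {SSHA} and {MD5} forms that pwdhash prints, and scan an LDIF export for entries still stored as PBKDF2_SHA256, which is how to find data that was loaded before the change. The hash layouts are assumed from LDAP convention and the sample LDIF is constructed.

```python
import base64
import hashlib
import os
from collections import Counter

# Assumed layouts (LDAP convention, not taken from this page): {SSHA} is
# base64(sha1(pw + salt) + salt) with an 8-byte salt; {MD5} is base64(md5(pw)).

def make_hash(scheme, password, salt=None):
    # Build a userPassword value in the "{SCHEME}base64" form that pwdhash prints.
    pw = password.encode()
    if scheme == "SSHA":
        salt = os.urandom(8) if salt is None else salt
        raw = hashlib.sha1(pw + salt).digest() + salt
    elif scheme == "MD5":
        raw = hashlib.md5(pw).digest()  # unsalted, like "pwdhash -s MD5"
    else:
        raise ValueError("unsupported scheme: " + scheme)
    return "{" + scheme + "}" + base64.b64encode(raw).decode()

def verify_password(stored, password):
    # True if password matches a stored {SSHA} or {MD5} value; other schemes -> False.
    scheme, sep, b64 = stored.lstrip("{").partition("}")
    raw = base64.b64decode(b64) if sep else b""
    if scheme == "SSHA" and len(raw) > 20:
        digest, salt = raw[:20], raw[20:]  # 20-byte SHA-1 digest, then the salt
        return hashlib.sha1(password.encode() + salt).digest() == digest
    if scheme == "MD5":
        return hashlib.md5(password.encode()).digest() == raw
    return False

def audit_schemes(ldif_text):
    # Count the scheme of every userPassword in an LDIF export, so entries loaded
    # before the change (still stored as PBKDF2_SHA256) can be found and reset.
    counts = Counter()
    for line in ldif_text.splitlines():
        if line.lower().startswith("userpassword:"):
            rest = line.split(":", 1)[1]
            # "userPassword:: <b64>" is the base64 form ldapsearch usually emits
            value = base64.b64decode(rest[1:]).decode() if rest.startswith(":") else rest.strip()
            scheme, sep, _ = value.lstrip("{").partition("}")
            counts[scheme if value.startswith("{") and sep else "cleartext"] += 1
    return counts
# Constructed sample export: two SSHA entries and one left over as PBKDF2_SHA256.
SAMPLE_LDIF = "\n".join([
    "dn: uid=alice,ou=Members,dc=localhost,dc=localdomain",
    "userPassword: " + make_hash("SSHA", "alice-pass"),
    "userPassword:: " + base64.b64encode(make_hash("SSHA", "bob-pass").encode()).decode(),
    "userPassword: {PBKDF2_SHA256}AAAIAAAAAAAA",
])
```

Run audit_schemes over the output of the ldapsearch shown in the verification section to list which entries still need their password reset.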
    

Loading data (LDIF)

  1. Create an LDIF file (example)
    ※ The suffix was already created by the template, so only entries beneath it are needed
    # vi /etc/dirsrv/initialize.ldif
    ----------
    dn: ou=Members,dc=localhost,dc=localdomain
    objectClass: organizationalUnit
    ou: Members
    
    dn: ou=Groups,dc=localhost,dc=localdomain
    objectClass: organizationalUnit
    ou: Groups
    
    … (remainder omitted) …
    
  2. Add the LDIF
    # ldapadd -x -D "cn=Manager" -W -f /etc/dirsrv/initialize.ldif 
    

Verification

  1. Verification (global configuration)
    # ldapsearch -x -W -D "cn=Manager" -b cn=config
    
  2. Verification (specifying a subtree)
    # ldapsearch -x -D "cn=Manager" -W -b dc=localhost,dc=localdomain "(objectClass=*)"