LDAP Linux HOWTO Luiz Ernesto Pinheiro Malere, malere@yahoo.com v1.03, 28 September 2000 aóFîn « <inachi@earth.interq.or.jp> v1.03j, 21 December 2000 ±Ì¶ÍALinux }Vɨ¯é LDAP (Lightweight Directory Access Protocol)T[oÌCXg[AÝèAÀsAÇÉÖ·éîñðڹĢ Ü·BܽALDAP f[^x[XÌì¬û@Af[^x[XÌîñÌXVÆ íA[~OANZXðÀ»·éû@ANetscape ÌAhX Ìpû @É¢ÄÌÚ×àڹĢܷB±Ì¶ÌåªÍA~VKåwÌ LDAP îñy[WÆ OpenLDAP Administrator's Guide ðîɵܵ½B ______________________________________________________________________ Ú 1. ͶßÉ 1.1 LDAP ÆÍH 1.2 fBNgT[rXÆÍH 1.3 LDAP ÍÇÌæ¤É®ì·éÌ©H 1.4 LDAP ÌobNGhAIuWFNgA®« 1.5 ±Ì¶ÌVµ¢o[W 1.6 Ó©ÆñÄ 1.7 [Xð 1.8 Ó« 1.9 ì ÆÆÓ 2. LDAP T[oÌCXg[ 2.1 OÉKvÈàÌ 2.2 pbP[WÌ_E[h 2.3 T[oÌWJ 2.4 \tgEFAÌÝè 2.5 T[oÌì¬ 3. LDAP T[oÌÝè 3.1 Ýèt@CÌtH[}bg 3.2 O[ofBNeBu 3.3 êÊobNGhfBNeBu 3.4 êÊf[^x[XfBNeBu 3.5 LDBM obNGhÅLfBNeBu 3.6 ¼ÌobNGhf[^x[X 3.7 ANZX§äÌá 3.8 Ýèt@CÌá 4. LDAP T[oÌÀs 4.1 R}hCIvV 4.2 LDAP T[oÌN® 4.3 LDAP T[oÌI¹ 5. f[^x[Xì¬/Çc[ 5.1 ICÅf[^x[Xð쬷éû@ 5.2 ItCÅf[^x[Xð쬷éû@ 5.3 LDIF tH[}bgÉ¢ijçÉ 5.4 ldapsearch, ldapdelete, ldapmodify [eBeB 6. ÇÁîñÆâ« 6.1 [~OANZX 6.1.1 ®«t@CÌÏX 6.1.2 IuWFNgNXt@CÌÏX 6.1.3 LDIF t@CÌì¬ 6.1.4 Netscape Navigator ÌÝè 6.1.5 LDAP T[oÌÄN® 6.2 Netscape ÌAhX 6.3 LDAP Migration Tools 6.4 LDAP ðp¢½FØ 6.5 OtBJÈ LDAP c[ 6.6 Logs 7. îñ¹ 7.1 URLs 7.2 Ð 7.3 RFC ______________________________________________________________________ 1. ͶßÉ ±Ì¶ÌåÈÚIÍALinux }VãÉ LDAP fBNgT[oðZbg AbvµÄp·é±ÆÅ·BÇÒÍALDAP T[oðCXg[AÝèA ÀsAÇ·éû@É¢ÄwÑÜ·B»ÌãALDAP NCAgÆ[ eBeBðp¢ÄfBNgÌîñði[Aæ¾AXV·éû@É¢ ÄàwÑÜ·BLDAP fBNgT[oÌf[Í slapd ÆæÎêAlX È UNIX vbgtH[Å®ìµÜ·B LDAP T[oÔÌ¡»ð©³ÇéÊÌf[ª èÜ·B±Ìf[Í slurpd ÆæÎêĢܷªA³µ ½è±êÉ¢ÄCÉ·éKvÍ èÜ ¹ñB±Ì¶ÅÍA ȽÌ[JhCÉfBNgT[rXðñ ·é slapd ðÀsµÜ·B¡»ÍµÈ¢ÌÅ slurpd Íg¢Ü¹ñB ±Ì¶ÅྷéÌÍASÒÉÆÁÄ¿å¤Çæ¢öxÌÈPÈT[oÌ Â«\zÅ·ªA]ÞÈçãÅÊÌÝèÉAbvO[h·é±ÆàÈPÅ ·B±Ì¶ÉڹĢéîñÍALDAP vgRðp·é梫ªªè ÆÈèÜ·B¨»ç±Ì¶ðÇñ¾ãÉÍAT[oÌ\Íðg£µ½èA ³çÉÍ C, C++, Java JLbgÈÇðgÁÄNCAgð«½ÈÁ ½è·é±Æŵå¤B 1.1. LDAP ÆÍH LDAP ÆÍAfBNgT[rXÉANZX·é½ßÌNCAgT[o vgRÅ·B±êÍ X.500 ÌtgGhƵÄgíêĢܵ ½ªAX^hA[ÌfBNgT[oâ¼ÌíÞÌfBNgT[ oÅàg¦éæ¤ÉÈèܵ½B 1.2. 
fBNgT[rXÆÍH fBNgÍf[^x[XÉĢܷªAæèLqIÅ®«x[XÌîñ ðÜÞæ¤ÉÈÁĢܷBêÊÉfBNgÌîñÍAÝæèàÇ oµÌûª¸ÁƽsíêÜ·Bµ½ªÁÄAêÊIÈf[^x[XÅåÊ Ì¡GÈXVðs¤½ßÉp¢çêé¡GÈgUNVâ[obN @\ðfBNgÅÍÊíÀµÜ¹ñBfBNgÌXVÍAÊÍ all-or-nothing ÌPÈ«·¦Éܹ߬ñB fBNgÍAåÊÌÆï é¢Íõìɦūéæ¤ÉÅK»³ê ĢܷBÒ¦ÆM«ðüãA©ÂX|X^Cð¸ç·½ßÉA fBNgÉÍîñðL¡»·é\ͪ èÜ·BfBNgîñª¡ »³êÄ¢éêAêIÈs®ª¶·é©àµêܹñªAèúIɯ úðÆéæ¤ÉµÄ¨¯Îâè èܹñB fBNgT[rXÌñû@ÉÍFXÈíÞª èÜ·B±Ì½ßAfB NgÉÛ¶·éîñÌíÞª½lÉÈèAêûÅÍîñÌQÆAâ¹A XVâAFسêÈ¢ANZX©çÇÌæ¤Éîñðçé©ÈÇÉÖµÄFX Èvª¶¶Ü·BÇIÅAÀçê½ÎÛ(½Æ¦ÎAPêÌ}VÌ finger T[rXÈÇ)ÌÝÖÌT[rXðñ·éæ¤ÈfBNgT[r Xª éêûAåæIÅAÍé©ÉL¢ÎÛÉT[rXðñ·éæ¤ÈT[ rXà èÜ·B 1.3. LDAP ÍÇÌæ¤É®ì·éÌ©H LDAP fBNgT[rXÍANCAgT[ofðîÉµÄ¢Ü ·BêÂÈãÌfBNgT[oªALDAP fBNgc[ é¢Í LDAP obNGhf[^x[Xð\¬·éf[^ðÛLµÄ¢Ü·B LDAP NCAgÍ LDAP T[oÉÚ±µA»ÌT[oÉεĿâµÜ·B±Ì ¿âÉεÄT[oÍñðÔ·©ANCAgª³çÉîñðTµo¹é êÖÌ|C^(ÊíÍÊÌLDAPT[o)ðԵܷBNCAg©çÍA ÇÌ LDAP T[oÉÚ±µÄàfBNgͯ¶æ¤É©¦Ü·B é LDAP T[oÉñ¦µ½¼OÍÊÌ LDAP T[oÅ௶GgðQÆµÜ ·B±êÍALDAP Ìæ¤ÈåæIfBNgT[rXÌdvÈÁ«Å·B 1.4. LDAP ÌobNGhAIuWFNgA®« slapd ÉÍíÞÌÙÈéOÂÌobNGhf[^x[Xªt®µÄ¢ÄAÇ êðIÔ©Í[UÌ©RÅ·BLDBM ÍfBXNx[X̬Èf[^x[ XÅ·BSHELL Í UNIX R}h é¢ÍXNvgÉηéf[^x[XC ^tF[XÅ·BPASSWD ÍÈPÈpX[ht@Cf[^x[XÅ·B ±Ì¶ÅÍ LDBM f[^x[XðIð·éàÌƵܷB LDBM f[^x[XÍAf[^x[XÌeGgÉSoCgÌRpNg ÅêÓȯÊqðèÄé±ÆÉæÁĬè§ÁĢܷB±Ì¯ÊqÍõ øÌGgðQÆ·é½ßÉgíêÜ·Bf[^x[XÉÍAid2entry Æ¢¤êÂÌåõøt@CªÜÜêÜ·B±êÍAGgÌêÓÈ¯Ê q(EID)ðGg©ÌÌeLXg\»É}bvµÜ·B»Ì¼Ìõøt@C à¯lÉdzêÜ·B LDAP x[XÌfBNgT[oÔÅfBNgîñðC|[g¨æÑ GNX|[gµ½èAfBNgÉKp³êéPZbgÌÏXðLq·éÉ ÍAÊ LDIF (LDAP Data Interchange Format)Æ¢¤tH[}bgªgíê Ü·B LDIF ÍAGgÌIuWFNgwüÌKwÅîñði[µÜ·B± ê©çp·é LDAP \tgEFApbP[WÉÍA LDIF t@Cð LDBM tH[}bgÉÏ··é[eBeBªt®µÄ¢Ü·B êÊÌ LDIF t@CÍÌæ¤ÈàeÉÈÁĢܷB dn: o=TUDelft, c=NL o: TUDelft objectclass: organization dn: cn=Luiz Malere, o=TUDelft, c=NL cn: Luiz Malere sn: Malere mail: malere@yahoo.com objectclass: person ãɦµ½Æ¨èAeGgͯʼ(distinguished name: DN)ÅêÓɯ ʳêÜ·BDN ÍAGg̼OÆGgðfBNgKwÌÅãÊ É³©ÌÚÁ½¼OÌpXÆ©çÈèÜ·B LDAP ÅÍAIuWFNgNXÍGgðè`·é½ßÉg¦é®«ÌW Üèðè`µÜ·BLDAP ÌWÅÍAÌæ¤ÈIuWFNgNXÌî{ ^ðñµÄ¢Ü·B o fBNgÌO[v -- ±êÉÍAÂXÌIuWFNgÌȵ Xg é¢ÍIuWFNgÌO[vªÜÜêÜ·B o Ý -- ¼âLqÈÇB o fBNgÌgDB o fBNgÌlXB GgÍñÂÈãÌIuWFNgNXɮūܷB½Æ¦ÎAl̽ ßÌGgÍAIuWFNgNX person Åè`µÜ·ªAIuWFNg 
NX inetOrgPerson, groupOfNames, organization Ì®«ÉæÁÄàè` Å«Ü·BT[oÌIuWFNgNX\¢(»ÌXL[})ÍAÁèÌGg Év³ê½®«Æ³êĢ鮫ÌXgSÌðèµÜ·B [ó] ±±ÅÍu®(belong)vÆ¢¤¾tª ¢Ü¢ÉgíêÄ¢Ü ·BinetOrgPerson Í person ©çh¶µÄ¢éÌÅA inetOrgPerson ÌG gͼûÌIuWFNgNXÌGgƾ¦Ü·BܽA\¢^ÌI uWFNgNXÆâ^ÌIuWFNgNXðgÝí¹½Ggð ìÁ½êà¡ÌIuWFNgNXÉu®vµÄ¢éƾ¦éÅµå ¤Bµ©µAgroupOfNames Æ organization Ílðè`·éàÌÅÍÈA lð\»·éGgð DN ÅQÆū龯ŷB fBNgÌf[^ÍA®«ÆlÌyAƵÄ\»³êÜ·BîñÌ¢©È éªàLqIÈ®«ÆÖAt¯çêĢܷB ½Æ¦ÎA®« commonName (cn)ÍAl̼Oði[·é½ßÉg¢Ü·B¼ Oª Jonas Salk Å élÍAfBNgÅÍÌæ¤É\¹Ü·B cn: Jonas Salk fBNgÉi[·éelÍAIuWFNgNX person Ì®«ÌWÜ èÉæÁÄè`³êÜ·B±ÌGgðè`·é½ßÉgíêé¼Ì®«É ÍÌæ¤Èà̪ èÜ·B givenname: Jonas surname: Salk mail: jonass@airius.com Kv®«(required attribute)ÆÍAIuWFNgNXðg¤GgÉ^ ¦È¯êÎÈçÈ¢®«Ì±ÆÅ·B·×ÄÌGgÍ objectClass ®« ðKvƵܷB±êÍ»ÌGgª®·éIuWFNgNXÌXg ðwè·éàÌÅ·B ®«(allowed attribute)ÆÍAIuWFNgNXðg¤GgÉ^ ¦é±ÆÌū鮫̱ÆÅ·B½Æ¦ÎAIuWFNgNX person É ¨¢ÄA®« cn Æ sn ÍKv®«Å èA®« description, telephoneNumber, seeAlso, userpassword Í®«Å ÁÄKv®«ÅÍ èܹñB e®«ÍAηéV^bNXè`ðÁĢܷB±ÌV^bNXè` ÍA®«ÉæÁÄñ³êéîñÌ^CvðLqµÜ·B bin oCi ces p嬶ðæÊ·é¶ñ(ärÌÛÉp嬶Ìá¢ð³µÈ ¢) cis p嬶ðæʵȢ¶ñ(ärÌÛÉp嬶Ìá¢Í³· é) tel dbÔ̶ñ(cis ÉÄ¢éªAärÌÛÉuNÆ_bV `-' ð³·é) dn ¯Ê¼ IuWFNgNXÆ®«Ìè`ªVXeÌÇ±É é©ðméÉÍA ``LDAP T[oÌÝè''ÌÅÌiðQƵľ³¢B 1.5. ±Ì¶ÌVµ¢o[W ±Ì¶ÍAÇÒæèó¯æÁ½tB[hobNðx[XɵÄC³ÆXVð sÁĢܷB±Ì HOWTO ÌVµ¢o[WÍÌƱëÅ©êÜ·B http://www.mobilesoft.com.br/HOWTO/LDAP-HOWTO.html 1.6. Ó©ÆñÄ ±Ì¶É éîñÉ¢Ľç©Ì^⪠êÎAemail ÅÉAµÄ ¾³¢B(malere@yahoo.com) RgâñĪ éêàÉmç¹Ä¾³¢B 1.7. [Xð ±ÌßÉÍA±Ì¶Ì[XêðútÉڹĢܷBe[XÉ Â¢ÄÍAOo[W©çÌÏX_AVKÇÁÚAC³_ðLµÄ¢Ü ·B v1.0: 20 June 1999, úo[W v1.01: 15 February 2000, ÌßðÇÁ o LDAP Migration Tools o LDAP ðp¢½FØ o OtBJÈ LDAP c[ o RFC v1.02: 13 September 2000, ëÌC³¨æÑÌßÌÇÁ o [Xð v1.03: 28 September 2000, OpenLDAP 2.0 Ìà¾ÌÇÁB±êÍ Ldap v3 (RFC2251 <ftp://ftp.isi.edu/in-notes/rfc2251.txt>) ðæèñÅ¢Ü ·B [ó] ZúÔÅ OpenLDAP 2.0 ÌîñðæèñÅê½ÌÍæ¢ÌÅ· ªA»Ì¹¢© OpenLDAP 1.2,x ÌîñÆ 2.0.x Ìîñª¬µÄ¢Ü·B óÒÌCâ½Æ±ëÍóŦµÄ¨«Ü·B 1.8. 
Ó« ±Ì HOWTO ¶ÍAI_Ì TUDelft åwŪתÄç쬵½àÌ Ì¬ÊÅ·B±Ì¶ðæ¤É©ßÄê½lXA Rene van Leuken Æ Wim Tiwon É´Óµ½¢B{É èªÆ¤BÞçàƯ¶ Linux t@ Å·B »ê©çA̶Év£µÄê½hCcêÅ LDAP-HOWTO Ì|óÒÅ é Thomas Bendler ÆALDP vWFNgÌÌåÈé{eBAÅ é Joshua Go Éà´Óµ½¢B 1.9. ì ÆÆÓ ±Ì LDAP Linux HOWTO Ìì ÍA1999 NÈ~ Luiz Ernesto Pinheiro Malere É èÜ·B±Ì¶Í©RÉzzÅ«Ü·B±Ì¶ðÏXµÄÍ ÈèܹñB½ç©ÌñĪ éêÉÍ email ÅÉAµÄ¾³¢ (»ÌñĪLøÈçAª¶ðÏXµÜ·)B |gKêÈÇÉ|óµ½¢êà email ÅÉAµÄ¾³¢B ±Ì¶ÌàeÉ¢ÄÍêØÌÓCð¢Ü¹ñB±Ì¶É éèÉ ]Á½ÊÉ¢ÄAÍêØÌÓCð¿Ü¹ñB ±ÌÉ¢Ä^â_ª éÈçÎALinux HOWTO ÇÒÉAµÄ¾³¢ (linux-howto@metalab.unc.edu)B 2. LDAP T[oÌCXg[ LDAP T[oðCXg[·éÉÍAOÉKvÈpbP[WÌCXg[ (ùÉCXg[³êĢȢê)ALDAP T[o\tgEGFAÌ_E [hA\tgEFAÌWJAMakefile ÌÝèAT[oÌì¬ÌÜÂÌX ebvªKvÅ·B 2.1. OÉKvÈàÌ [ó] ±ÌßÍî{IÉ OpenLDAP 2.0.x ÉÖµÄྵĢܷB LDAPv3 É®S·é½ßÉAOpenLDAP ÌNCAgÆT[oÍÉ ° é\tgEFAªCXg[³êÄ¢é±ÆðKvƵܷB OpenSSL TLS Cu OS ÉæÁÄͱÌCuªîÕVXeÌê é¢ÍIvVÌ\ tgEFAR|[lgƵÄñ³êÄ¢é©àµêܹñªAOpenSSL ͽ¢Ä¢ÊÉCXg[ªKvÆÈèÜ·B OpenSSL Í http://www.openssl.org <http://www.openssl.org> ©çüèÅ«Ü·B Kerberos FØT[rX OpenLDAP ÌNCAgÆT[oÍAKerberos x[XÌFØT[rXðT| [gµÜ·BÁÉ OpenLDAP ÅÍAHeimdal © MIT Kerberos V pbP[WÌ ¢¸ê©ðp¢½ SASL/GSSAPI FØ@\ðT|[gµÜ·B Kerberos x[ XÌ SASL/GSSAPI FØðg¤ÌÅ êÎA Heimdal © MIT Kerberos V ðC Xg[µÄ¨¢Ä¾³¢B Heimdal Kerberos Í http://www.pdc.kth.se/heimdal <http://www.pdc.kth.se/heimdal> ©çüè Å«Ü·B MIT Kerberos Í http://web.mit.edu/kerberos/www <http://web.mit.edu/kerberos/www> ©çüèÅ«Ü·B Kerberos ªñ· éæ¤ÈÅÈFØT[rXÌpð©ßÜ·B Cyrus"s Simple Authentication and Security Layer Cu OS ÉæÁÄͱÌCuªîÕVXeÌê é¢ÍIvVÌ\ tgEFAR|[lgƵÄñ³êÄ¢é©àµêܹñªA Cyrus SASL ͽ¢Ä¢ÊÉCXg[ªKvÆÈèÜ·B Cyrus SASL Í http://asg.web.cmu.edu/sasl/sasl-library.html <http://asg.web.cmu.edu/sasl/sasl-library.html> ©çüèÅ«Ü ·BCyrus SASL ÍAOpenSSL Æ Kerberos/GSSAPI ÌCuªCXg[ ³êÄ¢êÎA»êçðg¤æ¤ÉÈèÜ·B f[^x[X\tgEFA OpenLDAP Ì slapd ÌåvÈf[^x[XobNGh LDBM ÍAGgX g[WÉg¤f[^x[XpbP[WðKvƵܷB LDBM Ìf[^x[ XÉÍ Sleepycat Software Ì BerkeleyDB (§) é¢Í Free Software Foundation Ì GNU Database Manager (GDBM) ðpÅ«Ü·B configure XNvgðÀs·éÆ«ÉA±êçÌpbP[WÌÇ¿çàpūȯê ÎA±ÌåvÈf[^x[XobNGhðT|[gµ½ slapd ð\zÅ« ܹñB 
±êçñÂÌpbP[WÍAǿ穪îÕVXeÌê é¢ÍIvV Ì\tgEFAR|[lgƵÄñ³êÄ¢é©àµêܹñµA© ªÅ\tgEFAðüèµÄCXg[·éKvª é©àµêܹñB BerkeleyDB Í Sleepycat Software Ì _E[hy[W http://www.sleepycat.com/download.html <http://www.sleepycat.com/download.html> ©çüèÅ«Ü·B±êð¢ Ä¢é_ÅÌÅV[XÅ éo[W 3.1 ª¨©ßÅ·B GDBM Í FSF Ì_E[hTCg ftp://ftp.gnu.org/pub/gnu/gdbm <ftp://ftp.gnu.org/pub/gnu/gdbm> ©çüèÅ«Ü·B±êð¢Ä¢é _Åo[W 1.8 ªÅV[XÅ·B Xbh OpenLDAP ÍXbhÌ_ð©¹éæ¤ÉÝv³êĢܷB OpenLDAP Í POSIX pthreads, Mach CThreads ÈÇÆ¢Á½³Ü´ÜÈXbhn ðT|[gµÄ¢Ü·Bconfigure XNvgªK³ÈXbhTuVXe ðoÅ«È¢êA configure Ís½ð¾ÁÄ«Ü·B±êªN«½ê ÉÍAOpenLDAP FAQ http://www.openldap.org/faq <http://www.openldap.org/faq> Ì Software - Installation - Platform Hints ÌZNVð²×ÄÝľ³¢B TCP Wrappers TCP wrappers (IP xÌANZX§ätB^)ªOÉCXg[³ê Ä¢êÎAslapd Í»êðT|[gµÜ·BñöJÌîñðÂT[oÉ¢ ÄÍ TCP wrappers â»Ì¼Ì IP xÌANZXtB^(IP xÌ t@CEH[Éñ³êéàÌÈÇ)Ìpð©ßÜ·B 2.2. pbP[WÌ_E[h t[Ézz³êÄ¢é LDAP T[oÉÍA~VKåwÌ LDAP T[oÆ OpenLDAP T[oÌñª èÜ·BܽAÁèÌð̺ÅÌÝt[Å éàÌÉ Netscape fBNgT[oª èÜ·(½Æ¦ÎA³ç@ÖÍt [ÅpÅ«Ü·)BOpenLDAP T[oÍA~VKåwÌT[oÌÅVo[ WðîɵĢÄA[OXgÆ OpenLDAP Åð§ÂÇÁ̶ª èÜ·B±Ì¶ÅÍAOpenLDAP ðp·é±ÆɵܷB OpenLDAP ÌÅVÌ tar+gzip o[WÍAÌƱë©çüèÅ«Ü·B http://www.openldap.org ~VKåwÌT[oÌÅVo[Wª~µ¢ÈçAÌƱë©çüèÅ «Ü·B ftp://terminator.rs.itd.umich.edu/ldap ±Ì¶ðÛÉÍñÂÌo[WÌ OpenLDAP pbP[Wðg¢Üµ ½BêÂÍÅVÌÀèÅ 1.2.11 ÅAà¤êÂÍVKÉ[X³ê½ 2.0.4 Å·BªgÁÄ¢é OS Í J[l 2.2.13 Ì Slackware Linux Å·B OpenLDAP ÌTCgÉÍAOpenLDAP T[oÌÅVÌJÅÆÀèŪu©êÄ ¢Ü·B±Ì¶ðXVµ½_ÅAÅVÌÀèÅÍ openldap- stable-20000704.tgz Å·BÅVÌJÅÍ openldap-2.0.4.tgz Å·B [ó] ±±Å¢¤JÅÍÀÛÉÍ[XÅÅ·B|ó_ÅÌÅVÌ [XÅÍ openldap-2.0.7.tgz ÅAJÅÍ èܹñBÀèÅÍ OpenLDAP 1.2.11 x[XÌàÌÅ·B 2.3. T[oÌWJ ³ÄA[J}VÉ gzip ÅÅßçê½pbP[WðàÁÄ«ÄA»êð WJ·é±Æɵܵå¤B ܸA±ÌpbP[Wð /usr/local ÈÇÌ]ÝÌfBNgÉRs[µÜ ·B »µÄÌR}hðÀsµÜ·B tar xvzf openldap-stable.tgz ÌR}hÅ௶±ÆªÅ«Ü·B gunzip openldap-stable.tgz | tar xvf - 2.4. 
\tgEFAÌÝè ¢Â©ÌIvVªpÓ³êÄ¢ÄA±êçðJX^}CY·é±ÆÉæ èACXg[·éTCgÉÅKÈ\tgEFAªì¬Å«Ü·B ±Ì\tgEFAÌÝèÉÍAñÂÌXebvµ©Kv èܹñB o \tgEFAðWJµ½fBNgzºÌTufBNg include É ét@C ldapconfig.h.edit ðÒW·éB o configure XNvgðÀs·é( Ƚª^tKCÈçÎAconfigure X NvgðÀs·éãíèÉ Make-common t@CðÒW·é±ÆàÅ« Ü· :^)B [ó] »ÝÌ OpenLDAP ÉÍ Make-common t@CͶݵܹñB t@C include/ldapconfig.h.edit ÅÍAslapd Æ slurpd f[Ì ÝÈÇÌIvVðÝèÅ«Ü·B±Ìt@C©Ìæߪ¯çêÄ ¢ÄAftHgÌÝèÍÅàêÊIÈÇÒÌIðð½fµÄ¢éÌÅA} ¢Å¢éÈç±ÌXebvðȪµÄ¾³¢B vi include/ldapconfig.h.edit OpenLDAP T[oÌzz\[XÉÍACXg[·éfBNgâRp CÆJÌtOÈÇÌIvVðwè·é½ßÌÝèXNvgªt ®µÄ¢Ü·B\tgEFAðWJµ½fBNgÅÌæ¤É^CvµÄ ¾³¢B ./configure --help ±êÍA\tgEFAð쬷éOÉ configure XNvgÅJX^}CY Å«é·×ÄÌIvVðóµÜ·BCXg[·éfBNgðÝ è·éÉÍA--prefix=pref, --exec-prefix=eprefix, --bindir=dir ÌIv VªLpÅ·BÊÉIvVȵŠconfigure ðÀs·êÎAKØ ÈÝèð©®oµAftHgÌêÊIÈêÉCXg[·éæ¤É õµÜ·BÆ¢¤±ÆÅA»Ìæ¤ÉµÄÝܵå¤B ./configure oÍð²×ÄA·×ĤܢÁ½©ðmFµÄ¾³¢B 2.5. T[oÌì¬ \tgEFAðÝèµI¦½çA\tgEFAÌì¬ðͶßé±ÆªÅ«Ü ·BܸAÌR}hðgÁÄ˶ÖWð쬵ܷB make depend »ÌãAÌR}hðgÁÄT[oð쬵ܷB make ·×ĤܢÁ½ÈçAÝ赽ƨèÉ쬳êÄ¢éŵå¤B»¤Å ȯêÎAOÌXebvÉßÁÄÝèµ½àeð²×ľ³¢B\tgEF AðWJµÄÅ«½fBNg̺ÌpX doc/install/hints É év bgtH[ÅLÌqgðmFµÄÝľ³¢B ³ AoCiÆ man y[WðCXg[µÜµå¤B±êðs¤ÉÍ(C Xg[·éêÉàæèÜ·ª)X[p[UÉÈéKvª éÅµå ¤B su make install ±êÅ®¹Å·B ȽÍT[oÌoCiƻ̼¢Â©Ì[eB eBÌoCiðèÉüêܵ½B``LDAP T[oÌÝè''ÉiñÅA LDAP T[oÌÝèû@ð©Ä¾³¢B OpwnLDAP 2.0 T[oÌoCiÍ slapd Æ¢¤¼OÅ·B OpenLDAP 2.0 Í 8 30 úɳ®É[X³êܵ½B±êÍ RFC 2251 Éè`³ê½ LDAP vgR v3 ðæèñŢܷB OpenLDAP 2.0 ÌåÈÁ¥ðÉ °Ü·B o LDAPv2 Æ LDAPv3 (RFC2251-2256,2829-2831) ÌT|[g o ù¶ÌNCAgÆÌÝ·«ÌÛ o IPv4 Æ IPv6 ÌT|[g o ÍÈFØ@\(SASL) (RFC2829) o Start TLS (RFC2830) o ¾ê^O(RFC2596) o DNSx[XÌT[rXP[V(RFC2247+"locate" C^[lbgh tg) o X^hA[T[oÌ» o ¼O«QÆ/ManageDsaIT ("nameref" C^[lbghtg) o ANZX§äTuVXeÌ» o Xbhv[O o vGveBuXbhÌT|[g o ¡XiÌT|[g o LDIFv1 (RFC2849) o vbgtH[/TuVXeÌoÌüP LFLinux Documentation Project (LDP)ÅÍ LDAP Implementation HOWTO Æ¢¤¶ðpÓ·é\èÅ·B±Ì¶Í OpenLDAP 2.0 ÌV@\ð²×½ ¢lÉÆÁÄ·Îçµ¢îñ¹ÆÈéŵå¤B±Ì¶Í 2000 NÌ 12 É[X³êé\èÅ·B OpenLDAP pbP[WÌÅVÅÅÍA¡ì¬µ½oCiðeXg·é±Æà Å«Ü·BpbP[WÉÍeXgXNvgªt®µÄ¢ÄAÌæ¤ÉµÄ ÀsÅ«Ü·B make test [ó] ±ÌeXgû@Í OpenLDAP 2.0.x ÌêÅ·B 
OpenLDAP 1.2.x Å Í tests TufBNgÉÚÁÄ©ç make µÜ·B XNvgŽ©«¢±ÆªN«½Èç Ctrl-C ðü͵ÄXNvgÌÀs ðfÅ«Ü·BÌêAXNvgÌÀsª®SÉI¹·éOÉXNv gÌÀsªâ~µÜµ½BÆà©àAÌ OpenLDAP ÌÝèÅà¢Â©Ì ¬÷(successfull)ÌbZ[WðmFūĢܷ [ó] óÒÌ«(Vine Linux 2.1 + OpenLDAP 2.0.7)ŵ½Æ±ëÅÍA âèÈ·×ÄÌeXgðpXµÜµ½B 3. LDAP T[oÌÝè [ó] ±ÌÍÌà¾Íî{IÉ OpenLDAP 2.0.x ÉîâĢܷB \tgEFAÌCXg[ª®¹µ½çA ȽÌTCgÅp·é½ßÌ ÝèðµÜµå¤Bslapd C^CÝèÌ·×ÄÍAslapd.conf t@C ðƨµÄs¢Ü·B±Ìt@CÍ configure XNvgÅwèµ½ prefix fBNg(ftHgÍ /usr/local/etc/openldap)ÉCXg[ ³êĢܷB ±ÌßÅÍ slapd.conf ÅægíêéÝèfBNeBuÉ¢ÄÚµà ¾µÜ·BSfBNeBuÌXgÉ¢ÄÍ slapd.conf(5) }j A y[WðQƵľ³¢BBÝèt@CÌfBNeBuÍAO[o AobNGhÅLAf[^ÅLÌJeSɪ¯Ä¢Ü·BefBN eBuÉ¢ÄÍA»Ìà¾ÆÆàÉ(ൠêÎ)»ÌftHglÆÝèá ð¦µÜ·B 3.1. Ýèt@CÌtH[}bg t@C slapd.conf ÍAO[oAobNGhÅLAf[^x[XÅL ÌR^CvÌÝèîñ©ç¬èÜ·BܸÅÉwè·éÌÍO[oîñ Å èA»ÌãÉÁèÌobNGhíÊÉÖAµ½îñª±«A³çÉ»Ì ãÉÁèÌf[^x[XÀÌÉÖAµ½îñª±«Ü·B O[ofBNeBuÍãÌobNGhâf[^x[XÝèÌfBN eBuÅã«Å«AobNGhÝèfBNeBuÍf[^x[XÝè fBNeBuÅã«Å«Ü·B uNsÆ '#' ¶ÅnÜéRgsͳ³êÜ·BsªóÅn ÜÁÄ¢éêAOÌs©çÌp±Å éÆÝȳêÜ·B slapd.conf Ìê ÊIÈtH[}bgÍÌæ¤ÉÈèÜ·B # O[oÝèfBNeBu <O[oÝèfBNeBu> # obNGhè` backend <typeA> <obNGhÅLfBNeBu> # PÔÚÌf[^x[Xè` & ÝèfBNeBu database <typeA> <f[^x[XÅLfBNeBu> # QÔÚÌf[^x[Xè` & ÝèfBNeBu database <typeB> <f[^x[XÅLfBNeBu> # ±«Ìf[^x[Xè` & ÝèfBNeBu ... ÝèfBNeBuÌÉÍøðÆéà̪ èÜ·BøÌ éêÉÍ óÅæØÁÄÀ×Ü·BøÉóðÜß½¢êÉÍAøðñdøp ÅÍÝÜ·BøÉñdøpâobNXbV ¶ `\' ðÜß½¢ê ÉÍA»Ì¶ÌOÉobNXbV ¶ `\' ðu«Ü·B OpenLDAP Ìzz¨ÌÉÍÝèt@CÌTvªt¢Ä«Ü·B±êÍ Ê /usr/local/etc/openldap fBNgÉCXg[³êÜ·BXL [}è`(®«^ÆIuWFNgNX)ðÜñ¾t@Cà /usr/local/etc/openldap/schema fBNgÉñ³êĢܷB 3.2. 
O[ofBNeBu ±ÌßÅྷéfBNeBuÍAobNGhܽÍf[^x[XÌè` ÅÁÉ㫵ȢÀèA·×ÄÌobNGhÆf[^x[XÉKp³êÜ ·BÀÛÌeLXgÅu«·¦éfBNeBuÌøÍuPbg <> Ŧ µÜ·B access to <what> [ by <who> <accesslevel> <control> ]+ ±ÌfBNeBuÍAGg⮫ÌPZbg(<what> Éwè)É Î·éANZX (<accesslevel> Éwè)ðPlÈãÌvÒ(<who>É wè)É^¦Ü·BæèÚµÍuANZX§ävÌáðQƵľ ³¢B attributetype <RFC2252 Attribute Type Description> ±ÌfBNeBuÍ®«^ðè`µÜ·B defaultaccess { none | compare | search | read | write } ±ÌfBNeBuÍAaccess fBNeBuªwè³êÄ¢È¢Æ «ÉAvÒÉ^¦éftHgÌANZX ðwèµÜ·BÇÌAN ZX xàæèºÊÌANZX xðÃÉ^¦Ü· (½Æ¦Î read ANZX ÍAsearch, compare ANZX ðÃÉ^¦Ü·ª write ANZX Í^¦Ü¹ñ)B ftHgÌÝèÍÌƨèÅ·B defaultaccess read idletimeout <integer> AChóÔÌNCAgÚ±ð§IÉØf·éÜÅÌbðwè µÜ·Bidletimeout Ìlª 0 Å éÆ(ftHg) ±Ì@\ͳø ÉÈèÜ·B include <filename> ±ÌfBNeBuÍAslapd ª»ÝÌt@CÌÌsÉiÞOÉA ^¦½t@C©çÇÁÌÝèîñðÇÝÞ±ÆðwèµÜ·Bæè Þt@CÍAÊíÌ slapd Ýèt@CÌtH[}bgÉ]¢Ü ·Bt@CÌæÝÍêÊÉXL[}wèÌLq³ê½t@Cðæ èÞÌÉgíêÜ·B LF±ÌfBNeBuÌæµ¢ÉÍӵľ³¢ - üêqÉ ÈÁ½ include fBNeBuɧÀÍÈAinclude ª[vÉ ÈÁ½êÅào³êܹñB loglevel <integer> ±ÌfBNeBuÍAfobOîñÆìÌvlð syslog ÉoÍ ·éxðwèµÜ·(»ÝÌƱëAsyslogd(8) Ì LOG_LOCAL4 t@VeBÉL^³êÜ·)B±ÌIvVªLøÉÈéæ¤É· éÉÍ OpenLDAP ð --enable-debug t«(ftHg)Å configure µÈ¯êÎÈèܹñ(vÉÖ·éñÂÌxÍáOÅA±êçÍ íÉpÂ\Å·)BÇÌfobNɽ̪εĢéÌ©ð²× éÉÍ -d ? ðwèµÄ slapd ðN®·é©AȺÌ\ðQlÉµÄ ¾³¢B<integer> ÉwèÂ\ÈlÉÍÌà̪ èÜ·B [ó] OpenLDAP 2.0.x ÅÍ slapd Ì -d ? 
w誳Èèܵ½B -1 ·×ÄÌfobOxðLøÉ·é 0 fobOµÈ¢ 1 ÖÄoµÌg[X 2 pPbgÌfobO 4 Ú×ÈfobOg[X 8 Ú±Ç 16 pPbgóMÌó 32 õtB^ 64 Ýèt@C 128 ANZX§äXg 256 Ú±/ì/ÊÌvO 512 GgMÌvO 1024 shell obNGhÆÌÊMÌó 2048 GgðÍÌfobOó ½Æ¦ÎÌæ¤ÉwèµÜ·B loglevel 255 é¢Í loglevel -1 ±Ìæ¤ÉÝè·éÆAåÊÌfobOîñªL^³êÜ·B ftHgÌÝèÍÌƨèÅ·B loglevel 256 objectclass <RFC2252 Object Class Description> ±ÌfBNeBuÍIuWFNgNXðè`µÜ·B referral <URI> ±ÌfBNeBuÍAvð·é½ßÌ[Jf[^x[Xð ©Â¯çêÈ©Á½êÉANCAgÉß·ÐîæðwèµÜ·B ½Æ¦ÎÌæ¤ÉwèµÜ·B referral ldap://root.openldap.org ±êÍAOpenLDAP vWFNgÌO[o[g LDAP T[oÉñ[ JÈâ¹ðÐî·é±ÆðwèµÜ·B«¢ LDAP NCAgÈç ß³êéT[oÉÄvð·éŵ太A»Ìæ¤ÈNCAgÌÙ ÆñÇÍAzXg¼ÌªÆIvV̯ʼ̪ÆðÁ½PÈ LDAP URL Ìû@ðmÁĢ龯ŷB sizelimit <integer> ±ÌfBNeBuÍAõì©çÔ·GgÌÅåðwèµÜ ·B ftHgÌÝèÍÌƨèÅ·B sizelimit 500 timelimit <integer> ±ÌfBNeBuÍAslapd ªõvÌÉg¤Ååb(À Ô)ðwèµÜ·B±ÌÔàÉvªB¹çêȯêÎAÔ§Àð ´ßµ½±Æð¦·ÊðԵܷB ftHgÌÝèÍÌƨèÅ·B timelimit 3600 3.3. êÊobNGhfBNeBu ±ÌßÌfBNeBuÍA»ÌfBNeBuªè`³êÄ¢éobNG hÉÌÝKp³êÜ·B±êçÌfBNeBuÍSíÊÌobNGhÅT |[g³êÜ·BobNGhfBNeBuÍA¯íÊÌ·×ÄÌf[^x [XÀÌÉKpµÜ·ªAfBNeBuÉæÁÄÍf[^x[XfBN eBuÅ㫳êÜ·B backend <type> ±ÌfBNeBuÍAobNGhè`ÌnÜèð¦µÜ·B <type> ÉÍAldbm, shell, passwd ÈÇT|[g³êÄ¢éobNG híÊÌÇê©ðwèµÜ·B 3.4. 
êÊf[^x[XfBNeBu ±ÌßÌfBNeBuÍA»ÌfBNeBuªè`³êÄ¢éf[^x[ XÉÌÝKp³êÜ·B±êçÌfBNeBuÍSíÊÌf[^x[XÅT |[g³êÜ·B database <type> ±ÌfBNeBuÍVµ¢f[^x[XÀÌè`ÌnÜèð¦µÜ ·B<type> ÉÍAldbm, shell, passwd ÈÇAT|[g³êÄ¢éf [^x[XÌíÊÌ¢¸ê©ðwèµÜ·B ½Æ¦ÎÌæ¤ÉwèµÜ·B database ldbm ±ÌÝèÍAVµ¢ LDBM obNGhf[^x[XÀÌè`ÌnÜè𠦵ܷB readonly { on | off } ±ÌfBNeBuÍAf[^x[XðuÇæèêpv[hÉµÜ ·B±Ì[hÅf[^x[XðXVµæ¤Æ·éÆ "unwilling to perform" G[ªÔèÜ·B ftHgÌÝèÍÌƨèÅ·B readonly off replica <-- [orig] replica host=<hostname>[:<port>] [bindmethod={ simple | kerberos | sasl }] ["binddn=<DN>"] [mech=<mech>] [authcid=<identity>] [authzid=<identity>] [credentials=<password>] [srvtab=<filename>] --> replica host=<hostname>[:<port>] [bindmethod={ simple | kerberos | sasl }] ["binddn=<DN>"] [mech=<mech>] [authcid=<identity>] [authzid=<identity>] [credentials=<password>] [srvtab=<filename>] ±ÌfBNeBuÍA±Ìf[^x[XÌ¡»TCgðwèµÜ·Bp [^ host= ÍAX[u slapd ÌÀ̪ ézXgÆ|[g(Iv V)ðwèµÜ·B<hostname> ÍhC¼ é¢Í IP AhXð gÁÄwèµÜ·B<port> ª^¦çêĢȯêÎAWÌ LDAP |[g Ô(389)ªgíêÜ·B p[^ binddn= ÍAX[u slapd ÌXVÅoCh·é½ßÌ DN ð^¦Ü·B±êÍAX[u slapd Ìf[^x[XÉεÄANZX read/write ðÁ½ DN ɵȯêÎÈèܹñBÊíÍX[u slapd ÌÝèt@CÉ é rootdn ÉwèµÄ éàÌð^¦Ü·Bܽ±Ì DN ÍAX[u slapd Ýèt@CÌ updatedn fBNeBuÉwè µ½àÌÆêvµÄ¢È¯êÎÈèܹñB DN ÉÍXy[XªüÁÄ¢ é±Æª½¢ÌÅA"binddn=<DN>" ¶ñÍñdøpÅÍÁĨÆæ ¢Åµå¤B bindmethod ÍAX[u slapd ÖÌÚ±Ég¤FتpX[hx[X ÌàÌ©AKerberos ©ASASL ©ÉæÁÄ simple © kerberos © sasl ÉÈèÜ·B ÈÕFØÍ\ªÈêÑ«Æ@§«ÌÛì(TLS â IPSEC ÈÇ)ªÈ¯êÎg ¤×«ÅÍ èܹñBÈÕFØÍ binddn Æ credentials p[^Ì wèðKvƵܷB Kerberos FØÍASASL FØ̹¢ÅãxêÉÈÁĢܷB (ÁÉ KERBEROS_V4 Æ GSSAPI)BKerberos FØÍ binddn Æ srvtab p[^ ÌwèðKvƵܷB êÊÉÍ SASL FØðg¤±Æð©ßÜ·BSASL FØÍ mech p[^ ðgÁ½@\ÌwèªKvÅ·Bwè·é@\É˶µÄAFØACf eBeBâؾð authcid Æ credentials ðgÁÄwèÅ«Ü·BF ØACfeBeBÌwèÉÍ authzid p[^ðg¤©àµêܹ ñB replogfile <filename> ±ÌfBNeBuÍAslapd ª ÏXðL^·é¡»Ot@CÌ ¼OðwèµÜ·B¡»OÍÊí slapd ª«oµAslurpd ªÇÝ æèÜ·BÊí±ÌfBNeBuÍAf[^x[Xð¡»·é½ßÉ slurpd ªgíêÄ¢éêÉÌÝpµÜ·Bµ©µ slurpd ðÀs µÄ¢ÈÄàAgUNVO̶¬Ég¦Ü·B±ÌêA ¡»Ot@CͳÀɦ±¯éÌÅèúIÉØèlßéKvª èÜ·B rootdn <dn> ±ÌfBNeBuÍA±Ìf[^x[XÉηéANZX §ä é ¢ÍÇÀx̧ÀÉ]íÈ¢ DN ðwèµÜ·B±Ì DN ÍfBN gÌGgÅ 
éKvÍ èܹñB±Ì DN ÉÍ SASL ACf eBeBðg¦Ü·B Ggx[XÌáF rootdn "cn=Manager,dc=example,dc=com" SASL x[XÌáF rootdn "uid=root@EXAMPLE.COM" rootpw <password> ±ÌfBNeBuÍAãÌIvVÅ^¦½ DN ÌGgª¶Ý ·é©A»ÌGgªpX[hðÁÄ¢é©É©©íç¸AíÉ Kp·épX[hðwèµÜ·B±ÌfBNeBuÍ SASL FØÌ ¹¢ÅãxêÉÈÁĢܷB ½Æ¦ÎÌæ¤ÉwèµÜ·B rootpw secret suffix <dn suffix> ±ÌfBNeBuÍA±ÌobNGhf[^x[XÉn·â¹Ì DN Úö«ðwèµÜ·B¡Ì suffix sð^¦Äàæ¢Å·ªAe f[^x[Xè`ÉÈÆàêÂÍKvÅ·B ½Æ¦ÎÌæ¤ÉwèµÜ·B suffix "dc=example,dc=com" ±ÌwèÅÍADN ÌöÉ "dc=example, dc=com" Ìt¢½â¹ª±Ì obNGhÉn³êÜ·B LFâ¹ðn·obNGhªIð³êéÆ«Aslapd Íef[^x [XÌ suffix sðÝèt@CÉ»êéÔÉ©Ä¢«Ü·Bµ½ªÁ ÄA éf[^x[XÌÚö«ªÊÌf[^x[XÌÚª«ÉÈÁÄ¢é êÉÍAÝèt@CÌæèãÌ٤ɻêéæ¤ÉµÈ¯êÎÈèÜ ¹ñB updatedn <dn> ±ÌfBNeBuÍX[uÌ slapd ÉÌÝKpÅ«Ü·B±Ì fBNeBuÍ¡»ÌÏXð· DN ðwèµÜ·B±êÉÍA¡» ÌÏXð·éÆ«É slurpd(8) ªoCh·é DNA é¢Í SASL A CfeBeBÆÖAµ½ DN ðwèµÜ·B Ggx[XÌáF updatedn "cn=Update Daemon,dc=example,dc=com" SASL x[XÌáF updatedn "uid=slurpd@EXAMPLE.COM" updateref <URL> ±ÌfBNeBuÍX[uÌ slapd ÉÌÝKpÅ«Ü·B±êÍ ¡»ÌXVvðéNCAgÉß· URL ðwèµÜ·B±Ì fBNeBuÍ¢ÂàwèÅ«Ae URL ªß³êÜ·B ½Æ¦ÎÌæ¤ÉwèµÜ·B updateref ldap://master.example.net 3.5. 
LDBM obNGhÅLfBNeBu ±ÌJeSÌfBNeBuÍALDBM obNGhf[^x[XÉÌÝK p³êÜ·B·Èí¿A"database ldbm" Æ ésÌãÅAÌ "database" sª»êéOÉȯêÎÈèܹñB cachesize <integer> ±ÌfBNeBuÍALDBM obNGhf[^x[XÌÀÌÉæÁ ÄdzêéàLbV ÌGgðwèµÜ·B ftHgÌÝèÍÌƨèÅ·B cachesize 1000 dbcachesize <integer> ±ÌfBNeBuÍAI[v³êÄ¢éõøt@C»ê¼êÆÖ AïçêÄ¢éàLbV ÌTCYðoCgÅwèµÜ ·BîÂÌf[^x[Xû®ÅT|[g³êȯêÎA±ÌfBN eBuÍÙÁij³êÜ·B±Ìðâ·Ææè½Ìðg ¢Ü·ªAIÈ«\Ìü㪾çêÜ·BÁÉ XVÆõøÌì¬Å «\Ìü㪰ŷB ftHgÌÝèÍÌƨèÅ·B dbcachesize 100000 dbnolocking ±ÌfBNeBuªwè³êéÆf[^x[XÌbNª³øÉÈè Ü·B±ÌfBNeBuÍAf[^ÌZL eBð]µÉµÄÅà «\ðã°½¢êÉg¢Ü·B dbnosync ±ÌfBNeBuÍAÏXÉηéàÌÏXðfBXNãÌà eÆ·®ÉͯúðÆçÈ¢æ¤ÉµÜ·B±ÌfBNeBuÍAf [^ÌZL eBð]µÉµÄÅà«\ðã°½¢êÉg¢Ü·B directory <directory> ±ÌfBNeBuÍAf[^x[XÆÖA·éõøðÜñ¾ LDBM t@CSðufBNgðwèµÜ·B ftHgÌÝèÍÌƨèÅ·B directory /usr/local/var/openldap-ldbm index {<attrlist> | default} [pres,eq,approx,sub,none] ±ÌfBNeBuÍA^¦½®«É¢ÄÇ·éõøðwèµÜ ·B <attrlist%gt; ¾¯ª^¦çê½êAftHgÌõøªÇ ³êÜ·B½Æ¦ÎÌæ¤ÉwèµÜ·B index default pres,eq index objectClass,uid index cn,sn eq,sub,approx PsÚÍAõøÌftHgZbgð¶ÝÆ¿«ðÇ·éæ¤ÉÝè µÜ·BQsÚÍAobjectClass Æ uid ®«^É¢ÄftHgÌõ ø(pres, eq)ðÇ·æ¤ÉÝèµÜ·BRsÚÍAcn Æ sn ®«^É ¢Ä¿«Aª¶ñAßÌõøðÇ·éæ¤ÉÝèµÜ·B mode <integer> ±ÌfBNeBuÍAV½É쬳êéf[^x[Xõøt@CÌ Ât@CÛì[hðwèµÜ·B ftHgÌÝèÍÌƨèÅ·B mode 0600 3.6. ¼ÌobNGhf[^x[X slapd ÍAftHgÌ LDBM ̼Éà¢ÂàÌobNGhf[^x[X íÊðT|[gµÄ¢Ü·B o ldbm: Berkeley Ü½Í GNU DBM Ý·ÌobNGh o passwd: /etc/passwd ÖÌÇæèêpÌANZXðñ o shell: VF(OvO)obNGh o sql: SQL vOªÂ\ÈobNGh ÚµÍ {{slapd.conf}}(5) manpage ðQƵľ³¢B 3.7. 
ANZX§äÌá ``O[ofBNeBu''Ìà¾É éANZX§ä@\ÍÀÉÍÅ ·B±ÌßÅÍAANZX§äÌpáð¢Â©¦µÜ·BܸÍAÈPÈ á©çB access to * by * read ±Ì access fBNeBuÍA çäélÉÇæè(read)ANZX ð^¦ Ü·B±ê¾¯ðwèµ½êÉÍAÌ defaultaccess sƯ¶±ÆÉÈ èÜ·B defaultaccess read ÌáÍADN ÅGgðIð·éÌɳK\»ðpµÄ¢éƱë𦠵ĢܷB±ÌñÂÌANZX é¾ÌÔÍdvÅ·B access to dn=".*, o=U of M, c=US" by * search access to dn=".*, c=US" by * read ±ÌáÅÍAÇæè(read)ANZX ª c=US Tuc[zºÌGgÉ^ ¦çêÜ·ªA"o=U of M, c=US" Tuc[zºÉÀÁÄÍõ(search) A NZX µ©^¦çêܹñB±ÌANZX wèÌðtÉ·éÆA·× ÄÌ "U of M" GgÍ "c=US" GgÅà éÌÅA "U of M" ÌûÌ wèªSKp³êÈÈÁĵܢܷB ÌáàÌdv«ð¦µÄ¢Ü·ªA¡xÍANZX wèÌ¼É "by" ßÌÉ¢Ä঵ĢܷBܽ±ÌáÅÍAÁèÌ®«ÖÌANZX ð^¦é®«ZN^ÆA³Ü´ÜÈ <who> ZN^Ìp@É¢Äà ¦µÄ¢Ü·B access to dn=".*, o=U of M, c=US" attr=homePhone by self write by dn=".*, o=U of M, c=US" search by domain=.*\.umich\.edu read by * compare access to dn=".*, o=U of M, c=US" by self write by dn=".*, o=U of M, c=US" search by * none ±ÌáÍA"o=U of M, c=US" Tuc[ÌGgÉKp³êÜ·B®« homePhone ð·×ÄÌ®«ÉεAYGg©ÌÉÍÝ (write)ð^¦A¼Ì "U of M" zºÌGgÉÍõ (search)ð^ ¦A»Ì¼ÌGgÉÍANZX ð^¦Ü¹ñB®« homePhone Éε ÄÍAYGg©ÌÉÍÝ (write)ð^¦A¼Ì "U of M" Gg ÉÍõ (search)ð^¦Aumich.edu hCàÌDZ©ç©Ú±·éN CAgÉÍÇæè ð^¦A»Ì¼ÌGgÉÍär (compare)ð^ ¦Ü·B ÁèÌ DN É®«ÌÇÁÆð·±ÆªLpȱƪ èÜ·B½Æ¦ ÎA éO[vð쬵AlXÉ member ®«ÖÌÇÁÆ𩪩gÌ DN ÉÀÁÄÅ«éæ¤Éµ½¢êAÌæ¤ÈANZX é¾ÅÀ»Å« Ü·B access to attr=member,entry by dnattr=member selfwrite ZN^ dnattr <who> ÍAANZX ª member ®«ÉXg³êÄ¢éG gÉKp³êé±ÆðwèµÜ·BANZX ZN^ selfwrite ÍA »Ìæ¤È member Bª©ª©gÌ DN ¾¯ð®«©çÇÁ/íÅ«é±Æ ðwèµÜ·BܽAentry ®«ðÇÁµÄ¨±ÆªKvÅ·BȺÈçA GgÌÇÌ®«ÉANZX·éɹæAGgÖÌANZX ªKvÉ Èé©çÅ·B [ó] "entry" ÍGgàÉÀݵȢÁêÈ®«ÅA®«ÖÌANZX wèÅGgÖÌANZX ðwè·é½ßÉg¤àÌÅ·B <what> ßÌÌ attr=member \¬vfÍAß "dn=* attr=member" ÌȪ` Å é±ÆÉڵľ³¢(·Èí¿A·×ÄÌGgÌ member ®« ÉêvµÜ·)B LFLDAP ÌANZX§äÉ¢ÄàÁÆm软êÎ OpenLDAP Administrator's Guide (http://www.openldap.org) ð²×ľ³¢B 3.8. Ýèt@CÌá ȺÍÝèt@CÌáÅ·BáÌXÉÍà¾ðÂ¯Ä èÜ·B±êÍñ ÂÌf[^x[Xðè`µÄ¢ÄA»ê¼ê X.500 c[ÌÊX̪ð µÜ·B¼ûÆàf[^x[XÉÍ LDBM ðgÁĢܷBà¾ÌsãA áÉÍsÔð¯ĢܷªAÀÛÌt@CÉÍsÔð¯ܹñBÜ ¸ÍO[oÝèZNV©çྵܷB 1. # example config file - global configuration section 2. 
include /usr/local/etc/schema/core.schema 3. referral ldap://root.openldap.org 4. access to * by * read s 1 ÍRgÅ·Bs 2 Í core XL[}è`ðÜñ¾ÊÌÝèt@C ðæèÝÜ·Bs 3 Ì referral fBNeBuÍAãÉè`·éf[^ x[XÌÇê©É[JÅÈ¢â¹É¢ÄAzXg root.openldap.org Å®ìµÄ¢éW|[g(389)Ì LDAP T[oðQÆ·é±ÆðÓ¡µÜ ·B s 4 ÍO[oÈANZX§äÅ·B±êÍAf[^x[XÌANZX§ äÉêv·éà̪ȢêA é¢ÍAANZXÌÎÛÆÈéIuWFNg ª (Root DSE Ìæ¤É)ÇÌf[^x[X̧äºÉàÈ¢êÉÌÝgíê Ü·B Ýèt@CÌáÌ̪ÍAc[Ì "dc=example,dc=com" zºÉ é àÌÉ¢ÄÌâ¹ð·é LDBM obNGhðè`µÜ·B±Ìf[ ^x[XÍñÂÌX[u slapd É¡»³êÜ·BX[uÌêÂÍ truelies ÅAà¤êÂÍ judgmentday Å·B¢Â©Ì®«É¢Äõøª dzêAuserPassword ®«ÍFسêĢȢàÌ©çÌANZX©çÛ ì³êÜ·B 5. # ldbm definition for the example.com 6. database ldbm 7. suffix "dc=example, dc=com" 8. directory /usr/local/var/openldap 9. rootdn "cn=Manager, dc=example, dc=com" 10. rootpw secret 11. # replication directives 12. replogfile /usr/local/var/openldap/slapd.replog 13. replica host=slave1.example.com:389 14. binddn="cn=Replicator, dc=example, dc=com" 15. bindmethod=simple credentials=secret 16. replica host=slave2.example.com 17. binddn="cn=Replicator, dc=example, dc=com" 18. bindmethod=simple credentials=secret 19. # indexed attribute definitions 20. index uid pres,eq 21. index cn,sn,uid pres,eq,approx,sub 22. index objectClass eq 23. # ldbm access control definitions 24. access to attr=userPassword 25. by self write 26. by anonymous auth 27. by dn="cn=Admin,dc=example,dc=com" write 28. by * none 29. access to * 30. by self write 31. by dn="cn=Admin,dc=example,dc=com" write 32. 
by * read s 5 ÍRgÅ·Bf[^x[Xè`ÌnÜèÍAs 6 Ì database L[ [hŦµÜ·Bs 7 ÍA±Ìf[^x[XÉn·â¹Ì½ßÌ DN Ú ö«ðwèµÜ·Bs 8 ÍAf[^x[Xt@CðufBNgðw èµÜ·B s 9 Æ 10 ÍA±Ìf[^x[XÌuX[p[UvGgÆ»ÌpX [hðwèµÜ·B±ÌGgÍANZX§ä é¢ÍTCY/Ô§ÀÉ ]¢Ü¹ñB s 11 ©ç 18 Í¡»ÌÝèÅ·Bs 11 Í¡»Ot@CðwèµÜ ·(f[^x[XÌÏXªL^³êÜ· - ±Ìt@CÉÍ slapd ª« ÝAslurpd ªÇÝoµÜ·)Bs 12 ©ç 14 Í¡»ªìçêézXgAXV ðs¤Æ«ÌoCh̽ßÌ DNAoChû@(ÈÕFØ)Abinddn Ì½ß Ìؾ(pX[h)ðwèµÜ·Bs 15 ©ç 18 ÍAæQÌ¡»TCgð wèµÜ·B s 20 ©ç 22 ÍA³Ü´ÜÈ®«Ì½ßÉÇ·éõøðwèµÜ·B s 24 ©ç 32 ÍAf[^x[XàÌGg̽ßÌANZX§äðwèµ Ü·B·×ÄÌGgÌ {{EX:userPassword}} ®«ÍA»ÌGg©g ¨æÑ "admin" Gg©çXVÂ\Å·B±Ì®«ÍFØÌÚIÉÍg¦ Ü·ªÇÝæêܹñB»Ì¼·×ÄÌ®«ÍA»ÌGg©g¨æÑ "admin" Gg©çXVÂ\ÅAFسê½[U©çÇÝæêÜ·B Ýèt@CÌáÌ̪ÍAÊÌ LDBM f[^x[Xðè`µÜ·B±Ì LDBM f[^x[XÍ dc=example,dc=net Tuc[ÉÖ·éâ¹ðµ Ü·Bs 38 ªÈ¢ÆAs 4 ÌO[oANZXK¥ÉæèÇÝæèAN ZXªÂ³êé±ÆÉӵľ³¢B 33. # ldbm definition for example.net 34. database ldbm 35. suffix "dc=example, dc=net" 36. directory /usr/local/var/ldbm-example-net 37. rootdn "cn=Manager, dc=example, dc=com" 38. access to * by users read 4. LDAP T[oÌÀs [ó] ±ÌÍÌà¾Íî{IÉ OpenLDAP 2.0.x ÉîâĢܷB slapd ÍX^hA[T[oƵĮì·éæ¤ÉÝv³êĢܷB± êÉæèT[oÍALbVOAîÕf[^x[Xɨ¯éÀsâèÌ ÇAVXe\[XÌÛÆ¢Á½_ª¾çêÜ·Binetd(8) ©çÀ s·éIvVÍÈÈèܵ½B 4.1. 
R}hCIvV slapd ÍA}j Ay[WÉÚà³êÄ¢éæ¤É½ÌR}hCI vVðT|[gµÄ¢Ü·B±ÌßÅÍægíêéÌIvVÉ Â¢ÄÚàµÜ·B -f <filename> ±ÌIvVÍAslapd ÌÝèt@C𾦵ܷBftHgÍ Ê /usr/local/etc/openldap/slapd.conf Å·B -h <URLs> ±ÌIvVÍãÖÌXiÝèðwèµÜ·BftHgÍ ldap:/// Å·B±êÍftHgÌ LDAP |[g 389 Å·×ÄÌC ^tF[X𵤠TCPãÌ LDAP ðÓ¡µÜ·B±ÌIvVÉÍA ÁèÌ|Xg/|[gÌyAàµÍ¼ÌvgRXL[(ldaps:// â ldapi:// ÈÇ)ðwèÅ«Ü·B½Æ¦Î -h "ldaps:// ldap://127.0.0.1:667" ÍAñÂÌXið쬵ܷBêÂÍftH gÌ LDAP/SSL |[g 636 Å·×ÄÌC^tF[X𵤠SSL ã Ì LDAP Å·Bà¤êÂÍ|[g 667 Å localhost (loopback)ÌC ^BF[X𵤠TCPãÌ LDAP Å·BzXgÍAIPv4 ÌlÆhb gðgÁ½`®ÅàzXg¼ÅÅàwèÅ«Ü·B -n <service-name> ±ÌIvVÍAOÌæÈÇÅgíêéT[rX¼ðwèµÜ·B ftHgÌT[rX¼Í slapd Å·B -l <syslog-local-user> ±ÌIvVÍ syslog(8) @\Ì[J[UðwèµÜ·Bl Í LOCAL0, LOCAL1, LOCAL2, ©ç LOCAL7 ÜÅwèÅ«Ü·BftH gÍ LOCAL4 Å·B±ÌIvVÍVXeÉæÁÄT|[g³ê ĢȢ±Æª èÜ·B -u user -g group ±êçÌIvVÍA»ê¼ê slapd ðÀs·é½ßÌ[UÆO [vðwèµÜ·Buser ÉÍ[U¼© uid ðwèµÜ·Bgroup ÉÍO[v¼© gid ðwèµÜ·B -r directory ±ÌIvVÍÀsfBNgðwèµÜ·B slapd ÍXi ðI[vµ½ãAÝèt@CÌÇÝâobNGhÌú»ð· éOÉA±ÌfBNgÉ chroot(2) µÜ·B -d <level> | ? ±ÌIvVÍ slapd ÌfobOxð <level> ÉÝèµÜ·B xª `?' ¶ÌêA³Ü´ÜÈfobOxð\¦µA¼Ì IvVwèð³µÄ slapd ÍI¹µÜ·B»ÝT|[g³êÄ ¢éfobOxÉÍÌà̪ èÜ·B -1 ·×ÄÌfobOxðLøÉ·é 0 fobOµÈ¢ 1 ÖÄoµÌg[X 2 pPbgÌfobO 4 Ú×ÈfobOg[X 8 Ú±Ç 16 pPbgóMÌó 32 õtB^ 64 Ýèt@C 128 ANZX§äXg 256 Ú±/ì/ÊÌvO 512 GgMÌvO 1024 shell obNGhÆÌÊMÌó 2048 GgðÍÌfobOó ¡ÌfobOxðLøÉ·é±ÆàÅ«Ü·Bv·éx»ê ¼êÉ¢ÄfobOIvVðwèµÄàæ¢Å·µAfobOx ðÁZµÄwèµÄà©Ü¢Ü¹ñBÂÜèAÖÄoµÌg[XÆ Ýèt@CÌÌÏ@ðs¢½¯êÎAxð»ÌñÂÌxÌ vÉÝè·êÎæ¢ÌÅ·(±ÌêÍ -d 65)BܽA»Ìæ¤ÈÁZ ð slapd ɳ¹é±ÆàÅ«Ü·(½Æ¦Î -d 1 -d 64)BæèÚµÍ <ldap.h%gt; t@CðQƵľ³¢B LFvOðoÍ·éñÂÌxÈOÌfobOîñðoÍÅ«é æ¤É·éÉÍAslapd ð -DLDAP_DEBUG t«Å slapd ðRpCµÄ ¨©È¯êÎÈèܹñB [ó] OpenLDAP 2.0.x ÅÍ -d ? w誳Èèܵ½B 4.2. LDAP T[oÌN® êÊÉ slapd ÍÌæ¤ÉÀsµÜ·B /usr/local/etc/libexec/slapd [<option>]* ±±Å /usr/local/etc/libexec ÍAconfigure XNvgÅè³ê½ê ÅA<option> ÍOqµ½( é¢Í slapd(8) Éà¾Ì é)IvVÅ ·BfobOxðwèµÈ¯êÎ(xÉ 0 ðwèµ½êàÜß Ä)Aslapd Í©®IÉ fork µA§ä[©ç©ªðØ裵ÄobNO EhÅ®ìµÜ·B 4.3. 
LDAP T[oÌI¹ ÀSÉ slapd ðI¹³¹éÉÍAÌæ¤ÉR}hð^¦Ü·B kill -TERM `cat $(ETCDIR)/slapd.pid` [ó] OpenLDAP 2.0.x ÅÍ `-TERM' ÅÍÈ `-INT' ðwè·é±ÆÉ ÈÁĢȷB slapd ªI¹·éOÉͳܴÜÈobt@ðtbV ·éKvª é½ ßAæè§IÉI¹³¹éèiðg¤Æ LDBM f[^x[Xªs³ÉÈé° êª èÜ·Bslapd ÍAslapd.conf t@CÉÝèµ½fBNgÌ slapd.pid Æ¢¤t@C(½Æ¦Î /usr/local/var/slapd.pid) É pid ð «ÝÜ·B include/ldapconfig.h.edit Ì SLAPD_PIDFILE ðÏX·é±ÆÉæÁÄA ±Ì pid t@CÌÊuðÏXÅ«Ü·B [ó] »ÝÌ OpenLDAP ÅÍ slapd.conf ÌO[oIvVÅ pid t@CÌÊuðÝè·éæ¤ÉÏX³êĢܷB½Æ¦Î `pidfile /usr/local/var/slapd.pid' ÆwèµÜ·B ܽAslapd ÍAslapd.conf t@CÉÝèµ½fBNgÌ slapd.args Æ¢¤t@C(½Æ¦Î /usr/local/var/slapd.args)É slapd Ìøð «ÝÜ·B include/ldapconfig.h.edit Ì SLAPD_ARGSFILE ðÏX·é ±ÆÉæÁÄA±Ìøt@CÌÊuðÏXÅ«Ü·B [ó] »ÝÌ OpenLDAP ÅÍ slapd.conf ÌO[oIvVÅø t@CÌÊuðÝè·éæ¤ÉÏX³êĢܷB½Æ¦Î `argsfile /usr/local/var/slapd.args' ÆwèµÜ·B 5. f[^x[Xì¬/Çc[ ±ÌßÅÍAslapd f[^x[Xð 0 ©ç쬷éû@ÆAâ誶µ½ Æ«ÌguV [eBOÉ¢ÄྵܷBf[^x[Xð쬷é ÌÉÍñÂÌû@ª èÜ·B»ÌêÂÍ LDAP ðp¢ÄICÅf[^ x[Xð쬷éÆ¢¤àÌÅ·B±Ìû@ÅÍAPÉ slapd ðN®µA KÈ LDAP NCAgðp¢ÄGgðÇÁµÜ·B±Ìû@ÍAär I¬³Èf[^x[X(pɶÄS©ççöx)Ìì¬ÉKµÄ¢Ü·B f[^x[Xð쬷éà¤êÂÌû@ÍAslapd pÉñ³êéÁêÈ[ eBeBðp¢ÄItCÅs¤Æ¢¤àÌÅ·B±Ìû@ÍALDAP ð gÁÄ¢ÄÍϦçêÈ¢ÙÇÌ·¢Ôª©©Áĵܤæ¤È½çÈãà ÌGgª éêAàµÍf[^x[XÌì¬Éf[^x[XÖÌA NZXª³¢æ¤É·é±ÆðÛص½¢êÉÅKÈû@Å·B 5.1. ICÅf[^x[Xð쬷éû@ OpenLDAP \tgEFApbP[WÉÍ ldapadd Æ¢¤c[ªt®µÄ¢ ÄA±êÍ®ìµÄ¢é LDAP T[oÉεÄGgðÇÁ·é½ßÉp µÜ·BICÅf[^x[Xð쬷éÂàèÈçAGgÌÇÁÉ ldapadd c[ðg¦Ü·BÅÉGgðÇÁµ½ãÉA³çÉGg ðÇÁ·éÌÉà ldapadd ðg¦Ü·Bslapd ðn®·éOÉ slapd.conf t@CÉ éÌÝèIvVðÝèµÄ¨¢Ä¾³¢B suffix <dn> ``LDAP T[oÌÝè''Åྵ½æ¤ÉA±ÌIvVÉÍA±Ìf[^ x[XÉi[³êéGgQª½Å é©ðLqµÜ·B±êÍì¬µæ¤ ÆµÄ¢éTuc[Ì[gÌ DN ÉÝèµÜ·B½Æ¦ÎÌæ¤ÉÝè µÜ·B suffix "o=TUDelft, c=NL" õøt@Cð쬷éfBNgðÝèµÄ¾³¢B directory <directory> ½Æ¦ÎÌæ¤ÉÝèµÜ·B directory /usr/local/tudelft GgðÇÁ·é ÀðÁ½[UÅ slapd Éڱūéæ¤ÉÝè· éKvª èÜ·B±êÍf[^x[Xè`ÌñÂÌIvVðp¢Äs ¢Ü·B rootdn <dn> rootpw <passwd> /* ±±ÌpX[hÉ crypt ðg¤ÌðYêȢŠ!!! 
*/ [ó] ÀÛÉÍ /* ` */ ÅRgðüêé±ÆÍūܹñB ±êçÌIvVÍAf[^x[XÌuX[p[UvGg(·Èí¿ ½ÅàÅ«éGg)ƵÄFØ·éÌÉg¤ DN ÆpX[hðwèµÜ ·B±êÅwè·é DN ÆpX[hÍAÀÛɱ̼OÌGgª é ©A»µÄwèÌpX[hðÁÄ¢é©É©©íç¸íÉLøÅ·B±ê ÍAܾ½àGgª³¢óÔÅÌFØÆGgÌÇÁðǤ·é©Æ¢ ¤u{ÆvâèððµÜ·B ÅãÉAf[^x[Xè`É]Þõøè`ðÜßÜ·B index {<attrlist> | default } [pres,eq,approx,sub,none] ½Æ¦ÎAcn, sn, uid, objectclass ®«Éõøð¯éÉÍAÌæ¤È index Ýèsðg¢Ü·B index cn,sn,uid index objectclass pres,eq index default none ±±ÜÅÝèµ½ç slapd ðN®µÄA È½Ì LDAP NCAgÅÚ± µÄAGgÌÇÁðJnµÄ¾³¢B½Æ¦ÎATUDelft GgÆ» êÉ®·é Postmaster Ggð ldapadd c[ðp¢ÄÇÁ·éÉÍA »ÌàeðLqµ½ /tmp/newentry Æ¢¤t@Cð쬵ܷB o=TUDelft, c=NL objectClass=organization o=TUDelft description=Technical University of Delft Netherlands cn=Postmaster, o=TUDelft, c=NL objectClass=organizationalRole cn=Postmaster description= TUDelft postmaster - postmaster@tudelft.nl ÀÛÉGgð쬷éÉÍÌæ¤ÈR}hðg¢Ü·B ldapadd -f /tmp/newentry -D "cn=Manager, o=TUDelft, c=NL" -w secret ãÌR}hpáÅÍArootdn ª "cn=Manager, o=TUDelft, c=NL"A rootpw ª "secret" ÉÝè³êÄ¢éàÌƵܷBR}hCÉpX [hð^Cvµ½È¯êÎAldapadd R}hÌIvV -w "password" ÌãíèÉ -W IvVðgÁľ³¢B»¤·éÆAÌ æ¤ÉpX[hÌüͪv³êéæ¤ÉÈèÜ·B ldapadd -f /tmp/newentry -D "cn=Manager, o=TUDelft, c=NL" -W Enter LDAP Password: 5.2. 
Creating a database offline

[Translator's note] The explanation in this section is basically based on OpenLDAP 2.0.x.

The second method of database creation is to do it offline, using the index generation tools described below. This method is best if you have many thousands of entries to create, which would take an unacceptably long time using the LDAP method described above. These tools read the slapd configuration file and an input LDIF file containing a text representation of the entries to add, and create the LDBM index files directly. There are several important configuration options you should be sure to set in the database definition of the configuration file first.

    suffix <dn>

As described above, this option says which entries are to be held by this database. You should set this to the DN of the root of the subtree you are trying to create. For example:

    suffix "o=TUDelft, c=NL"

Set the directory in which the index files are to be created:

    directory <directory>

For example:

    directory /usr/local/tudelft

Next, you will probably want to increase the size of the in-core cache used by each open index file. For best performance during index creation, the entire index should fit in memory. If your data is too big for this, or your memory is too small, you can still make the cache pretty big and let the paging system do the work. This size is set with the following option:

    dbcachesize <integer>

For example:

    dbcachesize 50000000

This would create a cache 50 MB big, which is pretty big (at the University of Michigan the database has about 125K entries, and the biggest index file is about 45 MB). Experiment with this cache size and the execution speed (described below) until your system performs best. Once the index files have been created, be sure to reset the cache size to something smaller before you run slapd.

Finally, you need to specify which indexes you want to build. This is done with one or more index options.

    index {<attrlist> | default} [pres,eq,approx,sub,none]

For example:

    index cn,sn,uid pres,eq,approx
    index default none

This creates presence, equality and approximate indexes for the attributes cn, sn and uid, and no indexes for any other attribute. See the configuration file description in ``Configuring the LDAP server'' for more information on this option.

Once you have configured things this far, run the slapadd(8) program to create the primary database and its associated indexes:

    slapadd -l <inputfile> -f <slapdconfigfile> [-d <debuglevel>] [-n <integer>|-b <suffix>]

The arguments have the following meanings:

    -l <inputfile>
        Specifies the LDIF input file containing the text representation of the entries to add (LDIF is described in the next section).

    -f <slapdconfigfile>
        Specifies the slapd configuration file that tells where to create the indexes, which indexes to create, and so on.

    -d <debuglevel>
        Turns on debugging at the level given by <debuglevel>. The debug levels are the same as for slapd; see ``Command-line options'' in the section ``Running the LDAP server''.

    -n <integer>
        An optional argument that specifies which database to modify. The first database defined in the configuration file is 1, the second is 2, and so on. By default, the first ldbm database defined in the configuration file is used. Must not be given together with -b.

    -b <suffix>
        An optional argument that specifies which database to modify. The given suffix is matched against the suffix directives of the databases to determine the database number. Must not be given together with -n.

Sometimes it may be necessary to regenerate the indexes (for example after modifying slapd.conf(5)). This can be done with the slapindex(8) program, which is invoked like this:

    slapindex -f <slapdconfigfile> [-d <debuglevel>] [-n <databasenumber>|-b <suffix>]

The options -f, -d, -n and -b have the same meaning as for the slapadd(1) program. slapindex rebuilds all indexes from the current contents of the database.

A program called slapcat is provided for dumping the database to an LDIF file. This is useful when you want a human-readable backup of the database, or when you want to edit the database offline. It is invoked like this:

    slapcat -l <filename> -f <slapdconfigfile> [-d <debuglevel>] [-n <databasenumber>|-b <suffix>]

The option -n or -b selects one of the databases defined in the slapd.conf(5) given with -f. The resulting LDIF output is written to standard output, or to the file given with the -l option.

5.3. More on the LDIF format

[Translator's note] The explanation in this section is basically based on OpenLDAP 2.0.x.

The LDAP Data Interchange Format (LDIF) is used to represent LDAP entries in a simple text format. The basic form of an entry is:

    # comment
    dn: <distinguished name>
    <attrdesc>: <attrvalue>
    <attrdesc>: <attrvalue>
    ...

Lines starting with the character '#' are comments. An attribute description is a simple attribute type such as cn, objectClass or 1.2.3 (the OID of an attribute type), and may also carry options, as in cn;lang_en_US or userCertificate;binary.

A line can be continued by starting the next line with a single space or tab character. For example:

    dn: cn=Barbara J Jensen, dc=example, dc=
     com
    cn: Barbara J Jensen

is equivalent to:

    dn: cn=Barbara J Jensen, dc=example, dc=com
    cn: Barbara J Jensen

Multiple values of an attribute are given on separate lines. For example:

    cn: Barbara J Jensen
    cn: Babs Jensen

If an <attrvalue> contains non-printing characters, or begins with a space, a colon (':') or a less-than sign ('<'), the <attrdesc> is followed by a double colon and the value is written in base64 encoding. For example, the value " begins with a space" is written like this:

    cn:: IGJlZ2lucyB3aXRoIGEgc3BhY2U=

You can also give a URL that holds the attribute value. The following example says that the jpegPhoto value is to be obtained from the file /path/to/file.jpeg:

    jpegPhoto:< file:///path/to/file.jpeg

Multiple entries within the same LDIF file are separated by blank lines. Here is an example of an LDIF file containing three entries:

    # Barbara's Entry
    dn: cn=Barbara J Jensen,dc=example,dc=com
    cn: Barbara J Jensen
    cn: Babs Jensen
    objectClass: person
    sn: Jensen

    # Bjorn's Entry
    dn: cn=Bjorn J Jensen,dc=example,dc=com
    cn: Bjorn J Jensen
    cn: Bjorn Jensen
    objectClass: person
    sn: Jensen
    # Base64 encoded JPEG photo
    jpegPhoto:: /9j/4AAQSkZJRgABAAAAAQABAAD/2wBDABALD
     A4MChAODQ4SERATGCgaGBYWGDEjJR0oOjM9PDkzODdASFxOQ
     ERXRTc4UG1RV19iZ2hnPk1xeXBkeFxlZ2P/2wBDARESEhgVG

    # Jennifer's Entry
    dn: cn=Jennifer J Jensen,dc=example,dc=com
    cn: Jennifer J Jensen
    cn: Jennifer Jensen
    objectClass: person
    sn: Jensen
    # JPEG photo from file
    jpegPhoto:< file:///path/to/file.jpeg

Note that the jpegPhoto in Bjorn's entry is base64 encoded, while the jpegPhoto in Jennifer's entry is obtained from the location given by the URL.

Trailing spaces are not trimmed from values in an LDIF file, nor are multiple spaces inside a value compressed. If you do not want spaces in your data, do not put them in the LDIF.

5.4. The ldapsearch, ldapdelete and ldapmodify utilities

[Translator's note] The explanation in this section is basically based on OpenLDAP 1.2.x. In OpenLDAP 2.0.x some options have been added or changed.

ldapsearch - ldapsearch is a command-line interface to the ldap_search(3) library call. Use this utility to search for entries in your LDAP database backend.

The synopsis of ldapsearch is as follows (see the ldapsearch man page for the meaning of each option):

    ldapsearch [-n] [-u] [-v] [-k] [-K] [-t] [-A] [-B] [-L] [-R] [-d debuglevel] [-F sep] [-f file] [-D binddn] [-W] [-w bindpasswd] [-h ldaphost] [-p ldapport] [-b searchbase] [-s base|one|sub] [-a never|always|search|find] [-l timelimit] [-z sizelimit] filter [attrs...]

ldapsearch opens a connection to an LDAP server, binds, and performs a search using the filter filter. The filter must conform to the string representation of LDAP filters defined in RFC 1558. If ldapsearch finds one or more entries, the attributes given by attrs are retrieved and the entries and their values are printed to standard output. If no attrs are given, all attributes are returned.

Here are some examples of using ldapsearch:

    ldapsearch -b 'o=TUDelft,c=NL' 'objectclass=*'
    ldapsearch -b 'o=TUDelft,c=NL' 'cn=Rene van Leuken'
    ldapsearch -u -b 'o=TUDelft,c=NL' 'cn=Luiz Malere' sn mail

The -b option sets the search base (the starting point of the search) and the -u option asks for user-friendly output of names.

ldapdelete - ldapdelete is a command-line interface to the ldap_delete(3) library call. Use this utility to delete entries from your LDAP database backend.

The synopsis of ldapdelete is as follows (see the ldapdelete man page for the meaning of each option):

    ldapdelete [-n] [-v] [-k] [-K] [-c] [-d debuglevel] [-f file] [-D binddn] [-W] [-w passwd] [-h ldaphost] [-p ldapport] [dn]...
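The ldapsearch description above requires the filter to follow the RFC 1558 string representation, and the ldapdelete description that follows requires each dn to be a string-represented DN (RFC 1779). Both grammars reserve a few characters, so a value that comes from outside (a name typed into a form, a record imported from another system) has to be escaped before it is spliced into a filter or a DN; otherwise a name containing '*', '(' or ',' silently changes which entries the search or the delete applies to. The following is an added example, not code from the HOWTO or from OpenLDAP; the function names are the editor's own, the tool flags (-u, -b, -v, -D, -W) are the ones the HOWTO's examples use, and the sample names are constructed.

```python
"""Escaping values for LDAP search filters and DNs before handing them to the
OpenLDAP command-line tools (added example, not part of the HOWTO)."""
import re
import shlex
import subprocess
from typing import List, Sequence, Tuple

# RFC 1558 / RFC 2254: inside an assertion value these characters are written
# as a backslash followed by the two hex digits of the character code.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Attribute description: a type name or an OID, optionally followed by
# ;option parts (cn, objectClass, 1.2.3, userCertificate;binary).
_ATTR_RE = re.compile(r"(?:[A-Za-z][A-Za-z0-9-]*|[0-9]+(?:\.[0-9]+)+)(?:;[A-Za-z0-9-]+)*")

# RFC 1779 / RFC 2253: characters that must be backslash-escaped inside an
# attribute value of a DN; a leading '#' and leading/trailing spaces as well.
_DN_SPECIALS = set(',+"\\<>;')


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value inside a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def _check_attr(attr: str) -> str:
    """Reject anything that is not an attribute description (e.g. 'cn=x)(uid')."""
    if not _ATTR_RE.fullmatch(attr):
        raise ValueError(f"not an attribute description: {attr!r}")
    return attr


def build_filter(attr: str, value: str) -> str:
    """Equality filter such as (cn=Rene van Leuken), with the value escaped."""
    return f"({_check_attr(attr)}={escape_filter_value(value)})"


def presence_filter(attr: str) -> str:
    """Presence filter such as (objectclass=*); here the '*' is intended."""
    return f"({_check_attr(attr)}=*)"


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN string."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _DN_SPECIALS:
            out.append("\\" + ch)
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        elif ch == "#" and i == 0:
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


def build_dn(rdns: Sequence[Tuple[str, str]]) -> str:
    """Join (attr, value) pairs into a DN, most specific RDN first."""
    return ",".join(f"{_check_attr(a)}={escape_dn_value(v)}" for a, v in rdns)


def ldapsearch_argv(base: str, attr: str, value: str,
                    attrs: Sequence[str] = (), userfriendly: bool = False) -> List[str]:
    """argv for the ldapsearch call shown in the HOWTO (-u, -b, filter, attrs)."""
    argv = ["ldapsearch"]
    if userfriendly:
        argv.append("-u")
    argv += ["-b", base, build_filter(attr, value), *attrs]
    return argv


def ldapdelete_argv(dn: str, binddn: str) -> List[str]:
    """argv for 'ldapdelete -v -D <binddn> -W <dn>' (password is prompted for)."""
    return ["ldapdelete", "-v", "-D", binddn, "-W", dn]


def run_tool(argv: Sequence[str]) -> int:
    """Run one of the tools as an argv list, without a shell, so no second
    layer of quoting is involved; returns the exit status."""
    return subprocess.run(list(argv), check=False).returncode


if __name__ == "__main__":
    # Constructed inputs: a display name with filter metacharacters and a
    # surname containing a comma, as they might arrive from a form.
    base = "o=TUDelft,c=NL"
    print(shlex.join(ldapsearch_argv(base, "cn", "Rene (van) Leuken*", ["sn", "mail"], True)))
    dn = build_dn([("cn", "Malere, Luiz"), ("o", "TUDelft"), ("c", "NL")])
    print(shlex.join(ldapdelete_argv(dn, "cn=Luiz Malere,o=TUDelft,c=NL")))
```

Passing the argv list to subprocess rather than a shell string means the only escaping that matters is the LDAP one; the attribute-name check guards the one position the value escaping cannot cover.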
ldapdelete opens a connection to an LDAP server, binds, and deletes one or more entries. If one or more dn arguments are given, the entries with those distinguished names are deleted. Each dn must be a DN in the string representation defined in RFC 1779. If no dn argument is given, a list of DNs is read from standard input (or from the file file given with the -f flag).

Here are some examples of using ldapdelete:

    ldapdelete 'cn=Luiz Malere,o=TUDelft,c=NL'
    ldapdelete -v 'cn=Rene van Leuken,o=TUDelft,c=NL' -D 'cn=Luiz Malere,o=TUDelft,c=NL' -W

The -v option turns on verbose mode, the -D option gives the dn to bind as (the dn used for authentication), and the -W option asks to be prompted for the password.

ldapmodify - ldapmodify is a command-line interface to the ldap_modify(3) and ldap_add(3) library calls. Use this utility to update entries in your LDAP database backend.

The synopsis of ldapmodify is as follows (see the ldapmodify man page for the meaning of each option):

    ldapmodify [-a] [-b] [-c] [-r] [-n] [-v] [-k] [-d debuglevel] [-D binddn] [-W] [-w passwd] [-h ldaphost] [-p ldapport] [-f file]

    ldapadd [-b] [-c] [-r] [-n] [-v] [-k] [-K] [-d debuglevel] [-D binddn] [-w passwd] [-h ldaphost] [-p ldapport] [-f file]

ldapadd is a hard link to the ldapmodify tool. When invoked as ldapadd, the -a flag (add a new entry) is implicitly turned on. ldapmodify opens a connection to an LDAP server, binds, and updates or adds entries. The entry information is read from standard input or from the file file given with the -f option.

Here are some examples of using ldapmodify:

Assume that the file /tmp/entrymods exists with the following contents:

    dn: cn=Modify Me, o=University of Michigan, c=US
    changetype: modify
    replace: mail
    mail: modme@terminator.rs.itd.umich.edu
    -
    add: title
    title: Grand Poobah
    -
    add: jpegPhoto
    jpegPhoto: /tmp/modme.jpeg
    -
    delete: description
    -

Run the following command:

    ldapmodify -b -r -f /tmp/entrymods

This replaces the contents of the mail attribute of the entry "Modify Me" with the value "modme@terminator.rs.itd.umich.edu", adds the title "Grand Poobah", adds the contents of the file "/tmp/modme.jpeg" as a jpegPhoto, and completely removes the description attribute.

The same update can be made with the older ldapmodify input format:

    cn=Modify Me, o=University of Michigan, c=US
    mail=modme@terminator.rs.itd.umich.edu
    +title=Grand Poobah
    +jpegPhoto=/tmp/modme.jpeg
    -description

In this case, too, ldapmodify is invoked the same way:

    ldapmodify -b -r -f /tmp/entrymods

Assume that the file /tmp/newentry exists with the following contents:

    dn: cn=Barbara Jensen, o=University of Michigan, c=US
    objectClass: person
    cn: Barbara Jensen
    cn: Babs Jensen
    sn: Jensen
    title: the world's most famous manager
    mail: bjensen@terminator.rs.itd.umich.edu
    uid: bjensen

Run the following command:

    ldapadd -f /tmp/newentry

This adds the entry for Babs Jensen.

Assume that the file /tmp/newentry exists with the following contents:

    dn: cn=Barbara Jensen, o=University of Michigan, c=US
    changetype: delete

Run the following command:

    ldapmodify -f /tmp/newentry

This removes the entry of Babs Jensen.

The -f option gives the file from which the update information is read (instead of standard input), the -b option selects binary mode (values in the input file that start with '/' are interpreted as binary files), and the -r option selects replace mode (existing values are replaced by default).

6. Additional information and features

In this section you will find information about the Netscape Address Book, which can be used to query the directory. It also explains in detail how to implement roaming access with Netscape Navigator version 4.5 or later and an LDAP server. On the OpenLDAP mailing list there has been a lot of discussion about roaming access, because the feature is not well implemented. Most people do not like Netscape Navigator using the LDAP server for downloading and uploading. So do not worry if, after reading this, you find that roaming access does not work the way you expect; many people have already had that experience. The purpose of presenting the feature here is to give people an idea of the possibilities of the LDAP protocol. Finally, there is information on how to shut down the slapd process safely and on slapd logs.

6.1. Roaming access

[Translator's note] The explanation in this section is basically based on OpenLDAP 1.2.x. In OpenLDAP 2.0.x the way attributes and object classes are extended, among other things, has changed.

The purpose of roaming access is to let you retrieve your bookmarks, preferences, mail filters and so on from anywhere on the net, using Netscape Navigator and an LDAP server. This is a very convenient feature: wherever you access the Web, the browser you use there has your own settings. If you are travelling and want to reach a site registered in your local bookmarks, there is no problem. Bookmark and preference files are uploaded to the LDAP server, and later, wherever you are, you can retrieve all of them.

[Translator's note] Unfortunately, the roaming access feature was removed in Netscape 6.

To implement roaming access, follow these steps:

1. Modify the attribute description file
2. Modify the object class description file
3. Create an LDIF file to hold the profiles
4. Configure Netscape Navigator to use the LDAP server as its roaming access server
5. Restart the LDAP server with the new configuration

6.1.1. Modifying the attributes file

You need to add the following new attributes to the list of attributes defined in slapd.at.conf (a file included by slapd.conf, usually located in /usr/local/etc/openldap):

    attribute nsLIPtrURL ces
    attribute nsLIPrefs ces
    attribute nsLIProfileName cis
    attribute nsLIData bin
    attribute nsLIElementType cis
    attribute nsLIServerType cis
    attribute nsLIVersion cis
    attribute nsServerPort cis

[Translator's note] For OpenLDAP 2.0.x, prepare a suitable file in /usr/local/etc/openldap/schema/, add the following definitions to it, and include it from slapd.conf.

    attributetype ( 2.16.840.1.113730.3.1.70 NAME 'serverRoot'
        EQUALITY caseIgnoreMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

    attributetype ( 2.16.840.1.113730.3.1.76 NAME 'serverHostName'
        EQUALITY caseExactIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

    attributetype ( 2.16.840.1.113730.3.1.280 NAME 'nsServerPort'
        EQUALITY caseExactIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

    attributetype ( 2.16.840.1.113730.3.1.399 NAME 'nsLIPtrURL'
        EQUALITY caseExactIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

    attributetype ( 2.16.840.1.113730.3.1.400 NAME 'nsLIPrefs'
        EQUALITY caseExactIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

    attributetype ( 2.16.840.1.113730.3.1.401 NAME 'nsLIProfileName'
        EQUALITY caseIgnoreMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

    attributetype ( 2.16.840.1.113730.3.1.402 NAME 'nsLIData'
        EQUALITY bitStringMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )

    attributetype ( 2.16.840.1.113730.3.1.403 NAME 'nsLIElementType'
        EQUALITY caseIgnoreMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

    attributetype ( 2.16.840.1.113730.3.1.404 NAME 'nsLIServerType'
        EQUALITY caseIgnoreMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

    attributetype ( 2.16.840.1.113730.3.1.405 NAME 'nsLIVersion'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

6.1.2. Modifying the object class file

You need to add the following new classes to slapd.oc.conf (a file included by slapd.conf, usually located in /usr/local/etc/openldap):

    objectclass nsLIPtr
        requires
            objectclass
        allows
            nsliptrurl,
            owner

    objectclass nsLIProfile
        requires
            objectclass,
            nsliprofilename
        allows
            nsliprefs,
            uid,
            owner

    objectclass nsLIProfileElement
        requires
            objectclass,
            nslielementtype
        allows
            owner,
            nslidata,
            nsliversion

    objectclass nsLIServer
        requires
            objectclass,
            serverhostname
        allows
            description,
            cn,
            nsserverport,
            nsliservertype,
            serverroot

[Translator's note] For OpenLDAP 2.0.x, prepare a suitable file in /usr/local/etc/openldap/schema/, add the following definitions to it, and include it from slapd.conf.

    objectclass ( 2.16.840.1.113730.3.2.74 NAME 'nsLIPtr'
        SUP top
        MUST objectClass
        MAY ( nsLIPtrURL $ owner ) )

    objectclass ( 2.16.840.1.113730.3.2.75 NAME 'nsLIProfile'
        SUP top
        MUST ( objectClass $ nsLIProfileName )
        MAY ( nsLIPrefs $ uid $ owner ) )

    objectclass ( 2.16.840.1.113730.3.2.76 NAME 'nsLIProfileElement'
        SUP top
        MUST ( objectClass $ nsLIElementType )
        MAY ( owner $ nsLIData $ nsLIVersion ) )

    objectclass ( 2.16.840.1.113730.3.2.77 NAME 'nsLIServer'
        SUP top
        MUST ( objectClass $ serverHostName )
        MAY ( cn $ description $ nsLIServerType $ nsServerPort $ serverRoot ) )

6.1.3. Creating the LDIF file

[Translator's note] Before going into this step, let us configure slapd.conf. First, with OpenLDAP 1.2.x you must set `lastmod on' so that the operational attribute modifyTimestamp is maintained automatically. Then set the following access control and restart slapd. (The by clauses of an access directive are evaluated in order and the first matching one applies, so the self clause must precede the catch-all.)

For OpenLDAP 1.2.x:

    access to dn=".*,ou=Roaming,o=myOrg,c=NL"
        by dnattr=owner write

    access to attr=userpassword
        by self write
        by * none

For OpenLDAP 2.0.x:

    access to dn=".*,ou=Roaming,o=myOrg,c=NL"
        by dnattr=owner write

    access to attr=userpassword
        by self write
        by anonymous auth
        by dn="cn=Manager,o=myOrg,c=NL" write
        by * none

    access to *
        by self write
        by anonymous auth

Next, you need to create an LDIF file. Add a profile entry for each user who wants to try Netscape's roaming access feature. Below is a simple example of an LDIF file with a profile entry:

    dn: o=myOrg,c=NL
    objectClass: top
    objectClass: organization
    o: myOrg

    dn: ou=People,o=myOrg,c=NL
    objectClass: top
    objectClass: organizationalUnit
    ou: People

    dn: cn=seallers,ou=People,o=myOrg,c=NL
    userPassword: myPassword
    objectClass: top
    objectClass: person
    cn: seallers
    sn: seallers

    dn: ou=Roaming,o=myOrg,c=NL
    objectClass: top
    objectClass: organizationalUnit
    ou: Roaming

    dn: nsLIProfileName=seallers,ou=Roaming,o=myOrg,c=NL
    objectClass: top
    objectClass: nsLIProfile
    nsLIProfileName: seallers
    owner: cn=seallers,ou=People,o=myOrg,c=NL

[Translator's note] Of course, creating the LDIF file is not enough; actually load it into the directory with ldapadd or a similar tool.

6.1.4. Configuring Netscape Navigator

The next step is to configure Netscape Navigator so that roaming access against the LDAP server becomes possible.

o Choose "Edit" -> "Preferences" -> "Roaming User" from the menu. First, you must enable roaming access for this profile: click the corresponding check box.

o Enter a suitable value, for example seallers, in the user name box. Pull down the arrow of the "Roaming User" option on the left of the "Preferences" window to show the sub-options of roaming access.

o Click "Server Information", enable the "LDAP Directory Server" option, and enter the following information in the boxes:

    Address: ldap://myHost/nsLIProfileName=$USERID,ou=Roaming,o=myOrg,c=NL
    User DN: cn=$USERID,ou=People,o=myOrg,c=NL

Important: Netscape automatically replaces $USERID with the name of the profile you chose before running the browser. So if you chose the profile seallers, $USERID is replaced with seallers, and if you chose the profile gonzales, $USERID is replaced with gonzales. If you are not familiar with profiles, start the Profile Manager application that comes with the Netscape Communicator package. It is an application designed so that several users can safely use the browser on the same machine, each keeping their own browser settings.

[Translator's note] As far as the translator could verify, $USERID appears to be replaced with the user name entered in the "Roaming User" settings.

6.1.5. Restarting the LDAP server

The final step is restarting the server. See ``Stopping the LDAP server'' for how to shut the LDAP server down safely, and ``Running the LDAP server'' for how to start it again.

[Translator's note] As far as the translator could verify, what needs to be restarted here is Netscape, not the LDAP server.

6.2. The Netscape Address Book

If your LDAP server is running, you can access it with various clients (for example the ldapsearch command-line utility). A very interesting client is the Netscape Address Book. It has been available since Netscape 4.x, but to work properly with an LDAP server you need version 4.5 or later.

[Translator's note] Unfortunately, access to LDAP servers was removed in Netscape 6.

To use the Address Book, do the following:

Start Netscape Navigator -> choose the Communicator menu -> Address Book

Netscape's Address Book already has some default LDAP directories registered. You need to register your own LDAP directory too!

Choose the File menu -> New Directory

Enter your server's information. For example:

o Description : TUDelft
o LDAP Server : dutedin.et.tudelft.nl
o Server Root : o=TUDelft, c=NL

The default LDAP port is 389; do not change the port unless you changed this option on the server side.

Now you can make simple queries to your server with the "Show Names Containing" box, and complex queries with the Search button.

6.3. LDAP Migration Tools

The LDAP Migration Tools are a collection of Perl scripts that convert configuration files to LDIF format. The scripts are provided by PADL Software Ltd; you are advised to read the license before using them, but they are basically free. If you intend to use an LDAP server for user authentication, these tools are very useful. The Migration Tools convert NIS and password archives into LDIF, so that the information in those files and in compatible formats can be used on an LDAP server. Also apply these Perl scripts when migrating users, groups, hosts, aliases, netgroups, networks, protocols, RPC and existing name services (NIS, flat files, NetInfo) to LDIF format. To download the LDAP Migration Tools and get more information, go to:

    http://www.padl.com/tools.html

The package comes with a README file, and the names of the script files indicate their functions. Read the README file first, then start applying the scripts.

6.4. Authentication using LDAP

LDAP can authenticate users through a mechanism called PAM (Pluggable Authentication Modules). Since the birth of UNIX, user authentication has been done by the user typing a password and the system checking whether it corresponds to the encrypted valid password stored in /etc/passwd.

That was in the early days; later, many other kinds of user authentication became common, among them more complex variants of /etc/passwd and hardware devices such as smart cards. The problem with such authentication is that every time a new authentication scheme is developed, every program that needs authentication (login, ftpd and so on) has to be rewritten to support the new method.

PAM provides a means of developing programs independently of the authentication scheme. Such programs need an "authentication module" attached to them at run time in order to perform the authentication.

The authentication module for LDAP is available as a tarball at:

    http://www.padl.com/pam_ldap.html

Here we assume that your Linux distribution already includes PAM. If it does not, see http://www.kernel.org/pub/linux/libs/pam. In practice, the standard PAM configuration differs from one Linux distribution to another. Usually the PAM configuration files live in the /etc/pam.d/ directory, with one file for each service running on the machine. For example, if you want to use the LDAP server for user login after Linux has booted, enable PAM on your Linux system (as explained at the beginning of this section), install the LDAP PAM module, and edit the PAM configuration file named login in the /etc/pam.d/ directory so that it reads as follows:

    #%PAM-1.0
    auth       required     /lib/security/pam_securetty.so
    auth       required     /lib/security/pam_nologin.so
    auth       sufficient   /lib/security/pam_ldap.so
    auth       required     /lib/security/pam_unix_auth.so try_first_pass
    account    sufficient   /lib/security/pam_ldap.so
    account    required     /lib/security/pam_unix_acct.so
    password   required     /lib/security/pam_cracklib.so
    password   required     /lib/security/pam_ldap.so
    password   required     /lib/security/pam_pwdb.so use_first_pass
    session    required     /lib/security/pam_unix_session.so

[Translator's note] pam_ldap only performs authentication, so you will probably also need to install nss_ldap, the NSS (Name Service Switch) module, so that uid, gid, home directory and so on can also be looked up from LDAP. nss_ldap is also available from the PADL Software web site. To create the entries in the directory, the LDAP Migration Tools mentioned above are useful.

6.5. Graphical LDAP tools

o Kldap

Kldap is a graphical LDAP client written for KDE. Kldap has a nice interface and lets you browse the whole information tree stored in the directory. You can look at screenshots of the application and download it at the following web site:

    http://www.mountpoint.ch/oliver/kldap

o GQ

There is also a graphical LDAP client with a nice interface called GQ, written for GNOME. GQ also works under KDE, and Kldap can run under GNOME. Downloads and more information are at the following web site:

    http://biot.com/gq/

6.6. Logs

slapd uses the syslog(8) facility to generate logs. The default user of the syslog(8) facility is LOCAL4, but LOCAL0, LOCAL1 and so on up to LOCAL7 can also be used.

To enable logging, you normally have to edit the syslog.conf file in the /etc directory. Add a line like this:

    local4.* /usr/adm/ldalog

This configuration uses the default user LOCAL4 of the syslog facility. If you do not know the syntax of this line, see the man pages of syslog, syslog.conf and syslogd. To change the default user or to set the level of the logs generated, give the following options when starting slapd:

    -s syslog-level

This option tells slapd at which level debugging information is to be output to the syslog(8) facility. The level describes the severity of the message and is one of the following keywords, in descending order of severity: emerg, alert, crit, err, warning, notice, info, debug. For example:

    slapd -f myslapd.conf -s debug

[Translator's note] This explanation seems to be mistaken. In reality, which debug information to output is given as a number; for the values, see the loglevel option of slapd.conf.

    -l syslog-local-user

Selects the local user of the syslog(8) facility. The value can be LOCAL0, LOCAL1 and so on up to LOCAL7; the default is LOCAL4. This option is permitted only on systems whose syslog(8) facility supports local users.

Now take a look at the generated logs. They are a great help in solving problems with queries, updates, binds and so on.

7. Sources of information

This section introduces useful URLs, informative books and RFC specifications for those who want to learn more about LDAP.

7.1. URLs

The following URLs contain very useful information about LDAP. This HOWTO was built from these URLs, so if you need more detailed information after reading this document, you may well find it there.

o University of Michigan LDAP page: http://www.umich.edu/~dirsvcs/ldap/index.html

o University of Michigan LDAP documentation page: http://www.umich.edu/~dirsvcs/ldap/doc/

o OpenLDAP Administrator's Guide: http://www.openldap.org/doc/admin

o How to implement Netscape roaming access manually: http://help.netscape.com/products/client/communicator/manual_roaming2.html

o Customizing the LDAP settings of Netscape Communicator 4.5: http://developer.netscape.com/docs/manuals/communicator/ldap45.htm

o Introducing to Directory Service (X.500): http://www.nic.surfnet.nl/surfnet/projects/x500/introducing/

o Linux Directory Service: http://www.rage.net/ldap/

7.2. Books

These are the best-known useful books about LDAP.

o Implementing LDAP by Mark Wilcox

o LDAP: Programming Directory-Enabled Applications with Lightweight Directory Access Protocol by Howes and Smith [Japanese translation: "LDAP インターネット ディレクトリ アプリケーション プログラミング"]

o Understanding and Deploying LDAP Directory Servers by Howes, Smith, and Good

7.3. RFCs

RFCs that support the development of LDAP.

o RFC 1558: A String Representation of LDAP Search Filters
o RFC 1777: Lightweight Directory Access Protocol
o RFC 1778: The String Representation of Standard Attribute Syntaxes
o RFC 1779: A String Representation of Distinguished Names
o RFC 1781: Using the OSI Directory to Achieve User Friendly Naming
o RFC 1798: Connectionless LDAP
o RFC 1823: The LDAP Application Programming Interface
o RFC 1959: An LDAP URL Format
o RFC 1960: A String Representation of LDAP Search Filters
o RFC 2251: Lightweight Directory Access Protocol (v3)
o RFC 2307: LDAP as a Network Information Service