LDAP Linux HOWTO
Luiz Ernesto Pinheiro Malere, malere@yahoo.com
v1.03, 28 September 2000
aóFîn « <inachi@earth.interq.or.jp>
v1.03j, 21 December 2000
±Ì¶ÍALinux }Vɨ¯é LDAP (Lightweight Directory Access
Protocol)T[oÌCXg[AÝèAÀsAÇÉÖ·éîñðڹĢ
Ü·BܽALDAP f[^x[XÌì¬û@Af[^x[XÌîñÌXVÆ
íA[~OANZXðÀ»·éû@ANetscape ÌAhX Ìpû
@É¢ÄÌÚ×àڹĢܷB±Ì¶ÌåªÍA~VKåwÌ
LDAP îñy[WÆ OpenLDAP Administrator's Guide ðîɵܵ½B
______________________________________________________________________
Ú
1. ͶßÉ
1.1 LDAP ÆÍH
1.2 fBNgT[rXÆÍH
1.3 LDAP ÍÇÌæ¤É®ì·éÌ©H
1.4 LDAP ÌobNGhAIuWFNgA®«
1.5 ±Ì¶ÌVµ¢o[W
1.6 Ó©ÆñÄ
1.7 [Xð
1.8 Ó«
1.9 ì ÆÆÓ
2. LDAP T[oÌCXg[
2.1 OÉKvÈàÌ
2.2 pbP[WÌ_E[h
2.3 T[oÌWJ
2.4 \tgEFAÌÝè
2.5 T[oÌì¬
3. LDAP T[oÌÝè
3.1 Ýèt@CÌtH[}bg
3.2 O[ofBNeBu
3.3 êÊobNGhfBNeBu
3.4 êÊf[^x[XfBNeBu
3.5 LDBM obNGhÅLfBNeBu
3.6 ¼ÌobNGhf[^x[X
3.7 ANZX§äÌá
3.8 Ýèt@CÌá
4. LDAP T[oÌÀs
4.1 R}hCIvV
4.2 LDAP T[oÌN®
4.3 LDAP T[oÌI¹
5. f[^x[Xì¬/Çc[
5.1 ICÅf[^x[Xð쬷éû@
5.2 ItCÅf[^x[Xð쬷éû@
5.3 LDIF tH[}bgÉ¢ijçÉ
5.4 ldapsearch, ldapdelete, ldapmodify [eBeB
6. ÇÁîñÆâ«
6.1 [~OANZX
6.1.1 ®«t@CÌÏX
6.1.2 IuWFNgNXt@CÌÏX
6.1.3 LDIF t@CÌì¬
6.1.4 Netscape Navigator ÌÝè
6.1.5 LDAP T[oÌÄN®
6.2 Netscape ÌAhX
6.3 LDAP Migration Tools
6.4 LDAP ðp¢½FØ
6.5 OtBJÈ LDAP c[
6.6 Logs
7. îñ¹
7.1 URLs
7.2 Ð
7.3 RFC
______________________________________________________________________
1. ͶßÉ
±Ì¶ÌåÈÚIÍALinux }VãÉ LDAP fBNgT[oðZbg
AbvµÄp·é±ÆÅ·BÇÒÍALDAP T[oðCXg[AÝèA
ÀsAÇ·éû@É¢ÄwÑÜ·B»ÌãALDAP NCAgÆ[
eBeBðp¢ÄfBNgÌîñði[Aæ¾AXV·éû@É¢
ÄàwÑÜ·BLDAP fBNgT[oÌf[Í slapd ÆæÎêAlX
È UNIX vbgtH[Å®ìµÜ·B
LDAP T[oÔÌ¡»ð©³ÇéÊÌf[ª èÜ·B±Ìf[Í
slurpd ÆæÎêĢܷªA³µ ½è±êÉ¢ÄCÉ·éKvÍ èÜ
¹ñB±Ì¶ÅÍA ȽÌ[JhCÉfBNgT[rXðñ
·é slapd ðÀsµÜ·B¡»ÍµÈ¢ÌÅ slurpd Íg¢Ü¹ñB
±Ì¶ÅྷéÌÍASÒÉÆÁÄ¿å¤Çæ¢öxÌÈPÈT[oÌ
«\zÅ·ªA]ÞÈçãÅÊÌÝèÉAbvO[h·é±ÆàÈPÅ
·B±Ì¶ÉڹĢéîñÍALDAP vgRðp·é梫ªªè
ÆÈèÜ·B¨»ç±Ì¶ðÇñ¾ãÉÍAT[oÌ\Íðg£µ½èA
³çÉÍ C, C++, Java JLbgÈÇðgÁÄNCAgð«½ÈÁ
½è·é±Æŵå¤B
1.1. LDAP ÆÍH
LDAP ÆÍAfBNgT[rXÉANZX·é½ßÌNCAgT[o
vgRÅ·B±êÍ X.500 ÌtgGhƵÄgíêĢܵ
½ªAX^hA[ÌfBNgT[oâ¼ÌíÞÌfBNgT[
oÅàg¦éæ¤ÉÈèܵ½B
1.2. fBNgT[rXÆÍH
fBNgÍf[^x[XÉĢܷªAæèLqIÅ®«x[XÌîñ
ðÜÞæ¤ÉÈÁĢܷBêÊÉfBNgÌîñÍAÝæèàÇ
oµÌûª¸ÁƽsíêÜ·Bµ½ªÁÄAêÊIÈf[^x[XÅåÊ
Ì¡GÈXVðs¤½ßÉp¢çêé¡GÈgUNVâ[obN
@\ðfBNgÅÍÊíÀµÜ¹ñBfBNgÌXVÍAÊÍ
all-or-nothing ÌPÈ«·¦Éܹ߬ñB
fBNgÍAåÊÌÆï é¢Íõìɦūéæ¤ÉÅK»³ê
ĢܷBÒ¦ÆM«ðüãA©ÂX|X^Cð¸ç·½ßÉA
fBNgÉÍîñðL¡»·é\ͪ èÜ·BfBNgîñª¡
»³êÄ¢éêAêIÈs®ª¶·é©àµêܹñªAèúIɯ
úðÆéæ¤ÉµÄ¨¯Îâè èܹñB
fBNgT[rXÌñû@ÉÍFXÈíÞª èÜ·B±Ì½ßAfB
NgÉÛ¶·éîñÌíÞª½lÉÈèAêûÅÍîñÌQÆAâ¹A
XVâAFسêÈ¢ANZX©çÇÌæ¤Éîñðçé©ÈÇÉÖµÄFX
Èvª¶¶Ü·BÇIÅAÀçê½ÎÛ(½Æ¦ÎAPêÌ}VÌ
finger T[rXÈÇ)ÌÝÖÌT[rXðñ·éæ¤ÈfBNgT[r
Xª éêûAåæIÅAÍé©ÉL¢ÎÛÉT[rXðñ·éæ¤ÈT[
rXà èÜ·B
1.3. LDAP ÍÇÌæ¤É®ì·éÌ©H
LDAP fBNgT[rXÍANCAgT[ofðîɵĢÜ
·BêÂÈãÌfBNgT[oªALDAP fBNgc[ é¢Í
LDAP obNGhf[^x[Xð\¬·éf[^ðÛLµÄ¢Ü·B LDAP
NCAgÍ LDAP T[oÉÚ±µA»ÌT[oÉεĿâµÜ·B±Ì
¿âÉεÄT[oÍñðÔ·©ANCAgª³çÉîñðTµo¹é
êÖÌ|C^(ÊíÍÊÌLDAPT[o)ðԵܷBNCAg©çÍA
ÇÌ LDAP T[oÉÚ±µÄàfBNgͯ¶æ¤É©¦Ü·B é
LDAP T[oÉñ¦µ½¼OÍÊÌ LDAP T[oÅ௶GgðQƵÜ
·B±êÍALDAP Ìæ¤ÈåæIfBNgT[rXÌdvÈÁ«Å·B
1.4. LDAP ÌobNGhAIuWFNgA®«
slapd ÉÍíÞÌÙÈéOÂÌobNGhf[^x[Xªt®µÄ¢ÄAÇ
êðIÔ©Í[UÌ©RÅ·BLDBM ÍfBXNx[X̬Èf[^x[
XÅ·BSHELL Í UNIX R}h é¢ÍXNvgÉηéf[^x[XC
^tF[XÅ·BPASSWD ÍÈPÈpX[ht@Cf[^x[XÅ·B
±Ì¶ÅÍ LDBM f[^x[XðIð·éàÌƵܷB
LDBM f[^x[XÍAf[^x[XÌeGgÉSoCgÌRpNg
ÅêÓȯÊqðèÄé±ÆÉæÁĬè§ÁĢܷB±Ì¯ÊqÍõ
øÌGgðQÆ·é½ßÉgíêÜ·Bf[^x[XÉÍAid2entry
Æ¢¤êÂÌåõøt@CªÜÜêÜ·B±êÍAGgÌêÓȯÊ
q(EID)ðGg©ÌÌeLXg\»É}bvµÜ·B»Ì¼Ìõøt@C
à¯lÉdzêÜ·B
LDAP x[XÌfBNgT[oÔÅfBNgîñðC|[g¨æÑ
GNX|[gµ½èAfBNgÉKp³êéPZbgÌÏXðLq·éÉ
ÍAÊ LDIF (LDAP Data Interchange Format)Æ¢¤tH[}bgªgíê
Ü·B LDIF ÍAGgÌIuWFNgwüÌKwÅîñði[µÜ·B±
ê©çp·é LDAP \tgEFApbP[WÉÍA LDIF t@Cð LDBM
tH[}bgÉÏ··é[eBeBªt®µÄ¢Ü·B
êÊÌ LDIF t@CÍÌæ¤ÈàeÉÈÁĢܷB
dn: o=TUDelft, c=NL
o: TUDelft
objectclass: organization
dn: cn=Luiz Malere, o=TUDelft, c=NL
cn: Luiz Malere
sn: Malere
mail: malere@yahoo.com
objectclass: person
ãɦµ½Æ¨èAeGgͯʼ(distinguished name: DN)ÅêÓɯ
ʳêÜ·BDN ÍAGg̼OÆGgðfBNgKwÌÅãÊ
ɳ©ÌÚÁ½¼OÌpXÆ©çÈèÜ·B
LDAP ÅÍAIuWFNgNXÍGgðè`·é½ßÉg¦é®«ÌW
Üèðè`µÜ·BLDAP ÌWÅÍAÌæ¤ÈIuWFNgNXÌî{
^ðñµÄ¢Ü·B
o fBNgÌO[v -- ±êÉÍAÂXÌIuWFNgÌȵ
Xg é¢ÍIuWFNgÌO[vªÜÜêÜ·B
o Ý -- ¼âLqÈÇB
o fBNgÌgDB
o fBNgÌlXB
GgÍñÂÈãÌIuWFNgNXɮūܷB½Æ¦ÎAl̽
ßÌGgÍAIuWFNgNX person Åè`µÜ·ªAIuWFNg
NX inetOrgPerson, groupOfNames, organization Ì®«ÉæÁÄàè`
Å«Ü·BT[oÌIuWFNgNX\¢(»ÌXL[})ÍAÁèÌGg
Év³ê½®«Æ³êĢ鮫ÌXgSÌðèµÜ·B
[ó] ±±ÅÍu®(belong)vÆ¢¤¾tª ¢Ü¢ÉgíêÄ¢Ü
·BinetOrgPerson Í person ©çh¶µÄ¢éÌÅA inetOrgPerson ÌG
gͼûÌIuWFNgNXÌGgƾ¦Ü·BܽA\¢^ÌI
uWFNgNXÆâ^ÌIuWFNgNXðgÝí¹½Ggð
ìÁ½êà¡ÌIuWFNgNXÉu®vµÄ¢éƾ¦éŵå
¤Bµ©µAgroupOfNames Æ organization Ílðè`·éàÌÅÍÈA
lð\»·éGgð DN ÅQÆū龯ŷB
fBNgÌf[^ÍA®«ÆlÌyAƵÄ\»³êÜ·BîñÌ¢©È
éªàLqIÈ®«ÆÖAt¯çêĢܷB
½Æ¦ÎA®« commonName (cn)ÍAl̼Oði[·é½ßÉg¢Ü·B¼
Oª Jonas Salk Å élÍAfBNgÅÍÌæ¤É\¹Ü·B
cn: Jonas Salk
fBNgÉi[·éelÍAIuWFNgNX person Ì®«ÌWÜ
èÉæÁÄè`³êÜ·B±ÌGgðè`·é½ßÉgíêé¼Ì®«É
ÍÌæ¤Èà̪ èÜ·B
givenname: Jonas
surname: Salk
mail: jonass@airius.com
Kv®«(required attribute)ÆÍAIuWFNgNXðg¤GgÉ^
¦È¯êÎÈçÈ¢®«Ì±ÆÅ·B·×ÄÌGgÍ objectClass ®«
ðKvƵܷB±êÍ»ÌGgª®·éIuWFNgNXÌXg
ðwè·éàÌÅ·B
®«(allowed attribute)ÆÍAIuWFNgNXðg¤GgÉ^
¦é±ÆÌū鮫̱ÆÅ·B½Æ¦ÎAIuWFNgNX person É
¨¢ÄA®« cn Æ sn ÍKv®«Å èA®« description,
telephoneNumber, seeAlso, userpassword Í®«Å ÁÄKv®«ÅÍ
èܹñB
e®«ÍAηéV^bNXè`ðÁĢܷB±ÌV^bNXè`
ÍA®«ÉæÁÄñ³êéîñÌ^CvðLqµÜ·B
bin
oCi
ces
p嬶ðæÊ·é¶ñ(ärÌÛÉp嬶Ìá¢ð³µÈ
¢)
cis
p嬶ðæʵȢ¶ñ(ärÌÛÉp嬶Ìá¢Í³·
é)
tel
dbÔ̶ñ(cis ÉÄ¢éªAärÌÛÉuNÆ_bV
`-' ð³·é)
dn ¯Ê¼
IuWFNgNXÆ®«Ìè`ªVXeÌÇ±É é©ðméÉÍA
``LDAP T[oÌÝè''ÌÅÌiðQƵľ³¢B
1.5. ±Ì¶ÌVµ¢o[W
±Ì¶ÍAÇÒæèó¯æÁ½tB[hobNðx[XɵÄC³ÆXVð
sÁĢܷB±Ì HOWTO ÌVµ¢o[WÍÌƱëÅ©êÜ·B
http://www.mobilesoft.com.br/HOWTO/LDAP-HOWTO.html
1.6. Ó©ÆñÄ
±Ì¶É éîñÉ¢Ľç©Ì^⪠êÎAemail ÅÉAµÄ
¾³¢B(malere@yahoo.com)
RgâñĪ éêàÉmç¹Ä¾³¢B
1.7. [Xð
±ÌßÉÍA±Ì¶Ì[XêðútÉڹĢܷBe[XÉ
¢ÄÍAOo[W©çÌÏX_AVKÇÁÚAC³_ðLµÄ¢Ü
·B
v1.0: 20 June 1999, úo[W
v1.01: 15 February 2000, ÌßðÇÁ
o LDAP Migration Tools
o LDAP ðp¢½FØ
o OtBJÈ LDAP c[
o RFC
v1.02: 13 September 2000, ëÌC³¨æÑÌßÌÇÁ
o [Xð
v1.03: 28 September 2000, OpenLDAP 2.0 Ìà¾ÌÇÁB±êÍ Ldap v3
(RFC2251 <ftp://ftp.isi.edu/in-notes/rfc2251.txt>) ðæèñÅ¢Ü
·B
[ó] ZúÔÅ OpenLDAP 2.0 ÌîñðæèñÅê½ÌÍæ¢ÌÅ·
ªA»Ì¹¢© OpenLDAP 1.2,x ÌîñÆ 2.0.x Ìîñª¬µÄ¢Ü·B
óÒÌCâ½Æ±ëÍóŦµÄ¨«Ü·B
1.8. Ó«
±Ì HOWTO ¶ÍAI_Ì TUDelft åwŪתÄç쬵½àÌ
̬ÊÅ·B±Ì¶ðæ¤É©ßÄê½lXA Rene van Leuken
Æ Wim Tiwon É´Óµ½¢B{É èªÆ¤BÞçàƯ¶ Linux t@
Å·B
»ê©çA̶Év£µÄê½hCcêÅ LDAP-HOWTO Ì|óÒÅ é
Thomas Bendler ÆALDP vWFNgÌÌåÈé{eBAÅ é Joshua
Go Éà´Óµ½¢B
1.9. ì ÆÆÓ
±Ì LDAP Linux HOWTO Ìì ÍA1999 NÈ~ Luiz Ernesto Pinheiro
Malere É èÜ·B±Ì¶Í©RÉzzÅ«Ü·B±Ì¶ðÏXµÄÍ
ÈèܹñB½ç©ÌñĪ éêÉÍ email ÅÉAµÄ¾³¢
(»ÌñĪLøÈçAª¶ðÏXµÜ·)B
|gKêÈÇÉ|óµ½¢êà email ÅÉAµÄ¾³¢B
±Ì¶ÌàeÉ¢ÄÍêØÌÓCð¢Ü¹ñB±Ì¶É éèÉ
]Á½ÊÉ¢ÄAÍêØÌÓCð¿Ü¹ñB
±ÌÉ¢Ä^â_ª éÈçÎALinux HOWTO ÇÒÉAµÄ¾³¢
(linux-howto@metalab.unc.edu)B
2. LDAP T[oÌCXg[
LDAP T[oðCXg[·éÉÍAOÉKvÈpbP[WÌCXg[
(ùÉCXg[³êĢȢê)ALDAP T[o\tgEGFAÌ_E
[hA\tgEFAÌWJAMakefile ÌÝèAT[oÌì¬ÌÜÂÌX
ebvªKvÅ·B
2.1. OÉKvÈàÌ
[ó] ±ÌßÍî{IÉ OpenLDAP 2.0.x ÉÖµÄྵĢܷB
LDAPv3 É®S·é½ßÉAOpenLDAP ÌNCAgÆT[oÍÉ °
é\tgEFAªCXg[³êÄ¢é±ÆðKvƵܷB
OpenSSL TLS Cu
OS ÉæÁÄͱÌCuªîÕVXeÌê é¢ÍIvVÌ\
tgEFAR|[lgƵÄñ³êÄ¢é©àµêܹñªAOpenSSL
ͽ¢Ä¢ÊÉCXg[ªKvÆÈèÜ·B OpenSSL Í
http://www.openssl.org <http://www.openssl.org> ©çüèÅ«Ü·B
Kerberos FØT[rX
OpenLDAP ÌNCAgÆT[oÍAKerberos x[XÌFØT[rXðT|
[gµÜ·BÁÉ OpenLDAP ÅÍAHeimdal © MIT Kerberos V pbP[WÌ
¢¸ê©ðp¢½ SASL/GSSAPI FØ@\ðT|[gµÜ·B Kerberos x[
XÌ SASL/GSSAPI FØðg¤ÌÅ êÎA Heimdal © MIT Kerberos V ðC
Xg[µÄ¨¢Ä¾³¢B Heimdal Kerberos Í
http://www.pdc.kth.se/heimdal <http://www.pdc.kth.se/heimdal> ©çüè
Å«Ü·B
MIT Kerberos Í http://web.mit.edu/kerberos/www
<http://web.mit.edu/kerberos/www> ©çüèÅ«Ü·B Kerberos ªñ·
éæ¤ÈÅÈFØT[rXÌpð©ßÜ·B
Cyrus"s Simple Authentication and Security Layer Cu
OS ÉæÁÄͱÌCuªîÕVXeÌê é¢ÍIvVÌ\
tgEFAR|[lgƵÄñ³êÄ¢é©àµêܹñªA Cyrus
SASL ͽ¢Ä¢ÊÉCXg[ªKvÆÈèÜ·B Cyrus SASL Í
http://asg.web.cmu.edu/sasl/sasl-library.html
<http://asg.web.cmu.edu/sasl/sasl-library.html> ©çüèÅ«Ü
·BCyrus SASL ÍAOpenSSL Æ Kerberos/GSSAPI ÌCuªCXg[
³êÄ¢êÎA»êçðg¤æ¤ÉÈèÜ·B
f[^x[X\tgEFA
OpenLDAP Ì slapd ÌåvÈf[^x[XobNGh LDBM ÍAGgX
g[WÉg¤f[^x[XpbP[WðKvƵܷB LDBM Ìf[^x[
XÉÍ Sleepycat Software Ì BerkeleyDB (§) é¢Í Free Software
Foundation Ì GNU Database Manager (GDBM) ðpÅ«Ü·B configure
XNvgðÀs·éÆ«ÉA±êçÌpbP[WÌÇ¿çàpūȯê
ÎA±ÌåvÈf[^x[XobNGhðT|[gµ½ slapd ð\zÅ«
ܹñB
±êçñÂÌpbP[WÍAǿ穪îÕVXeÌê é¢ÍIvV
Ì\tgEFAR|[lgƵÄñ³êÄ¢é©àµêܹñµA©
ªÅ\tgEFAðüèµÄCXg[·éKvª é©àµêܹñB
BerkeleyDB Í Sleepycat Software Ì _E[hy[W
http://www.sleepycat.com/download.html
<http://www.sleepycat.com/download.html> ©çüèÅ«Ü·B±êð¢
Ä¢é_ÅÌÅV[XÅ éo[W 3.1 ª¨©ßÅ·B
GDBM Í FSF Ì_E[hTCg ftp://ftp.gnu.org/pub/gnu/gdbm
<ftp://ftp.gnu.org/pub/gnu/gdbm> ©çüèÅ«Ü·B±êð¢Ä¢é
_Åo[W 1.8 ªÅV[XÅ·B
Xbh
OpenLDAP ÍXbhÌ_ð©¹éæ¤ÉÝv³êĢܷB OpenLDAP
Í POSIX pthreads, Mach CThreads ÈÇÆ¢Á½³Ü´ÜÈXbhn
ðT|[gµÄ¢Ü·Bconfigure XNvgªK³ÈXbhTuVXe
ðoÅ«È¢êA configure Ís½ð¾ÁÄ«Ü·B±êªN«½ê
ÉÍAOpenLDAP FAQ http://www.openldap.org/faq
<http://www.openldap.org/faq> Ì Software - Installation - Platform
Hints ÌZNVð²×ÄÝľ³¢B
TCP Wrappers
TCP wrappers (IP xÌANZX§ätB^)ªOÉCXg[³ê
Ä¢êÎAslapd Í»êðT|[gµÜ·BñöJÌîñðÂT[oÉ¢
ÄÍ TCP wrappers â»Ì¼Ì IP xÌANZXtB^(IP xÌ
t@CEH[Éñ³êéàÌÈÇ)Ìpð©ßÜ·B
2.2. pbP[WÌ_E[h
t[Ézz³êÄ¢é LDAP T[oÉÍA~VKåwÌ LDAP T[oÆ
OpenLDAP T[oÌñª èÜ·BܽAÁèÌð̺ÅÌÝt[Å
éàÌÉ Netscape fBNgT[oª èÜ·(½Æ¦ÎA³ç@ÖÍt
[ÅpÅ«Ü·)BOpenLDAP T[oÍA~VKåwÌT[oÌÅVo[
WðîɵĢÄA[OXgÆ OpenLDAP Åð§ÂÇÁ̶ª
èÜ·B±Ì¶ÅÍAOpenLDAP ðp·é±ÆɵܷB
OpenLDAP ÌÅVÌ tar+gzip o[WÍAÌƱë©çüèÅ«Ü·B
http://www.openldap.org
~VKåwÌT[oÌÅVo[Wª~µ¢ÈçAÌƱë©çüèÅ
«Ü·B
ftp://terminator.rs.itd.umich.edu/ldap
±Ì¶ðÛÉÍñÂÌo[WÌ OpenLDAP pbP[Wðg¢Üµ
½BêÂÍÅVÌÀèÅ 1.2.11 ÅAà¤êÂÍVKÉ[X³ê½ 2.0.4
Å·BªgÁÄ¢é OS Í J[l 2.2.13 Ì Slackware Linux Å·B
OpenLDAP ÌTCgÉÍAOpenLDAP T[oÌÅVÌJÅÆÀèŪu©êÄ
¢Ü·B±Ì¶ðXVµ½_ÅAÅVÌÀèÅÍ openldap-
stable-20000704.tgz Å·BÅVÌJÅÍ openldap-2.0.4.tgz Å·B
[ó] ±±Å¢¤JÅÍÀÛÉÍ[XÅÅ·B|ó_ÅÌÅVÌ
[XÅÍ openldap-2.0.7.tgz ÅAJÅÍ èܹñBÀèÅÍ
OpenLDAP 1.2.11 x[XÌàÌÅ·B
2.3. T[oÌWJ
³ÄA[J}VÉ gzip ÅÅßçê½pbP[WðàÁÄ«ÄA»êð
WJ·é±Æɵܵå¤B
ܸA±ÌpbP[Wð /usr/local ÈÇÌ]ÝÌfBNgÉRs[µÜ
·B
»µÄÌR}hðÀsµÜ·B
tar xvzf openldap-stable.tgz
ÌR}hÅ௶±ÆªÅ«Ü·B
gunzip openldap-stable.tgz | tar xvf -
2.4. \tgEFAÌÝè
¢Â©ÌIvVªpÓ³êÄ¢ÄA±êçðJX^}CY·é±ÆÉæ
èACXg[·éTCgÉÅKÈ\tgEFAªì¬Å«Ü·B
±Ì\tgEFAÌÝèÉÍAñÂÌXebvµ©Kv èܹñB
o \tgEFAðWJµ½fBNgzºÌTufBNg include É
ét@C ldapconfig.h.edit ðÒW·éB
o configure XNvgðÀs·é( Ƚª^tKCÈçÎAconfigure X
NvgðÀs·éãíèÉ Make-common t@CðÒW·é±ÆàÅ«
Ü· :^)B
[ó] »ÝÌ OpenLDAP ÉÍ Make-common t@CͶݵܹñB
t@C include/ldapconfig.h.edit ÅÍAslapd Æ slurpd f[Ì
ÝÈÇÌIvVðÝèÅ«Ü·B±Ìt@C©Ìæߪ¯çêÄ
¢ÄAftHgÌÝèÍÅàêÊIÈÇÒÌIðð½fµÄ¢éÌÅA}
¢Å¢éÈç±ÌXebvðȪµÄ¾³¢B
vi include/ldapconfig.h.edit
OpenLDAP T[oÌzz\[XÉÍACXg[·éfBNgâRp
CÆJÌtOÈÇÌIvVðwè·é½ßÌÝèXNvgªt
®µÄ¢Ü·B\tgEFAðWJµ½fBNgÅÌæ¤É^CvµÄ
¾³¢B
./configure --help
±êÍA\tgEFAð쬷éOÉ configure XNvgÅJX^}CY
Å«é·×ÄÌIvVðóµÜ·BCXg[·éfBNgðÝ
è·éÉÍA--prefix=pref, --exec-prefix=eprefix, --bindir=dir ÌIv
VªLpÅ·BÊÉIvVȵŠconfigure ðÀs·êÎAKØ
ÈÝèð©®oµAftHgÌêÊIÈêÉCXg[·éæ¤É
õµÜ·BÆ¢¤±ÆÅA»Ìæ¤ÉµÄÝܵå¤B
./configure
oÍð²×ÄA·×ĤܢÁ½©ðmFµÄ¾³¢B
2.5. T[oÌì¬
\tgEFAðÝèµI¦½çA\tgEFAÌì¬ðͶßé±ÆªÅ«Ü
·BܸAÌR}hðgÁÄ˶ÖWð쬵ܷB
make depend
»ÌãAÌR}hðgÁÄT[oð쬵ܷB
make
·×ĤܢÁ½ÈçAÝ赽ƨèÉ쬳êÄ¢éŵå¤B»¤Å
ȯêÎAOÌXebvÉßÁÄÝèµ½àeð²×ľ³¢B\tgEF
AðWJµÄÅ«½fBNg̺ÌpX doc/install/hints É év
bgtH[ÅLÌqgðmFµÄÝľ³¢B
³ AoCiÆ man y[WðCXg[µÜµå¤B±êðs¤ÉÍ(C
Xg[·éêÉàæèÜ·ª)X[p[UÉÈéKvª éŵå
¤B
su
make install
±êÅ®¹Å·B ȽÍT[oÌoCiƻ̼¢Â©Ì[eB
eBÌoCiðèÉüêܵ½B``LDAP T[oÌÝè''ÉiñÅA LDAP
T[oÌÝèû@ð©Ä¾³¢B
OpwnLDAP 2.0 T[oÌoCiÍ slapd Æ¢¤¼OÅ·B OpenLDAP 2.0 Í
8 30 úɳ®É[X³êܵ½B±êÍ RFC 2251 Éè`³ê½
LDAP vgR v3 ðæèñŢܷB
OpenLDAP 2.0 ÌåÈÁ¥ðÉ °Ü·B
o LDAPv2 Æ LDAPv3 (RFC2251-2256,2829-2831) ÌT|[g
o ù¶ÌNCAgÆÌÝ·«ÌÛ
o IPv4 Æ IPv6 ÌT|[g
o ÍÈFØ@\(SASL) (RFC2829)
o Start TLS (RFC2830)
o ¾ê^O(RFC2596)
o DNSx[XÌT[rXP[V(RFC2247+"locate" C^[lbgh
tg)
o X^hA[T[oÌ»
o ¼O«QÆ/ManageDsaIT ("nameref" C^[lbghtg)
o ANZX§äTuVXeÌ»
o Xbhv[O
o vGveBuXbhÌT|[g
o ¡XiÌT|[g
o LDIFv1 (RFC2849)
o vbgtH[/TuVXeÌoÌüP
LFLinux Documentation Project (LDP)ÅÍ LDAP Implementation HOWTO
Æ¢¤¶ðpÓ·é\èÅ·B±Ì¶Í OpenLDAP 2.0 ÌV@\ð²×½
¢lÉÆÁÄ·Îçµ¢îñ¹ÆÈéŵå¤B±Ì¶Í 2000 NÌ 12
É[X³êé\èÅ·B
OpenLDAP pbP[WÌÅVÅÅÍA¡ì¬µ½oCiðeXg·é±Æà
Å«Ü·BpbP[WÉÍeXgXNvgªt®µÄ¢ÄAÌæ¤ÉµÄ
ÀsÅ«Ü·B
make test
[ó] ±ÌeXgû@Í OpenLDAP 2.0.x ÌêÅ·B OpenLDAP 1.2.x Å
Í tests TufBNgÉÚÁÄ©ç make µÜ·B
XNvgŽ©«¢±ÆªN«½Èç Ctrl-C ðü͵ÄXNvgÌÀs
ðfÅ«Ü·BÌêAXNvgÌÀsª®SÉI¹·éOÉXNv
gÌÀsªâ~µÜµ½BÆà©àAÌ OpenLDAP ÌÝèÅà¢Â©Ì
¬÷(successfull)ÌbZ[WðmFūĢܷ
[ó] óÒÌ«(Vine Linux 2.1 + OpenLDAP 2.0.7)ŵ½Æ±ëÅÍA
âèÈ·×ÄÌeXgðpXµÜµ½B
3. LDAP T[oÌÝè
[ó] ±ÌÍÌà¾Íî{IÉ OpenLDAP 2.0.x ÉîâĢܷB
\tgEFAÌCXg[ª®¹µ½çA ȽÌTCgÅp·é½ßÌ
ÝèðµÜµå¤Bslapd C^CÝèÌ·×ÄÍAslapd.conf t@C
ðƨµÄs¢Ü·B±Ìt@CÍ configure XNvgÅwèµ½
prefix fBNg(ftHgÍ /usr/local/etc/openldap)ÉCXg[
³êĢܷB
±ÌßÅÍ slapd.conf ÅægíêéÝèfBNeBuÉ¢ÄÚµà
¾µÜ·BSfBNeBuÌXgÉ¢ÄÍ slapd.conf(5) }j
A
y[WðQƵľ³¢BBÝèt@CÌfBNeBuÍAO[o
AobNGhÅLAf[^ÅLÌJeSɪ¯Ä¢Ü·BefBN
eBuÉ¢ÄÍA»Ìà¾ÆÆàÉ(ൠêÎ)»ÌftHglÆÝèá
ð¦µÜ·B
3.1. Ýèt@CÌtH[}bg
t@C slapd.conf ÍAO[oAobNGhÅLAf[^x[XÅL
ÌR^CvÌÝèîñ©ç¬èÜ·BܸÅÉwè·éÌÍO[oîñ
Å èA»ÌãÉÁèÌobNGhíÊÉÖAµ½îñª±«A³çÉ»Ì
ãÉÁèÌf[^x[XÀÌÉÖAµ½îñª±«Ü·B
O[ofBNeBuÍãÌobNGhâf[^x[XÝèÌfBN
eBuÅã«Å«AobNGhÝèfBNeBuÍf[^x[XÝè
fBNeBuÅã«Å«Ü·B
uNsÆ '#' ¶ÅnÜéRgsͳ³êÜ·BsªóÅn
ÜÁÄ¢éêAOÌs©çÌp±Å éÆÝȳêÜ·B slapd.conf Ìê
ÊIÈtH[}bgÍÌæ¤ÉÈèÜ·B
# O[oÝèfBNeBu
<O[oÝèfBNeBu>
# obNGhè`
backend <typeA>
<obNGhÅLfBNeBu>
# PÔÚÌf[^x[Xè` & ÝèfBNeBu
database <typeA>
<f[^x[XÅLfBNeBu>
# QÔÚÌf[^x[Xè` & ÝèfBNeBu
database <typeB>
<f[^x[XÅLfBNeBu>
# ±«Ìf[^x[Xè` & ÝèfBNeBu
...
ÝèfBNeBuÌÉÍøðÆéà̪ èÜ·BøÌ éêÉÍ
óÅæØÁÄÀ×Ü·BøÉóðÜß½¢êÉÍAøðñdøp
ÅÍÝÜ·BøÉñdøpâobNXbV
¶ `\' ðÜß½¢ê
ÉÍA»Ì¶ÌOÉobNXbV
¶ `\' ðu«Ü·B
OpenLDAP Ìzz¨ÌÉÍÝèt@CÌTvªt¢Ä«Ü·B±êÍ
Ê /usr/local/etc/openldap fBNgÉCXg[³êÜ·BXL
[}è`(®«^ÆIuWFNgNX)ðÜñ¾t@Cà
/usr/local/etc/openldap/schema fBNgÉñ³êĢܷB
3.2. O[ofBNeBu
±ÌßÅྷéfBNeBuÍAobNGhܽÍf[^x[XÌè`
ÅÁÉ㫵ȢÀèA·×ÄÌobNGhÆf[^x[XÉKp³êÜ
·BÀÛÌeLXgÅu«·¦éfBNeBuÌøÍuPbg <> Ŧ
µÜ·B
access to <what> [ by <who> <accesslevel> <control> ]+
±ÌfBNeBuÍAGg⮫ÌPZbg(<what> Éwè)É
ηéANZX (<accesslevel> Éwè)ðPlÈãÌvÒ(<who>É
wè)É^¦Ü·BæèÚµÍuANZX§ävÌáðQƵľ
³¢B
attributetype <RFC2252 Attribute Type Description>
±ÌfBNeBuÍ®«^ðè`µÜ·B
defaultaccess { none | compare | search | read | write }
±ÌfBNeBuÍAaccess fBNeBuªwè³êĢȢÆ
«ÉAvÒÉ^¦éftHgÌANZX ðwèµÜ·BÇÌAN
ZX xàæèºÊÌANZX xðÃÉ^¦Ü· (½Æ¦Î
read ANZX ÍAsearch, compare ANZX ðÃÉ^¦Ü·ª
write ANZX Í^¦Ü¹ñ)B
ftHgÌÝèÍÌƨèÅ·B
defaultaccess read
idletimeout <integer>
AChóÔÌNCAgÚ±ð§IÉØf·éÜÅÌbðwè
µÜ·Bidletimeout Ìlª 0 Å éÆ(ftHg) ±Ì@\ͳø
ÉÈèÜ·B
include <filename>
±ÌfBNeBuÍAslapd ª»ÝÌt@CÌÌsÉiÞOÉA
^¦½t@C©çÇÁÌÝèîñðÇÝÞ±ÆðwèµÜ·Bæè
Þt@CÍAÊíÌ slapd Ýèt@CÌtH[}bgÉ]¢Ü
·Bt@CÌæÝÍêÊÉXL[}wèÌLq³ê½t@Cðæ
èÞÌÉgíêÜ·B
LF±ÌfBNeBuÌæµ¢ÉÍӵľ³¢ - üêqÉ
ÈÁ½ include fBNeBuɧÀÍÈAinclude ª[vÉ
ÈÁ½êÅào³êܹñB
loglevel <integer>
±ÌfBNeBuÍAfobOîñÆìÌvlð syslog ÉoÍ
·éxðwèµÜ·(»ÝÌƱëAsyslogd(8) Ì LOG_LOCAL4
t@VeBÉL^³êÜ·)B±ÌIvVªLøÉÈéæ¤É·
éÉÍ OpenLDAP ð --enable-debug t«(ftHg)Å configure
µÈ¯êÎÈèܹñ(vÉÖ·éñÂÌxÍáOÅA±êçÍ
íÉpÂ\Å·)BÇÌfobNɽ̪εĢéÌ©ð²×
éÉÍ -d ? ðwèµÄ slapd ðN®·é©AȺÌ\ðQlɵÄ
¾³¢B<integer> ÉwèÂ\ÈlÉÍÌà̪ èÜ·B
[ó] OpenLDAP 2.0.x ÅÍ slapd Ì -d ? w誳Èèܵ½B
-1 ·×ÄÌfobOxðLøÉ·é
0 fobOµÈ¢
1 ÖÄoµÌg[X
2 pPbgÌfobO
4 Ú×ÈfobOg[X
8 Ú±Ç
16 pPbgóMÌó
32 õtB^
64 Ýèt@C
128 ANZX§äXg
256 Ú±/ì/ÊÌvO
512 GgMÌvO
1024 shell obNGhÆÌÊMÌó
2048 GgðÍÌfobOó
½Æ¦ÎÌæ¤ÉwèµÜ·B
loglevel 255 é¢Í loglevel -1
±Ìæ¤ÉÝè·éÆAåÊÌfobOîñªL^³êÜ·B
ftHgÌÝèÍÌƨèÅ·B
loglevel 256
objectclass <RFC2252 Object Class Description>
±ÌfBNeBuÍIuWFNgNXðè`µÜ·B
referral <URI>
±ÌfBNeBuÍAvð·é½ßÌ[Jf[^x[Xð
©Â¯çêÈ©Á½êÉANCAgÉß·ÐîæðwèµÜ·B
½Æ¦ÎÌæ¤ÉwèµÜ·B
referral ldap://root.openldap.org
±êÍAOpenLDAP vWFNgÌO[o[g LDAP T[oÉñ[
JÈâ¹ðÐî·é±ÆðwèµÜ·B«¢ LDAP NCAgÈç
ß³êéT[oÉÄvð·éŵ太A»Ìæ¤ÈNCAgÌÙ
ÆñÇÍAzXg¼ÌªÆIvV̯ʼ̪ÆðÁ½PÈ
LDAP URL Ìû@ðmÁĢ龯ŷB
sizelimit <integer>
±ÌfBNeBuÍAõì©çÔ·GgÌÅåðwèµÜ
·B
ftHgÌÝèÍÌƨèÅ·B
sizelimit 500
timelimit <integer>
±ÌfBNeBuÍAslapd ªõvÌÉg¤Ååb(À
Ô)ðwèµÜ·B±ÌÔàÉvªB¹çêȯêÎAÔ§Àð
´ßµ½±Æð¦·ÊðԵܷB
ftHgÌÝèÍÌƨèÅ·B
timelimit 3600
3.3. êÊobNGhfBNeBu
±ÌßÌfBNeBuÍA»ÌfBNeBuªè`³êÄ¢éobNG
hÉÌÝKp³êÜ·B±êçÌfBNeBuÍSíÊÌobNGhÅT
|[g³êÜ·BobNGhfBNeBuÍA¯íÊÌ·×ÄÌf[^x
[XÀÌÉKpµÜ·ªAfBNeBuÉæÁÄÍf[^x[XfBN
eBuÅ㫳êÜ·B
backend <type>
±ÌfBNeBuÍAobNGhè`ÌnÜèð¦µÜ·B
<type> ÉÍAldbm, shell, passwd ÈÇT|[g³êÄ¢éobNG
híÊÌÇê©ðwèµÜ·B
3.4. êÊf[^x[XfBNeBu
±ÌßÌfBNeBuÍA»ÌfBNeBuªè`³êÄ¢éf[^x[
XÉÌÝKp³êÜ·B±êçÌfBNeBuÍSíÊÌf[^x[XÅT
|[g³êÜ·B
database <type>
±ÌfBNeBuÍVµ¢f[^x[XÀÌè`ÌnÜèð¦µÜ
·B<type> ÉÍAldbm, shell, passwd ÈÇAT|[g³êÄ¢éf
[^x[XÌíÊÌ¢¸ê©ðwèµÜ·B
½Æ¦ÎÌæ¤ÉwèµÜ·B
database ldbm
±ÌÝèÍAVµ¢ LDBM obNGhf[^x[XÀÌè`ÌnÜèð
¦µÜ·B
readonly { on | off }
±ÌfBNeBuÍAf[^x[XðuÇæèêpv[hɵÜ
·B±Ì[hÅf[^x[XðXVµæ¤Æ·éÆ "unwilling to
perform" G[ªÔèÜ·B
ftHgÌÝèÍÌƨèÅ·B
readonly off
replica
<-- [orig] replica host=<hostname>[:<port>] [bindmethod={ simple
| kerberos | sasl }] ["binddn=<DN>"] [mech=<mech>]
[authcid=<identity>] [authzid=<identity>]
[credentials=<password>] [srvtab=<filename>] -->
replica host=<hostname>[:<port>]
[bindmethod={ simple | kerberos | sasl }]
["binddn=<DN>"]
[mech=<mech>]
[authcid=<identity>]
[authzid=<identity>]
[credentials=<password>]
[srvtab=<filename>]
±ÌfBNeBuÍA±Ìf[^x[XÌ¡»TCgðwèµÜ·Bp
[^ host= ÍAX[u slapd ÌÀ̪ ézXgÆ|[g(Iv
V)ðwèµÜ·B<hostname> ÍhC¼ é¢Í IP AhXð
gÁÄwèµÜ·B<port> ª^¦çêĢȯêÎAWÌ LDAP |[g
Ô(389)ªgíêÜ·B
p[^ binddn= ÍAX[u slapd ÌXVÅoCh·é½ßÌ DN
ð^¦Ü·B±êÍAX[u slapd Ìf[^x[XÉεÄANZX
read/write ðÁ½ DN ɵȯêÎÈèܹñBÊíÍX[u slapd
ÌÝèt@CÉ é rootdn ÉwèµÄ éàÌð^¦Ü·Bܽ±Ì
DN ÍAX[u slapd Ýèt@CÌ updatedn fBNeBuÉwè
µ½àÌÆêvµÄ¢È¯êÎÈèܹñB DN ÉÍXy[XªüÁÄ¢
é±Æª½¢ÌÅA"binddn=<DN>" ¶ñÍñdøpÅÍÁĨÆæ
¢Åµå¤B
bindmethod ÍAX[u slapd ÖÌÚ±Ég¤FتpX[hx[X
ÌàÌ©AKerberos ©ASASL ©ÉæÁÄ simple © kerberos © sasl
ÉÈèÜ·B
ÈÕFØÍ\ªÈêÑ«Æ@§«ÌÛì(TLS â IPSEC ÈÇ)ªÈ¯êÎg
¤×«ÅÍ èܹñBÈÕFØÍ binddn Æ credentials p[^Ì
wèðKvƵܷB
Kerberos FØÍASASL FØ̹¢ÅãxêÉÈÁĢܷB (ÁÉ
KERBEROS_V4 Æ GSSAPI)BKerberos FØÍ binddn Æ srvtab p[^
ÌwèðKvƵܷB
êÊÉÍ SASL FØðg¤±Æð©ßÜ·BSASL FØÍ mech p[^
ðgÁ½@\ÌwèªKvÅ·Bwè·é@\É˶µÄAFØACf
eBeBâؾð authcid Æ credentials ðgÁÄwèÅ«Ü·BF
ØACfeBeBÌwèÉÍ authzid p[^ðg¤©àµêܹ
ñB
replogfile <filename>
±ÌfBNeBuÍAslapd ª ÏXðL^·é¡»Ot@CÌ
¼OðwèµÜ·B¡»OÍÊí slapd ª«oµAslurpd ªÇÝ
æèÜ·BÊí±ÌfBNeBuÍAf[^x[Xð¡»·é½ßÉ
slurpd ªgíêÄ¢éêÉÌÝpµÜ·Bµ©µ slurpd ðÀs
µÄ¢ÈÄàAgUNVO̶¬Ég¦Ü·B±ÌêA
¡»Ot@CͳÀɦ±¯éÌÅèúIÉØèlßéKvª
èÜ·B
rootdn <dn>
±ÌfBNeBuÍA±Ìf[^x[XÉηéANZX §ä é
¢ÍÇÀx̧ÀÉ]íÈ¢ DN ðwèµÜ·B±Ì DN ÍfBN
gÌGgÅ éKvÍ èܹñB±Ì DN ÉÍ SASL ACf
eBeBðg¦Ü·B
Ggx[XÌáF
rootdn "cn=Manager,dc=example,dc=com"
SASL x[XÌáF
rootdn "uid=root@EXAMPLE.COM"
rootpw <password>
±ÌfBNeBuÍAãÌIvVÅ^¦½ DN ÌGgª¶Ý
·é©A»ÌGgªpX[hðÁÄ¢é©É©©íç¸AíÉ
Kp·épX[hðwèµÜ·B±ÌfBNeBuÍ SASL FØÌ
¹¢ÅãxêÉÈÁĢܷB
½Æ¦ÎÌæ¤ÉwèµÜ·B
rootpw secret
suffix <dn suffix>
±ÌfBNeBuÍA±ÌobNGhf[^x[XÉn·â¹Ì
DN Úö«ðwèµÜ·B¡Ì suffix sð^¦Äàæ¢Å·ªAe
f[^x[Xè`ÉÈÆàêÂÍKvÅ·B
½Æ¦ÎÌæ¤ÉwèµÜ·B
suffix "dc=example,dc=com"
±ÌwèÅÍADN ÌöÉ "dc=example, dc=com" Ìt¢½â¹ª±Ì
obNGhÉn³êÜ·B
LFâ¹ðn·obNGhªIð³êéÆ«Aslapd Íef[^x
[XÌ suffix sðÝèt@CÉ»êéÔÉ©Ä¢«Ü·Bµ½ªÁ
ÄA éf[^x[XÌÚö«ªÊÌf[^x[XÌÚª«ÉÈÁÄ¢é
êÉÍAÝèt@CÌæèãÌ٤ɻêéæ¤ÉµÈ¯êÎÈèÜ
¹ñB
updatedn <dn>
±ÌfBNeBuÍX[uÌ slapd ÉÌÝKpÅ«Ü·B±Ì
fBNeBuÍ¡»ÌÏXð· DN ðwèµÜ·B±êÉÍA¡»
ÌÏXð·éÆ«É slurpd(8) ªoCh·é DNA é¢Í SASL A
CfeBeBÆÖAµ½ DN ðwèµÜ·B
Ggx[XÌáF
updatedn "cn=Update Daemon,dc=example,dc=com"
SASL x[XÌáF
updatedn "uid=slurpd@EXAMPLE.COM"
updateref <URL>
±ÌfBNeBuÍX[uÌ slapd ÉÌÝKpÅ«Ü·B±êÍ
¡»ÌXVvðéNCAgÉß· URL ðwèµÜ·B±Ì
fBNeBuÍ¢ÂàwèÅ«Ae URL ªß³êÜ·B
½Æ¦ÎÌæ¤ÉwèµÜ·B
updateref ldap://master.example.net
3.5. LDBM obNGhÅLfBNeBu
±ÌJeSÌfBNeBuÍALDBM obNGhf[^x[XÉÌÝK
p³êÜ·B·Èí¿A"database ldbm" Æ ésÌãÅAÌ "database"
sª»êéOÉȯêÎÈèܹñB
cachesize <integer>
±ÌfBNeBuÍALDBM obNGhf[^x[XÌÀÌÉæÁ
ÄdzêéàLbV
ÌGgðwèµÜ·B
ftHgÌÝèÍÌƨèÅ·B
cachesize 1000
dbcachesize <integer>
±ÌfBNeBuÍAI[v³êÄ¢éõøt@C»ê¼êÆÖ
AïçêÄ¢éàLbV
ÌTCYðoCgÅwèµÜ
·BîÂÌf[^x[Xû®ÅT|[g³êȯêÎA±ÌfBN
eBuÍÙÁij³êÜ·B±Ìðâ·Ææè½Ìðg
¢Ü·ªAIÈ«\Ìü㪾çêÜ·BÁÉ XVÆõøÌì¬Å
«\Ìü㪰ŷB
ftHgÌÝèÍÌƨèÅ·B
dbcachesize 100000
dbnolocking
±ÌfBNeBuªwè³êéÆf[^x[XÌbNª³øÉÈè
Ü·B±ÌfBNeBuÍAf[^ÌZL
eBð]µÉµÄÅà
«\ðã°½¢êÉg¢Ü·B
dbnosync
±ÌfBNeBuÍAÏXÉηéàÌÏXðfBXNãÌà
eÆ·®ÉͯúðÆçÈ¢æ¤ÉµÜ·B±ÌfBNeBuÍAf
[^ÌZL
eBð]µÉµÄÅà«\ðã°½¢êÉg¢Ü·B
directory <directory>
±ÌfBNeBuÍAf[^x[XÆÖA·éõøðÜñ¾ LDBM
t@CSðufBNgðwèµÜ·B
ftHgÌÝèÍÌƨèÅ·B
directory /usr/local/var/openldap-ldbm
index {<attrlist> | default} [pres,eq,approx,sub,none]
±ÌfBNeBuÍA^¦½®«É¢ÄÇ·éõøðwèµÜ
·B <attrlist%gt; ¾¯ª^¦çê½êAftHgÌõøªÇ
³êÜ·B½Æ¦ÎÌæ¤ÉwèµÜ·B
index default pres,eq
index objectClass,uid
index cn,sn eq,sub,approx
PsÚÍAõøÌftHgZbgð¶ÝÆ¿«ðÇ·éæ¤ÉÝè
µÜ·BQsÚÍAobjectClass Æ uid ®«^É¢ÄftHgÌõ
ø(pres, eq)ðÇ·æ¤ÉÝèµÜ·BRsÚÍAcn Æ sn ®«^ÉÂ
¢Ä¿«Aª¶ñAßÌõøðÇ·éæ¤ÉÝèµÜ·B
mode <integer>
±ÌfBNeBuÍAV½É쬳êéf[^x[Xõøt@CÌ
Ât@CÛì[hðwèµÜ·B
ftHgÌÝèÍÌƨèÅ·B
mode 0600
3.6. ¼ÌobNGhf[^x[X
slapd ÍAftHgÌ LDBM ̼Éà¢ÂàÌobNGhf[^x[X
íÊðT|[gµÄ¢Ü·B
o ldbm: Berkeley Ü½Í GNU DBM Ý·ÌobNGh
o passwd: /etc/passwd ÖÌÇæèêpÌANZXðñ
o shell: VF(OvO)obNGh
o sql: SQL vOªÂ\ÈobNGh
ÚµÍ {{slapd.conf}}(5) manpage ðQƵľ³¢B
3.7. ANZX§äÌá
``O[ofBNeBu''Ìà¾É éANZX§ä@\ÍÀÉÍÅ
·B±ÌßÅÍAANZX§äÌpáð¢Â©¦µÜ·BܸÍAÈPÈ
á©çB
access to * by * read
±Ì access fBNeBuÍA çäélÉÇæè(read)ANZX ð^¦
Ü·B±ê¾¯ðwèµ½êÉÍAÌ defaultaccess sƯ¶±ÆÉÈ
èÜ·B
defaultaccess read
ÌáÍADN ÅGgðIð·éÌɳK\»ðpµÄ¢éƱëð¦
µÄ¢Ü·B±ÌñÂÌANZX é¾ÌÔÍdvÅ·B
access to dn=".*, o=U of M, c=US"
by * search
access to dn=".*, c=US"
by * read
±ÌáÅÍAÇæè(read)ANZX ª c=US Tuc[zºÌGgÉ^
¦çêÜ·ªA"o=U of M, c=US" Tuc[zºÉÀÁÄÍõ(search) A
NZX µ©^¦çêܹñB±ÌANZX wèÌðtÉ·éÆA·×
ÄÌ "U of M" GgÍ "c=US" GgÅà éÌÅA "U of M" ÌûÌ
wèªSKp³êÈÈÁĵܢܷB
ÌáàÌdv«ð¦µÄ¢Ü·ªA¡xÍANZX wèÌ¼É "by"
ßÌÉ¢Ä঵ĢܷBܽ±ÌáÅÍAÁèÌ®«ÖÌANZX
ð^¦é®«ZN^ÆA³Ü´ÜÈ <who> ZN^Ìp@É¢Äà
¦µÄ¢Ü·B
access to dn=".*, o=U of M, c=US" attr=homePhone
by self write
by dn=".*, o=U of M, c=US" search
by domain=.*\.umich\.edu read
by * compare
access to dn=".*, o=U of M, c=US"
by self write
by dn=".*, o=U of M, c=US" search
by * none
±ÌáÍA"o=U of M, c=US" Tuc[ÌGgÉKp³êÜ·B®«
homePhone ð·×ÄÌ®«ÉεAYGg©ÌÉÍÝ
(write)ð^¦A¼Ì "U of M" zºÌGgÉÍõ (search)ð^
¦A»Ì¼ÌGgÉÍANZX ð^¦Ü¹ñB®« homePhone Éε
ÄÍAYGg©ÌÉÍÝ (write)ð^¦A¼Ì "U of M" Gg
ÉÍõ (search)ð^¦Aumich.edu hCàÌDZ©ç©Ú±·éN
CAgÉÍÇæè ð^¦A»Ì¼ÌGgÉÍär (compare)ð^
¦Ü·B
ÁèÌ DN É®«ÌÇÁÆð·±ÆªLpȱƪ èÜ·B½Æ¦
ÎA éO[vð쬵AlXÉ member ®«ÖÌÇÁÆ𩪩gÌ
DN ÉÀÁÄÅ«éæ¤Éµ½¢êAÌæ¤ÈANZX é¾ÅÀ»Å«
Ü·B
access to attr=member,entry
by dnattr=member selfwrite
ZN^ dnattr <who> ÍAANZX ª member ®«ÉXg³êÄ¢éG
gÉKp³êé±ÆðwèµÜ·BANZX ZN^ selfwrite ÍA
»Ìæ¤È member Bª©ª©gÌ DN ¾¯ð®«©çÇÁ/íÅ«é±Æ
ðwèµÜ·BܽAentry ®«ðÇÁµÄ¨±ÆªKvÅ·BȺÈçA
GgÌÇÌ®«ÉANZX·éɹæAGgÖÌANZX ªKvÉ
Èé©çÅ·B
[ó] "entry" ÍGgàÉÀݵȢÁêÈ®«ÅA®«ÖÌANZX
wèÅGgÖÌANZX ðwè·é½ßÉg¤àÌÅ·B
<what> ßÌÌ attr=member \¬vfÍAß "dn=* attr=member" ÌȪ`
Å é±ÆÉڵľ³¢(·Èí¿A·×ÄÌGgÌ member ®«
ÉêvµÜ·)B
LFLDAP ÌANZX§äÉ¢ÄàÁÆm软êÎ OpenLDAP
Administrator's Guide (http://www.openldap.org) ð²×ľ³¢B
3.8. Ýèt@CÌá
ȺÍÝèt@CÌáÅ·BáÌXÉÍà¾ðÂ¯Ä èÜ·B±êÍñ
ÂÌf[^x[Xðè`µÄ¢ÄA»ê¼ê X.500 c[ÌÊX̪ð
µÜ·B¼ûÆàf[^x[XÉÍ LDBM ðgÁĢܷBà¾ÌsãA
áÉÍsÔð¯ĢܷªAÀÛÌt@CÉÍsÔð¯ܹñBÜ
¸ÍO[oÝèZNV©çྵܷB
1. # example config file - global configuration section
2. include /usr/local/etc/schema/core.schema
3. referral ldap://root.openldap.org
4. access to * by * read
s 1 ÍRgÅ·Bs 2 Í core XL[}è`ðÜñ¾ÊÌÝèt@C
ðæèÝÜ·Bs 3 Ì referral fBNeBuÍAãÉè`·éf[^
x[XÌÇê©É[JÅÈ¢â¹É¢ÄAzXg root.openldap.org
Å®ìµÄ¢éW|[g(389)Ì LDAP T[oðQÆ·é±ÆðÓ¡µÜ
·B
s 4 ÍO[oÈANZX§äÅ·B±êÍAf[^x[XÌANZX§
äÉêv·éà̪ȢêA é¢ÍAANZXÌÎÛÆÈéIuWFNg
ª (Root DSE Ìæ¤É)ÇÌf[^x[X̧äºÉàÈ¢êÉÌÝgíê
Ü·B
Ýèt@CÌáÌ̪ÍAc[Ì "dc=example,dc=com" zºÉ é
àÌÉ¢ÄÌâ¹ð·é LDBM obNGhðè`µÜ·B±Ìf[
^x[XÍñÂÌX[u slapd É¡»³êÜ·BX[uÌêÂÍ
truelies ÅAà¤êÂÍ judgmentday Å·B¢Â©Ì®«É¢Äõøª
dzêAuserPassword ®«ÍFسêĢȢàÌ©çÌANZX©çÛ
ì³êÜ·B
5. # ldbm definition for the example.com
6. database ldbm
7. suffix "dc=example, dc=com"
8. directory /usr/local/var/openldap
9. rootdn "cn=Manager, dc=example, dc=com"
10. rootpw secret
11. # replication directives
12. replogfile /usr/local/var/openldap/slapd.replog
13. replica host=slave1.example.com:389
14. binddn="cn=Replicator, dc=example, dc=com"
15. bindmethod=simple credentials=secret
16. replica host=slave2.example.com
17. binddn="cn=Replicator, dc=example, dc=com"
18. bindmethod=simple credentials=secret
19. # indexed attribute definitions
20. index uid pres,eq
21. index cn,sn,uid pres,eq,approx,sub
22. index objectClass eq
23. # ldbm access control definitions
24. access to attr=userPassword
25. by self write
26. by anonymous auth
27. by dn="cn=Admin,dc=example,dc=com" write
28. by * none
29. access to *
30. by self write
31. by dn="cn=Admin,dc=example,dc=com" write
32. by * read
s 5 ÍRgÅ·Bf[^x[Xè`ÌnÜèÍAs 6 Ì database L[
[hŦµÜ·Bs 7 ÍA±Ìf[^x[XÉn·â¹Ì½ßÌ DN Ú
ö«ðwèµÜ·Bs 8 ÍAf[^x[Xt@CðufBNgðw
èµÜ·B
s 9 Æ 10 ÍA±Ìf[^x[XÌuX[p[UvGgÆ»ÌpX
[hðwèµÜ·B±ÌGgÍANZX§ä é¢ÍTCY/Ô§ÀÉ
]¢Ü¹ñB
s 11 ©ç 18 Í¡»ÌÝèÅ·Bs 11 Í¡»Ot@CðwèµÜ
·(f[^x[XÌÏXªL^³êÜ· - ±Ìt@CÉÍ slapd ª«
ÝAslurpd ªÇÝoµÜ·)Bs 12 ©ç 14 Í¡»ªìçêézXgAXV
ðs¤Æ«ÌoCh̽ßÌ DNAoChû@(ÈÕFØ)Abinddn ̽ß
Ìؾ(pX[h)ðwèµÜ·Bs 15 ©ç 18 ÍAæQÌ¡»TCgð
wèµÜ·B
s 20 ©ç 22 ÍA³Ü´ÜÈ®«Ì½ßÉÇ·éõøðwèµÜ·B
s 24 ©ç 32 ÍAf[^x[XàÌGg̽ßÌANZX§äðwèµ
Ü·B·×ÄÌGgÌ {{EX:userPassword}} ®«ÍA»ÌGg©g
¨æÑ "admin" Gg©çXVÂ\Å·B±Ì®«ÍFØÌÚIÉÍg¦
Ü·ªÇÝæêܹñB»Ì¼·×ÄÌ®«ÍA»ÌGg©g¨æÑ
"admin" Gg©çXVÂ\ÅAFسê½[U©çÇÝæêÜ·B
Ýèt@CÌáÌ̪ÍAÊÌ LDBM f[^x[Xðè`µÜ·B±Ì
LDBM f[^x[XÍ dc=example,dc=net Tuc[ÉÖ·éâ¹ðµ
Ü·Bs 38 ªÈ¢ÆAs 4 ÌO[oANZXK¥ÉæèÇÝæèAN
ZXªÂ³êé±ÆÉӵľ³¢B
33. # ldbm definition for example.net
34. database ldbm
35. suffix "dc=example, dc=net"
36. directory /usr/local/var/ldbm-example-net
37. rootdn "cn=Manager, dc=example, dc=com"
38. access to * by users read
4. LDAP T[oÌÀs
[ó] ±ÌÍÌà¾Íî{IÉ OpenLDAP 2.0.x ÉîâĢܷB
slapd ÍX^hA[T[oƵĮì·éæ¤ÉÝv³êĢܷB±
êÉæèT[oÍALbVOAîÕf[^x[Xɨ¯éÀsâèÌ
ÇAVXe\[XÌÛÆ¢Á½_ª¾çêÜ·Binetd(8) ©çÀ
s·éIvVÍÈÈèܵ½B
4.1. R}hCIvV
slapd ÍA}j
Ay[WÉÚà³êÄ¢éæ¤É½ÌR}hCI
vVðT|[gµÄ¢Ü·B±ÌßÅÍægíêéÌIvVÉ
¢ÄÚàµÜ·B
-f <filename>
±ÌIvVÍAslapd ÌÝèt@C𾦵ܷBftHgÍ
Ê /usr/local/etc/openldap/slapd.conf Å·B
-h <URLs>
±ÌIvVÍãÖÌXiÝèðwèµÜ·BftHgÍ
ldap:/// Å·B±êÍftHgÌ LDAP |[g 389 Å·×ÄÌC
^tF[X𵤠TCPãÌ LDAP ðÓ¡µÜ·B±ÌIvVÉÍA
ÁèÌ|Xg/|[gÌyAàµÍ¼ÌvgRXL[(ldaps://
â ldapi:// ÈÇ)ðwèÅ«Ü·B½Æ¦Î -h "ldaps://
ldap://127.0.0.1:667" ÍAñÂÌXið쬵ܷBêÂÍftH
gÌ LDAP/SSL |[g 636 Å·×ÄÌC^tF[X𵤠SSL ã
Ì LDAP Å·Bà¤êÂÍ|[g 667 Å localhost (loopback)ÌC
^BF[X𵤠TCPãÌ LDAP Å·BzXgÍAIPv4 ÌlÆhb
gðgÁ½`®ÅàzXg¼ÅÅàwèÅ«Ü·B
-n <service-name>
±ÌIvVÍAOÌæÈÇÅgíêéT[rX¼ðwèµÜ·B
ftHgÌT[rX¼Í slapd Å·B
-l <syslog-local-user>
±ÌIvVÍ syslog(8) @\Ì[J[UðwèµÜ·Bl
Í LOCAL0, LOCAL1, LOCAL2, ©ç LOCAL7 ÜÅwèÅ«Ü·BftH
gÍ LOCAL4 Å·B±ÌIvVÍVXeÉæÁÄT|[g³ê
ĢȢ±Æª èÜ·B
-u user -g group
±êçÌIvVÍA»ê¼ê slapd ðÀs·é½ßÌ[UÆO
[vðwèµÜ·Buser ÉÍ[U¼© uid ðwèµÜ·Bgroup
ÉÍO[v¼© gid ðwèµÜ·B
-r directory
±ÌIvVÍÀsfBNgðwèµÜ·B slapd ÍXi
ðI[vµ½ãAÝèt@CÌÇÝâobNGhÌú»ð·
éOÉA±ÌfBNgÉ chroot(2) µÜ·B
-d <level> | ?
±ÌIvVÍ slapd ÌfobOxð <level> ÉÝèµÜ·B
xª `?' ¶ÌêA³Ü´ÜÈfobOxð\¦µA¼Ì
IvVwèð³µÄ slapd ÍI¹µÜ·B»ÝT|[g³êÄ
¢éfobOxÉÍÌà̪ èÜ·B
-1 ·×ÄÌfobOxðLøÉ·é
0 fobOµÈ¢
1 ÖÄoµÌg[X
2 pPbgÌfobO
4 Ú×ÈfobOg[X
8 Ú±Ç
16 pPbgóMÌó
32 õtB^
64 Ýèt@C
128 ANZX§äXg
256 Ú±/ì/ÊÌvO
512 GgMÌvO
1024 shell obNGhÆÌÊMÌó
2048 GgðÍÌfobOó
¡ÌfobOxðLøÉ·é±ÆàÅ«Ü·Bv·éx»ê
¼êÉ¢ÄfobOIvVðwèµÄàæ¢Å·µAfobOx
ðÁZµÄwèµÄà©Ü¢Ü¹ñBÂÜèAÖÄoµÌg[XÆ
Ýèt@CÌÌÏ@ðs¢½¯êÎAxð»ÌñÂÌxÌ
vÉÝè·êÎæ¢ÌÅ·(±ÌêÍ -d 65)BܽA»Ìæ¤ÈÁZ
ð slapd ɳ¹é±ÆàÅ«Ü·(½Æ¦Î -d 1 -d 64)BæèÚµÍ
<ldap.h%gt; t@CðQƵľ³¢B
LFvOðoÍ·éñÂÌxÈOÌfobOîñðoÍÅ«é
æ¤É·éÉÍAslapd ð -DLDAP_DEBUG t«Å slapd ðRpCµÄ
¨©È¯êÎÈèܹñB
[ó] OpenLDAP 2.0.x ÅÍ -d ? w誳Èèܵ½B
4.2. LDAP T[oÌN®
êÊÉ slapd ÍÌæ¤ÉÀsµÜ·B
/usr/local/etc/libexec/slapd [<option>]*
±±Å /usr/local/etc/libexec ÍAconfigure XNvgÅè³ê½ê
ÅA<option> ÍOqµ½( é¢Í slapd(8) Éà¾Ì é)IvVÅ
·BfobOxðwèµÈ¯êÎ(xÉ 0 ðwèµ½êàÜß
Ä)Aslapd Í©®IÉ fork µA§ä[©ç©ªðØ裵ÄobNO
EhÅ®ìµÜ·B
4.3. LDAP T[oÌI¹
ÀSÉ slapd ðI¹³¹éÉÍAÌæ¤ÉR}hð^¦Ü·B
kill -TERM `cat $(ETCDIR)/slapd.pid`
[ó] OpenLDAP 2.0.x ÅÍ `-TERM' ÅÍÈ `-INT' ðwè·é±ÆÉ
ÈÁĢȷB
slapd ªI¹·éOÉͳܴÜÈobt@ðtbV
·éKvª é½
ßAæè§IÉI¹³¹éèiðg¤Æ LDBM f[^x[Xªs³ÉÈé°
êª èÜ·Bslapd ÍAslapd.conf t@CÉÝèµ½fBNgÌ
slapd.pid Æ¢¤t@C(½Æ¦Î /usr/local/var/slapd.pid) É pid ð
«ÝÜ·B
include/ldapconfig.h.edit Ì SLAPD_PIDFILE ðÏX·é±ÆÉæÁÄA
±Ì pid t@CÌÊuðÏXÅ«Ü·B
[ó] »ÝÌ OpenLDAP ÅÍ slapd.conf ÌO[oIvVÅ pid
t@CÌÊuðÝè·éæ¤ÉÏX³êĢܷB½Æ¦Î `pidfile
/usr/local/var/slapd.pid' ÆwèµÜ·B
ܽAslapd ÍAslapd.conf t@CÉÝèµ½fBNgÌ slapd.args
Æ¢¤t@C(½Æ¦Î /usr/local/var/slapd.args)É slapd Ìøð
«ÝÜ·B include/ldapconfig.h.edit Ì SLAPD_ARGSFILE ðÏX·é
±ÆÉæÁÄA±Ìøt@CÌÊuðÏXÅ«Ü·B
[ó] »ÝÌ OpenLDAP ÅÍ slapd.conf ÌO[oIvVÅø
t@CÌÊuðÝè·éæ¤ÉÏX³êĢܷB½Æ¦Î `argsfile
/usr/local/var/slapd.args' ÆwèµÜ·B
5. f[^x[Xì¬/Çc[
±ÌßÅÍAslapd f[^x[Xð 0 ©ç쬷éû@ÆAâ誶µ½
Æ«ÌguV
[eBOÉ¢ÄྵܷBf[^x[Xð쬷é
ÌÉÍñÂÌû@ª èÜ·B»ÌêÂÍ LDAP ðp¢ÄICÅf[^
x[Xð쬷éÆ¢¤àÌÅ·B±Ìû@ÅÍAPÉ slapd ðN®µA
KÈ LDAP NCAgðp¢ÄGgðÇÁµÜ·B±Ìû@ÍAär
I¬³Èf[^x[X(pɶÄS©ççöx)Ìì¬ÉKµÄ¢Ü·B
f[^x[Xð쬷éà¤êÂÌû@ÍAslapd pÉñ³êéÁêÈ[
eBeBðp¢ÄItCÅs¤Æ¢¤àÌÅ·B±Ìû@ÍALDAP ð
gÁÄ¢ÄÍϦçêÈ¢ÙÇÌ·¢Ôª©©Áĵܤæ¤È½çÈãà
ÌGgª éêAàµÍf[^x[XÌì¬Éf[^x[XÖÌA
NZXª³¢æ¤É·é±ÆðÛص½¢êÉÅKÈû@Å·B
5.1. ICÅf[^x[Xð쬷éû@
OpenLDAP \tgEFApbP[WÉÍ ldapadd Æ¢¤c[ªt®µÄ¢
ÄA±êÍ®ìµÄ¢é LDAP T[oÉεÄGgðÇÁ·é½ßÉp
µÜ·BICÅf[^x[Xð쬷éÂàèÈçAGgÌÇÁÉ
ldapadd c[ðg¦Ü·BÅÉGgðÇÁµ½ãÉA³çÉGg
ðÇÁ·éÌÉà ldapadd ðg¦Ü·Bslapd ðn®·éOÉ slapd.conf
t@CÉ éÌÝèIvVðÝèµÄ¨¢Ä¾³¢B
suffix <dn>
``LDAP T[oÌÝè''Åྵ½æ¤ÉA±ÌIvVÉÍA±Ìf[^
x[XÉi[³êéGgQª½Å é©ðLqµÜ·B±êÍ쬵æ¤
ƵĢéTuc[Ì[gÌ DN ÉÝèµÜ·B½Æ¦ÎÌæ¤ÉÝè
µÜ·B
suffix "o=TUDelft, c=NL"
õøt@Cð쬷éfBNgðÝèµÄ¾³¢B
directory <directory>
½Æ¦ÎÌæ¤ÉÝèµÜ·B
directory /usr/local/tudelft
GgðÇÁ·é ÀðÁ½[UÅ slapd Éڱūéæ¤ÉÝè·
éKvª èÜ·B±êÍf[^x[Xè`ÌñÂÌIvVðp¢Äs
¢Ü·B
rootdn <dn>
rootpw <passwd> /* ±±ÌpX[hÉ crypt ðg¤ÌðYêȢŠ!!! */
[ó] ÀÛÉÍ /* ` */ ÅRgðüêé±ÆÍūܹñB
±êçÌIvVÍAf[^x[XÌuX[p[UvGg(·Èí¿
½ÅàÅ«éGg)ƵÄFØ·éÌÉg¤ DN ÆpX[hðwèµÜ
·B±êÅwè·é DN ÆpX[hÍAÀÛɱ̼OÌGgª é
©A»µÄwèÌpX[hðÁÄ¢é©É©©íç¸íÉLøÅ·B±ê
ÍAܾ½àGgª³¢óÔÅÌFØÆGgÌÇÁðǤ·é©Æ¢
¤u{ÆvâèððµÜ·B
ÅãÉAf[^x[Xè`É]Þõøè`ðÜßÜ·B
index {<attrlist> | default } [pres,eq,approx,sub,none]
½Æ¦ÎAcn, sn, uid, objectclass ®«Éõøð¯éÉÍAÌæ¤È
index Ýèsðg¢Ü·B
index cn,sn,uid
index objectclass pres,eq
index default none
±±ÜÅÝèµ½ç slapd ðN®µÄA È½Ì LDAP NCAgÅÚ±
µÄAGgÌÇÁðJnµÄ¾³¢B½Æ¦ÎATUDelft GgÆ»
êÉ®·é Postmaster Ggð ldapadd c[ðp¢ÄÇÁ·éÉÍA
»ÌàeðLqµ½ /tmp/newentry Æ¢¤t@Cð쬵ܷB
o=TUDelft, c=NL
objectClass=organization
o=TUDelft
description=Technical University of Delft Netherlands
cn=Postmaster, o=TUDelft, c=NL
objectClass=organizationalRole
cn=Postmaster
description= TUDelft postmaster - postmaster@tudelft.nl
ÀÛÉGgð쬷éÉÍÌæ¤ÈR}hðg¢Ü·B
ldapadd -f /tmp/newentry -D "cn=Manager, o=TUDelft, c=NL" -w secret
ãÌR}hpáÅÍArootdn ª "cn=Manager, o=TUDelft, c=NL"A
rootpw ª "secret" ÉÝè³êÄ¢éàÌƵܷBR}hCÉpX
[hð^Cvµ½È¯êÎAldapadd R}hÌIvV -w
"password" ÌãíèÉ -W IvVðgÁľ³¢B»¤·éÆAÌ
æ¤ÉpX[hÌüͪv³êéæ¤ÉÈèÜ·B
ldapadd -f /tmp/newentry -D "cn=Manager, o=TUDelft, c=NL" -W
Enter LDAP Password:
5.2. ItCÅf[^x[Xð쬷éû@
[ó] ±ÌßÌà¾Íî{IÉ OpenLDAP 2.0.x ÉîâĢܷB
f[^x[Xð쬷éæQÌû@ÍAãq·éõø¶¬c[ðp¢ÄIt
CÅs¤±ÆÅ·B½çÈãàÌGgði[·éKvª èAOqÌ
LDAP ðpµ½û@ðgÁ½ÌÅÍÔª©©è·¬éæ¤ÈêÉÍAI
tCŶ¬·é̪ÅKÅ·B±Ìc[ÍAslapd pÌÝèt@C
ÆAÇÁ·éGgÌeLXg\»ª©ê½üÍ LDIF t@CÆðÇÝ
ÝALDBM õøt@Cð¼Ú쬵ܷBܸÍAÝèt@CÌf[^
x[Xè`ÉÝèµÄ¨×«dvÈÝèIvVª¢Â© èÜ·B
suffix <dn>
Oqµ½æ¤ÉA±ÌIvVÍA±Ìf[^x[XÉi[³êéGg
Qª½Å é©ð¦µÄ¢Ü·B±êÍ쬵æ¤ÆµÄ¢éTuc[Ì
[gÌ DN ÉÝè·×«Å·B½Æ¦ÎÌæ¤ÉÝèµÜ·B
suffix "o=TUDelft, c=NL"
õøt@Cð쬷éfBNgðÝèµÄ¾³¢B
directory <directory>
½Æ¦ÎÌæ¤ÉÝèµÜ·B
directory /usr/local/tudelft
ÉAI[v³êÄ¢éeõøt@CÉæÁÄp³êéàLb
V
ÌTCYðâµÄ¨Ææ¢Åµå¤BõøÌì¬ÉÅÌ«\ðo
·½ßÉÍASÌÌõøªÉ[Üéæ¤ÉµÜ·B±Ìæ¤É·éÉÍ
f[^ªå«·¬éA é¢ÍªÈ·¬éêÅàALbV
TC
Yðū龯嫵ܵå¤BãÍy[WOVXeªìƵÄêÜ
·B±ÌTCYÍÌIvVÅÝèµÜ·B
dbcachesize <integer>
½Æ¦ÎÌæ¤ÉÝèµÜ·B
dbcachesize 50000000
±êÍ 50MB Æ¢¤©Èèå«ÈTCYÌLbV
ð쬵ܷ(~VK
åwÅÍAf[^x[Xªñ 125K GgAÅåÌõøt@Cªñ 45MB
Å·)B±ÌLbV
TCYÆÀsx(ãq)ðÀ±µÄÝÄAVXeªÅ
KÉ®ì·éæ¤ÉµÄ¾³¢Bõøt@Cð쬵½çAslapd ðÀs
·éOÉLbV
TCYð¬³ÈlÉߵĨÌðYêȢž³¢B
ÅãÉA쬷éõøðwè·éKvª èÜ·B±êÍAêÂÈãÌ index
IvVÉæÁÄsíêÜ·B
index {<attrlist> | default} [pres,eq,approx,sub,none]
½Æ¦ÎÌæ¤ÉÝèµÜ·B
index cn,sn,uid pres,eq,approx
<p>
index default none
±êÍA®« cn, sn, and uid É¢ĶÝA¿«AßÌõøðì¬
µA¼Ì®«É¢ÄÍõøð쬵ܹñB±ÌIvVÉ¢ÄÚµ
Í ``LDAP T[oÌÝè''ÌÝèt@CðQƵľ³¢B
±±ÜÅÝèµ½çAslapadd(8) vOðÀsµÄåf[^x[XÆÖ
A·éõøð쬵ܷB
slapadd -l <inputfile> -f <slapdconfigfile>
[-d <debuglevel>] [-n <integer>|-b <suffix>]
øÌÓ¡ÍÌƨèÅ·B
-l <inputfile>
ÇÁ·éGgðeLXg`®ÅLqµ½ LDIF üÍt@Cðwè
µÜ· (LDIF É¢ÄÍßðQÆ)B
-f <slapdconfigfile>
õøð쬷éêA쬷éõøÈÇðmç¹é slapd Ýèt@C
ðwèµÜ·B
-d <debuglevel>
<debuglevel> Åwèµ½fobO[hɵܷBwè·éfobO
xÍ slapd Ư¶Å·BuLDAP T[oÌÀsvÌÍÌu``R}
hCIvV''vðQƵľ³¢BÇÌf[^x[XðXV
·é©ðwè·éIvVøBÝèt@CÉè`³êÄ¢éÅ
Ìf[^x[XÍ 1AQÔÚÌf[^x[XÍ 2 Æ¢¤æ¤Éwè
µÜ·BftHgÅÍAÝèt@CÉè`³êÄ¢éÅÌ ldbm
f[^x[XªgíêÜ·BIvV -b ƹ¹ÄwèµÄÍÈèÜ
¹ñB
-b <suffix>
ÇÌf[^x[XðXV·é©ðwè·éIvVøB^¦éT
tBbNXÍAf[^x[XÔðè·é½ßÉAf[^x[XÌ
suffix fBNeBuÆƳêÜ·BIvV -n ƹ¹Äwè
µÄÍÈèܹñB
ÉÍõøÌÄ쬪KvÉÈé±Æà èÜ·(slapd.conf(5) ðÏXµ½
ãÈÇ)B±Ìæ¤È±ÆÍAslapindex(8) vOðgÁÄÅ«Ü
·Bslapindex ÍÌ®ÅN®µÜ·B
slapindex -f <slapdconfigfile> [-d <debuglevel>]
[-n <databasenumber>|-b <suffix>]
IvV -f, -d, -n, -b ÌÓ¡Í slapadd(1) vOƯ¶Å·B
slapindex ÍA»ÝÌf[^x[XÌàeðîÉ·×ÄÌõøðÄ쬵Ü
·B
f[^x[Xð LDIF t@CÉ_v·éÌÉg¤ slapcat Æ¢¤vO
ªpÓ³êĢܷB±êÍAf[^x[XÌÂÇ«Ì éobNAbv
ðÆ轢ƫAf[^x[XðItCÅÒWµ½¢Æ«ÈÇÉLpÅ
·B±ÌvOÍÌ®ÅN®µÜ·B
slapcat -l <filename> -f <slapdconfigfile>
[-d <debuglevel>] [-n <databasenumber>|-b <suffix>]
IvV -n Ü½Í -b ÍA{{EX:-f}} Åwè·é slapd.conf(5) ÉÝè
³êÄ¢éf[^x[XðIÔÌÉg¢Ü·B·é LDIF oÍÍAWo
Í© -l IvVÅwè·ét@CÉ«o³êÜ·B
5.3. LDIF tH[}bgÉ¢ijçÉ
[ó] ±ÌßÌà¾Íî{IÉ OpenLDAP 2.0.x ÉîâĢܷB
LDAP f[^ð·tH[}bg(LDIF - LDAP Data Interchange Format)ÍA
LDAP GgðÈPÈeLXgtH[}bgÅ\»·é½ßÉp³êÜ
·BGgÌî{IÈ`®ÍÌæ¤ÈàÌÅ·B
# Rg
dn: <¯Ê¼>
<®«Lqq>: <®«l>
<®«Lqq>: <®«l>
...
¶ '#' ÅnÜésÍRgÅ·B®«LqqÍA cn, objectClass,
1.2.3 (®«^Ì OID)Ìæ¤ÈPÈ鮫^Å èA cn;lang_en_US,
userCertificate;binary Ìæ¤ÉIvVàt¯çêÜ·B
sðPêÌXy[XܽÍ^u¶ÅJn·éÆOÌsÉp±Å«Ü·B½Æ
¦ÎÌæ¤ÉÅ«Ü·B
dn: cn=Barbara J Jensen, dc=example, dc=
com
cn: Barbara J
Jensen
±êÍÌàÌƯŷB
dn: cn=Barbara J Jensen, dc=example, dc=com
cn: Barbara J Jensen
®«lª¡ éêÍsðª¯ÄwèµÜ·B½Æ¦ÎÌæ¤ÉÈèÜ
·B
cn: Barbara J Jensen
cn: Babs Jensen
<®«l> ÉóÅ«È¢¶ªÜÜêÄ¢½èAXy[XAR(':')A¬
ÈèL('{{EX:<}}')ÅnÜéêÉÍA<®«Lqq> ɱ¯ÄRðñ
Âu«Abase64 \LÅGR[hµ½lð«Ü·B½Æ¦ÎAlª "
begins with a space" Å éÆ«ÍÌæ¤ÉÈèÜ·B
cn:: IGJlZ2lucyB3aXRoIGEgc3BhY2U=
®«lðÛµ½ URL ðwè·é±ÆàÅ«Ü·Bɦ·áÍAjpegPhoto
Ìlðt@C /path/to/file.jpeg ©ç¾é±ÆðwèµÜ·B
cn:< file:///path/to/file.jpeg
¯¶ LDIF Ì¡ÌGgÍósŪ£µÜ·Bɦ·ÌÍAOÂÌG
gðÜñ¾ LDIF t@CÌáÅ·B
# Barbara's Entry
dn: cn=Barbara J Jensen,dc=example,dc=com
cn: Barbara J Jensen
cn: Babs Jensen
objectClass: person
sn: Jensen
# Bjorn's Entry
dn: cn=Bjorn J Jensen,dc=example,dc=com
cn: Bjorn J Jensen
cn: Bjorn Jensen
objectClass: person
sn: Jensen
# Base64 encoded JPEG photo
jpegPhoto:: /9j/4AAQSkZJRgABAAAAAQABAAD/2wBDABALD
A4MChAODQ4SERATGCgaGBYWGDEjJR0oOjM9PDkzODdASFxOQ
ERXRTc4UG1RV19iZ2hnPk1xeXBkeFxlZ2P/2wBDARESEhgVG
# Jennifer's Entry
dn: cn=Jennifer J Jensen,dc=example,dc=com
cn: Jennifer J Jensen
cn: Jennifer Jensen
objectClass: person
sn: Jensen
# JPEG photo from file
jpegPhoto:< file:///path/to/file.jpeg
±±ÅABjorn ÌGgÌ jpegPhoto ª base 64 GR[h
ÅAJennifer ÌGgÌ jpegPhoto ª URL ÉæÁĦ³ê½ê©ç
æ¾³êé±ÆÉڵľ³¢B
LDIF t@Cɨ¢ÄAlÌãɱXy[XªØÌÄçêé±ÆÍ èÜ
¹ñBܽAlÌÌXy[Xªkßçêé±Æà èܹñBf[^ÉX
y[Xðu«½È¢êÍALDIF ÉàXy[Xðu¢ÄÍÈèܹñB
5.4. ldapsearch, ldapdelete, ldapmodify [eBeB
[ó] ±ÌßÌà¾Íî{IÉ OpenLDAP 1.2.x ÉîâĢܷB
OpenLDAP 2.0.x ÅÍIvVª¢Â©ÇÁ/ÏX³êĢܷB
ldapsearch - ldapsearch ÍAldap_search(3) CuR[Éηé
R}hCC^tF[XÅ·B±Ì[eBeBÍALDAP f[^x
[XobNGhÌGgðõ·é½ßÉg¢Ü·B
ldapsearch ðN®·é®ÍÌƨèÅ·(eIvVÌÓ¡Í
ldapsearch Ì man y[Wð©Ä¾³¢)B
ldapsearch [-n] [-u] [-v] [-k] [-K] [-t] [-A] [-B] [-L] [-R] [-d debuglevel]
[-F sep] [-f file] [-D binddn] [-W] [-w bindpasswd] [-h ldaphost]
[-p ldapport] [-b searchbase] [-s base|one|sub]
[-a never|always|search|find] [-l timelimit] [-z sizelimit]
filter [attrs...]
ldapsearch Í LDAP T[oÖÉεÄRlNVð£èAoChµ½
ãAtB^ filter ðp¢ÄõµÜ·B±Ì filter ÍARFC 1558 Éè
`³êÄ¢é LDAP tB^̶ñ\»É]íËÎÈèܹñBldapsearch
ªPÂÈãÌGgð©Â¯éÆAattrs Éwèµ½®«ªæèo³êA»
ÌGgÆlªWoÍÉó³êÜ·Battrs ÌwèªÈ¯êÎAS®«
ªÔ³êÜ·B
É ldapsearch Ìpáð¢Â©¦µÜ·B
ldapsearch -b 'o=TUDelft,c=NL' 'objectclass=*'
ldapsearch -b 'o=TUDelft,c=NL' 'cn=Rene van Leuken'
ldasearch -u -b 'o=TUDelft,c=NL' 'cn=Luiz Malere' sn mail
IvV -b Íõx[X(æªÌõ|Cg)ðwèµA-u IvV
Í[Uth`®ðoÍÉÜßé±ÆðwèµÜ·B
ldapdelete - ldapdelete ÍAldap_delete(3) CuR[Éηé
R}hCC^tF[XÅ·B±Ì[eBeBÍALDAP f[^x
[XobNGhÌGgðí·é½ßÉg¢Ü·B
ldapdelete ðN®·é®ÍÌƨèÅ·(eIvVÌÓ¡Í
ldapdelete Ì man y[Wð©Ä¾³¢)B
ldapdelete [-n] [-v] [-k] [-K] [-c] [-d debuglevel] [-f file] [-D binddn]
[-W] [-w passwd] [-h ldaphost] [-p ldapport] [dn]...
ldapdelete Í LDAP T[oÉεÄRlNVð£èAoChµ½ãA
PÂÈãÌGgðíµÜ·BPÂÈãÌ dn øª^¦çêÄ¢êÎA
»Ì¯Ê¼ðÂGgªí³êÜ·BÂXÌ dn ÍARFC 1779 Éè`
³êÄ¢é¶ñ\»Ì DN ÅȯêÎÈèܹñBø dn ª^¦çêÄ¢
ȯêÎAWüÍ( é¢Í -f tOÅwèµ½t@C file)©ç DN
ÌXgðÇÝÝÜ·B
É ldapdelete Ìpáð¢Â©¦µÜ·B
ldapdelete 'cn=Luiz Malere,o=TUDelft,c=NL'
ldapdelete -v 'cn=Rene van Leuken,o=TUDelft,c=NL' -D 'cn=Luiz Malere,o=TUDelft,c=NL' -W
IvV -v Íç·[hÉ·é±ÆðwèµA-D IvVÍoCh
·é dn (FØÌÎÛÆÈé dn)ðwèµA-W IvVÍpX[hÌüÍ
ðv·é±ÆðwèµÜ·B
ldapmodify - ldapmodify ÍAldap_modify(3) Æ ldap_add(3) ÌCu
R[ÉηéR}hCC^tF[XÅ·B±Ì[eBeB
ÍA LDAP f[^x[XobNGhÌGgðXV·é½ßÉg¢Ü
·B
ldapmodify ðN®·é®ÍÌƨèÅ·(eIvVÌÓ¡Í
ldapmodify Ì man y[Wð©Ä¾³¢)B
ldapmodify [-a] [-b] [-c] [-r] [-n] [-v] [-k] [-d debuglevel] [-D binddn]
[-W] [-w passwd] [-h ldaphost] [-p ldapport] [-f file]
ldapadd [-b] [-c] [-r] [-n] [-v] [-k] [-K] [-d debuglevel] [-D binddn]
[-w passwd] [-h ldaphost] [-p ldapport] [-f file]
ldapadd ÍAldapmodify c[ÖÌn[hNÉÈÁĢܷBldapadd
ƵÄN®³êéÆAtO -a (Vµ¢GgÌÇÁ)ªÃÙÉwè³ê½
àÌÆÝȵܷBldapmodify Í LDAP T[oÖÉεÄRlNVð£
èAoChµ½ãAGgðXV/ÇÁµÜ·BGgîñÍWüÍ
é¢Í -f IvVÅwèµ½t@C file ©çÇÝÜêÜ·B
É ldapmodify Ìpáð¢Â©¦µÜ·B
t@C /tmp/entrymods ª èA»ÌàeÍÌæ¤ÉÈÁÄ¢éƵÜ
·B
dn: cn=Modify Me, o=University of Michigan, c=US
changetype: modify
replace: mail
mail: modme@terminator.rs.itd.umich.edu
-
add: title
title: Grand Poobah
-
add: jpegPhoto
jpegPhoto: /tmp/modme.jpeg
-
delete: description
-
ÌR}hðÀsµÜ·B
ldapmodify -b -r -f /tmp/entrymods
±êÉæèAGg "Modify Me" Ì mail ®«Ìàeðl
"modme@terminator.rs.itd.umich.edu" Åu·µA "Grand Poobah" Ì title
ðÇÁµÄAt@C "/tmp/modme.jpeg" Ìàeð jpegPhoto ƵÄÇÁµ
ÄAdescription ®«ð®SɵܷB
Ìâ ldapmodify üÍtH[}bgðp¢ÄàAãƯ¶XVªs¦Ü
·B
cn=Modify Me, o=University of Michigan, c=US
mail=modme@terminator.rs.itd.umich.edu
+title=Grand Poobah
+jpegPhoto=/tmp/modme.jpeg
-description
±Ìêà¯lÉ ldapmodify ðN®µÜ·B
ldapmodify -b -r -f /tmp/entrymods
t@C /tmp/newentry ª èA»ÌàeÍÌæ¤ÉÈÁÄ¢éƵÜ
·B
dn: cn=Barbara Jensen, o=University of Michigan, c=US
objectClass: person
cn: Barbara Jensen
cn: Babs Jensen
sn: Jensen
title: the world's most famous manager
mail: bjensen@terminator.rs.itd.umich.edu
uid: bjensen
ÌR}hðÀsµÜ·B
ldapadd -f /tmp/entrymods
t@C /tmp/newentry ª èA»ÌàeÍÌæ¤ÉÈÁÄ¢éƵÜ
·B
dn: cn=Barbara Jensen, o=University of Michigan, c=US
changetype: delete
ÌR}hðÀsµÜ·B
ldapmodify -f /tmp/entrymods
±êÍABabs Jensen ÌGgðµÜ·B
IvV -f Í(WüÍÌãíèÉXVîñðÇÝÞ) t@Cðwè
µA-b IvVÍoCiðwèµ (üÍt@CÅ '/' ÅnÜélÍ
oCiÅ éÆðß³êé)A-r ÍXV(ftHgÅù¶ÌlðXV)ðw
èµÜ·B
6. ÇÁîñÆâ«
±ÌßÉÍAfBNgÖÌâ¹Ég¦é Netscape ÌAhX
(Address Book)É¢ÄÌîñª èÜ·BܽAo[W 4.5 ÈãÌ
Netscape Navigator Æ LDAP T[oðgÁÄ[~OANZXðÀ»·é
û@É¢ÄڵྵܷBOpenLDAP Ì[OXgÅÍA[~
OANZXÉ¢ĽÌc_ª èܵ½B»êͱÌ@\ª¤ÜÀ»
Å«È¢½ßÅ·BåªÌlXÍ Netscape Navigator ª_E[hÆ
Abv[h·éÌÉ LDAP T[oðg¤ÌðDÝܹñBµ½ªÁÄA±ê
ðÇñÅ[~OANZXªv¤æ¤É®ìµÈ¢Æ¢¤±Æªí©ÁÄà
CɵȢž³¢B½ÌlXªùɱÌóµðo±µÄ¢éÌÅ·B±
±Å±Ì@\ðÐî·éÚIÍALDAP vgRÌÂ\«É¢ÄÌACf
AðlXÉæè½^¦é½ßÅ·BÅãÉÍA slapd vZXðÀSÉ
f·éû@â slapd ÌOÉ¢ÄÌîñª èÜ·B
6.1. [~OANZX
[ó] ±ÌßÌà¾Íî{IÉ OpenLDAP 1.2.x ÉîâĢܷB
OpenLDAP 2.0.x ÅÍ®«âIuWFNgNXÌg£û@ÈǪÏXÉÈÁ
ĢܷB
[~OANZXÌÚIÍAlbgãÌDZɢÄà Netscape Navigator
Æ LDAP T[oðp¢ÄAubN}[NAÝèA[tB^ÈÇðæèo
¹éæ¤É·é±ÆÅ·B±êÍñíÉÖÈ@\Å·B ȽªÇ±Å Web
ÉANZXµæ¤ÆàA»±Åg¤uEUÉÍ È½©gÌÝèª éÌÅ
·BൠȽª·sÉo½æÅA ȽÌ[JubN}[NÉo^µÄ
éêÌTCgÉANZXµ½¢êàSz èܹñBubN}[NâÝ
èt@CÍ LDAP T[oÉAbv[h³êAãŠȽªÇ±É¢æ¤Æ
àubN}[NâÝèt@Cð·×Äæèo¹Ü·B
[ó] cOȪç Netscape 6 ÅÍ[~OANZX@\ª³Èèܵ
½B
[~OANZXðÀ»·éÉÍÌXebvÉ]¤Kvª èÜ·B
1. ®«Lqt@CðÏX·é
2. IuWFNgNXLqt@CðÏX·é
3. vt@Cði[·é½ßÌ LDIF t@Cð쬷é
4. [~OANZXT[oÆµÄ LDAP T[oðg¤æ¤É Netscape
Navigator ðÝè·é
5. Vµ¢ÝèÅ LDAP T[oðÄN®·é
6.1.1. ®«t@CÌÏX
slapd.at.conf (±êÍ slapd.conf ÉæèÜêét@CÅAÊí
/usr/local/etc/openldap É èÜ·)É^¦çêĢ鮫ÌêÉÌV
µ¢®«ðÇÁ·éKvª èÜ·B
attribute nsLIPtrURL ces
attribute nsLIPrefs ces
attribute nsLIProfileName cis
attribute nsLIData bin
attribute nsLIElementType cis
attribute nsLIServerType cis
attribute nsLIVersion cis
attribute nsServerPort cis
[ó] OpenLDAP 2.0.x ÌêA/usr/local/etc/openldap/schema/ ÉKÈ
t@CðpÓµÄÌè`ðÇÁµA»êð slapd.conf ÉæèÞæ¤É
µÜ·B
attributetype ( 2.16.840.1.113730.3.1.70
NAME 'serverRoot'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributetype ( 2.16.840.1.113730.3.1.76
NAME 'serverHostName'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 2.16.840.1.113730.3.1.280
NAME 'nsServerPort'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 2.16.840.1.113730.3.1.399
NAME 'nsLIPtrURL'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 2.16.840.1.113730.3.1.400
NAME 'nsLIPrefs'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 2.16.840.1.113730.3.1.401
NAME 'nsLIProfileName'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributetype ( 2.16.840.1.113730.3.1.402
NAME 'nsLIData'
EQUALITY bitStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
attributetype ( 2.16.840.1.113730.3.1.403
NAME 'nsLIElementType'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributetype ( 2.16.840.1.113730.3.1.404
NAME 'nsLIServerType'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributetype ( 2.16.840.1.113730.3.1.405
NAME 'nsLIVersion'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
6.1.2. IuWFNgNXt@CÌÏX
slapd.oc.conf (±êÍ slapd.conf ÉæèÜêét@CÅAÊ
/usr/local/etc/openldap É èÜ·)ÉÌVµ¢NXðÇÁ·éKvª
èÜ·B
objectclass nsLIPtr
requires
objectclass
allows
nsliptrurl,
owner
objectclass nsLIProfile
requires
objectclass,
nsliprofilename
allows
nsliprefs,
uid,
owner
objectclass nsLIProfileElement
requires
objectclass,
nslielementtype
allows
owner,
nslidata,
nsliversion
objectclass nsLIServer
requires
objectclass,
serverhostname
allows
description,
cn,
nsserverport,
nsliservertype,
serverroot
[ó] OpenLDAP 2.0.x ÌêA/usr/local/etc/openldap/schema/ ÉKÈ
t@CðpÓµÄÌè`ðÇÁµA»êð slapd.conf ÉæèÞæ¤É
µÜ·B
objectclass ( 2.16.840.1.113730.3.2.74
NAME 'nsLIPtr'
SUP top
MUST objectClass
MAY ( nsLIPtrURL $ owner ) )
objectclass ( 2.16.840.1.113730.3.2.75
NAME 'nsLIProfile'
SUP top
MUST ( objectClass $ nsLIProfileName )
MAY ( nsLIPrefs $ uid $ owner ) )
objectclass ( 2.16.840.1.113730.3.2.76
NAME 'nsLIProfileElement'
SUP top
MUST ( objectClass $ nsLIElementType )
MAY ( owner $ nsLIData $ nsLIVersion ) )
objectclass ( 2.16.840.1.113730.3.2.77
NAME 'nsLIServer'
SUP top
MUST ( objectClass $ serverHostName )
MAY ( cn $ description $ nsLIServerType $
nsServerPort $ serverRoot ) )
6.1.3. LDIF t@CÌì¬
[ó] ±ÌXebvÉüéOÉ slapd.conf ÌÝèðµÄ¨«Üµå¤BÜ
¸ OpenLDAP 1.2.x Ìê `lastmod on' ɵÄ^p®« modifyTimestamp
ª©®IÉdzêéæ¤ÉµÈ¯êÎÈèܹñB³çÉAÌANZX
ðÝèµÄ slapd ðÄN®µÄ¾³¢B
OpenLDAP 1.2.x ÌêF
access to dn=".*,ou=Roaming,o=myOrg,c=NL" by dnattr=owner write
access to attr=userpassword by * none by self write
OpenLDAP 2.0.x ÌêF
access to dn=".*,ou=Roaming,o=myOrg,c=NL"
by dnattr=owner write
access to attr=userpassword
by self write
by anonymous auth
by dn="cn=Manager,o=myOrg,c=NL" write
by * none
access to *
by self write
by anonymous auth
É LDIF t@Cð쬷éKvª èÜ·BNetscape Ì[~OA
NZX@\ðgÁÄݽ¢e[UpÉAvt@CGgðÇÁµÜ
·BȺÉAvt@CGgð LDIF t@CÌÈPÈáð¦µÜ
·B
dn: o=myOrg,c=NL
objectClass: top
objectClass: organization
o: myOrg
dn: ou=People,o=myOrg,c=NL
objectClass: top
objectClass: organizationalUnit
ou: People
dn: cn=seallers,ou=People,o=myOrg,c=NL
userPassword: myPassword
objectClass: top
objectClass: person
cn: seallers
sn: seallers
dn: ou=Roaming,o=myOrg,c=NL
objectClass: top
objectClass: organizationalUnit
ou: Roaming
dn: nsLIProfileName=seallers,ou=Roaming,o=myOrg,c=NL
objectClass: top
objectClass: nsLIProfile
nsLIProfileName: seallers
owner: cn=seallers,ou=People,o=myOrg,c=NL
[ó] à¿ëñALDIF t@Cð쬷龯ÅÍÈÄA±êðÀÛÉ
ldapadd ÈÇðgÁÄfBNgÉi[µÄ¾³¢B
6.1.4. Netscape Navigator ÌÝè
ÌXebvÍALDAP T[oÉεÄ[~OANZXªÂ\ÆÈéæ¤
É Netscape Navigator ðÝè·é±ÆÅ·B
o j
[uÒWv¨uÝèv¨u[~O [UvðIðµÜ·B
ܸA±Ìvt@CÅ[~OANZXðÂ\ɵȯêÎÈèܹ
ñBYÌ`FbN{bNXðNbNµÜ·B
o [U¼Ì{bNXÉKØÈlA½Æ¦Î seallers ðü͵ܷB
uÝèvEBhE̶¤É éu[~O [UvIvVÌîóð
v_EµÄA[~OANZXÌTuIvVð\¦µÜ·B
o uT[oîñvðNbNµÄuLDAP fBNg T[ovIvV
ðLøɵA{bNXÉÌæ¤Èîñðü͵ܷB
Address: ldap://myHost/nsLIProfileName=$USERID,ou=Roaming,o=myOrg,c=NL
User DN: cn=$USERID,ou=People,o=myOrg,c=NL
dvFNetscape ÍAuEUðÀs·éOÉA ȽªIðµ½vt@C
̼OÅ $USERID ð©®IÉu«·¦Ü·Bµ½ªÁÄA Ƚªv
t@C seallers ðIðµÄ¢êÎ $USERID Í seallers Éu«·íèA
vt@C gonzales ðIðµÄ¢êÎ $USERID Í gonzales Éu«·í
èÜ·Bvt@CÉ¢ÄæmçȯêÎA Netscape Comunicator
pbP[WÉ¢Äé Profile Manager AvP[VðN®µÄ¾
³¢B±êÍA¯¶}VãÅ¡[UªÀSÉuEUðµ¦éæ¤Ýv
³ê½AvP[VÅ èAÂXÌ[Uª©ª¾¯ÌuEUÝèðÛ
LÅ«Ü·B
[ó] óÒªmFµ½Æ±ëÅÍA$USERID Í [~O [UÌÝèÅ
ü͵½[U¼Åu«·íéæ¤Å·B
6.1.5. LDAP T[oÌÄN®
ÅIXebvÍAT[oÌÄN®Å·BLDAP T[oðÀSÉI¹³¹éû@
É¢ÄÍ ``LDAP T[oðI¹·éû@''AÄÑN®·éû@É¢Ä
Í``LDAP T[oÌÀs''ðQƵľ³¢B
[ó] óÒªmFµ½Æ±ëÅÍA±±ÅÄN®·éKvª éÌÍ LDAP
T[oÅÍÈÄ Netscape Å·B
6.2. Netscape ÌAhX
LDAP T[oªÀsµÄ¢êÎA¢ë¢ëÈNCAg(½Æ¦Î
ldapsearch R}hC[eBeB)Å LDAP T[oÉANZXÅ«Ü
·BñíÉ»¡[¢NCAgÉ Netscape ÌAhX ª èÜ·B±ê
Í Netscape Ìo[W 4.x ©çpÅ«éæ¤ÉÈÁĢܷªALDAP
T[oÆÀSÉâèÆè·é½ßÉÍ 4.5 ÈãÌàÌðg¤Kvª èÜ
·B
[ó] cOȪç Netscape 6 ÅÍ LDAP T[oÖÌANZX@\ª³È
èܵ½B
AhX ðg¦éæ¤É·éÉÍÌæ¤ÉµÄ¾³¢B
Netscape Navigator ÌN® -> Communicator j
[ÌIð -> AhX
(Address Book)
Netscape ÌAhX ÉÍAftHgÌ LDAP fBNgªùÉ¢Â
©o^³êĢܷB È½Ì LDAP fBNgào^·éKvª èÜ
·I
t@C(File)j
[ÌIð -> Vµ¢fBNg(New Directory)
ȽÌT[oÌîñðü͵ܷB½Æ¦ÎÌæ¤ÉÝèµÜ·B
o Description : TUDelft
o LDAP Server : dutedin.et.tudelft.nl
o Server Root : o=TUDelft, c=NL
ftHgÌ LDAP |[gÍ 389 Å èAT[o¤Å±ÌIvVðÏX
µÄ¢éÌÅÈ¢Àè|[gðÏXµÈ¢Å¾³¢B
±êÅA{bNX Show Names Containing ðgÁÄ È½ÌT[oÉÈPÈ
⹪ūܷµASearch {^Å¡GÈâ¹àÅ«éæ¤ÉÈÁÄ¢
Ü·B
6.3. LDAP Migration Tools
LDAP Migration Tools ÍAÝèt@C(configuration files)ð LDIF tH
[}bgÉÏ··é Perl XNvgWÅ·B±ÌXNvgWÍ PADL
Software Ltd ÉæÁÄñ³êÄ¢ÄAp·éOÉCZXðÉÚð
ƨµÄ¨±Æð©ßÜ·ªAÆÉ©t[Å·B[UÌFØÉ LDAP
T[oðpµæ¤ÆµÄ¢éÈçA±Ìc[ÍñíÉLpÅ·B
Migration Tools ÍANIS âpX[hÌA[JCuð LDIF ÉÏ·µA»ê
çÌt@CÆÝ·Ì éîñð LDAP T[oÅg¦éæ¤ÉµÜ·BܽA
[UAO[vAhosts, aliases, netgroups, networks, protocols, RPC
»µÄù¶Ìl[T[rX(NISAtbgt@CANetInfo)ÌT[rXð
LDIF tH[}bgÉÚs·éÌÉàA±Ì Perl XNvgWðKpµÄ
¾³¢BLDAP Migration Tools Ì_E[hƳçÈéîñðüè·éÉ
ÍAÌAhXÉsÁľ³¢B
http://www.padl.com/tools.html
±ÌpbP[WÉÍ README t@Cªt¢Ä¢ÄAXNvgt@C̼
OÍ@\ð\µÄ¢Ü·BÜ¸Í README t@CÉÚðƨµÄA»ÌãÉ
XNvgÌKpðJnµÄ¾³¢B
6.4. LDAP ðp¢½FØ
PAM (Pluggable Authentication Modules)Æ¢¤@\ðp¢ÄALDAP Í[
UðFØÅ«Ü·BUNIX ªoêµ½©ç[UÌFØÍA[UªpX
[hðü͵A»Ìüͳê½pX[hª /etc/passwd Éi[³êÄ¢
éû³ê½³®ÈpX[hÉY·é©ðVXeª¸·é±ÆÉæ
èsíêīܵ½B
±êÍú̱ÆÅ èA»ÌãA½Ì[UÌFتêÊIÉÈèܵ
½B»ÌÉÍ /etc/passwd ðæè¡Gɵ½àÌâAX}[gJ[hÆ¢
¤n[hEFAfoCXà èܵ½B±Ìæ¤ÈFØÌâèÍAVµ¢FØ
û®ªJ³êé½ÑÉA»ÌVµ¢FØû@ðT|[g·é½ßÉFتK
vÈvO(login, ftpd ÈÇ)Ì·×Ä𫷦ȯêÎÈçÈ¢±Æ
Å·B PAM ÍAFØû®©çƧµÄvOðJ·éèiðñµÜ
·B±Ìæ¤ÈvOÍAÀsÉFØðs¤½ßÉÚ±·éuFØ
W
[vðKvƵܷB
LDAP ̽ßÌFØW
[ÍÌAhX©ç tar ball Ì`®ÅüèÅ
«Ü·B
http://www.padl.com/pam_ldap.html
±±ÅÍAùÉ Linux fBXgr
[VÉ PAM ªpÓ³êÄ¢éàÌ
ƵܷBൠPAM ªpÓ³êĢȯêÎ
http://www.kernel.org/pub/linux/libs/pam ðQƵľ³¢BÀÛÌÆ
±ëA³Ü´ÜÈ Linux fBXgr
[VÅÌ PAM ÌWÝèÍ»ê
¼êáÁĢܷBÊAPAM ÌÝèt@CÍ /etc/pam.d/ fBNg
ɶݵܷB±ÌfBNgÉÍA}VÅÀs·éeT[rX²ÆÉê
ÂÌt@Cª èÜ·B½Æ¦ÎALinux Ìu[gAbvÌãÅ[UÌ
OCÉ LDAP T[oðg¢½¢ÈçA(±ÌiÌÅÉà¾µÄ é
æ¤É) È½Ì Linux Å PAM ðg¦éæ¤ÉµALDAP PAM W
[ðC
Xg[µA/etc/pam.d/ fBNgÉ é login Æ¢¤ PAM Ýèt@
CðÒWµÄÌæ¤ÈàeɵܷB
#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_ldap.so
auth required /lib/security/pam_unix_auth.so try_first_pass
account sufficient /lib/security/pam_ldap.so
account required /lib/security/pam_unix_acct.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_ldap.so
password required /lib/security/pam_pwdb.so use_first_pass
session required /lib/security/pam_unix_session.so
[ó] pam_ldap ÍFØðs¤¾¯ÈÌÅAuid, gid, z[fBNgÈ
ÇÌÇoµà LDAP ÅÅ«éæ¤É NSS (Name Service Switch)ÌW
[
nss_ldap ðCXg[µÄ¨Kvª éŵå¤Bnss_ldap à PADL
Software Ì Web TCg©çüèÅ«Ü·BܽAfBNgàÌGg
Ìì¬ÉÍAOqÌ LDAP Migration Tools ðg¤Ææ¢Åµå¤B
6.5. OtBJÈ LDAP c[
o Kldap
Kldap Í KDE ̽ßÉ©ê½OtBJÈ LDAP NCAgÅ
·BKldap Íæ¢C^tF[Xð¿AfBNgÉi[³ê½îñc
[ð·×ÄQÆÅ«Ü·BÌ Web TCgÅA±ÌAvP[VÌXN
[VbgÌ`FbNÆ_E[hªÅ«Ü·B
http://www.mountpoint.ch/oliver/kldap
o GQ
GQ Æ¢¤ÈÈC^tF[Xðõ¦½OtBJ LDAP NCAgà
èÜ·B±êÍ GNOME ̽ßÉ©ê½àÌÅ·BGQ Í KDE Åà®ìµ
Ü·µA Kldap à GNOME Å®©¹Ü·BÌ Web TCgÅA_E[h
â³çÈéîñðæ¾Å«Ü·B
http://biot.com/gq/
6.6. Logs
slapd ÍO𶬷éÌÉ syslog(8) @\ðp¢Ü·Bsyslog(8) @\Ì
ftHg[UÍ LOCAL4 Å·ªALOCAL0, LOCAL1 ©ç LOCAL7 ÜÅÌÇ
ê©É·é±ÆàÅ«Ü·B
Oð¶¬ðÅ«éæ¤É·éÉÍA½¢Ä¢Í /etc fBNgÉ é
syslog.conf t@CðÒWµÈ¯êÎÈèܹñB
Ìæ¤ÈsðÇÁµÜ·B
local4.* /usr/adm/ldalog
±ÌÝèÅÍ syslog @\ÉftHg[U LOCAL4 ðg¢Ü·B±ÌsÌ
\¶ðmçȯêÎAsyslog, syslog.conf, syslogd Ì man y[Wð©Ä
¾³¢BftHg[UðÏXµ½èA¶¬·éOÌxðwè·éÉ
ÍAslapd ðN®·éÆ«ÉÌIvVðwèµÜ·B
-s syslog-level
±ÌIvVÍAsyslog(8) @\ÉÇÌxÌfobOîñðoÍ·é©
ð slapd É`¦Ü·B±ÌxÍbZ[WÌdåxðq×Ä¢ÄA
É(¢Ù¤©çá¢Ù¤É) °éL[[hÌ¢¸ê©Å éFemerg,
alert, crit, err, warning, notice, info, debug. ½Æ¦ÎÌæ¤Éwè
µÜ·B
slapd -f myslapd.conf -s debug
[ó] ±Ìà¾Í½©Ì¨á¢Ìæ¤Å·BÀÛÉÍÇÌfobOîñðo
Í·é©ðlÅwèµÜ·Bwè·élÉ¢ÄÍ slapd.conf Ì
loglevel IvVðQƵľ³¢B
-l syslog-local-user
syslog(8) @\Ì[J[UðwèµÜ·BlÉÍ LOCAL0, LOCAL1 ÈÇ
LOCAL7 ÜÅwèÅ«Ü·BftHgÍ LOCAL4 Å·Bµ©µA±ÌIv
VÍ syslog(8) @\Å[J[UðT|[g·éVXeÅÌÝ
³êÜ·B
³ÄA¶¬³ê½Oð©ÄÝľ³¢B±ÌOÍAâ¹AXVAoC
hÈÇÅN«éâèðð·éÌÉå«È¯ÆÈèÜ·B
7. îñ¹
±ÌßÅÍALDAP É¢ijçÉmè½¢l̽ßÉALpÈ URLAN[
ÈÐARFCdlðÐîµÜ·B
7.1. URLs
ɦ·ÌÍ LDAP É¢ÄñíÉLpÈîñðÜñ¾ URL Å·B±Ì
HOWTO ͱêçÌ URL ©çìÁ½ÌÅA±Ì¶ðÇñ¾ãÅæèÚ×Èî
ñªKvÈçA±êçÌ URL ũ¯çêé©àµêܹñB
o ~VKåwÌ LDAP y[WF
http://www.umich.edu/~dirsvcs/ldap/index.html
o ~VKåwÌ LDAP ¶y[WF
http://www.umich.edu/~dirsvcs/ldap/doc/
o OpenLDAP Administrator's Guide:
http://www.openldap.org/doc/admin
o Netscape Ì[~OANZXðèìÆÅÀ»·éû@F
http://help.netscape.com/products/client/communicator/manual_roam-
ing2.html
o Netscape Communicator 4.5 Ì LDAP ÝèÌJX^}CYF
http://developer.netscape.com/docs/manuals/communicator/ldap45.htm
o Introducing to Directory Service (X.500):
http://www.nic.surfnet.nl/surfnet/projects/x500/introducing/
o Linux Directory Service:
http://www.rage.net/ldap/
7.2. Ð
±êçÍ LDAP É¢ÄÅàæmçê½LpÈÐÅ·B
o Implementing LDAP by Mark Wilcox
o LDAP: Programming Directory-Enabled Applications with Lightweight
Directory Access Protocol by Howes and Smith [¼h÷AªO ó
uLDAP C^[lbg fBNg AvP[V vO~
OvAsA\§]
o Understanding and Deploying LDAP Directory Servers by Howes, Smith,
and Good
7.3. RFC
LDAP ÌJðT|[g·é RFC Å·B
o RFC 1558: A String Representation of LDAP Search Filters
o RFC 1777: Lightweight Directory Access Protocol
o RFC 1778: The String Representation of Standard Attribute Syntaxes
o RFC 1779: A String Representation of Distinguished Names
o RFC 1781: Using the OSI Directory to Achieve User Friendly Naming
o RFC 1798: Connectionless LDAP
o RFC 1823: The LDAP Application Programming Interface
o RFC 1959: An LDAP URL Format
o RFC 1960: A String Representation of LDAP Search Filters
o RFC 2251: Lightweight Directory Access Protocol (v3)
o RFC 2307: LDAP as a Network Information Service
distrib
>
Mandriva
>
2010.0
>
i586
>
media
>
contrib-release
>
by-pkgid
>
e74e806c1a2640e922856d7eb69d1420
>
files
>
54
