LDAP Implementation HOWTO

Roel van Meer
Linvision BV <http://www.linvision.com>
r.vanmeer@linvision.com

Giuseppe Lo Biondo
INFN MI <http://www.mi.infn.it>
giuseppe.lobiondo@mi.infn.it

Japanese translation: arms405@jade.dti.ne.jp

v0.5, 2001-03-30

Revision History
Revision 0.5  2001-03-30  Revised by: rvm  Cleanup, fixes, overview rewritten.
Revision 0.4  2001-02-01  Revised by: rvm  Added dns section.
Revision 0.3  2001-01-18  Revised by: rvm  Added MTA sections.
Revision 0.2  2000-11-12  Revised by: glb  Improved section on nss. Added sections about certificates and wrappers.

This document describes the technical aspects of storing application data in an LDAP server. Its focus is on how to configure various applications so that they work with LDAP. It also describes some applications that are useful when handling LDAP data.

Table of Contents

1. Overview
   1.1. Why this HOWTO?
   1.2. What is it about?
   1.3. What is it not about?
   1.4. Acknowledgements
   1.5. Disclaimer
   1.6. Copyright and license
2. LDAP authentication using pam_ldap and nss_ldap
   2.1. Components
      2.1.1. The authentication mechanism: PAM and pam_ldap.so
      2.1.2. Name Service Switch and nss_ldap.so
      2.1.3. Lightweight Directory Access Protocol
      2.1.4. Name Service Caching Daemon
      2.1.5. Secure Socket Layer
   2.2. Building the authentication system
      2.2.1. Server side
         2.2.1.1. Installing and configuring OpenLDAP
      2.2.2. Client side
         2.2.2.1. Installing and configuring PAM LDAP
         2.2.2.2. Installing and configuring NSS LDAP
         2.2.2.3. Configuring NSCD
         2.2.2.4. The LDAP client configuration file
   2.3. Starting up
   2.4. Account maintenance
   2.5. Known limitations
   2.6. File permissions
3. Radius authentication using LDAP
   3.1. Configuring radiusd in FreeRadius
   3.2. Testing Radius authentication
   3.3. Cisco IOS configuration example
4. Samba
5. DNS
   5.1. Using NSS
      5.1.1. Configuration
      5.1.2. Schema
   5.2. Using bind
      5.2.1. Patches for bind
      5.2.2. ldap2dns
      5.2.3. ispman
6. Mail transfer agents (MTAs)
   6.1. Sendmail
      6.1.1. LDAP support in Sendmail
      6.1.2. System layout
      6.1.3. Sendmail configuration file
      6.1.4. Schema
      6.1.5. For further information
   6.2. Postfix
      6.2.1. Support
      6.2.2. Configuration
      6.2.3. Configuration example
   6.3. qmail
7. Address books
8. Netscape roaming access
9. Issuing digital certificates with LDAP
   9.1. Configuring the LDAP server
   9.2. Issuing certificates
   9.3. LDAP-aware clients
10. SSL/TLS and SSL/TLS wrappers for LDAP
   10.1. A brief explanation of SSL
   10.2. SSL/TLS support in OpenLDAP
   10.3. Providing SSL/TLS for an LDAP v2 server with stunnel
   10.4. Providing SSL for LDAP clients with stunnel
   10.5. Providing SSL for slurpd replication with stunnel
11. Security-related matters
12. LDAP schema
13. Example files
   13.1. Schema file
   13.2. Example base LDIF
14. About the Japanese translation

1. Overview

1.1. Why this HOWTO?

I started looking into LDAP when my employer felt the need for centralised management of user account information and wanted to use LDAP for it. I quickly noticed that small or fragmentary documents were scattered all over the place, but also that nothing brought them together. That is why I started writing.

Furthermore, LDAP is used more widely every day. So when people consider using LDAP, I think it is useful for them to be able to get an overall picture of which applications are LDAP-aware. This document should help you decide on a system design without too much risk, so that you no longer have to start over every time you want to change something or add a feature.

This document started as a roadmap for a project on how to implement LDAP in a way that fitted our own situation. But because my employer, Linvision <http://www.linvision.com>, gave me the opportunity to investigate even things that turned out to be of no practical use in our case, it turned from a mere roadmap into a technical overview of LDAP-aware applications.

1.2. What is it about?

Most common services perform authentication through PAM (Pluggable Authentication Modules). With pam_ldap and nss_ldap, any PAM-enabled program can retrieve its information from LDAP. More general information about PAM is available at the Linux-PAM site <http://www.kernel.org/pub/linux/libs/pam/>. Information about pam_ldap and nss_ldap is on the padl software site <http://www.padl.com>.

Samba is currently a different story. At the time of writing there is no LDAP support in the stable Samba. The HEAD and TNG branches have it, so it will probably be in a released tool eventually. The problem is that Samba keeps its own user names and passwords. PAM can certainly be used, but by itself that is not enough for all of the authentication and user-information exchange, because the LDAP implementation in Samba is incomplete and has some limitations. In the author's experience, the HEAD branch at that time (around May 2000) was neither stable enough nor fast enough. However, once a new release has fully working LDAP support, Samba too can be configured to obtain all of its user information from LDAP.

DNS is another thing that can be stored in an LDAP database. As the number of machines connected to the network grows, editing DNS files by hand becomes impractical. If machine accounts are kept in LDAP, it becomes trivial to add the two DNS entries (one for forward name resolution and one for the reverse lookup) at the same time. This also simplifies system administration. Putting these entries into the LDAP database will not be necessary for most systems, but some people will find it convenient.

Sendmail (see sendmail.net <http://www.sendmail.net/> for details) has supported LDAP since version 8.9. Postfix and qmail are also LDAP-aware. When building a mail system with several mail hosts or fallback hosts, it is convenient to keep all the information in one place. Normally the same information would have to be entered separately on each system; with LDAP that is not necessary.

LDAP can also be used for roaming access. Netscape 4.5 and later can store bookmarks and other user data on an HTML or LDAP server. Users can then use the settings they made before, wherever they happen to log in and run Netscape.

Microsoft's Office programs can import address books.
Using Active Directory services, they can also complete e-mail addresses automatically from a user name or nickname. With LDAP, the same thing can be done on a Linux system without Microsoft Exchange Server or anything like it.

1.3. What is it not about?

First of all: this document tries not to talk too much about the actual configuration and administration of LDAP itself. There is an excellent document about that, the LDAP-HOWTO at the LDP (the Linux Documentation Project).

Second, questions about the applications themselves are not dealt with unless they are related to LDAP.

Finally, the author cannot advise you on whether using LDAP is wise in most situations; he lacks that kind of experience. How to use it, if you want to, can be answered. Whether you should, cannot. There are many documents that discuss the general uses of LDAP; please consult those.

1.4. Acknowledgements

First of all I would like to thank my employer, Linvision <http://www.linvision.com>, for giving me the opportunity to work on this document during working hours.

I would also like to thank the following people, who contributed to this document in one way or another (in no particular order): Giuseppe Lo Biondo.

1.5. Disclaimer

This document is provided as is and should be considered as a work in progress. Several sections are as yet unfinished, and probably a lot of things that should be in here, aren't. I would greatly appreciate any comments on this document, of whatever nature they may be.

In any case, think before you go messing around with your system and don't come to me if it breaks.

1.6. Copyright and license

Copyright (c) by Roel van Meer, Giuseppe Lo Biondo. This document may be distributed only subject to the terms and conditions set forth in the LDP License at the Linux Documentation Project <http://www.linuxdoc.org/COPYRIGHT.html>.
2. LDAP authentication using pam_ldap and nss_ldap

This chapter focuses on using LDAP as a replacement for NIS for managing user accounts. When many user accounts are spread over several hosts, inconsistencies in the account settings easily creep in. With LDAP you can avoid duplicated data and keep things consistent by building a centralised authentication system.

At the moment, the most widely used mechanism for sharing user account data and other information over the network is the Network Information Service (NIS). Like LDAP, NIS is a service that lets you keep the configuration files passwd, shadow, groups, services, hosts and so on on a server. The NIS server answers queries from NIS clients and provides this information.

LDAP can provide the same functionality as NIS, and there are several points on which LDAP is the better choice:

* The information on an LDAP server can easily be used for several purposes. As this HOWTO shows, the same user entry in the LDAP database can be used by other applications such as phone books, mail delivery and so on, so that duplication and drift of the data are avoided.
* LDAP can apply complex access control lists to the database. This makes it possible to fine-tune the permissions on the database entries appropriately.
* By running over the Secure Socket Layer (SSL), a secure transport channel can be established between the LDAP server and its clients.
* With slapd replication [1] and DNS round robin queries (which are not covered in this document) a load-balanced service can be built. (Translator's note: when I asked the author whether a DNS round robin query really balances load, the answer was that "whether a client tries another server when its connection to the first DNS server is refused depends on the client".)
* Keeping the user accounts of a network in one place makes it possible to maintain the users of many hosts from a single administration point (that is, when an account is created or deleted on the LDAP server, the change is immediately available to the LDAP clients).

Here we concentrate on how an LDAP server can be used for authentication and authorisation on systems that have the Pluggable Authentication Module (PAM) and Name Service Switch (NSS) technologies. Linux will be referred to in particular, but that does not mean the explanation cannot be applied to other operating systems.

In the environment described here there is one LDAP server on which the user account data is stored in a convenient form. The Un*x clients use this information to perform authentication and authorisation of resources in the standard Un*x way. A secure channel for the client/server communication is also required, because critical information such as user account data should not travel over the network in the clear. This secure channel is provided by the Secure Socket Layer.

On the client side a caching facility is needed for performance reasons; this is provided by the Name Service Caching Daemon.

(Almost) all of the software used to build this system is open source.

2.1. Components

This section surveys the various components used to build the authentication system. Each is described briefly.
2.1.1. The authentication mechanism: PAM and pam_ldap.so

The Pluggable Authentication Module makes it possible to integrate various authentication technologies, such as standard UNIX, RSA, DCE and LDAP, with system services such as login, passwd, rlogin, su, ftp and ssh, without having to change those services. Originally implemented on Sun Solaris, PAM is now the standard authentication framework of many Linux distributions, including RedHat and Debian. Through the API it provides, an authentication request is mapped to a technology-specific action, which is implemented by a library called a PAM module. This mapping is done in the PAM configuration file. Basically, this file states which authentication mechanism is used for each service.

In our case, the pam_ldap module, implemented by the shared library pam_ldap.so, lets the LDAP service be used for the authentication of users and groups.

Each service that needs authentication can be configured, through the PAM configuration file, to use a different authentication scheme. In other words, the PAM configuration file lets you write down the list of requirements a user has to satisfy in order to be granted access to a resource.

2.1.2. Name Service Switch and nss_ldap.so

Once a user has been authenticated, many applications still need access to user information. This information has traditionally been kept in text files (/etc/passwd, /etc/shadow, /etc/group), but it can also be provided by other name services.

As new name services (LDAP, for example) were introduced, the implementation of this kind of lookup ended up either in the C library (as with NIS and DNS) or in the applications that wanted to use the new name service.

Either way, this can be avoided by using a common, general-purpose name service API and handing the request to a set of libraries that each obtain the information from a service with technology-specific operations.

The GNU C Library solved this by implementing the Name Service Switch. It originated in the Sun C library and is a way of obtaining information from various name services through a common API.

NSS uses that common API together with a configuration file, /etc/nsswitch.conf, in which each supported database is assigned the libraries that provide the service.

The databases currently supported by NSS [2] are:

* aliases - mail aliases.
* ethers - Ethernet numbers.
* group - user groups.
* hosts - host names and numbers.
* netgroup - network-wide lists of hosts and users.
* network - network names and numbers.
* protocols - network protocols.
* passwd - user passwords.
* rpc - Remote Procedure Call names and numbers.
* services - network services.
* shadow - shadow user passwords.

With the nss_ldap shared library, the mappings above can be implemented using LDAP. Although all of them could be implemented, here we concentrate only on the LDAP implementation of the shadow, passwd and group databases.
2.1.3. Lightweight Directory Access Protocol

In the application discussed here, LDAP is used to provide clients with information about user accounts and user groups. The standard objectclasses used to represent users and groups are top, posixAccount, shadowAccount and posixGroup.

A user-related entry in the database must belong at least [3] to the objectclasses top, posixAccount and shadowAccount. A group entry must belong to the objectclasses top and posixGroup. This is because the pam_ldap and nss_ldap implementations we use refer to these objectclasses. They are the ones described in RFC 2307.

Note: in practice, NSS over LDAP also recognises objectclasses that are not listed here.

2.1.4. Name Service Caching Daemon

The Name Service Caching Daemon (NSCD) is used to cache the results of name-service lookups and can improve the performance of the services provided by NSS.

To get satisfactory performance on the client side, a large cache must be configured for passwd entries.

2.1.5. Secure Socket Layer

See Section 10 for details.

SSL is required for the communication between the LDAP server and the client libraries (pam_ldap.so and nss_ldap.so), because important data such as password entries must be encrypted between client and server. SSL also lets the client identify the server, which prevents it from obtaining authentication information from an untrustworthy source.

Client authentication (the server identifying the client) is not supported by the current pam_ldap and nss_ldap implementations, although it would surely be useful.

2.2. Building the authentication system

This chapter explains the steps needed to build an authentication system from the components listed in the previous chapter.

Figure 1. PAM layout diagram: the relationships between the parts of the authentication system, seen from the PAM point of view.

Figure 2. NSS layout diagram: the relationships between the parts of the authentication system, seen from the NSS point of view.

These diagrams may look very complex to implement yourself, but most of the components are already part of a Linux system.

2.2.1. Server side

On the server side, an LDAP server has to be installed and configured. The LDAP server used here is OpenLDAP, an open-source LDAP toolkit that contains the LDAP server (slapd), libraries and utilities.

At the moment OpenLDAP has two implementations of LDAP: the V2 implementation (OpenLDAP 1.2.x) and the V3 implementation (OpenLDAP 2.0.x). The V3 implementation provides SSL natively; V2 does not. SSL can be added to a V2 server with an SSL wrapper, however (see Section 10).
2.2.1.1. Installing and configuring OpenLDAP

The LDAP-HOWTO can be used as a reference for installing and configuring LDAP. Once slapd is configured properly, data has to be entered to create the initial database. For this you have to create an LDIF (LDAP Data Interchange Format) file. This is a text file, which is imported into the LDAP database with the following command:

    # ldif2ldbm -i your_file.ldif

Note: ldif2ldbm comes with the OpenLDAP 1.2.x package; if you use OpenLDAP 2.0.x you should use the ldapadd command instead (after starting the server). (Translator's note: a reviewer pointed out that the 2.0.x equivalent of ldif2ldbm is slapadd. Running slapadd -l your_file.ldif while the server is stopped is reportedly the quicker and easier way.)

If you use OpenLDAP 2.0.x (LDAPv3), the standard NIS schema is in the file /etc/openldap/schema/nis.schema; enable it with an include directive in your slapd.conf.

Below is a very simple example of an LDIF file. Entries are separated by blank lines. (The top entry uses the objectclasses dcObject and organization, which allow the dc attribute; organizationalUnit would not.)

    dn: dc=yourorg, dc=com
    objectclass: top
    objectclass: dcObject
    objectclass: organization
    dc: yourorg
    o: yourorg

    dn: ou=groups, dc=yourorg, dc=com
    objectclass: top
    objectclass: organizationalUnit
    ou: groups

    dn: ou=people, dc=yourorg, dc=com
    objectclass: top
    objectclass: organizationalUnit
    ou: people

    dn: cn=Giuseppe LoBiondo, ou=people, dc=yourorg, dc=com
    cn: Giuseppe Lo Biondo
    sn: Lo Biondo
    objectclass: top
    objectclass: person
    objectclass: posixAccount
    objectclass: shadowAccount
    uid: giuseppe
    userpassword: {crypt}$1$ss2ii(0$gbs*do&@=)eksd
    uidnumber: 104
    gidnumber: 100
    gecos: Giuseppe Lo Biondo
    loginShell: /bin/zsh
    homeDirectory: /home/giuseppe
    shadowLastChange: 10877
    shadowMin: 0
    shadowMax: 999999
    shadowWarning: 7
    shadowInactive: -1
    shadowExpire: -1
    shadowFlag: 0

    dn: cn=mygroup, ou=groups, dc=yourorg, dc=com
    objectclass: top
    objectclass: posixGroup
    cn: mygroup
    gidnumber: 100
    memberuid: giuseppe
    memberuid: anotheruser

Note: remember that a line that is too long can be continued on the next line by starting that line with a tab or a space (exactly one of either). This applies to other LDIF-format files as well.

Here we defined a DN for a single organisation, dc=yourorg, dc=com, with two organisational units under it: people and groups. The user is described as belonging to the people organisational unit and to the group under the groups unit of which the user is a member (translator's note: mygroup in giuseppe's case).

Note: PADL provides a handy tool for converting an existing database into LDIF format. It is available at ftp://ftp.padl.com/pub/MigrationTools.tar.gz.

The LDIF file must be imported while the server is not running, because the ldif2ldbm command builds the database directly without going through the LDAP server. Once the LDIF file has been imported into the database, you can start the server.
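As an added example (not from the HOWTO), here is a small Python LDIF reader that applies the continuation-line rule noted above and checks posixAccount, shadowAccount and posixGroup entries for the RFC 2307 attributes pam_ldap and nss_ldap rely on, plus duplicate uidNumbers, gidNumbers without a posixGroup and unhashed userPasswords; SAMPLE_LDIF is constructed and contains one deliberately faulty entry.

```python
"""Read LDIF and check RFC 2307 account/group entries (constructed sample)."""

# Attributes pam_ldap/nss_ldap need per objectclass (names lower-cased,
# because LDIF attribute names are case-insensitive).
REQUIRED = {
    "posixaccount": {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"},
    "shadowaccount": {"uid"},
    "posixgroup": {"cn", "gidnumber"},
}

SAMPLE_LDIF = """\
dn: cn=Giuseppe LoBiondo, ou=people, dc=yourorg, dc=com
objectclass: top
objectclass: posixAccount
objectclass: shadowAccount
cn: Giuseppe Lo Biondo
uid: giuseppe
userpassword: {crypt}$1$ss2ii(0$gbs*do&@=)eksd
uidnumber: 104
gidnumber: 100
homeDirectory: /home/giuseppe

dn: cn=Bad Example, ou=people, dc=yourorg, dc=com
objectclass: top
objectclass: posixAccount
cn: Bad Example
uid: bad
userpassword: cleartext-secret
uidnumber: 104
gidnumber: 200
gecos: a constructed entry whose descri
 ption is folded
homeDirectory: /home/bad

dn: cn=mygroup, ou=groups, dc=yourorg, dc=com
objectclass: top
objectclass: posixGroup
cn: mygroup
gidnumber: 100
memberuid: giuseppe
"""


def parse_ldif(text):
    """Entries as {attribute: [values]}; a line starting with one space or
    tab continues the previous line, as the HOWTO's note describes."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith((" ", "\t")) and unfolded:
            unfolded[-1] += raw[1:]
        elif not raw.startswith("#"):
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded + [""]:  # the sentinel flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    return entries


def classes_of(entry):
    return {c.lower() for c in entry.get("objectclass", [])}


def check_entry(entry):
    """Problems within one entry; an empty list means it is fine."""
    dn, classes, problems = entry.get("dn", ["?"])[0], classes_of(entry), []
    if "posixaccount" in classes and "shadowaccount" not in classes:
        problems.append(f"{dn}: posixAccount without shadowAccount")
    for cls, attrs in REQUIRED.items():
        if cls in classes:
            problems += [f"{dn}: {cls} lacks {a}" for a in sorted(attrs) if a not in entry]
    for num in ("uidnumber", "gidnumber"):
        problems += [f"{dn}: {num} not numeric: {v}" for v in entry.get(num, []) if not v.isdigit()]
    # nss_ldap hands userPassword to crypt(); without a {scheme} prefix the
    # directory is storing a cleartext password.
    for pw in entry.get("userpassword", []):
        if not pw.startswith("{"):
            problems.append(f"{dn}: userPassword is not a {{scheme}}-prefixed hash")
    return problems


def check_directory(text):
    """Per-entry checks plus duplicate uidNumbers and unknown gidNumbers."""
    entries = parse_ldif(text)
    problems = [p for e in entries for p in check_entry(e)]
    groups = {g for e in entries if "posixgroup" in classes_of(e) for g in e.get("gidnumber", [])}
    seen_uid = {}
    for e in entries:
        if "posixaccount" not in classes_of(e):
            continue
        dn = e["dn"][0]
        for u in e.get("uidnumber", []):
            if u in seen_uid:
                problems.append(f"{dn}: uidNumber {u} also used by {seen_uid[u]}")
            seen_uid.setdefault(u, dn)
        problems += [f"{dn}: gidNumber {g} has no posixGroup" for g in e.get("gidnumber", []) if g not in groups]
    return problems
```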
2.2.2. Client side

On the client side, pam_ldap.so and nss_ldap.so are required, and they must have been compiled against the Netscape LDAP Library (Mozilla), because the LDAPS (LDAP over SSL) API that library provides is needed. That library is distributed in binary form under the Netscape One License and is not open source (although it is in the public domain).

Unpack that package into a directory such as /usr/local/ldapsdk.

In addition, the client libraries must be able to access a certificate database. This database must contain the certificate of the LDAP (stunnel) server and the CA certificate of the CA that signed that server certificate, marked as "trusted".

The certificate database must be in Netscape's format, because the Mozilla LDAP API against which pam_ldap and nss_ldap are compiled uses Netscape-format certificate databases. The convenient way to handle such a certificate database is the certutil utility in the PKCS#11 package provided by Netscape [4].

The main configuration file of the LDAP client is /etc/ldap.conf.

Remember that if you use nss_ldap, using pam_ldap is, strictly speaking, not necessary. The pam_unix_auth module can be used instead, because nss_ldap turns every getpw* and getsh* call into an LDAP lookup, and pam_unix_auth uses these calls to authenticate users. (Translator's note: the author, Roel van Meer, sent a correction on this point. He pointed out that PAM is used only for authentication and that PAM obtains its information from PAM libraries, not from NSS libraries, so the pam_ldap module is required for "authentication". This is expected to be corrected, so consult the latest version of the original for accurate information.)
2.2.2.1. Installing and configuring PAM LDAP

To compile and install pam_ldap, do the following:

    $ ./configure --with-ldap-lib=netscape4 --with-ldap-dir=/usr/local/ldapsdk
    $ make
    # make install

The --with-ldap-lib option of configure specifies which LDAP library you intend to use. The --with-ldap-dir option specifies where you installed the Netscape ldapsdk toolkit.

This installs /lib/security/pam_ldap.so.1 and various symbolic links.

PAM must be configured properly so that it can access the new authentication system. The PAM configuration files live in the directory /etc/pam.d and are named after the service that is being authenticated. For example, the following is the PAM configuration file for the login service (the file named login):

    #%PAM-1.0
    auth       required     /lib/security/pam_securetty.so
    auth       required     /lib/security/pam_nologin.so
    auth       sufficient   /lib/security/pam_ldap.so
    auth       required     /lib/security/pam_unix_auth.so use_first_pass
    account    sufficient   /lib/security/pam_ldap.so
    account    required     /lib/security/pam_unix_acct.so
    password   required     /lib/security/pam_cracklib.so
    password   sufficient   /lib/security/pam_ldap.so
    password   required     /lib/security/pam_unix_passwd.so use_first_pass md5 shadow
    session    required     /lib/security/pam_unix_session.so

Standard PAM configuration files for use with PAM are in the directory pam_ldap-(version)/pam.d of the pam_ldap source.

These standard files can be copied into the /etc/pam.d directory. Be careful when you do this: if you get something wrong you will probably not be able to log in again. Make a backup of /etc/pam.d before installing the new files, and keep a shell open with enough privileges to restore it.

Note: the sample pam.d directory does not contain a file named sshd. Unless you create one, you will not be able to log in through an ssh that uses PAM (OpenSSH uses PAM).
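As an added example (not from the HOWTO), the following Python simulates how Linux-PAM walks the auth stack of the login file above, so you can see which module decides the result for an LDAP user, a local user, a wrong password and a non-secure tty, and why changing pam_ldap from sufficient to required would lock local users out; module outcomes are supplied by hand, no real PAM call is made.

```python
"""Simulate Linux-PAM control flags over the HOWTO's login stack."""

PAM_LOGIN = """\
#%PAM-1.0
auth     required   /lib/security/pam_securetty.so
auth     required   /lib/security/pam_nologin.so
auth     sufficient /lib/security/pam_ldap.so
auth     required   /lib/security/pam_unix_auth.so use_first_pass
account  sufficient /lib/security/pam_ldap.so
account  required   /lib/security/pam_unix_acct.so
"""


def parse_pam(text):
    """Return (type, control, module, args) for each non-comment line."""
    stack = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        module = parts[2].rsplit("/", 1)[-1]
        if module.endswith(".so"):
            module = module[:-3]
        stack.append((parts[0], parts[1], module, parts[3:]))
    return stack


def run_stack(stack, mtype, outcomes):
    """Walk one management group (e.g. "auth") with Linux-PAM's rules:
    required   - a failure is remembered, the walk continues;
    requisite  - a failure ends the walk immediately;
    sufficient - success ends the walk with success unless a required
                 module already failed; a failure is ignored;
    optional   - ignored here.
    outcomes maps module -> True/False; unlisted modules are assumed to pass.
    Returns (success, module that decided the result, or None)."""
    failed = None
    for t, control, module, _args in stack:
        if t != mtype:
            continue
        ok = outcomes.get(module, True)
        if control == "requisite" and not ok:
            return False, module
        if control == "required" and not ok and failed is None:
            failed = module
        if control == "sufficient" and ok and failed is None:
            return True, module
    return (False, failed) if failed else (True, None)


def login_results(pam_text=PAM_LOGIN):
    """Auth results for four constructed situations."""
    stack = parse_pam(pam_text)
    cases = {
        # account exists only in LDAP: pam_ldap accepts, nothing else is asked
        "ldap_user": {"pam_ldap": True, "pam_unix_auth": False},
        # account exists only in /etc/passwd: pam_ldap fails, pam_unix decides
        "local_user": {"pam_ldap": False, "pam_unix_auth": True},
        # wrong password everywhere
        "bad_password": {"pam_ldap": False, "pam_unix_auth": False},
        # not on a secure tty: the earlier required failure wins even though
        # pam_ldap (sufficient) would have accepted
        "console_denied": {"pam_securetty": False, "pam_ldap": True},
    }
    return {name: run_stack(stack, "auth", out) for name, out in cases.items()}


def lockout_if_required():
    """A local-only user when pam_ldap is 'required' instead of 'sufficient'
    (the kind of mistake the HOWTO warns can lock you out)."""
    broken = PAM_LOGIN.replace("auth     sufficient /lib/security/pam_ldap.so",
                               "auth     required   /lib/security/pam_ldap.so")
    return run_stack(parse_pam(broken), "auth",
                     {"pam_ldap": False, "pam_unix_auth": True})
```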
2.2.2.2. Installing and configuring NSS LDAP

After unpacking the source, check the Makefile. Most of the settings do not need editing. If you want to use SSL, however, you must link against an SSL-capable LDAP library, for example Netscape's.

Assuming the LDAP SDK is in /usr/local/ldapsdk, the Makefile has to be modified to enable SSL: look for NSFLAGS in Makefile.linux.mozilla and enable the -DSSL that is commented out there.

Also look at the definition of LIBS and check that the ldapssl library named in that file is the one you have installed (ldap_nss.so is compiled by linking against both libldapssl40 and libldapssl30).

After that, the library can be installed:

    $ make -f Makefile.linux.mozilla
    # make -f Makefile.linux.mozilla install
    # ldconfig

This installs /lib/libnss_ldap.so, which is the nss_ldap library. If /etc/nsswitch.ldap and /etc/ldap.conf do not exist yet, they are installed as sample configuration files.

Once installed, the NSS configuration file /etc/nsswitch.conf has to be edited. LDAP can be used for any of the services, but here we use it only for passwd, group and shadow. In that case, the following should be written at the top of the configuration file:

    passwd: files ldap
    group: files ldap
    shadow: files ldap

With this configuration an entry is first looked up in the system files, and the LDAP server is queried only if no value came back.

Note: be careful when using LDAP as the backend for DNS lookups. If DNS cannot resolve the host name of the (LDAP) server, you end up in an infinite loop, because libldap itself calls gethostbyname(). (From the comments in nsswitch.ldap.)
2.2.2.3. Configuring NSCD

NSCD is included in many Linux distributions. If it is not, it is part of the GNU C library package.

The configuration file of NSCD is /etc/nscd.conf. Each line specifies either an attribute and a value, or an attribute, a cache name and a value. The fields are separated by spaces or tabs. The cache name can be hosts, passwd or groups (here we do not cache hosts):

    enable-cache            passwd          yes
    positive-time-to-live   passwd          600
    negative-time-to-live   passwd          20
    suggested-size          passwd          211
    keep-hot-count          passwd          20
    check-files             passwd          yes

    enable-cache            group           yes
    positive-time-to-live   group           3600
    negative-time-to-live   group           60
    suggested-size          group           211
    keep-hot-count          group           20
    check-files             group           yes

Keep in mind that the NSCD program caches the passwd entries it obtains from LDAP. This means that the NSCD cache stays valid even after you change the user information on the LDAP server. For the ordinary UNIX files this problem is avoided by the check-files directive, which invalidates the cache when the corresponding file changes. Such a mechanism should be generally available, but at the moment it does not apply to LDAP. The way to avoid inconsistencies between the LDAP server and the cache is to invalidate the cache yourself with the following command whenever you update a passwd entry:

    # nscd --invalidate=TABLE

where TABLE is one of passwd, groups or hosts. Alternatively, avoid the confusion by not using NSCD at all.

Furthermore, using NSS and NSCD opens a large number of file descriptors, so the available file descriptors on the system can easily run out (which can hang the system). On a Linux machine (kernel 2.2.x) the file descriptor limit can be raised like this:

    # echo 16384 > /proc/sys/fs/file-max

The file descriptor limit you can allow depends mainly on the configuration of the system.

2.2.2.4. The LDAP client configuration file

The LDAP client configuration file, /etc/ldap.conf, is read by pam_ldap and nss_ldap as well as by other LDAP clients. Below is an example of what the file should look like in our environment:

    #
    # @(#)$Id: ldap.conf,v 2.18 2001/03/28 23:35:00 lukeh Exp $
    #
    # This is the configuration file for the LDAP NSS library and the
    # LDAP PAM module.
    # PADL Software
    # http://www.padl.com
    #
    # If this file contains neither host nor base, the DNS RR
    # _ldap._tcp.[defaultdomain]. is resolved instead;
    # [defaultdomain] is mapped to a distinguished name and the
    # target host is used as the server.
    #
    # Your LDAP server. Must be resolvable without using LDAP.
    host 192.111.111.111
    #
    # The distinguished name of the search base.
    base dc=yourorg, dc=com
    #
    # The LDAP version to use (defaults to 2; use 3 if you are using
    # OpenLDAP 2.0.x or Netscape Directory Server)
    #
    ldap_version 3
    #
    # The distinguished name to bind to the server with.
    # Optional - the default is to bind anonymously.
    # binddn cn=manager,dc=padl,dc=com
    #
    # The credentials to bind with.
    # Optional - the default is no credentials.
    #bindpw secret
    #
    # The port.
    # Optional - the default is 389; 636 is for LDAPS.
    port 636
    #
    # The search scope.
    #scope sub
    #scope one
    #scope base
    #
    # The following options are specific to nss_ldap.
    #
    # The hash algorithm your libc uses.
    # Optional - the default is des.
    #crypt md5
    #crypt sha
    #crypt des
    #
    # The following options are specific to pam_ldap.
    #
    # The filter to AND with uid=%s.
    pam_filter objectclass=posixAccount
    #
    # The user ID attribute (the default is uid).
    pam_login_attribute uid
    #
    # Search the root DSE for the password policy.
    # (Works with Netscape Directory Server.)
    # (Translator's note: I was told that the root DSE is the Root
    # Directory Server Specific Entry; the translator did not know.)
    #pam_lookup_policy yes
    #
    # Require membership of this group.
    #pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com
    #
    # The group member attribute.
    pam_member_attribute memberuid
    # The template login attribute and the default template user.
    # (Can be overridden by the value of that attribute in the
    # user's entry.)
    #pam_login_attribute userPrincipalName
    #pam_template_login_attribute uid
    #pam_template_login nobody
    #
    # Hash the password locally.
    # Required for the University of Michigan LDAP server.
    # Also works with Netscape Directory Server if you use the
    # UNIX-Crypt hash mechanism and do not use the NT
    # Synchronization service.
    pam_crypt local
    #
    # SSL settings
    ssl yes
    sslpath /usr/local/ssl/certs

Note: to avoid problems with the various applications that read this file, it is recommended to use a single space, and no tabs, between a parameter and its value.

The pam_groupdn directive is useful when the LDAP server manages the authentication information of a set of clients and you want users to be authorised on only some of those clients. This directive can provide the same functionality as NIS netgroups.

The directives concerning the SSL settings are not documented in the package. They enable SSL and specify where the file containing the LDAP server certificate and the CA certificate is stored.

A Netscape certificate database named cert7.db is looked for in sslpath. This file must contain the server certificate and (unless the server certificate is self-signed) the CA certificate. There are two ways to create this file: with Netscape PKCS#11 or with the Netscape browser.

If you use the Netscape browser, start slapd and stunnel on the server and point Netscape Navigator at the URL https://your.ldap.server:636/; you will then be prompted to import the server certificate into your database.
(If you are not using a self-signed certificate) you must likewise load the CA certificate (issued by the CA) into the database. When this is done, $HOME/.netscape/cert7.db can be copied to sslpath. It is preferable to do this from a fresh account with a default cert7.db, because your own certificate database may contain other server certificates, and if it does, the LDAP client will regard those as trusted authentication servers. Once the server certificate has been imported, the browser can be used to debug SSL, because it then behaves just like the pam and nss libraries.

2.3. Starting up

On the server side, slapd (the LDAP daemon process) must be started with a command like this:

    # slapd

If you use stunnel, it has to be started on the LDAPS port, 636, like this:

    # /usr/local/sbin/stunnel -r ldap -d 636 -p /usr/local/ssl/certs/stunnel.pem

If you use OpenLDAP 2.0.x compiled with TLS (OpenSSL), the server can be started with:

    # slapd -h "ldap:/// ldaps:///"

On the client, NSCD can be started from the startup script that most distributions include:

    # /etc/rc.d/init.d/nscd start

If PAM and NSS are configured properly, this should be enough.

2.4. Account maintenance

At this point you should be able to create and maintain accounts using LDAP client tools.

Unfortunately, most of the general-purpose tools are not made for managing Un*x accounts. One that seems to have the right functionality is LDAP Browser/Editor (http://www-unix.mcs.anl.gov/~gawor/ldap), which can set passwords in various formats and can use SSL to connect to the server.

2.5. Known limitations

Just as with NIS served by a single master server (without slave servers), LDAP without replication is a single point of failure for the authentication mechanism. Implementing LDAP replication is therefore all the more important for authentication purposes. The OpenLDAP server (slapd) provides replication.

2.6. File permissions

Below is a list of the permissions that should be applied to the files used by the authentication system:

    -rw-r--r--  root.root  /etc/ldap.conf
    -rw-------  root.root  /usr/local/etc/openldap/slapd.conf
    -rwxr-xr-x  root.root  /lib/security/pam_ldap.so.1
    -rw-r--r--  root.root  /lib/libnss_ldap-2.1.2.so
    -rw-r--r--  root.root  /usr/local/ssl/certs/cert7.db
    -rw-------  root.root  /usr/local/ssl/certs/stunnel.pem
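The following added example (my own, not from the HOWTO or from PADL) parses an /etc/ldap.conf of the form shown in section 2.2.2.4 and checks the settings that matter for this setup (ssl yes, port 636, an sslpath, the single-space rule, and a bindpw in a file that is readable by others) against the modes listed above; SAMPLE_CONF and the modes passed in are constructed.

```python
"""Audit /etc/ldap.conf settings and the file modes from section 2.6."""

# Modes the HOWTO lists for the files of the authentication system.
EXPECTED_MODES = {
    "/etc/ldap.conf": 0o644,
    "/usr/local/etc/openldap/slapd.conf": 0o600,
    "/lib/security/pam_ldap.so.1": 0o755,
    "/lib/libnss_ldap-2.1.2.so": 0o644,
    "/usr/local/ssl/certs/cert7.db": 0o644,
    "/usr/local/ssl/certs/stunnel.pem": 0o600,
}

SAMPLE_CONF = """\
# constructed sample ldap.conf with deliberate mistakes
host 192.111.111.111
base dc=yourorg, dc=com
ldap_version 3
binddn cn=manager,dc=yourorg,dc=com
bindpw secret
port 389
pam_filter\tobjectclass=posixAccount
ssl yes
sslpath /usr/local/ssl/certs
"""


def symbolic_to_mode(sym):
    """'-rw-r--r--' -> 0o644 (the notation used in the HOWTO's list)."""
    mode = 0
    for ch in sym[1:10]:
        mode = (mode << 1) | (ch != "-")
    return mode


def parse_ldap_conf(text):
    """Return ({parameter: value}, [format warnings]); parameters are
    lower-cased and the value is the rest of the line."""
    settings, warnings = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if "\t" in raw:  # the HOWTO's note: one space, no tabs
            warnings.append(f"line {n}: tab used as separator")
        parts = raw.split(None, 1)
        settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return settings, warnings


def audit_ldap_conf(text, mode):
    """Findings for the client configuration given the file's mode bits."""
    settings, findings = parse_ldap_conf(text)
    if settings.get("ssl", "no").lower() != "yes":
        findings.append("ssl is not enabled: credentials cross the network in clear")
    else:
        port = settings.get("port", "389")
        if port != "636":
            findings.append(f"ssl yes but port is {port}, not 636 (LDAPS)")
        if "sslpath" not in settings:
            findings.append("ssl yes but no sslpath: cert7.db cannot be found")
    # a bind password in a group- or world-readable file is exposed to every
    # local user; the HOWTO's 0644 for ldap.conf assumes anonymous binds
    if "bindpw" in settings and mode & 0o044:
        findings.append(f"bindpw is set but the file is readable by others (mode {mode:04o})")
    return findings


def audit_modes(observed):
    """Compare observed modes with the HOWTO's list; return the mismatches."""
    return [f"{path}: mode {m:04o}, expected {EXPECTED_MODES[path]:04o}"
            for path, m in observed.items()
            if path in EXPECTED_MODES and m != EXPECTED_MODES[path]]
```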
3. Radius authentication using LDAP

A Radius server is a daemon that lets a Un*x operating system act as a Radius protocol server. It is usually used for the authentication and accounting of dial-up users. To use the server, the clients that will talk to it must also be configured properly. Usually a client is a terminal server, or a PC with suitable software that emulates a terminal server (PortSlave, radiusclient and so on). [From the FreeRadius FAQ]

Radius keeps its own database of users, but since the same information is also in LDAP, it is more convenient to use that!

There are several free Radius servers; one with good LDAP support is FreeRadius (http://www.freeradius.org). Although it is still under development, the LDAP module works well.

3.1. Configuring radiusd in FreeRadius

Once the server is installed, it has to be configured through its configuration files, which are under /etc/raddb (or /usr/local/etc/raddb).

Edit radiusd.conf as follows:

    [...]
    # Uncomment this if you want to use ldap (Auth-Type = LDAP)
    # Also uncomment it in the authenticate{} block below
    ldap {
            server   = ldap.yourorg.com
            #login    = "cn=admin,o=My Org,c=US"
            #password = mypass
            basedn   = "ou=users,dc=yourorg,dc=com"
            filter   = "(&(objectclass=posixAccount)(uid=%u))"
    }
    [...]
    # Authentication types, Auth-Type = System and PAM for now.
    authenticate {
            pam
            unix
    #       sql
    #       sql2
    # Uncomment this if you want to use ldap (Auth-Type = LDAP)
            ldap
    }
    [...]

Also edit the dictionary file as follows:

    [...]
    #
    #       Non-Protocol Integer Translations
    #
    VALUE   Auth-Type   Local         0
    VALUE   Auth-Type   System        1
    VALUE   Auth-Type   SecurID       2
    VALUE   Auth-Type   Crypt-Local   3
    VALUE   Auth-Type   Reject        4
    VALUE   Auth-Type   ActivCard     4
    VALUE   Auth-Type   LDAP          5
    [...]

Then make the entry for the default authentication type in the users file look like this:

    [...]
    DEFAULT Auth-Type = LDAP
            Fall-Through = 1
    [...]

If the LDAP server is already configured for Un*x account management, this is enough. On the LDAP server, make sure the Radius server can read all posixAccount attributes (in particular uid and userpassword).

3.2. Testing Radius authentication

To test the server, start radiusd in debug mode like this:

    /usr/local/sbin/radiusd -X -A

Then use radtest with the following syntax:

    radtest username "password" radius.yourorg.com 1 testing123

If everything works, you should receive an Access-Accept packet from the Radius server.

stunnel in client mode can also be used to provide SSL for the connection between the Radius server and the LDAPS server. See Section 10 for details on SSL.
3.3. Cisco IOS configuration example

For reference, here is a Cisco IOS configuration example. It lies outside the scope of this HOWTO, so it may not fit your needs.

    [...]
    aaa new-model
    aaa authentication login default radius enable
    aaa authentication ppp default radius
    aaa authorization network radius
    [...]
    radius-server host 192.168.10.1
    radius-server timeout 10
    radius-server key cisco
    [...]

Note: nearly all NASes use port 1645 for Radius. Check this and configure the server accordingly.

4. Samba

The current stable tree of Samba does not include LDAP support. The HEAD and TNG branches should have it, but those branches are still under heavy development. When a stable version is released, its LDAP implementation will be described here. Until then, have a look at this document by Ignacio Coupeau <http://www.unav.es/cti/ldap-smb/ldap-smb-HEAD-howto.html>, which describes how to configure LDAP in both branches.

In any case, for now you still have to use the smbpasswd file, even though obtaining the user account information from LDAP is already possible (because that is done by nsswitch, not by Samba). Once Samba supports LDAP, it should become possible to store in LDAP the information that is now kept in the smbpasswd and smbusers files. Whether Samba shares will become definable dynamically in LDAP the author does not know, but he suspects not.

5. DNS

There are two "flavours" of DNS that can be configured through LDAP. The first is to use nss_ldap (again), this time in place of DNS. This means that only clients whose /etc/nsswitch.conf has been adjusted can see the DNS entries from LDAP. The second way is to use LDAP as the backend for bind or tinydns. There are several projects active in this area; they are described below.

5.1. Using NSS

When you use NSS for access to (additional) host entries, note that only "your own" machines (those you know about and whose configuration you control) can use this service. That may be useful for resolving host names that change all the time on an intranet, but it cannot be used to publish the virtual host names of your web server to the whole world. Also remember that nslookup goes through neither /etc/hosts nor LDAP, so it cannot be used to check whether the configuration works. Use something that resolves names internally with the gethostbyname() function, such as ping, instead.
5.1.1. Configuration

To have the Name Service Switch resolve names with LDAP, nss_ldap has to be configured. How to configure nss_ldap is described in Section 2; here we assume a working nss_ldap configuration.

Name resolution by NSS is controlled by the hosts line in /etc/nsswitch.conf. It is very unlikely that there is no hosts line yet; files and dns are probably listed as entries. Add ldap to it like this:

    hosts: files, dns, ldap

Think carefully about the order! In any case, put files first. Then, if you want LDAP to take precedence over your local DNS server, make sure the IP address of the LDAP server is in the /etc/hosts file. If it is not, you get a deadlock. It goes like this: "I want to resolve a host name, but there is no entry in the file, so I try to ask the LDAP server. But I do not know the server's IP address, so I look in the file, and it is not there, so I ask the LDAP server...". Spotted the weak point? This problem can be avoided completely by referring to the LDAP server by IP address instead of host name (that is, writing the IP address in /etc/ldap.conf).

5.1.2. Schema

The schema used for this and similar services is defined in RFC 2307. An entry that maps a host name to an IP address belongs to the objectclass ipHost. The host name part of the mapping goes into the cn attribute and the IP part into ipHostNumber. So a typical LDIF entry looks like this:

    dn: cn=somehostname.mydomain.com,ou=Network,o=YourOrg,c=NL
    objectclass: top
    objectclass: ipHost
    cn: somehostname.mydomain.com
    ipHostNumber: 10.1.5.13

Of course, the restrictions and features normally associated with DNS do not apply to this service.

5.2. Using bind

Today there are many possibilities with bind and tinydns too, but in the author's opinion none of them is (as yet) a "real" solution. It has to be said, though, that the author has no experience with them. They are listed below.

5.2.1. Patches for bind

David Storey is working on a patch for bind that makes it fetch its data directly from LDAP. This means a lookup in LDAP every time a request is made to the bind daemon. His current plan (quoted from the source) is "to make it work in at least two modes: cached mode and dynamic mode". In cached mode it loads a whole zone at a time and works just like rbtdb, reloading when the server receives a HUP signal. Dynamic mode resembles the current state, in which every request becomes an LDAP lookup. Check the source <ftp://ftp.eyeo.com/bind/> for the latest information.
5.2.2. ldap2dns

Quoted in full from the web site: "ldap2dns is a program to create DNS records directly from an LDAP directory. It can and should be used to replace the secondary name-server by a second primary one. ldap2dns helps to reduce all kind of administrative overhead. No more flat file editing, no more zone file editing. After having installed ldap2dns, the administrator only has to access the LDAP directory. If the administrator wishes, he can apply access control per zone. A web-based GUI can be created to add any kind of zone and resource record information without touching the DNS. ldap2dns is designed to write the binary data.cdb file used by tinydns, but it can also write .db files used by named."

The project's home page is here <http://ldap2dns.tiscover.com/>.

5.2.3. ispman

ispman is an ISP management package written in Perl. It uses an LDAP database as the configuration backend. The package can do a great deal, so you may want to check exactly what you need. Its address is ispman.org <http://www.ispman.org>.

6. Mail transfer agents (MTAs)

This chapter covers three different MTAs: Sendmail, Postfix and qmail. All three can be configured to obtain information from LDAP. In the author's personal experience, Postfix is much easier to configure than Sendmail, although that may change soon as LDAP support in Sendmail matures further. qmail has not been tried.

6.1. Sendmail
6.1.1. LDAP support in Sendmail

Sendmail has supported LDAP since around version 8.8.x, through the map type ldapx. Since version 8.10 the LDAP database type is supported as ldap. Note, however, that LDAP map support is disabled in the default configuration of the RedHat packages. Debian from version 2.2 onwards appears to have LDAP support in Sendmail. If you need to compile it yourself, read the file sendmail/README in the Sendmail source; it contains useful information about compiling with LDAP support.

Both of these LDAP map types can search for entries in an LDAP database. There is one catch, though: a search returns only one value as its result. Even if there are several values, only the first is used. And if the result contains several return values, only the first value is returned. Look at the following LDIF example:

    dn: cn=mailuser1,ou=mail,dc=company,dc=com
    objectclass: top
    objectclass: foo
    cn: mailuser1
    mail: mailuser1@company.com
    mail: info@company.com

If a search is run with a simple filter such as cn=mailuser1, only mailuser1@company.com is returned, even if the attribute to return is mail. To get both values, they must be stored in a single-valued attribute, separated by commas, like this:

    mail: mailuser1@company.com,info@company.com

An e-mail message with information related to this topic can be found at the LIH home <http://devel.linvision.com/doc/lih/alias_issues>.

6.1.2. System layout

When LDAP maps are available, almost anything can be looked up in the LDAP database. So we would like to simplify the configuration of a setup like the following. Suppose there is a medium-sized or large network that receives mail for many domains, with two mail hosts and two fallback hosts. Normally, three kinds of information then have to be stored in up to four places:

* Both mail hosts need a local-host-names file (traditionally sendmail.cw), which records the domains for which mail is accepted. The fallback hosts keep the same information in the access file, where it is used to decide to which domains incoming mail may be relayed.
* Both mail hosts have a virtusers file, in which several addresses (or a whole domain) are mapped to a single virtual or local user.
* Both mail hosts have an aliases file, in which virtual users are mapped to mail addresses or local users (possibly several).

If this information is stored together in one database and every host reads its configuration from that database, the scalability and manageability of the network improve. One could even think of mapping all data over nfs and letting a single host serve it. In that case there is no difference at all for the connecting hosts, and it looks exactly the same to the users.
6.1.3. Sendmail configuration file

To understand how this information is read from the LDAP database instead of the standard files, a little background on the sendmail.cf file is needed. The information handled here is stored in two different ways. The local-host-names file is read into a class (class w, to be precise, which is why the file used to have the extension cw). The virtusers file, on the other hand, is used through an ordinary map. The aliases file is a map too, but it is defined differently and is used internally, so it is not referenced from the rules.

When information is fetched from an LDAP database, this always happens through a map. For the information that belongs in the local-host-names file this is something of a problem, because that information is used in a class. So far the author has never succeeded in filling a class with information from a map. It looks easy, but it seems to be impossible (if I am wrong, please let me know). Therefore a new map had to be defined, and a rule was added to the Sendmail configuration so that (almost) every time a value from class w is read, the value is also looked up in that map.

For the maps, the configuration change is simple. A map is normally defined by a name, a database type and options specific to each database type (such as the location of the file for the commonly used newdb database type). For the maps it is therefore enough to change the definition. Done.

Now, LDAP maps have a few more options, some of which can be defined globally beforehand. These options are explained in the following list (which is largely based on a document by Booker Bense).

LDAP-specific map options in sendmail.cf:

-h  Defines the host names of the LDAP servers, separated by spaces. They are queried in this order, and the query stops as soon as a result is obtained. Can be set globally.

-b  Defines the LDAP search base, that is, the part of the LDAP directory that is searched. Can be set globally.

-k  Defines the LDAP search filter. This is a "sprintf"-style string that defines how the map takes the input value and builds an LDAP search from it. It has the form of an ordinary LDAP search filter in which the value to search for is replaced by %s. To learn more about LDAP search filters, see RFC 2254 <http://www.cis.ohio-state.edu/htbin/rfc/rfc2254.html>. Note that this search filter and the search base above should define a search that returns at most one entry, because the LDAP map uses only the first entry it receives.

-v  Defines which LDAP attribute's value is returned by the map lookup. More details below.

Note that all LDAP options must be double-quoted and placed directly after the name of the Sendmail option. An example:

    Kldapexamplemap ldap -h"localhost ldap.myorg.com" -b"ou=mail,dc=myorg,dc=com" -k"(&(objectclass=mailstuff)(uid=%s))" -v"mailaddress"

6.1.4. Schema

For this particular setup, the author has defined a subtree called mail in the LDAP directory, in which all mail-related information is stored. The user-related mail information could have been put in the ou=Users subtree, but that was deliberately avoided. Using a single subtree separate from the users keeps all the information for Sendmail in one place, which makes searches faster when there are many users, because only ou=mail has to be searched rather than the whole ou=Users subtree.

Two kinds of record are created in this subtree:
1. Entries that hold the mapping of an individual virtual user, as found in the virtuser and aliases files. The mappings from both files are stored in one entry, which makes the configuration in use and its effect clearer. For this, the objectclass inetmailrecipient and the three attributes mailid, mailacceptinggeneralid and maildrop were defined.

   inetmailrecipient
      This objectclass indicates that the entry is a mapping from one or more real mail addresses or mail domains to one or more real users.

   mailid
      Describes a mail address for which this virtual user receives mail. It can be an ordinary address such as foo@myorg.com, or a whole domain such as @my2nd.org. The attribute may occur several times, but each value must be a single address. For each of these IDs, mail is sent to the mailacceptinggeneralid. This is where the data that used to be on the left-hand side of the virtusers file goes.

   mailacceptinggeneralid
      Defines the virtual user. This is in fact the junction between the virtusers file and the aliases file. The attribute must occur exactly once in each entry, and it takes only one value. The value can be a local user name or a virtual user. In the latter case the maildrop attribute must be present; in the former it is not needed. This is where the information from the right-hand side of the virtusers file and the left-hand side of the aliases file goes.

   maildrop
      Defines the addresses or users to which received mail is delivered. The attribute may occur only once, but it takes a comma-separated list. If the value of mailacceptinggeneralid is a virtual user, this attribute is mandatory; for an existing user it may be omitted. In other words, this is where the right-hand side of the aliases file goes.

   In general, mailid and mailacceptinggeneralid together provide the functionality of the virtusers file, while mailacceptinggeneralid and maildrop provide that of the aliases file.

2. Entries that hold the domain names normally found in the sendmail.cw file and the access file (there can be several). For these entries, the objectclass inetmaildomain and the attributes maildomain, sendmailislocalkey and sendmailaccesskey were defined.

   inetmaildomain
      This objectclass represents an entry that lists mail domains belonging to the system and states whether mail for them should be delivered locally or relayed to another host.

   maildomain
      Defines a mail domain. An entry can contain several. The value is the domain without the "@" sign. There should be one of these attributes for every domain entry in the local-host-names file.

   sendmailislocalkey
      Defines a simple word (a key) used in the Sendmail rules to tell whether a domain is local. It can be literally anything, as long as it exactly matches the string used in the Sendmail rules. The author currently uses <LDAPLOCAL>. Mandatory, and at most one per entry.

   sendmailaccesskey
      Defines which of the keys used in the Sendmail rules applies. This key decides what to do with the domain: RELAY, OK, REJECT, DISCARD or an error message can be used. (See the file cf/README in the Sendmail source for details.)

   Note: be careful. For this particular setup, only whole-domain entries are used in the access file. This means that reusing the maildomain attribute for both the access file information and the local-host-names information only works in a case like this one. If you want finer control over the access list, use separate entries rather than a single maildomain attribute.
6.1.5. More information

Here are a few sources of information that you may find useful.

- Booker Bense wrote a text <http://www.stanford.edu/~bbense/ldap/Inst.html> about using LDAP with Sendmail 8.9.3. He says himself that it is not meant as a starting point for learning how to use Sendmail with LDAP, but it has been a great help to me.

- A new series of articles on LDAP and Sendmail <http://ldapman.org/articles/index.html> has been published on sendmail.net <http://www.sendmail.net>. The author is Michael Donnelly, who also started ldapman.org <http://www.ldapman.org>, a very interesting site with general LDAP-related information.

6.2. Postfix

6.2.1. Support

Postfix has had LDAP support built in from the start. LDAP is one of the many kinds of maps that can be used to configure a large number of options, and each LDAP map takes a number of options of its own (see Section 6.2.2).

The procedure for letting Postfix look data up in an LDAP database is very straightforward. The most common use (in the author's opinion) is to have virtual users looked up from the LDAP database. Combined with nss_ldap, described earlier, this lets you keep all information about e-mail users in the LDAP database. Other things can be configured this way too: for instance the domains Postfix may relay mail for, or conversely the domains it accepts mail for, or the domains for which it acts as a backup server.

6.2.2. Configuration

The descriptions of the configuration options below are all quoted from the LDAP_README in the Postfix documentation, version 20001217.

server_host
  The name of the host running the LDAP server. For example:
    ldapsource_server_host = ldap.your.com
  With all the libraries mentioned earlier it is also possible to specify several servers separated by spaces; the library tries them in order if the first one fails. A different port can be given for each server by writing "ldap.your.com:1444".

server_port (389)
  The port the LDAP server listens on. For example:
    ldapsource_server_port = 778

search_base (no default; you must configure it)
  The top-level directory to search. For example:
    ldapsource_search_base = dc=your, dc=com

timeout (10 seconds)
  The number of seconds a search may take before it is abandoned. For example:
    ldapsource_timeout = 5

query_filter (mailacceptinggeneralid=%s)
  The RFC 2254-style filter used to search the directory, with %s standing in for the address Postfix is trying to resolve. For example:
    ldapsource_query_filter = (&(mail=%s)(paid_up=true))

domain (no default; you must configure it)
  A domain name, a path to a file, or a dictionary. When specified, only addresses ending in one of the domains listed here are looked up. This can significantly reduce the query load on the LDAP server.
    ldapsource_domain = postfix.org, hash:/etc/postfix/searchdomains

result_attribute (maildrop)
  The attribute(s) Postfix reads from the directory entries returned by the search, to be resolved to a mail address (several may be given).
    ldapsource_result_attribute = mailbox,maildrop

special_result_attribute (no default)
  The attribute(s) of an entry that may contain DNs or URLs (several may be given). If specified, their values are used for a further, recursive search.
    ldapsource_special_result_attribute = member

scope (sub)
  The LDAP search scope: one of sub, base or one. They translate to LDAP_SCOPE_SUBTREE, LDAP_SCOPE_BASE and LDAP_SCOPE_ONELEVEL respectively.

bind (yes)
  Whether or not to bind to the LDAP server. Recent LDAP implementations do not require a bind, and skipping it saves time. For example:
    ldapsource_bind = no
  If you do need to bind, you may prefer to make a port on the local machine an SSL tunnel to the LDAP server and connect to that. If the LDAP server does not support SSL itself, put a tunnel (wrapper, proxy, call it what you like) on the server's system as well. That keeps the password from crossing the network in the clear. Whether you bind or not, the identity Postfix uses (anonymous or the bind DN) must be granted read access to the attributes the lookup returns, and nothing more, in the server's access control configuration.

bind_dn ("")
  If you have to bind, bind with this distinguished name. For example:
    ldapsource_bind_dn = uid=postfix, dc=your, dc=com

bind_pw ("")
  The password for the distinguished name above. If you have to use it, you will most likely want main.cf to be readable only by the Postfix user. For example:
    ldapsource_bind_pw = postfixpw

cache (no)
  Whether to use a client-side cache for the LDAP connection. See ldap_enable_cache(3). Off by default.

cache_expiry (30 seconds)
  If the client-side cache is enabled, cached results are discarded after this many seconds.

cache_size (32768 bytes)
  If the client-side cache is enabled, its size in bytes.

dereference (0)
  When to dereference LDAP aliases. (Note that these have nothing to do with Postfix aliases.) The values valid for the OpenLDAP and UM LDAP implementations are:
    0  never
    1  when searching
    2  when locating the base object for the search
    3  always

6.2.3. Configuration example

If you want to use a virtual domain (call it foo.virtualdomain.com) and store the mail addresses for that domain in LDAP, you need the following in main.cf:

virtual_maps = ldap:ldapvirtual
ldapvirtual_search_base = ou=mail,o=YourOrg,c=nl
ldapvirtual_query_filter = (mailacceptinggeneralid=%s)
ldapvirtual_domain = foo.virtualdomain.com
ldapvirtual_result_attribute = maildrop
ldapvirtual_bind = no
ldapvirtual_scope = one

With this configuration, when Postfix receives mail for a user in the "foo.virtualdomain.com" domain, it searches for an entry whose mailacceptinggeneralid attribute matches "user@foo.virtualdomain.com". If such an entry exists, all the values of its maildrop attribute are returned, and the mail is delivered there. If there is no entry for "user@foo.virtualdomain.com", a second query is made for "@foo.virtualdomain.com", to match a catch-all user for the whole domain. If that does not exist either, the message is bounced.

6.3. qmail

qmail itself has no LDAP support at all. There is, however, an LDAP support patch by Andre Oppermann. The package, including documentation, is on his site <http://www.nrg4u.com>.
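The lookups described in the Sendmail (6.1.3, 6.1.4) and Postfix (6.2.2, 6.2.3) sections above can be walked through offline. The following is an added example and not code from the HOWTO or from either MTA: a small evaluator for the RFC 2254 filter subset used on this page, run against a constructed in-memory copy of the ou=mail subtree that follows the inetmailrecipient schema. The entries, the domain names and the catch-all user are invented for the demonstration. It shows the %s substitution with and without RFC 2254 escaping, the "at most one entry" rule for Sendmail maps, and the user@domain-then-@domain lookup order of section 6.2.3.

```python
# Added example, not part of the HOWTO: a small RFC 2254 filter evaluator used to
# walk through the Sendmail and Postfix lookups described above against a
# constructed in-memory copy of the ou=mail subtree (entries are invented).
import re

# Constructed entries following the inetmailrecipient schema of section 6.1.4.
# Attribute names are lower-cased because LDAP compares them case-insensitively.
ENTRIES = [
    {"dn": ["cn=foo,ou=mail,dc=yourorg,dc=com"], "objectclass": ["inetmailrecipient"],
     "mailid": ["foo@yourorg.com", "@my2nd.org"], "mailacceptinggeneralid": ["foo"]},   # local user
    {"dn": ["cn=sales,ou=mail,dc=yourorg,dc=com"], "objectclass": ["inetmailrecipient"],
     "mailid": ["sales@foo.virtualdomain.com"], "mailacceptinggeneralid": ["sales@foo.virtualdomain.com"],
     "maildrop": ["alice", "bob@elsewhere.example"]},                                    # virtual user
    {"dn": ["cn=catchall,ou=mail,dc=yourorg,dc=com"], "objectclass": ["inetmailrecipient"],
     "mailacceptinggeneralid": ["@foo.virtualdomain.com"], "maildrop": ["postmaster"]},  # catch-all
]

# RFC 2254 section 4: characters that must be hex-escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value):
    """Escape a value so it cannot change the structure of the filter it is placed in."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def build_filter(template, value):
    """Substitute the looked-up value for %s, as Sendmail's -k and Postfix's query_filter do."""
    return template.replace("%s", escape_filter_value(value))

def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse_filter(text):
    """Parse the filter subset used on this page: (&..), (|..), (!..), (attr=value), (attr=*)."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("unexpected trailing data in filter: %r" % text[pos:])
    return node

def _parse(text, pos):
    if pos >= len(text) or text[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    if pos < len(text) and text[pos] in "&|!":
        op, pos, children = text[pos], pos + 1, []
        while pos < len(text) and text[pos] == "(":
            child, pos = _parse(text, pos)
            children.append(child)
        if pos >= len(text) or text[pos] != ")" or (op == "!" and len(children) != 1):
            raise ValueError("malformed %r filter at offset %d" % (op, pos))
        return (op, children), pos + 1
    end = text.find(")", pos)
    if end < 0:
        raise ValueError("unterminated filter item at offset %d" % pos)
    attr, sep, value = text[pos:end].partition("=")
    if not attr or not sep:
        raise ValueError("malformed filter item at offset %d" % pos)
    if value == "*":                     # presence test, recognised before unescaping
        return ("present", attr.lower()), end + 1
    return ("=", attr.lower(), _unescape(value)), end + 1

def is_well_formed(filter_text):
    """True if the text is exactly one complete filter (shows what an unescaped value does)."""
    try:
        parse_filter(filter_text)
        return True
    except ValueError:
        return False

def matches(node, entry):
    """Evaluate a parsed filter against one entry; values are compared case-insensitively."""
    op = node[0]
    if op in ("&", "|"):
        return (all if op == "&" else any)(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    if op == "present":
        return bool(entry.get(node[1]))
    _, attr, value = node
    return any(v.lower() == value.lower() for v in entry.get(attr, []))

def search(entries, filter_text, result_attribute):
    """Return result_attribute's values for every matching entry, one list per entry."""
    node = parse_filter(filter_text)
    return [e.get(result_attribute, []) for e in entries if matches(node, e)]

def sendmail_map_lookup(key, entries, template, result_attribute):
    """One Sendmail LDAP map lookup (-k template, -v attribute). The map only uses the
    first entry returned, so a filter that can match several entries is treated as a bug."""
    hits = search(entries, build_filter(template, key), result_attribute)
    if len(hits) > 1:
        raise ValueError("%r matched %d entries; -k and -b must select at most one" % (key, len(hits)))
    return hits[0] if hits else None

def postfix_virtual_lookup(address, entries, query_filter="(mailacceptinggeneralid=%s)",
                           result_attribute="maildrop"):
    """Lookup order of section 6.2.3: user@domain first, then the @domain catch-all, else None (bounce)."""
    domain = address.rpartition("@")[2]
    for key in (address, "@" + domain):
        hits = search(entries, build_filter(query_filter, key), result_attribute)
        drops = [v for values in hits for v in values]
        if drops:
            return drops
    return None
```

The escaping is the part worth keeping: substituting "*)(objectclass=*" into the page's "(&(objectclass=inetmailrecipient)(mailid=%s))" without escaping yields a filter that is still syntactically valid but matches every entry with a mailid, whereas the escaped form matches nothing. The Postfix function returns the flattened maildrop list, which is what the 6.2.3 text describes as "all the values of the maildrop attribute".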
7. Address book

One of the nicest things you can do with an LDAP database on a Linux server is to keep all of the organization's addresses, if you have a network, in one central place. They can also be grouped, or divided by department. Nobody needs to hand a separate address book to every single employee any more. Without LDAP this is the kind of thing that takes Microsoft Exchange Server, Lotus Domino or Active Directory [5] (translator's note: Exchange's own directory service is probably LDAP-based too).

To use Microsoft's "Address Book" and the programs that depend on it, namely Microsoft Outlook, Microsoft Outlook Express and Microsoft Outlook 2000, no change to the basic LDAP configuration is needed. There are, however, two things you have to do.

First, you must create a directory tree for storing the addresses and related data. Section 12 describes which entries are used in that tree.

Second, you must make sure that every host on the local network has read access to that tree. This is covered in Section 11.

All of Microsoft's e-mail programs can use an LDAP directory service. To look up a person, use the "Address Book". When you write a new e-mail message, the matching e-mail address is automatically attached to the name; this is done by searching the cn, sn, givenname and mail fields. To set up a Microsoft e-mail program to use an LDAP server as its address book or for e-mail address lookups, do the following:

1. Start your preferred e-mail program and open the address book. You can do this by choosing "Tools -> Address Book" in the program, or from the Start menu by choosing "Start -> Programs -> Accessories -> Address Book".

2. Click "Tools -> Accounts" to open the Internet Accounts window.

3. Click "Add" (translator's note: and then choose "Directory Service"). The Internet Connection Wizard window appears; enter the IP address or host name of your LDAP server and click "Next".

4. In the next window answer "Yes" to confirm that you want to use this directory to check addresses, or "No" if you do not. Then click "Next" and "Finish".

5. You are back in the Internet Accounts window. Select the newly added account and click "Properties".

6. Click the "Advanced" tab of the Properties window.

7. In the "Search base" field, enter the top entry of the subtree where the addresses are stored, for example ou=Addressbook,dc=yourorg,dc=com. (Translator's note: in the Windows Address Book I checked, leaving this field empty resulted in c=JP being used; whether the US version uses c=US is unverified. If you really want an empty search base you have to enter NULL.)

8. Click "OK" to close the window, then click "Close" to close the Internet Accounts window. You should be back in the address book's main window.

Now, when you put a name in the "To:" field, the e-mail address is looked up in the LDAP directory (translator's note: on sending, or on "Check Names") and filled in automatically. If no match is found, a window appears, so you can correct a typing mistake and search again.

8. Netscape roaming access

To be written.

A good article on the subject is available here <http://www.linuxworld.com/linuxworld/lw-1999-09/lw-09-ldap-netscape.html>.
9. Issuing digital certificates with LDAP

The focus of this section is how to publish digital certificates in an LDAP server. If you run a Certification Authority you have to issue digital certificates, and publishing them in LDAP is one simple way to make that information available within the network. Moreover, much certificate-enabled software uses LDAP as its preferred repository for user certificates. This way user certificates can be kept together with the rest of the user information, which avoids unnecessary duplication of data.

To handle certificates you need a cryptographic toolkit. The one used here is OpenSSL.

9.1. LDAP server configuration

The LDAP server used here is OpenLDAP 2.0.x.

The LDAP server must support objectclasses that carry attributes for storing certificates. In particular, the server must be able to store the CA certificate, the certificate revocation list, the authority revocation list and the end users' certificates.

The certificationAuthority objectclass implements the attributes authorityRevocationList (the authority revocation list), certificateRevocationList (the certificate revocation list) and cACertificate (the CA certificate).

The inetOrgPerson objectclass supports the (binary) usercertificate attribute, which holds the user's certificate.

The auxiliary objectclass strongAuthenticationUser can also be used to attach a certificate to an entry that is not an inetOrgPerson.

Put the following lines in your slapd.conf so that OpenLDAP includes the schema it needs:

include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
9.2. Issuing certificates

Certificates are encoded with ASN.1 DER (Distinguished Encoding Rules). They therefore have to be published in the LDAP server as binary data (BER encoded).

A PEM certificate can be converted to DER with OpenSSL like this:

openssl x509 -outform DER -in incert.pem -out outcert.der

The ldif utility shipped with OpenLDAP can then be used to produce an LDIF file:

ldif -b "usercertificate;binary" < outcert.der > cert.ldif

This command produces a BASE64-encoded usercertificate attribute. Once the certificate has been added to an LDIF entry in this way, ldapmodify can add it to the (server-side) entry:

ldapmodify -x -W -D "cn=Manager,dc=yourorg,dc=com" -f cert.ldif

Note that -W makes ldapmodify prompt for the cn=Manager password and -x selects a simple bind, so over plain LDAP that password crosses the network in the clear; run the command on the server itself or over one of the SSL/TLS setups of Section 10.

The cert.ldif file contains something like the following (in LDIF the continuation lines of a folded value start with a single space):

dn: cn=user,ou=people,dc=yourorg,dc=com
changetype: modify
add: usercertificate
usercertificate;binary:: MIIC2TCCAkKgAwIBAgIBADANBgkqhkiG9w0BAQQFADBGMQswCQYD
 VQQGEwJJVDENMAsGA1UEChMESU5GTjESMBAGA1UECxMJQXV0aG9yaXR5MRQwEgYDVQQDEwtJTkZO
 IENBICgyKTAeFw05OTA2MjMxMTE2MDdaFw0wMzA4MDExMTE2MDdaMEYxCzAJBgNVBAYTAklUMQ0w
 CwYDVQQKEwRJTkZOMRIwEAYDVQQLEwlBdXRob3JpdHkxFDASBgNVBAMTC0lORk4gQ0EgKDIpMIGf
 MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrHdRKJsobcjXz/OsGjyq8v73DbggG3JCGrQZ9f1Vm
 9RrIWJPwggczqgxwWL6JLPKglxbUjAtUxiZm3fw2kX7FGMUq5JaN/Pk2PT4ExA7bYLnbLGZ9jKJs
 Dh4bNOKrGRIxRO9Ff+YwmH8EQdoVpSRFbBpNnoDIkHLc4DtzB+B4wwIDAQABo4HWMIHTMAwGA1Ud
 EwQFMAMBAf8wHQYDVR0OBBYEFK3QjOXGc4j9LqYEYTn9WvSRAcusMG4GA1UdIwRnMGWAFK3QjOXG
 c4j9LqYEYTn9WvSRAcusoUqkSDBGMQswCQYDVQQGEwJJVDENMAsGA1UEChMESU5GTjESMBAGA1UE
 CxMJQXV0aG9yaXR5MRQwEgYDVQQDEwtJTkZOIENBICgyKYIBADALBgNVHQ8EBAMCAQYwEQYJYIZI
 AYb4QgEBBAQDAgAHMAkGA1UdEQQCMAAwCQYDVR0SBAIwADANBgkqhkiG9w0BAQQFAAOBgQCDs5b1
 jmbIYVq2epd5iDjQ109SJ/V7b6DFw2NIl8CWeDPOOjL1E5M8dnlmCDeTR2TlBxqUZaBBJZPqzFdv
 xpxqsHC0HfkCXAnUe5MaefFNAH9WbxoB/A2pkXtT6WGWed+QsL5wyKJaO4oD9UD5T+x12aGsHcsD
 Cy3EVEaGEOl+/A==

A certificate can also be referenced from a file in the LDIF, like this:

userCertificate;binary:< file:///path/to/cert.der
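The conversion and the LDIF record above can be reproduced and checked without the ldif tool. The following is an added example and not code from the HOWTO or from OpenLDAP: it strips PEM armour to DER with the standard library (what openssl x509 -outform DER does), checks that the result starts with the DER SEQUENCE tag an X.509 certificate must have, builds the same changetype: modify record with a base64 (::) value folded as RFC 2849 requires, and reads the record back so the value can be verified before ldapmodify sees it. The sample "certificate" is a constructed five-byte DER SEQUENCE, not a real certificate; the DN is the one used on the page.

```python
# Added example, not part of the HOWTO: PEM -> DER conversion and LDIF generation
# for a usercertificate;binary attribute using only the standard library, plus a
# reader that unfolds the record and decodes the value again. The sample value is
# a constructed DER SEQUENCE { INTEGER 5 }, not a real X.509 certificate.
import base64
import re

LINE_WIDTH = 76   # fold width used for the base64 value in the HOWTO's cert.ldif

SAMPLE_DER = bytes.fromhex("3003020105")           # constructed: SEQUENCE { INTEGER 5 }
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode("ascii")
              + "\n-----END CERTIFICATE-----\n")

def pem_to_der(pem_text):
    """Strip the PEM armour and base64-decode the body (what `openssl x509 -outform DER` does)."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    # An X.509 Certificate is a DER SEQUENCE, so the first byte must be the tag 0x30.
    if not der or der[0] != 0x30:
        raise ValueError("decoded data does not start with a DER SEQUENCE")
    return der

def ldif_add_certificate(dn, der, attribute="usercertificate;binary"):
    """Build the 'changetype: modify' record from section 9.2 with a base64 (::) value,
    folded at LINE_WIDTH with single-space continuation lines as RFC 2849 requires."""
    b64 = base64.b64encode(der).decode("ascii")
    chunks = [b64[i:i + LINE_WIDTH] for i in range(0, len(b64), LINE_WIDTH)]
    lines = ["dn: " + dn, "changetype: modify", "add: " + attribute.split(";")[0],
             attribute + ":: " + chunks[0]]
    lines.extend(" " + chunk for chunk in chunks[1:])
    return "\n".join(lines) + "\n"

def parse_ldif_record(text):
    """Unfold one LDIF record into {name: value}; '::' values are base64-decoded to bytes."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:      # continuation of the previous line
            unfolded[-1] += line[1:]
        elif line:
            unfolded.append(line)
    record = {}
    for line in unfolded:
        name, sep, value = line.partition("::")
        if sep:
            record[name] = base64.b64decode(value.strip(), validate=True)
        else:
            name, _, value = line.partition(":")
            record[name] = value.strip()
    return record
```

Running parse_ldif_record over a cert.ldif produced by the ldif tool and comparing the decoded bytes with outcert.der is a cheap way to make sure the record carries exactly the certificate you converted, and that no copy-and-paste step lost the leading spaces of the folded lines.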
9.3. LDAP-enabled clients

Once the certificates are published on the server, you may wonder how to get them back out.

Like other clients, Netscape can fetch certificates from an LDAP server automatically. Choosing "Security -> Your Certificates -> Search Directory" searches the LDAP directory for a certificate and installs it in the Netscape certificate database automatically.

Another client with good certificate support is web2ldap (www.web2ldap.de <http://www.web2ldap.de/>).

10. SSL/TLS and SSL/TLS wrappers for LDAP

10.1. A brief description of SSL

Secure Socket Layer (SSL) is an application-level protocol that provides a secure transport channel between two parties. It sits between application-level protocols such as HTTP, LDAP and SMTP and TCP/IP, and is based on public-key cryptography (a choice of algorithms is available) and on X.509 certificates. SSL was originally a Netscape protocol, but it later became a standard and is now called TLS (Transport Layer Security). It is commonly referred to as SSL/TLS.

The SSL/TLS protocol provides the following:

- Data encryption: the session between client and server is encrypted.
- Server authentication: the client can verify that the server is who it claims to be.
- Message integrity: data cannot be tampered with in transit. Together with server authentication (which is what stops an attacker from simply posing as the server) this prevents "man in the middle" attacks [6].
- Client authentication: the server can verify that the client is who it claims to be.

10.2. OpenLDAP SSL/TLS support

Starting with OpenLDAP 2.0.x, the LDAP v3 toolkit, SSL/TLS support is built into the server. To enable SSL/TLS, however, OpenLDAP 2.0.x must be compiled against the OpenSSL libraries. 2.0.x also supports Start-TLS.

Note: Start-TLS lets the client enable TLS only when it asks for it. This way a single LDAP port can be used for both secured and unsecured connections.

OpenLDAP 1.2.x, by contrast, is an LDAP v2 implementation and has no SSL/TLS support.

The OpenLDAP web site has valuable information on SSL/TLS in OpenLDAP 2.0.x, so here we concentrate on how to secure LDAP parties that are not SSL/TLS-aware with an SSL tunnel.
10.3. Providing SSL/TLS to an LDAP v2 server with stunnel

If you use OpenLDAP 1.2.x, you need a general-purpose SSL wrapper to add SSL to the server. stunnel (www.stunnel.org <http://www.stunnel.org>) is stable and well suited to the job.

Installing stunnel is very easy, but you first have to install OpenSSL (www.OpenSSL.org <http://www.OpenSSL.org>) to get the libraries and tools it needs.

OpenSSL is an open-source implementation of the SSL protocol that provides the SSL libraries together with a set of cryptographic tools.

To install OpenSSL, enter the following commands:

$ ./config
$ make
$ make test
# make install

Normally everything is installed under /usr/local/ssl.

With OpenSSL installed correctly, compiling and installing stunnel takes only the following commands:

$ ./configure
$ make
# make install

stunnel uses a server certificate for SSL. This may be a self-signed certificate, but better still is a certificate signed by your own Certification Authority (the SSL clients then have to trust that CA).

The location usually used for such a certificate is:

/usr/local/ssl/certs/stunnel.pem

If you do not care about having a CA, you can create a self-signed certificate with the tools that come with the OpenSSL suite. Because this uses the stunnel.cnf configuration file in the stunnel directory, enter the following commands in that directory:

$ openssl req -new -x509 -days 365 -nodes -config stunnel.cnf -out stunnel.pem -keyout stunnel.pem
$ openssl gendh 512 >> stunnel.pem

This creates a self-signed certificate valid for one year, together with its private key, in the file stunnel.pem. Two cautions: -nodes leaves the private key unencrypted, so the file must be readable only by the user stunnel runs as, and 512-bit DH parameters were the bare minimum even when this was written, so use a larger size.

Once stunnel is installed, first start the LDAP server on port 389 (the default LDAP port) as you normally would:

# /usr/local/libexec/slapd

Then tunnel port 636 (the port used by LDAPS clients) with stunnel:

# /usr/local/sbin/stunnel -r ldap -d 636 -p /usr/local/ssl/certs/stunnel.pem

For debugging, stunnel can also be run in the foreground like this:

# /usr/local/sbin/stunnel -r ldap -d 636 -D 7 -f -p /usr/local/ssl/certs/stunnel.pem

10.4. Providing SSL to LDAP clients with stunnel

Many LDAP clients are not SSL-enabled. By running stunnel in client mode, however, SSL can be provided to these clients as well.

This is very simple. On the client host, start stunnel as follows, so that requests to the LDAPS port are forwarded to the real LDAP server:

# stunnel -c -d 636 -r ldapserver.yourorg.com:636

The LDAP client then has to be configured to use localhost:636 as its LDAP server. Note that the client speaks plain LDAP to the local stunnel, which does the SSL on its behalf; only the connection from the client host to ldapserver.yourorg.com is encrypted. Note also that, as started here, the client-side stunnel does not verify the server's certificate (see the -v verification level in the stunnel documentation), so without that the tunnel protects against eavesdropping but not against an impersonated server.
10.5. Providing SSL to slurpd replication with stunnel

Although slurpd (the slapd replication daemon) currently has no SSL capability, stunnel in client mode can be used to secure the replication connection.

On the master server, use stunnel in client mode as follows to forward a local port to the remote port:

# stunnel -c -d 9636 -r ldapreplica.yourorg.com:636

Then put the following line in the slapd.conf of the master LDAP server:

replica host=localhost:9636

11. Security aspects

(Translator's note: there is no text for this section in the original.)

12. LDAP schema

Working out how to handle the data needed for the functions described so far is a question of the schema. Whatever you do, you should not treat the schema given here as something fixed and stop there: the examples should serve their purpose, but there will also be things you have to adapt to your own particular needs.

I have done my best to explain the meaning of each entry and the information that should go into it (I have written it down somewhere, but I am not sure where), so I will try to do so here as well. Be warned, though, that the schemas for the various purposes do not necessarily combine without problems. Microsoft's Address Book seems to have fields that are shown but not used with LDAP: the "Title", "Nickname", "City", "State/Province", "(home) ZIP code", "(home) Country/Region" and "(home) Web page" entries do not seem to need any information at all (translator's note: the behaviour of the Japanese version is unverified). As for "Personal", "NetMeeting" and "Digital IDs", I have not yet made any effort to find out how they are put into an LDAP database. Any information is welcome.

Netscape's address book has a similar problem: when a record is copied from the LDAP directory into the local address book, some fields disappear. This is not a serious problem, since with an organization-wide address book users should not feel the need to copy entries locally anyway. Netscape's address book has another odd point too: in an ordinary address record the attribute that stores the "Nickname" is xmozillanickname, but searches are done on a plain nickname. That is why the nickname entry appears twice in the schema.

This schema has been verified to work with Microsoft Outlook 2000 and Netscape 4.73, but if there are mistakes in the descriptions, the functionality or the necessity of entries, please let me know! (Translator's note: the Japanese field names were taken from the Address Book of Windows 98 and from Netscape 6.1 on Windows. Behaviour in the Japanese versions is largely unverified, but as far as I tested the Address Book with Windows Me and Outlook 2000 it seemed correct.)

The file that expresses this schema is in Section 13.1. (Translator's note: the translator could not work out how to use this file. Perhaps the format is an old one?) It is written in the objectclass/attribute syntax of the OpenLDAP 1.2.x slapd.oc.conf and slapd.at.conf files, which OpenLDAP 2.0.x no longer reads.
Table 1. LDAP attributes and objectclasses: a short description

Function          Objectclass            Attribute                      Description                                          Default / example
----------------  ---------------------  -----------------------------  ---------------------------------------------------  -----------------
User account      top                                                                                                        default
                                         ou                             Unit name (Organizational Unit)                      Users
                  person                                                The holder of this objectclass is a human being
                                         uid                            Unix login name                                      foo
                                         cn                             Name (Common Name)                                   Foo Bar
                                         sn                             Family name (Surname)                                Bar
                  account                                               The holder of this objectclass has an account
                  posixaccount                                          The holder of this objectclass has a Unix account
                                         uidNumber                      User ID (uid) number                                 513
                                         gidNumber                      Group ID (gid) number                                100
                                         homedirectory                  Home directory                                       /home/users/foo
                                         userpassword                   Unix password                                        S3cr3t
                  sambaaccount                                          The holder of this objectclass has a Samba account
                                         ntuid                          Unknown                                              uid
                                         rid                            Unknown                                              uidnumber
                                         lmpassword                     LanMan password hash                                 unused
                                         ntpasswd                       NT password hash                                     unused
                                         loginshell                     The user's shell                                     /bin/pleurop
Machine account   top                                                                                                        default
                                         ou                             Unit name (Organizational Unit)                      Machines
                  posixaccount                                          The holder of this objectclass has a Unix account
                                         uid                            Login name                                           speed$
                                         uidnumber                      Unix user ID (uid) number                            514
                                         gidnumber                      Group ID (gid) number                                100
                                         homedirectory                  Home directory                                       unused
Microsoft         top                                                                                                        default
Address Book                             ou                             Unit name (Organizational Unit)                      Addressbook
                  microsoftaddressbook                                  The holder of this objectclass has Microsoft Address Book properties
                                         cn                             Display name (Common Name)
                                         c                              Work country/region (Country)
                                         department                     Work department
                                         facsimiletelephonenumber       Work fax
                                         givenname                      First name
                                         homephone                      Home telephone number
                                         homepostaladdress              Home street address
                                         info
                                         initials                       Initials
                                         l                              Work city
                                         mail                           E-mail address
                                         mobile                         Home mobile phone
                                         organizationname               Company name
                                         otherfacsimiletelephonenumber  Home fax
                                         otherpager                     Work pager (would "pager" not be expected here?)
                                         physicaldeliveryofficename     Work office
                                         postaladdress                  Work street address
                                         postalcode                     Work postal code
                                         sn                             Family name (Surname)
                                         st                             Work state/province
                                         telephonenumber                Work telephone number
                                         title                          Job title
                                         url                            Work web page
Netscape          top                                                                                                        default
address book                             ou                             Unit name (Organizational Unit)                      Addressbook
                  netscapeaddressbook                                   The holder of this objectclass has Netscape properties
                                         cn                             Display name (Common Name)
                                         cellphone                      Mobile phone
                                         countryname
                                         description                    Description
                                         facsimiletelephonenumber       Fax
                                         givenname                      First name
                                         homephone                      Home telephone number
                                         homeurl                        Home web page
                                         locality                       Home city
                                         mail                           E-mail address
                                         nickname                       Nickname
                                         o                              Organization
                                         ou
                                         pagerphone                     Pager
                                         postalcode                     Home postal code
                                         sn                             Family name (Surname)
                                         st                             State/province
                                         streetaddress                  Home street address
                                         telephonenumber                Work telephone number
                                         title                          Job title
                                         xmozillaanyphone               Work telephone number
                                         xmozillanickname               Nickname (same as "nickname")
                                         xmozillausehtmlmail            Preferred format for received messages is HTML       TRUE
Netscape          top                                                                                                        default
roaming access                           ou                             Unit name (Organizational Unit)                      Roaming

Note: Netscape and Microsoft use the address book entries slightly differently. Netscape stores the street address base64-encoded in the streetaddress attribute, while Microsoft uses the postaladdress attribute. If a streetaddress attribute exists, however, Microsoft uses it instead of postaladdress, but Microsoft's streetaddress value is plain text, not base64-encoded. So the two cannot be used at the same time.

More information on LDAP schemas in general is available from the Linux Center <http://ldap.hklc.com/>. A document explaining the properties of the Microsoft Address Book was on the Microsoft Developers Network <http://msdn.microsoft.com/library/psdk/adsi/gluser_4437.htm>.

Be careful: the descriptions on the Microsoft page do not match the fields shown in the Address Book. Also, not every Address Book field carries information, but if one does not work with the attributes listed here, I do not know which attribute does work.

13. Example files

These are example files. They can be used to build the setup described in this document.
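The schema file and the base LDIF in the two subsections that follow can be checked against each other mechanically. The following is an added example and not code from the HOWTO or from OpenLDAP: it parses the OpenLDAP 1.x style "objectclass ... requires ... allows" definitions (an excerpt of the schema file, copied below), splits plain LDIF entries (three of the base LDIF entries, copied below), and reports for each entry any unknown objectclass, missing required attribute, or attribute that none of its objectclasses allows. The broken inetmaildomain entry in the test is constructed for the demonstration.

```python
# Added example, not part of the HOWTO: parse OpenLDAP 1.x style objectclass
# definitions and check LDIF entries against them. SCHEMA_TEXT and BASE_LDIF
# are excerpts copied from sections 13.1 and 13.2 of this document.
import re

SCHEMA_TEXT = """
objectclass top
    requires objectClass
objectclass organization
    requires objectClass, o
    allows description
objectclass organizationalUnit
    requires objectClass, ou
    allows description
objectclass inetmaildomain
    requires objectclass, sendmailislocalkey
    allows maildomain, sendmailaccesskey
"""

BASE_LDIF = """dn: dc=yourorg,dc=com
objectClass: top
objectClass: organization
o: YourOrg
description: This is our organization's base dn. Everything is stored beneath this

dn: ou=Users,dc=yourorg,dc=com
objectClass: top
objectClass: organizationalunit
ou: Users
description: This is the tree where user accounts are stored

dn: ou=Machines,dc=yourorg,dc=com
objectClass: top
objectClass: organizationalunit
ou: Machines
description: This is the tree where machine accounts are stored
"""

def _names(text):
    return {n.strip().lower() for n in text.split(",") if n.strip()}

def parse_schema(text):
    """Return {objectclass (lower case): {"requires": set, "allows": set}}.
    'attribute' lines only declare syntaxes and are skipped; a line without a
    keyword continues the previous requires/allows list (the file wraps long lists)."""
    classes, current, last = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, rest = line.partition(" ")
        keyword = keyword.lower()
        if keyword == "objectclass":
            current = classes.setdefault(rest.strip().lower(), {"requires": set(), "allows": set()})
            last = None
        elif keyword == "attribute":
            continue
        elif current is not None and keyword in ("requires", "allows"):
            last = keyword
            current[last].update(_names(rest))
        elif current is not None and last is not None:
            current[last].update(_names(line))      # wrapped continuation of a list
    return classes

def parse_ldif_entries(text):
    """Split plain LDIF (no base64, no folding) into a list of {attr (lower case): [values]}."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries.append(attrs)
    return entries

def check_entry(attrs, classes):
    """List the schema violations of one entry: unknown objectclass, missing
    required attribute, or attribute not allowed by any of the entry's objectclasses."""
    problems = []
    required, allowed = {"objectclass"}, {"objectclass", "dn"}
    for oc in attrs.get("objectclass", []):
        spec = classes.get(oc.lower())
        if spec is None:
            problems.append("unknown objectclass %s" % oc)
            continue
        required |= spec["requires"]
        allowed |= spec["requires"] | spec["allows"]
    problems += ["missing required attribute %s" % a for a in sorted(required - set(attrs))]
    problems += ["attribute %s not allowed" % a for a in sorted(set(attrs) - allowed)]
    return problems
```

Feeding the complete schema file and the complete base LDIF through parse_schema and parse_ldif_entries is a quick way to catch the kind of mismatch a server only reports at add time, such as an inetmaildomain entry that lacks its required sendmailislocalkey.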
13.1. Schema file

# Unix-related and default objectclasses (modified)
attribute userpassword ces
attribute telephonenumber tel
attribute facsimiletelephonenumber fax tel
attribute pagertelephonenumber pager tel
attribute homephone tel
attribute mobiletelephonenumber mobile tel
attribute member dn
attribute owner dn
attribute dn dn

objectclass top
    requires objectClass

objectclass organization
    requires objectClass, o
    allows description

objectclass organizationalUnit
    requires objectClass, ou
    allows description

objectclass person
    requires objectClass, cn
    allows description

objectclass account
    requires objectClass, uid
    allows description, host, o, ou

# Samba-related objectclasses (original)
objectclass sambaaccount
    requires objectclass, uid, uidnumber, ntuid, rid
    allows gidnumber, grouprid, nickname, userpassword, ou, description,
        lmpassword, ntpassword, pwdlastset, smbhome, homedrive, script,
        profile, workstations, acctflags, pwdcanchange, pwdmustchange

objectclass sambagroup
    requires cn, rid
    allows ntuid, member, description

objectclass sambaconfig
    requires id
    allows nextrid

objectclass sambabuiltin
    requires cn, sid
    allows ntuid, rid, member, description

# Sendmail-related objectclasses (new / modified)
objectclass inetmailrecipient
    requires objectclass
    allows mailid, mailacceptinggeneralid, maildrop

objectclass inetmaildomain
    requires objectclass, sendmailislocalkey
    allows maildomain, sendmailaccesskey

# Address book related objectclasses
objectclass netscapeaddressbook
    requires objectclass, cn
    allows cellphone, countryname, description, facsimiletelephonenumber,
        givenname, homephone, homeurl, locality, mail, nickname, o, ou,
        pagerphone, postalcode, sn, st, streetaddress, telephonenumber,
        title, xmozillanickname, xmozillausehtmlmail, xmozillaanyphone

objectclass microsoftaddressbook
    requires objectclass, cn
    allows c, department, facsimiletelephonenumber, givenname, homephone,
        homepostaladdress, info, initials, l, mail, mobile, organizationname,
        otherfacsimiletelephonenumber, otherpager, physicaldeliveryofficename,
        postaladdress, postalcode, sn, st, telephonenumber, title, url

13.2. Base LDIF example

dn: dc=yourorg,dc=com
objectClass: top
objectClass: organization
o: YourOrg
description: This is our organization's base dn. Everything is stored beneath this

dn: ou=Users,dc=yourorg,dc=com
objectClass: top
objectClass: organizationalunit
ou: Users
description: This is the tree where user accounts are stored

dn: ou=Machines,dc=yourorg,dc=com
objectClass: top
objectClass: organizationalunit
ou: Machines
description: This is the tree where machine accounts are stored

dn: ou=Roaming,dc=yourorg,dc=com
objectClass: top
objectClass: organizationalunit
ou: Roaming
description: This is the tree where netscape roaming profiles are stored

dn: ou=Addressbook,dc=yourorg,dc=com
objectClass: top
objectClass: organizationalunit
ou: Addressbook
description: This is the tree where addressbook entries are stored

14. About the Japanese translation

The translation was proofread by the following people, to whom the translator expresses his thanks. Any mistake not present in the original is the translator's own doing, and anything better than the original is thanks to the proofreaders.

- xcÏpl
- ì{_êl
- în«l
- konkiti l
- ìml
- ìYl

Note: if any of the proofreaders find their name missing from this list or misspelt, please accept the translator's apologies and contact him. Anything else you notice should be reported to the translator or to the JF project.

Notes

[1] The mechanism by which an LDAP database is replicated between servers.

[2] The case where NIS is in use is different.

[3] One entry can belong to several objectclasses.

[4] As an alternative, the certificate database of Netscape Communicator can also be used.

[5] Translator's note: the original says "Netscape Active Directory", but "Netscape" is presumably a mistake for "Microsoft".

[6] Translator's note: a third party impersonating the sender and tampering with the data, and so on. Also translated as "intermediary attack".