LDAP Implementation HOWTO
Roel van Meer
Linvision BV <http://www.linvision.com>
r.vanmeer@linvision.com
Giuseppe Lo Biondo
INFN MI <http://www.mi.infn.it>
giuseppe.lobiondo@mi.infn.it
´S - ú{ê|ó
arms405@jade.dti.ne.jp
v0.5, 2001-03-30
Revision History
Revision 0.5 2001-03-30 Revised by: rvm
Cleanup, fixes, overview rewritten.
Revision 0.4 2001-02-01 Revised by: rvm
Added dns section.
Revision 0.3 2001-01-18 Revised by: rvm
Added MTA sections.
Revision 0.2 2000-11-12 Revised by: glb
Improved section on nss. Added sections about certificates and
wrappers.
±Ì¶ÍAvP[VÌf[^ð LDAP T[oÉL^·éÉ ½ÁÄÌ
ZpIȤÊðྵܷBÅ_ÆÈéÌÍAíXÌAvP[Vð LDAP
Éγ¹é½ßÌÝèû@Å·BܽALDAP f[^ðµ¤ÌÉð§ÂAv
P[VÉ¢Äàq×ĢܷB
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
Table of Contents
1. Tv
1.1. Ⱥ±Ì HOWTO ª éÌ©H
1.2. ½É¢ÄÌàÌÈÌ©H
1.3. ½É¢ÄuÅÍÈ¢vÌ©H
1.4. Ó«
1.5. Disclaimer (ÆÓ)
1.6. Copyright and license (ì ÆpÂ)
2. pam_ldap Æ nss_ldap ðgÁ½ LDAP FØ
2.1. \¬vf
2.1.1. FØ\ PAM Æ pam_ldap.so
2.1.2. Name Service Switch Æ nss_ldap.so
2.1.3. Lightweight Directory Access Protocol
2.1.4. Name Service Caching Daemon
2.1.5. Secure Socket Layer
2.2. FØVXeÌ\z
2.2.1. T[o¤
2.2.1.1. OpenLDAP ÌCXg[ÆÝè
2.2.2. NCAg¤
2.2.2.1. PAM LDAP ÌCXg[ÆÝè
2.2.2.2. NSS LDAP ÌCXg[ÆÝè
2.2.2.3. NSCD ÌÝè
2.2.2.4. LDAP NCAgÌÝèt@C
2.3. N®
2.4. AJEgÌÛçÇ
2.5. ùm̧À
2.6. t@CÌp[~bV
3. LDAP ðgÁ½ Radius FØ
3.1. FreeRadius Å Radiusd ÌÝè
3.2. Radius FØÌeXg
3.3. Cisco IOS ÌÝèá
4. Samba
5. DNS
5.1. NSS ðg¤
5.1.1. Ýè
5.1.2. XL[}
5.2. bind ðg¤
5.2.1. bind wÌpb`
5.2.2. ldap2dns
5.2.3. ispman
6. [gXt@G[WFg (MTA)
6.1. Sendmail
6.1.1. Sendmail ɨ¯é LDAP T|[g
6.1.2. VXeÌzu
6.1.3. Sendmail Ýèt@C
6.1.4. XL[}
6.1.5. ³çÈéîñ̽ßÉ
6.2. Postfix
6.2.1. T|[g
6.2.2. Ýè
6.2.3. Ýèá
6.3. qmail
7. AhXubN
8. Netscape [~OANZX
9. LDAP ÉæéfW^ؾÌs
9.1. LDAP T[oÌÝè
9.2. ؾÌs
9.3. LDAP ÎNCAg
10. SSL/TLS ÆASSL/TLS Ì LDAP pbp
10.1. SSL ÌÈPÈà¾
10.2. OpenLDAP Ì SSL/TLS T|[g
10.3. stunnel ðgÁÄ LDAP V2 T[oÉ SSL/TLS ðñ·éû@
10.4. stunnel ðgÁÄ LDAP NCAgÉ SSL ðñ·éû@
10.5. stunnel ðgÁÄ slurpd vP[VÉ SSL ðñ·éû@
11. ZL
eBÖA
12. LDAP XL[}
13. t@CÌá
13.1. XL[}t@C
13.2. x[X LDIF Ìá
14. ú{êóÉ¢Ä
1. Tv
1.1. Ⱥ±Ì HOWTO ª éÌ©H
Òª LDAP É¢Ä×µnß½ÌÍAïЪ[UAJEgîñÌW
ÇÌKvð´¶ÄA»Ì½ßÉ LDAP ðg¢½¢ÆvÁ½Æ«Åµ½B¬³
ÈA é¢ÍfÐIȶª ¿±¿É é±ÆÉÍ·®ÉCt«Üµ½ªA
»êðÜÆß½à̪Ȣ±Æ઩èܵ½B±êªA«nß½RÅ·
B
³çÉALDAP Íú²ÆÉLgíêéæ¤ÉÈÁĢܷB»êÅAlXª
LDAP ðg¤Ìð¢·éÛÉAÇÌAvP[Vª LDAP ÎÈÌ©ÉÂ
¢ÄSÌÌTvð©ޱƪūéÈçÖ¾Æv¢Ü·B±Ì¶Í«Á
ÆAVXeÌÝèðÓ[Ið·éÌÉð§Â±Æŵå¤B½©ðÏX
µ½è@\ðÇÁµæ¤Æ·é½ÑÉSâèȨ·KvÍà¤ÈÈéÌÅ
·B
±Ì¶ÍÅA©ª½¿Ìp`ÔÉí¹Ä LDAP ðÀ·éÉÍǤµ
½ç梩Ƣ¤AvWFNgÌ[h}bvƵÄnÜèܵ½Bµ©µ
Ù¢åÌ Linvision <http://www.linvision.com> ªA©ª½¿ÌêÉ¢
ÄÀÛÉÍðɧ½È¢±ÆÜŲ¸·é@ïð^¦Ä꽨©°ÅAPÈ
é[h}bvÅÍÈALDAP ÎAvP[VÌZpIÈTàÖÆÏí
èܵ½B
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
1.2. ½É¢ÄÌàÌÈÌ©H
êÊIÈT[rXÌÙÆñÇÍ PAM (Pluggable Authentication Modules) ð
ʵÄFØðsȦܷBpam_ldap â nss_ldap ðg¦ÎAPAM »³ê½ ç
äévOª LDAP ©çîñðæèo¹éæ¤ÉÈèÜ·Bthe Linux-PAM
site <http://www.kernel.org/pub/linux/libs/pam/> ©çÍAPAM É¢ÄÌ
êÊIÈîñð³çɾé±ÆªÅ«Ü·B pam_ldap Æ nss_ldap ÉÖ·é
îñÍ padl software <http://www.padl.com> ÌTCgÉ èÜ·B
Samba ÍA»óÅͽ¢Á½±ÆÉÈÁĢܷB»_ÅÌÀèÅ Samba
ÉÍ LDAP T|[gª èܹñBHEAD Æ TNG u`ÉÍ èÜ·©çA
½Ôñ³ê½c[Éà éŵå¤BâèÈÌÍASamba ª©ªÅ[
U¼ÆpX[hðÁÄ¢éÆ¢¤±ÆÅ·B½µ©É PAM ðpÅ«éÌ
Å·ªA»ê¾¯ÅÍ·×ÄÌFØÆ[UîñÌó¯nµÉ\ªÆ;¦Ü
¹ñBȺÈç Samba ɨ¯é LDAP ÌÀÍ¢®¬Å èA¢Â©Ì§À
ª éÌÅ·BÒÌo±©ç·éÆA»iK (2000 N 5 ß) Ì HEAD
Í\ªÉÀèµÄ¢Ü¹ñµA¬xà«Å«éàÌÅÍ èܹñBµ©µ
ȪçAVµ¢[XÅ LDAP T|[gª®SÉ@\·éæ¤ÉÈêÎA
Samba àܽA»Ì[Uîñð·×Ä LDAP ©çæ¾·éæ¤ÝèÅ«é±
ÆÉÈèÜ·B
Ù©É LDAP f[^x[XÉL^Å«éàÌÉÍ DNS ª èÜ·Blbg[
NÉÚ±·é}Vª¦ÄéÆADNS t@CðèìÆÅÒW·éÌÍÀ
ÛIÅÍÈÈÁÄ«Ü·B}VAJEgª LDAP ÉL^³êÄ¢êÎA
Ó½ÂÌ DNS Gg (ÐÆÂͼOð̽ßA³çÉÐÆÂÍtø«Ì½
ß) ð¯ÉÇÁ·é̪ÈPÉūĵܢܷB±êÍܽAVXeÇ
ÌÈf»ðàà½çµÜ·BÙÆñÇÌVXeÉÆÁÄAGgð LDAP
f[^x[XÉo^·é±ÆªK{Æ¢¤±ÆÉÍÈçȢŵ太A±ê
ÍÖ¾Æl¦élBàoÄé±Æŵå¤B
Sendmail (Ú×Í sendmail.net <http://www.sendmail.net/> ðQÆ̱Æ)
Ío[W 8.9 ©ç LDAP ðT|[gµÄ¢Ü·B Postfix â qmail àÜ
½ LDAP ÎÅ·B¡Ì[zXgâtH[obNzXgÌ é[
VXeð\z·éÆ«ÉÍAîñ·×ÄðêÓÉWßÄL^µÄ¨ÆÖ
Å·BÓ¤ͯ¶îñðVXe²ÆÉÊXÉü͵ÄÝè·éKvª
éÌÅ·ªA LDAP ðg¦ÎA»ÌKvÍ èܹñB
LDAP Í[~OANZXÉàgpÅ«Ü·BNetscape 4.5 È~ÅÍAub
N}[N»Ì¼Ì[Uf[^ð HTML Ü½Í LDAP T[oÉL^µÄ¨±
ƪūܷB±êÉæÁÄ[UÍAOCµÄ Netscape ðg¦éƱ
ëÈçDZÅÅàAÈO©çÌÖÈÝèàeðg¦éí¯Å·B
Microsoft Ì Office vOÍAhXubNðC|[gÅ«Ü·BÜ
½AActive Directory T[rXðgÁÄA[U¼âjbNl[Éêv·é
[AhXð©®IÉp·é±ÆàÅ«Ü·BLDAP ª êÎA±êƯ
¶±Æð Microsoft Exchange Server â»êÉÞ·éàÌðgí¸É Linux
VXeãÅsȤ±ÆªÅ«Ü·B
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
1.3. ½É¢ÄuÅÍÈ¢vÌ©H
ܸæê_B{ÅÍAÀÛÌÝèâ LDAP ©ÌÌÇÉ¢ÄÍbµ·¬È
¢æ¤Éµæ¤ÆvÁĢܷB»êÉ¢ĵÁÄ¢é LDAP-HOWTO Æ¢¤
·Îçµ¢¶ª LDP (the Linux Documentation Project) É éÌÅ·©ç
B
æñÉAAvP[V©ÌÉÖ·é¿ÍA»êª LDAP ÆÖWȢƫ
É͵íÈ¢ÂàèÅ·B
ÅãÅ·ªAÒÍÙÆñÇÌêÉ¢ÄALDAP ðg¤Ìª«¾©Ç¤©É
¢ÄÌAhoCXÍūܹñB»ÌíÌo±ªÈ¢ÌÅ·Bg¤½ßÉÇ
¤·êÎ梩É¢ÄÍA൨]ÝÈçγ¦Ä °çêÜ·Bµ©µÈ
ªçA»¤·×«©Ç¤©ÍfèÅ«È¢ÌÅ·BêÊIÈ LDAP ÌpÍÍ
ðµÁ½¶Í½³ñ èÜ·B»¿çð²¾³¢B
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
1.4. Ó«
ܸAÒÌÙ¢åÅ éLinvision <http://www.linvision.com> ªÒÉA
αÔàɱ̶ÌìÆð·é@ïð^¦Äê½±ÆÉ´Óµ½¢Æv
¢Ü·B
³çÉAºLÌûXÉà´Óµ½¢Æv¢Ü·BÞçͱ̶ɽç©Ìv
£ðµÄêܵ½ (s¯) \ Giuseppe Lo Biondo.
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
1.5. Disclaimer (ÆÓ)
This document is provided as is and should be considered as a work in
progress. Several sections are as yet unfinished, and probably a lot of
things that should be in here, aren't. I would greatly appreciate any
comments on this document, of whatever nature they may be.
Note: Qló
±Ì¶Í±¤¢¤àÌÅ·©çA»Ýis`̬ʨÆvÁÄàçÁ½
Ù¤ªæ¢Åµå¤B¢Â©ÌÍÍ¢®¬Å èA é׫ƱëÉ
é͸Ìà̪ȢàÌར±Æŵå¤BÒÍA±Ì¶ÖÌ¢©
ÈéÓ©Éàå¢É´ÓµÜ·B»êªÇÌæ¤È«¿ÌàÌÅ ë¤Æ
àAÅ·B
In any case, think before you go messing around with your system and
don't come to me if it breaks.
Note: Qló
¢©Èéêɨ¢ÄàA©ªÌVXeÜíèÉèðüêéÌÍAæ
l¦Ä©çɵľ³¢B»êÉæÁĨ©µÈÁĵÜÁÄàA
ÒÌƱëÉÍȢž³¢B
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
1.6. Copyright and license (ì ÆpÂ)
Copyright (c) by Roel van Meer, Giuseppe Lo Biondo. This document may
be distributed only subject to the terms and conditions set forth in
the LDP License at the Linux Documentation Project <http://
www.linuxdoc.org/COPYRIGHT.html>.
Note: Qló
Copyright (c) by Roel van Meer, Giuseppe Lo Biondo. ±Ì¶Í
Linux Documentation Project <http://www.linuxdoc.org/
COPYRIGHT.html> Ì LDP License ÉLq³êÄ¢éðâðÉ]ÁÄÌ
Ýzz·é±ÆªÅ«Ü·B
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
2. pam_ldap Æ nss_ldap ðgÁ½ LDAP FØ
±ÌÍÍ LDAP ð NIS ÌãpiƵÄ[UJEgÌÇÉg¤û@ÉÅ_
ðí¹Ü·B½³ñÌ[UAJEgðô©ÌzXgɪUµÄÁ
Ä¢éÆAAJEgÝèÉs®ª¶¶é±Æªæ èÜ·BLDAP ðg¦
ÎAWFØVXeð\z·é±ÆÉæÁÄf[^Ìd¡ðð¯½èêÑ«
ðµ½è·é±ÆªÅ«Ü·B
»_ÅÍA[UÌAJEgf[^â¼Ìîñðlbg[NoRÅ
·é½ßÉÅàægíêÄ¢éû®Í Network Information Service (NIS)
Å·BLDAP ƯlÉANIS àT[oÉ passwd, shadow, groups,
services, hosts XÌÝèt@CðÛǵÄu¯éæ¤É·éT[rXÅ
·B NIS T[oÍ NIS NCAg©çâ¢í¹ðó¯ÄA±¤µ½îñ
ðñµÜ·B
LDAP Í NIS Ư¶@\ðñÅ«A³çÉô©ALDAP ÌûªDêÄ¢é_
ª èÜ·BȺÌƨèÅ·B
E LDAP T[oãÌîñÍAeÕÉ¡ÌprÉpÅ«Ü·B±Ì HOWTO
ÅTàµÄ¢éæ¤ÉALDAP f[^x[Xã̯¶[UGgÍAd
b AXÖzBAõ¼ëÈÇÌæ¤È¼ÌAvP[VÉg¦éÌ
ÅAf[^Ìd¡âµðð¯é±ÆªÅ«Ü·B
E LDAP Í¡GÈANZXRg[Xgðf[^x[XÉKpÅ«Ü·
B±êÍf[^x[XÌGgÉηép[~bVÌKØÈ÷²®
ðÂ\ɵܷB
E Secure Socket Layer (SSL) ðÊ·±ÆÉæÁÄALDAP T[oÆNCA
gÌÔÉZL
AÈ]oHðÀÅ«Ü·B
E slapd vP[V [1] ¨æÑ DNS round robin query (±êÍ{¶
Å͵¢Ü¹ñª) ðgÁÄAÏÌá»T[rXðÀ·é±ÆªÅ«
Ü· (óFDNS round robin query ÍÏÌá»ÉÈçÈ¢ÌÅÍÈ¢©
AÆ¢¤ñª ÁÄÒÉmFµ½Æ±ëAuÅÌ DNS T[oÖÌÚ
±ªÛ³ê½Æ«É¼ÌT[oÖÌÚ±ðs·é©ÍNCAgÉ
˶·évÆÌñð¾Üµ½)B
E lbg[NãÌ[UAJEgðêÓÉWßĨ±ÆÍAÐÆÂ
ÌÇê©ç½³ñÌzXgÌ[UðÛçÇ·é¯ÉÈèÜ·
(ÂÜèALDAP T[oÅAJEgð쬨æÑí·êÎA»ÌÏX_
ª¦ÀÉ LDAP NCAg©çpÅ«éæ¤ÉÈéÌÅ·)B
±±ÅAPluggable Authentication Module (PAM) Æ Name Service Switch
(NSS) eNmWðõ¦½VXeãÅ LDAP T[oªÇÌæ¤ÉFØÆFÂ
̽ßÉg¦é©ÉÅ_ðí¹é±ÆɵܷBÁÉ Linux Iy[eB
OVXeɾy·éÂàèÅ·ªA»Ìྪ¼ÌIy[eBOVXe
ÉKpūȢƢ¤í¯ÅÍ èܹñB
±±Åæèã°é«ÅÍPäÌ LDAP T[oª èA±±É[UAJE
gf[^ªµ¢â·¢`®Åi[³êÜ·BUn*x NCAgÍA±Ìîñð
gÁÄWÌ Un*x ̬VÅÌFØÆ\[XÉηéFÂðs¢Ü·B
NCAg^T[oÊMÉÍAZL
AÈoHàv³êÜ·BÆ¢¤Ìà
A[UAJEgÌf[^Ìæ¤ÉNeBJÈîñÍAlbg[Nã
Éàeª¾ÈÜÜM·×«ÅÍÈ¢©çÅ·B±ÌZL
AÈoHÍ
Secure Socket Layer ÉæÁÄõ¦çêÜ·B
NCAg¤ÅÍLbV
@\ð«\ãÌâè©çKvƵܷªA±ê
Í Name Service Caching Daemon ÉæÁÄõ¦é±ÆªÅ«Ü·B
±ÌVXeð\z·éÌÉg¤\tgEFAÌ (ÙÚ) ·×ĪI[v\
[XÅ·B
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
2.1. \¬vf
±ÌßÅÍAFØVXeð\z·é½ßÉgíêéíXÌ\¬vfðTàµ
Ü·BevfðÈPÉྵĢ«Ü·B
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
2.1.1. FØ\ PAM Æ pam_ldap.so
Pluggable Authentication Module ÍAW UNIX, RSA, DCE, LDAP Æ¢Á½
íXÌFØZpÆ login, passwd, rlogin, su, ftp, ssh XÌVXeT[
rXÆÌðÂ\ɵAµ©à±êçÌT[rXðÏX·éKvª èܹ
ñB
ÅÍ Sun Solaris ÉÀ³ê½ÌÅ·ªA¡â PAM Í RedHat â Debian
ðÜÞ½Ì Linux fBXgr
[VÅAFØÌggÝÌWIÈàÌ
ÆÈÁĢܷB±êÉæÁijêé API ðʵÄAFØÌvªeNm
WÁLÌ®ì (±êÍ PAM W
[ÆÄÎêéCuÉæÁÄÀ³
êĢܷ) ÉèÄçêÜ·B±ÌèÄÍ PAM Ýèt@CÅsÈí
êÜ·Bî{IɱÌt@CÌÅAeT[rXÉp¢éFØ@\ª^¦ç
êé±ÆÉÈèÜ·B
¡ñÌêÍApam_ldap.so ¤LCuÅÀ³êé pam_ldap W
[
ÉæÁÄA[UÆO[vÌFØÉ LDAP T[rXðg¦éæ¤ÉµÜ·
B
FØÝõðKvÆ·éT[rXÍ»ê¼êA PAM Ýèt@CðʵÄAÙÈ
éFØû®ðg¤æ¤ÉÝèÅ«Ü·B±êÍÂÜèAPAM Ýèt@Cðg
ÁÄA[Uª\[XÖÌANZXð¾é½ßɽ³ÈÄÍÈçÈ¢v
Ìê\ð±ÆªÅ«éÆ¢¤Ó¡Å·B
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
2.1.2. Name Service Switch Æ nss_ldap.so
¢Á½ñ[UªFسêÄ©çàA½ÌAvP[VÍ[UîñÖ
ÌANZXðKvƵܷB±ÌîñÍ`IÉÍeLXgt@C (/etc/
passwd, /etc/shadow, /etc/group) ÉüêçêĢܷªA¼Ìl[T[r
XÉæÁÄ·é±ÆàÅ«Ü·B
Vµ¢l[T[rX (½Æ¦Î LDAP) ª±ü³êéÉÂêA±Ìæ¤Èîñ
æ¾ÌÀÍA (NIS â DNS Ìæ¤É) C CuàAܽͻÌVµ¢l
[T[rXðg¢½¢AvP[VàÌAÇ¿çÅàÂ\ÆÈÁĵÜ
¢Üµ½B
¢¸êɵÄàA±¤¢Á½±ÆÍA¤ÊÌÄpIÈl[T[rX API ðg
ÁÄAeeNmWÉîîìÅT[rX©çîñð¾éCuQÉ»
êðv·é±ÆÉ·êÎð¯çêÜ·B
GNU C Library Í Name Service Switch ðÀµÄãLððµÜµ½B±ê
Í Sun C library ÉN¹ð¿A¤ÊÌ API ðʵÄíXÌl[T[rX
©çîñð¾çêéæ¤É·éû@Å·B
NSS ͤÊÌ API ÆÝèt@C (/etc/nsswitch.conf) ðgpµÜ·B±Ì
Ýèt@CàÅAT|[g·éf[^x[XÉA»ÌT[rXðñ·é
CuðwèµÜ·B
»Ý NSS ÉæÁÄT|[g³êÄ¢é [2] f[^x[XÍ\
E aliases \[GCAXB
E ethers \C[TlbgÌÔÌf[^B
E group \[UÌO[vB
E hosts \zXg̼OÆÔÌf[^B
E netgroup \lbg[NSÌÌzXgÆ[UÌêB
E network \lbg[NÉÖ·é¼OÆÔÌf[^B
E protocols \lbg[NÌvgRB
E passwd \[UÌpX[hB
E rpc \ Remote Procedure Call ÉÖ·é¼OÆÔÌf[^B
E services \lbg[NT[rXB
E shadow \[UÌVhEpX[hB
nss_ldap ¤LCuðg¦ÎALDAP ðp¢ÄãLÌèÄðÀ·é
±ÆªÅ«Ü·BÙñƤÍãL·×ÄÌèĪÀÅ«éÌÅ·¯êÇ
àA±±ÅÍ shadow, passwd, group f[^x[XÌ LDAP ÀÉÌÝÅ_ð
í¹é±ÆɵܷB
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
2.1.3. Lightweight Directory Access Protocol
¡ñÌAvP[VÅÍA[UAJEgÆ[UO[vÉÖ·éî
ñðNCAgÉ·é½ßÉ LDAP ªgp³êÜ·B[UÆO[v
ð\í·ÌÉp¢çêéWIÈ objectclass Í top, posixAccount,
shadowAccount, posixGroup Å·B
f[^x[XãÌ[UÖAÌGgÍÈÆà [3] top, posixAccount,
shadowAccount Ì objectclass É®µÄ¢ÈÄÍÈèܹñBO[vG
gÍ top Æ posixGroup Ì objectclass É®µÄ¢ÈÄÍÈèܹñB
¡ñp·é pam_ldap Æ nss_ldap ÌÀª±Ì objectclass ðQÆ·é©
çÅ·B±Ì objectclass Í RFC 2307 ÉLq³êÄ¢éàÌÅ·B
Note: ÀÛÉÍALDAP Å NSS ͱ±ÅᦵȩÁ½ objectclass àF
¯µÜ·B
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
2.1.4. Name Service Caching Daemon
Name Service Caching Daemon (NSCD) Íl[T[rXÉæé¼OðÌÊ
ðLbV
·é½ßÉgíêA NSS ÉæÁÄñ³êéT[rXÌ«\ðü
ãÅ«Ü·B
NCAg¤ªeÅ«é«\ð¾é½ßÉA passwd Gg̽ßÉå
«ÈLbV
ðÝèµÈÄÍÈèܹñB
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
2.1.5. Secure Socket Layer
Ú×É¢ÄÍ Section 10 ðQƵľ³¢B
LDAP T[oÆNCAgCu (pam_ldap.so â nss_ldap.so) ÔÌÊ
MÉÍ SSL ªKvÅ·BdvÈf[^A½Æ¦ÎpX[hGgÈÇÍA
NCAgÆT[oÆÌÔÅû³êÄ¢éKvª é©çÅ·BSSL Í
ܽANCAgªT[oðÁè·é±ÆðÂ\ɵܷ©çA±êÉæÁ
ÄAsm©Èîñ¹©çFØîñð¾éÆ¢¤±Æðð¯çêÜ·B
NCAgFØ (T[oªNCAgð¯Ê·é@\) Í»ÝÌ pam_ldap
¨æÑ nss_ldap W
[ÌÀÅÍT|[g³êĢܹñB«ÁÆLp
ÈÌŵ夯êÇàB
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
2.2. FØVXeÌ\z
±ÌÍÅÍAOÍÉL³êÄ¢é\¬vfðp¢½FØVXeð\z·é½
ßÉKvÈèðྵܷB
Figure 1. PAM Ìzu}
PAM Ì_©ç©½AFØVXeeÌÔÌÖW
Figure 2. NSS Ìzu}
NSS ÌÏ_©çÌAFØVXeÌeÔÌÖW
±Ìzu}ÍA©ªÅÀ·éÉÍÆÄà¡GÉ©¦é©àµêܹñB¯ê
ÇàÙÆñÇÌvfÍ·ÅÉ Linux ÌVXeàÉüÁĵÜÁĢܷB
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
2.2.1. T[o¤
T[o¤É¨¢ÄÍALDAP T[oªCXg[³êA©ÂÝè³êÄ¢È
ÄÍÈèܹñB±±Åg¤ LDAP T[oÍ OpenLDAP Æ¢¤I[v\[X
Ì LDAP c[LbgÅALDAP T[o (slapd) ÆCuÆ[eBe
BðÜñŢܷB
»_Ì OpenLDAP ÉÍ LDAP ÌÀªÓ½Â èÜ·B V2 ÌÀ
(OpenLDAP 1.2.x) Æ V3 ÌÀ (OpenLDAP 2.0.x) Å·B
V3 ÌÀÍ{ÌÅ SSL @\ðñµÜ·ªAV2 ÍñµÜ¹ñBÆÍ¢¦A
V2 ÌT[oÉà SSL bpðg¦éÌÅ SSL @\ðÇÁÅ«Ü· (Section
10 ðQÆ)B
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
2.2.1.1. OpenLDAP ÌCXg[ÆÝè
LDAP ÌCXg[ÆÝèÌèÍA LDAP-HOWTO ðQlÉÅ«Ü·B
slapd ªKØÉÝè³ê½çAf[^x[XÌú¶¬Ì½ßÉf[^ðüê
éKvª èÜ·B»±ÅALDIF (LDAP Data Interchange Format) t@C
ðìçÈÄÍÈèܹñB±êÍeLXgt@CÅAȺÌR}hÉæ
ÁÄ LDAP f[^x[XÉC|[g³êÜ·B
#ldif2ldbm -i your_file.ldif
Note: ldif2ldbm Í OpenLDAP 1.2.x pbP[WÅñ³êéÌÅA
OpenLDAP 2.0.x ðg¤ÌÅ êÎ ldapadd R}hð (T[oN®ãÉ)
g¤×«Å· (óF2.0.x Å ldif2ldbm É·éÌÍ slapadd ¾Æ
¢¤wEðînl©ç¢½¾«Üµ½BT[oâ~É slapadd -l
your_file.ldifÆ·éûª¬ÄÈP絢ŷ)B
OpenLDAP 2.0.x (LDAPv3) ðg¤ÌÅ êÎAWIÈ NIS XL[}ª /etc/
openldap/schema/nis.schema Æ¢¤t@CÉüÁĢܷ©çA»êð©ª
Ì slapd.conf Å include fBNeBuÉæÁÄXL[}ðLøɵľ
³¢B
鼃 LDIF t@CÌÅàÈPÈáð°Ü·BeGgÍósŪ¯ç
êĢܷB
dn:dc=yourorg, dc=com
objectclass: top
objectclass: organizationalUnit
dn:ou=groups, dc=yourorg, dc=com
objectclass: top
objectclass: organizationalUnit
ou: groups
dn:ou=people, dc=yourorg, dc=com
objectclass: top
objectclass: organizationalUnit
ou: people
dn: cn=Giuseppe LoBiondo, ou=people, dc=yourorg, dc=com
cn: Giuseppe Lo Biondo
sn: Lo Biondo
objectclass: top
objectclass: person
objectclass: posixAccount
objectclass: shadowAccount
uid:giuseppe
userpassword:{crypt}$1$ss2ii(0$gbs*do&@=)eksd
uidnumber:104
gidnumber:100
gecos:Giuseppe Lo Biondo
loginShell:/bin/zsh
homeDirectory: /home/giuseppe
shadowLastChange:10877
shadowMin: 0
shadowMax: 999999
shadowWarning: 7
shadowInactive: -1
shadowExpire: -1
shadowFlag: 0
dn: cn=mygroup, ou=groups, dc=yourorg, dc=com
objectclass: top
objectclass: posixGroup
cn: mygroup
gidnumber: 100
memberuid: giuseppe
memberuid: anotheruser
Note: ·ß¬ésÍÌsð^u©Xy[X (¢¸ê©ðÐƾ¯) Å
nßı¯çêé±Æðo¦Ä¨¢Ä¾³¢B±êÍ¼Ì LDIF ®Ì
t@CÉàÄÍÜèÜ·B
±±ÅͺgDðñÂÂgDƵÄADN ðè`µÜµ½B dc=yourorg,
dc=com Æ¢¤gDƵÄè`µÜµ½ªA»ÌºÉAÓ½ÂÌgDTujb
g\ people Æ groups \ªÜÜêĢܷB»µÄ[UÍApeople gD
jbgÆAgroups gDjbgºÌO[v (̤¿A[Uª®µÄ¢é
àÌBóFgiuseppe ÌêÍ mygroup) ÆÉ®·éæ¤Lq³êĢܷ
B
Note: ù¶Ìf[^x[Xð LDIF ®ÉÏ··éÖÈc[ª PADL
ÉæÁÄñ³êĢܷB±êÍftp://ftp.padl.com/pub/
MigrationTools.tar.gz Æ¢¤AhXÉ èÜ·B
LDIF t@CÍAT[oª®ìµÄ¢È¢Æ«ÉC|[gµÈÄÍÈèÜ
¹ñBldif2ldbm R}hÍ LDAP T[oðʳ¸É¼Úf[^x[Xð\z
·é©çÅ·B LDIF t@Cðf[^x[XÉC|[g·êÎAT[oð
N®Å«Ü·B
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
2.2.2. NCAg¤
NCAg¤ÉÍ pam_ldap.so Æ nss_ldap.so ªK{ÅA»êçÍ
Netscape LDAP Library (Mozilla) ðgÁÄRpC³êÄ¢ÈÄÍÈè
ܹñB»ÌCuª·é LDAPS (LDAP over SSL) Ì API ªv³
êé©çÅ·B»ÌCuÍoCipbP[WÅ Netscape One License
ÌàÆÉzz³êĨèAI[v\[XÅÍ èܹñ (ÆÍ¢¦pub
NhCÅÍ èÜ·)B
»ÌpbP[WðA½Æ¦Î /usr/local/ldapsdk Æ¢¤fBNgàÉW
JµÄ¾³¢B
³çÉANCAgCuÍؾf[^x[XÉANZXÅ«ÈÄÍ
ÈèܹñB±Ìf[^x[XÉÍ LDAP (stunnel) T[oؾÆA»ÌT
[oØ¾É (uMpÏÝ <trusted>vƵÄ) ¼µ½ CA Ì CA ؾÆ
ªÜÜêĢȯêÎÈèܹñB
ؾf[^x[XÍ Netscape Ì®ÌàÌÅȯêÎÈèܹñB pam_ldap
Æ nss_ldap ðRpC·é½ßÉgíêÄ¢é Mozilla LDAP API ª
Netscape Ì®Ìؾf[^x[Xðg¤©çÅ·B
»Ìæ¤Èؾf[^x[Xðµ¤ÉÍANetscape ªñµÄ¢é PKCS#11
pbP[WàÉ é certutil Æ¢¤[eBeBðg¤ÌªÖÅ· [4]
B
LDAP NCAgÌåvÈÝèt@CÍ /etc/ldap.conf Å·B
ൠnss_ldap ðg¤ÌÅ êÎAµ§ÉÍ pam_ldap ÌgpÍKvȢ̾
Æ¢¤±Æðo¦Ä¨¢Ä¾³¢B
»Ì©íèÉ pam_unix_auth W
[ðg¦Ü·BȺÈç nss_ldap Í
çäé getpw* ¨æÑ getsh* R[ð LDAP QÆÉÄA pam_unix_auth
Í[UFØɱÌR[ðp·é©çÅ·B (óF±±É¢ÄAÒ
Ì Roel van Meer l©çÌÓ𢽾«Üµ½BÞÍ»ÌÅAPAM ªFØ
ÉÌÝgíêé±ÆÆA PAM ª NSS CuÅÍÈPAM Cu©ç
îñð¾é±ÆðwEµAuFØvÉÍ pam_ldap W
[ªKv¾Aƨ
ÁµáÁĢܵ½BC³³êé͸ÈÌÅA³mÈîñÍ´¶ÌÅVÅÉ
½Áľ³¢B)
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
2.2.2.1. PAM LDAP ÌCXg[ÆÝè
pam_ldap ðRpCµÄCXg[·éÉÍAȺÌæ¤ÉµÄ¾³¢
B
$ ./configure --with-ldap-lib=netscape4 --with-ldap-dir=/usr/local/ldapsdk
$ make
# make install
configure Ì --with-ldap-lib IvVÍAÇÌ LDAP Cuðg¨¤
ƵĢé©ðwèµÜ·B
--with-ldap-dir IvVÍAÇ±É Netscape ldapsdk c[LbgðC
Xg[µÄ éÌ©ðwèµÜ·B
±êÉæÁÄ /lib/security/pam_ldap.so.1 ÆeíV{bNNªC
Xg[³êÜ·B
PAM ªVµ¢FØVXeÉANZXÅ«éæ¤ÉAKØÉÝè³êÈÄÍ
¢¯Ü¹ñBPAM Ýèt@CÍ /etc/pam.d Æ¢¤fBNgÉzu³ê
AFت³êéT[rX¼Éµ½ªÁļt¯çêĢܷB
½Æ¦ÎÈºÍ login T[rX̽ßÌ PAM Ýèt@C (login Æ¢¤¼
OÌt@C) Å·B
#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_ldap.so
auth required /lib/security/pam_unix_auth.so use_first_pass
account sufficient /lib/security/pam_ldap.so
account required /lib/security/pam_unix_acct.so
password required /lib/security/pam_cracklib.so
password sufficient /lib/security/pam_ldap.so
password required /lib/security/pam_unix_passwd.so use_first_pass md5 shadow
session required /lib/security/pam_unix_session.so
PAM Åg¤WIÈ PAM Ýèt@CÍ pam_ldap Ì\[XÌ pam_ldap-(o
[W)/pam.d Æ¢¤fBNgÌÉ èÜ·B
±ÌWIÈt@CÍ /etc/pam.d fBNgÌÉRs[Å«Ü·Bà
µ½©¨©µÈ±ÆðµÄµÜ¤ÆA¨»çÄÑOCÅ«ÈÈÁĵ
ܤÌÅA±Ììð·éÍÓ[sÁľ³¢BVµ¢t@CðC
Xg[·éOÉ /etc/pam.d ÌobNAbvðÆÁĨ«A»êðA³
¹é ÀÌ éVFðJ¢½ÜÜɵĨ±Æð¨©ßµÜ·B
Note: »ÌTvÌ pam.d fBNgÉÍ sshd Æ¢¤t@Cª
èܹñB»Ì½ßA»êð쬵ȯêÎApam ðg¤ ssh ðîµÄ
OCūܹñ (OpenSSH Í PAM ðgpµÜ·)B
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
2.2.2.2. NSS LDAP ÌCXg[ÆÝè
\[XðWJµÄ©çAMakefile ðmFµÄ¾³¢BÙÆñÇÌÝèàeÉ
εÄÍÒWÌKvÍ èܹñBÆÍ¢¦ASSL ðg¢½¢ÌÅ êÎ SSL
ÎÌ LDAP Cu\½Æ¦Î Netscape ÌàÌ\ðNµÈÄÍÈ
èܹñB
LDAP Ì SDK ª /usr/local/ldapsdk àÉ éÆ·êÎASSL ðLøÉ·éÉ
ÍAMakefile ðC³µÈ¯êÎÈèܹñB»ÌC³àeÍA
Makefile.linux.mozilla àÅ NSFLAGS ðTµÄARgÉÈÁÄ¢é
-DSSL ðLøÉ·é±ÆÅ·B
³çÉ LIBS Ìè`ð©ÄA»Ìt@CàÅwè³êÄ¢é ldapssl Cu
ªA©ªÌCXg[µÄ éàÌƯ¶©Ç¤©ðmFµÄ¾³¢
(ldap_nss.so Í libldapssl40 Æ libldapssl30 ̼ûÉNµÄRpC
³êÜ·)B
»ÌãACuðCXg[Å«Ü·\
$ make -f Makefile.linux.mozilla
# make -f Makefile.linux.mozilla install
#ldconfig
±êÉæÁÄ /lib/libnss_ldap.so ªCXg[³êÜ·B±êª
nss_ldap CuÅ·B»µÄ /etc/nsswitch.ldap Æ /etc/ldap.conf Æ
ªÜ¾¶ÝµÄÈ¢êÉÍATvÌÝèt@CƵÄCXg[³
êÜ·B
CXg[µ½çA»Ì NSS Ýèt@C /etc/nsswitch.conf ðÒWµÈ
ÄÍÈèܹñB LDAP Í çäéT[rXÉp¢é±ÆªÅ«éÌÅ·ª
A¡ñÍ passwd, group, shadow ÉÌÝgpµÜ·B±ÌêAÝèt@C
Ì`ªÉȺÌæ¤È±Æð¢Ä¨×«Å·B
passwd: files ldap
group: files ldap
shadow: files ldap
±ÌÝè¾ÆGgÍAܸVXet@CàÅT³êÄAlªÔÁı
È©Á½Èç LDAP T[oÉâ¢í¹çêÜ·B
Note: LDAP ð DNS â¢í¹ÌobNGhƵÄg¤Æ«ÉÍÓµ
ľ³¢BDNS ª»ÌT[oÌzXg¼ððÅ«È¢ÆA³À[v
ÉüÁĵܤÌÅ·BȺÈç libldap ©Ìª gethostbyname() ðR
[·é©çÅ·B (nsswitch.ldap àÌLqæè)
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
2.2.2.3. NSCD ÌÝè
NSCD Í½Ì Linux fBXgr
[VÉÍÅ©çüÁĢܷBü
ÁÄ¢ÈÄà GNU C CuÌpbP[WàÉ èÜ·B
NSCD ÌÝèt@CÍ /etc/nscd.conf Å·BesÍ®«ÆlAܽͮ«Æ
LbV
¼ÆlÌ¢¸ê©ðwèµÜ·B»ê¼êÌtB[hÍXy[X
©^uÅæØçêÜ·BLbV
¼Í hosts, passwd, groups Ì¢¸ê©É
·é±ÆªÅ«Ü· (¡ñÍ hosts ðLbV
µÜ¹ñ)B
enable-cache passwd yes
positive-time-to-live passwd 600
negative-time-to-live passwd 20
suggested-size passwd 211
keep-hot-count passwd 20
check-files passwd yes
enable-cache group yes
positive-time-to-live group 3600
negative-time-to-live group 60
suggested-size group 211
keep-hot-count group 20
check-files group yes
LDAP ©ç¾½ passwd Ggð NSCD vOªLbV
µÄµÜ¤Æ
¢¤±ÆðSÉÁLµÄ¨¢Ä¾³¢B
±êÍÂÜèALDAP T[oãÌ[UîñÉèðÁ¦½Æ«Éà NSCD Lb
V
ÍLøÈÜܾƢ¤±ÆÅ·B±ÌâèÍA check-files fBNeB
uÉæÁÄÊíÌ UNIX t@Cðp·êÎð¯çêÜ·B±êÍηé
t@CªÏX³ê½Æ«ÉÍLbV
ð³øɵܷB±Ìæ¤ÈdgÝ
ÍêÊIÈ͸ÈÌÉA»_Å LDAP ÉÍKp³êܹñBLDAP T[oÆL
bV
ÌÔÌs®ðð¯éû@ÍApasswd GgðXVµ½Æ«ÉÌ
R}hðÅÁÄ©ªÅLbV
ð³øÉ·é±ÆÅ·B
#nscd --invalidate=TABLE
ãL TABLE ÌƱëÍ passwd, groups, hosts Ì¢¸ê©ÉÈèÜ·B
pÉÍA¬ðð¯é½ß NSCD ðgíÈ¢æ¤ÉµÄ¾³¢B
³çɾ¦ÎANSS Æ NSCD ÌgpÍåÊÌt@CfXNv^ðJ¢Äµ
ܢܷB»Ì½ßAVXeãÌg¦ét@CfXNv^ªÈPÉs«
µÄµÜ¢Ü· (±êÍVXeðnO³¹©Ëܹñ)B
Linux }V (J[l 2.2.x) ÅÍAÌæ¤ÉµÄt@CfXNv^
ÌãÀðⷱƪūܷB
#echo 16384 > /proc/sys/fs/file-max
§³êét@CfXNv^ãÀlÍAÆÉ©»ÌVXeÌ\¬ÉË
¶µÜ·B
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
2.2.2.4. LDAP NCAgÌÝèt@C
LDAP NCAgÌÝèt@CÅ é /etc/ldap.conf ÍA¼Ì LDAP N
CAg©çƯlApam_ldap â nss_ldap ©çàÇÜêÜ·BȺÍA»Ì
t@Cª¡ñÌ«ÅÍÇÌæ¤ÉÈÁÄ¢é׫©ÌêáÅ·B
#
# @(#)$Id: ldap.conf,v 2.18 2001/03/28 23:35:00 lukeh Exp $
# ±êÍ LDAP NSS CuÆ LDAP PAM W
[̽ßÌÝèt@CÅ·B
# PADL Software
# http://www.padl.com
#
# ൱Ìt@CÉ host à base àȯêÎA»ÌÆ«Í
# _ldap._tcp.[defaultdomain]. Æ¢¤ DNS RR ªð³êÜ·B
# [defaultdomain] ͯʼÉèÄçêA
# ÚWÌzXgÍT[oƵÄgíêé±ÆÉÈèÜ·B
#
# ©ªÌ LDAP T[oÅ·BLDAP ðgí¸ÉðÅ«ÈÄÍÈèܹñB
host 192.111.111.111
#
# õx[X̯ʼŷB
base dc=yourorg, dc=com
#
# gp·é LDAP Ìo[WÅ·B(ftHgÍ 2 Å·ªA
# OpenLDAP 2.0.x â Netscape Directory Server ðg¤Èç 3 ɵľ³¢)
# ldap_version 3
#
# T[oÉoCh·é¯Ê¼Å·B
# wèÍCÓÅ· \ wèµÈ¯êν¼oChÅ·B
# binddn cn=manager,dc=padl,dc=com
#
# oCh·éiؾŷB
# wèÍCÓÅ· \ wèµÈ¯êÎiؾªsvÅ·B
#bindpw secret
#
# |[gÅ·B
# wèÍCÓÅ· \ wèµÈ¯êÎ 389 Å·B636 Í LDAPS pÅ·B
port 636
#
# õXR[vÅ·B
#scope sub
#scope one
#scope base
#
# ȺÌIvVÍ nss_ldap ÁLÌàÌÅ·B
#
# ©ªÌ libc ªg¤nbV
ÌASYÅ·B
# wèÍCÓÅ· \ wèµÈ¯êÎ des Å·B
#crypt md5
#crypt sha
#crypt des
#
# ȺÌIvVÍ pam_ldap ÁLÌàÌÅ·B
#
# uid=%s É AND ·étB^Å·B
pam_filter objectclass=posixAccount
#
# [U ID Ì®«Å·B(ftHgÍ uid)
pam_login_attribute uid
#
# pX[h|V[ð[g DSE ÅõµÜ·B
# (Netscape Directory Server ÉLøÅ·)
# (óF[g DSE É¢ÄÍ Root Directory Server Specific Entry
# ̱ƾƢ¤ñ𢽾«Üµ½BóÒÍmèܹñŵ½B)
#pam_lookup_policy yes
#
# ±ÌO[vÌoÅ é±ÆðvµÜ·B
#pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com
#
# O[voÌ®«Å·B
pam_member_attribute memberuid
# ev[gOCÌ®«ÆAftHgÌev[g[UÅ·B
# (±êÈOÌ[UÌGgàÌ®«Åã«Å«Ü·)
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody
#
# [JÉpX[hðnbV
µÜ·B
# University of Michigan Å LDAP T[oÉKvƳêÜ·B
# ܽAൠUNIX-Crypt ÌnbV
@\ðgpµÄ¨èA
# ©Â NT Synchronization (¯ú) T[rXðgpµÄ¢È¢ÈçÎ
# Netscape Directory Server ÅLøÅ·B
pam_crypt local
#
# SSL ÌÝè
ssl yes
sslpath /usr/local/ssl/certs
Note: ±Ìt@CðÇÞ±ÆÌ éíXÌAvP[VÆÌâèð
ð¯é½ßÉAp[^ÆlÆÌÔÉ^uðgí¸AXy[XÐƾ
¯ðg¤æ¤¨©ßµÜ·B
pam_groupdn fBNeBuÍ LDAP T[oªêAÌNCAgÌFØîñ
ðǵĢéêÉA[UªF³êéÌðêÌNCAg¾¯ÉÀ
èµ½¢Æ«ÉÖÅ·B±ÌfBNeBuÍ NIS Ì netgroups Ư¶@
\ðñ·é±ÆªÅ«éÌÅ·B
SSL ÝèÉÖ·éfBNeBuÍpbP[WàŶ»³êĢܹñªA
SSL ðLøɵALDAP T[oؾ¨æÑ CA ؾðÜÞt@CªÇ±É
i[³êÄ¢é©wèµÜ·B
cert7.db Æ¢¤¼OÌ Netscape ؾf[^x[Xª sslpath àÅõ³
êÜ·B±Ìt@CÉÍT[oØ¾Æ (»ÌT[oؾª©È¼ÅÈ
¢©¬è) CA ؾÆðÜñŢȯêÎÈèܹñB±Ìt@C𶬷
éÉÍÓ½ÂÌû@\ Netscape PKCS#11 ðg¤© Netscape ÌuEUðg
¤©\ª èÜ·B
Netscape ÌuEUðg¤êÍAT[oãÅ slapd Æ stunnel ðN®µ½
ÆÅ Netscape Navigator ð https://your.ldap.server:636/ Æ¢¤ URL
ÉÚ±·éÆA©ªÌf[^x[XÉ»ÌT[oؾðüÍ·é椣³ê
Ü·B(©È¼ÌؾðgíÈ¢ÌÅ êÎ) ¯lÉ (CA ©ç³êé)
CA ؾàf[^x[XÉ[hµÈÄÍÈèܹñB±±ÜŽçA
$HOME/.netscape/cert7.dbð sslpath ÉRs[Å«Ü·BãLÌìÆÌÛAf
tHgÌ cert7.db ðÂúóÔÌAJEgÅsȤûªDܵ¢Å·
BȺÈ穪Ìؾf[^x[XÉͼÌT[oؾª é©àµê¸
A éÆ LDAP NCAgª»êðAMpÏÝÌFØT[oÈ̾ÆÝȵ
ĵܤ©çÅ·B¢Á½ñT[oؾªC|[g³ê½uEUÍ SSL
ðfobO·é½ßÉg¦Ü·B»ÌuEUÍ pam â nss ÌCuÌ
æ¤ÉÓéܤ©çÅ·B
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
2.3. N®
T[o¤ÅAÌæ¤ÈR}hÉæÁÄA slapd (LDAP f[vZX)
ðN®µÈÄÍ¢¯Ü¹ñB
# slapd
ൠstunnel ðg¤ÈçALDAPS Ì 636 ÔÌ|[gãÅN®µÈÄÍ¢¯
ܹñBÌæ¤ÉµÄ¾³¢B
# /usr/local/sbin/stunnel -r ldap -d 636 -p /usr/local/ssl/certs/stunnel.pem
TLS (OpenSSL) t«ÅRpC³ê½ OpenLDAP 2.0.x ðg¤ÌÅ êÎA
ÌR}hÅT[oðN®Å«Ü·B
# slapd -h "ldap:/// ldaps:///"
NCAgãÅANSCD ð½ÌfBXgr
[VÉÓ¤ÜÜêÄ¢
éN®XNvg©çN®Å«Ü·B
# /etc/rc.d/init.d/nscd start
PAM Æ NSS ªKØÉÝè³êÄ¢êÎA±êÅ\ªÌ͸ŷB
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
2.4. AJEgÌÛçÇ
±±ÜŽ_ÅALDAP NCAgc[ðgÁÄAJEgì¬ÆÛç
Ǫūé͸ŷB
cOȪçÄpIÈc[ÌÙÆñÇÍ Un*x AJEgÌÇpÉÍÅ«Ä
¢Ü¹ñB»êÉ©¤@\ª éæ¤Év¦éàÌÍA LDAP Browser/
Editor (http://www-unix.mcs.anl.gov/~gawor/ldap) ª èA»êÍFXÈ
®ÅpX[hÌÝèªÅ«AT[oÉÚ±·é½ßÉ SSL ðgpÅ«Ü·B
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
2.5. ùm̧À
PÆÌ}X^T[oÉæé (X[uT[oÌÈ¢) NIS ÌêƯlÉA
vP[VðpµÈ¢ LDAP ÍFØ@\ÉÆÁÄua single point of
failure (Pê@íÌáQªVXeSÌÌáQÆÈÁĵܤã_)vÅ é
ƾ¦Ü·BÅ·©ç LDAP vP[VðÀ·é±ÆÍAFØÆ¢¤
ÚI̽ßÉÍêwdvƾ¦Ü·BOpenLDAP (slapd) ÉæéT[oÍv
P[V@\ðõ¦Ä¢Ü·B
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
2.6. t@CÌp[~bV
ȺÍFØVXeÅgíêét@CÉKp³êÄ¢é׫p[~bV
ÌêÅ·B
-rw-r--r-- root.root /etc/ldap.conf
-rw------- root.root /usr/local/etc/openldap/slapd.conf
-rwxr-xr-x root.root /lib/security/pam_ldap.so.1
-rw-r--r-- root.root /lib/libnss_ldap-2.1.2.so
-rw-r--r-- root.root /usr/local/ssl/certs/cert7.db
-rw------- root.root /usr/local/ssl/certs/stunnel.pem
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
3. LDAP ðgÁ½ Radius FØ
Radius T[oÍARadius vgRT[oÌJÝð Un*x Iy[eBO
VXeÅÂ\Æ·éf[Å·B±êÍÓ¤A_CAAbv[UÌ
FبæÑAJEgÇ̽ßÉgíêÜ·BT[oðp·éÉÍA»Ì
T[oÉbµ©¯é±ÆÉÈéNCAgàKØÉÝè·éKvª èÜ·
BÊíANCAgÍ^[~iT[o©AܽÍ^[~iT[oðG~
[g·éKØÈ\tg (PortSlave â radiusclient X) Ì é PC Å
·B [FreeRadius Ì FAQ æè]
Radius Í[UÉ¢ÄÌ©OÌf[^x[XðÁĢܷªA¯¶îñª
LDAP ÉàÜÜêÄ¢éÌÅA±Á¿ðg¤ûªÖÅ·I
t[EFAÌ Radius T[oÍô© èÜ·ªA LDAP ÖÌT|[gªÇ
¢àÌÉ FreeRadius Æ¢¤T[o (http://www.freeradius.org) ª èÜ·
B±êÍܾJÅÆÍ¢¦A LDAP W
[ͤܮìµÄ¢Ü·B
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
3.1. FreeRadius Å Radiusd ÌÝè
T[oðCXg[µ½ÈçAÝèt@Cðp¢ÄÝèµÈÄÍÈèÜ
¹ñBÝèt@CÍ /etc/raddb (Ü½Í /usr/local/etc/raddb) ȺÉz
u³êĢܷB
radiusd.conf ÌàeÍAȺÌæ¤ÉÒWµÄ¾³¢B
[Ȫ]
# Uncomment this if you want to use ldap (Auth-Type = LDAP)
# Also uncomment it in the authenticate{} block below
ldap {
server = ldap.yourorg.com
#login = "cn=admin,o=My Org,c=US"
#password = mypass
basedn = "ou=users,dc=yourorg,dc=com"
filter = "(&(objectclass=posixAccount)(uid=%u))"
}
[Ȫ]
# Authentication types, Auth-Type = System and PAM for now.
authenticate {
pam
unix
# sql
# sql2
# Uncomment this if you want to use ldap (Auth-Type = LDAP)
ldap
}
[Ȫ]
ܽAdictionary t@CàȺÌæ¤ÉÒWµÄ¾³¢B
[Ȫ]
#
# Non-Protocol Integer Translations
#
VALUE Auth-Type Local 0
VALUE Auth-Type System 1
VALUE Auth-Type SecurID 2
VALUE Auth-Type Crypt-Local 3
VALUE Auth-Type Reject 4
VALUE Auth-Type ActivCard 4
VALUE Auth-Type LDAP 5
[Ȫ]
³çÉ users t@CÌftHgÌFØû®ÌGgðÌæ¤ÉµÄ
¾³¢B
[Ȫ]
DEFAULT Auth-Type = LDAP
Fall-Through = 1
[Ȫ]
·ÅÉ LDAP T[oð Un*x ÌAJEgÇ̽ßÉÝèµÄ êÎA±ê
Å\ªÅ·B
LDAP T[oãÅÍARadius T[oª çäé posixAccount Ì®« (ÁÉ
uid Æ userpassword) ðmÀÉÇޱƪūéæ¤ÉµÄ¨¢Ä¾³¢B
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
3.2. Radius FØÌeXg
T[oðeXg·é½ßÉAÌæ¤É radiusd ðfobO[hÅN®µÄ
¾³¢B
/usr/local/sbin/radiusd -X -A
»ê©çÌæ¤È\¶Å radtest ðg¢Ü·B
radtest [U¼ "pX[h" radius.yourorg.com 1 testing123
·×Ĥܢ¯ÎAAccess-Accept pPbgð»Ì Radius T[o©çóM
·é͸ŷB
NCAg[hÅ stunnel ðgÁÄA Radius T[oÆ LDAPS T[oÔ
ÌÚ±É SSL ðñ·é±ÆàÅ«Ü·B SSL ÌÚ×É¢ÄÍ Section 10
ðQƵľ³¢B
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
3.3. Cisco IOS ÌÝèá
Sðú·é½ßÉA±±É Cisco IOS ÌÝèáð¢Ä¨«Ü·B½¾A±
ÌáÍ±Ì HOWTO ÌÚIÆÍOêĢܷÌÅA ȽÌvÉÍKµÄ¢
È¢©àµêܹñB
[Ȫ]
aaa new-model
aaa authentication login default radius enable
aaa authentication ppp default radius
aaa authorization network radius
[Ȫ]
radius-server host 192.168.10.1
radius-server timeout 10
radius-server key cisco
[Ȫ]
Note: ÙÆñÇ·×ÄÌ NAS Í Radius É 1645 ÔÌ|[gðgpµÜ·
BmF̤¦AKØÉT[oðÝèµÄ¾³¢B
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
4. Samba
»_Ì stable c[Ì Samba ÉÍ LDAP T|[gªÜÜêĢܹñB
HEAD ¨æÑ TNG u`ÉÍÜÜêÄ¢é͸ŷªA»êçÌu`Í
ܾµ¢JÌrãÉ èÜ·BÀèŪ[X³ê½Æ«ÉA»Ì
Samba ÌÀÉ¢ı±É±ÆɵܷB»êÜÅÍAIgnacio Coupeau
Éæé±Ì¶ <http://www.unav.es/cti/ldap-smb/
ldap-smb-HEAD-howto.html> ð©Ä¨Æ¢¢Åµå¤B±êÉͼu`
ÅÌ LDAP ÌÝè@ªLq³êĢܷB
ÆÉ©»_ÅÍAܾ smbpasswd t@CðgíÈÄÍÈèܹñB
[UAJEgîñÌ LDAP ©çÌæ¾ÍùÉÂ\ÈÌÅ·ªB(±êÍ Samba
ÅÍÈ nsswitch ÉæÁÄsÈíêÄ¢é½ßÅ·B) Samba ª LDAP ðT
|[g·êÎA»Ý smbpasswd t@CÆ smbusers t@CÉüêÄ éî
ñð LDAP Éi[·é±ÆªÂ\ÉÈé͸ŷB samba ̤Lð®IÉ
LDAP Åè`Å«éæ¤ÉÈé©Ç¤©É¢ÄÍMÒÍmèܹñªA½Ôñ
sÂ\¾ë¤ÆvÁĢܷB
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
5. DNS
LDAP oRÅÝèÅ«é DNS ÉÍAÓ½ÂÌu`®vª èÜ·BÅÌàÌ
ÍA(ܽàâ) nss_ldap ðADNS ÌãíèÉg¤Æ¢¤àÌÅ·B±êÍÂ
ÜèA/etc/nsswitch.conf t@CÉèðÁ¦½NCAg¾¯ª LDAP ©
ç DNS Ggð©çêéæ¤ÉÈéÆ¢¤±ÆÅ·BÓ½ÂßÌû@Í
LDAP ð bind â tinydns ÌobNGhƵÄgp·é±ÆÅ·B±êÉÖ
AµÄ®µÄ¢évWFNgÍô© èÜ·B»êÍÌ¿ÙÇྷé
±ÆɵܷB
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
5.1. NSS ðg¤
NSS ð (tÁIÈ) zXgGgÖÌANZXÉgÁÄ¢éÆ«ÉÍAue
§vÈ}V (ÂÜèA©ªªmÁÄ¢ÄA»ÌÝèð§ä·é±ÆàÅ«é
}V) ¾¯ª±ÌT[rXðg¦é̾Ƣ¤±ÆÉӵľ³¢B±
êÍCglbgÅÌA±ë±ëÏíézXg¼ðÉÍLp©àµêܹ
ñªA©ªÌEFuT[oÌo[`zXg¼ðS¢EÉöJ·éÉÍg¦
ܹñBܽ nslookup Í /etc/hosts à LDAP àoRµÈ¢½ßAÝ誤
Ü¢ÁÄ¢é©Ç¤©ÌmFÉÍg¦È¢Æ¢¤±Æào¦Ä¨¢Ä¾³
¢B©íèÉAping Ìæ¤ÉàÅ gethostbyname() ÖðgÁļOð
µÄ¢éàÌðg¤æ¤ÉµÄ¾³¢B
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
5.1.1. Ýè
Name Service Switch É LDAP żOð³¹éÉÍA nss_ldap ðg¤æ¤
ÝèµÈÄÍÈèܹñB nss_ldap ÌÝèû@Í Section 2 É¢Ä è
Ü·B±±ÅͳíÉ®¢Ä¢é nss_ldap ÌÝèª éàÌƵÄbð±¯
Ü·B NSS Éæé¼OðÍ /etc/nsswitch.conf àÌ hosts sÌàeŧ
ä³êÜ·Bܾ hosts sªÈ¢Æ¢¤±ÆÍAܸ èܹñB½Ôñ
files Æ dns ªGgƵĩêÄ¢é±Æŵå¤B»±É ldap ðA
Ìæ¤ÉÇÁ·éÌÅ·B
hosts: files, dns, ldap
Ôðæl¦ÄwèµÄ¾³¢IÇÌæ¤ÈêÅàÅÉ files ðu
椵Ĩ«Ü·B»ê©çALDAP ð[J DNS T[oæèàDæ³
¹½¢ÈçÎALDAP T[oÌ IP ªmÀÉ /etc/hosts t@CÌÉ éæ
¤ÉµÄ¾³¢B»¤µÈ¢ÆA¢Á½ÄA𪶶ĵܢܷBÂÜ
豤¢¤±ÆÅ·Bu ézXg¼ððµ½¢¯êÇAt@CàÉÍG
gªÈ¢ÌÅA LDAP T[oÉâ¢í¹æ¤Æ·éBµ©µT[oÌ IP
ðmçÈ¢ÌÅt@CàðTµÄÝéªA»±ÉÍÈ¢ÌÅ LDAP T[oÉ
·±¤Æ·éccvv_ªÂ©ßܵ½ËH±ÌâèÍAzXg¼Ì©íèÉ
IP ÔÅ LDAP T[oðQÆ·é (ÂÜè /etc/ldap.conf ÌɢĨ
) ±ÆÉæÁÄA®SÉñð·é±ÆªÅ«Ü·B
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
5.1.2. XL[}
±ÌT[rXâ¯lÌT[rXÉgíêéXL[}ª RFC 2307 Éè`³êÄ
¢Ü·BIP ÔÉzXg¼ðèÄé½ßÌGgÍ ipHost Æ¢¤
objectclass ÉüèÜ·BèÄÌzXg¼ÌªÍ cn ®«ÌÉüêç
êA IP ªÌûÍ ipHostNumber ÉüèÜ·BÅ·©çAT^IÈ LDIF Ì
GgͱÌæ¤ÉÈèÜ·B
dn: cn=somehostname.mydomain.com,ou=Network,o=YourOrg,c=NL
objectclass: top
objectclass: ipHost
cn: somehostname.mydomain.com
ipHostNumber: 10.1.5.13
à¿ëñAÓ¤ DNS Ét·é§Àâ@\ͱÌT[rXÉàÄÍÜèÜ
·B
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
5.2. bind ðg¤
¡úÅÍ bind â tinydns Éà½ÌÂ\«Í èÜ·ªA±êçÌ¢¸êà
AÒÌÓ©ÅÍ (¡ÌƱë) uÙñƤÌvðôÅÍ èܹñBµ©
µÈªçAÒª»êçðgÁ½o±ªÈ¢Æ¢¤±Æà¾ÁĨ©ÈÄÍ
ÈèܹñB»êçðȺÉñµÜ·B
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
5.2.1. bind wÌpb`
David Storey ª bind ÖÌpb`ÌìÆðµÄ¢Ü·B±Ìpb`ÍAf[^
ð¼Ú LDAP ©çæ¾·éæ¤É·éàÌÅ·B»êÍ bind f[ãÉv
ªÈ³êé½ÑÉ LDAP Åð·é±ÆðÓ¡µÜ·B»_ÅÌÞÌvæ
(\[X©çøp) ÍAuÈÆàÓ½ÂÌ[h\LbV
[hÆ_C
i~bN[h\Å®æ¤É·é±ÆvÅ·BLbV
[hÅÍA¿å
¤Ç rbtdb Ìæ¤ÉA][ðÜé²ÆÉ[hµÄ®ìµAT[oª
HUP VOiðó¯éÆ[hµÈ¨µÜ·B_Ci~bN[hÅÍ»óÆ
æÄ¢ÄA·×ÄÌvª LDAP ÖÌQÆÆÈèÜ·BÅVîñÍ\[X
<ftp://ftp.eyeo.com/bind/> ðmFµÄ¾³¢B
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
5.2.2. ldap2dns
EFuTCg©çÜé²ÆøpµÜ·B
uldap2dns Í DNS R[hð¼Ú LDAP fBNg©ç쬷évO
Å·B±êÍAZJ_l[T[oðæñÌvC}T[oÅu··
é½ßÉg¤±ÆªÅ«Ü·µA»Ì½ßÉg¤×«Å·B ldap2dns Í ç
äéÏíµ¢ÇìÆðy¸·é¯ÉÈèÜ·Bà¤P²Èt@CÒWÍ
Kv èܹñB][t@CÒWàKv èܹñB ldap2dns ðCX
g[µÄµÜ¦ÎAÇÒͽ¾ LDAP fBNgÉANZX·é¾¯Å
æ¢ÌÅ·B]ÞÈçAÇÒÍ][²ÆÉANZXRg[ð©¯é
±ÆªÅ«Ü·BEFux[XÌ GUI ð쬵ÄADNS ɱ·é±ÆÈA
çäéíÞÌ][â\[XR[hÌîñðÇÁ·é±ÆàÅ«Ü·B
ldap2dns Í tinydns Égp³êé data.cdb Æ¢¤oCit@Cð«
o·æ¤Ýv³êĢܷªAnamed Égp³êé .db t@Cð«o·æ
¤É·é±ÆàÅ«Ü·Bv
±ÌvWFNgÌz[y[Wͱ± <http://ldap2dns.tiscover.com/> Å
·B
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
5.2.3. ispman
ispman Í Perl Å©ê½ ISP ÇpbP[WÅ·B±êÍ LDAP f[^x
[XðÝèÌobNGhÉg¢Ü·B±ÌpbP[WÍñíɽ̱ƪ
Å«éÌÅA³mÉ©ªÌKvƵĢéàÌðmFµ½ûªæ¢©àµêÜ
¹ñBAhXÍ ispman.org <http://www.ispman.org> Å·B
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
6. [gXt@G[WFg (MTA)
±ÌÍÅÍAÝÁÂÌÙÈé MTA, ÂÜè Sendmail, Postfix, qmail É¢
Äq×Ü·B±êçÍ LDAP ©çîñðæèo·æ¤ÉÝèÅ«é MTA Å·B
ÂlIÈo±©ç·éÆ Postfix Ìûª Sendmail æèà¸ÁÆÈPÉÝèÅ
«Ü·ªA±êÉ¢ÄÍ«A Sendmail ɨ¯é LDAP T|[gª³çÉ
¬nÌæÉB·é±ÆÅÏíÁÄé©àµêܹñBqmail ÍgÁ½±Æª
èܹñB
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
6.1. Sendmail
6.1.1. Sendmail ɨ¯é LDAP T|[g
Sendmail ÉÍAo[W 8.8.x ½è©ç ldapx Æ¢¤}bv^Cvðg
¤©½¿Å LDAP ªT|[g³êĢܷBo[W 8.10 È~ÅÍ LDAP
f[^x[X^Cvª ldap ƵÄT|[g³êĢܷBµ©µ LDAP }b
vÌT|[gÍARedHat ÌpbP[WÌftHgÌÜÜÌÝèÅͳøÉÈ
ÁÄ¢éÌÅA²Ó¾³¢B Debian Ìo[W 2.2 È~ÉÍ
Sendmail Ì LDAP T|[gª 黤ŷB©ªÅRpC·éKvª é
êÍA Sendmail Ì\[XÌ sendmail/README Æ¢¤t@CðÇñž
³¢B±Ìt@CÉÍALDAP T|[gt«ÅRpC·éû@É¢ÄÌ
LvÈîñªÜÜêĢܷB
±êçVÌ LDAP }bv^CvÉÍAÆàÉ LDAP f[^x[XàÌGg
ðõ·é\ͪ èÜ·B½¾µAÐÆÂÓª èÜ·BõÌ®¹
ÉʪÐƵ©ÔÁıȢÌÅ·Bʪ¡ éƵÄàAÅÌà
̾¯ªgíêÜ·Bµ©àA»ÌÊÉÔèlª¡ ÁÄàÅÌl¾¯
ªÔ³êéÌÅ·BÌ LDIF t@CÌáÉÚµÄÝܵå¤B
dn: cn=mailuser1,ou=mail,dc=company,dc=com
objectclass: top
objectclass: foo
cn: mailuser1
mail: mailuser1@company.com
mail: info@company.com
õð cn=mailuser1 Ìæ¤ÈPÈõtB^ÅÀs·éÆAß鮫
ª mail ¾ÆµÄà mailuser1@company.com µ©Ô³êܹñB¼ûÌÊð
¾éÉÍA±êçÍPêlð®«ÉAR}ÅæØç꽩½¿Åi[³
êĢȯêÎÈçÈ¢ÌÅ·BÌæ¤È©½¿Å·B
mail: mailuser1@company.com,info@company.com
±ÌbèÉÖAµ½îñðÜÞdq[bZ[WðA LIH z[ <http:/
/devel.linvision.com/doc/lih/alias_issues> Å©é±ÆªÅ«Ü·B
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
6.1.2. VXeÌzu
LDAP }bvªpÅ«éÆ«ÉÍAÙÆñǽÅà LDAP f[^x[Xà©ç
Tµo¹Ü·B»±ÅAȺÌæ¤È\¬ÌÝèðÈf»µ½¢Æv¢Ü·B
KÍàµÍåKÍÌlbg[Nª é±Æɵܵå¤B½³ñÌh
C̽ßÉ[ðóMµÜ·BÓ½ÂÌ[zXgÆAÓ½ÂÌtH
[obNzXgÆ¢¤zuÅ·B±ê¾ÆÊíÍAȺÌOíÞÌîñði
[·éêªAlÓÉÜÅÈÁĵܢܷB
E ¼ûÌ[zXgª local-host-names t@C (`É]¦Î
sendmail.cw) ðKvƵܷB±êÍAÇÌhCÖÌ[ðóM·
é©É¢ÄL^µÄ¨àÌÅ·BtH[obNzXgͯ¶îñð
access t@CÉ۵ĢܷªA±¿çÍóM[ðÇÌhC
Öp·×«©ê·é½ßÉg¢Ü·B
E [zXgÉͼûÆà virtusers t@Cª èÜ·B±Ìt@C
Å¡ÌAhX ( é¢ÍhCSÌ) ðPÆ̼z[Uâ[J
[UÉèÄÜ·B
E ¼[zXgÉ aliases t@Cª èÜ·B±Ìt@Cżz[
Uð[AhXâ[J[UÉèÄÜ· (¡àÂ)B
±¤µ½îñªÐÆÂÌf[^x[XÉÜÆßÄi[³êÄ¢êÎAezXg
ª»Ìf[^x[X©çÝèðÇÝo·±ÆÉæÁÄAlbg[NÌg£«
ÆǵⷳªüãµÜ·BSf[^ð nfs É}bv³¹ÄA»êðPÆÌ
zXgɽ¹éæ¤È`¾ÁÄl¦çêéŵå¤B»Ìæ¤ÈêàÚ±
·ézXgÉá¢ÍÜÁ½¶¶Ü¹ñB[UÉÆÁÄàÜÁ½¯lÉf
èÜ·B
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
6.1.3. Sendmail Ýèt@C
±ÌîñªÇ¤âÁÄ LDAP f[^x[X©çWt@CÌãíèÉÇÝo
³êé©ðð·éÉÍAsendmail.cf t@CÉ¢ÄÌwiIÈm¯ª
µKvÅ·B±±Åµ¤îñÍAÓ½ÂÌÙÈéû@Åi[³êĢܷB
local-host-names t@CÍANXÉÇÝÜêÜ· (³mÉÍNX w
Å·B±Ìä¦ÉÌÍ cw Æ¢¤g£qªt¢Ä¢Üµ½)BêûÅ virtusers
t@CÍPÈ}bvðʵÄgíêÜ·Baliases t@Cà}bvÅ·
ªAè`û@ªÙÈèÜ·µAàÅgíêéÌÅA[àÅQƳêéí
¯ÅÍ èܹñB
îñª LDAP f[^x[X©çæèo³êéÆ«ÉÍK¸}bvàÅ®µÜ
·Blocal-host-names t@CÉi[³êé׫îñÉÆÁÄÍA±Ì_ªâ
ââèÆÈèÜ·B±Ìt@CÌîñÍNXÉgíêé©çÅ·BÒÍ
±êÜÅÌƱëA}bv©çÌîñÅNXð½¹½½ßµª èܹ
ñBÈPÉÅ«»¤ÈàÌÅ·ªAǤàsÂ\Èæ¤Å· (Ôᢪ êÎ
AǤ©¨mç¹¾³¢)B»Ì½ßVµ}bvðè`µÈÄÍÈèܹ
ñŵ½BSendmail ÌÝèÅA w NXàÌlðÇÞÆ«É (ÙÚ) ñA
»Ì}bv©çlªõ³êéæ¤È[ðÇÁµ½ÌÅ·B
}bvÉ¢ÄÍAÝèÏXªÈPÅ·BÊíA}bvͼOÆAf[^x[
X^CvÆAef[^x[XÁLÌIvV (á¦ÎÊígíêé newdb f
[^x[X^CvÅÌt@CÌÊuÈÇ) ÆÅè`³êĢܷB»êÅ}
bvÉ¢ÄÍAè`ðÏX·é¾¯Å\ªÅ·BÙçAà¤Å«Üµ½B³
ÄALDAP }bvÉͳçÉô©ÌIvVª èA»Ì¤¿Ì¢Â©Í
OÉO[oè`µÄ¨¯Ü·B»êçÌIvVÍÌXgÅà¾
³êĢܷ (±ÌXgÍAåª Booker Bense ̶ÉæèÜ·)B
sendmail.cf ɨ¯é LDAP ÁLÌ}bvIvV
-h
Xy[XæØèÅ LDAP T[oÌzXg¼ðè`µÜ·B±ÌÔÅâ¢
í¹ðsÈÁÄ¢«Aʪo½ç»±ÅI¹µÜ·BO[oÉÝ
èÅ«Ü·B
-b
LDAP õx[Xðè`µÜ·BÂÜèA»Ì LDAP fBNgྯð
õ·éÌÅ·BO[oÉÝèÅ«Ü·B
-k
LDAP õtB^ðè`µÜ·B±êÍusprintfv`®Ì¶ñÅA}
bvªüÍlðÇÌæ¤Éó¯æÁÄ LDAP õð\z·éÌ©è`µÜ
·Bõ·élð %s Åu·µ½AêÊIÈ LDAP õtB^Ì`®ð
ÆèÜ·BLDAP õtB^É¢ijçÉwѽ¢ûÍA RFC 2254
<http://www.cis.ohio-state.edu/htbin/rfc/rfc2254.html> ð²¾³
¢BƱëÅA±ÌõtB^ÆãLÌõx[XÆÅÍAÅåÅàÐ
ÆÂÌGgµ©Ô³È¢æ¤Èõðè`·×«Å·B LDAP }bv
ÍAó¯æÁ½ÅÌGg¾¯ðp·éÌÅ·B
-v
ÇÌ LDAP ®«Ìlª}bvõÅÔ³êé±ÆÉÈéÌ©ðè`µÜ·
BÚ×ÍãqµÜ·B
LDAP IvVÍ·×Ä_uNH[gµA Sendmail IvV̼ãÉu
©È¯êÎÈèܹñB²Ó¾³¢Báð°Ü·B
Kldapexamplemap ldap -h"localhost ldap.myorg.com" -b"ou=mail,dc=myorg,dc=com" -k"(&(objectclass=mailstuff)(uid=%s))" -v"mailaddress"
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
6.1.4. XL[}
ÒÍA±ÌÁÊÈÝè̽ßÉAmail Æ¢¤Tuc[ð LDAP fBNg
àÅè`µÄ¢Ü·B±ÌºÉ[ÖAÌ çäéîñði[·é½ßÅ
·B[UÖAÌ[îñÍ ou=Users ÌTuc[ÉüêĨ±ÆàÂ
\¾Á½Åµå¤ªA»êÍí´Æð¯Üµ½Be[UÆÊÉPêÌTuc
[ðg¤ûªASendmail ̽ßÌîñª·×ÄêÓÉi[³êéÌÅA½
³ñÌ[Uª¢éÆ«Ìõª¬ÈéÌÅ·BȺÈçAõ·éKv
ª éÌÍ ou=Users Tuc[SÌÅÍÈAou=mail ¾¯¾©çÅ·B
±ÌTuc[àÉñíÞÌR[hðìèÜ·B
1. virtuser t@Câ aliases t@CÉR·éA¼z[UÐÆèÐ
ÆèÌèÄðÛ·éGgÅ·B¼t@C©çÌèÄð¯
¶GgÉi[·é±Æɵܵ½B±êÉæÁÄAp¢Ä¢éÝèâ
øʪ¾mÉÈé©çÅ·B±êÉÍAinetmailrecipient Æ¢¤
objectclass ÆA mailid, mailacceptinggeneralid, maildrop Æ¢¤Ý
ÁÂÌ®«ðè`µÜµ½B
inetmailrecipient
±ÌKÍA±ÌGgªAêÂܽ͡ÌÀ[AhXâ
[hC©çAêlܽ͡lÌÀ[UÖÌ}bsOÅ
é±Æð¦µÜ·B
mailid
±Ì¼z[UªóM·é[AhXðLqµÜ·B
foo@myorg.com Ìæ¤ÉÊÌAhXÌ`®Åà\Å·µA
@my2nd.org Ìæ¤ÉhC²ÆÅàåävÅ·B±Ì®«Í¡¶
ÝÅ«Ü·ªAi[·élÍ»ê¼êÐƸÂÅȯêÎÈèܹ
ñB±êçÌ ID »ê¼êÉεÄA[ª
mailacceptinggeneralid ÉçêÜ·B
±±ÉÍA¡ÜÅ virtusers t@C̶¤É Á½f[^ðüêé
±ÆÉÈéí¯Å·B
mailacceptinggeneralid
¼z[Uðè`µÜ·BÀÍA±êª virtusers t@CÆ
aliases t@CÆÌq¬ÚÅ·B±Ì®«ªeGgÉÐƸ
¶ݵĢÈÄÍÈèܹñªA»êæè½ÄࢯܹñB
µ©àlðÐƵ©üêçêܹñBlÉÍ[J[U¼©¼
z[Uðüêé±ÆªÅ«Ü·BãÒÌêÍ maildrop ®«ª¶
ݵÈÄÍÈèܹñBOÒÉÍKv èܹñB
±±ÉÍA±êÜÅ virtusers t@CÉ Á½îñÆ aliases t
@C̶¤É Á½îñðüêé±ÆÉÈéí¯Å·B
maildrop
óMµ½[ÌzMæÆÈéAhXâ[Uðè`µÜ·B±Ì
®«ÍÐƵ©¶ÝūܹñªAR}æØèÌXgðüêç
êÜ·B mailacceptinggeneralid Ìlª¼z[UÈçA±Ì®«
ÍK{Å·BÀÝ·é[UÈçȪūܷB
ÂÜèA±±ÉÍ aliases t@CÌE¤ÌªðüêéÆ¢¤±Æ
Å·B
êÊIÉAmailid Æ mailacceptinggeneralid ƪêÉÈÁÄ
virtusers t@CÌ@\ðñ·éƾ¦Ü·B»µÄ
mailacceptinggeneralid Æ maildrop ƪ aliases t@CÌ@\ðñ
·éÌÅ·B
2. Êí sendmail.cw t@Câ access t@CÉ éhC¼ðÛ·
éGgÅ· (¡ÂêÜ·)B±ÌGg̽ßÉ
inetmaildomain Æ¢¤ objectclass Æ maildomain, sendmailislokalkey
, sendmailaccesskey Æ¢¤®«ðè`µÜµ½B
inetmaildomain
VXeÉ®·é[hCÌêÅ èA©ÂA[JÉz
·×«©¼zXgÉ]·×«©ÌêÅ éGgð\·K
Å·B
maildomain
[hCðè`µÜ·BÐÆÂÌGgÉ¡¶ÝÅ«Ü·
BlÍu@v}[NȵÌhCÉÈèÜ·B
±Ì®«ÍAlocal-host-names t@CàÌhCÌGg²Æ
ÉAÐƸ¶ݵĢé׫ŷB
sendmailislocalkey
hCª[J©Ç¤©ð©ª¯é½ßÉ Sendmail Ì[Ì
Åg¤AVvȾt (L[) ðè`µÜ·B Sendmail [
ÌÅg¤¶ñƳmÉêvµÄ¢ÈÄÍÈçȢƢ¤±Æ
ð¯ÎA{ɽÅà\¢Ü¹ñBÒÍÆè ¦¸ <LDAPLOCAL>
ðgÁĢܷBK{®«ÅAeGgɡͶÝūܹñB
sendmailaccesskey
Sendmail Ì[ÅgíêéL[̤¿A½ðg¤©è`µÜ·B±
ÌL[ÅA»ÌhCÅs¤×«®ìðèµÜ·B RELAY, OK,
REJECT, DISCARD ÆG[\¦ðg¦Ü·B(ÚµÍ Sendmail Ì\
[XàÌ cf/README t@CðQƵľ³¢B)
Note: ²Ó¾³¢B¡ñÍÁÊÈÝèƵÄAaccess t@CÅ
ÍhCÜé²ÆÌGgµ©gíÈ¢±Æɵܵ½B±êÍ
ÂÜèAmaildomain ®«ð access t@CÌîñÉà
local-host-names ÌîñÉàg¢ñ¹éÌÍ¡ñÌæ¤È꾯¾
Æ¢¤±ÆÅ·BANZXXgðàÁÆש§äµ½¢ÈçÎA
êÌ maildomain ®«ÉµÄµÜí¸ÉA»ê¼êÊÌGgð
g¤×«Å·B
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
6.1.5. ³çÈéîñ̽ßÉ
LpÆvíêéîñ¹ð¢Â©ÐîµÜ·B
E Booker Bense ª±¤¢¤¶ <http://www.stanford.edu/~bbense/ldap/
Inst.html> ð¢Äêܵ½BSendmail 8.9.3 ÅÌ LDAP Ìgp@É
Ö·éàÌÅ·B Sendmail Æ LDAP Ìg¢ûðwK·éÛÌon_É
Íü¢Ä¢È¢AÆ{l;ÁĢܷªAÒÉÆÁÄÍA½¢Öñ
¯ÉÈèܵ½B
E LDAP Æ Sendmail ÉÖ·éV
L <http://ldapman.org/articles/
index.html> ª sendmail.net <http://www.sendmail.net> ãÅöJ³ê
ĢܷBìÒÍ Michael Donnelly ÅA»à»à ldapmap.org <http://
/www.ldapmap.org> Æ¢¤A±êܽ»¡[¢êÊIÈ LDAP ÖAîñ
ÚÌTCg©çnÜèܵ½B
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
6.2. Postfix
6.2.1. T|[g
Postfix ÅÍA{ÌÉÅ©ç LDAP T|[gªüÁĢܷBIvVÌ
½ðÝè·é}bv̽³ñÌíÞÌÈ©ÉALDAP à éÌÅ·Be
LDAP }bvÉ«AIvVªñAO èÜ·B (Section 6.2.2 ðQƵ
ľ³¢B)
Postfix É LDAP f[^x[XàÌf[^ðõ³¹é½ßÌèÍAÉßÄ
í©èâ·ÈÁĢܷBÅàêÊIÈg¢û (ÆÒªv¤àÌ) ÍA¼
z[Uð LDAP f[^x[X©çQƳ¹é±ÆÅ·B±êðOqÌ
nss_ldap ÆÆàÉg¦ÎA·×ÄÌdq[pÒÌîñð LDAP f[^x
[XÉüêĨ¯Ü·Bµ©µAÝèÅ«éÚͼÉà èÜ·Bá¦Î
Postfix ª[ð]Å«éhCâAtÉ Postfix ª]vðó¯t
¯éhCAܽobNAbvT[oƵĮì·×«hCÅ·B
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
6.2.2. Ýè
ÝèIvVÉÖ·éà¾Í·×ÄAo[W 20001217 ɨ¯é
Postfix docs Ì LDAP_README ©çøpµÄ¢Ü·B
server_host
LDAP T[o𮩵ĢézXg̼OÅ·BÝèáð°Ü·B
ldapsource_server_host = ldap.your.com
Oqµ½SÄÌCuÅA¡ÌT[oðXy[XÅæØÁÄwè·
é±ÆàÅ«Ü·BÅÌà̪¸s·éÆACuÍ»êçðÉ
sµÜ·Buldap.your.com:1444vÆ¢¤æ¤É¢ÄAeT[oÉ»
ê¼êÙÈé|[gðn·±ÆàÅ«Ü·B
server_port (389)
LDAP T[oªvðó¯t¯é|[gÅ·Bá¦Î±¤ÈèÜ·B
ldapsource_server_port = 778
search_base (ùèlȵ\ÝèªKvÅ·)
õ·éÅãÊfBNgÅ·Bá¦Î±¤Å·B
ldapsource_search_base = dc=your, dc=com
timeout (10 b)
õÊð «çßéÜÅÌbÅ·Bá¦Î±¤wèµÜ·B
ldapsource_timeout = 5
query_filter (mailacceptinggeneralid=%s)
fBNgõÉg¤ARFC2254 ®tB^Å·B Postfix ªðµæ
¤Æ·éAhXÌƱëÉAãíèÉ %s ðüêÜ·BáÍÌƨè
B
ldapsource_query_filter = (&(mail=%s)(paid_up=true))
domain (ùèlȵ\ÝèªKvÅ·)
hC¼At@CÖÌpXA¨æÑ«ÌêÅ·Bwè³êÄ¢é
ÆA±ÌÉ éhCżOªIíézXgµ©õµÜ¹ñB±ê
ÉæÁÄ LDAP T[oÖÌâ¢í¹×ðIÉy¸Å«Ü·B
ldapsource_domain = postfix.org,
hash:/etc/postfix/searchdomains
result_attribute (maildrop)
õÉæÁÄÔ³êéfBNgGg©ç[AhXð̽
ßÉÇÝÞ®«Å· (¡àÂ)B
ldapsource_result_attribute = mailbox,maildrop
special_result_attribute (ùèlȵ)
Gg̤¿ADN â URL ðÜñŢ鮫ŷ (¡àÂ)Bwè³ê
Ä¢éÆA»ÌlðgÁÄÄAIÉõµÄ¢«Ü·B
ldapsource_special_result_attribute = member
scope (sub)
LDAP õXR[v\ sub, base, one Ì¢¸ê©\Å·B»ê¼ê
LDAP_SCOPE_SUBTREE, LDAP_SCOPE_BASE, LDAP_SCOPE_ONELEVEL ÉÏ·³ê
Ü·B
bind (yes)
LDAP T[oÉoCh·é©Ç¤©ÌwèÅ·B LDAP ÌÅßÌÀÅÍ
oChðKvƹ¸AÔðßñÅ«Ü·BÝèáÍÌƨèB
ldapsource_bind = no
oCh·éKvª éÈçA[J}VÌ|[gð LDAP T[oÖ
Ì SSL glɵÄA»±ÉÚ±³¹½ûªæ¢©àµêܹñB
LDAP T[oª SSL ðT|[gµÄ¢È¯êÎAT[o¤ÌVXeÉà
glðÝuµÜ· (bpÅàvNVÅàAÄÑûͨDÝÅ)B±
êÅApX[hªlbg[NðÛ©¦ÌÜÜÊßµÈÈèÜ·B
bind_dn ("")
oCh·éKvª éÆ«A±Ì¯Ê¼ÅoChµÜ·Bá¦Î±¤
Å·B
ldapsource_bind_dn = uid=postfix, dc=your, dc=com
bind_pw ("")
ã̯ʼÌpX[hÅ·B±êðg¤KvÌ éÆ«Í«ÁÆA
main.cf ð Postfix [U©çµ©©¦È¢æ¤Éµ½¢Æv¤Í¸Å·
BÝèáͱ¤ÈèÜ·B
ldapsource_bind_pw = postfixpw
cache (no)
LDAP Ú±ÉNCAgTChLbV
ðg¤©Ç¤©Å·B
ldap_enable_cache(3) ðQƵľ³¢B±êÍftHgÅÍItÉ
ÈÁĢܷB
cache_expiry (30 b)
NCAgTChLbV
ªLøÈÆ«A±±Åwèµ½bÌãÅ
AÊÌLbV
ðjüµÜ·B
cache_size (32768 oCg)
NCAg¤ÌLbV
ªLøÈçA»ÌoCgÅ·B
dereference (0)
Ǥ¢¤Æ«É LDAP GCAXðHé©ÌwèÅ·B (Postfix ÌGC
AXÆÍÖW èܹñÌÅӵľ³¢B) OpenLDAP Æ UM LDAP
ÌÀÅLøÈlÍȺÌÊèÅ·B
0 êصȢ
1 õ
2 õ̽ßÉx[XIuWFNgÌÊuðT·Æ«
3 íÉ·é
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
6.2.3. Ýèá
o[`hC (foo.virtualdomain.com Ƶܷ) ðg¢½¢Æ«A»
µÄ»ÌhCÌ[AhXð LDAP Éi[µ½¢Æ«ÉÍA main.cf
ÉȺÌæ¤ÉKvª èÜ·B
virtual_maps = ldap:ldapvirtual
ldapvirtual_search_base = ou=mail,o=YourOrg,c=nl
ldapvirtual_query_filter = (mailacceptinggeneralid=%s)
ldapvirtual_domain = foo.virtualdomain.com
ldapvirtual_result_attribute = maildrop
ldapvirtual_bind = no
ldapvirtual_scope = one
±ÌÝèÅÍAPostfix ªufoo.virtualdomain.comvhCÌ[UÖÌ
[ðóM·éÆA mailacceptinggeneralid Æ¢¤®«ªu
user@foo.virtualdomain.comvÉv·éGgðTµÜ·B»Ìæ¤ÈG
gª êÎAmaildrop ®«Ìlª·×ÄÔÁÄ«Ü·B»±É[ªz
³êéÌÅ·Bàµuuser@foo.virtualdomain.comvªÈ¯êÎAhC
SÌðÐÁéß½[UÉv·éæ¤ÉAu@foo.virtualdomain.comvÆ
¢¤ÊÌâ¢í¹ðµÜ·B±êàȢƫÍAbZ[Wªñ (oE
X) ³êÜ·B
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
6.3. qmail
qmail ©ÌÉÍÜÁ½ LDAP T|[gª èܹñBµ©µÈªç Andre
Oppermann Ì LDAP T|[gÌpb`ª èÜ·B±êÌpbP[WÍA¶
àÜßÄÞÌTCg <http://www.nrg4u.com> É èÜ·B
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
7. AhXubN
Linux T[oãÌ LDAP f[^x[XÌñíÉÖÈÁ¥ÆµÄAgDÉà
lbg[Nª êÎOÌAæð·×ÄêÓÉWßĨ¯éÆ¢¤Ìª
èÜ·B»êðO[vA é¢Íɪ·é±ÆàÅ«Ü·BàÍâ]
ÆõÐÆèÐÆèÉÊXÌAhXubNðn·KvÍÈ¢ÌÅ·B±êÍA
LDAP ðgíȯêÎ Microsoft Exchange Server â Lotus Domino, ܽ
Active Directory [5] ÅàÅ«é±ÆÅ· (óFExchange XÌfBN
gT[rXàÀÍ LDAP ðgÁÄ¢éÆvíêÜ·)B
Microsoft ÌuAhX vÆ»êÉ˶·évOAÂÜè Microsoft
Outlook â Microsoft Outlook Express, ܽ Microsoft Outlook 2000 Æ¢
Á½àÌðg¤ÔñÉÍALDAP Ìî{ÝèðϦéKvÍ èܹñBÆÍ¢
¦AèðÁ¦éKvÌ éà̪ӽ èÜ·B
æêÉAAhXâÖAf[^ðL^·é½ßÌfBNgc[ð쬵
ÈÄÍÈèܹñBSection 12 ÉAÇñÈGgª±Ìc[Égíêé
Ì©ª¢Ä èÜ·B
æñÉA[Jlbg[NãÌ çäézXgª±Ìc[ÌÇÝÝ
ÀðmÀÉÁÄ¢éæ¤ÉµÈÄÍÈèܹñB±êÍ Section 11 ŵ
íêé±ÆÉÈèÜ·B
Microsoft Ìdq[ÌvOÍ·×Ä LDAP fBNgT[rXð
g¦Ü·Bl¨ðõµ½¢ÈçuAhX vðgÁľ³¢Bdq[
ÌVKbZ[WðƫͼOÉKÈdq[AhXª©®Åt
Á³êÜ·B±êÍ cn, sn, givenname »µÄ mail ÌtB[hðõµÄ
sȢܷBMicrosoft Ìdq[vOÅ LDAP T[oð©ªÌAh
XubNƵÄgÁ½èdq[AhXÌõpÉÝèµ½¢Æ«ÉÍ
AȺ̱Æð·éKvª èÜ·B
1. DÝÌdq[vOðN®µÄAhX ðJ¢Ä¾³¢B±
êÍA»ÌvO©çuc[¨AhX vðIð·êÎÅ«Ü·
B é¢ÍX^[gj
[©çuX^[g¨vO¨ANZT¨
AhX vðIñž³¢B
2. uc[¨AJEgvðNbNµÄC^[lbgAJEgÌEB
hEðJ«Ü·B
3. uÇÁv(óF³çÉufBNgT[rXvðIÔ絢ŷ) ðN
bNµÄ¾³¢B·éÆC^[lbgÚ±EBU[hÌEBhE
ªoÄ«Ü·©çA©ªÌ LDAP T[oÌ IP AhX©zXg¼ðüÍ
µÄuÖvðNbNµÜ·B
4. ÌEBhEÅÍAuÍ¢vƦÄA©ªª±ÌfBNgðgÁ
ÄAhXð`FbNµ½¢Ì¾Æ¢¤±ÆðmèµÄ¾³¢Bàµ
ÍA»¤µ½È¢Èçu¢¢¦vƦľ³¢BÅÍuÖvÆu
®¹vðNbNµÄ¾³¢B
5. ·éÆC^[lbgAJEgEBhEÉßèÜ·BVµÇÁ³ê
½AJEgðIðµÄuvpeBvðNbNµÄ¾³¢B
6. vpeBEBhEÌuÚ×Ýèv^uðNbNµÄ¾³¢B
7. uõx[XvÌtB[hÉAAhXªL^³êéTuc[ÌÅã
ÊÌGgðü͵ܷBáƵÄÍ ou=Addressbook,dc=yourorg,dc=
com Æ¢¤æ¤ÉÈèÜ·B (óFWindows AhX ÅmFµ½Æ±
ëÅÍA±±É½àüÍµÈ¢Æ c=JP ðwèµ½±ÆÉÈèÜ· (US Å
Å c=US ÆÈé©Í¢mF)Bõx[Xð{Éóɵ½¢êÉÍ
NULL ÆüÍ·éKvª èÜ·B)
8. uOKvðµÄEBhEð¶Au¶évðNbNµÄC^[l
bgAJEgEBhEà¶ܷB·éÆAhXubNÌCE
BhEÉßÁÄé͸ŷB
±êÅAuTo:vÌtB[hɼOðüêĨÆA (óFMàµÍ
¼OmFÉ) dq[AhXª LDAP fBNg©çTµo³êÄA
©®IÉè³êÜ·Bó⪩t©çÈ©Á½çEBhEª»íêÜ·Ì
ÅAÅ¿Ôᢪ êμµÄAVKÉõð·é±ÆªÅ«Ü·B
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
8. Netscape [~OANZX
±ê©çÂàèÅ·B
±ÌbèÉÖ·éDÇLª±± <http://www.linuxworld.com/linuxworld/
lw-1999-09/lw-09-ldap-netscape.html> É èÜ·B
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
9. LDAP ÉæéfW^ؾÌs
±ÌÍÌÅ_ÍAfW^ؾð LDAP T[oàÉs·éû@É èÜ·
B Certification Authority (FØÇ) ð^c·éÈçfW^ؾðs
·éKvª èÜ·BLDAP ÖÌsÍA±Ìîñðlbg[NàÅpÅ«
éæ¤É·éVvÈû@ÌÐÆÂÅ·BܽAؾÎ\tgEFAÌ
½àA]ܵ¢|WgƵÄA[UØ¾É LDAP ðp¢Ä¢Ü·B
±Ìû@ÅÍ[Uؾð¼Ì[UîñÆêɵĨ¯éÌÅAf[^
̳ÊÈ¡»ªKvÈÈèÜ·B
ؾðæ赤ÉÍÃc[LbgªKvÅ·B±±Ågp·éÌÍ
OpenSSL Å·B
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
9.1. LDAP T[oÌÝè
±±Ågp·é LDAP T[oÍ OpenLDAP 2.0.x Å·B
LDAP T[oÍAؾðL^·é½ßÌ®«ðÄé objectclass ðT|[
gµÄ¢ÈÄÍÈèܹñB LDAP T[oàÉÍÁÉAFØÇؾAؾ
jüXgAFÂjüXgA»µÄGh[UÌؾðL^µÄ¨
Kvª èÜ·B
certificationAuthority Æ¢¤ objectclass Í authorityRevocationList
(ÂÜèFÂjüXg), certificateRevocationList (ؾjüXg),
cACertificate (FØÇؾ) Æ¢¤®«ðÀµÜ·B
inetOrgPerson Æ¢¤ objectclass Í usercertificate ([Uؾ) Æ¢
¤ (oCiÌ) ®«ðT|[gµÜ·B
ܽAstrongAuthenticationUser Æ¢¤¬ objectclass ðgÁÄAñ
inetOrgPerson GgÉؾðt¯é±ÆàÅ«Ü·B
ºLÌXL[}ð©ªÌ slapd.conf t@CÉÜßÄAKvÈXL[}ð
OpenLDAP ÉCN[hµÄ¾³¢B
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
9.2. ؾÌs
Ø¾Í ASN.1 Ì DER (Distinguished Encoding Rules) ðgÁÄGR[h
³êÜ·B»Ì½ß LDAP T[oàÉÍoCif[^Å (BER GR[hÅ)
s³êÈÄÍÈèܹñB
PEM ؾÍA±Ìæ¤É OpenSSL ðgÁÄ DER ®ÉÏ·Å«Ü·B
openssl x509 -outform DER -in incert.pem -out outcert.der
»¤·éÆAOpenLDAP ÉæÁÄñ³êé ldif Æ¢¤[eBeBðgÁ
Ä LDIF t@Cðì¬Å«Ü·B±¤Å·B
ldif -b "usercertificate;binary" < outcert.der > cert.ldif
±ÌR}hÍ BASE64 ÅGR[h³ê½ usercertificate ®«ð쬵Ü
·B±Ìæ¤Éؾð LDIF GgÉÇÁÅ«Ü·ÌÅA»ê©ç
ldapmodify ðgÁÄ (óFT[oãÌ) GgÉؾðÇÁÅ«Ü·B
ldapmodify -x -W -D "cn=Manager,dc=yourorg,dc=com" -f cert.ldif
±Ì cert.ldif ÍAÌæ¤ÈàÌðÜñŢܷB
dn: cn=user,ou=people,dc=yourorg,dc=com
changetype: modify
add: usercertificate
usercertificate;binary:: MIIC2TCCAkKgAwIBAgIBADANBgkqhkiG9w0BAQQFADBGMQswCQYD
VQQGEwJJVDENMAsGA1UEChMESU5GTjESMBAGA1UECxMJQXV0aG9yaXR5MRQwEgYDVQQDEwtJTkZO
IENBICgyKTAeFw05OTA2MjMxMTE2MDdaFw0wMzA4MDExMTE2MDdaMEYxCzAJBgNVBAYTAklUMQ0w
CwYDVQQKEwRJTkZOMRIwEAYDVQQLEwlBdXRob3JpdHkxFDASBgNVBAMTC0lORk4gQ0EgKDIpMIGf
MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrHdRKJsobcjXz/OsGjyq8v73DbggG3JCGrQZ9f1Vm
9RrIWJPwggczqgxwWL6JLPKglxbUjAtUxiZm3fw2kX7FGMUq5JaN/Pk2PT4ExA7bYLnbLGZ9jKJs
Dh4bNOKrGRIxRO9Ff+YwmH8EQdoVpSRFbBpNnoDIkHLc4DtzB+B4wwIDAQABo4HWMIHTMAwGA1Ud
EwQFMAMBAf8wHQYDVR0OBBYEFK3QjOXGc4j9LqYEYTn9WvSRAcusMG4GA1UdIwRnMGWAFK3QjOXG
c4j9LqYEYTn9WvSRAcusoUqkSDBGMQswCQYDVQQGEwJJVDENMAsGA1UEChMESU5GTjESMBAGA1UE
CxMJQXV0aG9yaXR5MRQwEgYDVQQDEwtJTkZOIENBICgyKYIBADALBgNVHQ8EBAMCAQYwEQYJYIZI
AYb4QgEBBAQDAgAHMAkGA1UdEQQCMAAwCQYDVR0SBAIwADANBgkqhkiG9w0BAQQFAAOBgQCDs5b1
jmbIYVq2epd5iDjQ109SJ/V7b6DFw2NIl8CWeDPOOjL1E5M8dnlmCDeTR2TlBxqUZaBBJZPqzFdv
xpxqsHC0HfkCXAnUe5MaefFNAH9WbxoB/A2pkXtT6WGWed+QsL5wyKJaO4oD9UD5T+x12aGsHcsD
Cy3EVEaGEOl+/A==
ܽALDIF t@CàÅؾð±Ìæ¤Éwè·é±ÆàÂ\Å·B
userCertificate;binary:< file:///path/to/cert.der
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
9.3. LDAP ÎNCAg
T[oÉؾðL^µÄ©çA»êðǤâÁÄæèo·Ì©svcÉv¤
©àµêܹñB
¼ÌNCAgƯlANetscape Í LDAP T[o©ç©®IÉؾðæè
o·@\ðT|[gµÄ¢Ü·BuZL
eB¨[Uؾ¨fBNg
ðõvÆ·é±ÆÅA LDAP fBNgàÌؾðõµÄA»êð
Netscape ؾf[^x[XÉ©®ÅCXg[·é±ÆªÅ«éÌÅ·B
±Ì¼ÉAؾÖÌT|[gÌÇ¢NCAgÉÍ web2ldap (
www.web2ldap.de <http://www.web2ldap.de/>) ª èÜ·B
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
10. SSL/TLS ÆASSL/TLS Ì LDAP pbp
10.1. SSL ÌÈPÈà¾
Secure Socket Layer (SSL) Íp[eBÔÌZL
AÈ]oHðñ·éA
vP[VCvgRÅ·B HTTP, LDAP, SMTP XÌAvP[
VxÌvgRÆ TCP/IP ÆÌÔðÆèàÂàÌÅAöJ®ÃV
Xe (íXÌûû@ªpÂ\) Æ X.509 ؾû®ÉîâĢܷB
SSL ÍàÆàÆ Netscape ÌvgRŵ½ªAXÉWIÈàÌÆÈè
A¡ÅÍ TLS (Transmission Layer Security) ÆÄÎêéàÌÉÈèܵ½B
êÊIÉ SSL/TLS Ƶľy³êÜ·B
SSL/TLS vgRÍȺÌ@\ðñµÜ·B
E f[^Ìû\NCAg^T[oÔÌZbVªÃ»³êÜ·
B
E T[oFØ\NCAg¤©çAT[oª{¨©Ç¤©ðØ·é±Æ
ªÅ«Ü·B
E bZ[W®S«\f[^Í]ÉèðÁ¦çêܹñB±êÍuman
in the middlevU[6]ðh~µÜ·B
E NCAgFØ\T[oÍNCAgª{¨©Ç¤©ØÅ«Ü·B
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
10.2. OpenLDAP Ì SSL/TLS T|[g
LDAP V3 Ìc[LbgÅ é OpenLDAP 2.0.x ©çÍAT[oÉæÁÄ SSL/
TLS T|[gªõ¦çêĢܷB½¾µ SSL/TLS ðÇÁ·é½ßÉÍA
OpenLDAP 2.0.x ª OpenSSL ÌCuðgÁÄRpC³êéKvª
èÜ·BܽA2.0.x ÉÍ Start-TLS ÌT|[gà èÜ·B
Note: Start-TLS ÍANCAgªvµ½Æ«¾¯ TLS ðLøÉ·é
±ÆªÅ«éæ¤ÉµÜ·B±Ìû@¾ÆAPÆÌ LDAP |[gðZL
AÈڱƻ¤ÅȢڱ̼ûÉg¤±ÆªÂ\Å·B
OpenLDAP 1.2.x Í»êÆÍÙÈè LDAP V2 vgRÉæéÀÅ èASSL
/TLS ðõ¦Ä¢Ü¹ñB
OpenLDAP 2.0.x ãÌ SSL/TLS ÉÖµÄÍ OpenLDAP ÌEFuTCgÉ¿l
éîñª èÜ·ÌÅA±±ÅÍ SSL/TLS ÉεĢȢ LDAP p[eBð
SSL glðgÁÄZL
AÉ·éû@ÉÅ_ðí¹é±ÆɵܷB
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
10.3. stunnel ðgÁÄ LDAP V2 T[oÉ SSL/TLS ðñ·éû@
OpenLDAP 1.2.x ðgÁÄ¢éÈçÎAT[oÉ SSL @\ðÇÁ·é½ßÉÍ
Äp SSL bpªKvÉÈèÜ·Bstunnel (www.stunnel.org <http://
www.stunnel.org>) ÍÀèµÄ¢ÄA±ÌÚIÉKµÄ¢Ü·B
stunnel ÌCXg[ÍÆÄàÈPÅ·ªAͶßÉ OpenSSL (
www.OpenSSL.org <http://www.OpenSSL.org>) ðCXg[µÄAKvÈ
CuÆc[ðpÓµÈÄÍÈèܹñB
OpenSSL ÆÍ SSL vgRÌI[v\[XÉæéÀÅ èA SSL Ì
CuÆÃc[ê®ðõ¦Ä¢Ü·B
OpenSSL ðCXg[·éÉÍÌR}hðü͵ÈÄÍÈèܹñB
$ ./config
$ make
$ make test
# make install
Ó¤ÍA·×Ä /usr/local/ssl àÉCXg[³êé±ÆÉÈèÜ·B
OpenSSL ª³µCXg[³êÄ¢êÎAstunnel ðRpCµÄC
Xg[·é½ßÉüͪKvÈÌÍAÌR}h¾¯Å·B
$ ./configure
$ make
# make install
stunnel Í SSL ÉT[oؾðg¢Ü·B±êͩȼÌؾ (self
signed certificate) Åàæ¢ÌÅ·ªA³çÉÇ¢ÌÍ©ªÌFØÇ
(Certification Authotrity) ÉæÁļ³ê½Ø¾Å· (SSL NCA
gà»Ì CA ðMpµÄ¢ÈÄÍÈèܹñª)B
»Ìæ¤ÈؾÌAêÊIÉp¢çêéÛÇêͱ±Å·B
/usr/local/ssl/certs/stunnel.pem
àµFØÇÌL³ðCɵȢÌÅ êÎA OpenSSL ZbgÉæÁÄñ³ê
éc[ðgÁÄA©È¼Ìؾðì¬Å«Ü·B
stunnel ÌfBNgàÌ stunnel.cnf Æ¢¤Ýèt@Cðg¤½ßA»
ÌfBNgÅAÌR}hðü͵ľ³¢B
$ openssl req -new -x509 -days 365 -nodes -config stunnel.cnf -out stunnel.pem -keyout stunnel.pem
$ openssl gendh 512 >> stunnel.pem
±êÉæÁÄA©È¼ÉæéêNÔLøÈؾª stunnel.pem t@CÌ
É쬳êÜ·B
stunnel ªCXg[³ê½çAܸÅÉÌæ¤ÉµÄ LDAP T[oð
389 ÔÌ|[g (ftHgÌ LDAP |[g) ãÉN®µÄ¾³¢B
# /usr/local/libexec/slapd
»ê©çÌæ¤É 636 ÔÌ (LDAPS NCAgÉæÁÄgp³êé) |[
gÉ stunnel ÅglµÄ¾³¢B
# /usr/local/sbin/stunnel -r ldap -d 636 -p /usr/local/ssl/certs/stunnel.pem
fobO̽ßÉÌ®ÅtHAOEhÉ stunnel ðN®·é±ÆàÅ
«Ü·B
# /usr/local/sbin/stunnel -r ldap -d 636 -D 7 -f -p /usr/local/ssl/certs/stunnel.pem
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
10.4. stunnel ðgÁÄ LDAP NCAgÉ SSL ðñ·éû@
½Ì LDAP NCAgÍ SSL ÎÅÍ èܹñBµ©µ stunnel ðN
CAg[hÅg¤±ÆÅA±êçÌNCAgÉ SSL ðñ·é±Æ
ªÂ\Å·B
±êÍñíÉÈPÅ·BNCAgzXgãÅ stunnel ðÌæ¤ÉN®µ
ÄALDAPS |[gÉηévðÀÛÌ LDAP T[oÉ]·éæ¤ÉµÄ
¾³¢B
# stunnel -c -d 636 -r ldapserver.yourorg.com:636
±ÌÆ« LDAP NCAgÍ localhost:636 ð LDAPS T[oƵÄg¤æ
¤Ýè³êÈÄÍÈèܹñB
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
10.5. stunnel ðgÁÄ slurpd vP[VÉ SSL ðñ·éû@
»_Å slurpd (slapd vP[Vf[) Í SSL @\ðÁÄ¢
È¢ÆÍ¢¦Astunnel ðNCAg[hÅgÁÄA±Ìðð³¹é±
ƪūܷB
Ìæ¤É}X^T[oãÅNCAg[hÌ stunnel ðg¢A[J
|[gð[g|[gÉ]µÄ¾³¢B
# stunnel -c -d 9636 -r ldapreplica.yourorg.com:636
»µÄ}X^ LDAP T[oÌ slapd.conf ÉÌLqðüêľ³¢B
replica host=localhost:9636
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
11. ZL
eBÖA
(óF´¶ª èܹñ)
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
12. LDAP XL[}
±êÜÅ°½@\ÉKvÈf[^ÌêðÈñÆ©·éÌÍXL[}Ìâ
èÅ·BÇñÈ«ÅàAµlɵ¤×«àÌÆÝȵĩµ±Üé׫ÅÍ
èܹñB±±É éáÍÚIɩȤ͸ŷªA©ªÌÁèÌKvÉ
í¹ÈÄÍÈçÈ¢±Æཪ éÆv¢Ü·B
eGgÌÓ¡Æüêé׫îñðð¾·é½ßÉÆÄàêJµÄ«½ («
ÁÆÍÁ«è¢Ä éÌŵ太AÇ±É¢Ä é©ªª©çÈ¢) Ì
ÅAÒàsöëÅâÁÄÝÜ·Bµ©µÓ·×«±ÆÉAeprÌXL
[}ð¯ÉâèÈpÅ«éÆ¢¤í¯ÅÍ èܹñB Microsoft ÌA
hX ÉÍA\¦³êÄ¢éÌÉ LDAP ÅgpµÈ¢tB[hª éæ¤
Å·BuðEvujbNl[vus欺vus¹{§vu(©îÌ) XÖÔ
vu(©îÌ) /nævu(©îÌ) Web y[WvÌGgÉÍA½Ìîñ
àKvÈ¢æ¤Év¦Ü· (óFú{êÅÅÌ®ìÍ¢mF)BuÂlîñv
uNetMeetingvufW^ IDvÉ¢ÄÍAܾÇÌæ¤É LDAP f[^x[
XÉüêçêéÌ©ð¾·é½ßÌwÍðµÄ¢Ü¹ñBÇñÈîñà½}µ
Ü·B Netscape ÌAhX Éà¯lÌâèª èÜ·BR[hª LDAP
fBNg©ç[JÌAhX ÉRs[³êéÆ«ÉAô©ÌtB
[hªÁ¦ÄµÜ¤ÌÅ·B±êÍåâèÆ;¦ÈÆàAgDSÌÅg
¤AhXubNÆ¢¤«¿ãA[UÍ[JÉRs[·éCðÈ·Í
¸Å·Bµ©àA Netscape ÌAhX ÉÍA¼É൨©µÈ_ª è
Ü·BÊÌAhXR[hÅÍAujbNl[vªi[³ê鮫Í
xmozillanickname Å·BƱëªõÍPÈé nickname ÈÌÅ·BlbN
l[ÌGgªXL[}ÉñxoÄéÌÉÍA±¤¢¤Rª éÌÅ
·B
±ÌXL[}Í Microsoft Outlook 2000 Æ Netscape 4.73 Å®ìªmF³ê
ĢܷªAà¾A@\AGgÌKv«ÉÖµÄÔᢪ êÎAǤ©
¨mç¹¾³¢I (óFú{êÌtB[h\¦Í Windows 98 ÌAh
X Æ Windows Å Netscape 6.1 ©çªµ½àÌÅ·Bú{êÅÅÌ®ìÍ
ÙÆñÇ¢mFÅ·B½¾Aú{êÅ Windows Me + Outlook 2000 ÅAhX
ð±µ½ÍÍÅͳµ¢æ¤Åµ½B)
±ÌXL[}ð\»µ½t@CÍ Section 13.1 É èÜ·B(óFóÒÍ
A±Ìt@CðǤg¤Ì©ª©èܹñŵ½B®ªÃ¢Ì©àH)
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
Table 1. LDAP Ì®«Æ objectclass \ÈPÈà¾
¡¦¦¦¦¢
@\ Objectclass ®« ྠùèlâá
¥©©©©§
[UAJ top ftHg
Eg ¥©©§
ou jbg¼ Users
(Organizational
Unit)
¥©©©§
person ±Ì objectclass
ÌLÒÍlÔÅ
·
¥©©§
uid Unix OC¼ foo
¥©©§
cn ¼ (Common Foo Bar
Name)
¥©©§
sn © (Surname) Bar
¥©©©§
account ±Ì objectclass
ÌLÒÉÍAJ
Egª èÜ·
¥©©©§
posixaccount ±Ì objectclass
ÌLÒÉÍ
Unix AJEg
ª èÜ·
¥©©§
uidNumber [U ID (uid) 513
Ô
¥©©§
gidNumber O[v ID 100
(gid) Ô
¥©©§
homedirectory z[fBNg /home/users/
foo
¥©©§
userpassword Unix pX[h S3cr3t
¥©©©§
sambaaccount ±Ì objectclass
ÌLÒÉÍ
Samba AJEg
ª èÜ·
¥©©§
ntuid s¾ uid
¥©©§
rid s¾ uidnumber
¥©©§
lmpassword Lanman ÌpX ¢gp
[hÌnbV
l
¥©©§
ntpasswd NT ÌpX[h ¢gp
ÌnbV
l
¥©©§
loginshell [UÌVF /bin/pleurop
¥©©©©§
}VAJ top ftHg
Eg ¥©©§
ou jbg¼ Machines
(Organizational
Unit)
¥©©©§
posixaccount ±Ì objectclass
ÌLÒÉÍ
Unix AJEg
ª èÜ·
¥©©§
uid OC¼ speed$
¥©©§
uidnumber Unix Ì[U ID 514
(uid) Ô
¥©©§
gidnumber O[v ID 100
(gid) Ô
¥©©§
homedirectory z[fBNg ¢gp
¥©©©©§
Microsoft top ftHg
AhX ¥©©§
ou jbg¼ Addressbook
(Organizational
Unit)
¥©©©§
microsoftaddressbook ±Ì objectclass
ÌLÒÉÍ
Microsoft Ah
X ÌvpeB
ª èÜ·
¥©©§
cn \¦¼ (Common
Name)
¥©©§
c αæÌ/næ
(Country)
¥©©§
department αæ̼
¥©©§
facsimiletelephonenumber αæÌt@bN
X
¥©©§
givenname ¼
¥©©§
homephone ©îÌdbÔ
¥©©§
homepostaladdress ©îÌÔn
¥©©§
info
¥©©§
initials CjV
¥©©§
l αæÌs欺
¥©©§
mail dq[Ah
X
¥©©§
mobile ©îÌgÑdb
¥©©§
organizationname ïм
¥©©§
otherfacsimiletelephonenumber ©îÌt@bNX
¥©©§
otherpager αæÌ|Pbg upagervà
x H
¥©©§
physicaldeliveryofficename αæÌItBX
¥©©§
postaladdress αæÌÔn
¥©©§
postalcode αæÌXÖÔ
¥©©§
sn © (Surname)
¥©©§
st αæÌs¹{§
¥©©§
telephonenumber αæÌdbÔ
¥©©§
title ðE
¥©©§
url αæÌ Web y
[W
¥©©©©§
Netscape top ftHg
AhX ¥©©§
ou jbg¼ Addressbook
(Organizational
Unit)
¥©©©§
netscapeaddressbook ±Ì objectclass
ÌLÒÉÍ
Netscape Ìv
peBª èÜ·
¥©©§
cn \¦ (Common
Name)
¥©©§
cellphone gÑdb
¥©©§
countryname
¥©©§
description à¾
¥©©§
facsimiletelephonenumber Fax
¥©©§
givenname ¼
¥©©§
homephone ©îÌdbÔ
¥©©§
homeurl ©îÌ Web y[
W
¥©©§
locality ©îÌs欺
¥©©§
mail dq[
¥©©§
nickname jbNl[
¥©©§
o gD
¥©©§
ou
¥©©§
pagerphone |Pbgx
¥©©§
postalcode ©îÌXÖÔ
¥©©§
sn © (Surname)
¥©©§
st s¹{§
¥©©§
streetaddress ©îÌÔn
¥©©§
telephonenumber αæÌdbÔ
¥©©§
title ðE
¥©©§
xmozillaanyphone αæÌdbÔ
¥©©§
xmozillanickname jbNl[ unicknamev
Ư¶Å·
¥©©§
xmozillausehtmlmail bZ[WðóM TRUE
·éÆ«ÌDæ
®ª HTML
¥©©©©§
Netscape top ftHg
[~O ¥©©§
ANZX ou jbg¼ Roaming
(Organizational
Unit)
¤¨¨¨¨£
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
Note: Netscape Æ Microsoft ÅÍAAhX ÌGgÌg¢ûª
XÙÈèÜ·BNetscape ÍXÖ̶æ (Z) ð streetaddress Gg
É base64 GR[hÅi[µAMicrosoft Í postaladdress Gg
ðg¢Ü·Bµ©µÈªçAstreetaddress Ggª éÆ Microsoft
Í postaladdress ÌãíèÉ»¿çðg¢Ü·BÆ±ëª Microsoft Ì
streetaddress ÌlÍ base 64 GR[hȵ̽¶ (v[eLX
g) Å·BÅ·©çA¯ÉÍg¦Ü¹ñB
Linux Center <http://ldap.hklc.com/> ÅÍA LDAP XL[}SÊÉÖ·éî
ñð³çɾçêÜ·B Microsoft AhX ÌvpeBððൽ¶Í
Microsoft Developers Network <http://msdn.microsoft.com/library/psdk/
adsi/gluser_4437.htm> É èܵ½B
ӵľ³¢BMicrosoft Ìy[WÉ éà¾ÍAhX Ì\¦àeÉ
¨¯étB[hÆvµÜ¹ñBܽAAhX ÌtB[h·×Īî
ñðÁÄ¢éí¯ÅÍ èܹñªA°çêĢ鮫ŤܮìµÈ
¢ÈçA{ÍÇÌ®«ª¤Ü®ì·éÌ©AÆ¢¤±ÆÜÅͪ©èܹ
ñB
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
13. t@CÌá
t@CÌáÅ·B±êðgÁÄA±Ì¶ÅླêÄ¢éƨèÌ\¬ð
\zūܷB
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
13.1. XL[}t@C
# Unix ÖA¨æÑftHgÌ objectclass (C³ è)
attribute userpassword ces
attribute telephonenumber tel
attribute facsimiletelephonenumber fax tel
attribute pagertelephonenumberpager tel
attribute homephone tel
attribute mobiletelephonenumber mobile tel
attribute member dn
attribute owner dn
attribute dn dn
objectclass top
requires
objectClass
objectclass organization
requires
objectClass,
o
allows
description
objectclass organizationalUnit
requires
objectClass,
ou
allows
description
objectclass person
requires
objectClass,
cn
allows
description
objectclass account
requires
objectClass,
uid
allows
description,
host,
o,
ou
# Samba ÖAÌ objectclass (IWi)
objectclass sambaaccount
requires
objectclass,
uid,
uidnumber,
ntuid,
rid
allows
gidnumber,
grouprid,
nickname,
userpassword,
ou,
description,
lmpassword,
ntpassword,
pwdlastset,
smbhome,
homedrive,
script,
profile,
workstations,
acctflags,
pwdcanchange,
pwdmustchange
objectclass sambagroup
requires
cn,
rid
allows
ntuid,
member,
description
objectclass sambaconfig
requires
id
allows
nextrid
objectclass sambabuiltin
requires
cn,
sid
allows
ntuid,
rid,
member,
description
# Sendmail ÖAÌ objectclass (VK / C³ è)
objectclass inetmailrecipient
requires
objectclass
allows
mailid,
mailacceptinggeneralid,
maildrop
objectclass inetmaildomain
requires
objectclass,
sendmailislocalkey
allows
maildomain,
sendmailaccesskey
# AhXubNÖAÌ objectclass
objectclass netscapeaddressbook
requires
objectclass,
cn
allows
cellphone,
countryname,
description,
facsimiletelephonenumber,
givenname,
homephone,
homeurl,
locality,
mail,
nickname,
o,
ou,
pagerphone,
postalcode,
sn,
st,
streetaddress,
telephonenumber,
title,
xmozillanickname,
xmozillausehtmlmail,
xmozillaanyphone
objectclass microsoftaddressbook
requires
objectclass,
cn
allows
c,
department,
facsimiletelephonenumber,
givenname,
homephone,
homepostaladdress,
info,
initials,
l,
mail,
mobile,
organizationname,
otherfacsimiletelephonenumber,
otherpager,
physicaldeliveryofficename,
postaladdress,
postalcode,
sn,
st,
telephonenumber,
title,
url
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
13.2. x[X LDIF Ìá
dn: dc=yourorg,dc=com
objectClass: top
objectClass: organization
o: YourOrg
description: This is our organizations base dn. Everything is stored beneath this
dn: ou=Users,dc=yourorg,dc=com
objectClass: top
objectClass: organizationalunit
ou: Users
description: This is the tree were user accounts are stored
dn: ou=Machines,dc=yourorg,dc=com
objectClass: top
objectClass: organizationalunit
ou: Machines
description: This is the tree were machine accounts are stored
dn: ou=Roaming,dc=yourorg,dc=com
objectClass: top
objectClass: organizationalunit
ou: Roaming
description: This is the tree were netscape roaming profiles are stored
dn: ou=Addressbook,dc=yourorg,dc=com
objectClass: top
objectClass: organizationalunit
ou: Addressbook
description: This is the tree were addressbook entries are stored
ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
14. ú{êóÉ¢Ä
ÌûXÉæÁÄZ³³êܵ½B|óÒ©ç´Ó\µã°Ü·B´¶ÉÈ¢
Ôá¢Í·×Ä|óÒÌÍÊs«ÉæéàÌÅ èA´¶æèDê½_Í·×
ÄZ³ÒÌûX̨©°Å·B
E xcÏpl
E ì{_êl
E în«l
E konkiti l
E ìml
E ìYl
Note: Z³ÒÌûXÖFLüRêâ\LÌssª²´¢Üµ½ç\µ
ó èܹñBóÒÜŲêñ¾³¢B
¨Ct«Ì_ÍóÒ© JF vWFNgÜŲA¾³¢B
Notes
[1] LDAP f[^x[XÌ¡»ðT[oÔÅsȤdgÝ
[2] NIS ÅèÄÄ¢éêÍÙÈèÜ·B
[3] ÐÆÂÌGgª¡Ì objectclass É®·é±ÆªÅ«Ü·B
[4] EZƵÄANetscape Communicator Ìؾf[^x[Xðg¤±Æà
Å«Ü·B
[5] óF´¶ÅÍ Netscape Active Directory Æ èÜ·ªAuNetscapev
ÍuMicrosoftvÌÔá¢ÆvíêÜ·B
[6] óFMÒÉÈè·Üµ½æOÒªf[^ðüâ·éÈÇBuÔîü
vÆà󷻤ŷB
distrib
>
Mandriva
>
2010.0
>
i586
>
media
>
contrib-release
>
by-pkgid
>
e74e806c1a2640e922856d7eb69d1420
>
files
>
55
