Centralized authentication using OpenLDAP/ko

This guide introduces the basics of LDAP and shows you how to setup OpenLDAP for authentication purposes between a group of computers.

LDAP는 무엇인까요?
LDAP는 "경량 디렉터리 접근 프로토콜을 의미합니다. X.500을 기반하며 주된 기능의 대부분을 아우르고 있지만 X.500이 가진 일부 기능은 부족합니다. 자, 그러면 X.500은 무엇이고 왜 LDAP가 있는걸까요?

X.500 is a model for Directory Services in the OSI concept. It contains namespace definitions and the protocols for querying and updating the directory. However, X.500 has been found to be overkill in many situations. Enter LDAP. Like X.500 it provides a data/namespace model for the directory and a protocol. However, LDAP is designed to run directly over the TCP/IP stack. See LDAP as a slim-down version of X.500.

잘 모르겠는데요. 디렉터리가 뭔가요?
A directory is a specialized database designed for frequent queries but infrequent updates. Unlike general databases they don't contain transaction support or roll-back functionality. Directories are easily replicated to increase availability and reliability. When directories are replicated, temporary inconsistencies are allowed as long as they get synchronised eventually.

정보가 어떻게 구성되어 있죠?
모든 디렉터리 내부 정보는 계층 구조로 되어 있습니다. 게다가 디렉터리에 데이터를 입력하면 트리에 데이터를 어떻게 저장하는지 알아야 합니다. 그러면 허구속의 회사와 인터넷과 비슷한 트리를 보도록 하겠습니다:

GenFic 조직 구조도, 비현실 속 젠투 회사

Since you don't feed data to the database in this ascii-art like manner, every node of such a tree must be defined. To name such nodes, LDAP uses a naming scheme. Most LDAP distributions (including OpenLDAP) already contain quite a number of predefined (and general approved) schemas, such as the inetOrgPerson, or a frequently used schema to define users which Unix/Linux boxes can use, called posixAccount. Note there are GUI web based tools to make managing LDAP painless: see Working with OpenLDAP for an non-exhaustive list.

흥미로운 사용자라면 OpenLDAP 관리자 안내서를 보십시오.

So... What can it be used for?
LDAP can be used for various things. This document focuses on centralised user management, keeping all user accounts in a single LDAP location (which doesn't mean that it's housed on a single server, LDAP supports high availability and redundancy), yet other goals can be achieved using LDAP as well.


 * 공개 키 인프라스트럭처


 * 공유 달력


 * 공유 주소록


 * DHCP, DNS등의 저장소


 * 시스템 수준 설정 지시문(몇가지 서버 설정 유지)


 * Centralised Authentication (PosixAccount)



OpenLDAP Server Configuration
The domain genfic.com is an example in this guide. You will of course want to change this. However, make sure that the top node is an official top level domain (net, com, cc, be, ...).

Let's first emerge OpenLDAP. Ensure the USE flags berkdb, crypt, gnutls, ipv6, sasl, ssl, syslog and tcpd are used.

OpenLDAP has a main user "rootdn" (Root Distinguished Name) password which is generated with the below command and needs to be placed in the as noted later on.

Now edit the LDAP Server configuration in. The provided is from the original openLDAP source. Below is a sample configuration file one can use to replace it with to get things started.

/etc/openldap/slapd.conf

For a more detailed analysis of the configuration file, we suggest that you work through the OpenLDAP Administrator's Guide.

Verifying the configuration
After customizing the file you can check it with the following command.

Vary the debug level (the "-d 1" above) for more info. If all goes well you will see config file testing succeeded. If there's an error,  will list the line number to which it applies (of the  file).

Note that OpenLDAP can store its configuration in two places. One in the original and also in. The second is the new place and designed not be edited with a text editor but generated from the using   in the following manor in. It is not required to convert the configuration and use for now, but support for the currently documented approach will be removed in future versions of this document.

Running this command will transfer and translate the configuration. Once this has been run successfully the command needs to be run every time the is updated. The directory and its contents need to be owned by the ldap service account.

For more instructions read the in-line comments of the generated files.

The below line will enable the configuration method.

/etc/conf.d/slapd

Finally, create the structure:

Start slapd:

If it does not start then increase the loglevel variable in to 4 or more, and look in  for more information.

Configuring the OpenLDAP Client tools
Edit the LDAP Client configuration file. This file is read by ldapsearch and other ldap command line tools.

You can test the running server with the following command:

If you receive an error, try adding  to increase the verbosity and solve the issue you have.

Client Configuration for Centralised Authentication
There are numerous methods/tools that can be used for remote authentication. Some distributions also have their own easy to use configuration tool. Below there are some in no particular order. It is possible to combine local users and centrally authorized accounts at the same time. This is important because, for instance, if the LDAP server cannot be accessed one can still login as root.


 * SSSD (Single Sign-on Services Daemon). Its primary function is to provide access to identity and authentication remote resource through a common framework that can provide caching and offline support to the system. It provides PAM and NSS modules, and in the future will support D-Bus interfaces for extended user information. It also provides a better database to store local users as well as extended user data.


 * Use  to login to the LDAP server and authenticate. Passwords are not sent over the network in clear text.


 * NSLCD (Name Service Look up Daemon). Similar to SSSD, but older.


 * NSS (Name Service Switch) using the traditional  module to fetch password hashes over the network. To permit users to update their password this has to be combined with the   method.

The first two are demonstrated below with the minimum necessary configuration options to get working.

Client PAM configuration SSSD Method
Here is the more direct method. The three files that are required to be edited are mentioned below.

Add sss to the end as shown below to enable the lookup to be handed to the sssd system service. Once you have finished editing start the sssd daemon.

The last file is the most critical. Open an extra root terminal as a fallback before editing this. The lines in bold have been added to enable remote authentication. Note the use of to support creating the user home directories.

Now try logging in from another box.

Client PAM configuration the pam_ldap Module Method
First, we will configure PAM to allow LDAP authorization. Install so that PAM supports LDAP authorization, and  so that your system can cope with LDAP servers for additional information (used by ).

The last file is the most critical open a few extra root windows as a backup before editing this. The lines in bold have been added to enable remote authentication.

/etc/pam.d/system-auth

이제 읽어들이도록 를 바꾸십시오:

/etc/ldap.conf

Next, copy over the (OpenLDAP) file from the server to the client so the clients are aware of the LDAP environment:

마지막으로 클라이언트를 설정하여 시스템 계정에 대해 LDAP를 검사하도록 하십시오:

/etc/nsswitch.conf

If you noticed one of the lines you pasted into your was commented out (the   line): you don't need it unless you want to change a user's password as superuser. In this case you need to echo the root password to in plaintext. This is DANGEROUS and should be chmoded to 600. What you might want to do is keep that file blank and when you need to change someone's password that's both in the ldap and, put the pass in there for 10 seconds while changing the users password and remove it when done.

Migrate existing data to ldap
Configuring OpenLDAP for centralized administration and management of common Linux/Unix items isn't easy, but thanks to some tools and scripts available on the Internet, migrating a system from a single-system administrative point-of-view towards an OpenLDAP-based, centralized managed system isn't hard either.

Go to http://www.padl.com/OSS/MigrationTools.html and fetch the scripts there. You'll need the migration tools and the script.

Next, extract the tools and copy the script inside the extracted location:

The next step now is to migrate the information of your system to OpenLDAP. The script will do this for you, after you have provided it with the information regarding your LDAP structure and environment.

작성하는 도중에, 도구에서 다음 입력사항을 요구합니다:

또한 도구에서 옮길 계정과 설정이 어떤건지 물어봅니다.

High availability
To setup replication of changes across multiple LDAP systems. Replication within OpenLDAP is, in this guide, set up using a specific replication account which has read rights on the primary LDAP server and which pulls in changes from the primary LDAP server to the secondary.

두번째 LDAP 서버가 첫번째 서버의 동작과 유사한 동작을 허용한 상태에서 이 설정을 복제합니다. OpenLDAP의 내부 구조에 감사해야 할 일은 LDAP 구조상 바뀐 내용이 또 있다 할지라도 중복 적용하지 않습니다.

복제 설정
복제를 설정하려면, 먼저 위에서 진행한 바와 같이 두번째 OpenLDAP 서버를 설정해야 합니다. 그러나, 설정 파일에 대해서는 다음을 신경쓰십시오.


 * 동기화 복제 제공자는 다른 시스템을 가리킵니다


 * 각각의 OpenLDAP의 서버ID는 다릅니다

다음, 동기화 계정을 만드십시오. LDIF 파일(LDAP서버 에서 데이터 입력할때 사용하는 형식)을 만들고 LDAP 서버 각각에 이를 추가하겠습니다.

OpenLDAP 권한
If we take a look at you'll see that you can specify the ACLs (permissions if you like) of what data users can read and/or write:

/etc/openldap/slapd.conf

This gives you access to everything a user should be able to change. If it's your information, then you got write access to it; if it's another user their information then you can read it; anonymous people can send a login/pass to get logged in. There are four levels, ranking them from lowest to greatest:.

The next ACL is a bit more secure as it blocks normal users to read other people their shadowed password:

/etc/openldap/slapd.conf

This example gives root and John access to read/write/search for everything in the the tree below. This also lets users change their own 's. As for the ending statement everyone else just has a search ability meaning they can fill in a search filter, but can't read the search results. Now you can have multiple acls but the rule of the thumb is it processes from bottom up, so your toplevel should be the most restrictive ones.

디렉터리 관리
You can start using the directory to authenticate users in apache/proftpd/qmail/samba. You can manage it with LAM (Ldap Account Manager), phpldapadmin, diradm, jxplorer, or lat, which provide easy management interfaces.

감사문
이 안내서의 목적을 달성하기 위해 머신을 빌려준 Matt Heler에게 감사를 표합니다. 또한 #ldap @ irc.freenode.net의 대단한 분들께도 감사를 드립니다.

감사문
이 안내서에 제공한 노고에 대해 다음 작성자와 편집자분들께 감사의 말을 전하고자 합니다:


 * Benjamin Coles


 * swift


 * Brandon Hale


 * Benny Chuang


 * jokey


 * nightmorph