Centralized authentication using OpenLDAP/ko

This guide introduces the basics of LDAP and shows you how to setup OpenLDAP for authentication purposes between a group of Gentoo boxes.

What is LDAP?
LDAP stands for Lightweight Directory Access Protocol. Based on X.500 it encompasses most of its primary functions, but lacks the more esoteric functions that X.500 has. Now what is this X.500 and why is there an LDAP?

X.500 is a model for Directory Services in the OSI concept. It contains namespace definitions and the protocols for querying and updating the directory. However, X.500 has been found to be overkill in many situations. Enter LDAP. Like X.500 it provides a data/namespace model for the directory and a protocol too. However, LDAP is designed to run directly over the TCP/IP stack. See LDAP as a slim-down version of X.500.

I don't get it. What is a directory?
A directory is a specialized database designed for frequent queries but infrequent updates. Unlike general databases they don't contain transaction support or roll-back functionality. Directories are easily replicated to increase availability and reliability. When directories are replicated, temporary inconsistencies are allowed as long as they get synchronised eventually.

How is information structured?
All information inside a directory is structured hierarchically. Even more, if you want to enter data inside a directory, the directory must know how to store this data inside a tree. Lets take a look at a fictional company and an Internet-like tree:

Organisational structure for GenFic, a Fictional Gentoo company

Since you don't feed data to the database in this ascii-art like manner, every node of such a tree must be defined. To name such nodes, LDAP uses a naming scheme. Most LDAP distributions (including OpenLDAP) already contain quite a number of predefined (and general approved) schemes, such as the inetorgperson, a frequently used scheme to define users.

Interested users are encouraged to read the OpenLDAP Admin Guide.

So... What's the Use?
LDAP can be used for various things. This document focuses on centralised user management, keeping all user accounts in a single LDAP location (which doesn't mean that it's housed on a single server, LDAP supports high availability and redundancy), yet other goals can be achieved using LDAP as well.


 * Public Key Infrastructure


 * Shared Calendar


 * Shared Addressbook


 * Storage for DHCP, DNS, ...


 * System Class Configuration Directives (keeping track of several server configurations)



Initial Configuration
Let's first emerge OpenLDAP:

Now generate an encrypted password we'll use later on:

Now edit the LDAP Server config at. Below we'll give a sample configuration file to get things started. For a more detailed analysis of the configuration file, we suggest that you work through the OpenLDAP Administrator's Guide.

/etc/openldap/slapd.conf

Next we edit the LDAP Client configuration file:

Now edit and set the following OPTS line:

/etc/conf.d/slapd

Finally, create the structure:

slapd를 시작하십시오:

You can test with the following command:

If you receive an error, try adding  to increase the verbosity and solve the issue you have.

고가용성이 필요한 경우
고가용성을 필요로 하는 환경일 경우, 다중 LDAP 시스템에 걸친 변경 복제를 설정해야 합니다. OpenLDAP 내의 복제는 이 안내서에서 특정 복제 계정을 사용하여 설정하며, 첫번째 LDAP 서버에 대한 읽기 권한을 부여하고, 두번째 LDAP 서버에 첫번째 LDAP서버의 바뀐점을 보냅니다.

두번째 LDAP 서버가 첫번째 서버의 동작과 유사한 동작을 허용한 상태에서 이 설정을 복제합니다. OpenLDAP의 내부 구조에 감사해야 할 일은 LDAP 구조상 바뀐 내용이 또 있다 할지라도 중복 적용하지 않습니다.

복제 설정
복제를 설정하려면, 먼저 위에서 진행한 바와 같이 두번째 OpenLDAP 서버를 설정해야 합니다. 그러나, 설정 파일에 대해서는 다음을 신경쓰십시오.


 * 동기화 복제 제공자는 다른 시스템을 가리킵니다


 * 각각의 OpenLDAP의 서버ID는 다릅니다

Next, create the synchronisation account. We will create an LDIF file (the format used as data input for LDAP servers) and add it to each LDAP server:

기존 데이터를 LDAP로 이전
Configuring OpenLDAP for centralized administration and management of common Linux/Unix items isn't easy, but thanks to some tools and scripts available on the Internet, migrating a system from a single-system administrative point-of-view towards an OpenLDAP-based, centralized managed system isn't hard either.

Go to http://www.padl.com/OSS/MigrationTools.html and fetch the scripts there. You'll need the migration tools and the  script.

Next, extract the tools and copy the  script inside the extracted location:

다음 단계는 시스템 정보를 OpenLDAP로 옮기는 것입니다. LDAP 구조와 환경에 대한 정보를 제공한 후  스크립트로 이 과정을 진행하십시오.

작성하는 도중에, 도구에서 다음 입력사항을 요구합니다:

또한 도구에서 옮길 계정과 설정이 어떤건지 물어봅니다.

PAM 설정
First, we will configure PAM to allow LDAP authorization. Install  so that PAM supports LDAP authorization, and   so that your system can cope with LDAP servers for additional information (used by ).

이제 의 오른편에 다음 줄을 추가하십시오:

/etc/pam.d/system-auth

이제 읽어들이도록 를 바꾸십시오:

/etc/ldap.conf

Next, copy over the (OpenLDAP) file from the server to the client so the clients are aware of the LDAP environment:

마지막으로 클라이언트를 설정하여 시스템 계정에 대해 LDAP를 검사하도록 하십시오:

/etc/nsswitch.conf

If you noticed one of the lines you pasted into your was commented out (the   line): you don't need it unless you want to change a user's password as superuser. In this case you need to echo the root password to in plaintext. This is DANGEROUS and should be chmoded to 600. What you might want to do is keep that file blank and when you need to change someone's password that's both in the ldap and, put the pass in there for 10 seconds while changing the users password and remove it when done.

OpenLDAP 권한
If we take a look at you'll see that you can specify the ACLs (permissions if you like) of what data users can read and/or write:

/etc/openldap/slapd.conf

This gives you access to everything a user should be able to change. If it's your information, then you got write access to it; if it's another user their information then you can read it; anonymous people can send a login/pass to get logged in. There are four levels, ranking them from lowest to greatest:.

The next ACL is a bit more secure as it blocks normal users to read other people their shadowed password:

/etc/openldap/slapd.conf

This example gives root and John access to read/write/search for everything in the the tree below. This also lets users change their own 's. As for the ending statement everyone else just has a search ability meaning they can fill in a search filter, but can't read the search results. Now you can have multiple acls but the rule of the thumb is it processes from bottom up, so your toplevel should be the most restrictive ones.

디렉터리 관리
You can start using the directory to authenticate users in apache/proftpd/qmail/samba. You can manage it with phpldapadmin, diradm, jxplorer, or lat, which provide easy management interfaces.

감사문
이 안내서의 목적을 달성하기 위해 머신을 빌려준 Matt Heler에게 감사를 표합니다. 또한 #ldap @ irc.freenode.net의 대단한 분들께도 감사를 드립니다.

감사문
이 안내서에 제공한 노고에 대해 다음 작성자와 편집자분들께 감사의 말을 전하고자 합니다:


 * Benjamin Coles


 * swift


 * Brandon Hale


 * Benny Chuang


 * jokey


 * nightmorph