Installation

slapd

 apt-get install slapd
        ┌───────────────────────────┤ OpenLDAP configuration ├────────────────────────────┐
        │ The LDAP directory can be initialized either via an existing LDIF datafile, or  │
        │ automatically using information you supply.                                     │
        │                                                                                 │
        │ Directory initialization method:                                                │
        │                                                                                 │
        │                                    auto                                         │
        │                                    ldif                                         │
        │                                                                                 │
        │                                     <Ok>                                        │
        │                                                                                 │
        └─────────────────────────────────────────────────────────────────────────────────┘

Select auto

   ┌────────────────────────────────┤ OpenLDAP configuration ├─────────────────────────────────┐
   │ The LDAP directory suffix is the root of your LDAP database. You can select one of three  │
   │ possible suffix styles:                                                                   │
   │                                                                                           │
   │ Domain or host style uses the fully qualified hostname of your machine as the basis.      │
   │                                                                                           │
   │ Location uses country and organization name.                                              │
   │                                                                                           │
   │ Custom allows you to speficy your own root root using whatever suffix you want.           │
   │                                                                                           │
   │ Directory suffix style:                                                                   │
   │                                                                                           │
   │                                    domain or host                                         │
   │                                    location                                               │
   │                                    custom                                                 │
   │                                                                                           │
   │                                          <Ok>                                             │
   │                                                                                           │
   └───────────────────────────────────────────────────────────────────────────────────────────┘

Select domain or host

                         ┌────┤ OpenLDAP configuration ├─────┐
                         │                                   │
                         │ Enter the domain name             │
                         │                                   │
                         │     n9d.no-ip.com________________ │
                         │                                   │
                         │              <Ok>                 │
                         │                                   │
                         └───────────────────────────────────┘
      ┌───────────────────────┤ OpenLDAP configuration ├────────────────────────┐
      │  Please enter the password for the admin entry in your LDAP directory.  │
      │                                                                         │
      │ Admin password:                                                         │
      │                                                                         │
      │ _______________________________________________________________________ │
      │                                                                         │
      │                                 <Ok>                                    │
      │                                                                         │
      └─────────────────────────────────────────────────────────────────────────┘

Don't forget this password; if you do, you're in for a hard time (lol)

     ┌────────────────────────┤ OpenLDAP configuration ├────────────────────────┐
     │                                                                          │
     │ It is possible to replicate changes made in this LDAP server to another  │
     │ server.                                                                  │
     │                                                                          │
     │ Replicate to another LDAP server:                                        │
     │                                                                          │
     │                    <Yes>                       <No>                      │
     │                                                                          │
     └──────────────────────────────────────────────────────────────────────────┘

Select No
If you are going to run slurpd, answer Yes here.

libnss-ldap

 apt-get install libnss-ldap
   ┌─────────────────────────┤ Configuring Libnss-ldap ├──────────────────────────┐
   │ Please enter the address of the LDAP server used.                            │
   │                                                                              │
   │ Note: It is usually a good idea to use an IP address; this reduces risks of  │
   │ failure in the event name service is unavailable.                            │
   │                                                                              │
   │ LDAP server host address                                                     │
   │                                                                              │
   │ 127.0.0.1___________________________________________________________________ │
   │                                                                              │
   │                                    <Ok>                                      │
   │                                                                              │
   └──────────────────────────────────────────────────────────────────────────────┘
   ┌──────────────────────────┤ Configuring Libnss-ldap ├──────────────────────────┐
   │ Please enter the distinguished name of the LDAP search base.  Many sites use  │
   │ the components of their domain names for this purpose.  For example, the      │
   │ domain "example.net" would use "dc=example,dc=net" as the distinguished name  │
   │ of the search base.                                                           │
   │                                                                               │
   │ distinguished name of the search base                                         │
   │                                                                               │
   │ dc=n9d,dc=no-ip,dc=com___________________________________________________ │
   │                                                                               │
   │                                    <Ok>                                       │
   │                                                                               │
   └───────────────────────────────────────────────────────────────────────────────┘
     ┌────────────────────────┤ Configuring Libnss-ldap ├────────────────────────┐
     │ Please enter which version of the LDAP protocol ldapns is to use.  It is  │
     │ usually a good idea to set this to highest available version number.      │
     │                                                                           │
     │ LDAP version to use                                                       │
     │                                                                           │
     │                                   3                                       │
     │                                   2                                       │
     │                                                                           │
     │                                  <Ok>                                     │
     │                                                                           │
     └───────────────────────────────────────────────────────────────────────────┘

Select 3

  ┌───────────────────────────┤ Configuring Libnss-ldap ├───────────────────────────┐
  │                                                                                 │
  │ Does the LDAP database require login?                                           │
  │                                                                                 │
  │ Answer this question affirmatively only if you can't retreive entries from the  │
  │ database without logging in.                                                    │
  │                                                                                 │
  │ Note: Under a normal setup, this is not needed.                                 │
  │                                                                                 │
  │ database requires login                                                         │
  │                                                                                 │
  │                      <Yes>                         <No>                         │
  │                                                                                 │
  └─────────────────────────────────────────────────────────────────────────────────┘

Select Yes

  ┌───────────────────────────┤ Configuring Libnss-ldap ├───────────────────────────┐
  │                                                                                 │
  │ Should the libnss-ldap configuration file be readable and writable only by the  │
  │ file owner?                                                                     │
  │                                                                                 │
  │ If you use passwords in your libnss-ldap configuration, it is usually a good    │
  │ idea to have the configuration set with mode 0600 (readable and writable only   │
  │ by the file's owner).                                                           │
  │                                                                                 │
  │ Note: As a sanity check, libnss-ldap will check if you have nscd installed and  │
  │ will only set the mode to 0600 if nscd is present.                              │
  │                                                                                 │
  │ make configuration readable/writeable by owner only                             │
  │                                                                                 │
  │                      <Yes>                         <No>                         │
  │                                                                                 │
  └─────────────────────────────────────────────────────────────────────────────────┘

Select No

      ┌──────────────────────┤ Configuring Libnss-ldap ├───────────────────────┐
      │ Enter the name of the account that will be used to log in to the LDAP  │
      │ database.                                                              │
      │                                                                        │
      │ unprivileged database user                                             │
      │                                                                        │
      │ cn=admin,dc=n9d,dc=no-ip,dc=com___________________________________ │
      │                                                                        │
      │                                 <Ok>                                   │
      │                                                                        │
      └────────────────────────────────────────────────────────────────────────┘
       ┌──────────────────────┤ Configuring Libnss-ldap ├──────────────────────┐
       │ Enter the password that will be used to log in to the LDAP database.  │
       │                                                                       │
       │ password for database login account                                   │
       │                                                                       │
       │ _____________________________________________________________________ │
       │                                                                       │
       │                                <Ok>                                   │
       │                                                                       │
       └───────────────────────────────────────────────────────────────────────┘
  ┌───────────────────────────┤ Configuring Libnss-ldap ├───────────────────────────┐
  │                                                                                 │
  │ nsswitch.conf is not managed automatically                                      │
  │                                                                                 │
  │ For this package to work, you need to modify your /etc/nsswitch.conf to use     │
  │ the ldap datasource.  There is an example file at                               │
  │ /usr/share/doc/libnss-ldap/examples/nsswitch.ldap which can be used as an       │
  │ example for your nsswitch setup, or it can be copied over your current setup.   │
  │                                                                                 │
  │ Also, before removing this package, it is wise to remove the ldap entries from  │
  │ nsswitch.conf to keep basic services functioning.                               │
  │                                                                                 │
  │                                     <Ok>                                        │
  │                                                                                 │
  └─────────────────────────────────────────────────────────────────────────────────┘

As the dialog says, modify nsswitch.conf as follows:

 passwd:         compat ldap
 group:          compat ldap
 shadow:         compat ldap

With this, LDAP is consulted whenever a user name is not found in the local files.
However, when you are logged in as an LDAP user, passwd and the like will not work as-is, so the libpam-ldap setup below is required.
whoami still doesn't work properly even with this in place (no idea why).
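As an added example (not part of the original page), here is a small POSIX shell script that checks the two things this step configures by hand: that passwd, group and shadow in nsswitch.conf all fall back to ldap, and that a libnss-ldap configuration file holding a bindpw is not readable by group or others (the mode-0600 question in the dialog above exists for exactly that reason, and the libpam-ldap dialog further down warns that a world-readable file must not hold a privileged DN). The file names, the example.net base and the bind DN and password are constructed placeholders; on a real host point the functions at /etc/nsswitch.conf and /etc/libnss-ldap.conf instead.

```shell
#!/bin/sh
# Added example, not from the original page. Offline checks for the nsswitch.conf
# edit above and for the libnss-ldap configuration that carries bind credentials.
# Every file below is constructed in a temporary directory for demonstration.

# nss_has_ldap FILE DB: succeed if the "DB:" line in FILE lists the ldap source.
nss_has_ldap() {
    awk -v db="$2" '
        $1 ~ /^#/ { next }
        $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# nss_check_all FILE: passwd, group and shadow must all consult ldap, otherwise an
# LDAP user resolves for some lookups (the passwd entry) but not others (group
# membership, password ageing) and logins fail in confusing ways.
nss_check_all() {
    for db in passwd group shadow; do
        nss_has_ldap "$1" "$db" || { echo "nsswitch: '$db' does not list ldap" >&2; return 1; }
    done
}

# bind_secret_exposed CONF: succeed if CONF stores a bind password (bindpw) while
# group or others can read it. The dialog's mode-0600 question guards against this.
bind_secret_exposed() {
    grep -Eq '^[[:space:]]*bindpw[[:space:]]' "$1" || return 1   # no password stored: nothing to leak
    perms=$(stat -c '%a' "$1")                                   # e.g. 644; GNU stat assumed
    case "$perms" in
        *00) return 1 ;;   # group and other have no permission bits at all
        *)   return 0 ;;
    esac
}

WORK=$(mktemp -d)

# Constructed: nsswitch.conf as edited in this section.
cat > "$WORK/nsswitch.conf" <<'EOF'
passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap
hosts:          files dns
EOF

# Constructed: the same edit with the shadow line forgotten.
cat > "$WORK/nsswitch-partial.conf" <<'EOF'
passwd:         compat ldap
group:          compat ldap
shadow:         compat
EOF

# Constructed libnss-ldap.conf; DN and password are placeholders, and the file is
# deliberately left world-readable to show what the check reports.
cat > "$WORK/libnss-ldap.conf" <<'EOF'
host 127.0.0.1
base dc=example,dc=net
ldap_version 3
binddn cn=PLACEHOLDER-READER,dc=example,dc=net
bindpw PLACEHOLDER-PASSWORD
EOF
chmod 644 "$WORK/libnss-ldap.conf"

nss_check_all "$WORK/nsswitch.conf" && echo "nsswitch.conf: ldap on passwd, group and shadow"
nss_check_all "$WORK/nsswitch-partial.conf" || echo "nsswitch-partial.conf: incomplete"
if bind_secret_exposed "$WORK/libnss-ldap.conf"; then
    echo "libnss-ldap.conf: bindpw stored but mode is $(stat -c '%a' "$WORK/libnss-ldap.conf"); chmod 600 it"
fi
```

The bindpw check only looks at the file mode; it says nothing about how privileged the DN in binddn is, which is the other half of the warning the dialogs give.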

libpam-ldap

 apt-get install libpam-ldap
  ┌──────────────────────────┤ Configuring Libpam-ldap ├───────────────────────────┐
  │                                                                                │
  │ This option will allow you to make password utilities that use pam, to behave  │
  │ like you would be changing local passwords.                                    │
  │                                                                                │
  │ The password will be stored in a separate file which will be made ad readable  │
  │ to root only.                                                                  │
  │                                                                                │
  │ If you are using NFS mounted /etc or any other custom setup, you should        │
  │ disable this.                                                                  │
  │                                                                                │
  │ Make local root Database admin.                                                │
  │                                                                                │
  │                      <Yes>                         <No>                        │
  │                                                                                │
  └────────────────────────────────────────────────────────────────────────────────┘

Select Yes

  ┌───────────────────────────┤ Configuring Libpam-ldap ├───────────────────────────┐
  │                                                                                 │
  │ You need to log in to the database only if you can't retreive entries from the  │
  │ database without it.                                                            │
  │                                                                                 │
  │ This is not the same as root login, entering privileged login here is           │
  │ dangerous, as the configuration file has to be readable to all.                 │
  │                                                                                 │
  │ Note: on a normal setup this is not needed.                                     │
  │                                                                                 │
  │ Database requires logging in.                                                   │
  │                                                                                 │
  │                      <Yes>                         <No>                         │
  │                                                                                 │
  └─────────────────────────────────────────────────────────────────────────────────┘

Select Yes

             ┌───────────────┤ Configuring Libpam-ldap ├────────────────┐
             │ This account will be used when root changes a password.  │
             │                                                          │
             │ Note: This account has to be a privileged account.       │
             │                                                          │
             │ Root login account                                       │
             │                                                          │
             │ cn=admin,dc=n9d,dc=no-ip,dc=com_____________________ │
             │                                                          │
             │                          <Ok>                            │
             │                                                          │
             └──────────────────────────────────────────────────────────┘
  ┌───────────────────────────┤ Configuring Libpam-ldap ├───────────────────────────┐
  │ This is the account that will be used to log in to the LDAP database.           │
  │                                                                                 │
  │ Warning: DO NOT use privileged accounts for logging in, the configuration file  │
  │ has to be world readable.                                                       │
  │                                                                                 │
  │ Unprivileged database user.                                                     │
  │                                                                                 │
  │ cn=admin,dc=n9d,dc=no-ip,dc=com____________________________________________ │
  │                                                                                 │
  │                                     <Ok>                                        │
  │                                                                                 │
  └─────────────────────────────────────────────────────────────────────────────────┘
  ┌───────────────────────────┤ Configuring Libpam-ldap ├───────────────────────────┐
  │ The PAM module can set the password crypt locally when changing the passwords,  │
  │ this is usually a good choice. By setting this to something else than clear     │
  │ you are making sure that the password gets crypted in some way.                 │
  │                                                                                 │
  │ The meanings for selections are:                                                │
  │                                                                                 │
  │ clear - Don't set any encryptions, this is useful with servers that             │
  │ automatically encrypt userPassword entry.                                       │
  │                                                                                 │
  │ crypt - (Default) make userPassword use the same format as the flat             │
  │ filesystem. this will work for most configurations                              │
  │                                                                                 │
  │ nds - Use Novell Directory Services-style updating, first remove the old        │
  │ password and then update with cleartext password.                               │
  │                                                                                 │
  │ ad - Active Directory-style. Create Unicode password and update unicodePwd      │
  │ attribute                                                                       │
  │                                                                                 │
  │ exop - Use the OpenLDAP password change extended operation to update the        │
  │ password.                                                                       │
  │                                                                                 │
  │ Local crypt to use when changing passwords.                                     │
  │                                                                                 │
  │                                    crypt                                        │
  │                                    clear                                        │
  │                                    nds                                          │
  │                                    ad                                           │
  │                                    exop                                         │
  │                                                                                 │
  │                                     <Ok>                                        │
  │                                                                                 │
  └─────────────────────────────────────────────────────────────────────────────────┘

Select crypt

Change /etc/pam.d/passwd as follows so that the passwd command can change LDAP passwords:

 password   sufficient pam_ldap.so
 password   required   pam_unix.so nullok obscure min=4 max=8 try_first_pass

Change /etc/pam.d/login as follows:

 # This module parses /etc/environment (the standard for setting
 # environ vars) and also allows you to use an extended config
 # file /etc/security/pam_env.conf.
 # (Replaces the `ENVIRON_FILE' setting from login.defs)
 auth       required   pam_env.so
 
 auth       sufficient pam_ldap.so
 account    sufficient pam_ldap.so
 password   sufficient pam_ldap.so
 
 # Standard Un*x authentication. The "nullok" line allows passwordless
 # accounts.
 auth       required   pam_unix.so nullok use_first_pass
 # The standard Unix authentication modules, used with NIS (man nsswitch) as
 # well as normal passwd and shadow entries. For the login service,
 # this is only used when the password expires and must be changed, so make
 # sure this one and the one in passwd are the same. The "nullok"
 # option allows users to change an empty password, else empty passwords are
 # treated as locked accounts.
 #
 # (Add `md5' after the module name to enable MD5 passwords the same way that
 # `MD5_CRYPT_ENAB' would do under login.defs).
 #
 # The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
 # login.defs. Also the "min" and "max" options enforce the length of the
 # new password.
 
 password   required   pam_unix.so nullok obscure min=4 max=8 try_first_pass
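To check the stack you just edited without logging out of your root shell, here is an added example (not from the original page): a small shell reader for pam.d files. The two sample files are constructed from the login and passwd snippets in this section, the second with use_first_pass deliberately left off the pam_unix.so auth line; on a real host pass /etc/pam.d/login or /etc/pam.d/passwd instead. Besides module order it lists the nullok lines, which (as the comment above says) allow passwordless accounts, so that choice is made consciously.

```shell
#!/bin/sh
# Added example, not from the original page. Reads pam.d-style files and answers
# the questions that matter after the edit above: is pam_ldap.so consulted before
# pam_unix.so, does pam_unix.so reuse the password pam_ldap.so already asked for,
# and which lines accept empty passwords. Sample files are constructed below.

# pam_stack FILE TYPE: print "control module args..." for every active line of the
# given type (auth, account, password, session); comments and blank lines skipped.
pam_stack() {
    awk -v t="$2" '
        NF == 0 || $1 ~ /^#/ { next }
        $1 == t { $1 = ""; sub(/^[[:space:]]+/, ""); print }' "$1"
}

# pam_module_order FILE TYPE MOD_A MOD_B: succeed if MOD_A appears before MOD_B in
# the TYPE stack, i.e. in the order PAM consults them.
pam_module_order() {
    pam_stack "$1" "$2" | awk -v a="$3" -v b="$4" '
        $2 == a && !seen_a { seen_a = NR }
        $2 == b && !seen_b { seen_b = NR }
        END { exit (seen_a && seen_b && seen_a < seen_b) ? 0 : 1 }'
}

# pam_unix_reuses_password FILE: succeed if the auth pam_unix.so line carries
# use_first_pass or try_first_pass, so a user whose password pam_ldap.so rejected
# is not prompted a second time by pam_unix.so.
pam_unix_reuses_password() {
    pam_stack "$1" auth | awk '
        $2 == "pam_unix.so" { for (i = 3; i <= NF; i++) if ($i ~ /^(use|try)_first_pass$/) ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# pam_nullok_lines FILE: print (with line numbers) the active lines carrying nullok.
pam_nullok_lines() {
    grep -En '^[^#].*[[:space:]]nullok([[:space:]]|$)' "$1"
}

WORK=$(mktemp -d)

# Constructed from the /etc/pam.d/login shown above, comment lines left out.
cat > "$WORK/login" <<'EOF'
auth       required   pam_env.so
auth       sufficient pam_ldap.so
account    sufficient pam_ldap.so
password   sufficient pam_ldap.so
auth       required   pam_unix.so nullok use_first_pass
password   required   pam_unix.so nullok obscure min=4 max=8 try_first_pass
EOF

# Constructed variant: use_first_pass forgotten on the pam_unix.so auth line.
cat > "$WORK/login-double-prompt" <<'EOF'
auth       sufficient pam_ldap.so
auth       required   pam_unix.so nullok
EOF

echo "auth stack in $WORK/login:"
pam_stack "$WORK/login" auth
pam_module_order "$WORK/login" auth pam_ldap.so pam_unix.so && echo "pam_ldap.so is tried before pam_unix.so"
pam_unix_reuses_password "$WORK/login-double-prompt" || echo "login-double-prompt: pam_unix.so would prompt a second time"
echo "lines allowing empty passwords:"
pam_nullok_lines "$WORK/login" || true
```

pam_stack only understands the one-line pam.d syntax used in this section; it does not follow @include lines, so on a host that uses common-auth and friends run it against each included file as well.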

ldap-utils

 apt-get install ldap-utils