#author("2022-11-22T17:05:08+00:00","default:sysosa","sysosa") #author("2022-11-22T17:37:18+00:00","default:sysosa","sysosa") CentOS5のOpenLDAP 2.3からRockyLinux8のOpenLDAP 2.4にLDAPサービスを移してみる. 2.4で「slapd.conf」は廃止予定とされ「cn=config」形式が推奨. でも2.4でも「slapd.conf」でLDAPを作れるのだが、2.6が目に見えてきたので「cn=config」形式に乗り換えてみた次第. -RHEL8系 RockyLinux8 openldap-2.4.46 -RHEL9系 RockyLinux9 openldap-2.6.2 -ubuntu 18.04 LTS openldap-2.4.45 -ubuntu 20.04 LTS openldap-2.4.49 -ubuntu 22.04 LTS openldap-2.5.11 まずは簡単に CentOS5 のopenLDAPでサービスを作ってみる. #code(nonumber){{ [root@centos5 ~]# cat /etc/redhat-release CentOS release 5.11 (Final) [root@centos5 ~]# yum install openldap-servers openldap-clients -y [root@centos5 ~]# /usr/sbin/slapd -VV @(#) $OpenLDAP: slapd 2.3.43 (Sep 29 2015 06:22:05) $ mockbuild@builder17.centos.org:/builddir/build/BUILD/openldap-2.3.43/openldap-2.3.43/build-servers/servers/slapd [root@centos5 ~]# }} sambaスキーマも載せたいのでスキーマ格納場所にコピーします. sambaスキーマを反映させた「&color(magenta){slapd.conf};」ファイルを作成します #code(nonumber){{ [root@centos5 ~]# cp /usr/share/doc/samba-3.0.33/LDAP/samba.schema /etc/openldap/schema/ [root@centos5 ~]# vi /etc/openldap/slapd.conf [root@centos5 ~]# grep -v -e '^\s*#' -e '^\s*$' /etc/openldap/slapd.conf include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/samba.schema pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args modulepath /usr/lib64/openldap database hdb suffix "dc=sybyl,dc=lab" rootdn "cn=manager,dc=sybyl,dc=lab" rootpw secret directory /var/lib/ldap index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub access to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword,sambaPwdMustChange,sambaPwdLastSet by anonymous auth by self write by * none access to 
dn.base="" by * read access to * by self write by * read [root@centos5 ~]# }} データベース(hdb:Hierarchical variant of bdb backend)向けのconfigファイルをコピーして、ldapサービスを稼働させます #code(nonumber){{ [root@centos5 ~]# cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG [root@centos5 ~]# chown -R ldap. /var/lib/ldap/ [root@centos5 ~]# chmod 700 /var/lib/ldap/ [root@centos5 ~]# service ldap start Starting slapd: [ OK ] [root@centos5 ~]# [root@centos5 ~]# ps -ef |grep ldap ldap 3580 1 0 05:06 ? 00:00:00 /usr/sbin/slapd -h ldap:/// -u ldap root 3585 3342 0 05:06 pts/0 00:00:00 grep ldap [root@centos5 ~]# }} コンテンツやsmbを載せて「LDAP Admin」から見ると下記のようになります. &size(10){[[LDAP]]のldap/domain.ldif、[[LDAP/data]]のldap/group.ldif、ldap/foo.ldifを登録、その後[[LDAP/smb]]のようにsmbを登録してみた. iptablesは停止}; &ref(2022y11m22d_100037694.png,nolink); この状態での設定関係のフォルダは下記のようになってます #code(nonumber){{ [root@centos5 ~]# ls -l /etc/openldap/ total 40 drwxr-xr-x 2 root root 4096 Sep 29 2015 cacerts -rw-r----- 1 root ldap 921 Sep 29 2015 DB_CONFIG.example -rw-r--r-- 1 root root 327 Nov 21 23:22 ldap.conf drwxr-xr-x 3 root root 4096 Nov 23 01:03 schema -rw-r----- 1 root ldap 4095 Nov 23 01:09 slapd.conf [root@centos5 ~]# }} っで、本題. 次にupgradeのために データを書き出します. [[LDAP/backup]]のホット・バックアップ形式でデータ(「&color(darkorange){main.ldif};」)を書き出します #code(nonumber){{ [root@centos5 ~]# slapcat -b dc=sybyl,dc=lab > main.ldif }} ですが、一方で「cn=config」のデータは「&color(orangered){slapd.d};」で作っていないので何もでません. 代わりに設定ファイル「&color(magenta){slapd.conf};」をupgradeに使います #code(nonumber){{ [root@centos5 ~]# slapcat -b cn=config slapcat: could not open database. [root@centos5 ~]# }} なのでupgradeサイトには -「&color(darkorange){main.ldif};」 -「&color(magenta){slapd.conf};」 を持参します. ***upgrade先 [#ube64e9b] 新規にLDAPサービスを稼働させるマシンは「RockyLinux8(ホスト名:ldap-server)」です. 「openldap-2.4.46」が使えます. その前にデータをupgrade先にコピーします #code(nonumber){{ [root@centos5 ~]# scp main.ldif root@ldap-server:main.ldif [root@centos5 ~]# scp /etc/openldap/slapd.conf root@ldap-server:slapd.conf }} 下拵えを行います. 
移植なので既存のLDAP関係のカケラを消してます. #code(nonumber){{ [root@ldap-server ~]# cat /etc/redhat-release Rocky Linux release 8.5 (Green Obsidian) [root@ldap-server ~]# dnf --enablerepo=powertools install openldap-servers openldap-clients samba -y [root@ldap-server ~]# rm -rf /etc/openldap/slapd.d/* [root@ldap-server ~]# rm -rf /var/lib/ldap/* [root@ldap-server ~]# grep -v -e '^\s*#' -e '^\s*$' ./slapd.conf > ./slapd.conf.orig [root@ldap-server ~]# rm -rf ./slapd.conf }} 持ってきた「&color(magenta){slapd.conf};」は不要な行を削除して「slapd.conf.orig」にしてます. 基本この「slapd.conf.orig」を修正して使います まずは「/var/lib/ldap/」に置かれるmdb関係を捌きます. オリジナルから「&color(magenta){slapd.conf};」を作って修正を加えます. &size(10){「bdb」を「mdb」に変更. 末尾に「database monitor」を追加してます}; #code(nonumber){{ [root@ldap-server ~]# cp ./slapd.conf.orig ./slapd.conf [root@ldap-server ~]# vi ./slapd.conf [root@ldap-server ~]# diff -y ./slapd.conf.orig ./slapd.conf include /etc/openldap/schema/core.schema include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/samba.schema include /etc/openldap/schema/samba.schema pidfile /var/run/openldap/slapd.pid pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args argsfile /var/run/openldap/slapd.args modulepath /usr/lib64/openldap modulepath /usr/lib64/openldap database bdb | database mdb suffix "dc=sybyl,dc=lab" suffix "dc=sybyl,dc=lab" rootdn "cn=manager,dc=sybyl,dc=lab" rootdn "cn=manager,dc=sybyl,dc=lab" rootpw secret rootpw secret directory /var/lib/ldap directory /var/lib/ldap index objectClass eq,pres index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid 
eq,pres,sub index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub access to attrs=userPassword,shadowLastChange,sambaNTPassword access to attrs=userPassword,shadowLastChange,sambaNTPassword by self write by self write by anonymous auth by anonymous auth by * none by * none access to dn.base="" by * read access to dn.base="" by * read access to * access to * by self write by self write by * read by * read > database monitor [root@ldap-server ~]# [root@ldap-server ~]# cp -a /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG [root@ldap-server ~]# echo "" | slapadd -f ./slapd.conf (確認) [root@ldap-server ~]# ls -l /var/lib/ldap/ total 20 -rw-------. 1 root root 12288 Nov 22 08:24 data.mdb -rw-r--r--. 1 root root 845 Oct 11 2021 DB_CONFIG -rw-------. 1 root root 8192 Nov 22 08:24 lock.mdb [root@ldap-server ~]# }} 以上でmdbの作成は完了. ここにコンテンツが入るのかな. 次に「&color(orangered){slapd.d};」の構築. いわゆる「cn=config」形式と言われる設定情報を収める場所を作ります &size(10){「&color(magenta){slapd.conf};」の行頭に「database monitor」を置き、「bdb」を「mdb」にして、末尾に「database config」と「サーバ管理者」のパスワードを設定します. 
ここでは平文ですが、ハッシュ化された文字列（slappasswdで生成したもの）でもOK}; #code(nonumber){{ [root@ldap-server ~]# cp ./slapd.conf.orig ./slapd.conf [root@ldap-server ~]# vi ./slapd.conf [root@ldap-server ~]# diff -y slapd.conf.orig slapd.conf [root@ldap-server ~]# diff -y ./slapd.conf.orig ./slapd.conf > database monitor include /etc/openldap/schema/core.schema include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/samba.schema include /etc/openldap/schema/samba.schema pidfile /var/run/openldap/slapd.pid pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args argsfile /var/run/openldap/slapd.args modulepath /usr/lib64/openldap modulepath /usr/lib64/openldap database bdb | database mdb suffix "dc=sybyl,dc=lab" suffix "dc=sybyl,dc=lab" rootdn "cn=manager,dc=sybyl,dc=lab" rootdn "cn=manager,dc=sybyl,dc=lab" rootpw secret rootpw secret directory /var/lib/ldap directory /var/lib/ldap index objectClass eq,pres index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub access to attrs=userPassword,shadowLastChange,sambaNTPassword access to attrs=userPassword,shadowLastChange,sambaNTPassword by self write by self write by anonymous auth by anonymous auth by * none by * none access to dn.base="" by * read access to dn.base="" by * read access to * access to * by self write by self write by * read by * read > database config > rootpw secret [root@ldap-server ~]# [root@ldap-server ~]# slaptest -f ./slapd.conf -F /etc/openldap/slapd.d 
config file testing succeeded [root@ldap-server ~]# (確認) [root@ldap-server ~]# ls -l /etc/openldap/slapd.d/ total 4 drwxr-x---. 3 root root 182 Nov 22 11:57 'cn=config' -rw-------. 1 root root 1107 Nov 22 11:57 'cn=config.ldif' [root@ldap-server ~]# ls -l /etc/openldap/slapd.d/cn\=config total 64 drwxr-x---. 2 root root 132 Nov 22 11:57 'cn=schema' -rw-------. 1 root root 46206 Nov 22 11:57 'cn=schema.ldif' -rw-------. 1 root root 605 Nov 22 11:57 'olcDatabase={0}config.ldif' -rw-------. 1 root root 596 Nov 22 11:57 'olcDatabase={-1}frontend.ldif' -rw-------. 1 root root 536 Nov 22 11:57 'olcDatabase={1}monitor.ldif' -rw-------. 1 root root 1436 Nov 22 11:57 'olcDatabase={2}mdb.ldif' [root@ldap-server ~]# }} これで準備が完了したので、LDAPサービスを開始します #code(nonumber){{ [root@ldap-server ~]# chown -R ldap. /etc/openldap/slapd.d [root@ldap-server ~]# chown -R ldap. /var/lib/ldap [root@ldap-server ~]# systemctl start slapd [root@ldap-server ~]# ldapsearch -x -D cn=config -w secret -b cn=config | less <-- スキーマの確認 [root@ldap-server ~]# ldapsearch -x -LLL -w secret -D cn=config -b cn=config dn dn: cn=config dn: cn=schema,cn=config dn: cn={0}core,cn=schema,cn=config dn: cn={1}cosine,cn=schema,cn=config dn: cn={2}inetorgperson,cn=schema,cn=config dn: cn={3}nis,cn=schema,cn=config dn: cn={4}samba,cn=schema,cn=config dn: olcDatabase={-1}frontend,cn=config dn: olcDatabase={0}config,cn=config dn: olcDatabase={1}monitor,cn=config dn: olcDatabase={2}mdb,cn=config [root@ldap-server ~]# }} 最後にコンテンツ「&color(darkorange){main.ldif};」を戻します. #code(nonumber){{ [root@ldap-server ~]# systemctl stop slapd [root@ldap-server ~]# cat ./main.ldif | slapadd -F /etc/openldap/slapd.d -b dc=sybyl,dc=lab [root@ldap-server ~]# systemctl start slapd }} 再度「LDAP Admin」で確認します. 運営ノードが「centos5」から「ldap-server」に代わったことに注目でしょうか. &ref(2022y11m23d_020343776.png,nolink);