Security-related settings
Restrict anonymous bind to the root DSE only (anonymous clients can still discover supported controls and StartTLS, but can no longer search the suffix):
dsconf localhost config replace nsslapd-allow-anonymous-access=rootdse
Create the bind account (binddn_acladd.ldif). The userPassword below is only a placeholder; it is replaced over StartTLS with ldappasswd further down, so never put the real secret in this file.
dn: cn=readonly,dc=taruki,dc=com
objectClass: person
cn: readonly
sn: readonly
userPassword: password
Add the entry with ldapadd:
ldapadd -h localhost -p 389 -D "cn=Directory Manager" -W -f binddn_acladd.ldif
Then grant the account read-only rights on the suffix (binddn_aclmod.ldif). Note that targetattr="*" also lets this account read userPassword hashes and other aci values; for a pure lookup account use (targetattr!="userPassword || aci") instead.
dn: dc=taruki,dc=com
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "readonly bind account"; allow (read,search,compare) userdn="ldap:///cn=readonly,dc=taruki,dc=com";)
ldapmodify -h localhost -p 389 -D "cn=Directory Manager" -W -f binddn_aclmod.ldif
Set the readonly user's real password over StartTLS (-Z); -S prompts for the new value instead of taking it on the command line:
ldappasswd -Z -h ldap01 -D "cn=Directory Manager" -W -S cn=readonly,dc=taruki,dc=com
Enable the memberOf plugin (plugin changes only take effect after the instance is restarted with dsctl <instance> restart):
dsconf localhost plugin memberof enable
Creating LDAP users
Create the groups
$ dsidm localhost posixgroup create --cn ldapusers --gidNumber 20000
$ dsidm localhost posixgroup create --cn daisuketaruki --gidNumber 20001
Create the user
# dsidm localhost user create
Enter password for cn=Directory Manager on ldap://192.168.24.21:
Enter value for uid : daisuketaruki
Enter value for cn : daisuketaruki
Enter value for displayName : daisuketaruki
Enter value for uidNumber : 20001
Enter value for gidNumber : 20001
Enter value for homeDirectory : /home/daisuketaruki
Successfully created daisuketaruki
# dsidm localhost group add_member ldapusers uid=daisuketaruki,ou=people,dc=taruki,dc=com
# dsidm localhost group add_member daisuketaruki uid=daisuketaruki,ou=people,dc=taruki,dc=com
# dsidm localhost account reset_password uid=daisuketaruki,ou=people,dc=taruki,dc=com
# dsidm localhost user get daisuketaruki
Allow users to change their own password (passwd.ldif). The ACI is placed on ou=People, so it covers the user entries there but not service accounts such as cn=readonly that live directly under the suffix:
dn: ou=People,dc=taruki,dc=com
changetype: modify
add: aci
aci: (targetattr="userPassword")(version 3.0; acl "Allow users updating their password"; allow (write) userdn="ldap:///self";)
ldapmodify -h localhost -p 389 -D "cn=Directory Manager" -W -f passwd.ldif
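The three LDIF files these notes feed to ldapadd/ldapmodify (the readonly bind account, its read ACI, and the self-service password ACI) can be generated instead of hand-written. The script below is an added example and is not part of the original notes or of 389-ds itself; it assumes the suffix dc=taruki,dc=com, the ou=People container, and the file names used in the commands above. It departs from the LDIF shown on the page in two ways: the userPassword is a pre-hashed {SSHA512} value rather than clear text (389-ds accepts a pre-hashed value on add when bound as Directory Manager), and the read ACI excludes userPassword and aci so the lookup account cannot harvest password hashes.

```python
# Added example (not from the original notes): generate the LDIF used above
# with a pre-hashed password and a least-privilege read ACI.
# Assumptions: suffix dc=taruki,dc=com, users under ou=People, and the file
# names the page passes to ldapadd/ldapmodify.
import base64
import hashlib
import hmac
import os
from typing import Optional

SUFFIX = "dc=taruki,dc=com"
READONLY_DN = f"cn=readonly,{SUFFIX}"
PEOPLE_OU = f"ou=People,{SUFFIX}"
SALT_LEN = 8  # 389-ds uses an 8-byte salt for its salted SHA schemes
DIGEST_LEN = hashlib.sha512().digest_size


def ssha512_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Encode a password as 389-ds {SSHA512}: base64(sha512(pw || salt) || salt)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return "{SSHA512}" + base64.b64encode(digest + salt).decode("ascii")


def ssha512_verify(stored: str, password: str) -> bool:
    """Check a candidate against a {SSHA512} value; the salt is whatever follows the digest."""
    prefix = "{SSHA512}"
    if not stored.startswith(prefix):
        return False
    raw = base64.b64decode(stored[len(prefix):])
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def readonly_user_ldif(password_hash: str, dn: str = READONLY_DN) -> str:
    """Entry for the bind account (binddn_acladd.ldif) carrying the hash, not clear text."""
    cn = dn.split(",", 1)[0].split("=", 1)[1]
    return "\n".join([
        f"dn: {dn}",
        "objectClass: person",
        f"cn: {cn}",
        f"sn: {cn}",
        f"userPassword: {password_hash}",
        "",
    ])


def readonly_aci_ldif(suffix: str = SUFFIX, bind_dn: str = READONLY_DN) -> str:
    """Read/search/compare on the whole suffix, but never userPassword hashes or other ACIs."""
    aci = (
        '(targetattr!="userPassword || aci")'
        '(version 3.0; acl "readonly bind account"; '
        f'allow (read, search, compare) userdn="ldap:///{bind_dn}";)'
    )
    return f"dn: {suffix}\nchangetype: modify\nadd: aci\naci: {aci}\n"


def self_password_aci_ldif(people_ou: str = PEOPLE_OU) -> str:
    """Let each entry under ou=People write only its own userPassword (passwd.ldif)."""
    aci = (
        '(targetattr="userPassword")'
        '(version 3.0; acl "Allow users updating their password"; '
        'allow (write) userdn="ldap:///self";)'
    )
    return f"dn: {people_ou}\nchangetype: modify\nadd: aci\naci: {aci}\n"


if __name__ == "__main__":
    import getpass
    pw = getpass.getpass("Initial password for cn=readonly: ")
    files = {
        "binddn_acladd.ldif": readonly_user_ldif(ssha512_hash(pw)),
        "binddn_aclmod.ldif": readonly_aci_ldif(),
        "passwd.ldif": self_password_aci_ldif(),
    }
    for name, body in files.items():
        with open(name, "w", encoding="utf-8") as fh:
            fh.write(body)
        print(f"wrote {name}")
```

Run it once, then apply the files with the same ldapadd/ldapmodify commands as above, bound as cn=Directory Manager. The aci values are emitted on one line because ldapmodify accepts long LDIF lines; if you fold them by hand, every continuation line must begin with a single space. The readonly password can still be rotated later with ldappasswd exactly as shown earlier.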