389ds installation and configuration (Part 2)

Security-related settings

Restrict anonymous bind to the rootDSE only
dsconf localhost config replace nsslapd-allow-anonymous-access=rootdse
Create a cn (bind DN) to use for binding

dn: cn=readonly,dc=taruki,dc=com
objectClass: person
cn: readonly
sn: readonly
userPassword: password

Apply the binddn_acl.ldif files created above (the entry with ldapadd, then the ACI with ldapmodify)
ldapadd -h localhost -p 389 -D "cn=Directory Manager" -W -f binddn_acladd.ldif

dn: dc=taruki,dc=com
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0;acl "readonly bind read access";allow(read,search,compare)(userdn="ldap:///cn=readonly,dc=taruki,dc=com");)

ldapmodify -h localhost -p 389 -D "cn=Directory Manager" -W -f binddn_aclmod.ldif
Set the password of the readonly user
ldappasswd -Z -h ldap01 -D "cn=Directory Manager" -W -S cn=readonly,dc=taruki,dc=com
Enable the memberof plugin
dsconf localhost plugin memberof enable

Creating LDAP users

Create the groups


$ dsidm localhost posixgroup create --cn ldapusers --gidNumber 20000
$ dsidm localhost posixgroup create --cn daisuketaruki --gidNumber 20001

Create the user


# dsidm localhost user create
Enter password for cn=Directory Manager on ldap://192.168.24.21:
Enter value for uid : daisuketaruki
Enter value for cn : daisuketaruki
Enter value for displayName : daisuketaruki
Enter value for uidNumber : 20001
Enter value for gidNumber : 20001
Enter value for homeDirectory : /home/daisuketaruki
Successfully created daisuketaruki

# dsidm localhost group add_member ldapusers uid=daisuketaruki,ou=people,dc=taruki,dc=com
# dsidm localhost group add_member daisuketaruki uid=daisuketaruki,ou=people,dc=taruki,dc=com
# dsidm localhost account reset_password uid=daisuketaruki,ou=people,dc=taruki,dc=com
# dsidm localhost user get daisuketaruki

Allow users to change their own password

dn: ou=People,dc=taruki,dc=com
changetype: modify
add: aci
aci: (targetattr="userPassword") (version 3.0; acl
  "Allow users updating their password";
  allow (write) userdn="ldap:///self";)

ldapmodify -h localhost -p 389 -D "cn=Directory Manager" -W -f passwd.ldif
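To check what the two ACIs above actually grant before applying them (the readonly bind rule on dc=taruki,dc=com and the self-password rule on ou=People), here is a small evaluator written for this page, not part of 389ds or its tooling. It models only the ACI subset the page uses (one targetattr, one allow/deny clause, one userdn bind rule) with 389ds's default-deny and deny-wins semantics; the ACI strings and DNs are constructed copies of the ones on this page.

```python
import re

# Constructed copies of the two ACIs on this page, each paired with the entry
# (subtree scope) the LDIF attaches it to.
ACIS = [
    ("dc=taruki,dc=com", '(targetattr="*")(version 3.0;acl "readonly bind read access";'
     'allow(read,search,compare)(userdn="ldap:///cn=readonly,dc=taruki,dc=com");)'),
    ("ou=People,dc=taruki,dc=com", '(targetattr="userPassword") (version 3.0; acl '
     '"Allow users updating their password"; allow (write) userdn="ldap:///self";)'),
]

# Only the ACI subset this page uses: one targetattr, one allow/deny, one userdn.
ACI_RE = re.compile(
    r'\(targetattr\s*=\s*"?([^")]+)"?\)\s*\(version 3\.0;\s*acl\s*"([^"]*)";\s*'
    r'(allow|deny)\s*\(([^)]*)\)\s*\(?\s*userdn\s*=\s*"ldap:///([^"]+)"\s*\)?\s*;\s*\)',
    re.IGNORECASE)

def parse_aci(scope_dn, aci):
    m = ACI_RE.fullmatch(aci.strip())
    if not m:
        raise ValueError("unsupported ACI syntax: " + aci)
    attrs, name, effect, rights, userdn = m.groups()
    return {"scope": scope_dn.lower(), "name": name, "effect": effect.lower(),
            "attrs": {a.strip().lower() for a in attrs.split("||")},
            "rights": {r.strip().lower() for r in rights.split(",")},
            "userdn": userdn.lower()}

def allowed(bind_dn, target_dn, attr, right, rules):
    """Default deny; a matching deny beats any allow; 'ldap:///self' matches only
    when the bound DN is the target entry. bind_dn=None is an anonymous bind."""
    bind_dn, target_dn, attr = (bind_dn or "").lower(), target_dn.lower(), attr.lower()
    decision = False
    for r in rules:
        in_scope = target_dn == r["scope"] or target_dn.endswith("," + r["scope"])
        attr_ok = "*" in r["attrs"] or attr in r["attrs"]
        if r["userdn"] == "self":
            subject_ok = bind_dn != "" and bind_dn == target_dn
        else:
            subject_ok = r["userdn"] == "anyone" or bind_dn == r["userdn"]
        if not (in_scope and attr_ok and subject_ok and right in r["rights"]):
            continue
        if r["effect"] == "deny":
            return False
        decision = True
    return decision

RULES = [parse_aci(scope, aci) for scope, aci in ACIS]
USER = "uid=daisuketaruki,ou=people,dc=taruki,dc=com"
READONLY = "cn=readonly,dc=taruki,dc=com"
```

With only these two rules the user can write userPassword on its own entry but cannot read its own attributes; whether that matters depends on the default ACIs your instance already carries, which this model deliberately leaves out.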