Reference
The following page was used as a reference.
http://www.sun.com/bigadmin/features/articles/nis_ldap_part1.jsp
LDAP server-side configuration
Editing the idsconfig script
Comment out the line that makes the script exit when the version check fails. The check only accepts iDS 5.x, so against Directory Server 6.0 it prints an error and stops; with the exit commented out the script prints the error and continues.
chk_ids_version()
{
    [ $DEBUG -eq 1 ] && ${ECHO} "In chk_ids_version()"

    # check iDS version number.
    eval "${LDAPSEARCH} ${SERVER_ARGS} -b cn=monitor -s base \"objectclass=*\" version | ${GREP} \"^version=\" | cut -f2 -d'/' | cut -f1 -d' ' > ${TMPDIR}/checkDSver 2>&1"
    if [ $? -ne 0 ]; then
        ${ECHO} "ERROR: Can not determine the version number of iDS!"
        exit 1
    fi

    IDS_VER=`cat ${TMPDIR}/checkDSver`
    IDS_MAJVER=`${ECHO} ${IDS_VER} | cut -f1 -d.`
    IDS_MINVER=`${ECHO} ${IDS_VER} | cut -f2 -d.`

    if [ "${IDS_MAJVER}" != "5" ]; then
        ${ECHO} "ERROR: $PROG only works with iDS version 5.x, not ${IDS_VER}."
        # exit 1    <- comment out this line
    fi

    if [ $DEBUG -eq 1 ]; then
        ${ECHO} " IDS_MAJVER = $IDS_MAJVER"
        ${ECHO} " IDS_MINVER = $IDS_MINVER"
    fi
}
Running the idsconfig script
# /usr/lib/ldap/idsconfig
It is strongly recommended that you BACKUP the directory server
before running idsconfig.
Hit Ctrl-C at any time before the final confirmation to exit.
Do you wish to continue with server setup (y/n/h)? [n] y
Enter the iPlanet Directory Server's (iDS) hostname to setup: server1
Enter the port number for iDS (h=help): [389]
ERROR: idsconfig only works with iDS version 5.x, not 6.0.
Enter the directory manager DN: [cn=Directory Manager]
Enter passwd for cn=Directory Manager :
Enter the domainname to be served (h=help): [send.test]
Enter LDAP Base DN (h=help): [dc=send,dc=test]
Checking LDAP Base DN ...
Validating LDAP Base DN and Suffix ...
Enter the profile name (h=help): [default]
Default server list (h=help): [192.168.1.38]
Preferred server list (h=help): (none)
Choose desired search scope (one, sub, h=help): [one] sub
The following are the supported credential levels:
1 anonymous
2 proxy
3 proxy anonymous
Choose Credential level [h=help]: [1] 2
The following are the supported Authentication Methods:
1 none
2 simple
3 sasl/DIGEST-MD5
4 tls:simple
5 tls:sasl/DIGEST-MD5
Choose Authentication Method (h=help): [1] 2
Current authenticationMethod: simple
Do you want to add another Authentication Method? n
Do you want the clients to follow referrals (y/n/h)? [n]
Do you want to modify the server timelimit value (y/n/h)? [n]
Do you want to modify the server sizelimit value (y/n/h)? [n]
Do you want to store passwords in "crypt" format (y/n/h)? [n]
Do you want to setup a Service Authentication Methods (y/n/h)? [n]
Client search time limit in seconds (h=help): [30]
Profile Time To Live in seconds (h=help): [43200]
Bind time limit in seconds (h=help): [10]
Do you wish to setup Service Search Descriptors (y/n/h)? [n]
...
Adding LDAP entries
Log in to DSCC and select the "Directory Servers" tab.
On the "Entry Management" tab, add the following.
(1) Group
Create the following new entry under ou=group,dc=send,dc=test.
For objectclass, select posixGroup.
Required attributes
gidNumber: 5001
Full name (cn): soluser
Allowed attributes
description: Solarisusers
memberUid: sunuser300
(2) User
Create the following new entry under ou=People,dc=send,dc=test.
For objectclass, select User (inetOrgPerson).
Full name (cn): taka
Surname (sn): taka
User ID (uid): taka
Password (userPassword): *****
Next, edit the entry for taka.
With uid=taka selected, click "Edit Entry".
The edit screen appears; select the "Text View" tab.
Add the following in the "Editable Attributes" field.
objectclass: posixAccount
objectclass: shadowAccount
gidNumber: 5001
homeDirectory: /export/home/taka
uidNumber: 10003
Allowing anonymous connections
Creating the ACL settings
The aci values below give the Directory Administrators group full access, allow anonymous and self read/search/compare on everything except userPassword, deny users write access to their own naming attributes (uid, uidNumber, gidNumber, homeDirectory, the shadow attributes and memberUid) while still letting them change loginShell, and grant the proxy agent read access. The proxy agent DN named here must match the proxyDN later passed to ldapclient.
# vi acis.ldif
dn: dc=send,dc=test
changetype: modify
replace: aci
aci: (target="ldap:///dc=send,dc=test") (targetattr="*") (version 3.0; acl "allow all Admin group"; allow (all) groupdn = "ldap:///cn=Directory Administrators,ou=Groups,dc=send,dc=test";)
aci: (target="ldap:///dc=send,dc=test") (targetattr != "userPassword") (version 3.0; acl "Anonymous read-search access"; allow (read,search,compare) (userdn = "ldap:///anyone");)
aci: (target="ldap:///dc=send,dc=test") (targetattr != "userPassword") (version 3.0; acl "allow self read search compare"; allow(read,search,compare) userdn = "ldap:///self";)
aci: (targetattr = "cn||uid||uidNumber||gidNumber||homeDirectory||shadowLastChange||shadowMin||shadowMax||shadowWarning||shadowInactive||shadowExpire||shadowFlag||memberUid")(version 3.0; acl LDAP_Naming_Services_deny_write_access; deny (write) userdn = "ldap:///self";)
aci: (targetattr = "loginShell") (version 3.0;acl "LDAP_Naming_Services_allow_certain_changes"; allow (write) userdn = "ldap:///self";)
aci: (target="ldap:///dc=send,dc=test") (targetattr != "userPassword") (version 3.0; acl "LDAP_Naming_Services_proxy_read"; allow(read,search,compare) userdn = "ldap:///cn=proxyagent,ou=people,dc=send,dc=test";)
Apply it with the ldapmodify command. Note that the permission keyword is compare; Directory Server rejects an aci that names an unknown permission.
# ldapmodify -D "cn=Directory Manager" -w ****(password) -f acis.ldif
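To check what this ACI set actually grants before applying it, here is an added example in Python (not code from the referenced Sun page or from Directory Server): it parses the six aci values above into target attributes, permissions and bind rules and evaluates them the way Directory Server does, with an explicit deny taking precedence and no matching allow meaning no access. The subject model (anyone, self, a bind DN, group membership) is a simplification constructed for this check.

```python
import re

# The six aci values from acis.ldif above, copied as one string each.
ACIS = [
    '(target="ldap:///dc=send,dc=test") (targetattr="*") (version 3.0; acl "allow all Admin group"; allow (all) groupdn = "ldap:///cn=Directory Administrators,ou=Groups,dc=send,dc=test";)',
    '(target="ldap:///dc=send,dc=test") (targetattr != "userPassword") (version 3.0; acl "Anonymous read-search access"; allow (read,search,compare) (userdn = "ldap:///anyone");)',
    '(target="ldap:///dc=send,dc=test") (targetattr != "userPassword") (version 3.0; acl "allow self read search compare"; allow(read,search,compare) userdn = "ldap:///self";)',
    '(targetattr = "cn||uid||uidNumber||gidNumber||homeDirectory||shadowLastChange||shadowMin||shadowMax||shadowWarning||shadowInactive||shadowExpire||shadowFlag||memberUid")(version 3.0; acl LDAP_Naming_Services_deny_write_access; deny (write) userdn = "ldap:///self";)',
    '(targetattr = "loginShell") (version 3.0;acl "LDAP_Naming_Services_allow_certain_changes"; allow (write) userdn = "ldap:///self";)',
    '(target="ldap:///dc=send,dc=test") (targetattr != "userPassword") (version 3.0; acl "LDAP_Naming_Services_proxy_read"; allow(read,search,compare) userdn = "ldap:///cn=proxyagent,ou=people,dc=send,dc=test";)',
]
ATTR_RE = re.compile(r'targetattr\s*(!?=)\s*"([^"]*)"')
RULE_RE = re.compile(r'(allow|deny)\s*\(([^)]*)\)\s*\(?\s*(userdn|groupdn)\s*=\s*"ldap:///([^"]*)"')

def parse_aci(aci):
    """Split one aci into (op, target attrs, effect, permissions, bind-rule kind, subject)."""
    op, attrs = ATTR_RE.search(aci).groups()
    effect, perms, kind, subject = RULE_RE.search(aci).groups()
    return (op, {a.strip().lower() for a in attrs.split("||")}, effect,
            {p.strip().lower() for p in perms.split(",")}, kind, subject.lower())

def targets_attr(op, attrs, attr):
    """targetattr="x||y" lists attributes; targetattr != "x" means every attribute except x."""
    attr = attr.lower()
    return (attr in attrs or "*" in attrs) if op == "=" else attr not in attrs

def subject_matches(kind, subject, bind_dn, is_self, groups):
    """Simplified bind-rule model: groupdn needs membership, anyone matches all, self matches own entry."""
    if kind == "groupdn":
        return subject in {g.lower() for g in groups}
    if subject == "anyone":
        return True
    if subject == "self":
        return is_self
    return bind_dn is not None and subject == bind_dn.lower()

def permitted(acis, perm, attr, bind_dn=None, is_self=False, groups=()):
    """Directory Server evaluation: an explicit deny wins; with no matching allow, access is refused."""
    allowed = False
    for aci in acis:
        op, attrs, effect, perms, kind, subject = parse_aci(aci)
        if not targets_attr(op, attrs, attr) or not (perm in perms or "all" in perms):
            continue
        if not subject_matches(kind, subject, bind_dn, is_self, groups):
            continue
        if effect == "deny":
            return False
        allowed = True
    return allowed

def aci_subjects(acis):
    """DNs named in bind rules, to compare against the proxyDN handed to ldapclient."""
    return {parse_aci(a)[5] for a in acis}
```

aci_subjects() is there to confirm that the proxyDN passed to ldapclient is actually named in an aci: the LDIF above grants proxy read to cn=proxyagent,ou=people, while the ldapclient command in the client section binds as cn=proxyagent,ou=profile, so one of the two has to be aligned.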
LDAP client side (Solaris 10)
Backing up the configuration
Before configuring, back up the original copies of the following files.
/etc/nsswitch.conf
/etc/pam.conf
Connect to the LDAP server with the ldapclient command.
#ldapclient init -v -a profileName=default -a domainName="send.test" -a proxyDN="cn=proxyagent,ou=profile,dc=send,dc=test" -a proxyPassword=**** 192.168.1.38
Other options (may not be necessary).
#ldapclient mod -a authenticationMethod=simple
#ldapclient mod -a defaultSearchScope=sub
Editing /etc/nsswitch.conf
# the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
passwd: files ldap
group: files ldap
# consult /etc "files" only if ldap is down.
hosts: files dns
# Note that IPv4 addresses are searched for in all of the ipnodes databases
# before searching the hosts databases.
ipnodes: files
networks: files
protocols: files
rpc: files
ethers: files
netmasks: files
bootparams: files
publickey: files
netgroup: ldap
automount: files ldap
aliases: files ldap
# for efficient getservbyname() avoid ldap
services: files ldap
printers: user files ldap
auth_attr: files ldap
prof_attr: files ldap
project: files ldap
tnrhtp: files ldap
tnrhdb: files ldap
Editing /etc/pam.conf
#
#ident "@(#)pam.conf 1.28 04/04/21 SMI"
#
# Copyright 2004 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_dial_auth.so.1
login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_ldap.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
# ... <omitted>
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth binding pam_unix_auth.so.1 server_policy
other auth required pam_ldap.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd auth binding pam_passwd_auth.so.1 server_policy
passwd auth required pam_ldap.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account required pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account requisite pam_roles.so.1
other account required pam_projects.so.1
other account binding pam_unix_account.so.1 server_policy
other account required pam_ldap.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other session required pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1 server_policy
#
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
#
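To see why the order and control flags in the login stack above matter, here is an added example in Python (not Solaris code) that models the pam.conf(4) control flags requisite, required, binding and sufficient and walks this page's login auth stack for a few constructed outcomes. It assumes, as the server_policy option is meant to behave, that pam_unix_auth returns PAM_IGNORE for a user whose password is not in the local files, so that pam_ldap decides for LDAP users.

```python
# Model of how the Solaris PAM framework walks the "login auth" stack above.
PAM_IGNORE = None   # module result that counts neither as success nor as failure

LOGIN_AUTH = [
    ("requisite", "pam_authtok_get.so.1"),
    ("required",  "pam_dhkeys.so.1"),
    ("required",  "pam_unix_cred.so.1"),
    ("required",  "pam_dial_auth.so.1"),
    ("binding",   "pam_unix_auth.so.1"),   # server_policy: decides only for local (files) users
    ("required",  "pam_ldap.so.1"),
]

def run_stack(stack, results):
    """Walk a PAM stack. results maps module -> True, False or PAM_IGNORE; modules
    missing from results are assumed to return PAM_IGNORE (constructed assumption).
    Returns (authenticated, modules_called)."""
    called, required_failed, any_success = [], False, False
    for flag, module in stack:
        called.append(module)
        rc = results.get(module, PAM_IGNORE)
        if rc is PAM_IGNORE:
            continue
        if rc:
            any_success = True
            # binding/sufficient: success ends the stack unless an earlier required module failed
            if flag in ("binding", "sufficient") and not required_failed:
                return True, called
            continue
        if flag == "requisite":              # failure is returned immediately
            return False, called
        if flag in ("required", "binding"):  # failure is recorded, the stack continues
            required_failed = True
    # if no module decided (all PAM_IGNORE) the result is a denial, not a pass
    return (not required_failed and any_success), called

def login(results):
    return run_stack(LOGIN_AUTH, results)

# Constructed scenarios for the stack on this page.
LOCAL_OK  = {"pam_authtok_get.so.1": True, "pam_unix_cred.so.1": True, "pam_unix_auth.so.1": True}
LDAP_OK   = {"pam_authtok_get.so.1": True, "pam_unix_cred.so.1": True, "pam_unix_auth.so.1": PAM_IGNORE, "pam_ldap.so.1": True}
LDAP_BAD  = {"pam_authtok_get.so.1": True, "pam_unix_cred.so.1": True, "pam_unix_auth.so.1": PAM_IGNORE, "pam_ldap.so.1": False}
LOCAL_BAD = {"pam_authtok_get.so.1": True, "pam_unix_cred.so.1": True, "pam_unix_auth.so.1": False, "pam_ldap.so.1": True}

if __name__ == "__main__":
    for name, scenario in [("LOCAL_OK", LOCAL_OK), ("LDAP_OK", LDAP_OK), ("LDAP_BAD", LDAP_BAD), ("LOCAL_BAD", LOCAL_BAD)]:
        ok, called = login(scenario)
        print(f"{name:9s} -> {'PASS' if ok else 'FAIL'}, last module consulted: {called[-1]}")
```

A local user is accepted at pam_unix_auth and pam_ldap is never consulted, while a binding failure is treated as a required failure, so a later pam_ldap success cannot rescue a wrong local password.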
Creating the user's home directory
# mkdir /export/home/taka
# cd /export/home
# chown taka taka
# chgrp soluser taka
End of procedure.
Last updated: 2008-02-11 02:46