
Chapter 14. Directory Servers

14.1. OpenLDAP
14.1.1. Introduction to LDAP
14.1.2. Installing the OpenLDAP Suite
14.1.3. Configuring an OpenLDAP Server
14.1.4. Running an OpenLDAP Server
14.1.5. Configuring a System to Authenticate Using OpenLDAP
14.1.6. Additional Resources

14.1. OpenLDAP

LDAP (Lightweight Directory Access Protocol) is a set of open protocols used to access centrally stored information over a network. It is based on the X.500 standard for directory sharing, but is less complex and resource-intensive. For this reason, LDAP is sometimes referred to as X.500 Lite.
Like X.500, LDAP organizes information in a hierarchical manner using directories. These directories can store a variety of information such as names, addresses, or phone numbers, and can even be used in a manner similar to the Network Information Service (NIS), enabling anyone to access their account from any machine on the LDAP enabled network.
LDAP is commonly used for centrally managed users and groups, user authentication, or system configuration. It can also serve as a virtual phone directory, allowing users to easily access contact information for other users. Additionally, it can refer a user to other LDAP servers throughout the world, and thus provide an ad-hoc global repository of information. However, it is most frequently used within individual organizations such as universities, government departments, and private companies.
This section covers the installation and configuration of OpenLDAP 2.4, an open source implementation of the LDAPv2 and LDAPv3 protocols.

14.1.1. Introduction to LDAP

Using a client/server architecture, LDAP provides reliable means to create a central information directory accessible from the network. When a client attempts to modify information within this directory, the server verifies the user has permission to make the change, and then adds or updates the entry as requested. To ensure the communication is secure, the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) cryptographic protocols can be used to prevent an attacker from intercepting the transmission.

Using Mozilla NSS

The OpenLDAP suite in Fedora 16 no longer uses OpenSSL. Instead, it uses the Mozilla implementation of Network Security Services (NSS). OpenLDAP continues to work with existing certificates, keys, and other TLS configuration. For more information on how to configure it to use Mozilla certificate and key database, refer to How do I use TLS/SSL with Mozilla NSS.
The LDAP server supports several database systems, which gives administrators the flexibility to choose the best suited solution for the type of information they are planning to serve. Because of a well-defined client Application Programming Interface (API), the number of applications able to communicate with an LDAP server is numerous, and increasing in both quantity and quality.

14.1.1.1. LDAP Terminology

The following is a list of LDAP-specific terms that are used within this chapter:
entry
A single unit within an LDAP directory. Each entry is identified by its unique Distinguished Name (DN).
attribute
Information directly associated with an entry. For example, if an organization is represented as an LDAP entry, attributes associated with this organization might include an address, a fax number, etc. Similarly, people can be represented as entries with common attributes such as personal telephone number or email address.
An attribute can either have a single value, or an unordered space-separated list of values. While certain attributes are optional, others are required. Required attributes are specified using the objectClass definition, and can be found in schema files located in the /etc/openldap/slapd.d/cn=config/cn=schema/ directory.
The assertion of an attribute and its corresponding value is also referred to as a Relative Distinguished Name (RDN). Unlike distinguished names that are unique globally, a relative distinguished name is only unique per entry.
LDIF
The LDAP Data Interchange Format (LDIF) is a plain text representation of an LDAP entry. It takes the following form:
[id] dn: distinguished_name
attribute_type: attribute_value
attribute_type: attribute_value
…
The optional id is a number determined by the application that is used to edit the entry. Each entry can contain as many attribute_type and attribute_value pairs as needed, as long as they are all defined in a corresponding schema file. A blank line indicates the end of an entry.
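As an added example (not part of the original documentation or of OpenLDAP itself), a small Python parser for the entry form just described; beyond the text, it also handles LDIF `#` comment lines and continuation lines that begin with a single space:

```python
"""Parse LDIF entries of the form '[id] dn: <DN>' followed by
'attribute_type: attribute_value' lines; a blank line ends an entry."""
import re
from typing import Any, Dict, List, Optional

# Constructed sample input: two entries, the first with the optional id.
SAMPLE_LDIF = """\
# comment lines are ignored
1 dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: Example Inc.
dc: example

dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory
  Manager
"""

# Optional numeric id, whitespace, then the dn line.
_ID_DN = re.compile(r"^(?:(\d+)\s+)?dn:\s*(.*)$")


def unfold(text: str) -> List[str]:
    """Drop '#' comments and join continuation lines: a line that starts
    with one space continues the previous line (that one space is removed)."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> List[Dict[str, Any]]:
    """Return one dict per entry: {'id': int or None, 'dn': str,
    'attrs': {attribute_type: [values]}}."""
    entries: List[Dict[str, Any]] = []
    current: Optional[Dict[str, Any]] = None
    for line in unfold(text) + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        if current is None:
            m = _ID_DN.match(line)
            if not m:
                raise ValueError(f"entry must start with a dn line, got: {line!r}")
            current = {"id": int(m.group(1)) if m.group(1) else None,
                       "dn": m.group(2), "attrs": {}}
            continue
        if ":" not in line:
            raise ValueError(f"malformed attribute line: {line!r}")
        atype, value = line.split(":", 1)
        # A type may repeat (several objectClass lines), so values are lists.
        current["attrs"].setdefault(atype.strip(), []).append(value.strip())
    return entries
```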

14.1.1.2. OpenLDAP Features

The OpenLDAP suite provides a number of important features:
  • LDAPv3 Support — Many of the changes in the protocol since LDAP version 2 are designed to make LDAP more secure. Among other improvements, this includes the support for Simple Authentication and Security Layer (SASL), Transport Layer Security (TLS), and Secure Sockets Layer (SSL) protocols.
  • LDAP Over IPC — The use of inter-process communication (IPC) enhances security by eliminating the need to communicate over a network.
  • IPv6 Support — OpenLDAP is compliant with Internet Protocol version 6 (IPv6), the next generation of the Internet Protocol.
  • LDIFv1 Support — OpenLDAP is fully compliant with LDIF version 1.
  • Updated C API — The current C API improves the way programmers can connect to and use LDAP directory servers.
  • Enhanced Standalone LDAP Server — This includes an updated access control system, thread pooling, better tools, and much more.

14.1.1.3. OpenLDAP Server Setup

The typical steps to set up an LDAP server on Fedora are as follows:
  1. Install the OpenLDAP suite. Refer to "Installing the OpenLDAP Suite" for more information on required packages.
  2. Customize the configuration as described in "Configuring an OpenLDAP Server".
  3. Start the slapd service as described in "Running an OpenLDAP Server".
  4. Use the ldapadd utility to add entries to the LDAP directory.
  5. Use the ldapsearch utility to verify that the slapd service is accessing the information correctly.

14.1.2. Installing the OpenLDAP Suite

The suite of OpenLDAP libraries and tools is provided by the following packages:
Table 14.1. List of OpenLDAP packages
Package Description
openldap A package containing the libraries necessary to run the OpenLDAP server and client applications.
openldap-clients A package containing the command line utilities for viewing and modifying directories on an LDAP server.
openldap-servers A package containing both the services and utilities to configure and run an LDAP server. This includes the Standalone LDAP Daemon, slapd.
openldap-servers-sql A package containing the SQL support module.

In addition, the following packages are commonly used along with the LDAP server:
Table 14.2. List of commonly installed additional LDAP packages
Package Description
nss-pam-ldapd A package containing nslcd, a local LDAP name service that allows a user to perform local LDAP queries.
mod_authz_ldap A package containing mod_authz_ldap, the LDAP authorization module for the Apache HTTP Server. This module uses the short form of the distinguished name for a subject and the issuer of the client SSL certificate to determine the distinguished name of the user within an LDAP directory. It is also capable of authorizing users based on attributes of that user's LDAP directory entry, determining access to assets based on the user and group privileges of the asset, and denying access for users with expired passwords. Note that the mod_ssl module is required when using the mod_authz_ldap module.

To install these packages, use the yum command in the following form:
yum install package
For example, to perform the basic LDAP server installation, type the following at a shell prompt as root:
yum install openldap openldap-clients openldap-servers
Note that you must have superuser privileges (that is, you must be logged in as root) to run this command. For more information on how to install new packages in Fedora, refer to "Installing Packages".

14.1.2.1. Overview of OpenLDAP Server Utilities

To perform administrative tasks, the openldap-servers package installs the following utilities along with the slapd service:
Table 14.3. List of OpenLDAP server utilities
Command Description
slapacl Allows you to check the access to a list of attributes.
slapadd Allows you to add entries from an LDIF file to an LDAP directory.
slapauth Allows you to check a list of IDs for authentication and authorization permissions.
slapcat Allows you to pull entries from an LDAP directory in the default format and save them in an LDIF file.
slapdn Allows you to check a list of Distinguished Names (DNs) based on available schema syntax.
slapindex Allows you to re-index the slapd directory based on the current content. Run this utility whenever you change indexing options in the configuration file.
slappasswd Allows you to create an encrypted user password to be used with the ldapmodify utility, or in the slapd configuration file.
slapschema Allows you to check the compliance of a database with the corresponding schema.
slaptest Allows you to check the LDAP server configuration.

For a detailed description of these utilities and their usage, refer to the corresponding manual pages as referred to in "Installed Documentation".

Make sure the files have the correct owner

Although only root can run slapadd, the slapd service runs as the ldap user. Because of this, the directory server is unable to modify any files created by slapadd. To correct this issue, after running the slapadd utility, type the following at a shell prompt:
chown -R ldap:ldap /var/lib/ldap

Stop slapd before using these utilities

To preserve data integrity, stop the slapd service before using slapadd, slapcat, or slapindex. You can do so by typing the following at a shell prompt as root:
systemctl stop slapd.service
For more information on how to start, stop, restart, and check the current status of the slapd service, refer to "Running an OpenLDAP Server".

14.1.2.2. Overview of OpenLDAP Client Utilities

The openldap-clients package installs the following utilities which can be used to add, modify, and delete entries in an LDAP directory:
Table 14.4. List of OpenLDAP client utilities
Command Description
ldapadd Allows you to add entries to an LDAP directory, either from a file, or from standard input. It is a symbolic link to ldapmodify -a.
ldapcompare Allows you to compare a given attribute with an LDAP directory entry.
ldapdelete Allows you to delete entries from an LDAP directory.
ldapexop Allows you to perform extended LDAP operations.
ldapmodify Allows you to modify entries in an LDAP directory, either from a file, or from standard input.
ldapmodrdn Allows you to modify the RDN value of an LDAP directory entry.
ldappasswd Allows you to set or change the password for an LDAP user.
ldapsearch Allows you to search LDAP directory entries.
ldapurl Allows you to compose or decompose LDAP URLs.
ldapwhoami Allows you to perform a whoami operation on an LDAP server.

With the exception of ldapsearch, each of these utilities is more easily used by referencing a file containing the changes to be made rather than typing a command for each entry to be changed within an LDAP directory. The format of such a file is outlined in the man page for each utility.

14.1.2.3. Overview of Common LDAP Client Applications

Although there are various graphical LDAP clients capable of creating and modifying directories on the server, none of them is included in Fedora. Popular applications that can access directories in a read-only mode include Mozilla Thunderbird, Evolution, or Ekiga.

14.1.3. Configuring an OpenLDAP Server

By default, the OpenLDAP configuration is stored in the /etc/openldap/ directory. The following table highlights the most important directories and files within this directory:
Table 14.5. List of OpenLDAP configuration files and directories
Path Description
/etc/openldap/ldap.conf The configuration file for client applications that use the OpenLDAP libraries. This includes ldapadd, ldapsearch, Evolution, etc.
/etc/openldap/slapd.d/ The directory containing the slapd configuration.

Note that OpenLDAP no longer reads its configuration from the /etc/openldap/slapd.conf file. Instead, it uses a configuration database located in the /etc/openldap/slapd.d/ directory. If you have an existing slapd.conf file from a previous installation, you can convert it to the new format by running the following command as root:
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
The slapd configuration consists of LDIF entries organized in a hierarchical directory structure, and the recommended way to edit these entries is to use the server utilities described in "Overview of OpenLDAP Server Utilities".

Do not edit LDIF files directly

An error in an LDIF file can render the slapd service unable to start. Because of this, it is strongly advised that you avoid editing the LDIF files within the /etc/openldap/slapd.d/ directly.

14.1.3.1. Changing the Global Configuration

Global configuration options for the LDAP server are stored in the /etc/openldap/slapd.d/cn=config.ldif file. The following directives are commonly used:
olcAllows
The olcAllows directive allows you to specify which features to enable. It takes the following form:
olcAllows: feature
It accepts a space-separated list of features as described in Table 14.6, "Available olcAllows options". The default option is bind_v2.
Table 14.6. Available olcAllows options
Option Description
bind_v2 Enables the acceptance of LDAP version 2 bind requests.
bind_anon_cred Enables an anonymous bind when the Distinguished Name (DN) is empty.
bind_anon_dn Enables an anonymous bind when the Distinguished Name (DN) is not empty.
update_anon Enables processing of anonymous update operations.
proxy_authz_anon Enables processing of anonymous proxy authorization control.

Example 14.1. Using the olcAllows directive
olcAllows: bind_v2 update_anon

olcConnMaxPending
The olcConnMaxPending directive allows you to specify the maximum number of pending requests for an anonymous session. It takes the following form:
olcConnMaxPending: number
The default option is 100.
Example 14.2. Using the olcConnMaxPending directive
olcConnMaxPending: 100

olcConnMaxPendingAuth
The olcConnMaxPendingAuth directive allows you to specify the maximum number of pending requests for an authenticated session. It takes the following form:
olcConnMaxPendingAuth: number
The default option is 1000.
Example 14.3. Using the olcConnMaxPendingAuth directive
olcConnMaxPendingAuth: 1000

olcDisallows
The olcDisallows directive allows you to specify which features to disable. It takes the following form:
olcDisallows: feature
It accepts a space-separated list of features as described in Table 14.7, "Available olcDisallows options". No features are disabled by default.
Table 14.7. Available olcDisallows options
Option Description
bind_anon Disables the acceptance of anonymous bind requests.
bind_simple Disables the simple bind authentication mechanism.
tls_2_anon Disables the enforcing of an anonymous session when the STARTTLS command is received.
tls_authc Disallows the STARTTLS command when authenticated.

Example 14.4. Using the olcDisallows directive
olcDisallows: bind_anon

olcIdleTimeout
The olcIdleTimeout directive allows you to specify how many seconds to wait before closing an idle connection. It takes the following form:
olcIdleTimeout: number
This option is disabled by default (that is, set to 0).
Example 14.5. Using the olcIdleTimeout directive
olcIdleTimeout: 180

olcLogFile
The olcLogFile directive allows you to specify a file in which to write log messages. It takes the following form:
olcLogFile: file_name
The log messages are written to standard error by default.
Example 14.6. Using the olcLogFile directive
olcLogFile: /var/log/slapd.log

olcReferral
The olcReferral option allows you to specify a URL of a server to process the request in case the server is not able to handle it. It takes the following form:
olcReferral: URL
This option is disabled by default.
Example 14.7. Using the olcReferral directive
olcReferral: ldap://root.openldap.org

olcWriteTimeout
The olcWriteTimeout option allows you to specify how many seconds to wait before closing a connection with an outstanding write request. It takes the following form:
olcWriteTimeout: number
This option is disabled by default (that is, set to 0).
Example 14.8. Using the olcWriteTimeout directive
olcWriteTimeout: 180

14.1.3.2. Changing the Database-Specific Configuration

By default, the OpenLDAP server uses Berkeley DB (BDB) as a database back end. The configuration for this database is stored in the /etc/openldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif file. The following directives are commonly used in a database-specific configuration:
olcReadOnly
The olcReadOnly directive allows you to use the database in a read-only mode. It takes the following form:
olcReadOnly: boolean
It accepts either TRUE (enable the read-only mode), or FALSE (enable modifications of the database). The default option is FALSE.
Example 14.9. Using the olcReadOnly directive
olcReadOnly: TRUE

olcRootDN
The olcRootDN directive allows you to specify the user that is unrestricted by access controls or administrative limit parameters set for operations on the LDAP directory. It takes the following form:
olcRootDN: distinguished_name
It accepts a Distinguished Name (DN). The default option is cn=Manager,dc=my-domain,dc=com.
Example 14.10. Using the olcRootDN directive
olcRootDN: cn=root,dc=example,dc=com

olcRootPW
The olcRootPW directive allows you to set a password for the user that is specified using the olcRootDN directive. It takes the following form:
olcRootPW: password
It accepts either a plain text string, or a hash. To generate a hash, use the slappasswd utility, for example:
~]$ slappasswd
New password:
Re-enter new password:
{SSHA}WczWsyPEnMchFf1GRTweq2q7XJcvmSxD
Example 14.11. Using the olcRootPW directive
olcRootPW: {SSHA}WczWsyPEnMchFf1GRTweq2q7XJcvmSxD

olcSuffix
The olcSuffix directive allows you to specify the domain for which to provide information. It takes the following form:
olcSuffix: domain_name
It accepts a fully qualified domain name (FQDN). The default option is dc=my-domain,dc=com.
Example 14.12. Using the olcSuffix directive
olcSuffix: dc=example,dc=com

14.1.3.3. Extending Schema

Since OpenLDAP 2.3, the /etc/openldap/slapd.d/ directory also contains LDAP definitions that were previously located in /etc/openldap/schema/. It is possible to extend the schema used by OpenLDAP to support additional attribute types and object classes using the default schema files as a guide. However, this task is beyond the scope of this chapter. For more information on this topic, refer to http://www.openldap.org/doc/admin/schema.html.

14.1.4. Running an OpenLDAP Server

This section describes how to start, stop, restart, and check the current status of the Standalone LDAP Daemon. For more information on how to manage system services in general, refer to Chapter 7, Services and Daemons.

14.1.4.1. Starting the Service

To run the slapd service, type the following at a shell prompt as root:
systemctl start slapd.service
If you want the service to start automatically at the boot time, use the following command:
systemctl enable slapd.service
Refer to Chapter 7, Services and Daemons for more information on how to configure services in Fedora.

14.1.4.2. Stopping the Service

To stop the running slapd service, type the following at a shell prompt as root:
systemctl stop slapd.service
To prevent the service from starting automatically at the boot time, type:
systemctl disable slapd.service
Refer to Chapter 7, Services and Daemons for more information on how to configure services in Fedora.

14.1.4.3. Restarting the Service

To restart the running slapd service, type the following at a shell prompt as root:
systemctl restart slapd.service
This stops the service and immediately starts it again. Use this command to reload the configuration.

14.1.4.4. Checking the Service Status

To check whether the service is running, type the following at a shell prompt:
systemctl is-active slapd.service

14.1.5. Configuring a System to Authenticate Using OpenLDAP

In order to configure a system to authenticate using OpenLDAP, make sure that the appropriate packages are installed on both the LDAP server and client machines. For information on how to set up the server, follow the instructions in "Installing the OpenLDAP Suite" and "Configuring an OpenLDAP Server". On a client, type the following at a shell prompt as root:
yum install openldap openldap-clients nss-pam-ldapd
Chapter 8, Configuring Authentication provides detailed instructions on how to configure applications to use LDAP for authentication.

14.1.5.1. Migrating Old Authentication Information to LDAP Format

The migrationtools package provides a set of shell and Perl scripts to help you migrate authentication information into an LDAP format. To install this package, type the following at a shell prompt as root:
yum install migrationtools
This will install the scripts to the /usr/share/migrationtools/ directory. Once installed, edit the /usr/share/migrationtools/migrate_common.ph file and change the following lines to reflect the correct domain, for example:
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "example.com";

# Default base
$DEFAULT_BASE = "dc=example,dc=com";
Alternatively, you can specify the environment variables directly on the command line. For example, to run the migrate_all_online.sh script with the default base set to dc=example,dc=com, type:
export DEFAULT_BASE="dc=example,dc=com"
/usr/share/migrationtools/migrate_all_online.sh
To decide which script to run in order to migrate the user database, refer to Table 14.8, "Commonly used LDAP migration scripts".
Table 14.8. Commonly used LDAP migration scripts
Existing name service Is LDAP running? Script to use
/etc flat files yes migrate_all_online.sh
/etc flat files no migrate_all_offline.sh
NetInfo yes migrate_all_netinfo_online.sh
NetInfo no migrate_all_netinfo_offline.sh
NIS (YP) yes migrate_all_nis_online.sh
NIS (YP) no migrate_all_nis_offline.sh

For more information on how to use these scripts, refer to the README and the migration-tools.txt files in the /usr/share/doc/migrationtools-version/ directory.

14.1.6. Additional Resources

The following resources offer additional information on the Lightweight Directory Access Protocol. Before configuring LDAP on your system, it is highly recommended that you review these resources, especially the OpenLDAP Software Administrator's Guide.

14.1.6.1. Installed Documentation

The following documentation is installed with the openldap-servers package:
/usr/share/doc/openldap-servers-version/guide.html
A copy of the OpenLDAP Software Administrator's Guide.
/usr/share/doc/openldap-servers-version/README.schema
A README file containing the description of installed schema files.
Additionally, there are a number of manual pages that are installed with the openldap, openldap-servers, and openldap-clients packages:
Client Applications
  • man ldapadd — Describes how to add entries to an LDAP directory.
  • man ldapdelete — Describes how to delete entries within an LDAP directory.
  • man ldapmodify — Describes how to modify entries within an LDAP directory.
  • man ldapsearch — Describes how to search for entries within an LDAP directory.
  • man ldappasswd — Describes how to set or change the password of an LDAP user.
  • man ldapcompare — Describes how to use the ldapcompare tool.
  • man ldapwhoami — Describes how to use the ldapwhoami tool.
  • man ldapmodrdn — Describes how to modify the RDNs of entries.
Server Applications
  • man slapd — Describes command line options for the LDAP server.
Administrative Applications
  • man slapadd — Describes command line options used to add entries to a slapd database.
  • man slapcat — Describes command line options used to generate an LDIF file from a slapd database.
  • man slapindex — Describes command line options used to regenerate an index based upon the contents of a slapd database.
  • man slappasswd — Describes command line options used to generate user passwords for LDAP directories.
Configuration Files
  • man ldap.conf — Describes the format and options available within the configuration file for LDAP clients.
  • man slapd-config — Describes the format and options available within the configuration directory.

14.1.6.2. Useful Websites

http://www.openldap.org/doc/admin24/
The current version of the OpenLDAP Software Administrator's Guide.
http://www.kingsmountain.com/ldapRoadmap.shtml
Jeff Hodges' LDAP Roadmap & FAQ containing links to several useful resources and emerging news concerning the LDAP protocol.
http://www.ldapman.org/articles/
A collection of articles that offer a good introduction to LDAP, including methods to design a directory tree and customizing directory structures.
http://www.padl.com/
The website of the developers of several useful LDAP tools.