OpenLDAP-2.6.6

Introduction to OpenLDAP

The OpenLDAP package provides an open source implementation of the Lightweight Directory Access Protocol.

Note

Development versions of BLFS may not build or run some packages properly if LFS or dependencies have been updated since the most recent stable versions of the books.

Package Information

Additional Downloads

OpenLDAP Dependencies

Recommended

Optional

GnuTLS-3.8.2, Pth-2.0.7, unixODBC-2.3.12, MariaDB-10.11.6 or PostgreSQL-16.1 or MySQL, OpenSLP, WiredTiger, and Berkeley DB (deprecated) (for slapd, also deprecated)

Installation of OpenLDAP

Note

If you only need to install the client side ldap* binaries, corresponding man pages, libraries and header files (referred to as a client-only install), issue these commands instead of the following ones (no test suite is available):

patch -Np1 -i ../openldap-2.6.6-consolidated-1.patch &&
autoconf &&

./configure --prefix=/usr        \
            --sysconfdir=/etc    \
            --disable-static     \
            --enable-dynamic     \
            --disable-versioning \
            --disable-debug      \
            --disable-slapd &&

make depend &&
make

Then, as the root user:

make install

There should be a dedicated user and group to take control of the slapd daemon after it is started. Issue the following commands as the root user:

groupadd -g 83 ldap &&
useradd  -c "OpenLDAP Daemon Owner" \
         -d /var/lib/openldap -u 83 \
         -g ldap -s /bin/false ldap

Install OpenLDAP by running the following commands:

patch -Np1 -i ../openldap-2.6.6-consolidated-1.patch &&
autoconf &&

./configure --prefix=/usr         \
            --sysconfdir=/etc     \
            --localstatedir=/var  \
            --libexecdir=/usr/lib \
            --disable-static      \
            --disable-versioning  \
            --disable-debug       \
            --with-tls=openssl    \
            --with-cyrus-sasl     \
            --without-systemd     \
            --enable-dynamic      \
            --enable-crypt        \
            --enable-spasswd      \
            --enable-slapd        \
            --enable-modules      \
            --enable-rlookups     \
            --enable-backends=mod \
            --disable-sql         \
            --disable-wt          \
            --enable-overlays=mod &&

make depend &&
make

The tests are fragile, and errors may cause the tests to abort prior to finishing. Some errors may happen due to timing problems. The tests take around an hour, and the time is CPU independent due to delays in the tests. On most systems, the tests will run up to the test065-proxyauth for mdb test. To test the results, issue: make test.

Now, as the root user:

make install &&

sed -e "s/\.la/.so/" -i /etc/openldap/slapd.{conf,ldif}{,.default} &&

install -v -dm700 -o ldap -g ldap /var/lib/openldap     &&

install -v -dm700 -o ldap -g ldap /etc/openldap/slapd.d &&
chmod   -v    640     /etc/openldap/slapd.{conf,ldif}   &&
chown   -v  root:ldap /etc/openldap/slapd.{conf,ldif}   &&

install -v -dm755 /usr/share/doc/openldap-2.6.6 &&
cp      -vfr      doc/{drafts,rfc,guide} \
                  /usr/share/doc/openldap-2.6.6

Command Explanations

--disable-static: This switch prevents installation of static versions of the libraries.

--disable-debug: This switch disables the debugging code in OpenLDAP.

--enable-dynamic: This switch forces the OpenLDAP libraries to be dynamically linked to the executable programs.

--disable-versioning: This switch disables symbol versioning in the OpenLDAP libraries.

--enable-crypt: This switch enables using crypt(3) passwords.

--enable-spasswd: This switch enables SASL password verification.

--enable-modules: This switch enables dynamic module support.

--enable-rlookups: This switch enables reverse lookups of client hostnames.

--enable-backends: This switch enables all available backends.

--enable-overlays: This switch enables all available overlays.

--disable-sql: This switch explicitly disables the SQL backend. Omit this switch if a SQL server is installed and you are going to use a SQL backend.

--disable-wt: This switch explicitly disables the WiredTiger backend. Omit this switch if WiredTiger is installed and you are going to use a WiredTiger backend.

--libexecdir=/usr/lib: This switch controls where the /usr/lib/openldap directory is installed. Everything in that directory is a library, so it belongs under /usr/lib instead of /usr/libexec.

--enable-slp: This switch enables SLPv2 support. Use it if you have installed OpenSLP.

Note

You can run ./configure --help to see if there are other switches you can pass to the configure command to enable other options or dependency packages.

install ..., chown ..., and chmod ...: Having the slapd configuration files and the ldap databases in /var/lib/openldap readable by anyone is a SECURITY ISSUE, especially since a file stores the admin password in PLAIN TEXT. That's why mode 640 and root:ldap ownership were used. The owner is root, so only root can modify the file, and the group is ldap, so that the group which owns the slapd daemon can read but not modify the file in case of a security breach.
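The following audit script is an added example, not part of the BLFS page or of OpenLDAP. It checks the two exposures described above on constructed files: configuration readable by "other" and a root password stored as a bare word instead of a {SCHEME}-prefixed hash such as the {SSHA} value slappasswd produces. It assumes a Linux find(1) and grep -E; the {SSHA} value it writes is a placeholder, not real slappasswd output, and ownership is compared against the invoking user so the demo runs without the ldap account existing.

```shell
#!/bin/sh
# Added example (not from the BLFS page): audit slapd configuration files for
# world-readable permissions and a plaintext root password.

# check_conf_perms FILE OWNER GROUP
# Succeeds only if FILE exists, is owned by OWNER:GROUP, is neither readable nor
# writable by "other" and is not group-writable (the page's target is root:ldap 640
# for slapd.conf/slapd.ldif, and ldap:ldap 700 for the directories).
check_conf_perms() {
    f=$1 owner=$2 group=$3 bad=0
    [ -e "$f" ] || { echo "missing: $f"; return 1; }
    # -prune keeps find on the path itself, so a directory is checked without descending
    [ -z "$(find "$f" -prune -perm -004)" ] || { echo "world-readable: $f"; bad=1; }
    [ -z "$(find "$f" -prune -perm -002)" ] || { echo "world-writable: $f"; bad=1; }
    [ -z "$(find "$f" -prune -perm -020)" ] || { echo "group-writable: $f"; bad=1; }
    [ -z "$(find "$f" -prune ! -user "$owner")" ] || { echo "owner is not $owner: $f"; bad=1; }
    [ -z "$(find "$f" -prune ! -group "$group")" ] || { echo "group is not $group: $f"; bad=1; }
    return "$bad"
}

# check_rootpw_hashed FILE
# Succeeds only if every rootpw (slapd.conf) or olcRootPW (slapd.ldif) value starts
# with a {SCHEME} prefix; a bare word is a plaintext password. Base64-encoded
# "olcRootPW::" values are not decoded by this check.
check_rootpw_hashed() {
    if grep -Eiq '^[[:space:]]*(rootpw|olcRootPW:)[[:space:]]+[^{[:space:]]' "$1"; then
        echo "plaintext root password in $1"
        return 1
    fi
    return 0
}

# Demonstration on constructed files in a temporary directory. The hash is a
# placeholder, not real slappasswd output.
demo() {
    tmp=$(mktemp -d) || return 1
    me=$(id -un) mg=$(id -gn)
    printf 'rootdn "cn=Manager,dc=my-domain,dc=com"\nrootpw secret\n' > "$tmp/slapd.conf"
    chmod 644 "$tmp/slapd.conf"
    echo "== as shipped (mode 644, plaintext rootpw) =="
    check_conf_perms "$tmp/slapd.conf" "$me" "$mg" || echo "permissions: FAIL"
    check_rootpw_hashed "$tmp/slapd.conf" || echo "rootpw: FAIL"
    chmod 640 "$tmp/slapd.conf"
    printf 'rootdn "cn=Manager,dc=my-domain,dc=com"\nrootpw {SSHA}placeholder-hash\n' > "$tmp/slapd.conf"
    echo "== hardened (mode 640, hashed rootpw) =="
    check_conf_perms "$tmp/slapd.conf" "$me" "$mg" && echo "permissions: OK"
    check_rootpw_hashed "$tmp/slapd.conf" && echo "rootpw: OK"
    rm -rf "$tmp"
    return 0
}
demo
```

On a real installation the calls would be check_conf_perms /etc/openldap/slapd.conf root ldap and check_conf_perms /var/lib/openldap ldap ldap, run as root after the install step above.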

Configuring OpenLDAP

Config Files

  • For LDAP client: /etc/openldap/ldap.conf and ~/.ldaprc

  • For LDAP server, two configuration mechanisms are used: a legacy /etc/openldap/slapd.conf configuration file and the recommended slapd-config system, using an LDIF database stored in /etc/openldap/slapd.d.

Configuration Information

Configuring the slapd servers can be complex. Securing the LDAP directory, especially if you are storing non-public data such as password databases, can also be a challenging task. In order to set up OpenLDAP, you'll need to modify either the /etc/openldap/slapd.conf file (old method), or the /etc/openldap/slapd.ldif file and then use ldapadd to create the LDAP configuration database in /etc/openldap/slapd.d (recommended by the OpenLDAP documentation).

Warning

The instructions above install an empty LDAP structure and a default /etc/openldap/slapd.conf file, which are suitable for testing the build and other packages using LDAP. Do not use them on a production server.

Resources to assist you with topics such as choosing a directory configuration, backend and database definitions, access control settings, running as a user other than root and setting a chroot environment include:

Systemd Unit

To start the LDAP server automatically at system boot, use the slapd.service unit included in the blfs-systemd-units-20231205 package. Install it with the following command:

make install-slapd

Note

You'll need to modify /etc/default/slapd to include the parameters needed for your specific configuration. See the slapd man page for parameter information.

Testing the Configuration

Start the LDAP server using systemctl:

systemctl start slapd

Verify access to the LDAP server with the following command:

ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts

The expected result is:

# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: namingContexts
#

#
dn:
namingContexts: dc=my-domain,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
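The ldapsearch output above is LDIF, so the check can be scripted instead of read by eye. The script below is an added example, not part of the BLFS page or of OpenLDAP: it unfolds LDIF continuation lines, extracts every value of a named attribute (decoding the base64 "::" form), and confirms the result code is 0. The sample it runs on is constructed from the page's output with one value folded across two lines and one base64-encoded to exercise the parser; it assumes awk and a base64 tool that accepts -d.

```shell
#!/bin/sh
# Added example (not from the BLFS page): parse ldapsearch LDIF output so the
# namingContexts probe can be checked from a script.

# ldif_unfold: join continuation lines (a line starting with one space continues the
# previous line, per RFC 2849) so every attribute sits on a single line.
ldif_unfold() {
    awk '
        /^ /   { printf "%s", substr($0, 2); next }
        NR > 1 { printf "\n" }
               { printf "%s", $0 }
        END    { if (NR > 0) printf "\n" }
    '
}

# ldif_attr NAME: print every value of attribute NAME from LDIF on stdin, one per line.
# "NAME:: value" carries a base64-encoded value and is decoded; comment lines (#) and
# other attributes are ignored.
ldif_attr() {
    attr=$1
    ldif_unfold | while IFS= read -r line; do
        case $line in
            "$attr:: "*) printf '%s' "${line#"$attr:: "}" | base64 -d; printf '\n' ;;
            "$attr: "*)  printf '%s\n' "${line#"$attr: "}" ;;
        esac
    done
}

# ldif_result_ok: succeed only if the search result line reports LDAP result code 0.
ldif_result_ok() {
    ldif_unfold | grep -q '^result: 0 '
}

# Constructed sample, modelled on the output shown on the page. "dc=my-domain,dc=com" is
# folded over two lines; the second value is base64 for "dc=example,dc=com".
SAMPLE_LDIF='# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: namingContexts
#

#
dn:
namingContexts: dc=my-dom
 ain,dc=com
namingContexts:: ZGM9ZXhhbXBsZSxkYz1jb20=

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1'

# probe_sample: the check a service health script would run, here on the sample.
probe_sample() {
    printf '%s\n' "$SAMPLE_LDIF" | ldif_result_ok || { echo "search failed"; return 1; }
    printf '%s\n' "$SAMPLE_LDIF" | ldif_attr namingContexts
}
probe_sample
```

Against a live server the same functions take the real output: ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts | ldif_attr namingContexts, with ldif_result_ok on a second run of the query for the status check.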

Contents

Installed Programs: ldapadd, ldapcompare, ldapdelete, ldapexop, ldapmodify, ldapmodrdn, ldappasswd, ldapsearch, ldapurl, ldapvc, ldapwhoami, slapacl, slapadd, slapauth, slapcat, slapd, slapdn, slapindex, slapmodify, slappasswd, slapschema, and slaptest
Installed Libraries: liblber.so, libldap.so, and several under /usr/lib/openldap
Installed Directories: /etc/openldap, /{usr,var}/lib/openldap, /usr/share/doc/openldap-2.6.6

Short Descriptions

ldapadd

opens a connection to an LDAP server, binds and adds entries

ldapcompare

opens a connection to an LDAP server, binds and performs a compare using specified parameters

ldapdelete

opens a connection to an LDAP server, binds and deletes one or more entries

ldapexop

issues the LDAP extended operation specified by oid or one of the special keywords whoami, cancel, or refresh

ldapmodify

opens a connection to an LDAP server, binds and modifies entries

ldapmodrdn

opens a connection to an LDAP server, binds and modifies the RDN of entries

ldappasswd

is a tool used to set the password of an LDAP user

ldapsearch

opens a connection to an LDAP server, binds and performs a search using specified parameters

ldapurl

is a command that allows you to either compose or decompose LDAP URIs

ldapvc

verifies LDAP credentials

ldapwhoami

opens a connection to an LDAP server, binds and displays whoami information

slapacl

is used to check the behavior of slapd by verifying access to directory data according to the access control list directives defined in its configuration

slapadd

is used to add entries specified in LDAP Directory Interchange Format (LDIF) to an LDAP database

slapauth

is used to check the behavior of the slapd in mapping identities for authentication and authorization purposes, as specified in slapd.conf

slapcat

is used to generate an LDAP LDIF output based upon the contents of a slapd database

slapd

is the standalone LDAP server

slapdn

checks a list of string-represented DNs based on schema syntax

slapindex

is used to regenerate slapd indexes based upon the current contents of a database

slapmodify

modifies entries in a slapd database

slappasswd

is an OpenLDAP password utility

slapschema

is used to check schema compliance of the contents of a slapd database

slaptest

checks the sanity of the slapd.conf file

liblber.so

is a set of Lightweight Basic Encoding Rules routines. These routines are used by the LDAP library routines to encode and decode LDAP protocol elements using the (slightly simplified) Basic Encoding Rules defined by LDAP. They are not normally used directly by an LDAP application program except in the handling of controls and extended operations

libldap.so

supports the LDAP programs and provides functionality for other programs interacting with LDAP