OS : CentOS7.9
1. OpenLDAP 설치
# yum install openldap-servers openldap openldap-clients openldap-devel nss_ldap compat-openldap
# vi /etc/sysconfig/slapd
# OpenLDAP server configuration
# see 'man slapd' for additional information
# Where the server will run (-h option)
# - ldapi:/// is required for on-the-fly configuration using client tools
# (use SASL with EXTERNAL mechanism for authentication)
# - default: ldapi:/// ldap:///
# - example: ldapi:/// ldap://127.0.0.1/ ldap://10.0.0.1:1389/ ldaps:///
# NOTE(review): ldap:/// opens the unencrypted listener on every interface. The
# simple binds used later in this guide (ldapsearch -x -W, kdb5_ldap_util -D ...)
# send the ldapadm password in clear over that listener unless ldaps:/// or
# STARTTLS is configured on the server and used by the clients.
SLAPD_URLS="ldapi:/// ldap:///"
# Any custom options
#SLAPD_OPTIONS=""
# Keytab location for GSSAPI Kerberos authentication
#KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab"
# vi /etc/openldap/ldap.conf
- URI, BASE 추가
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
# NOTE(review): ldap:// on 389 is unencrypted. The simple binds later in this
# guide (ldapsearch -x -W, kdb5_ldap_util -D ...) therefore carry the ldapadm
# password in clear text over the network. Switch to ldaps:// or add -ZZ
# (STARTTLS) once slapd has a TLS certificate whose CA is trusted via
# TLS_CACERTDIR below.
URI ldap://ygbaek02.gitcluster.com:389
BASE dc=gitcluster,dc=com
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
# directory of CA certificates the client uses to verify the slapd certificate
TLS_CACERTDIR /etc/openldap/certs
# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON on
# systemctl enable slapd
# systemctl start slapd
# slappasswd
{SSHA}ujblou8EfvI----
패스워드 설정하고 출력 기록해놓고 다음 단계에서 사용
# cd /etc/openldap/slapd.d/cn=config/
# vi admin.ldif
olcRootPW에 기록해놓은 패스워드 기입
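# admin.ldif - three modify records against the {2}hdb database.
# Each LDIF record must be separated from the next by one blank line; the
# separators appear to have been lost when the page was pasted, and without
# them ldapmodify sees a second "dn:" inside the first record and rejects it.
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=gitcluster,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=ldapadm,dc=gitcluster,dc=com

# olcRootPW takes the {SSHA} hash printed by slappasswd, never a cleartext password
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}ujblou8EfvI----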
# ldapmodify -Y EXTERNAL -H ldapi:/// -f admin.ldif
# vi monitor.ldif
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external, cn=auth" read by dn.base="cn=ldapadm,dc=gitcluster,dc=com" read by * none
# ldapmodify -Y EXTERNAL -H ldapi:/// -f monitor.ldif
# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
# chown ldap:ldap /var/lib/ldap/DB_CONFIG
# cd /etc/openldap/schema/
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
# vi base.ldif
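# base.ldif - one LDIF record per entry. Records must be separated by a blank
# line; the separators appear to have been lost when the page was pasted, and
# ldapadd rejects a file in which a second "dn:" follows without one.
#gitcluster.com
dn: dc=gitcluster,dc=com
dc: gitcluster
objectClass: top
objectClass: domain

#ldapadm, gitcluster.com
dn: cn=ldapadm, dc=gitcluster,dc=com
objectClass: organizationalRole
cn: ldapadm
description: LDAP Manager

#People, gitcluster.com
dn: ou=People, dc=gitcluster,dc=com
objectClass: organizationalUnit
ou: People

#Group, gitcluster.com
dn: ou=Group, dc=gitcluster,dc=com
objectClass: organizationalUnit
ou: Group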
# ldapadd -x -W -D "cn=ldapadm,dc=gitcluster,dc=com" -f base.ldif
# ldapsearch -x -H 'ldap://ygbaek02.gitcluster.com:389' -D "cn=ldapadm,dc=gitcluster,dc=com" -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=gitcluster,dc=com> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# gitcluster.com
dn: dc=gitcluster,dc=com
dc: gitcluster
objectClass: top
objectClass: domain
# ldapadm, gitcluster.com
dn: cn=ldapadm,dc=gitcluster,dc=com
objectClass: organizationalRole
cn: ldapadm
description: LDAP Manager
# People, gitcluster.com
dn: ou=People,dc=gitcluster,dc=com
objectClass: organizationalUnit
ou: People
# Group, gitcluster.com
dn: ou=Group,dc=gitcluster,dc=com
objectClass: organizationalUnit
ou: Group
# search result
search: 2
result: 0 Success
# numResponses: 5
# numEntries: 4
2. Krb server 설치
krb서버 노드만
# yum install krb5-server krb5-server-ldap openldap-clients krb5-workstation
# vi /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
GITCLUSTER.COM = {
master_key_type = aes256-cts
# plain numbers are seconds: 7 days renewable, 1 day ticket life
max_renewable_life = 604800
max_life = 86400
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
# NOTE(review): this is the stock CentOS list and still carries des-*,
# des3-hmac-sha1 and arcfour-hmac, all deprecated. The des-* entries only take
# effect when allow_weak_crypto is enabled (it is not set in the krb5.conf
# below - confirm), but des3 and arcfour keys are still generated for every
# new principal. Trimming the list to aes256-cts:normal aes128-cts:normal
# (plus camellia if a client needs it) avoids issuing weak long-term keys.
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
전체노드
# yum install openldap-clients krb5-workstation
krb서버 노드 OpenLDAP에 kerberos 스키마 생성
# cp /usr/share/doc/krb5-server-ldap-1.15.1/kerberos.schema /etc/openldap/schema
# vi /tmp/schema_convert.conf
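# schema_convert.conf - slapd.conf-style include list fed to slapcat so the
# legacy kerberos.schema can be converted to cn=config LDIF.
# On CentOS the schema directory is /etc/openldap/schema (where kerberos.schema
# was copied in the step above); /etc/ldap/schema is the Debian/Ubuntu path and
# does not exist here, so slapcat would fail on the first include.
# kerberos.schema must stay last: the {12} index used in the slapcat -s filter
# is its 0-based position in this list.
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/kerberos.schema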
# mkdir /tmp/ldif_output
# slapcat -f /tmp/schema_convert.conf -F /tmp/ldif_output/ -n0 -s "cn={12}kerberos,cn=schema,cn=config" > /tmp/cn=kerberos.ldif
# vi /tmp/cn=kerberos.ldif
# 위쪽 수정
dn: cn=kerberos,cn=schema,cn=config
...
cn: kerberos
# 아래쪽 여러줄 제거
structuralObjectClass: olcSchemaConfig
entryUUID: 18ccd010-746b-102d-9fbe-3760cca765dc
creatorsName: cn=config
createTimestamp: 20090111203515Z
entryCSN: 20090111203515.326445Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20090111203515
# ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/cn=kerberos.ldif
# vi /etc/openldap/slapd.d/cn=config/index.ldif
dn: olcDatabase={2}hdb,cn=config
add: olcDbIndex
olcDbIndex: krbPrincipalName eq,pres,sub
# ldapmodify -Y EXTERNAL -H ldapi:/// -f index.ldif
# vi /etc/krb5.conf
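# Configuration snippets may be placed in this directory as well
# includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
# pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
default_realm = GITCLUSTER.COM
# default_ccache_name = KEYRING:persistent:%{uid}
[realms]
GITCLUSTER.COM = {
kdc = ygbaek02.gitcluster.com
admin_server = ygbaek02.gitcluster.com
# names the [dbmodules] entry below: principals live in LDAP, not the local db2 file
database_module = openldap_ldapconf
}
[domain_realm]
.gitcluster.com = GITCLUSTER.COM
gitcluster.com = GITCLUSTER.COM
[appdefaults]
pam = {
debug = false
ticket_lifetime = 3600
renew_lifetime = 3600
forwardable = true
krb4_convert = false
}
[dbmodules]
openldap_ldapconf = {
db_library = kldap
ldap_kerberos_container_dn = cn=kerberos,dc=gitcluster,dc=com
# NOTE(review): both daemons bind as the directory rootdn, so a compromised
# KDC or kadmind has unrestricted write access to the whole tree. The kldap
# documentation recommends dedicated KDC and kadmind DNs whose olcAccess is
# limited to the cn=kerberos container.
ldap_kdc_dn = cn=ldapadm,dc=gitcluster,dc=com
ldap_kadmind_dn = cn=ldapadm,dc=gitcluster,dc=com
# written by "kdb5_ldap_util stashsrvpw" below; it holds the LDAP bind password
# in a form the KDC can read back, so keep it owned by root with mode 0600
ldap_service_password_file = /etc/krb5.conf.d/stash.keyfile
# the pasted page had these two settings fused onto one line, which would set
# ldap_servers to the string "ldapi:///ldap_conns_per_server = 5"
ldap_servers = ldapi:///
ldap_conns_per_server = 5
}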
# kdb5_ldap_util -D cn=ldapadm,dc=gitcluster,dc=com create -subtrees cn=kerberos,dc=gitcluster,dc=com -r GITCLUSTER.COM -s -H ldap://ygbaek02.gitcluster.com
Password for "cn=ldapadm,dc=gitcluster,dc=com":
Initializing database for realm 'GITCLUSTER.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
# kdb5_ldap_util -D cn=ldapadm,dc=gitcluster,dc=com stashsrvpw -f /etc/krb5.conf.d/stash.keyfile cn=ldapadm,dc=gitcluster,dc=com
Password for "cn=ldapadm,dc=gitcluster,dc=com":
Password for "cn=ldapadm,dc=gitcluster,dc=com":
Re-enter password for "cn=ldapadm,dc=gitcluster,dc=com":
# systemctl restart krb5kdc
# systemctl restart kadmin
# kadmin.local -q "addprinc admin/admin"
Authenticating as principal root/admin@GITCLUSTER.COM with password.
WARNING: no policy specified for admin/admin@GITCLUSTER.COM; defaulting to no policy
Enter password for principal "admin/admin@GITCLUSTER.COM":
Re-enter password for principal "admin/admin@GITCLUSTER.COM":
Principal "admin/admin@GITCLUSTER.COM" created.
realm 확인
# vi /var/kerberos/krb5kdc/kadm5.acl
*/admin@GITCLUSTER.COM *
# systemctl restart krb5kdc
# systemctl restart kadmin
3. ldap admin 설치