LDAP Internet Week 2003 (taru@valinux.co.jp) VA Linux Systems
Agenda
- LDAP and OpenLDAP
- postfix and qpopper with LDAP
- Redundant LDAP with heartbeat and mon
LDAP OpenLDAP
LDAP: Lightweight Directory Access Protocol
A lightweight directory access protocol, derived from X.500.

Data model
- Entries are arranged in a tree, the DIT (*1). Each entry is identified by its Distinguished Name (DN); the last component of the DN is the Relative Distinguished Name (RDN), written <type>=<value>.
  (*1) Directory Information Tree
- An entry is a set of attributes, each written <type>: <value>.
- objectclass: the structural objectclass says what kind of entry it is and which attribute is conventionally used as the RDN (uid for an account, ou for an organizational unit). An entry has exactly one structural objectclass; auxiliary objectclasses can be layered on top of it to add attributes.

Searching
- scope: base, one level, or subtree
- filter: <attribute>=<value>; examples:
    objectclass=*
    cn=taru*
    age>=18
    (&(cn=taru*)(age>=18))
- example search (subtree scope, returning only telephonenumber):
    ldapsearch -x -h ldap -s sub -b ou=,o= cn= * telephonenumber
LDAP implementations: Novell eDirectory (TM), Sun iPlanet (TM), OpenLDAP, NEC EDS (TM)
OpenLDAP: the open source LDAP implementation (BSD-style license). Components:
- servers: slapd (the directory server), slurpd (replication)
- offline database tools: slapadd, slapcat
- client library: libldap
- client commands: ldapsearch, ldapadd and friends
slapd supports LDAPv3, SASL, StartTLS (and SSL/ldaps) and authenticated binds (login).
Installing OpenLDAP 2.1 (it requires Berkeley DB 4.1):
    $ ./configure; make; sudo make install
    ~# /usr/local/libexec/slapd
Confirm that slapd answers by reading the rootDSE:
    ~$ /usr/local/bin/ldapsearch -x -s base -b "" +
Restarting slapd after editing slapd.conf:
    ~# killall slapd
    ~# /usr/local/libexec/slapd
or, with a packaged install, /etc/init.d/slapd restart.
slapd.conf: access control
    access to * by dn="cn=admin,dc=vass" write by * read
cn=admin,dc=vass may write everything; everyone else, anonymous clients included, may read everything. "Everything" includes userPassword, so with this rule alone the password hashes of all users can be read without authenticating. Put a separate rule for attrs=userPassword before it: slapd uses the first access directive whose target matches, and within it the first matching by clause.
slapd.conf (2)
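The world-readable rule from the slide beside a corrected version, as an added slapd.conf fragment that is not part of the original slides. It keeps the same admin DN, assumes the OpenLDAP 2.1 attrs= syntax, and adds "by self write" (a choice of this example) so users can change their own password; the userPassword rule must come first because the first matching access directive wins.

```conf
# Weak (as on the slide): everything, userPassword included, is readable by anyone.
access to * by dn="cn=admin,dc=vass" write by * read

# Corrected: userPassword may be used for binding (auth) and changed by its
# owner, but never read back; all other attributes stay readable as before.
access to attrs=userPassword
        by dn="cn=admin,dc=vass" write
        by self write
        by anonymous auth
        by * none
access to *
        by dn="cn=admin,dc=vass" write
        by * read
```

After changing the rules, restart slapd and check with an anonymous ldapsearch that userpassword no longer appears in the output while the other attributes still do.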
LDIF: adding entries
    dn: dc=my-domain,dc=com
    objectclass: top
    objectclass: domain
    dc: my-domain
    ~$ ldapadd -x -D "cn=manager,dc=my-domain,dc=com" -W < test.ldif
(-W prompts for the rootdn password; without -w or -W the bind does not authenticate as the rootdn and the add is refused.)
Modifying an entry with changetype: modify, here adding an objectclass to dc=my-domain,dc=com:
    dn: dc=my-domain,dc=com
    changetype: modify
    add: objectclass
    objectclass: person
Because person requires cn and sn, a real change must add those attributes in the same modification, or the server rejects it with an object class violation.
LDAP
LDAP (2)
Building postfix with LDAP map support:
    $ cd postfix-1.1.2/
    $ make tidy
    $ make makefiles CCARGS="-I/usr/local/include -DHAS_LDAP" AUXLIBS="-L/usr/local/lib -lldap -llber"
    $ make
    $ /bin/su -c "make install"
Check that the ldap map type was compiled in:
    $ /usr/sbin/postconf -m
    static
    nis
    regexp
    environ
    ldap
    btree
    hash
Naming context
Choose the naming context (the suffix under which all entries live) in slapd.conf:
    database bdb
    suffix "o=vaj"
    rootdn "cn=manager,o=vaj"
    rootpw secret
    directory /usr/local/var/openldap/vaj/
    index objectclass eq
Query the server for its naming contexts:
    $ ldapsearch -x -s base -b "" namingcontexts
A cleartext rootpw is for the demo only: put a hash generated by slappasswd there instead, and keep slapd.conf readable only by the user slapd runs as.
Creating the organization and ou=people,o=vaj (people.ldif):
    dn: o=vaj
    objectclass: organization
    o: VAJ

    dn: ou=people,o=vaj
    objectclass: organizationalunit
    ou: People
    $ ldapadd -x -D "cn=manager,o=vaj" -W < people.ldif
Prefer -W (prompt) over -w secret: a password given on the command line is visible in the process list and the shell history.
Adding user taru (taru.ldif):
    dn: uid=taru,ou=people,o=vaj
    uid: taru
    cn: Masato Taruishi
    objectclass: posixaccount
    objectclass: inetorgperson
    userpassword: {CRYPT}h9Z4VF89hXpl.
    loginshell: /bin/bash
    uidnumber: 1000
    gidnumber: 1000
    homedirectory: /home/taru
    sn: Taruishi
    mail: taru@debian.org
    $ ldapadd -x -D "cn=manager,o=vaj" -W < taru.ldif
Generating the userpassword value with slappasswd:
    $ /usr/local/sbin/slappasswd -h "{CRYPT}"
    New password:
    Re-enter new password:
    {CRYPT}h9Z4VF89hXpl.
{CRYPT} is used here because pam_ldap below is configured with pam_password crypt; a hash, never the cleartext, is what goes into the LDIF.
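How slapd later checks a bind against a stored userpassword value, as an added example in Python (not OpenLDAP code). slappasswd's default scheme is {SSHA}: base64 of SHA-1(password + salt) followed by the salt; {SHA} is the unsalted variant. {CRYPT}, used on the slide because pam_ldap does client-side crypt, is the Unix crypt(3) format and is not reimplemented here. The function names and the fixed salt in the usage are this example's own.

```python
"""Generate and verify OpenLDAP {SSHA}/{SHA} userPassword values.

Added example built on hashlib; not OpenLDAP code.  {SSHA} is
base64(SHA1(password + salt) + salt), slappasswd's default scheme.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

SHA1_LEN = 20  # SHA-1 digest length in bytes; whatever follows it is the salt


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return a {SSHA} value.  A fresh 4-byte salt (slappasswd's length) is
    drawn unless one is supplied, so two hashes of one password differ."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def sha_hash(password: str) -> str:
    """Return an unsalted {SHA} value (legacy: equal passwords give equal
    hashes, so a leaked directory is trivially searchable for duplicates)."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def verify_password(stored: str, password: str) -> bool:
    """Check a candidate password against a stored {SSHA} or {SHA} value,
    the way the server does on a simple bind."""
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
        expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
    elif stored.startswith("{SHA}"):
        digest = base64.b64decode(stored[len("{SHA}"):])
        expected = hashlib.sha1(password.encode("utf-8")).digest()
    else:
        raise ValueError("unsupported userPassword scheme in %r" % stored)
    # compare_digest runs in constant time, so a wrong guess cannot be
    # timed to learn how many leading bytes of the hash it got right
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    value = ssha_hash("secret")
    print(value)
    print(verify_password(value, "secret"), verify_password(value, "Secret"))
```

Because SHA-1 and crypt hashes are cheap to brute-force, the value of hashing depends on the hashes not being readable: this is why the userPassword attribute needs its own access rule rather than the blanket "by * read".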
postfix main.cf: resolve aliases through LDAP
    alias_maps = ldap:ldapalias
ldapalias is the name of the LDAP map; its parameters are main.cf entries prefixed with that name:
    ldapalias_server_host = localhost
    ldapalias_search_base = ou=people,o=vaj
    ldapalias_scope = sub
    ldapalias_query_filter = (uid=%s)
    ldapalias_result_attribute = mail
%s is replaced with the local part being looked up. Test the map:
    $ postmap -q taru ldap:ldapalias
    taru@debian.org
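The query_filter above is expanded with the looked-up local part, and the filter syntax from the search slide gives '*', '(', ')' and '\' special meaning, so any string that reaches a filter from outside must be escaped. The following Python is an added example, not Postfix or OpenLDAP code, showing RFC 4515 escaping applied to the (uid=%s) lookup and to the compound filter from the search slide. Whether the Postfix release on the slide escapes %s itself is not stated here and is an assumption worth confirming before relying on it; the helper names are this example's own.

```python
"""RFC 4515 filter-value escaping, applied to postfix's (uid=%s) lookup.

Added example; hypothetical helper functions, not postfix or OpenLDAP code.
"""

# Characters that carry meaning inside an LDAP filter and their
# RFC 4515 escapes (backslash followed by two hex digits of the byte).
FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string so it is matched literally as an assertion value."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def naive_alias_filter(local_part: str) -> str:
    """Plain substitution into (uid=%s): what a template expansion does
    when nothing escapes the value.  Shown for contrast only."""
    return "(uid=%s)" % local_part


def alias_filter(local_part: str) -> str:
    """The same lookup with the local part escaped."""
    return "(uid=%s)" % escape_filter_value(local_part)


def and_filter(*terms: str) -> str:
    """Combine filter items with the prefix AND operator from the search
    slide: and_filter("cn=taru*", "age>=18") -> (&(cn=taru*)(age>=18))."""
    return "(&" + "".join("(%s)" % term for term in terms) + ")"


def demo() -> dict:
    """Side by side: a local part of '*' turns the naive filter into
    'match every uid', while the escaped form matches a literal '*'."""
    hostile = "*"
    return {
        "naive": naive_alias_filter(hostile),      # (uid=*)
        "escaped": alias_filter(hostile),          # (uid=\2a)
        "compound": and_filter("cn=taru*", "age>=18"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-9s %s" % (name, value))
```

With (uid=*) the alias lookup returns the mail attribute of whatever entry the server happens to list first, which is how a crafted recipient address can be redirected; the escaped filter can only ever match an entry whose uid really is "*".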
POP: qpopper authenticates against LDAP through PAM (pam_ldap)
Building pam_ldap:
    $ ./configure
    $ make
    $ /bin/su -c "make install"
Configuration: /etc/ldap.conf (on Debian: /etc/pam_ldap.conf). The same file serves both pam_ldap and nss_ldap.
    host 127.0.0.1
    base ou=people,o=vaj
    ldap_version 3
    pam_password crypt
The bind carries the user's password in the clear, so keep the server on the loopback interface as here, or enable StartTLS (ssl start_tls) if it is remote.
/etc/pam.d/qpopper (qpopper consults LDAP first and falls back to the local passwd/shadow files):
    auth    sufficient  pam_ldap.so
    auth    required    pam_unix_auth.so shadow
    account sufficient  pam_ldap.so
    account required    pam_unix_acct.so
LDAP
- LDAP
Techniques for scaling a directory
- index
- replication
- referral (and replication combined with referrals)
- chaining
OpenLDAP: replication combined with referrals. The master records every change in a replogfile and slurpd pushes it to each replica; a replica answers reads itself and refers writes back to the master with updateref.
master slapd.conf:
    replogfile /usr/local/var/openldap-data/replogfile
    database bdb
    ...
    replica host=slave:389 bindmethod=simple binddn="cn=manager,o=vaj" credentials=secret
    ...
slave slapd.conf:
    database bdb
    ...
    updatedn "cn=manager,o=vaj"
    updateref "ldap://master:389/"
    ...
bindmethod=simple sends the credentials in the clear, so either run the replication link over TLS or keep master and slave on a trusted network; the updatedn is best a dedicated identity used only by slurpd.
OpenLDAP (2)
index
Indexing in slapd.conf: index {<attrlist> | default} [pres,eq,approx,sub,<special>]
    database bdb
    ...
    index objectclass,uid eq
    index cn,sn eq,sub
    ...
Index the attributes your filters actually use, with the matching rule they use (eq for uid=taru, sub for cn=taru*); a filter on an unindexed attribute makes slapd examine every entry. Index directives added to an existing database take effect only after rebuilding the indices with slapindex(8), run while slapd is stopped.
- UNIX ID
- ( )
Superior and subordinate knowledge information: a request for an entry that is not held locally is referred upward (Superior Knowledge Information) or downward (Subordinate Knowledge Information) to the server that holds it. The superior referral is set globally in slapd.conf:
    referral ldap://superior/
UNIX uid 16bit qpopper uid uid 1
/?
-
-
Redundant OpenLDAP with heartbeat and mon
- heartbeat links the two nodes; one is ACTIVE, the other STANDBY. When heartbeat stops hearing from ACTIVE (node failure), STANDBY takes over.
- mon runs on the ACTIVE side and checks the LDAP service itself; when LDAP stops answering although the node is up, mon's alert triggers a heartbeat failover.
- ACTIVE holds the Virtual IP and clients only ever talk to the Virtual IP; on failover the Virtual IP and the LDAP service move to STANDBY, which becomes the new ACTIVE.
Installing heartbeat:
    $ ./configure; make; /bin/su -c "make install"
Installing mon (it needs perl with the modules Period-1.20, Time-HiRes-1.42, Convert-BER-1.3101, Mon-0.11, Convert-ASN1-0.16 and perl-ldap-0.26; the LDAP monitor is written with perl-ldap):
    $ cd mon-0.99.2/
    # install mon /usr/local/sbin/
    # install alert.d/* alert/template /usr/local/lib/mon/alert.d/
    # install mon.d/*.monitor /usr/local/lib/mon/mon.d/
heartbeat configuration files:
    /usr/local/etc/ha.d/ha.cf
    /usr/local/etc/ha.d/authkeys
    /usr/local/etc/ha.d/haresources
    /usr/local/etc/ha.d/resource.d/ldap
ha.cf lists the nodes of the cluster:
    ...
    node master   # ACTIVE
    node backup   # STANDBY
    ...
authkeys selects how heartbeat packets are authenticated; method 2 here is keyed SHA-1 with a shared secret:
    auth 2
    2 sha1 HI!
Replace HI! with a real secret and keep the file mode 600 (heartbeat refuses to start otherwise): any host that knows the key can join the cluster and claim the Virtual IP.
haresources names the preferred node, the Virtual IP and the resources that move together:
    ...
    master 172.17.91.254 ldap
    ...
resource.d/ldap is the resource script that starts and stops LDAP (slapd) on whichever node holds the resources.
Test 1: start heartbeat on both ACTIVE and STANDBY
    /etc/init.d/heartbeat start
On ACTIVE, /sbin/ifconfig shows the Virtual IP and ps ax | grep slapd shows LDAP running (slapd -f slapd.master.conf); on STANDBY, check the LDAP state with ps ax | grep slapd.
Test 2: stop heartbeat on ACTIVE
    /etc/init.d/heartbeat stop
LDAP on ACTIVE is stopped, and STANDBY starts LDAP and takes the Virtual IP.
mon configuration files:
    /usr/local/etc/mon/mon.cf
    /usr/local/etc/ha.d/haresources
    /usr/local/lib/mon/alert.d/failover.alert
mon.cf:
    alertdir = /usr/local/lib/mon/alert.d
    mondir = /usr/local/lib/mon/mon.d
    histlength = 100

    hostgroup ldapmaster master       # the node holding the Virtual IP

    watch ldapmaster
        service ldap
            interval 10s              # check every 10 seconds
            failure_interval 2s       # poll faster once a failure is seen
            # ldap.monitor does an ldapsearch and checks the returned value
            monitor ldap.monitor --basedn= cn=manager,o=vaj --filter= cn=manager --value= organizationalrole
            period wd {Sun-Sat}
                alert failover.alert  # hand the resources to STANDBY
                alertafter 10s        # only if the failure persists 10 seconds
                numalerts 1           # a single alert per failure
haresources, with mon added as a resource so that it runs only on the ACTIVE node:
    ...
    master 172.17.91.254 ldap mon
    ...
Test 3: with heartbeat still running, stop LDAP on ACTIVE; mon sees the failed check and failover.alert makes heartbeat move the Virtual IP and LDAP to STANDBY, which becomes ACTIVE. alertafter 10s keeps a single slow answer from causing a failover, and numalerts 1 keeps mon from firing repeatedly while the hand-over is in progress.
OpenLDAP
-
LDAP OpenLDAP
References
- OpenLDAP: http://www.openldap.org/
- Berkeley DB: http://www.sleepycat.com/
- heartbeat: http://www.linux-ha.org/
- mon: http://www.us.kernel.org/pub/software/admin/mon/
- postfix: http://www.postfix.org/
- qpopper: http://www.eudora.com/qpopper/
- pam_ldap: http://www.padl.com/oss/pam_ldap.html
- http://www.valinux.co.jp/technical/ldap/