OpenLDAP은 OpenLDAP 프로젝트가 개발한 LDAP의 자유 오픈 소스 구현체이다. OpenLDAP 퍼블릭 라이선스라는 이름의 자체 BSD 스타일 라이선스로 배포된다.
공식 홈페이지에서 소스를 다운로드한다.
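# Debian/Ubuntu equivalent of the dnf lines below (kept for reference):
# apt install build-essential libtool autoconf automake libssl-dev libsasl2-dev libdb-dev liblmdb-dev libevent-dev uuid-dev groff pcre2-utils libpcre3-dev
sudo dnf groupinstall -y "Development Tools"
# systemd-devel was listed twice in the original command; once is enough.
sudo dnf install -y libtool make gcc openssl-devel libdb-devel cyrus-sasl-devel libuuid-devel libicu-devel krb5-devel systemd-devel wget vim perl-ExtUtils-Embed libtool-ltdl unixODBC
# The two -devel packages are fetched from the CentOS Stream CRB repository via rpmfind.
# Installing a local file with dnf does NOT verify its signature by default
# (localpkg_gpgcheck is off), so each download is checked with `rpm -K` first;
# this needs the CentOS signing key imported, and fails closed otherwise.
for rpm_file in libtool-ltdl-devel-2.4.6-46.el9.x86_64.rpm unixODBC-devel-2.3.9-4.el9.x86_64.rpm; do
  wget "https://rpmfind.net/linux/centos-stream/9-stream/CRB/x86_64/os/Packages/${rpm_file}"
  rpm -K "${rpm_file}" || exit 1
  sudo dnf install -y "./${rpm_file}"
done
# Version note: this step extracts 2.5.19, but the `slapd -V` output and the schema
# copy further down refer to 2.6.10 — use one version consistently.
tar -xzf openldap-2.5.19.tgz
cd openldap-2.5.19/ || exit 1
# Variant with loadable backends (--enable-backends=mod), kept for reference:
# ./configure --prefix=/usr/local/openldap --sysconfdir=/etc/openldap --enable-debug --enable-slapd --enable-modules --enable-rlookups --enable-backends=mod --enable-dynamic --with-tls=openssl --with-cyrus-sasl --enable-crypt --enable-spasswd
./configure --prefix=/usr/local/openldap --sysconfdir=/etc/openldap --enable-debug --enable-slapd --enable-modules --enable-rlookups --enable-dynamic --with-tls=openssl --with-cyrus-sasl --enable-crypt --enable-spasswd
make depend
make
# If `make test` reports errors, start again from ./configure; the exit status
# stops the script here instead of installing a build that failed its tests.
make test || exit 1
# Only after `make test` passes (sudo used for consistency with the other steps).
sudo make install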
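# Runtime directories. slapd runs as the unprivileged `ldap` account (see the unit
# file later), so only the data and pid/args directories are handed to it; the
# install tree under /usr/local/openldap stays root-owned.
sudo mkdir -p /var/lib/openldap /var/run/openldap /etc/openldap/slapd.d
# Environment for the shell that runs the remaining commands.
export HOME=/root
export OPENLDAP_HOME=/usr/local/openldap
export KEYCLOAK_HOME=/usr/lib/keycloak
# The original used $OPENLDAP (never set) and $KECLOAK_HOME (typo), so neither
# tree actually ended up on PATH / LD_LIBRARY_PATH.
export PATH="$OPENLDAP_HOME/bin:$OPENLDAP_HOME/sbin:$KEYCLOAK_HOME/bin:$PATH"
export LD_LIBRARY_PATH="$OPENLDAP_HOME/lib:$KEYCLOAK_HOME/lib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
# `make install` places slapd in libexec; expose it in sbin, which is the path the
# unit file's ExecStart uses. -sfn makes the step re-runnable.
cd "$OPENLDAP_HOME/sbin" || exit 1
ln -sfn ../libexec/slapd slapd
slapd -V
# @(#) $OpenLDAP: slapd 2.6.10 (Jul 11 2025 09:56:02) $
# root@auth.haedongg.net:/root/temp/openldap/openldap-2.6.10/servers/slapd
ldapsearch -VV
# ldapsearch: @(#) $OpenLDAP: ldapsearch 2.6.10 (Jul 11 2025 09:55:12) $
# root@auth.haedongg.net:/root/temp/openldap/openldap-2.6.10/clients/tools
# (LDAP library: OpenLDAP 20610)
# Service account: system user, no home, no login shell. The getent guards keep
# the step idempotent on re-runs.
getent group ldap >/dev/null || sudo groupadd --system ldap
getent passwd ldap >/dev/null || sudo useradd --system --no-create-home --shell /sbin/nologin --gid ldap ldap
# -p: both directories were already created above; a bare mkdir would fail here.
sudo mkdir -p /var/run/openldap /var/lib/openldap
sudo chown -R ldap:ldap /var/run/openldap /var/lib/openldap
# Schema files are copied from the extracted source tree. SOURCE_FILE_DIRECTORY was
# never defined on this page, so require it explicitly; the version in the path must
# match the tarball that was actually extracted (2.5.19 above vs 2.6.10 here).
: "${SOURCE_FILE_DIRECTORY:?set to the directory that contains the extracted openldap source}"
sudo mkdir -p "$OPENLDAP_HOME/schema"
sudo cp "$SOURCE_FILE_DIRECTORY"/openldap-2.6.10/servers/slapd/schema/*.schema "$OPENLDAP_HOME/schema"
# Deliberately NOT `chown -R ldap:ldap /usr/local/openldap`: the account slapd runs
# as must not own the binaries, the modulepath it loads back_mdb.la from, or the
# schema files — read access (the make-install default) is all it needs.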
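# slapd.conf holds rootpw, so it is written rather than appended (re-running `tee -a`
# would duplicate every directive) and then restricted to root plus the ldap group.
# The quoted delimiter keeps the shell from expanding anything inside the file.
sudo tee /etc/openldap/slapd.conf >/dev/null <<'EOF'
### ========== Global Settings ==========
include /usr/local/openldap/schema/core.schema
include /usr/local/openldap/schema/cosine.schema
include /usr/local/openldap/schema/inetorgperson.schema
include /usr/local/openldap/schema/nis.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# TLS/SSL Configuration
# None of these three files is created anywhere in this procedure; they must exist
# (and be readable by the ldap group) before the ldaps:/// listener in the unit file
# is used.
TLSCertificateFile /etc/openldap/certs/cert.pem
TLSCertificateKeyFile /etc/openldap/certs/key.pem
TLSCACertificateFile /etc/openldap/certs/ca.pem
# Module support (optional if you load extra backends)
modulepath /usr/local/openldap/libexec/openldap
moduleload back_mdb.la
### ========== Logging ==========
loglevel stats
### ========== Backend Configuration ==========
database mdb
maxsize 1073741824
suffix "dc=haedongg,dc=net"
rootdn "cn=root,dc=haedongg,dc=net"
# Never a cleartext password here: paste the {SSHA} hash printed by slappasswd.
rootpw {SSHA}ENCRYPTED_STRING
# Data directory (must exist and be writable)
directory /var/lib/openldap
# Indexing rules
index objectClass eq
index cn,sn,uid eq,pres,sub
index mail eq,pres,sub
# Access Control
# Order matters: slapd uses the FIRST "access to" clause whose <what> matches the
# entry, then the first matching "by" line inside it. The "by" lines are indented
# because slapd.conf treats a line starting with whitespace as a continuation of the
# previous directive; an unindented "by" is read as an unknown directive.
access to attrs=userPassword
  by self write
  by anonymous auth
  by dn="cn=root,dc=haedongg,dc=net" write
  by * none
# Administrator rights
access to *
  by dn.exact="uid=haedong,dc=haedongg,dc=net" manage
  by dn.exact="uid=administrator,ou=administrators,dc=haedongg,dc=net" manage
  by dn.exact="uid=leader,ou=project,dc=haedongg,dc=net" manage
  by * read
# NOTE: the "access to *" clause above already matches every remaining entry, so the
# two clauses below are never consulted — their "by * none" does not take effect and,
# as written, anonymous clients can read everything except userPassword. Fold the
# intended "by" lines into the clause above and delete these.
access to *
  by self write
  by dn="cn=admin,dc=haedongg,dc=net" write
  by users read
  by * none
access to *
  by * read
EOF
sudo chown root:ldap /etc/openldap/slapd.conf
sudo chmod 640 /etc/openldap/slapd.conf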
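# Quoted heredoc delimiter: with an unquoted <<EOF the shell expanded $MAINPID to an
# empty string, leaving "ExecReload=/bin/kill -HUP" (no pid) in the unit file. Written
# without -a so re-running does not append a second copy of the unit.
sudo tee /lib/systemd/system/slapd.service >/dev/null <<'EOF'
[Unit]
Description=OpenLDAP Server
After=network.target
[Service]
Type=simple
Environment="PATH=/usr/local/openldap/bin:/usr/local/openldap/sbin:/usr/bin:/sbin:/bin:/usr/sbin"
# To change the listen ports:
# ExecStart=/usr/local/openldap/sbin/slapd -u ldap -g ldap -f /etc/openldap/slapd.conf -h "ldap://:1389 ldaps://:1636 ldapi:///"
# slapd starts as root and drops to ldap:ldap (-u/-g). ldaps:/// requires the TLS files
# named in slapd.conf to exist. /var/run/openldap (pidfile/argsfile) is presumably on
# tmpfs and gone after a reboot — verify, and recreate it (e.g. via RuntimeDirectory=)
# if slapd fails to start after a reboot.
ExecStart=/usr/local/openldap/sbin/slapd -u ldap -g ldap -f /etc/openldap/slapd.conf -h "ldap:/// ldaps:///"
ExecReload=/bin/kill -HUP $MAINPID
ExecStop=/bin/kill -TERM $MAINPID
# Not needed with Type=simple. Note that slapd.conf writes the pid to
# /var/run/openldap/slapd.pid, not /var/run/slapd.pid.
# PIDFile=/var/run/slapd.pid
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target
EOF
# Make the new unit visible to systemd before it is enabled or started.
sudo systemctl daemon-reload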
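# Base entry for the configured suffix. Written (not appended) so re-runs do not
# produce a file with duplicate entries; the quoted delimiter prevents expansion.
sudo tee init >/dev/null <<'EOF'
dn: dc=haedongg,dc=net
objectClass: top
objectClass: domain
dc: haedongg
EOF
# -W prompts for the rootpw interactively so the secret never appears on the command
# line (ps, shell history). -x is a simple bind: fine over loopback/ldapi, otherwise
# prefer ldaps:// so the password is not sent in clear.
ldapadd -x -D "cn=root,dc=haedongg,dc=net" -W -f init
ldapwhoami -x -D "cn=root,dc=haedongg,dc=net" -W
# Expected interaction and output of ldapwhoami (in the original these two lines were
# not commented and would have been executed as commands):
# Enter LDAP Password:
# dn:cn=root,dc=haedongg,dc=net
# Generate the salted hash used for userPassword (and rootpw) values.
slappasswd
# New password: test
# Re-enter new password: test
# {SSHA}ENCRYPTED_STRING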
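# Test user entry. Replace ENCRYPTED_STRING with the hash printed by slappasswd; the
# file must not contain a cleartext password. Written without -a so re-runs do not
# append duplicate entries.
sudo tee test >/dev/null <<'EOF'
dn: uid=test,ou=test,ou=users,dc=haedongg,dc=net
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: test
sn: test
uid: test
userPassword: {SSHA}ENCRYPTED_STRING
EOF
# The parent entries ou=users,dc=haedongg,dc=net and ou=test,ou=users,... are not
# created anywhere in this procedure; they must exist first, otherwise ldapadd is
# expected to fail with "No such object".
# Bind DN corrected: "cn=root,dc=haedongg.net,dc=net" is not the rootdn configured in
# slapd.conf. 389 is the default port of the unit file's "ldap:///" listener (the
# original had the placeholder "port" here).
ldapadd -x -H ldap://localhost:389 -D "cn=root,dc=haedongg,dc=net" -W -f test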