
OpenLDAP + phpLDAPadmin installation and configuration

by _viper_ 2020. 9. 2.

OpenLDAP

  • A directory service that stores and serves directory (user/group) information over the LDAP protocol

phpLDAPadmin

  • A web-based LDAP client application for managing an OpenLDAP server from a browser

1. Install OpenLDAP

$ sudo yum -y install openldap-servers openldap-clients
$ sudo systemctl start slapd
$ sudo systemctl status slapd
$ sudo systemctl enable slapd
$ sudo yum -y install net-tools
$ sudo netstat -antup | grep -i 389
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 8969/slapd
tcp6 0 0 :::389 :::* LISTEN 8969/slapd

  • slapd is now listening on 389/tcp on every interface. This is plain LDAP: a simple bind over ldap:// sends the password in cleartext, so until TLS (ldaps:// or StartTLS) is configured keep 389 firewalled to localhost and the admin hosts. The configuration steps below deliberately use the local ldapi:/// socket with SASL EXTERNAL (root's peer credentials) rather than a network bind.

2. Set up the LDAP admin password

  • slappasswd prompts for the password and prints its salted SHA-1 hash. Keep the whole '{SSHA}...' line: it goes into olcRootPW in db.ldif in the next step
$ slappasswd
New password:
Re-enter new password:
{SSHA}V+r+8lNWJ+l/XCJg6IJn/uE/EEjLOrHl
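How that '{SSHA}' value is built, as an added example that is not part of the original post: the string slappasswd prints is base64(SHA-1(password || salt) || salt) with a 4-byte random salt, and the same construction lets you confirm, before touching cn=config, that the hash pasted into db.ldif really matches the password you typed. The function names, the demo password and the salt are my own; nothing here talks to slapd.

```python
"""Rebuild and verify OpenLDAP '{SSHA}' password hashes (standard library only).

{SSHA} = "{SSHA}" + base64( SHA1(password || salt) || salt ).
slappasswd uses a 4-byte random salt by default; the verifier accepts any
salt length because it reads the salt back out of the stored value.
"""
import base64
import hashlib
import hmac
import os

SHA1_LEN = 20  # bytes in a SHA-1 digest; everything after it is the salt


def ssha_hash(password, salt=None):
    """Return the '{SSHA}...' string slappasswd would print for this password."""
    if salt is None:
        salt = os.urandom(4)  # same salt length as slappasswd's default
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """True if password matches a '{SSHA}...' value such as olcRootPW."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value: %r" % stored[:8])
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # constant-time compare: pointless for a local check, but the right habit
    return hmac.compare_digest(candidate, digest)


def rootpw_matches(ldif_text, password):
    """Find the olcRootPW line in a db.ldif and check it against password.

    Returns None when the text has no olcRootPW line at all.
    """
    for line in ldif_text.splitlines():
        if line.startswith("olcRootPW: "):
            return ssha_verify(password, line[len("olcRootPW: "):].strip())
    return None


if __name__ == "__main__":
    # Constructed demo: a throwaway password and the db.ldif layout from the post.
    pw = "example-password"
    hashed = ssha_hash(pw)
    db_ldif = (
        "dn: olcDatabase={2}hdb,cn=config\n"
        "changetype: modify\n"
        "replace: olcRootPW\n"
        "olcRootPW: " + hashed + "\n"
    )
    print(hashed)
    print("db.ldif matches typed password:", rootpw_matches(db_ldif, pw))
    print("wrong password rejected:", not rootpw_matches(db_ldif, "wrong"))
```

SHA-1 with a 4-byte salt is cheap to brute-force offline, so treat the scratch db.ldif and /etc/openldap/slapd.d (where olcRootPW ends up) as secrets: delete the file or chmod 600 it once it has been applied.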

 

3. Configure the OpenLDAP server

  • Create db.ldif and apply it. The file is only input to ldapmodify, so any working directory will do; it does not become part of the slapd.d config tree. olcRootPW takes the '{SSHA}...' value from step 2 (on CentOS 7 the default data backend is olcDatabase={2}hdb)
$ cd /etc/openldap/slapd.d/
$ vi db.ldif
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=hadoop,dc=com
-
replace: olcRootDN
olcRootDN: cn=ldapadm,dc=hadoop,dc=com
-
replace: olcRootPW
olcRootPW: {SSHA}V+r+8lNWJ+l/XCJg6IJn/uE/EEjLOrHl

  • Apply db.ldif with ldapmodify over the local ldapi:/// socket, then read the database entry back to confirm that olcSuffix, olcRootDN and olcRootPW were replaced
$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f db.ldif
$ sudo ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "olcDatabase={2}hdb,cn=config"

  • monitor.ldif: grant read access to the cn=monitor database only to root (authenticated through the ldapi:/// peer credentials) and to the new ldapadm root DN; everyone else gets nothing
$ vi monitor.ldif
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=ldapadm,dc=hadoop,dc=com" read by * none

  • Apply monitor.ldif with ldapmodify and read the entry back to confirm the new olcAccess
$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f monitor.ldif
$ sudo ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "olcDatabase={1}monitor,cn=config"

4. Set up the LDAP database

  • Copy DB_CONFIG.example into place as DB_CONFIG (the Berkeley DB settings for /var/lib/ldap) and hand it to the ldap user, then load the cosine, nis and inetorgperson schemas: nis supplies posixAccount/posixGroup and inetorgperson supplies inetOrgPerson (and depends on cosine), which the user and group entries will need
$ sudo cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
$ sudo chown ldap:ldap /var/lib/ldap/DB_CONFIG
$ sudo ls -al /var/lib/ldap/DB_CONFIG
$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

  • When writing base.ldif, separate each dn entry with exactly one blank line (LDIF uses the blank line as the record separator) and avoid trailing spaces, which are stored as part of the value
$ vi base.ldif
dn: dc=hadoop,dc=com
dc: hadoop
objectClass: top
objectClass: domain

dn: cn=ldapadm,dc=hadoop,dc=com
objectClass: organizationalRole
cn: ldapadm
description: LDAP Manager

dn: ou=user,dc=hadoop,dc=com
objectClass: organizationalUnit
ou: user

dn: ou=group,dc=hadoop,dc=com
objectClass: organizationalUnit
ou: group

  • Load base.ldif with ldapadd, binding as the root DN with simple authentication (-x); -W prompts for the password set in step 2
$ sudo ldapadd -x -W -D "cn=ldapadm,dc=hadoop,dc=com" -f base.ldif
Enter LDAP Password: 
adding new entry "cn=ldapadm,dc=hadoop,dc=com"
adding new entry "ou=user,dc=hadoop,dc=com"
adding new entry "ou=group,dc=hadoop,dc=com"
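The two LDIF rules that bite in this step, the blank line between records and values that must be base64-encoded, as an added example that is not part of the original post. It generates the post's base.ldif for any suffix and lints a hand-edited LDIF file for the mistakes that make ldapadd reject it or store something other than what you meant: records not separated by a blank line, trailing whitespace that silently becomes part of a value, and non-ASCII or leading-space values written without the `::` base64 form. The encoding rules are from RFC 2849; the suffix and entry layout follow the post; the function names and the sample entries are my own.

```python
"""Generate base.ldif and lint hand-written LDIF (standard library only).

LDIF (RFC 2849) separates records with one blank line, and a value that is
not a SAFE-STRING (starts with space, ':' or '<', or contains non-ASCII,
NUL, CR or LF) must be written as 'attr:: <base64 of the UTF-8 bytes>'.
"""
import base64
import re

# 'attr: value' or 'attr:: base64'; the space after the colon is optional FILL.
ATTR_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9.;-]*)(::?) ?(.*)$")


def needs_base64(value):
    """True when RFC 2849 requires the 'attr:: base64' form for this value."""
    if not value:
        return False
    if value[0] in " :<":
        return True
    return any(ord(ch) > 127 or ch in "\x00\r\n" for ch in value)


def format_entry(dn, attrs):
    """Render one record; attrs is a list of (name, value) pairs, order kept."""
    lines = []
    for name, value in [("dn", dn)] + list(attrs):
        if needs_base64(value):
            b64 = base64.b64encode(value.encode("utf-8")).decode("ascii")
            lines.append("%s:: %s" % (name, b64))
        else:
            lines.append("%s: %s" % (name, value))
    return "\n".join(lines) + "\n"


def build_ldif(entries):
    """Join records with exactly one blank line between them, as ldapadd expects."""
    return "\n".join(format_entry(dn, attrs) for dn, attrs in entries)


def base_ldif(dc, suffix):
    """The post's base.ldif (domain, ldapadm role, ou=user, ou=group) for any suffix."""
    return build_ldif([
        (suffix, [("dc", dc), ("objectClass", "top"), ("objectClass", "domain")]),
        ("cn=ldapadm," + suffix, [("objectClass", "organizationalRole"),
                                  ("cn", "ldapadm"),
                                  ("description", "LDAP Manager")]),
        ("ou=user," + suffix, [("objectClass", "organizationalUnit"), ("ou", "user")]),
        ("ou=group," + suffix, [("objectClass", "organizationalUnit"), ("ou", "group")]),
    ])


def parse_line(line):
    """Split 'attr: value' / 'attr:: base64' into (attr, decoded value)."""
    m = ATTR_LINE.match(line)
    if m is None:
        raise ValueError("malformed LDIF line: %r" % line)
    name, sep, raw = m.groups()
    if sep == "::":
        return name, base64.b64decode(raw).decode("utf-8")
    return name, raw


def lint_ldif(text):
    """Return [(line_no, message), ...]; an empty list means the file is clean."""
    problems = []
    in_record = False
    for no, line in enumerate(text.split("\n"), 1):
        if line == "":
            in_record = False            # the blank line closes the record
            continue
        if line != line.rstrip():
            problems.append((no, "trailing whitespace is stored as part of the value"))
        if line.startswith(" ") or line == "-" or line.startswith("#"):
            continue                     # folded continuation, modify separator, comment
        m = ATTR_LINE.match(line)
        if m is None:
            problems.append((no, "not an 'attr: value' line"))
            continue
        name, sep, raw = m.groups()
        if name.lower() == "version" and not in_record:
            continue                     # optional 'version: 1' header
        if not in_record:
            if name.lower() != "dn":
                problems.append((no, "record must start with 'dn:'"))
            in_record = True
        elif name.lower() == "dn":
            problems.append((no, "'dn:' with no blank line before it (missing record separator)"))
        if sep == ":" and needs_base64(raw):
            problems.append((no, "value is not a SAFE-STRING; write it as '%s:: <base64>'" % name))
    return problems


if __name__ == "__main__":
    ldif = base_ldif("hadoop", "dc=hadoop,dc=com")
    print(ldif)
    print("problems:", lint_ldif(ldif))
```

Run the linter over the file before ldapadd; a clean result does not prove the schema will accept the entries, but it removes the syntax errors that otherwise surface as a cryptic "ldif_parse_line" or "Invalid syntax" from ldapadd.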

 

5. Install phpLDAPadmin

  • phpldapadmin comes from EPEL, so install epel-release first and then the package. On CentOS 7 the signed epel-release package is also available from the distribution's own extras repository (sudo yum -y install epel-release), which is preferable to fetching the rpm over plain http as below
$ sudo rpm -ivh http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
$ sudo yum --enablerepo=epel -y install phpldapadmin

  • If installing epel-release with rpm fails, add the repository by hand. Note that the file below sets gpgcheck=0, which disables package signature verification; for anything other than a throwaway lab, import the EPEL key and switch to gpgcheck=1 with the gpgkey line uncommented
$ sudo yum remove epel-release.noarch
$ sudo vi /etc/yum.repos.d/epel.repo
[epel]
name=Extra Packages for Enterprise Linux 7 - $basearch
baseurl=http://download.fedoraproject.org/pub/epel/7/$basearch
#metalink=https://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=$basearch&infra=$infra&content=$contentdir
#failovermethod=priority
enabled=1
gpgcheck=0
#gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7

#[epel-debuginfo]
#name=Extra Packages for Enterprise Linux 7 - $basearch - Debug
#baseurl=http://download.fedoraproject.org/pub/epel/7/$basearch/debug
#metalink=https://mirrors.fedoraproject.org/metalink?repo=epel-debug-7&arch=$basearch&infra=$infra&content=$contentdir
#failovermethod=priority
#enabled=0
#gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
#gpgcheck=1

#[epel-source]
#name=Extra Packages for Enterprise Linux 7 - $basearch - Source
#baseurl=http://download.fedoraproject.org/pub/epel/7/SRPMS
#metalink=https://mirrors.fedoraproject.org/metalink?repo=epel-source-7&arch=$basearch&infra=$infra&content=$contentdir
#failovermethod=priority
#enabled=0
#gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
#gpgcheck=1

  • Edit /etc/phpldapadmin/config.php
$ sudo vi /etc/phpldapadmin/config.php
...(omitted)
/* A convenient name that will appear in the tree viewer and throughout
phpLDAPadmin to identify this LDAP server to users. */
$servers->setValue('server','name','Local LDAP Server'); <-- edit here
/* Examples:
'ldap.example.com',
'ldaps://ldap.example.com/',
'ldapi://%2fusr%local%2fvar%2frun%2fldapi'
(Unix socket at /usr/local/var/run/ldap) */
// $servers->setValue('server','host','127.0.0.1');
$servers->setValue('server','host','IP or hostname'); <-- edit here (keep 127.0.0.1 when httpd runs on the slapd host; a remote host over plain ldap:// sends every login password in cleartext, so use an ldaps:// URL there)
/* The port your LDAP server listens on (no quotes). 389 is standard. */
// $servers->setValue('server','port',389);
/* Array of base DNs of your LDAP server. Leave this blank to have phpLDAPadmin
auto-detect it for you. */
// $servers->setValue('server','base',array(''));
$servers->setValue('server','base',array('dc=hadoop,dc=com')); <-- edit here
...(omitted)
/* If you specified 'cookie' or 'session' as the auth_type above, you can
optionally specify here an attribute to use when logging in. If you enter
'uid' and login as 'dsmith', phpLDAPadmin will search for (uid=dsmith)
and log in as that user.
Leave blank or specify 'dn' to use full DN for logging in. Note also that if
your LDAP server requires you to login to perform searches, you can enter the
DN to use when searching in 'bind_id' and 'bind_pass' above. */
$servers->setValue('login','attr','dn'); <-- edit here: uncomment, so the login form takes a full DN
//$servers->setValue('login','attr','uid'); <-- edit here: comment out
...(omitted)

  • Edit /etc/httpd/conf.d/phpldapadmin.conf. The packaged file admits only localhost; the line added below opens the admin UI to every client that can reach httpd. Outside a lab, restrict it to the admin network with Require ip instead of Require all granted, and serve it over HTTPS, because the login form posts the LDAP root DN password
$ sudo vi /etc/httpd/conf.d/phpldapadmin.conf

#
# Web-based tool for managing LDAP servers
#
Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
Alias /ldapadmin /usr/share/phpldapadmin/htdocs
<Directory /usr/share/phpldapadmin/htdocs>
	<IfModule mod_authz_core.c>
	# Apache 2.4
	# Require local
	Require all granted <-- add here
	</IfModule>
	<IfModule !mod_authz_core.c>
	# Apache 2.2
	Order Deny,Allow
	Deny from all
	Allow from 127.0.0.1
	Allow from ::1
	</IfModule>
</Directory>

  • Restart httpd
$ sudo systemctl restart httpd

6. Open http://${install-server}/phpldapadmin/ in a browser and log in as the root DN

Login DN: cn=ldapadm,dc=hadoop,dc=com

Password: ${password}