7. 389 Directory Server のインストール
#-- rootdn、パスワード 等、必要な情報を変数に設定
# ROOT_DN="cn=manager"
# ROOT_PASSWORD=HogeHoge
# DOMAIN=sacloud.ma3ki.net
# BASE=$(echo ${DOMAIN} | sed -e 's/\(^\|\.\)/,dc=/g' -e 's/^,//')
# DC=$(echo ${DOMAIN} | awk -F\. '{print $1}')
# PEOPLE="ou=People,${BASE}"
# TERMED=$(echo ${PEOPLE} | sed 's/ou=People/ou=Termed/')
# WORKDIR=/root/mailserver/ldap
# mkdir -p ${WORKDIR}
#-- 389ds のインストール
# dnf -y module enable 389-ds
# dnf -y install 389-ds-base openldap-clients
#-- LDAPサーバの作成
# dscreate create-template ${WORKDIR}/389ds
# sed -ri "s/;(root_dn).*/\1=${ROOT_DN}/;s/;(root_password).*/\1=${ROOT_PASSWORD}/" ${WORKDIR}/389ds
# dscreate from-file ${WORKDIR}/389ds
#-- LDPAサーバの起動
# systemctl enable dirsrv@localhost.service
# systemctl start dirsrv@localhost
#-- LDAPサーバの設定変更(制限緩和)
# cat <<-_EOL_> ${WORKDIR}/config.ldif
dn: cn=config
changetype: modify
replace: nsslapd-allow-hashed-passwords
nsslapd-allow-hashed-passwords: on
changetype: modify
replace: nsslapd-sizelimit
nsslapd-sizelimit: -1
_EOL_
# ldapmodify -D ${ROOT_DN} -w ${ROOT_PASSWORD} -f ${WORKDIR}/config.ldif
# cat <<-_EOL_> ${WORKDIR}/limit.ldif
dn: cn=config,cn=ldbm database,cn=plugins,cn=config
changetype: modify
replace: nsslapd-lookthroughlimit
nsslapd-lookthroughlimit: -1
_EOL_
# ldapmodify -D ${ROOT_DN} -w ${ROOT_PASSWORD} -f ${WORKDIR}/limit.ldif
#-- ルートDNを作成
# dsconf localhost backend create --suffix ${BASE} --be-name userRoot1
#-- ドメインと adminアカウントの登録
# cat <<_EOL_>${WORKDIR}/${DOMAIN}.ldif
dn: ${BASE}
objectClass: dcObject
objectClass: organization
dc: ${DC}
o: ${DOMAIN}
dn: ${PEOPLE}
ou: People
objectclass: organizationalUnit
dn: ${TERMED}
ou: Termed
objectclass: organizationalUnit
dn: uid=admin,${PEOPLE}
objectClass: mailRecipient
objectClass: top
userPassword: ${ROOT_PASSWORD}
mailMessageStore: 127.0.0.1
mailHost: 127.0.0.1
mailAccessDomain: ${DOMAIN}
mailRoutingAddress: admin@${DOMAIN}
mailAlternateAddress: admin@${DOMAIN}
mailAlternateAddress: dmarc-report@${DOMAIN}
mailAlternateAddress: sts-report@${DOMAIN}
mailAlternateAddress: postmaster@${DOMAIN}
mailAlternateAddress: root@${DOMAIN}
mailAlternateAddress: abuse@${DOMAIN}
mailAlternateAddress: nobody@${DOMAIN}
mailAlternateAddress: archive@${DOMAIN}
_EOL_
# ldapadd -x -D "${ROOT_DN}" -w ${ROOT_PASSWORD} -f ${WORKDIR}/${DOMAIN}.ldif
#-- ドメインの acl を登録
# echo "dn: ${BASE}" > ${WORKDIR}/${DOMAIN}_acl.ldif
# cat <<-'_EOL_'>> ${WORKDIR}/${DOMAIN}_acl.ldif
changeType: modify
replace: aci
aci: (targetattr="UserPassword")(target!="ldap:///uid=*,ou=Termed,dc=*")(version 3.0; acl "1"; allow(write) userdn="ldap:///self";)
aci: (targetattr="*")(target!="ldap:///uid=*,ou=Termed,dc=*")(version 3.0; acl "5"; allow(read) userdn="ldap:///self";)
aci: (targetattr="UserPassword")(target!="ldap:///uid=*,ou=Termed,dc=*")(version 3.0; acl "2"; allow(compare) userdn="ldap:///anyone";)
aci: (targetattr!="UserPassword")(target!="ldap:///uid=*,ou=Termed,dc=*")(version 3.0; acl "3"; allow(search,read) userdn="ldap:///anyone";)
_EOL_
# ldapmodify -D ${ROOT_DN} -w ${ROOT_PASSWORD} -f ${WORKDIR}/${DOMAIN}_acl.ldif
#-- ldapsearch を実行して登録内容が表示できることを確認
# ldapsearch -x -LLL -b "${BASE}"
dn: dc=sacloud,dc=ma3ki,dc=net
objectClass: dcObject
objectClass: organization
objectClass: top
dc: sacloud
o: sacloud.ma3ki.net
dn: ou=People,dc=sacloud,dc=ma3ki,dc=net
ou: People
objectClass: organizationalUnit
objectClass: top
dn: ou=Termed,dc=sacloud,dc=ma3ki,dc=net
ou: Termed
objectClass: organizationalUnit
objectClass: top
dn: uid=admin,ou=People,dc=sacloud,dc=ma3ki,dc=net
objectClass: mailRecipient
objectClass: top
mailMessageStore: 127.0.0.1
mailHost: 127.0.0.1
mailAccessDomain: sacloud.ma3ki.net
mailRoutingAddress: admin@sacloud.ma3ki.net
mailAlternateAddress: admin@sacloud.ma3ki.net
mailAlternateAddress: dmarc-report@sacloud.ma3ki.net
mailAlternateAddress: sts-report@sacloud.ma3ki.net
mailAlternateAddress: postmaster@sacloud.ma3ki.net
mailAlternateAddress: root@sacloud.ma3ki.net
mailAlternateAddress: abuse@sacloud.ma3ki.net
mailAlternateAddress: nobody@sacloud.ma3ki.net
mailAlternateAddress: archive@sacloud.ma3ki.net
uid: admin
#-- rootdn で ldapsearchを実行してパスワードが表示できることを確認
# ldapsearch -x -LLL -b "${BASE}" -D "${ROOT_DN}" -w ${ROOT_PASSWORD} mailRoutingAddress=admin@sacloud.ma3ki.net userPassword
dn: uid=admin,ou=People,dc=sacloud,dc=ma3ki,dc=net
userPassword:: e1BCS0RGMl9TSEEyNTZ9QUFBSUFLZHF4NU5VY1kxWGZNc.............
次の投稿では dovecot をセットアップします。