LDAP Implementation HOWTO

Roel van Meer

Linvision BV <http://www.linvision.com>

   r.vanmeer@linvision.com
  

Giuseppe Lo Biondo

INFN MI <http://www.mi.infn.it>

   giuseppe.lobiondo@mi.infn.it
  

S - {|

   arms405@jade.dti.ne.jp
  

v0.5, 2001-03-30

Revision History
Revision 0.5    2001-03-30    Revised by: rvm
Cleanup, fixes, overview rewritten.
Revision 0.4    2001-02-01    Revised by: rvm
Added dns section.
Revision 0.3    2001-01-18    Revised by: rvm
Added MTA sections.
Revision 0.2    2000-11-12    Revised by: glb
Improved section on nss. Added sections about certificates and wrappers.

̓̕AvP[Ṽf[^ LDAP T[oɋL^ɂĂ
ZpIȑʂ܂Bœ_ƂȂ̂́AX̃AvP[V LDAP
ɑΉ邽߂̐ݒ@łB܂ALDAP f[^̂ɖ𗧂Av
P[VɂĂqׂĂ܂B



Table of Contents
1. Tv
   
    1.1. Ȃ HOWTO ̂H
    1.2. ɂĂ̂̂Ȃ̂H
    1.3. ɂāuł͂Ȃv̂H
    1.4. ӎ
    1.5. Disclaimer (Ɛӎ)
    1.6. Copyright and license (쌠Ɨp)
   
2. pam_ldap  nss_ldap g LDAP F
   
    2.1. \vf
       
        2.1.1. F؁\ PAM  pam_ldap.so
        2.1.2. Name Service Switch  nss_ldap.so
        2.1.3. Lightweight Directory Access Protocol
        2.1.4. Name Service Caching Daemon
        2.1.5. Secure Socket Layer
       
    2.2. F؃VXe̍\z
       
        2.2.1. T[o
           
            2.2.1.1. OpenLDAP ̃CXg[Ɛݒ
           
        2.2.2. NCAg
           
            2.2.2.1. PAM LDAP ̃CXg[Ɛݒ
            2.2.2.2. NSS LDAP ̃CXg[Ɛݒ
            2.2.2.3. NSCD ̐ݒ
            2.2.2.4. LDAP NCAg̐ݒt@C
           
    2.3. N
    2.4. AJEg̕ێǗ
    2.5. m̐
    2.6. t@C̃p[~bV
   
3. LDAP g Radius F
   
    3.1. FreeRadius  Radiusd ̐ݒ
    3.2. Radius F؂̃eXg
    3.3. Cisco IOS ̐ݒ
   
4. Samba
5. DNS
   
    5.1. NSS g
       
        5.1.1. ݒ
        5.1.2. XL[}
       
    5.2. bind g
       
        5.2.1. bind w̃pb`
        5.2.2. ldap2dns
        5.2.3. ispman
       
6. [gXt@G[WFg (MTA)
   
    6.1. Sendmail
       
        6.1.1. Sendmail ɂ LDAP T|[g
        6.1.2. VXe̔zu
        6.1.3. Sendmail ݒt@C
        6.1.4. XL[}
        6.1.5. Ȃ̂߂
       
    6.2. Postfix
       
        6.2.1. T|[g
        6.2.2. ݒ
        6.2.3. ݒ
       
    6.3. qmail
   
7. AhXubN
8. Netscape [~OANZX
9. LDAP ɂfW^ؖ̔s
   
    9.1. LDAP T[o̐ݒ
    9.2. ؖ̔s
    9.3. LDAP ΉNCAg
   
10. SSL/TLS ƁASSL/TLS  LDAP pbp
   
    10.1. SSL ̊ȒPȐ
    10.2. OpenLDAP  SSL/TLS T|[g
    10.3. stunnel g LDAP V2 T[o SSL/TLS 񋟂@
    10.4. stunnel g LDAP NCAg SSL 񋟂@
    10.5. stunnel g slurpd vP[V SSL 񋟂@
   
11. ZLeB֘A
12. LDAP XL[}
13. t@C̗
   
    13.1. XL[}t@C
    13.2. x[X LDIF ̗
   
14. {ɂ

1. Tv

1.1. Ȃ HOWTO ̂H

҂ LDAP ɂĕ׋n߂̂́AЂ[UAJEg̏W
Ǘ̕KvāÂ߂ LDAP gƎvƂłB
ȁA邢͒fГIȕɂ邱Ƃɂ͂ɋCt܂A
܂Ƃ߂̂ȂƂ܂BꂪAn߂Rł
B

ɁALDAP ͓ƂɍLg悤ɂȂĂ܂BŁAlX
LDAP ĝۂɁAǂ̃AvP[V LDAP ΉȂ̂ɂ
đŜ̊TvނƂłȂ֗Ǝv܂B͂̕
ƁAVXe̐ݒ𒍈Ӑ[Îɖ𗧂Ƃł傤BύX
@\ǉ悤Ƃ邽тɑSȂKv͂ȂȂ̂
B

͍̕ŏA̗p`Ԃɍ킹 LDAP ɂ͂ǂ
悢ƂAvWFNg̃[h}bvƂĎn܂܂B
ق Linvision <http://www.linvision.com> Ȁꍇɂ
Ďۂɂ͖ɗȂƂ܂Œ@^ĂꂽŁAP
郍[h}bvł͂ȂALDAP ΉAvP[V̋ZpIȊTւƕς
܂B



1.2. ɂĂ̂̂Ȃ̂H

ʓIȃT[rX̂قƂǂ PAM (Pluggable Authentication Modules) 
ʂĔF؂sȂ܂Bpam_ldap  nss_ldap g΁APAM ꂽ
vO LDAP o悤ɂȂ܂Bthe Linux-PAM
site <http://www.kernel.org/pub/linux/libs/pam/> ́APAM ɂĂ
ʓIȏɓ邱Ƃł܂B pam_ldap  nss_ldap Ɋւ
 padl software <http://www.padl.com> ̃TCgɂ܂B

Samba ́Ał͑ƂɂȂĂ܂B_ł̈ Samba
ɂ LDAP T|[g܂BHEAD  TNG u`ɂ͂܂A
Ԃ񌋍ꂽc[ɂł傤BȂ̂́ASamba Ń[
UƃpX[hĂƂƂłB PAM 𗘗pł
łAꂾłׂ͂Ă̔F؂ƃ[U̎󂯓nɏ\Ƃ͌
BȂȂ Samba ɂ LDAP ͖̎łA̐
̂łB҂̌o炷ƁAiK (2000 N 5 )  HEAD
͏\Ɉ肵Ă܂񂵁Axł̂ł͂܂B
ȂAV[X LDAP T|[gSɋ@\悤ɂȂ΁A
Samba ܂Ã[Uׂ LDAP 擾悤ݒł邱
ƂɂȂ܂B

ق LDAP f[^x[XɋL^ł̂ɂ DNS ܂Blbg[
Nɐڑ}VĂƁADNS t@CƂŕҏŴ͎
ۓIł͂ȂȂĂ܂B}VAJEg LDAP ɋL^Ă΁A
ӂ DNS Gg (ЂƂ͖Ô߁AɂЂƂ͋t̂
) 𓯎ɒǉ̂ȒPɂłĂ܂܂B͂܂AVXe
̊ȑf炵܂BقƂǂ̃VXeɂƂāAGg LDAP
f[^x[Xɓo^邱ƂK{ƂƂɂ͂ȂȂł傤A
͕֗ƍllBoĂ邱Ƃł傤B

Sendmail (ڍׂ sendmail.net <http://www.sendmail.net/> QƂ̂)
̓o[W 8.9  LDAP T|[gĂ܂B Postfix  qmail 
 LDAP ΉłB̃[zXgtH[obNzXĝ郁[
VXe\zƂɂ́A񂷂ׂĂӏɏW߂ċL^Ăƕ
łBӂ͓VXeƂɕʁXɓ͂Đݒ肷Kv
̂łA LDAP g΁A̕Kv͂܂B

LDAP ̓[~OANZXɂgpł܂BNetscape 4.5 ȍ~ł́Aub
N}[N̑̃[Uf[^ HTML ܂ LDAP T[oɋL^Ă
Ƃł܂Bɂă[ÚAOC Netscape gƂ
ȂǂłłAȑO֗̕Ȑݒeg킯łB

Microsoft  Office vO̓AhXubNC|[gł܂B
AActive Directory T[rXgāA[UjbNl[Ɉv
[AhXIɗp邱Ƃł܂BLDAP ΁AƓ
Ƃ Microsoft Exchange Server ₻ɗނ̂g킸 Linux
VXeōsȂƂł܂B



1.3. ɂāuł͂Ȃv̂H

܂_B{ł́Aۂ̐ݒ LDAP ̂̊ǗɂĂ͘b
悤ɂ悤ƎvĂ܂BɂĈĂ LDAP-HOWTO Ƃ
΂炵 LDP (the Linux Documentation Project) ɂ̂ł
B

ɁAAvP[V̂Ɋւ鎖́Aꂪ LDAP Ɗ֌WȂƂ
ɂ͈ȂłB

ŌłA҂͂قƂǂ̏ꍇɂāALDAP ĝǂ
ẴAhoCX͂ł܂B̎̌oȂ̂łBg߂ɂ
΂悢ɂẮA]݂Ȃ΋Ă܂B
Aׂǂ͒fłȂ̂łBʓI LDAP ̗p͈
͂񂠂܂BB



1.4. ӎ

܂A҂̌قłLinvision <http://www.linvision.com> ҂ɁA
Ζԓɂ̍̕Ƃ@^ĂꂽƂɊӂƎv
܂B

ɁAL̕XɂӂƎv܂Bނ͂̕ɉ炩̍v
Ă܂ (s) \ Giuseppe Lo Biondo.



1.5. Disclaimer (Ɛӎ)

This document is provided as is and should be considered as a work in
progress. Several sections are as yet unfinished, and probably a lot of
things that should be in here, aren't. I would greatly appreciate any
comments on this document, of whatever nature they may be.

    Note: Ql
   
    ͂̂̕łAݐis`̐ʕƎvĂ
    ق悢ł傤B͖̏͂łAׂƂɂ
    ͂̂̂Ȃ̂Ƃł傤B҂́A̕ւ̂
    Ȃӌɂ傢Ɋӂ܂Bꂪǂ̂悤Ȑ̂̂ł낤
    AłB
   
In any case, think before you go messing around with your system and
don't come to me if it breaks.

    Note: Ql
   
    ȂꍇɂĂÃVXe܂Ɏ̂́A悭
    lĂɂĂBɂĂȂĂ܂ĂA
    ҂̂Ƃɂ͗ȂłB
   


1.6. Copyright and license (쌠Ɨp)

Copyright (c) by Roel van Meer, Giuseppe Lo Biondo. This document may
be distributed only subject to the terms and conditions set forth in
the LDP License at the Linux Documentation Project <http://
www.linuxdoc.org/COPYRIGHT.html>.

    Note: Ql
   
    Copyright (c) by Roel van Meer, Giuseppe Lo Biondo. ̕ 
    Linux Documentation Project <http://www.linuxdoc.org/
    COPYRIGHT.html>  LDP License ɋLqĂɏ]Ă
    ݔzz邱Ƃł܂B
   


2. pam_ldap  nss_ldap g LDAP F

̏͂ LDAP  NIS ̑piƂă[UJEg̊ǗɎg@ɏœ_
킹܂B̃[UAJEg̃zXgɕUĎ
ĂƁAAJEgݒɕs邱Ƃ悭܂BLDAP g
΁AWF؃VXe\z邱Ƃɂăf[^̏dѐ
𑝂肷邱Ƃł܂B

_ł́A[ŨAJEgf[^⑼̏lbg[NoRŋ
邽߂ɍł悭gĂ Network Information Service (NIS)
łBLDAP ƓlɁANIS T[o passwd, shadow, groups,
services, hosts X̐ݒt@CۊǂĒu悤ɂT[rX
B NIS T[o NIS NCAg₢킹󂯂āA
񋟂܂B

LDAP  NIS Ɠ@\񋟂łAɊALDAP ̕DĂ_
܂Bȉ̂ƂłB

 E LDAP T[ȍ́AeՂɕ̗prɗpł܂B HOWTO
    ŊTĂ悤ɁALDAP f[^x[X̓[UGǵAd
    bAX֔zBAȂǂ̂悤ȑ̃AvP[VɎg
    ŁAf[^̏d▵邱Ƃł܂B
   
 E LDAP ͕GȃANZXRg[Xgf[^x[XɓKpł܂
    B̓f[^x[X̃Ggɑ΂p[~bV̓K؂Ȕ
    \ɂ܂B
   
 E Secure Socket Layer (SSL) ʂƂɂāALDAP T[oƃNCA
    g̊ԂɃZLAȓ]oHł܂B
   
 E slapd vP[V [1]  DNS round robin query (͖{
    ł͈܂) gāAό̏ቻT[rX邱Ƃł
    ܂ (󒍁FDNS round robin query ͑ό̏ቻɂȂȂ̂ł͂Ȃ
    AƂ񍐂Ē҂ɊmFƂAuŏ DNS T[oւ̐
    ۂꂽƂɑ̃T[oւ̐ڑs邩̓NCAg
    ˑvƂ̉񓚂𓾂܂)B
   
 E lbg[Ñ[UAJEgӏɏW߂ĂƂ́AЂƂ
    ̊Ǘꏊ炽̃zXg̃[UێǗ鏕ɂȂ܂
    (܂ALDAP T[oŃAJEg쐬э폜΁A̕ύX_
     LDAP NCAg犈pł悤ɂȂ̂ł)B
   
ŁAPluggable Authentication Module (PAM)  Name Service Switch
(NSS) eNmWVXe LDAP T[oǂ̂悤ɔF؂ƔF
̂߂Ɏg邩ɏœ_킹邱Ƃɂ܂B Linux Iy[eB
OVXeɌyłA̐̃Iy[eBOVXe
ɓKpłȂƂ킯ł͂܂B

Ŏグł͂P LDAP T[oAɃ[UAJE
gf[^₷`Ŋi[܂BUn*x NCAǵȀ
gĕW Un*x ̗Vł̔F؂ƃ\[Xɑ΂Fs܂B

NCAg^T[oʐMɂ́AZLAȌoHv܂BƂ̂
A[UAJEg̃f[^̂悤ɃNeBJȏ́Albg[N
ɓeȂ܂ܑMׂł͂ȂłB̃ZLAȌoH
Secure Socket Layer ɂĔ܂B

NCAgł̓LbV@\𐫔\̖肩KvƂ܂A
 Name Service Caching Daemon ɂĔ邱Ƃł܂B

̃VXe\ẑɎg\tgEFA (ق) ׂĂI[v\
[XłB



2.1. \vf

̐߂ł́AF؃VXe\z邽߂ɎgX̍\vfT
܂BevfȒPɐĂ܂B



2.1.1. F؁\ PAM  pam_ldap.so

Pluggable Authentication Module ́AW UNIX, RSA, DCE, LDAP Ƃ
X̔F؋Zp login, passwd, rlogin, su, ftp, ssh X̃VXeT[
rXƂ̓\ɂÃT[rXύXKv܂
B

ŏ Sun Solaris Ɏꂽ̂łA PAM  RedHat  Debian
܂ޑ Linux fBXgr[VŁAF؂̘gg݂̕WIȂ
ƂȂĂ܂Bɂċ API ʂāAF؂̗veNm
WL̓ ( PAM W[ƌĂ΂郉CuɂĎ
Ă܂) Ɋ蓖Ă܂B̊蓖Ă PAM ݒt@CōsȂ
܂B{Iɂ̃t@C̒ŁAeT[rXɗpF؋@\^
邱ƂɂȂ܂B

̏ꍇ́Apam_ldap.so LCuŎ pam_ldap W[
ɂāA[UƃO[v̔F؂ LDAP T[rXg悤ɂ܂
B

FؐݔKvƂT[rX͂ꂼA PAM ݒt@CʂāAق
Fؕg悤ɐݒł܂B͂܂APAM ݒt@Cg
āA[U\[Xւ̃ANZX𓾂邽߂ɖȂĂ͂ȂȂv
̈ꗗ\ƂłƂӖłB



2.1.2. Name Service Switch  nss_ldap.so

񃆁[UF؂ĂÃAvP[V̓[U
̃ANZXKvƂ܂B͓̏`Iɂ̓eLXgt@C (/etc/
passwd, /etc/shadow, /etc/group) ɓĂ܂Ãl[T[r
Xɂċ邱Ƃł܂B

Vl[T[rX (Ƃ LDAP) ɂÂ悤ȏ
擾̎́A (NIS  DNS ̂悤) C CuA܂͂̐Vl
[T[rXgAvP[V́Aǂł\ƂȂĂ
܂B

ɂĂAƂ́Aʂ̔ėpIȃl[T[rX API g
āAeeNmWɊÂŃT[rX𓾂郉CuQɂ
v邱ƂɂΔ܂B

GNU C Library  Name Service Switch ďL܂B
 Sun C library ɋNAʂ API ʂĎX̃l[T[rX
𓾂悤ɂ@łB

NSS ͋ʂ API Ɛݒt@C (/etc/nsswitch.conf) gp܂B
ݒt@CŁAT|[gf[^x[XɁÃT[rX񋟂
Cuw肵܂B

 NSS ɂăT|[gĂ [2] f[^x[X́\

 E aliases \[GCAXB
   
 E ethers \C[Tlbg̔ԍ̃f[^B
   
 E group \[ŨO[vB
   
 E hosts \zXg̖OƔԍ̃f[^B
   
 E netgroup \lbg[NŜ̃zXgƃ[ÜꗗB
   
 E network \lbg[NɊւ閼OƔԍ̃f[^B
   
 E protocols \lbg[ÑvgRB
   
 E passwd \[ŨpX[hB
   
 E rpc \ Remote Procedure Call Ɋւ閼OƔԍ̃f[^B
   
 E services \lbg[NT[rXB
   
 E shadow \[ŨVhEpX[hB
   
nss_ldap LCug΁ALDAP pďL̊蓖Ă
Ƃł܂BقƂ͏LׂĂ̊蓖Ăł̂ł
Ał shadow, passwd, group f[^x[X LDAP ɂ̂ݏœ_
킹邱Ƃɂ܂B



2.1.3. Lightweight Directory Access Protocol

̃AvP[Vł́A[UAJEgƃ[UO[vɊւ
NCAgɋ邽߂ LDAP gp܂B[UƃO[v
\킷̂ɗpWI objectclass  top, posixAccount,
shadowAccount, posixGroup łB

f[^x[X̃[U֘ÃGg͏ȂƂ [3] top, posixAccount,
shadowAccount  objectclass ɑĂȂĂ͂Ȃ܂BO[vG
g top  posixGroup  objectclass ɑĂȂĂ͂Ȃ܂B

񗘗p pam_ldap  nss_ldap ̎ objectclass QƂ邩
łB objectclass  RFC 2307 ɋLqĂ̂łB

    Note: ۂɂ́ALDAP  NSS ͂ŗᎦȂ objectclass F
    ܂B
   


2.1.4. Name Service Caching Daemon

Name Service Caching Daemon (NSCD) ̓l[T[rXɂ閼Ǒ
LbV邽߂ɎgA NSS ɂĒ񋟂T[rX̐\
ł܂B

NCAgeł鐫\𓾂邽߂ɁA passwd Gĝ߂ɑ
ȃLbVݒ肵ȂĂ͂Ȃ܂B



2.1.5. Secure Socket Layer

ڍׂɂĂ Section 10 QƂĂB

LDAP T[oƃNCAgCu (pam_ldap.so  nss_ldap.so) Ԃ̒
Mɂ SSL KvłBdvȃf[^AƂ΃pX[hGgȂǂ́A
NCAgƃT[oƂ̊ԂňÍĂKv邩łBSSL 
܂ANCAgT[o肷邱Ƃ\ɂ܂Aɂ
āAsmȏ񌹂F؏𓾂ƂƂ܂B

NCAgF (T[oNCAgʂ@\) ݂͌ pam_ldap
 nss_ldap W[̎ł̓T|[gĂ܂BƗLp
Ȃ̂ł傤ǂB



2.2. F؃VXe̍\z

̏͂ł́AO͂ɋLĂ\vfpF؃VXe\z邽
߂ɕKvȎ菇܂B

Figure 1. PAM ̔zu}

PAM ̎_猩AF؃VXee̊Ԃ̊֌W

Figure 2. NSS ̔zu}

NSS ̊ϓ_́AF؃VXe̊eԂ̊֌W

̔zu}́AŎɂ͂ƂĂGɌ邩܂B
ǂقƂǂ̗vf͂ł Linux ̃VXeɓĂ܂Ă܂B



2.2.1. T[o

T[oɂẮALDAP T[oCXg[Aݒ肳ĂȂ
Ă͂Ȃ܂BŎg LDAP T[o OpenLDAP ƂI[v\[X
 LDAP c[LbgŁALDAP T[o (slapd) ƃCuƃ[eBe
B܂ł܂B

_ OpenLDAP ɂ LDAP ̎ӂ܂B V2 ̎
(OpenLDAP 1.2.x)  V3 ̎ (OpenLDAP 2.0.x) łB

V3 ͖̎{̂ SSL @\񋟂܂AV2 ͒񋟂܂BƂ͂A
V2 ̃T[oɂ SSL bpĝ SSL @\ǉł܂ (Section
10 Q)B



2.2.1.1. OpenLDAP ̃CXg[Ɛݒ

LDAP ̃CXg[Ɛݒ̎菇́A LDAP-HOWTO Qlɂł܂B

slapd K؂ɐݒ肳ꂽAf[^x[X̏̂߂Ƀf[^
Kv܂BŁALDIF (LDAP Data Interchange Format) t@C
ȂĂ͂Ȃ܂B̓eLXgt@CŁAȉ̃R}hɂ
 LDAP f[^x[XɃC|[g܂B

# ldif2ldbm -i your_file.ldif

    Note: ldif2ldbm  OpenLDAP 1.2.x pbP[WŒ񋟂̂ŁA
    OpenLDAP 2.0.x ĝł ldapadd R}h (T[oN)
    gׂł (󒍁F2.0.x  ldif2ldbm ɑ̂ slapadd 
    wEnl炢܂BT[o~ slapadd -l
    your_file.ldifƂĊȒP炵ł)B
   
OpenLDAP 2.0.x (LDAPv3) ĝł΁AWI NIS XL[} /etc/
openldap/schema/nis.schema Ƃt@CɓĂ܂A
 slapd.conf  include fBNeBuɂăXL[}LɂĂ
B

ȉ LDIF t@C̍łȒPȗ܂BeGg͋sŕ
Ă܂B

# The suffix entry is named by dc=yourorg, so it must carry a dc attribute;
# dcObject/organization provide it (organizationalUnit would need an ou).
dn: dc=yourorg, dc=com
objectclass: top
objectclass: dcObject
objectclass: organization
dc: yourorg
o: yourorg

dn: ou=groups, dc=yourorg, dc=com
objectclass: top
objectclass: organizationalUnit
ou: groups

dn: ou=people, dc=yourorg, dc=com
objectclass: top
objectclass: organizationalUnit
ou: people

# The RDN value must be one of the entry's cn values.
dn: cn=Giuseppe Lo Biondo, ou=people, dc=yourorg, dc=com
cn: Giuseppe Lo Biondo
sn: Lo Biondo
objectclass: top
objectclass: person
objectclass: posixAccount
objectclass: shadowAccount
uid: giuseppe
userpassword: {crypt}$1$ss2ii(0$gbs*do&@=)eksd
uidnumber: 104
gidnumber: 100
gecos: Giuseppe Lo Biondo
loginShell: /bin/zsh
homeDirectory: /home/giuseppe
shadowLastChange: 10877
shadowMin: 0
shadowMax: 999999
shadowWarning: 7
shadowInactive: -1
shadowExpire: -1
shadowFlag: 0

dn: cn=mygroup, ou=groups, dc=yourorg, dc=com
objectclass: top
objectclass: posixGroup
cn: mygroup
gidnumber: 100
memberuid: giuseppe
memberuid: anotheruser

    Note: ߂s͎̍s^uXy[X (ꂩЂƂ) 
    n߂đ邱ƂoĂĂB͑ LDIF 
    t@CɂĂ͂܂܂B
   
ł͉gDgDƂāADN `܂B dc=yourorg,
dc=com ƂgDƂĒ`܂ẢɁAӂ̑gDTujb
g\ people  groups \܂܂Ă܂Bă[ÚApeople gD
jbgƁAgroups gDjbg̃O[v (̂A[UĂ
́B󒍁Fgiuseppe ̏ꍇ mygroup) Ƃɏ悤LqĂ܂
B

    Note: ̃f[^x[X LDIF ɕϊ֗ȃc[ PADL
    ɂĒ񋟂Ă܂Bftp://ftp.padl.com/pub/
    MigrationTools.tar.gz ƂAhXɂ܂B
   
LDIF t@ĆAT[o삵ĂȂƂɃC|[gȂĂ͂Ȃ
Bldif2ldbm R}h LDAP T[oʂɒڃf[^x[X\z
邩łB LDIF t@Cf[^x[XɃC|[g΁AT[o
Nł܂B

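As an added check for LDIF of the kind shown in this section (example code, not part of the HOWTO or of OpenLDAP), the following parses account and group entries and reports what would keep pam_ldap and nss_ldap from using them, applying the objectclass rules stated in section 2.1.3; the sample entries, including the password placeholder, are constructed.

```python
"""Check LDIF account/group entries for pam_ldap and nss_ldap (RFC 2307).
Added example, not part of the HOWTO; plain LDIF only (no base64 values).
The sample entries are constructed and one is deliberately broken."""
from typing import Dict, List

# MUST attributes of the RFC 2307 classes, compared case-insensitively.
REQUIRED = {"posixaccount": {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"},
            "shadowaccount": {"uid"}, "posixgroup": {"cn", "gidnumber"}}

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Join folded lines, split entries on blank lines, lowercase attribute names."""
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]           # LDIF continuation line
        else:
            logical.append(raw)
    entries, current = [], {}
    for line in logical + [""]:              # sentinel flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            current.setdefault(name.strip().lower(), []).append(value.strip())
    return entries


def classes_of(entry: Entry) -> set:
    return {c.lower() for c in entry.get("objectclass", [])}


def check_entry(entry: Entry) -> List[str]:
    dn, classes, problems = entry.get("dn", ["?"])[0], classes_of(entry), []
    # The RDN's attribute value must also be stored as an attribute of the entry.
    rdn_attr, _, rdn_val = dn.split(",")[0].partition("=")
    rdn_attr, rdn_val = rdn_attr.strip().lower(), rdn_val.strip().lower()
    if rdn_val not in [v.lower() for v in entry.get(rdn_attr, [])]:
        problems.append(f"{dn}: RDN value '{rdn_val}' is not a value of {rdn_attr}")
    for cls, needed in REQUIRED.items():
        if cls in classes:
            problems += [f"{dn}: objectclass {cls} requires {a}" for a in sorted(needed - set(entry))]
    # Section 2.1.3: an account entry carries top, posixAccount and shadowAccount.
    if "posixaccount" in classes and "shadowaccount" not in classes:
        problems.append(f"{dn}: account lacks shadowAccount")
    # nss_ldap serves userPassword to clients; an unprefixed value is cleartext.
    problems += [f"{dn}: userPassword without {{scheme}} prefix (cleartext)"
                 for v in entry.get("userpassword", []) if not v.startswith("{")]
    return problems


def check_ldif(text: str) -> List[str]:
    """Per-entry checks plus uidNumber uniqueness and primary-group resolution."""
    entries = parse_ldif(text)
    problems = [p for e in entries for p in check_entry(e)]
    group_gids = {g for e in entries if "posixgroup" in classes_of(e) for g in e.get("gidnumber", [])}
    seen: Dict[str, str] = {}
    for e in entries:
        if "posixaccount" not in classes_of(e):
            continue
        dn = e.get("dn", ["?"])[0]
        for uid in e.get("uidnumber", []):
            if uid in seen:
                problems.append(f"{dn}: uidNumber {uid} already used by {seen[uid]}")
            seen[uid] = dn
        problems += [f"{dn}: gidNumber {g} matches no posixGroup"
                     for g in e.get("gidnumber", []) if g not in group_gids]
    return problems


# Constructed sample: a valid group, a valid account, and a broken account.
SAMPLE_LDIF = """\
dn: cn=mygroup, ou=groups, dc=yourorg, dc=com
objectclass: top
objectclass: posixGroup
cn: mygroup
gidnumber: 100
memberuid: giuseppe

dn: uid=giuseppe, ou=people, dc=yourorg, dc=com
cn: Giuseppe Lo Biondo
objectclass: top
objectclass: posixAccount
objectclass: shadowAccount
uid: giuseppe
userpassword: {crypt}CONSTRUCTED-HASH
uidnumber: 104
gidnumber: 100
homeDirectory: /home/giuseppe

dn: uid=bob, ou=people, dc=yourorg, dc=com
cn: Bob Example
objectclass: top
objectclass: posixAccount
uid: bob
userpassword: hunter2
uidnumber: 104
gidnumber: 200
"""
```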


2.2.2. NCAg

NCAgɂ pam_ldap.so  nss_ldap.so K{ŁA
Netscape LDAP Library (Mozilla) găRpCĂȂĂ͂Ȃ
܂B̃Cu LDAPS (LDAP over SSL)  API v
邩łB̃Cu̓oCipbP[W Netscape One License
̂ƂɔzzĂAI[v\[Xł͂܂ (Ƃ͂pub
NhCł͂܂)B

̃pbP[WAƂ /usr/local/ldapsdk ƂfBNgɓW
JĂB

ɁANCAgCu͏ؖf[^x[XɃANZXłȂĂ
Ȃ܂B̃f[^x[Xɂ LDAP (stunnel) T[oؖƁÃT
[oؖ (uMpς <trusted>vƂ)  CA  CA ؖ
܂܂ĂȂ΂Ȃ܂B

ؖf[^x[X Netscape ̏̂̂łȂ΂Ȃ܂B pam_ldap
 nss_ldap RpC邽߂ɎgĂ Mozilla LDAP API 
Netscape ̏̏ؖf[^x[XgłB

̂悤ȏؖf[^x[Xɂ́ANetscape 񋟂Ă PKCS#11
pbP[Wɂ certutil Ƃ[eBeBĝ֗ł [4]
B

LDAP NCAg̎vȐݒt@C /etc/ldap.conf łB

 nss_ldap ĝł΁Aɂ pam_ldap ̎gp͕KvȂ̂
ƂƂoĂĂB

̂ pam_unix_auth W[g܂BȂȂ nss_ldap ͂
 getpw*  getsh* R[ LDAP QƂɊāA pam_unix_auth
̓[UF؂ɂ̃R[𗘗p邩łB (󒍁FɂāA
 Roel van Meer l̒ӂ܂Bނ͂̒ŁAPAM F
ɂ̂ݎg邱ƂƁA PAM  NSS Cuł͂ȂPAM Cu
𓾂邱ƂwEAuF؁vɂ pam_ldap W[KvAƂ
Ă܂BC͂Ȃ̂ŁAmȏ͌̍ŐVłɂ
ĂB)



2.2.2.1. PAM LDAP ̃CXg[Ɛݒ

pam_ldap RpCăCXg[ɂ́Aȉ̂悤ɂĂ
B

$ ./configure --with-ldap-lib=netscape4 --with-ldap-dir=/usr/local/ldapsdk
$ make
# make install

configure  --with-ldap-lib IvV́Aǂ LDAP Cug
ƂĂ邩w肵܂B

--with-ldap-dir IvV́Aǂ Netscape ldapsdk c[LbgC
Xg[Ă̂w肵܂B

ɂ /lib/security/pam_ldap.so.1 ƊeV{bNNC
Xg[܂B

PAM VF؃VXeɃANZXł悤ɁAK؂ɐݒ肳ȂĂ
܂BPAM ݒt@C /etc/pam.d ƂfBNgɔzu
AF؂T[rXɂĖtĂ܂B

ƂΈȉ login T[rX̂߂ PAM ݒt@C (login Ƃ
Õt@C) łB

#%PAM-1.0
auth     required   /lib/security/pam_securetty.so
auth     required   /lib/security/pam_nologin.so
auth     sufficient /lib/security/pam_ldap.so
auth     required   /lib/security/pam_unix_auth.so use_first_pass
account  sufficient /lib/security/pam_ldap.so
account  required   /lib/security/pam_unix_acct.so
password required   /lib/security/pam_cracklib.so
password sufficient /lib/security/pam_ldap.so
password required   /lib/security/pam_unix_passwd.so use_first_pass md5 shadow
session  required   /lib/security/pam_unix_session.so

PAM ŎgWI PAM ݒt@C pam_ldap ̃\[X pam_ldap-(o
[W)/pam.d ƂfBNg̒ɂ܂B

̕WIȃt@C /etc/pam.d fBNg̒ɃRs[ł܂B
ȂƂĂ܂ƁA炭ĂуOCłȂȂĂ
܂̂ŁȂ鎞͒Ӑ[sĂBVt@CC
Xg[O /etc/pam.d ̃obNAbvƂĂA𕜋A
錠̂VFJ܂܂ɂĂƂ߂܂B

    Note: ̃Tv pam.d fBNgɂ sshd Ƃt@C
    ܂B̂߁A쐬Ȃ΁Apam g ssh ă
    OCł܂ (OpenSSH  PAM gp܂)B
   


2.2.2.2. NSS LDAP ̃CXg[Ɛݒ

\[XWJĂAMakefile mFĂBقƂǂ̐ݒe
΂Ă͕ҏW̕Kv͂܂BƂ͂ASSL ĝł SSL
Ή LDAP Cu\Ƃ Netscape ̂́\NȂĂ͂
܂B

LDAP  SDK  /usr/local/ldapsdk ɂƂ΁ASSL Lɂ
́AMakefile CȂ΂Ȃ܂B̏CéA
Makefile.linux.mozilla  NSFLAGS TāARgɂȂĂ
-DSSL Lɂ邱ƂłB

 LIBS ̒`āÃt@CŎw肳Ă ldapssl Cu
ÃCXg[Ă̂ƓǂmFĂ
(ldap_nss.so  libldapssl40  libldapssl30 ̗ɃNăRpC
܂)B

̌ACuCXg[ł܂\

$ make -f Makefile.linux.mozilla
# make -f Makefile.linux.mozilla install
# ldconfig

ɂ /lib/libnss_ldap.so CXg[܂Bꂪ
nss_ldap CułB /etc/nsswitch.ldap  /etc/ldap.conf 
܂݂ĂȂꍇɂ́ATv̐ݒt@CƂăCXg[
܂B

CXg[A NSS ݒt@C /etc/nsswitch.conf ҏW
Ă͂Ȃ܂B LDAP ͂T[rXɗp邱Ƃł̂ł
A passwd, group, shadow ɂ̂ݎgp܂B̏ꍇAݒt@C
̖`Ɉȉ̂悤ȂƂĂׂłB

passwd: files ldap
group:  files ldap
shadow: files ldap

̐ݒ肾ƃGǵA܂VXet@CŒTāAlԂĂ
ȂȂ LDAP T[oɖ₢킹܂B

    Note: LDAP  DNS ₢킹̃obNGhƂĎgƂɂ͒ӂ
    ĂBDNS ̃T[õzXgłȂƁA[v
    ɓĂ܂̂łBȂȂ libldap ̂ gethostbyname() R
    [邩łB (nsswitch.ldap ̋Lq)
   


2.2.2.3. NSCD ̐ݒ

NSCD ͑ Linux fBXgr[Vɂ͍ŏĂ܂B
ĂȂĂ GNU C CũpbP[Wɂ܂B

NSCD ̐ݒt@C /etc/nscd.conf łBes͑ƒlA܂͑
LbVƒl̂ꂩw肵܂Bꂼ̃tB[h̓Xy[X
^uŋ؂܂BLbV hosts, passwd, groups ̂ꂩ
邱Ƃł܂ ( hosts LbV܂)B

enable-cache           passwd  yes
positive-time-to-live  passwd  600
negative-time-to-live  passwd  20
suggested-size         passwd  211
keep-hot-count         passwd  20
check-files            passwd  yes
enable-cache           group   yes
positive-time-to-live  group   3600
negative-time-to-live  group   60
suggested-size         group   211
keep-hot-count         group   20
check-files            group   yes

LDAP 瓾 passwd Gg NSCD vOLbVĂ܂
ƂSɖLĂĂB

͂܂ALDAP T[õ[UɎƂɂ NSCD Lb
V͗LȂ܂܂ƂƂłB̖́A check-files fBNeB
uɂĒʏ UNIX t@C𗘗pΔ܂B͑Ή
t@CύXꂽƂɂ̓LbV𖳌ɂ܂B̂悤Ȏdg
͈ʓIȂ͂Ȃ̂ɁA_ LDAP ɂ͓Kp܂BLDAP T[oƃL
bV̊Ԃ̕s@́Apasswd GgXVƂɎ
R}hłĎŃLbV𖳌ɂ邱ƂłB

# nscd --invalidate=TABLE

L TABLE ̂Ƃ passwd, groups, hosts ̂ꂩɂȂ܂B

pɂ́A邽 NSCD gȂ悤ɂĂB

Ɍ΁ANSS  NSCD ̎gp͑ʂ̃t@CfXNv^JĂ
܂܂B̂߁AVXe̎gt@CfXNv^ȒPɕs
Ă܂܂ (̓VXenO˂܂)B

Linux }V (J[l 2.2.x) ł́Â悤ɂăt@CfXNv^
̏𑝂₷Ƃł܂B

# echo 16384 > /proc/sys/fs/file-max

t@CfXNv^ĺAƂɂ̃VXe̍\Ɉ
܂B



2.2.2.4. LDAP NCAg̐ݒt@C

LDAP NCAg̐ݒt@Cł /etc/ldap.conf ́A LDAP N
CAgƓlApam_ldap  nss_ldap ǂ܂܂Bȉ́A
t@C̊ł͂ǂ̂悤ɂȂĂׂ̈łB

#                                                                            
# @(#)$Id: ldap.conf,v 2.18 2001/03/28 23:35:00 lukeh Exp $                  
#  LDAP NSS Cu LDAP PAM W[̂߂̐ݒt@CłB 
# PADL Software                                                              
# http://www.padl.com                                                        
#                                                                            
# ̃t@C host  base Ȃ΁ÂƂ                     
# _ldap._tcp.[defaultdomain]. Ƃ DNS RR ܂B                 
# [defaultdomain] ͎ʖɊ蓖ĂA                                   
# ڕW̃zXg̓T[oƂĎg邱ƂɂȂ܂B                         
#                                                                            
#  LDAP T[ołBLDAP g킸ɉłȂĂ͂Ȃ܂B        
host 192.111.111.111                                                         
#                                                                            
# x[X̎ʖłB                                                   
base dc=yourorg, dc=com                                                      
#                                                                            
# gp LDAP ̃o[WłB(ftHg 2 łA                   
# OpenLDAP 2.0.x  Netscape Directory Server gȂ 3 ɂĂ)   
# ldap_version 3                                                             
#                                                                            
# T[oɃoCh鎯ʖłB                                           
# w͔Cӂł \ w肵ȂΓoChłB                         
# binddn cn=manager,dc=padl,dc=com                                           
#                                                                            
# oCh鎑iؖłB                                                 
# w͔Cӂł \ w肵ȂΎiؖsvłB                       
#bindpw secret                                                               
#                                                                            
# |[głB                                                               
# w͔Cӂł \ w肵Ȃ 389 łB636  LDAPS płB           
port 636                                                                     
#                                                                            
# XR[vłB                                                         
#scope sub                                                                   
#scope one                                                                   
#scope base                                                                  
#                                                                            
# ȉ̃IvV nss_ldap L̂̂łB                               
#                                                                            
#  libc gnbṼASYłB                             
# w͔Cӂł \ w肵Ȃ des łB                                
#crypt md5                                                                   
#crypt sha                                                                   
#crypt des                                                                   
#                                                                            
# ȉ̃IvV pam_ldap L̂̂łB                               
#                                                                            
# uid=%s  AND tB^łB                                           
pam_filter objectclass=posixAccount                                          
#                                                                            
# [U ID ̑łB(ftHg uid)                                   
pam_login_attribute uid                                                      
#                                                                            
# pX[h|V[[g DSE Ō܂B                              
# (Netscape Directory Server ɗLł)                                     
# (󒍁F[g DSE ɂĂ Root Directory Server Specific Entry          
# ̂ƂƂ񍐂܂B҂͒m܂łB)              
#pam_lookup_policy yes                                                       
#                                                                            
# ̃O[ṽoł邱Ƃv܂B                               
#pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com                                 
#                                                                            
# O[vȏłB                                                 
pam_member_attribute memberuid                                               
# ev[gOC̑ƁAftHg̃ev[g[UłB         
# (ȑÕ[ŨGg̑ŏ㏑ł܂)                       
#pam_login_attribute userPrincipalName                                       
#pam_template_login_attribute uid                                            
#pam_template_login nobody                                                   
#                                                                            
# [JɃpX[hnbV܂B                                     
# University of Michigan  LDAP T[oɕKvƂ܂B                    
# ܂A UNIX-Crypt ̃nbV@\gpĂA                       
#  NT Synchronization () T[rXgpĂȂȂ              
# Netscape Directory Server ŗLłB                                     
pam_crypt local                                                              
#                                                                            
# SSL ̐ݒ                                                                 
ssl yes                                                                      
sslpath /usr/local/ssl/certs                                                 

    Note: ̃t@CǂނƂ̂X̃AvP[VƂ̖
    邽߂ɁAp[^ƒlƂ̊ԂɃ^ug킸AXy[XЂƂ
    g悤߂܂B
   
pam_groupdn fBNeBu LDAP T[oÃNCAg̔F؏
ǗĂꍇɁA[UF̂ꕔ̃NCAgɌ
肵Ƃɕ֗łB̃fBNeBu NIS  netgroups Ɠ@
\񋟂邱Ƃł̂łB

SSL ݒɊւfBNeBu̓pbP[WŕĂ܂񂪁A
SSL LɂALDAP T[oؖ CA ؖ܂ރt@Cǂ
i[Ă邩w肵܂B

cert7.db ƂO Netscape ؖf[^x[X sslpath Ō
܂B̃t@Cɂ̓T[oؖ (̃T[oؖȏł
) CA ؖƂ܂łȂ΂Ȃ܂B̃t@C𐶐
ɂ͂ӂ̕@\ Netscape PKCS#11 g Netscape ̃uEUg
\܂B

Netscape ̃uEUgꍇ́AT[o slapd  stunnel N
Ƃ Netscape Navigator  https://your.ldap.server:636/ Ƃ URL
ɐڑƁÃf[^x[Xɂ̃T[oؖ͂悤
܂B(ȏ̏ؖgȂ̂ł) l (CA 狟)
CA ؖf[^x[XɃ[hȂĂ͂Ȃ܂B܂ŗA
$HOME/.netscape/cert7.db sslpath ɃRs[ł܂BL̍Ƃ̍ہAf
tHg cert7.db Ԃ̃AJEgōsȂD܂ł
BȂȂ玩̏ؖf[^x[Xɂ͑̃T[oؖ邩ꂸ
A LDAP NCAgAMpς݂̔F؃T[oȂ̂Ƃ݂Ȃ
Ă܂łBT[oؖC|[gꂽuEU SSL
fobO邽߂Ɏg܂B̃uEU pam  nss ̃Cu
悤ɂӂ܂łB



2.3. N

T[oŁÂ悤ȃR}hɂāA slapd (LDAP f[vZX)
NȂĂ͂܂B

# slapd

 stunnel gȂALDAPS  636 Ԃ̃|[gŋNȂĂ͂
܂B̂悤ɂĂB

# /usr/local/sbin/stunnel -r ldap -d 636 -p /usr/local/ssl/certs/stunnel.pem

TLS (OpenSSL) tŃRpCꂽ OpenLDAP 2.0.x ĝł΁A
̃R}hŃT[oNł܂B

# slapd -h "ldap:/// ldaps:///"

NCAgŁANSCD 𑽂̃fBXgr[Vɂӂ܂܂Ă
NXNvgNł܂B

# /etc/rc.d/init.d/nscd start

PAM  NSS K؂ɐݒ肳Ă΁Aŏ\̂͂łB



2.4. AJEg̕ێǗ

܂ŗ_ŁALDAP NCAgc[găAJEg쐬ƕێ
Ǘł͂łB

cOȂėpIȃc[̂قƂǂ Un*x AJEg̊Ǘpɂ͂ł
܂BɌ@\悤Ɏv̂́A LDAP Browser/
Editor (http://www-unix.mcs.anl.gov/~gawor/ldap) A͐FXȏ
ŃpX[h̐ݒ肪łAT[oɐڑ邽߂ SSL gpł܂B



2.5. m̐

PƂ̃}X^T[oɂ (X[uT[ôȂ) NIS ̏ꍇƓlɁA
vP[V𗘗pȂ LDAP ͔F؋@\ɂƂāua single point of
failure (P@̏QVXeŜ̏QƂȂĂ܂_)vł
ƌ܂Bł LDAP vP[V邱Ƃ́AF؂Ƃ
ړÎ߂ɂ͈wdvƌ܂BOpenLDAP (slapd) ɂT[o̓v
P[V@\Ă܂B



2.6. t@C̃p[~bV

ȉ͔F؃VXeŎgt@CɓKpĂׂp[~bV
̈ꕔłB

-rw-r--r--  root.root /etc/ldap.conf
-rw-------  root.root /usr/local/etc/openldap/slapd.conf
-rwxr-xr-x  root.root /lib/security/pam_ldap.so.1
-rw-r--r--  root.root /lib/libnss_ldap-2.1.2.so
-rw-r--r--  root.root /usr/local/ssl/certs/cert7.db
-rw-------  root.root /usr/local/ssl/certs/stunnel.pem

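The following audit, added here as an example rather than taken from the HOWTO or from PADL, checks the client settings of section 2.2.2.4 against the permission list above and against the resolution caveat noted in section 2.2.2.2 (the LDAP server's name must be resolvable without LDAP). The file names and modes come from the list above; the sample configuration, the name ldap.yourorg.com and the bindpw value are constructed.

```python
"""Audit the pam_ldap/nss_ldap client side: /etc/ldap.conf, the NSS hosts
lookup order, and the file permissions listed in the HOWTO.

Added example, not part of the HOWTO.  Inputs are passed in as text and as a
{path: mode} mapping so it runs offline; the sample values are constructed
and intentionally misconfigured.
"""
import ipaddress
from typing import Dict, List

# Modes from the HOWTO's permission table; any wider mode bits are flagged.
EXPECTED_MODES = {
    "/etc/ldap.conf": 0o644,
    "/usr/local/etc/openldap/slapd.conf": 0o600,
    "/lib/security/pam_ldap.so.1": 0o755,
    "/lib/libnss_ldap-2.1.2.so": 0o644,
    "/usr/local/ssl/certs/cert7.db": 0o644,
    "/usr/local/ssl/certs/stunnel.pem": 0o600,
}


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """'keyword value' lines; comments and blanks skipped; keywords lowercased."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            conf[key.lower()] = value.strip()
    return conf


def hosts_sources(nsswitch_text: str) -> List[str]:
    """Lookup order of the 'hosts:' line of nsswitch.conf."""
    for line in nsswitch_text.splitlines():
        key, _, rest = line.partition(":")
        if key.strip() == "hosts":
            return rest.split()
    return []


def names_in_hosts_file(hosts_text: str) -> set:
    names = set()
    for line in hosts_text.splitlines():
        fields = line.split("#")[0].split()
        names.update(n.lower() for n in fields[1:])
    return names


def audit(ldap_conf: str, nsswitch: str, hosts_file: str, modes: Dict[str, int]) -> List[str]:
    conf, findings = parse_ldap_conf(ldap_conf), []
    ssl_on = conf.get("ssl", "no").lower() == "yes"
    if not ssl_on:
        findings.append("ldap.conf: ssl is not 'yes'; binds and shadow lookups cross the network unprotected")
    port = conf.get("port", "389")
    if ssl_on != (port == "636"):
        findings.append(f"ldap.conf: ssl {'yes' if ssl_on else 'no'} but port {port}; LDAPS belongs on 636")
    # bindpw in a group/world-readable file hands the bind credential to local users.
    if "bindpw" in conf and modes.get("/etc/ldap.conf", 0) & 0o044:
        findings.append("ldap.conf: bindpw is set but the file is readable by group/others")
    host = conf.get("host", "")
    if not host:
        findings.append("ldap.conf: no host directive")
    try:
        ipaddress.ip_address(host)
    except ValueError:  # not an address literal, so libldap must resolve it by name
        if host and "ldap" in hosts_sources(nsswitch) and host.lower() not in names_in_hosts_file(hosts_file):
            findings.append(f"ldap.conf: host {host} is not in /etc/hosts while NSS hosts uses ldap; "
                            "resolving it can recurse into LDAP")
    for path, expected in EXPECTED_MODES.items():
        actual = modes.get(path)
        if actual is not None and actual & ~expected & 0o777:
            findings.append(f"{path}: mode {actual & 0o777:04o} is wider than the expected {expected:04o}")
    return findings


# Constructed sample input.
SAMPLE_LDAP_CONF = """\
# constructed client configuration
host ldap.yourorg.com
base dc=yourorg, dc=com
bindpw CONSTRUCTED-SECRET
port 636
ssl no
pam_filter objectclass=posixAccount
"""
SAMPLE_NSSWITCH = "passwd: files ldap\ngroup: files ldap\nhosts: files ldap dns\n"
SAMPLE_HOSTS = "127.0.0.1 localhost\n192.0.2.10 fileserver.yourorg.com fileserver\n"
SAMPLE_MODES = {
    "/etc/ldap.conf": 0o644,
    "/usr/local/etc/openldap/slapd.conf": 0o600,
    "/usr/local/ssl/certs/stunnel.pem": 0o644,   # private key readable by all (constructed)
}
```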


3. LDAP g Radius F

Radius T[óARadius vgRT[o̊J݂ Un*x Iy[eBO
VXeŉ\Ƃf[łB͂ӂA_CAAbv[U
F؂уAJEgǗ̂߂Ɏg܂BT[o𗘗pɂ́A
T[oɘb邱ƂɂȂNCAgK؂ɐݒ肷Kv܂
BʏANCAg̓^[~iT[oA܂̓^[~iT[oG~
[gK؂ȃ\tg (PortSlave  radiusclient X) ̂ PC 
B [FreeRadius  FAQ ]

Radius ̓[UɂĂ̎Õf[^x[XĂ܂A
LDAP ɂ܂܂Ă̂ŁAg֗łI

t[EFA Radius T[o͊܂A LDAP ւ̃T|[g
̂ FreeRadius ƂT[o (http://www.freeradius.org) ܂
B͂܂JłƂ͂A LDAP W[͂܂삵Ă܂B



3.1. FreeRadius  Radiusd ̐ݒ

T[oCXg[ȂAݒt@CpĐݒ肵ȂĂ͂Ȃ
Bݒt@C /etc/raddb (܂ /usr/local/etc/raddb) ȉɔz
uĂ܂B

radiusd.conf ̓éAȉ̂悤ɕҏWĂB

[...]
# Uncomment this if you want to use ldap (Auth-Type = LDAP)
# Also uncomment it in the authenticate{} block below
        ldap {
                server   = ldap.yourorg.com
                #login    = "cn=admin,o=My Org,c=US"
                #password = mypass
                basedn   = "ou=users,dc=yourorg,dc=com"
                filter   = "(&(objectclass=posixAccount)(uid=%u))"
        }

[...]

# Authentication types, Auth-Type = System and PAM for now.
authenticate {
        pam
        unix
#       sql
#       sql2
# Uncomment this if you want to use ldap (Auth-Type = LDAP)
        ldap
}
[...]

܂Adictionary t@Cȉ̂悤ɕҏWĂB

[...]
#
#       Non-Protocol Integer Translations
#

VALUE           Auth-Type               Local                   0
VALUE           Auth-Type               System                  1
VALUE           Auth-Type               SecurID                 2
VALUE           Auth-Type               Crypt-Local             3
VALUE           Auth-Type               Reject                  4
VALUE           Auth-Type               ActivCard               4
VALUE           Auth-Type               LDAP                    5
[...]

 users t@C̃ftHg̔Fؕ̃Gĝ悤ɂĂ
B

[...]
DEFAULT         Auth-Type = LDAP
                Fall-Through = 1
[...]

ł LDAP T[o Un*x ̃AJEgǗ̂߂ɐݒ肵Ă΁A
ŏ\łB

LDAP T[oł́ARadius T[o posixAccount ̑ (
uid  userpassword) mɓǂނƂł悤ɂĂĂB



3.2. Radius F؂̃eXg

T[oeXg邽߂ɁÂ悤 radiusd fobO[hŋN
B

/usr/local/sbin/radiusd -X -A

ꂩ玟̂悤ȍ\ radtest g܂B

radtest username "password" radius.yourorg.com 1 testing123

ׂĂ܂΁AAccess-Accept pPbg Radius T[oM
͂łB

NCAg[h stunnel gāA Radius T[o LDAPS T[o
̐ڑ SSL 񋟂邱Ƃł܂B SSL ̏ڍׂɂĂ Section 10
QƂĂB

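To show what the radtest exchange above consists of, here is an added example (not from the HOWTO or from FreeRADIUS) that builds the Access-Request a client sends, recovers the hidden User-Password the way the server does, and verifies the Response Authenticator of an Access-Accept; the user name, password and request authenticator are constructed, and testing123 is the shared secret from the radtest line above.

```python
"""RADIUS Access-Request / Access-Accept construction and checking (RFC 2865).

Added example, not part of the HOWTO: what a radtest-style client sends to
radiusd and how the reply is authenticated.  User name, password and request
authenticator below are constructed; "testing123" is the HOWTO's example
shared secret.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_PORT = 1, 2, 5


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-octet multiple, XOR each block with
    MD5(secret + previous block), the first block keyed by the request
    authenticator.  The hiding is only as strong as the shared secret."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_user_password, as the server performs it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(packet: bytes) -> dict:
    """Return {type: value} for the attributes following the 20-byte header."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def build_access_request(ident, username, password, secret, nas_port=1, authenticator=None):
    """The packet radtest sends; the authenticator must be unpredictable."""
    auth = authenticator if authenticator is not None else os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, hide_user_password(password.encode(), secret, auth))
             + _attr(ATTR_NAS_PORT, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs


def _response_authenticator(code, ident, attrs, request_auth, secret):
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_access_accept(ident, request_auth, secret, attrs=b""):
    """What radiusd returns on success (code 2)."""
    auth = _response_authenticator(ACCESS_ACCEPT, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Reject a reply whose authenticator was not computed with our secret over
    our own request authenticator (a forged or replayed Access-Accept)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        return False
    expected = _response_authenticator(code, ident, packet[20:], request_auth, secret)
    return hmac.compare_digest(packet[4:20], expected)


def response_code(packet: bytes) -> int:
    return packet[0]
```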


3.3. Cisco IOS ̐ݒ

S邽߂ɁA Cisco IOS ̐ݒĂ܂BA
̗͂ HOWTO ̖ړIƂ͊OĂ܂̂ŁAȂ̗vɂ͓KĂ
Ȃ܂B

[...]
aaa new-model
aaa authentication login default radius enable
aaa authentication ppp default radius
aaa authorization network radius
[...]
radius-server host 192.168.10.1
radius-server timeout 10
radius-server key cisco
[...]

    Note: قƂǂׂĂ NAS  Radius  1645 Ԃ̃|[ggp܂
    BmF̂AK؂ɃT[oݒ肵ĂB
   


4. Samba

_ stable c[ Samba ɂ LDAP T|[g܂܂Ă܂B
HEAD  TNG u`ɂ͊܂܂Ă͂łÃu`
܂J̓rɂ܂Bł[XꂽƂɁA
Samba ̎ɂĂɏƂɂ܂B܂ł́AIgnacio Coupeau
ɂ邱̕ <http://www.unav.es/cti/ldap-smb/
ldap-smb-HEAD-howto.html> ĂƂł傤Bɂ͗u`
ł LDAP ̐ݒ@LqĂ܂B

Ƃɂ_ł́A܂ smbpasswd t@CgȂĂ͂Ȃ܂B
[UAJEg LDAP ̎擾͊ɉ\Ȃ̂łB( Samba
ł͂Ȃ nsswitch ɂčsȂĂ邽߂łB) Samba  LDAP T
|[g΁A smbpasswd t@C smbusers t@CɓĂ
 LDAP Ɋi[邱Ƃ\ɂȂ͂łB samba ̋L𓮓I
LDAP Œ`ł悤ɂȂ邩ǂɂĂ͕M҂͒m܂񂪁AԂ
s\낤ƎvĂ܂B



5. DNS

LDAP oRŐݒł DNS ɂ́Aӂ́u`v܂Bŏ̂
́A(܂) nss_ldap ADNS ̑ɎgƂ̂łB͂
܂A/etc/nsswitch.conf t@CɎNCAg LDAP 
 DNS Gg悤ɂȂƂƂłBӂ߂̕@
LDAP  bind  tinydns ̃obNGhƂĎgp邱ƂłBɊ
AĊĂvWFNg͊܂B͂̂قǐ
Ƃɂ܂B



5.1. Using NSS

NSS  (tI) zXgGgւ̃ANZXɎgĂƂɂ́Aue
vȃ}V (܂AmĂāA̐ݒ𐧌䂷邱Ƃł
}V) ̃T[rXĝƂƂɒӂĂB
̓Cglbgł́A낱ςzXgɂ͗Lp܂
񂪁ÃEFuT[õo[`zXgSEɌJɂ͎g
܂B܂ nslookup  /etc/hosts  LDAP oRȂ߁Aݒ肪
܂Ă邩ǂ̊mFɂ͎gȂƂƂoĂĂ
BɁAping ̂悤ɓ gethostbyname() ֐gĖO
Ă̂g悤ɂĂB



5.1.1. Configuration

Name Service Switch  LDAP ŖOɂ́A nss_ldap g悤
ݒ肵ȂĂ͂Ȃ܂B nss_ldap ̐ݒ@ Section 2 ɏĂ
܂Bł͐ɓĂ nss_ldap ̐ݒ肪̂ƂĘb𑱂
܂B NSS ɂ閼O /etc/nsswitch.conf  hosts s̓eŐ
䂳܂B܂ hosts sȂƂƂ́A܂܂BԂ 
files  dns GgƂďĂ邱Ƃł傤B ldap A
̂悤ɒǉ̂łB

hosts:          files, dns, ldap                                       

Ԃ悭lĎw肵ĂIǂ̂悤ȏꍇłŏ files u
悤Ă܂BꂩALDAP [J DNS T[oD悳
Ȃ΁ALDAP T[o IP m /etc/hosts t@C̒ɂ
ɂĂBȂƁAċAĂ܂܂B
肱ƂłBuzXgǁAt@Cɂ̓G
gȂ̂ŁA LDAP T[oɖ₢킹悤ƂBT[o IP
mȂ̂Ńt@CTĂ݂邪Aɂ͂Ȃ̂ LDAP T[o
Ƃccvv_߂܂ˁH̖́AzXĝ
IP ԍ LDAP T[oQƂ (܂ /etc/ldap.conf ̒ɏĂ
) ƂɂāASɉ邱Ƃł܂B



5.1.2. Schema

̃T[rX⓯l̃T[rXɎgXL[} RFC 2307 ɒ`
܂BIP ԍɃzXg蓖Ă邽߂̃Gg ipHost Ƃ
objectclass ɓ܂B蓖ẴzXg̕ cn ̒ɓ
A IP ̕ ipHostNumber ɓ܂BłAT^I LDIF 
Gg͂̂悤ɂȂ܂B

dn: cn=somehostname.mydomain.com,ou=Network,o=YourOrg,c=NL             
objectclass: top                                                       
objectclass: ipHost                                                    
cn: somehostname.mydomain.com                                          
ipHostNumber: 10.1.5.13                                                
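As an added example (not part of the HOWTO), the following Python generates RFC 2307 ipHost entries like the one above from hosts(5)-style lines, and also checks the caveat from 5.1.1: the LDAP server's own name must be resolvable from files alone, or the host lookup recurses. The base DN, the sample hosts lines and the addition of the structural class device are assumptions of this example.

```python
import ipaddress

# Constructed sample /etc/hosts content (not from the HOWTO)
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1    localhost
10.1.5.13    somehostname.mydomain.com somehostname
10.1.5.2     ldap.mydomain.com ldap
"""


def parse_hosts(hosts_text):
    """Yield (ip, [names]) for every data line of a hosts(5) file."""
    for raw in hosts_text.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        if not names:
            raise ValueError('hosts line without a name: %r' % raw)
        # ipaddress rejects malformed addresses instead of storing junk
        yield str(ipaddress.ip_address(addr)), names


def hosts_to_ldif(hosts_text, base='ou=Network,o=YourOrg,c=NL'):
    """Render one RFC 2307 ipHost entry per hosts line.

    The first name on the line becomes the RDN (what nss_ldap reports as
    the canonical name); the other names are extra cn values, i.e. aliases.
    'device' is added because RFC 2307 defines ipHost as an AUXILIARY class
    and OpenLDAP 2.x requires a structural class as well (an assumption of
    this example; the HOWTO's entry shows only top and ipHost).
    """
    records = []
    for ip, names in parse_hosts(hosts_text):
        for name in names:
            # hostnames never contain DN metacharacters; refuse rather than mis-escape
            if any(c in name for c in ',+"\\<>;='):
                raise ValueError('name needs DN escaping, refusing: %r' % name)
        lines = ['dn: cn=%s,%s' % (names[0], base),
                 'objectclass: top', 'objectclass: device', 'objectclass: ipHost']
        lines += ['cn: %s' % n for n in names]
        lines.append('ipHostNumber: %s' % ip)
        records.append('\n'.join(lines))
    return '\n\n'.join(records) + '\n'


def resolvable_from_files(hosts_text, hostname):
    """True if hostname resolves through 'files' alone, without an LDAP lookup."""
    return any(hostname.lower() in (n.lower() for n in names)
               for _ip, names in parse_hosts(hosts_text))
```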

Aӂ DNS ɕt鐧@\͂̃T[rXɂĂ͂܂
B



5.2. Using bind

ł bind  tinydns ɂ̉\͂܂Â
A҂̈ӌł (̂Ƃ) uقƂ́vł͂܂B
ȂA҂goȂƂƂĂȂĂ
Ȃ܂Bȉɗ񋓂܂B



5.2.1. Patches for bind

David Storey  bind ւ̃pb`̍ƂĂ܂B̃pb`́Af[^
𒼐 LDAP 擾悤ɂ̂łB bind f[ɗv
Ȃ邽т LDAP ŉ邱ƂӖ܂B_ł̔ނ̌v
(\[Xp) ́AuȂƂӂ̃[h\LbV[hƃ_C
i~bN[h\œ悤ɂ邱ƁvłBLbV[hł́A
 rbtdb ̂悤ɁA][܂邲ƃɃ[hē삵AT[o
HUP VOi󂯂ƃ[hȂ܂B_Ci~bN[hł͌
悭ĂāAׂĂ̗v LDAP ւ̎QƂƂȂ܂BŐV̓\[X
<ftp://ftp.eyeo.com/bind/> mFĂB



5.2.2. ldap2dns

EFuTCg܂邲ƈp܂B

uldap2dns  DNS R[h𒼐 LDAP fBNg쐬vO
łB́AZJ_l[T[õvC}T[oŒu
邽߂ɎgƂł܂Â߂ɎgׂłB ldap2dns ͂
ς킵ǗƂy鏕ɂȂ܂BPȃt@CҏW
Kv܂B][t@CҏWKv܂B ldap2dns CX
g[Ă܂΁AǗ҂͂ LDAP fBNgɃANZX邾
悢̂łB]ނȂAǗ҂̓][ƂɃANZXRg[
Ƃł܂BEFux[X GUI 쐬āADNS Ɋ邱ƂȂA
ނ̃][⃊\[XR[h̏ǉ邱Ƃł܂B
ldap2dns  tinydns Ɏgp data.cdb ƂoCit@C
o悤݌vĂ܂Anamed Ɏgp .db t@Co
ɂ邱Ƃł܂Bv

̃vWFNg̃z[y[W͂ <http://ldap2dns.tiscover.com/> 
B



5.2.3. ispman

ispman  Perl ŏꂽ ISP ǗpbP[WłB LDAP f[^x
[Xݒ̃obNGhɎg܂B̃pbP[W͔ɑ̂Ƃ
ł̂ŁAmɎ̕KvƂĂ̂mF悢
BAhX ispman.org <http://www.ispman.org> łB



6. Mail Transfer Agents (MTA)

̏͂ł́A݂̈قȂ MTA, ܂ Sendmail, Postfix, qmail ɂ
ďqׂ܂B LDAP o悤ɐݒł MTA łB
lIȌo炷 Postfix ̕ Sendmail ƊȒPɐݒ
܂AɂĂ͏A Sendmail ɂ LDAP T|[g
n̈ɒB邱ƂŕςĂ邩܂Bqmail ͎gƂ
܂B



6.1. Sendmail

6.1.1. LDAP support in Sendmail

Sendmail ɂ́Ao[W 8.8.x 肩 ldapx Ƃ}bv^Cvg
 LDAP T|[gĂ܂Bo[W 8.10 ȍ~ł LDAP
f[^x[X^Cv ldap ƂăT|[gĂ܂B LDAP }b
ṽT|[ǵARedHat ̃pbP[W̃ftHĝ܂܂̐ݒł͖ɂ
Ă̂ŁAӂB Debian ̃o[W 2.2 ȍ~ɂ
Sendmail  LDAP T|[g邻łBŃRpCKv
ꍇ́A Sendmail ̃\[X sendmail/README Ƃt@Cǂł
B̃t@Cɂ́ALDAP T|[gtŃRpC@ɂĂ
Lvȏ񂪊܂܂Ă܂B

V LDAP }bv^Cvɂ́AƂ LDAP f[^x[X̃Gg
\͂܂BAЂƂӂ܂B̊
ɌʂЂƂԂĂȂ̂łBʂƂĂAŏ̂
̂g܂BǍʂɕԂlĂŏ̒l
Ԃ̂łB LDIF t@C̗ɒڂĂ݂܂傤B

dn: cn=mailuser1,ou=mail,dc=company,dc=com                             
objectclass: top                                                       
objectclass: foo                                                       
cn: mailuser1                                                          
mail: mailuser1@company.com                                            
mail: info@company.com                                                 

 cn=mailuser1 ̂悤ȒPȌtB^ŎsƁA߂鑮
 mail ƂĂ mailuser1@company.com Ԃ܂B̌ʂ
ɂ́A͒PlɁAR}ŋ؂ꂽŊi[
ĂȂ΂ȂȂ̂łB̂悤ȂłB

mail: mailuser1@company.com,info@company.com                           

̘bɊ֘A܂ޓdq[bZ[WA LIH z[ <http:/
/devel.linvision.com/doc/lih/alias_issues> Ō邱Ƃł܂B



6.1.2. System layout

LDAP }bvpłƂɂ́AقƂǉł LDAP f[^x[X
To܂BŁAȉ̂悤ȍ\̐ݒȑfƎv܂B

K͂͑K͂̃lbg[N邱Ƃɂ܂傤B̃h
Ĉ߂Ƀ[M܂Bӂ̃[zXgƁAӂ̃tH
[obNzXgƂzułBꂾƒʏ́Aȉ̎Oނ̏i
[ꏊAlӏɂ܂łȂĂ܂܂B

 E ̃[zXg local-host-names t@C (`ɏ]
    sendmail.cw) KvƂ܂B́Aǂ̃hCւ̃[M
    邩ɂċL^Ă̂łBtH[obNzXg͓
    access t@CɕێĂ܂A͎M[ǂ̃hC
    ֒pׂꗗ邽߂Ɏg܂B
   
 E [zXgɂ͗Ƃ virtusers t@C܂B̃t@C
    ŕ̃AhX (邢̓hCS) PƂ̉z[U⃍[J
    [UɊ蓖Ă܂B
   
 E [zXg aliases t@C܂B̃t@Cŉz[
    U[AhX⃍[J[UɊ蓖Ă܂ ()B
   
񂪂ЂƂ̃f[^x[Xɂ܂Ƃ߂Ċi[Ă΁AezXg
̃f[^x[XݒǂݏoƂɂāAlbg[N̊g
ƊǗ₷サ܂BSf[^ nfs Ƀ}bvāAPƂ
zXgɎ悤Ȍ`člł傤B̂悤ȏꍇڑ
zXgɈႢ͂܂܂B[UɂƂĂ܂lɉf
܂B



6.1.3. The Sendmail configuration file

̏񂪂ǂ LDAP f[^x[XWt@C̑ɓǂݏo
邩𗝉ɂ́Asendmail.cf t@CɂĂ̔wiIȒm
KvłBň́Aӂ̈قȂ@Ŋi[Ă܂B
local-host-names t@ĆANXɓǂݍ܂܂ (mɂ̓NX w
łB̂䂦ɐ̂ cw ƂgqtĂ܂)B virtusers
t@C͒Pȃ}bvʂĎg܂Baliases t@C}bvł
A`@قȂ܂AŎĝŁA[ŎQƂ
ł͂܂B

 LDAP f[^x[XoƂɂ͕K}bvŊ
Blocal-host-names t@CɊi[ׂɂƂẮA̓_
ƂȂ܂B̃t@C̏̓NXɎg邩łB҂
܂ł̂ƂA}bv̏ŃNX𖞂߂܂
BȒPɂłȂ̂łAǂs\Ȃ悤ł (ԈႢ
Aǂm点)B̂ߐV}bv`ȂĂ͂Ȃ܂
łBSendmail ̐ݒŁA w NX̒lǂނƂ (ق) A
̃}bvl悤ȃ[ǉ̂łB

}bvɂẮAݒύXȒPłBʏA}bv͖OƁAf[^x[
X^CvƁAef[^x[XL̃IvV (ႦΒʏg newdb f
[^x[X^Cvł̃t@C̈ʒuȂ) ƂŒ`Ă܂BŃ}
bvɂẮA`ύX邾ŏ\łBقAł܂B
āALDAP }bvɂ͂Ɋ̃IvVÂ̂
OɃO[o`Ă܂B̃IvṼ͎XgŐ
Ă܂ (̃XǵA啔 Booker Bense ̕ɂ܂)B

LDAP-specific map options in sendmail.cf

-h
   
    Xy[X؂ LDAP T[õzXg`܂B̏ԂŖ₢
    킹sȂĂAʂo炻ŏI܂BO[oɐ
    ł܂B
   
-b
   
    LDAP x[X`܂B܂A LDAP fBNg
    ̂łBO[oɐݒł܂B
   
-k
   
    LDAP tB^`܂B́usprintfv`̕ŁA}
    bv͒lǂ̂悤Ɏ󂯎 LDAP \ẑ`
    Bl %s ŒuAʓI LDAP tB^̌`
    Ƃ܂BLDAP tB^ɂĂɊwт́A RFC 2254
    <http://www.cis.ohio-state.edu/htbin/rfc/rfc2254.html> 
    BƂŁǍtB^ƏĽx[XƂł́Aőł
    Ƃ̃GgԂȂ悤Ȍ`ׂłB LDAP }bv
    ́A󂯎ŏ̃Gg𗘗p̂łB
   
-v
   
    ǂ LDAP ̒l}bvŕԂ邱ƂɂȂ̂`܂
    Bڍׂ͌q܂B
   
LDAP IvVׂ͂ă_uNH[gA Sendmail IvV̒ɒu
Ȃ΂Ȃ܂BӂB܂B

Kldapexamplemap ldap -h"localhost ldap.myorg.com" -b"ou=mail,dc=myorg,dc=com" -k"(&(objectclass=mailstuff)(uid=%s))" -v"mailaddress"



6.1.4. Schema

҂́A̓ʂȐݒ̂߂ɁAmail ƂTuc[ LDAP fBNg
Œ`Ă܂B̉Ƀ[֘Âi[邽߂
B[U֘Ã[ ou=Users ̃Tuc[ɓĂƂ
\ł傤A͂킴Ɣ܂Be[UƕʂɒP̃Tuc
[gASendmail ̂߂̏񂪂ׂĈӏɊi[̂ŁA
̃[UƂ̌Ȃ̂łBȂȂAKv
̂ ou=Users Tuc[Ŝł͂ȂAou=mail łB

̃Tuc[ɓނ̃R[h܂B

 1. virtuser t@C aliases t@CɗRAz[UЂƂ
    Ƃ̊蓖ĂێGgłBt@C̊蓖Ă
    GgɊi[邱Ƃɂ܂BɂāApĂݒ
    ʂmɂȂ邩łBɂ́Ainetmailrecipient Ƃ
    objectclass ƁA mailid, mailacceptinggeneralid, maildrop Ƃ
    ̑`܂B
   
    inetmailrecipient
       
        ̊ḰÃGgA܂͕̎[AhX
        [hCAl܂͕l̎[Uւ̃}bsO
        邱Ƃ܂B
       
    mailid
       
        ̉z[UM郁[AhXLq܂B 
        foo@myorg.com ̂悤ɕʂ̃AhX̌`ł\łA 
        @my2nd.org ̂悤ɃhCƂłvłB͕̑
        ݂ł܂Ai[l͂ꂼЂƂłȂ΂Ȃ܂
        B ID ꂼɑ΂āA[ 
        mailacceptinggeneralid ɑ܂B
       
        ɂ́A܂ virtusers t@C̍ɂf[^
        ƂɂȂ킯łB
       
    mailacceptinggeneralid
       
        z[U`܂B́Aꂪ virtusers t@C
        aliases t@CƂ̌qڂłB̑eGgɂЂƂ
        ݂ĂȂĂ͂Ȃ܂񂪁A葽Ă܂B
        lЂƂ܂Blɂ̓[J[U
        z[U邱Ƃł܂B҂̏ꍇ maildrop 
        ݂ȂĂ͂Ȃ܂BO҂ɂ͕Kv܂B
       
        ɂ́A܂ virtusers t@Cɂ aliases t
        @C̍ɂ邱ƂɂȂ킯łB
       
    maildrop
       
        M[̔zMƂȂAhX⃆[U`܂B
        ͂ЂƂ݂ł܂񂪁AR}؂̃Xg
        ܂B mailacceptinggeneralid ̒lz[UȂȂ
        ͕K{łB݂郆[UȂȗł܂B
       
        ܂Aɂ aliases t@C̉E̕Ƃ
        łB
       
    ʓIɁAmailid  mailacceptinggeneralid ƂꏏɂȂ
    virtusers t@C̋@\񋟂ƌ܂B 
    mailacceptinggeneralid  maildrop Ƃ aliases t@C̋@\
    ̂łB
   
 2. ʏ sendmail.cw t@C access t@CɂhCێ
    Ggł (܂)B̃Gĝ߂ 
    inetmaildomain Ƃ objectclass  maildomain, sendmailislocalkey
    , sendmailaccesskey Ƃ`܂B
   
    inetmaildomain
       
        VXeɑ郁[hC̈ꗗłAA[Jɔz
        ׂzXgɓ]ׂ̈ꗗłGg\K
        łB
       
    maildomain
       
        [hC`܂BЂƂ̃Ggɕ݂ł܂
        Bĺu@v}[NȂ̃hCɂȂ܂B
       
        ̑́Alocal-host-names t@C̃hC̃Gg
        ɁAЂƂ݂ĂׂłB
       
    sendmailislocalkey
       
        hC[Jǂ邽߂ Sendmail ̃[
        ŎgAVvȍt (L[) `܂B Sendmail [
        ̒ŎgƐmɈvĂȂĂ͂ȂȂƂ
        ΁A{ɉł\܂B҂͂Ƃ肠 <LDAPLOCAL>
        gĂ܂BK{ŁAeGgɕ݂͑ł܂B
       
    sendmailaccesskey
       
        Sendmail ̃[ŎgL[̂Ag`܂B
        ̃L[ŁÃhCōsׂ肵܂B RELAY, OK, 
        REJECT, DISCARD ƃG[\g܂B(ڂ Sendmail ̃\
        [X cf/README t@CQƂĂB)
       
        Note: ӂB͓ʂȐݒƂāAaccess t@C
        ̓hC܂邲Ƃ̃GggȂƂɂ܂B
        ܂Amaildomain  access t@C̏ɂ 
        local-host-names ̏ɂg񂹂͍̂̂悤ȏꍇ
        ƂƂłBANZXXgƍׂ䂵Ȃ΁A
        ꏏ maildomain ɂĂ܂킸ɁAꂼʂ̃Gg
        gׂłB
       


6.1.5. Further reading

LpƎv񌹂Љ܂B

 E Booker Bense  <http://www.stanford.edu/~bbense/ldap/
    Inst.html> Ă܂BSendmail 8.9.3 ł LDAP ̎gp@
    ւ̂łB Sendmail  LDAP ̎gwKۂ̏on_
    ͌ĂȂAƖ{l͌Ă܂A҂ɂƂẮAւ
    ɂȂ܂B
   
 E LDAP  Sendmail ɊւVL <http://ldapman.org/articles/
    index.html>  sendmail.net <http://www.sendmail.net> ŌJ
    Ă܂B҂ Michael Donnelly ŁA ldapmap.org <http://
    /www.ldapmap.org> ƂA܂[ʓI LDAP ֘A
    ڂ̃TCgn܂܂B
   


6.2. Postfix

6.2.1. Support

Postfix ł́A{̂ɍŏ LDAP T|[gĂ܂BIvV
ݒ肷}bv̂̎ނ̂ȂɁALDAP ̂łBe
LDAP }bvɂAIvVAO܂B (Section 6.2.2 QƂ
ĂB)

Postfix  LDAP f[^x[X̃f[^邽߂̎菇́Aɂ߂
킩₷ȂĂ܂BłʓIȎg (ƒ҂v) ́A
z[U LDAP f[^x[XQƂ邱ƂłBOq
nss_ldap ƂƂɎg΁AׂĂ̓dq[p҂̏ LDAP f[^x
[XɓĂ܂BAݒł鍀ڂ͑ɂ܂BႦ
Postfix []łhCAt Postfix ]v󂯕t
hCA܂obNAbvT[oƂē삷ׂhCłB



6.2.2. Configuration

ݒIvVɊւׂ͂āAo[W 20001217 ɂ
Postfix docs  LDAP_README pĂ܂B

server_host
   
    LDAP T[o𓮂ĂzXg̖OłBݒ܂B
   
    ldapsource_server_host = ldap.your.com                      
   
    OqSẴCuŁÃT[oXy[Xŋ؂Ďw肷
    邱Ƃł܂Bŏ̂̂sƁACu͂
    s܂Buldap.your.com:1444vƂ悤ɏāAeT[oɂ
    ꂼقȂ|[gnƂł܂B
   
server_port (389)
   
    LDAP T[ov󂯕t|[głBႦ΂Ȃ܂B
   
    ldapsource_server_port = 778                                
   
search_base (lȂ\ݒ肪Kvł)
   
    ŏʃfBNgłBႦ΂łB
   
    ldapsource_search_base = dc=your, dc=com                    
   
timeout (10 b)
   
    ʂ߂܂ł̕błBႦ΂w肵܂B
   
    ldapsource_timeout = 5                                      
   
query_filter (mailacceptinggeneralid=%s)
   
    fBNgɎgARFC2254 tB^łB Postfix 
    ƂAhX̂ƂɁA %s ܂B͎̂Ƃ
    B
   
    ldapsource_query_filter = (&(mail=%s)(paid_up=true))        
   
domain (lȂ\ݒ肪Kvł)
   
    hCAt@Cւ̃pXAю̈ꗗłBw肳Ă
    ƁA̒ɂhCŖOIzXg܂B
    ɂ LDAP T[oւ̖₢킹ׂIɌył܂B
   
    ldapsource_domain = postfix.org, hash:/etc/postfix/searchdomains
   
result_attribute (maildrop)
   
    ɂĕԂfBNgGg烁[AhX̂
    ߂ɓǂݍޑł ()B
   
    ldapsource_result_attribute = mailbox,maildrop              
   
special_result_attribute (lȂ)
   
    GĝADN  URL ܂ł鑮ł ()Bw肳
    ĂƁA̒lgčċAIɏĂ܂B
   
    ldapsource_special_result_attribute = member                
   
scope (sub)
   
    LDAP XR[v\ sub, base, one ̂ꂩ\łBꂼ
    LDAP_SCOPE_SUBTREE, LDAP_SCOPE_BASE, LDAP_SCOPE_ONELEVEL ɕϊ
    ܂B
   
bind (yes)
   
    LDAP T[oɃoCh邩ǂ̎włB LDAP ̍ŋ߂̎ł
    oChKvƂAԂߖł܂Bݒ͎̂ƂB
   
    ldapsource_bind = no                                        
   
    oChKvȂA[J}Ṽ|[g LDAP T[o
     SSL glɂāAɐڑ悢܂B
    LDAP T[o SSL T|[gĂȂ΁AT[õVXeɂ
    glݒu܂ (bpłvNVłAĂѕ͂D݂)B
    ŁApX[hlbg[Nی̂܂ܒʉ߂ȂȂ܂B
   
bind_dn ("")
   
    oChKvƂA̎ʖŃoCh܂BႦ΂
    łB
   
    ldapsource_bind_dn = uid=postfix, dc=your, dc=com           
   
bind_pw ("")
   
    ̎ʖ̃pX[hłBgKv̂Ƃ͂ƁA
    main.cf  Postfix [U炵Ȃ悤ɂƎv͂ł
    Bݒ͂Ȃ܂B
   
    ldapsource_bind_pw = postfixpw                              
   
cache (no)
   
    LDAP ڑɃNCAgTChLbVgǂłB
    ldap_enable_cache(3) QƂĂB̓ftHgł̓It
    ȂĂ܂B
   
cache_expiry (30 b)
   
    NCAgTChLbVLȂƂAŎw肵b̌
    Aʂ̃LbVj܂B
   
cache_size (32768 oCg)
   
    NCAg̃LbVLȂÃoCgłB
   
dereference (0)
   
    ǂƂ LDAP GCAXH邩̎włB (Postfix ̃GC
    AXƂ͊֌W܂̂ŒӂĂB) OpenLDAP  UM LDAP
    ̎ŗLȒl͈ȉ̒ʂłB
   
    0 ؂Ȃ                                    
    1                                         
    2 ̂߂Ƀx[XIuWFNg̈ʒuTƂ
    3 ɂ                                      
   


6.2.3. Example configuration

o[`hC (foo.virtualdomain.com Ƃ܂) gƂA
ẴhC̃[AhX LDAP Ɋi[Ƃɂ́A main.cf
Ɉȉ̂悤ɏKv܂B

virtual_maps = ldap:ldapvirtual                                        
ldapvirtual_search_base = ou=mail,o=YourOrg,c=nl                       
ldapvirtual_query_filter = (mailacceptinggeneralid=%s)                 
ldapvirtual_domain = foo.virtualdomain.com                             
ldapvirtual_result_attribute = maildrop                                
ldapvirtual_bind = no                                                  
ldapvirtual_scope = one                                                

̐ݒł́APostfix ufoo.virtualdomain.comvhC̃[Uւ̃
[MƁA mailacceptinggeneralid Ƃu
user@foo.virtualdomain.comvɍvGgT܂B̂悤ȃG
g΁Amaildrop ̒lׂĕԂĂ܂BɃ[z
̂łBuuser@foo.virtualdomain.comvȂ΁AhC
ŜЂ߂[Uɍv悤ɁAu@foo.virtualdomain.comv
ʂ̖₢킹܂BȂƂ́AbZ[W (oE
X) ܂B



6.3. qmail

qmail ̂ɂ͂܂ LDAP T|[g܂BȂ Andre
Oppermann  LDAP T|[g̃pb`܂B̃pbP[ẂA
܂߂Ĕނ̃TCg <http://www.nrg4u.com> ɂ܂B



7. Address books

Linux T[o LDAP f[^x[X̔ɕ֗ȓƂāAgDɓ
lbg[NΊO̘AׂĈӏɏW߂ĂƂ̂
܂BO[vA邢͕ɕ邱Ƃł܂B͂]
ƈЂƂЂƂɕʁX̃AhXubNnKv͂Ȃ̂łB́A
LDAP gȂ Microsoft Exchange Server  Lotus Domino, ܂
Active Directory [5] łł邱Ƃł (󒍁FExchange X̃fBN
gT[rX LDAP gĂƎv܂)B 

Microsoft ́uAhXvƂɈˑvOA܂ Microsoft
Outlook  Microsoft Outlook Express, ܂ Microsoft Outlook 2000 Ƃ
̂gԂɂ́ALDAP ̊{ݒςKv͂܂BƂ͂
AKv̂̂ӂ܂B

ɁAAhX֘Af[^L^邽߂̃fBNgc[쐬
ȂĂ͂Ȃ܂BSection 12 ɁAǂȃGg̃c[Ɏg
̂Ă܂B

ɁA[Jlbg[N̂zXg̃c[̓ǂݍ݌
mɎĂ悤ɂȂĂ͂Ȃ܂B Section 11 ň
邱ƂɂȂ܂B

Microsoft ̓dq[̃vOׂ͂ LDAP fBNgT[rX
g܂BlȂuAhXvgĂBdq[
̐VKbZ[WƂ͖OɓKȓdq[AhXŕt
܂B cn, sn, givenname  mail ̃tB[h
sȂ܂BMicrosoft ̓dq[vO LDAP T[õAh
XubNƂĎgdq[AhX̌pɐݒ肵Ƃɂ
Aȉ̂ƂKv܂B

 1. D݂̓dq[vONăAhXJĂB
    ́ÃvOuc[AhXvI΂ł܂
    B邢̓X^[gj[uX^[gvOANZT
    AhXvIłB
   
 2. uc[AJEgvNbNăC^[lbgAJEg̃EB
    hEJ܂B
   
 3. uǉv(󒍁FɁufBNgT[rXvIԂ炵ł) N
    bNĂBƃC^[lbgڑEBU[h̃EBhE
    oĂ܂A LDAP T[o IP AhXzXg
    āuցvNbN܂B
   
 4. ̃EBhEł́Au͂vƓāÃfBNgg
    ăAhX`FbN̂ƂƂm肵ĂB
    ́AȂȂuvƓĂBł́uցvƁu
    vNbNĂB
   
 5. ƃC^[lbgAJEgEBhEɖ߂܂BVǉ
    AJEgIāuvpeBvNbNĂB
   
 6. vpeBEBhÉuڍאݒv^uNbNĂB
   
 7. ux[XṽtB[hɁAAhXL^Tuc[̍ŏ
    ʂ̃Gg͂܂BƂĂ ou=Addressbook,dc=yourorg,dc=
    com Ƃ悤ɂȂ܂B (󒍁FWindows AhXŊmFƂ
    ł́Aɉ͂Ȃ c=JP w肵ƂɂȂ܂ (US 
     c=US ƂȂ邩͖mF)Bx[X{ɋɂꍇɂ
    NULL Ɠ͂Kv܂B)
   
 8. uOKvăEBhEAuvNbNăC^[l
    bgAJEgEBhE܂BƃAhXubÑCE
    BhEɖ߂Ă͂łB
   
ŁAuTo:ṽtB[hɖOĂƁA (󒍁FM
OmF) dq[AhX LDAP fBNgToāA
IɌ肳܂B₪tȂEBhE܂
ŁAłԈႢΒāAVKɌ邱Ƃł܂B



8. Netscape roaming access

ꂩ珑łB

̘bɊւDǋL <http://www.linuxworld.com/linuxworld/
lw-1999-09/lw-09-ldap-netscape.html> ɂ܂B



9. Publishing digital certificates with LDAP

̏͂̏œ_́AfW^ؖ LDAP T[oɔs@ɂ܂
B Certification Authority (F؋) ^cȂfW^ؖ𔭍s
Kv܂BLDAP ւ̔śȀlbg[Nŗpł
悤ɂVvȕ@̂ЂƂłB܂AؖΉ\tgEFA
A]܂|WgƂāA[Uؖ LDAP pĂ܂B

̕@ł̓[Uؖ𑼂̃[UƈꏏɂĂ̂ŁAf[^
̖ʂȕKvȂȂ܂B

ؖ舵ɂ͈Íc[LbgKvłBŎgp̂
OpenSSL łB



9.1. Configuring the LDAP server

Ŏgp LDAP T[o OpenLDAP 2.0.x łB

LDAP T[óAؖL^邽߂̑Ă objectclass T|[
gĂȂĂ͂Ȃ܂B LDAP T[oɂ͓ɁAF؋ǏؖAؖ
jXgAFjXgAăGh[ȔؖL^Ă
Kv܂B

certificationAuthority Ƃ objectclass  authorityRevocationList
(܂FjXg), certificateRevocationList (ؖjXg),
cACertificate (F؋Ǐؖ) Ƃ܂B

inetOrgPerson Ƃ objectclass  usercertificate ([Uؖ) Ƃ
 (oCi) T|[g܂B

܂AstrongAuthenticationUser Ƃ objectclass gāA
inetOrgPerson Ggɏؖt邱Ƃł܂B

L̃XL[} slapd.conf t@CɊ܂߂āAKvȃXL[}
OpenLDAP ɃCN[hĂB

                                                                       
include        /usr/local/etc/openldap/schema/core.schema              
include        /usr/local/etc/openldap/schema/cosine.schema            
include        /usr/local/etc/openldap/schema/inetorgperson.schema     



9.2. Publishing the certificates

ؖ ASN.1  DER (Distinguished Encoding Rules) găGR[h
܂B̂ LDAP T[oɂ̓oCif[^ (BER GR[h)
sȂĂ͂Ȃ܂B

PEM ؖ́Â悤 OpenSSL g DER ɕϊł܂B

openssl x509 -outform DER -in incert.pem  -out outcert.der             

ƁAOpenLDAP ɂĒ񋟂 ldif Ƃ[eBeBg
 LDIF t@C쐬ł܂BłB

ldif -b "usercertificate;binary" < outcert.der > cert.ldif             

̃R}h BASE64 ŃGR[hꂽ usercertificate 쐬
B̂悤ɏؖ LDIF Ggɒǉł܂̂ŁAꂩ
ldapmodify g (󒍁FT[o) Ggɏؖǉł܂B

ldapmodify -x -W -D "cn=Manager,dc=yourorg,dc=com" -f cert.ldif        

 cert.ldif ́Â悤Ȃ̂܂ł܂B

dn: cn=user,ou=people,dc=yourorg,dc=com                                       
changetype: modify                                                            
add: usercertificate                                                          
usercertificate;binary:: MIIC2TCCAkKgAwIBAgIBADANBgkqhkiG9w0BAQQFADBGMQswCQYD 
 VQQGEwJJVDENMAsGA1UEChMESU5GTjESMBAGA1UECxMJQXV0aG9yaXR5MRQwEgYDVQQDEwtJTkZO 
 IENBICgyKTAeFw05OTA2MjMxMTE2MDdaFw0wMzA4MDExMTE2MDdaMEYxCzAJBgNVBAYTAklUMQ0w 
 CwYDVQQKEwRJTkZOMRIwEAYDVQQLEwlBdXRob3JpdHkxFDASBgNVBAMTC0lORk4gQ0EgKDIpMIGf 
 MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrHdRKJsobcjXz/OsGjyq8v73DbggG3JCGrQZ9f1Vm 
 9RrIWJPwggczqgxwWL6JLPKglxbUjAtUxiZm3fw2kX7FGMUq5JaN/Pk2PT4ExA7bYLnbLGZ9jKJs 
 Dh4bNOKrGRIxRO9Ff+YwmH8EQdoVpSRFbBpNnoDIkHLc4DtzB+B4wwIDAQABo4HWMIHTMAwGA1Ud 
 EwQFMAMBAf8wHQYDVR0OBBYEFK3QjOXGc4j9LqYEYTn9WvSRAcusMG4GA1UdIwRnMGWAFK3QjOXG 
 c4j9LqYEYTn9WvSRAcusoUqkSDBGMQswCQYDVQQGEwJJVDENMAsGA1UEChMESU5GTjESMBAGA1UE 
 CxMJQXV0aG9yaXR5MRQwEgYDVQQDEwtJTkZOIENBICgyKYIBADALBgNVHQ8EBAMCAQYwEQYJYIZI 
 AYb4QgEBBAQDAgAHMAkGA1UdEQQCMAAwCQYDVR0SBAIwADANBgkqhkiG9w0BAQQFAAOBgQCDs5b1 
 jmbIYVq2epd5iDjQ109SJ/V7b6DFw2NIl8CWeDPOOjL1E5M8dnlmCDeTR2TlBxqUZaBBJZPqzFdv 
 xpxqsHC0HfkCXAnUe5MaefFNAH9WbxoB/A2pkXtT6WGWed+QsL5wyKJaO4oD9UD5T+x12aGsHcsD 
 Cy3EVEaGEOl+/A==                                                             

܂ALDIF t@Cŏؖ̂悤Ɏw肷邱Ƃ\łB

userCertificate;binary:< file:///path/to/cert.der                      
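The PEM-to-DER conversion and the ldif -b step above, as an added self-contained Python example (not code from the HOWTO or from OpenLDAP) that builds the same kind of ldapmodify record with RFC 2849 line folding and then decodes it again to verify the round trip. The DER bytes are a constructed placeholder, not a real certificate, and the DN is the one from the HOWTO's example.

```python
import base64
import re

# Constructed stand-in for a DER-encoded certificate: a well-formed outer
# SEQUENCE (tag 0x30, length 768) wrapping filler bytes. It is NOT a real
# X.509 certificate; it only lets the example run offline.
FAKE_DER = b'\x30\x82\x03\x00' + bytes(range(256)) * 3


def der_to_pem(der, label='CERTIFICATE'):
    """Wrap DER bytes in a PEM block (64-character base64 lines)."""
    b64 = base64.b64encode(der).decode('ascii')
    body = '\n'.join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return '-----BEGIN %s-----\n%s\n-----END %s-----\n' % (label, body, label)


def pem_to_der(pem_text):
    """The 'openssl x509 -outform DER' step: extract and decode the PEM body."""
    m = re.search(r'-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----',
                  pem_text, re.S)
    if not m:
        raise ValueError('no CERTIFICATE block found')
    der = base64.b64decode(''.join(m.group(1).split()), validate=True)
    # every DER certificate starts with a SEQUENCE tag
    if not der or der[0] != 0x30:
        raise ValueError('decoded data does not start with a DER SEQUENCE')
    return der


def fold(line, width=76):
    """RFC 2849 line folding: continuation lines begin with a single space."""
    if len(line) <= width:
        return [line]
    out, rest = [line[:width]], line[width:]
    while rest:
        out.append(' ' + rest[:width - 1])
        rest = rest[width - 1:]
    return out


def cert_modify_ldif(dn, der, attr='usercertificate'):
    """The 'ldif -b' step: an ldapmodify record adding the certificate.

    '::' marks a base64-encoded value and ';binary' tells the server the
    value is raw DER rather than a string, as in the HOWTO's cert.ldif.
    """
    b64 = base64.b64encode(der).decode('ascii')
    lines = ['dn: %s' % dn, 'changetype: modify', 'add: %s' % attr]
    lines += fold('%s;binary:: %s' % (attr, b64))
    return '\n'.join(lines) + '\n'


def read_binary_attr(ldif_text, attr):
    """Unfold the record and decode attr;binary:: back to bytes (a check)."""
    logical = []
    for raw in ldif_text.splitlines():
        if raw.startswith(' ') and logical:
            logical[-1] += raw[1:]       # join a folded continuation line
        else:
            logical.append(raw)
    prefix = '%s;binary:: ' % attr
    for line in logical:
        if line.startswith(prefix):
            return base64.b64decode(line[len(prefix):], validate=True)
    raise KeyError(attr)
```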



9.3. LDAP-enabled clients

T[oɏؖL^ĂAǂĎôsvcɎv
܂B

̃NCAgƓlANetscape  LDAP T[o玩Iɏؖ
o@\T|[gĂ܂BuZLeB[UؖfBNg
vƂ邱ƂŁA LDAP fBNg̏ؖāA
Netscape ؖf[^x[XɎŃCXg[邱Ƃł̂łB

̑ɁAؖւ̃T|[g̗ǂNCAgɂ web2ldap (
www.web2ldap.de <http://www.web2ldap.de/>) ܂B



10. SSL/TLS and SSL/TLS wrappers for LDAP

10.1. A brief introduction to SSL

Secure Socket Layer (SSL) ̓p[eBԂ̃ZLAȓ]oH񋟂A
vP[VCvgRłB HTTP, LDAP, SMTP X̃AvP[
Vx̃vgR TCP/IP Ƃ̊ԂƂ̂ŁAJÍV
Xe (ẌÍ@p\)  X.509 ؖɊÂĂ܂B

SSL ͂Ƃ Netscape ̃vgRłAXɕWIȂ̂ƂȂ
Ał TLS (Transport Layer Security) ƌĂ΂̂ɂȂ܂B
ʓI SSL/TLS ƂČy܂B

SSL/TLS vgR͈ȉ̋@\񋟂܂B

 E f[^̈Í\NCAg^T[oԂ̃ZbVÍ܂
    B
   
 E T[oF؁\NCAgAT[o{ǂ؂邱
    ł܂B
   
 E bZ[WS\f[^͓]Ɏ܂B́uman
    in the middlevU[6]h~܂B 
   
 E NCAgF؁\T[o̓NCAg{ǂ؂ł܂B
   


10.2. SSL/TLS support in OpenLDAP

LDAP V3 ̃c[Lbgł OpenLDAP 2.0.x ́AT[oɂ SSL/
TLS T|[gĂ܂B SSL/TLS ǉ邽߂ɂ́A
OpenLDAP 2.0.x  OpenSSL ̃CugăRpCKv
܂B܂A2.0.x ɂ Start-TLS ̃T|[g܂B

    Note: Start-TLS ́ANCAgvƂ TLS Lɂ
    Ƃł悤ɂ܂B̕@ƁAPƂ LDAP |[gZL
    AȐڑƂłȂڑ̗ɎgƂ\łB
   
OpenLDAP 1.2.x ͂Ƃ͈قȂ LDAP V2 vgRɂłASSL
/TLS Ă܂B

OpenLDAP 2.0.x  SSL/TLS ɊւĂ OpenLDAP ̃EFuTCgɉl
񂪂܂̂ŁAł SSL/TLS ɑΉĂȂ LDAP p[eB
SSL glgăZLAɂ@ɏœ_킹邱Ƃɂ܂B



10.3. Providing SSL/TLS for an LDAP v2 server with stunnel

OpenLDAP 1.2.x gĂȂ΁AT[o SSL @\ǉ邽߂ɂ
ėp SSL bpKvɂȂ܂Bstunnel (www.stunnel.org <http://
www.stunnel.org>) ͈肵ĂāA̖ړIɓKĂ܂B

stunnel ̃CXg[͂ƂĂȒPłA͂߂ OpenSSL (
www.OpenSSL.org <http://www.OpenSSL.org>) CXg[āAKvȃ
Cuƃc[pӂȂĂ͂Ȃ܂B

OpenSSL Ƃ SSL vgR̃I[v\[XɂłA SSL ̃
CuƈÍc[ꎮĂ܂B

OpenSSL CXg[ɂ͎̃R}h͂ȂĂ͂Ȃ܂B

$ ./config                                                             
$ make                                                                 
$ make test                                                            
# make install                                                         

ӂ́Aׂ /usr/local/ssl ɃCXg[邱ƂɂȂ܂B

OpenSSL CXg[Ă΁Astunnel RpCăC
Xg[邽߂ɓ͂KvȂ̂́ÃR}hłB

$ ./configure                                                          
$ make                                                                 
# make install                                                         

stunnel  SSL ɃT[oؖg܂B͎ȏ̏ؖ (self
signed certificate) ł悢̂łAɗǂ͎̂̔F؋
(Certification Authority) ɂďꂽؖł (SSL NCA
g CA MpĂȂĂ͂Ȃ܂)B

̂悤ȏؖ́AʓIɗpۊǏꏊ͂łB

/usr/local/ssl/certs/stunnel.pem                                       

F؋ǂ̗LCɂȂ̂ł΁A OpenSSL ZbgɂĒ񋟂
c[gāAȏ̏ؖ쐬ł܂B

stunnel ̃fBNg stunnel.cnf Ƃݒt@Cg߁A
̃fBNgŁÃR}h͂ĂB

$ openssl req -new -x509 -days 365 -nodes -config stunnel.cnf -out stunnel.pem -keyout stunnel.pem 
$ openssl gendh 512 >> stunnel.pem                                                                 

ɂāAȏɂNԗLȏؖ stunnel.pem t@C
ɍ쐬܂B

stunnel CXg[ꂽA܂ŏɎ̂悤ɂ LDAP T[o
389 Ԃ̃|[g (ftHg LDAP |[g) ɋNĂB

# /usr/local/libexec/slapd                                             

ꂩ玟̂悤 636 Ԃ (LDAPS NCAgɂĎgp) |[
g stunnel ŃglĂB

# /usr/local/sbin/stunnel -r ldap -d 636 -p /usr/local/ssl/certs/stunnel.pem

fobÔ߂Ɏ̏ŃtHAOEh stunnel N邱Ƃ
܂B

# /usr/local/sbin/stunnel -r ldap -d 636 -D 7 -f -p /usr/local/ssl/certs/stunnel.pem



10.4. Providing SSL for LDAP clients with stunnel

 LDAP NCAg SSL Ήł͂܂B stunnel N
CAg[hŎgƂŁÃNCAg SSL 񋟂邱
\łB

͔ɊȒPłBNCAgzXg stunnel ̂悤ɋN
āALDAPS |[gɑ΂vۂ LDAP T[oɓ]悤ɂĂ
B

# stunnel -c -d 636 -r ldapserver.yourorg.com:636                      

̂Ƃ LDAP NCAg localhost:636  LDAPS T[oƂĎg
ݒ肳ȂĂ͂Ȃ܂B



10.5. Providing SSL for slurpd replication with stunnel

_ slurpd (slapd vP[Vf[)  SSL @\Ă
ȂƂ͂Astunnel NCAg[hŎgāA̖邱
Ƃł܂B

̂悤Ƀ}X^T[oŃNCAg[h stunnel gA[J
|[g[g|[gɓ]ĂB

# stunnel -c -d 9636 -r ldapreplica.yourorg.com:636                    

ă}X^ LDAP T[o slapd.conf Ɏ̋LqĂB

replica host=localhost:9636                                            



11. Security-related notes

(󒍁F܂)



12. The LDAP schema

܂ŋ@\ɕKvȃf[^̋ꏊȂƂ̂̓XL[}̖
łBǂȊłAlɈׂ̂Ƃ݂ȂĂ܂ׂł
܂Bɂ͖ړIɂȂ͂łA̓̕Kvɍ
킹ȂĂ͂ȂȂƂƎv܂B

eGg̈ӖƓׂ𖾂邽߂ɂƂĂJĂ (
Ƃ͂菑Ă̂ł傤AǂɏĂ邩Ȃ) 
ŁA҂słĂ݂܂BӂׂƂɁAepr̃XL
[}𓯎ɖȂpłƂ킯ł͂܂B Microsoft ̃A
hXɂ́A\Ă̂ LDAP ŎgpȂtB[h悤
łBuEvujbNl[vus撬vus{vu() X֔
vu() /nvu() Web y[WṽGgɂ́Ȁ
KvȂ悤Ɏv܂ (󒍁F{łł͖̓mF)Bulv
uNetMeetingvufW^ IDvɂẮA܂ǂ̂悤 LDAP f[^x[
Xɓ̂𖾂邽߂̓w͂Ă܂Bǂȏ}
܂B Netscape ̃AhXɂl̖肪܂BR[h LDAP
fBNg烍[J̃AhXɃRs[ƂɁA̃tB
[hĂ܂̂łB͑Ƃ͌ȂƂAgDŜŎg
AhXubNƂA[U̓[JɃRs[CȂ
łBA Netscape ̃AhXɂ́Aɂȓ_
܂Bʂ̃AhXR[hł́AujbNl[vi[鑮 
xmozillanickname łBƂ낪͒PȂ nickname Ȃ̂łBlbN
l[̃GgXL[}ɓxoĂ̂ɂ́AR̂
B

̃XL[} Microsoft Outlook 2000  Netscape 4.73 œ삪mF
Ă܂AA@\AGg̕KvɊւĊԈႢ΁Aǂ
m点I (󒍁F{̃tB[h\ Windows 98 ̃Ah
X Windows  Netscape 6.1 琄̂łB{łł̓
قƂǖmFłBA{ Windows Me + Outlook 2000 ŃAhX
͈͂ł͐悤łB)

̃XL[}\t@C Section 13.1 ɂ܂B(󒍁F҂
Ãt@Cǂĝ܂łBÂ̂H)



Table 1. A brief description of the LDAP attributes and objectclasses


@\      Objectclass                                               l  

[UAJtop                                               ftHg                  
Eg                        
                              ou                            jbg      Users       
                                                            (Organizational             
                                                            Unit)                       
          
          person                                             objectclass            
                                                            ̏L҂͐lԂń            
                                                                                      
                              
                              uid                           Unix OC foo         
                              
                              cn                             (Common    Foo Bar     
                                                            Name)                       
                              
                              sn                             (Surname)    Bar         
          
          account                                            objectclass            
                                                            ̏L҂ɂ̓AJ            
                                                            Eg܂            
          
          posixaccount                                       objectclass            
                                                            ̏L҂ɂ                
                                                            Unix AJEg             
                                                            ܂                  
                              
                              uidNumber                     [U ID (uid) 513         
                                                            ԍ                        
                              
                              gidNumber                     O[v ID     100         
                                                            (gid) ԍ                  
                              
                              homedirectory                 z[fBNg/home/users/
                                                                          foo         
                              
                              userpassword                  Unix pX[h S3cr3t      
          
          sambaaccount                                       objectclass            
                                                            ̏L҂ɂ                
                                                            Samba AJEg            
                                                            ܂                  
                              
                              ntuid                         s            uid         
                              
                              rid                           s            uidnumber   
                              
                              lmpassword                    Lanman ̃pX gp      
                                                            [h̃nbVl            
                              
                              ntpasswd                      NT ̃pX[h gp      
                                                            ̃nbVl                
                              
                              loginshell                    [ŨVF  /bin/pleurop

}VAJtop                                               ftHg                  
Eg                        
                              ou                            jbg      Machines    
                                                            (Organizational             
                                                            Unit)                       
          
          posixaccount                                       objectclass            
                                                            ̏L҂ɂ                
                                                            Unix AJEg             
                                                            ܂                  
                              
                              uid                           OC      speed$      
                              
                              uidnumber                     Unix ̃[U ID514         
                                                            (uid) ԍ                  
                              
                              gidnumber                     O[v ID     100         
                                                            (gid) ԍ                  
                              
                              homedirectory                 z[fBNggp      
                                                                                      

Microsoft top                                               ftHg                  
AhX                    
                              ou                            jbg      Addressbook 
                                                            (Organizational             
                                                            Unit)                       
          
          microsoftaddressbook                               objectclass            
                                                            ̏L҂ɂ                
                                                            Microsoft Ah            
                                                            X̃vpeB            
                                                            ܂                  
                              
                              cn                            \ (Common              
                                                            Name)                       
                              
                              c                             Ζ̍/n             
                                                            (Country)                   
                              
                              department                    Ζ̕              
                              
                              facsimiletelephonenumber      Ζ̃t@bN            
                                                            X                          
                              
                              givenname                                               
                              
                              homephone                     ̓dbԍ              
                              
                              homepostaladdress             ̔Ԓn                  
                              
                              info                                                  
                              
                              initials                      CjV                  
                              
                              l                             Ζ̎s撬            
                              
                              mail                          dq[Ah            
                                                            X                          
                              
                              mobile                        ̌gѓdb              
                              
                              organizationname              Ж                      
                              
                              otherfacsimiletelephonenumber ̃t@bNX            
                              
                              otherpager                    Ζ̃|Pbgupagerv 
                                                            x            H          
                              
                              physicaldeliveryofficename    Ζ̃ItBX            
                              
                              postaladdress                 Ζ̔Ԓn                
                              
                              postalcode                    Ζ̗X֔ԍ            
                              
                              sn                             (Surname)                
                              
                              st                            Ζ̓s{            
                              
                              telephonenumber               Ζ̓dbԍ            
                              
                              title                         E                        
                              
                              url                           Ζ Web y             
                                                            [W                        

Netscape  top                                               ftHg                  
AhX                    
                               ou                            Organizational Unit:
                                                             Addressbook

                               netscapeaddressbook           objectclass; holds the
                                                             Netscape-specific
                                                             properties of the entry's
                                                             owner

                               cn                            Display name (Common
                                                             Name)

                               cellphone                     Mobile phone number

                               countryname                   Country

                               description                   Notes

                               facsimiletelephonenumber      Fax number

                               givenname                     First name

                               homephone                     Home phone number

                               homeurl                       Home web page

                               locality                      City (home address)

                               mail                          E-mail address

                               nickname                      Nickname

                               o                             Organization

                               ou                            Department

                               pagerphone                    Pager number

                               postalcode                    Postal code (home
                                                             address)

                               sn                            Last name (Surname)

                               st                            State or prefecture

                               streetaddress                 Street address (home)

                               telephonenumber               Work phone number

                               title                         Job title

                               xmozillaanyphone              Work phone number

                               xmozillanickname              Nickname; same as
                                                             "nickname"

                               xmozillausehtmlmail           TRUE if the recipient
                                                             prefers HTML mail

Netscape Roaming               top                           default
Access
                               ou                            Organizational Unit:
                                                             Roaming



    Note: Netscape and Microsoft use the address entries differently.
    Netscape stores the postal (street) address in the streetaddress
    entry, base64 encoded, while Microsoft uses the postaladdress entry.
    Microsoft can also use the streetaddress entry in place of
    postaladdress, but its streetaddress value is plain text, not base64
    encoded, so the two products cannot share that entry. Base64 is only
    an encoding, not a protection: anyone who can read the entry can read
    the address, so access to the address book tree has to be controlled
    by the server's access rules like the rest of the directory.
   
General information about the LDAP schema is available from the Linux
Center <http://ldap.hklc.com/>. The Microsoft address book properties are
documented on the Microsoft Developers Network <http://msdn.microsoft.com/library/psdk/
adsi/gluser_4437.htm>.

Be aware that the attributes listed on the Microsoft page are matched to
the fields the address book displays. Not every address book field is
covered there, and some of the listed attributes do not work properly, so
which attributes really work has not been established at this point.



13. Example files

These are example files. They can be used to build the setup described in
this document.



13.1. Schema file

# Unix-related and default objectclasses (modified)

attribute       userpassword                            ces
attribute       telephonenumber                         tel
attribute       facsimiletelephonenumber        fax     tel
attribute       pagertelephonenumber            pager   tel
attribute       homephone                               tel
attribute       mobiletelephonenumber           mobile  tel
attribute       member                                  dn
attribute       owner                                   dn
attribute       dn                                      dn
                                                                       
objectclass top                                                        
        requires                                                       
                objectClass                                            
                                                                       
objectclass organization                                               
        requires                                                       
                objectClass,                                           
                o                                                      
        allows                                                         
                description                                            
                                                                       
objectclass organizationalUnit                                         
        requires                                                       
                objectClass,                                           
                ou                                                     
        allows                                                         
                description                                            
                                                                       
objectclass person                                                     
        requires                                                       
                objectClass,                                           
                cn                                                     
        allows                                                         
                description                                            
                                                                       
objectclass account                                                    
        requires                                                       
                objectClass,                                           
                uid                                                    
        allows                                                         
                description,                                           
                host,                                                  
                o,                                                     
                ou                                                     
                                                                       
# Samba-related objectclasses (original)
                                                                       
objectclass sambaaccount                                               
        requires                                                       
                objectclass,                                           
                uid,                                                   
                uidnumber,                                             
                ntuid,                                                 
                rid                                                    
        allows                                                         
                gidnumber,                                             
                grouprid,                                              
                nickname,                                              
                userpassword,                                          
                ou,                                                    
                description,                                           
                lmpassword,                                            
                ntpassword,                                            
                pwdlastset,                                            
                smbhome,                                               
                homedrive,                                             
                script,                                                
                profile,                                               
                workstations,                                          
                acctflags,                                             
                pwdcanchange,                                          
                pwdmustchange                                          
                                                                       
objectclass sambagroup                                                 
        requires                                                       
                cn,                                                    
                rid                                                    
        allows                                                         
                ntuid,                                                 
                member,                                                
                description                                            
                                                                       
objectclass sambaconfig                                                
        requires                                                       
                id                                                     
        allows                                                         
                nextrid                                                
                                                                       
objectclass sambabuiltin                                               
        requires                                                       
                cn,                                                    
                sid                                                    
        allows                                                         
                ntuid,                                                 
                rid,                                                   
                member,                                                
                description                                            
                                                                       
# Sendmail-related objectclasses (new / modified)
                                                                       
objectclass inetmailrecipient                                          
        requires                                                       
                objectclass                                            
        allows                                                         
                mailid,                                                
                mailacceptinggeneralid,                                
                maildrop                                               
                                                                       
objectclass inetmaildomain                                             
        requires                                                       
                objectclass,                                           
                sendmailislocalkey                                     
        allows                                                         
                maildomain,                                            
                sendmailaccesskey                                      
                                                                       
# Addressbook-related objectclasses
                                                                       
objectclass netscapeaddressbook                                        
        requires                                                       
                objectclass,                                           
                cn                                                     
        allows                                                         
                cellphone,                                             
                countryname,                                           
                description,                                           
                facsimiletelephonenumber,                              
                givenname,                                             
                homephone,                                             
                homeurl,                                               
                locality,                                              
                mail,                                                  
                nickname,                                              
                o,                                                     
                ou,                                                    
                pagerphone,                                            
                postalcode,                                            
                sn,                                                    
                st,                                                    
                streetaddress,                                         
                telephonenumber,                                       
                title,                                                 
                xmozillanickname,                                      
                xmozillausehtmlmail,                                   
                xmozillaanyphone                                       
                                                                       
objectclass microsoftaddressbook                                       
        requires                                                       
                objectclass,                                           
                cn                                                     
        allows                                                         
                c,                                                     
                department,                                            
                facsimiletelephonenumber,                              
                givenname,                                             
                homephone,                                             
                homepostaladdress,                                     
                info,                                                  
                initials,                                              
                l,                                                     
                mail,                                                  
                mobile,                                                
                organizationname,                                      
                otherfacsimiletelephonenumber,                         
                otherpager,                                            
                physicaldeliveryofficename,                            
                postaladdress,                                         
                postalcode,                                            
                sn,                                                    
                st,                                                    
                telephonenumber,                                       
                title,                                                 
                url                                                    



13.2. Base LDIF example

dn: dc=yourorg,dc=com
objectClass: top
objectClass: organization
o: YourOrg
description: This is our organization's base dn. Everything is stored beneath this

dn: ou=Users,dc=yourorg,dc=com
objectClass: top
objectClass: organizationalunit
ou: Users
description: This is the tree where user accounts are stored

dn: ou=Machines,dc=yourorg,dc=com
objectClass: top
objectClass: organizationalunit
ou: Machines
description: This is the tree where machine accounts are stored

dn: ou=Roaming,dc=yourorg,dc=com
objectClass: top
objectClass: organizationalunit
ou: Roaming
description: This is the tree where netscape roaming profiles are stored

dn: ou=Addressbook,dc=yourorg,dc=com
objectClass: top
objectClass: organizationalunit
ou: Addressbook
description: This is the tree where addressbook entries are stored
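
The schema file in 13.1 tells slapd which attributes each objectclass requires and allows, the base LDIF in 13.2 is what gets loaded under it, and the note on Netscape versus Microsoft above concerns how a value is encoded inside an entry. The Python script below is an added example, not part of this HOWTO or of OpenLDAP: it parses the "objectclass NAME / requires / allows" syntax of the schema file above and the LDIF syntax of the base LDIF (including the "attr:: base64" form, which is how a multi-line value such as the Netscape street address is written), then reports, per entry, the required attributes that are missing and the attributes that no listed objectclass permits. These are the conditions under which slapd rejects an ldapadd when schema checking is on, and checking offline finds them before anything reaches the server. The schema subset and the two LDIF entries embedded in the script are constructed for this example; "yourorg" and "jane@yourorg.example" are placeholders.

```python
"""Check LDIF entries against a slapd.oc.conf-style schema (added example)."""
import base64
import re

# Constructed subset of the schema file above; "attribute" lines are skipped.
SCHEMA_TEXT = """
attribute       streetaddress                           cis

objectclass top
        requires
                objectClass

objectclass netscapeaddressbook
        requires
                objectclass, cn
        allows
                givenname, sn, mail, streetaddress, xmozillausehtmlmail
"""

# Constructed LDIF: a Netscape-style entry whose two-line street address is
# base64 encoded ("::"), and one missing cn that uses the disallowed postaladdress.
SAMPLE_LDIF = "\n".join([
    "dn: cn=Jane Doe,ou=Addressbook,dc=yourorg,dc=com",
    "objectClass: top",
    "objectClass: netscapeaddressbook",
    "cn: Jane Doe",
    "sn: Doe",
    "mail: jane@yourorg.example",
    "streetaddress:: " + base64.b64encode(b"1 Example St\nSpringfield").decode(),
    "xmozillausehtmlmail: TRUE",
    "",
    "dn: cn=Broken,ou=Addressbook,dc=yourorg,dc=com",
    "objectClass: top",
    "objectClass: netscapeaddressbook",
    "sn: Broken",
    "postaladdress: 2 Example St",
    "",
])
_LDIF_LINE = re.compile(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$")


def parse_schema(text):
    """Return {objectclass: {"requires": set, "allows": set}}, all lowercased."""
    classes, name, mode = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.lower().startswith("attribute "):
            continue
        if line.lower().startswith("objectclass "):   # "objectclass NAME" header
            name = line.split(None, 1)[1].lower()
            classes[name] = {"requires": set(), "allows": set()}
            mode = None
        elif line.lower() in ("requires", "allows"):
            mode = line.lower()
        elif name and mode:                           # comma-separated attribute names
            classes[name][mode].update(
                a.strip().lower() for a in line.split(",") if a.strip())
    return classes


def parse_ldif(text):
    """Parse LDIF into [{attr(lowercase): [values]}]; "attr:: b64" is decoded."""
    text = re.sub(r"\n ", "", text)          # unfold continuation lines
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():                 # blank line ends an entry
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, sep, val = _LDIF_LINE.match(line).groups()  # AttributeError if malformed
        if sep == "::":                      # base64 is an encoding, not a protection
            val = base64.b64decode(val).decode("utf-8")
        cur.setdefault(attr.lower(), []).append(val)
    if cur:
        entries.append(cur)
    return entries


def validate(entry, classes):
    """Return the schema violations of one parsed entry (empty list if OK)."""
    problems = []
    ocs = [oc.lower() for oc in entry.get("objectclass", [])]
    required, allowed = set(), {"dn", "objectclass"}
    for oc in ocs:
        spec = classes.get(oc)
        if spec is None:
            problems.append("unknown objectclass %s" % oc)
            continue
        required |= spec["requires"]
        allowed |= spec["requires"] | spec["allows"]
    for attr in sorted(required - set(entry)):
        problems.append("missing required attribute %s" % attr)
    for attr in sorted(set(entry) - allowed):
        problems.append("attribute %s not permitted by %s" % (attr, ", ".join(ocs)))
    return problems


def check_ldif(ldif_text, schema_text=SCHEMA_TEXT):
    """Map each entry's dn to its list of violations."""
    classes = parse_schema(schema_text)
    return {e["dn"][0]: validate(e, classes) for e in parse_ldif(ldif_text)}
```

Run check_ldif() on the contents of a real LDIF file and the full schema file from 13.1 to get a per-dn list of problems; the Jane Doe entry above passes, the Broken entry reports the missing cn and the postaladdress attribute that netscapeaddressbook does not allow. Attribute and objectclass names are compared case-insensitively, as slapd does, which is why "organizationalunit" in the LDIF matches "organizationalUnit" in the schema.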



14. About the Japanese translation

The following people proofread this translation, and the translator thanks
them. Any remaining errors are due to the translator's limited ability; the
improvements are the proofreaders' contribution.

 E xcωpl
   
 E {_l
   
 E nl
   
 E konkiti l
   
 E ml
   
 E 앐Yl
   
    Note to the proofreaders: there may be mistakes in the way your names
    are written above; apologies. Please contact the translator.
   
Please send comments on the translation to the translator or to the JF project.

Notes

[1] A mechanism for replicating the LDAP database between servers.

[2] This differs when the value is assigned by NIS.

[3] One entry can belong to several objectclasses.

[4] As a workaround, the Netscape Communicator certificate database can
    be used instead.

[5] Translator's note: the original says "Netscape Active Directory", but
    "Netscape" is probably a mistake for "Microsoft".

[6] Translator's note: for example, someone impersonating the sender, or a
    third party altering the data in transit.

