I tried using 389 Directory Server for AWX user authentication.
I will manage 389 Directory Server through phpLDAPadmin.
Environment

| Item | Version |
|---|---|
| OS | CentOS 7.6 |
| AWX | 3.0.0 |
| 389 Directory Server | 1.3.8.4-22.el7_6 |
Prerequisites
- AWX (or Ansible Tower) is assumed to be already set up
- TLS/SSL is not used on 389 Directory Server
Installation and setup
389 Directory Server
hosts configuration
Add the host name to /etc/hosts.

```
[root@ldap01 ~]# vi /etc/hosts
(snip)
192.168.0.150 ldap01.example.com
```
Linux tuning
Apply the tuning settings described on the following page:
https://directory.fedoraproject.org/docs/389ds/FAQ/performance-tuning.html

```
[root@ldap01 ~]# echo "net.ipv4.ip_local_port_range = 1024 65000" >> /etc/sysctl.conf
[root@ldap01 ~]# echo "fs.file-max = 64000" >> /etc/sysctl.conf
[root@ldap01 ~]# echo "* soft nofile 8192" >> /etc/security/limits.conf
[root@ldap01 ~]# echo "* hard nofile 8192" >> /etc/security/limits.conf
```
Apply the settings.
The ulimit command is run here so that the setup program does not emit a warning about the open-file limit.

```
[root@ldap01 ~]# sysctl -p
net.ipv4.ip_local_port_range = 1024 65000
fs.file-max = 64000
[root@ldap01 ~]# ulimit -n 8192
```
Installation
Install 389 Directory Server.

```
[root@ldap01 ~]# yum -y install 389-ds-base
```
Setup
Run the 389 Directory Server setup.

```
[root@ldap01 ~]# setup-ds.pl

==============================================================================
This program will set up the 389 Directory Server.

It is recommended that you have "root" privilege to set up the software.
Tips for using this program:
  - Press "Enter" to choose the default and go to the next screen
  - Type "Control-B" or the word "back" then "Enter" to go back to the previous screen
  - Type "Control-C" to cancel the setup program

Would you like to continue with set up? [yes]:

==============================================================================
Your system has been scanned for potential problems, missing patches,
etc.  The following output is a report of the items found that need to
be addressed before running this software in a production
environment.

389 Directory Server system tuning analysis version 14-JULY-2016.

NOTICE : System is x86_64-unknown-linux3.10.0-957.5.1.el7.x86_64 (1 processor).

Would you like to continue? [yes]:

==============================================================================
Choose a setup type:

   1. Express
       Allows you to quickly set up the servers using the most
       common options and pre-defined defaults. Useful for quick
       evaluation of the products.

   2. Typical
       Allows you to specify common defaults and options.

   3. Custom
       Allows you to specify more advanced options. This is
       recommended for experienced server administrators only.

To accept the default shown in brackets, press the Enter key.

Choose a setup type [2]:

==============================================================================
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: eros.example.com.

To accept the default shown in brackets, press the Enter key.

Warning: This step may take a few minutes if your DNS servers
can not be reached or if DNS is not configured correctly.  If
you would rather not wait, hit Ctrl-C and run this program again
with the following command line option to specify the hostname:

    General.FullMachineName=your.hostname.domain.name

Computer name [ldap01.example.com]:

==============================================================================
The server must run as a specific user in a specific group.
It is strongly recommended that this user should have no privileges
on the computer (i.e. a non-root user).  The setup procedure
will give this user/group some permissions in specific paths/files
to perform server-specific operations.

If you have not yet created a user and group for the server,
create this user and group using your native operating
system utilities.

System User [dirsrv]:
System Group [dirsrv]:

==============================================================================
The standard directory server network port number is 389.  However, if
you are not logged as the superuser, or port 389 is in use, the
default value will be a random unused port number greater than 1024.
If you want to use port 389, make sure that you are logged in as the
superuser, that port 389 is not in use.

Directory server network port [389]:

==============================================================================
Each instance of a directory server requires a unique identifier.
This identifier is used to name the various
instance specific files and directories in the file system,
as well as for other uses as a server instance identifier.

Directory server identifier [ldap01]:

==============================================================================
The suffix is the root of your directory tree.  The suffix must be a valid DN.
It is recommended that you use the dc=domaincomponent suffix convention.
For example, if your domain is example.com,
you should use dc=example,dc=com for your suffix.
Setup will create this initial suffix for you,
but you may have more than one suffix.
Use the directory server utilities to create additional suffixes.

Suffix [dc=example, dc=com]:

==============================================================================
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and typically has a
bind Distinguished Name (DN) of cn=Directory Manager.
You will also be prompted for the password for this user.  The password must
be at least 8 characters long, and contain no spaces.
Press Control-B or type the word "back", then Enter to back
up and start over.

Directory Manager DN [cn=Directory Manager]:
Password:
Password (confirm):
Your new DS instance 'ldap01' was successfully created.
Exiting . . .
Log file is '/tmp/setupGaCEwI.log'
```
Verification
Run ldapsearch to confirm the server is working.
If the entries come back, everything is fine.

```
[root@ldap01 ~]# ldapsearch -D "cn=directory manager" -b "dc=example,dc=com" -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# example.com
dn: dc=example,dc=com
objectClass: top
objectClass: domain
dc: example
(snip)
```
phpLDAPadmin
Installation
Install phpLDAPadmin from EPEL.

```
[root@ldap01 ~]# yum -y install epel-release
[root@ldap01 ~]# yum -y install phpldapadmin
```
Setup
Edit the phpLDAPadmin configuration file as follows.

```
[root@ldap01 ~]# vi /etc/phpldapadmin/config.php
(snip)
/* If you specified 'cookie' or 'session' as the auth_type above, you can
   optionally specify here an attribute to use when logging in. If you enter
   'uid' and login as 'dsmith', phpLDAPadmin will search for (uid=dsmith)
   and log in as that user.

   Leave blank or specify 'dn' to use full DN for logging in. Note also that if
   your LDAP server requires you to login to perform searches, you can enter the
   DN to use when searching in 'bind_id' and 'bind_pass' above. */
$servers->setValue('login','attr','dn');
// $servers->setValue('login','attr','uid');
```
Edit the Apache configuration file as follows.
The configuration below applies no access control at all. If you need access control, restrict access by source address instead.

```
[root@ldap01 ~]# vi /etc/httpd/conf.d/phpldapadmin.conf
<Directory /usr/share/phpldapadmin/htdocs>
  <IfModule mod_authz_core.c>
    # Apache 2.4
    #Require local
    Require all granted
  </IfModule>
(snip)
```
Startup
Start Apache.

```
[root@ldap01 ~]# systemctl start httpd
[root@ldap01 ~]# systemctl enable httpd
```
LDAP operations
Log in to phpLDAPadmin and create the user that AWX will use.
A group is required before a user can be created, so create the group as well.

| Item | Parameter |
|---|---|
| Group name | Ansible Users |
| User name | test user01 |

(Video: "add group and user to 389 directory server", by sky_joker on Vimeo.)
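The same group and user, as an added example that is not part of the original post: a Python script that renders them as LDIF for `ldapadd -D "cn=Directory Manager" -W -f`, with the password stored as a salted `{SSHA}` hash so the LDIF file never carries it in clear text. It assumes `ou=Groups` and `ou=People` under the suffix (the containers a typical setup-ds.pl run creates), the uid `tuser01`, and id number 10000; none of those come from the post.

```python
import base64
import hashlib
import os

# Added example, not code from the original post. Page values: "Ansible Users",
# "test user01", dc=example,dc=com. Assumptions: ou=Groups / ou=People under the
# suffix, uid "tuser01", uidNumber/gidNumber 10000, posixGroup + inetOrgPerson.
BASE_DN = "dc=example,dc=com"

def ssha_hash(password: str, salt: bytes = None) -> str:
    """Salted SHA-1 in the {SSHA} form 389 DS stores; Directory Manager may load it pre-hashed."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def verify_ssha(password: str, stored: str) -> bool:
    """Recompute with the salt that follows the 20-byte digest (how the server checks a bind)."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest

def ldif_line(attr: str, value: str) -> str:
    """RFC 2849: a value that is not a SAFE-STRING (non-ASCII, CR/LF/NUL, leading space/colon/'<') is base64 (`::`)."""
    safe = (value.isascii() and not any(c in value for c in "\r\n\x00")
            and not value.startswith((" ", ":", "<")) and not value.endswith(" "))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"

def group_entry(name: str, gid: int, member_uids: list) -> list:
    lines = [ldif_line("dn", f"cn={name},ou=Groups,{BASE_DN}"), "objectClass: top",
             "objectClass: posixGroup", ldif_line("cn", name), f"gidNumber: {gid}"]
    return lines + [ldif_line("memberUid", u) for u in member_uids]

def user_entry(uid: str, cn: str, sn: str, uidnum: int, gid: int, password: str) -> list:
    return [ldif_line("dn", f"uid={uid},ou=People,{BASE_DN}"), "objectClass: top",
            "objectClass: person", "objectClass: inetOrgPerson", "objectClass: posixAccount",
            ldif_line("uid", uid), ldif_line("cn", cn), ldif_line("sn", sn),
            f"uidNumber: {uidnum}", f"gidNumber: {gid}", f"homeDirectory: /home/{uid}",
            ldif_line("userPassword", ssha_hash(password))]

def render_ldif(*entries) -> str:
    """Entries separated by one blank line, trailing newline, as ldapadd expects."""
    return "\n\n".join("\n".join(e) for e in entries) + "\n"

if __name__ == "__main__":
    print(render_ldif(group_entry("Ansible Users", 10000, ["tuser01"]),
                      user_entry("tuser01", "test user01", "user01", 10000, 10000, "<password-placeholder>")))
```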
AWX operations
LDAP authentication settings
Log in to AWX, click Settings, then click Authentication, and then click LDAP.
The parameters are as follows.
| Parameter | Description |
|---|---|
| LDAP Server URI | Address of the LDAP server |
| LDAP Bind DN | DN of the account AWX uses to query LDAP |
| LDAP Bind Password | Password of the account AWX uses to query LDAP |
| LDAP User Search | Search settings for LDAP users |
| LDAP Group Search | Search settings for the groups of LDAP users |
See the following page for details:
https://docs.ansible.com/ansible-tower/latest/html/administration/ldap_auth.html
Finally, click Save at the bottom of the page.
If you can log in as an LDAP user, you are done.
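The settings entered above, as an added example that is not part of the original post or of AWX itself: the same parameters in the JSON shape the AWX settings API (`/api/v2/settings/ldap/`) accepts, a pre-flight consistency check, and the RFC 4515 escaping that django-auth-ldap applies to the login name before it lands in the user search filter. It assumes `ou=People`/`ou=Groups` containers, a posixGroup for "Ansible Users", and a dedicated read-only bind account in place of `cn=Directory Manager`; those are not from the post.

```python
import re

# Added example, not code from the original post or AWX. Page values: ldap01.example.com,
# dc=example,dc=com, the "Ansible Users" group. Assumptions: ou=People / ou=Groups,
# a posixGroup, and a read-only bind account "awx-bind" instead of cn=Directory Manager.
BASE_DN = "dc=example,dc=com"
VALID_SCOPES = {"SCOPE_BASE", "SCOPE_ONELEVEL", "SCOPE_SUBTREE"}

AWX_LDAP_SETTINGS = {
    # Plain ldap:// as on this page (no TLS): bind and user passwords cross the wire unencrypted.
    "AUTH_LDAP_SERVER_URI": "ldap://ldap01.example.com:389",
    "AUTH_LDAP_BIND_DN": f"uid=awx-bind,ou=Special Users,{BASE_DN}",  # assumed read-only account
    "AUTH_LDAP_BIND_PASSWORD": "<bind-password-placeholder>",
    "AUTH_LDAP_USER_SEARCH": [f"ou=People,{BASE_DN}", "SCOPE_SUBTREE", "(uid=%(user)s)"],
    "AUTH_LDAP_GROUP_SEARCH": [f"ou=Groups,{BASE_DN}", "SCOPE_SUBTREE", "(objectClass=posixGroup)"],
    "AUTH_LDAP_GROUP_TYPE": "PosixGroupType",
    "AUTH_LDAP_REQUIRE_GROUP": f"cn=Ansible Users,ou=Groups,{BASE_DN}",  # only this page's group may log in
    "AUTH_LDAP_USER_ATTR_MAP": {"first_name": "givenName", "last_name": "sn", "email": "mail"},
}

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter; backslash goes first."""
    value = value.replace("\\", r"\5c")
    for ch, esc in (("*", r"\2a"), ("(", r"\28"), (")", r"\29"), ("\x00", r"\00")):
        value = value.replace(ch, esc)
    return value

def render_user_filter(template: str, username: str) -> str:
    """Expand %(user)s as django-auth-ldap's filter_format does: the login name is escaped, not pasted in."""
    return template % {"user": escape_filter_value(username)}

def check_settings(s: dict) -> list:
    """Return the problems found; an empty list means the settings are internally consistent."""
    problems = []
    if not re.fullmatch(r"ldaps?://[^/\s]+", s["AUTH_LDAP_SERVER_URI"]):
        problems.append("server URI must be ldap:// or ldaps:// followed by host[:port]")
    for key in ("AUTH_LDAP_USER_SEARCH", "AUTH_LDAP_GROUP_SEARCH"):
        base, scope, _ = s[key]
        if not base.lower().endswith(BASE_DN):
            problems.append(f"{key}: base {base!r} lies outside the suffix {BASE_DN}")
        if scope not in VALID_SCOPES:
            problems.append(f"{key}: unknown scope {scope!r}")
    if "%(user)s" not in s["AUTH_LDAP_USER_SEARCH"][2]:
        problems.append("user search filter must contain %(user)s")
    if s.get("AUTH_LDAP_REQUIRE_GROUP") and not s["AUTH_LDAP_REQUIRE_GROUP"].lower().endswith(BASE_DN):
        problems.append("required group DN lies outside the suffix")
    return problems
```

`check_settings(AWX_LDAP_SETTINGS)` returns an empty list for the values above, and `render_user_filter` shows that a login name containing filter metacharacters cannot change the query.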