From owner-FreeBSD-users-jp@jp.FreeBSD.org Thu Dec 27 16:41:45 2007
Received: (from daemon@localhost)
	by castle.jp.FreeBSD.org (8.11.6p2+3.4W/8.11.3) id lBR7fjI82356;
	Thu, 27 Dec 2007 16:41:45 +0900 (JST)
	(envelope-from owner-FreeBSD-users-jp@jp.FreeBSD.org)
Received: from iscan2.sys.hokudai.ac.jp (iscan2.sys.hokudai.ac.jp [133.87.1.97])
	by castle.jp.FreeBSD.org (8.11.6p2+3.4W/8.11.3) with ESMTP/inet id lBR7fj682327
	for <FreeBSD-users-jp@jp.FreeBSD.org>; Thu, 27 Dec 2007 16:41:45 +0900 (JST)
	(envelope-from reo@iic.hokudai.ac.jp)
Received: from iscan2.sys.hokudai.ac.jp (localhost [127.0.0.1])
	by localhost.sys.hokudai.ac.jp (Postfix) with ESMTP id E86FA2930
	for <FreeBSD-users-jp@jp.FreeBSD.org>; Thu, 27 Dec 2007 16:41:39 +0900 (JST)
Received: from genki01.cc.hokudai.ac.jp (genki01.cc.hokudai.ac.jp [133.87.2.41])
	by iscan2.sys.hokudai.ac.jp (Postfix) with ESMTP id D1103292E
	for <FreeBSD-users-jp@jp.FreeBSD.org>; Thu, 27 Dec 2007 16:41:39 +0900 (JST)
Received: from bareares.cc.hokudai.ac.jp (bareares.cc.hokudai.ac.jp [133.87.2.22])
	by genki01.cc.hokudai.ac.jp (Postfix) with ESMTP id A528E67649
	for <FreeBSD-users-jp@jp.FreeBSD.org>; Thu, 27 Dec 2007 16:41:36 +0900 (JST)
Message-ID: <864pe4d1ov.wl%reo@iic.hokudai.ac.jp>
From: Hiroki Kashiwazaki <reo@iic.hokudai.ac.jp>
To: FreeBSD-users-jp@jp.FreeBSD.org
User-Agent: Wanderlust/2.14.0 (Africa) SEMI/1.14.6
 (=?ISO-2022-JP?B?GyRCNF0yLBsoQg==?=) FLIM/1.14.8
 (=?ISO-2022-JP?B?GyRCO00+chsoQg==?=) APEL/10.7 Emacs/22.1 (i386-pc-freebsd)
 MULE/5.0 (=?ISO-2022-JP?B?GyRCOC1MWhsoQg==?=)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - =?ISO-2022-JP?B?IhskQjRdGyhC?=
 =?ISO-2022-JP?B?GyRCMiwbKEIi?=)
Content-Type: text/plain; charset=ISO-2022-JP
Reply-To: FreeBSD-users-jp@jp.FreeBSD.org
Precedence: list
Date: Thu, 27 Dec 2007 16:41:36 +0900
X-Sequence: FreeBSD-users-jp 91311
Subject: [FreeBSD-users-jp 91311] [Q] nss_ldap, pam_ldap
Sender: owner-FreeBSD-users-jp@jp.FreeBSD.org
X-Originator: reo@iic.hokudai.ac.jp
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+060209

$BGp:j!wKLBg$G$9!%(B

$B$I$&$K$b$I$s$E$^$j$K$J$C$F$7$^$C$?$N$G<ALd$5$;$F2<$5$$!%(B

$B#87n$0$i$$$K(B jail $B4V$NG'>ZE}9g$G(B ldap $B;H$&$Y$-$+$J!<!$$_$?$$$J<ALd$r(B
$BEj$2$5$;$F$b$i$$$^$7$F!$:#:"$K$J$C$F=E$$9x$r>e$2$F:n6H$r3+;O$7$F$_$^(B
$B$7$?$H$3$m!$$I$&$K$bG'>Z$NE}9g$,=PMh$J$/$FG:$s$G$*$j$^$9!%(B

$B9=@.$O0J2<$N$h$&$J46$8$G!$(Bhost $B%^%7%s$K(B jail $B$,$8$c$i$8$c$i;0$D$[$I(B
$B$V$i$5$,$C$F$*$j!$(Bhost $B$O(B jail (ldap) $B$H(B nss $B$H(B PAM $B$G$NG'>ZE}9g$r$7(B
$B$F$$$F2TF/$7$F$$$^$9!%(B

+ host 133.87.X.Y & 192.168.0.1
    +--- jail (ldap) 192.168.0.22,  base=hoge
    +--- jail (mail) 192.168.0.21
    +--- jail (www)  192.168.0.20

$B$G!$(Bjail (mail) $B$b(B jail (ldap)$B$HO"7H$7$FG'>ZE}9g$7$?$$$J$H9M$($^$7$F!$(B
jail (mail) $B$G0J2<$N$h$&$J<j=g$rF'$_$^$7$?(B

1. ports $B$+$i(B security/pam_ldap $B$H(B net/nss_ldap $B$r%$%s%9%H!<%k(B
   (security/pam_ldap $B$N%$%s%9%H!<%k$G(B net/openldap23-client $B$b%$%s(B
    $B%9%H!<%k$5$l$k!%(B)

2. /usr/local/etc $B0J2<$K%$%s%9%H!<%k$5$l$?(B ldap.conf.dist $B$+$i(B
   /usr/local/etc/ldap.conf $B$r:n$j!$$5$i$K(B nss_ldap.conf $B$X$N%7%s%\(B
   $B%j%C%/%j%s%/$rD%$k!%(B
   ldap.conf $B$NFbMF$GDI2C2U=j$O0J2<$NDL$j(B

     host 192.168.0.22
     base hoge
     
     pam_filter objectclass=posixAccount

3. Change the contents of /etc/nsswitch.conf
     group: compat
     group_compat: nis
     hosts: files dns
     networks: files
     passwd: compat
     passwd_compat: ldap
     shells: files

4. Change the contents of /etc/passwd and /etc/group
     append +:*::::: and +:*:: respectively at the end


$B$G!$(Bid reo $B$H$+$7$^$9$H(B

  mail# id reo
  id: reo: no such user

that is what I get. The response comes back immediately.
Incidentally, on the other hosts:

  ldap# id reo
  uid=1001(reo) gid=0(wheel) groups=0(wheel)

  host% id reo
  uid=1001(reo) gid=0(wheel) groups=0(wheel)

$B$H$$$C$?6q9g$G!$(Bldap $B%5!<%PK\BN$+$i$O@\B32DG=!$%[%9%H$+$i$b@\B32DG=!%(B
pf $B$N@_Dj$GDL?.$,$&$^$/$$$C$F$$$J$$$N$+$H$b;W$C$?$N$G$9$,!$(B

   mail# telnet 192.168.0.22 389
   Trying 192.168.0.22...
   Connected to 192.168.0.22.
   Escape character is '^]'.
   ^]
   telnet> quit
   Connection closed.
   mail# ldapsearch -h 192.168.0.22
   # extended LDIF
   #
   # LDAPv3
   # base <> with scope subtree
   # filter: (objectclass=*)
   # requesting: ALL
   #
   
   # search result
   search: 2
   result: 32 No such object
   
   # numResponses: 1

$B$H$$$C$?>uBV$GDL?.$O2DG=$J$h$&$G$9!%(B

$BDs<($7$F$$$k>pJs$,$+$J$j;uH4$1$J46$8$b$"$j$^$9$,!$$3$s$J>uBV$G3'MM$K(B
$B$*$+$l$^$7$F$O$I$N$h$&$J!V<!$O$3$3$rD4$Y$k!W$H$$$&0l<j$rBG$?$l$^$9$G(B
$B$7$g$&$+!%>pJs$r$*4s$;D:$1$l$P9,$$$G$9!%(B/var/log/debug $B$+$J$"!%(B

-- 
$BGp:j(B $BNi@8(B (Hiroki Kashiwazaki)@HUIST
Assistant Professor @ Graduate School of Information Science and
Technology, Hokkaido University
mailto:reo@iic.hokudai.ac.jp
Tel:+81-11-706-2056 (Office), +81-11-706-2998 (Takai Lab.)
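As an added example (not the poster's code, and not anything shipped with the nss_ldap or pam_ldap ports), here is a POSIX sh script that walks the client-side chain set up in steps 2 through 4 above and flags any database whose lookups can never reach the ldap source, then offers the two live probes one would run next: an ldapsearch with the base and filter taken from ldap.conf, and getent through NSS. The file paths, the sample configuration it writes and the user name reo are taken from the post; the function names, the attribute list asked for and the trimmed sample files are the example's own assumptions.

```shell
#!/bin/sh
# nss_ldap_check.sh: sanity-check the client side of the nss_ldap/pam_ldap setup
# from the post. Added example, not the poster's code. Assumes the post's file
# layout (/usr/local/etc/ldap.conf for pam_ldap, nss_ldap.conf symlinked to it,
# /etc/nsswitch.conf, /etc/passwd, /etc/group) and the openldap client tools.

# Print the value of KEYWORD from a ldap.conf-style file ("keyword value").
conf_value() {  # conf_value FILE KEYWORD
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Print the sources nsswitch.conf lists for DATABASE (e.g. "files dns").
nss_source() {  # nss_source FILE DATABASE
    awk -v db="$2:" '$1 == db { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Build the search filter the client would use for USER: the pam_filter from
# ldap.conf AND'ed with uid=USER (just uid=USER when no pam_filter is set).
user_filter() {  # user_filter LDAP_CONF USER
    f=$(conf_value "$1" pam_filter)
    case $f in
        '')   echo "(uid=$2)" ;;
        "("*) echo "(&$f(uid=$2))" ;;
        *)    echo "(&($f)(uid=$2))" ;;
    esac
}

# Walk the chain the post configured in steps 2-4 and report anything that
# would keep a passwd or group lookup from ever reaching the ldap source.
# Prints one line per finding, then a summary line ending in problems=N.
check_client() {  # check_client LDAP_CONF NSSWITCH PASSWD GROUP
    ldapconf=$1 nsswitch=$2 pwfile=$3 grfile=$4 problems=0
    host=$(conf_value "$ldapconf" host)
    base=$(conf_value "$ldapconf" base)
    [ -n "$host" ] || { echo "$ldapconf: no 'host' line"; problems=$((problems + 1)); }
    [ -n "$base" ] || { echo "$ldapconf: no 'base' line"; problems=$((problems + 1)); }
    for db in passwd group; do
        if [ "$db" = passwd ]; then file=$pwfile; else file=$grfile; fi
        src=$(nss_source "$nsswitch" "$db")
        # In compat mode the '+' entries are handed to whatever <db>_compat names.
        case " $src " in
            *" compat "*) via=${db}_compat; route=$(nss_source "$nsswitch" "$via")
                          grep -q '^+:' "$file" || {
                              echo "$file: no '+' entry, so $db never consults $via"
                              problems=$((problems + 1)); } ;;
            *)            via=$db; route=$src ;;
        esac
        case " $route " in
            *" ldap "*) ;;
            *) echo "$nsswitch: $db lookups never reach ldap ($via: '$route')"
               problems=$((problems + 1)) ;;
        esac
    done
    echo "host=$host base=$base problems=$problems"
}

# Live probes for the next step: ask the directory for USER with the exact base
# and filter the client will use, then ask the C library through NSS. The
# post's ldapsearch ran with an empty base ("base <> with scope subtree"), so it
# only proved the port was open; -b passes the base from ldap.conf explicitly,
# and -x is the anonymous simple bind nss_ldap uses when no binddn is set.
live_check() {  # live_check LDAP_CONF USER
    host=$(conf_value "$1" host); base=$(conf_value "$1" base)
    filter=$(user_filter "$1" "$2")
    echo "== ldapsearch -x -h $host -b $base '$filter' dn uidNumber gidNumber"
    ldapsearch -x -h "$host" -b "$base" "$filter" dn uidNumber gidNumber
    echo "== getent passwd $2"
    getent passwd "$2"
}

# Constructed sample files reproducing the post's steps 2-4 (not real data);
# GROUP_COMPAT picks what group_compat points at (the post has "nis").
write_sample_configs() {  # write_sample_configs DIR GROUP_COMPAT
    printf 'host 192.168.0.22\nbase hoge\n\npam_filter objectclass=posixAccount\n' > "$1/ldap.conf"
    printf 'group: compat\ngroup_compat: %s\nhosts: files dns\nnetworks: files\n' "$2" > "$1/nsswitch.conf"
    printf 'passwd: compat\npasswd_compat: ldap\nshells: files\n' >> "$1/nsswitch.conf"
    printf 'root:*:0:0:Charlie &:/root:/bin/csh\n+:*:::::\n' > "$1/passwd"
    printf 'wheel:*:0:root\n+:*::\n' > "$1/group"
}

# Usage: sh nss_ldap_check.sh LDAP_CONF NSSWITCH PASSWD GROUP [USER]
if [ $# -ge 4 ]; then
    check_client "$1" "$2" "$3" "$4"
    if [ $# -ge 5 ]; then live_check "$1" "$5"; fi
fi
```

Run it inside the jail as `sh nss_ldap_check.sh /usr/local/etc/ldap.conf /etc/nsswitch.conf /etc/passwd /etc/group reo`. On the configuration as posted the static check reports one finding: group_compat still names nis, so the + entry in /etc/group sends group lookups to NIS rather than ldap. passwd_compat already points at ldap, so the failing passwd lookup itself is what the two live probes are meant to narrow down: if ldapsearch returns the entry under base hoge but getent does not, the problem is on the nss_ldap side (its config file or the library); if ldapsearch returns nothing, it is the base, the filter or the directory content.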
