# LSAP HW3 b13705029 蔡冠毅

## LDAP directory service

### 1. Install Required Packages

1. Install slapd, and set the LDAP directory admin password when the configuration dialog prompts for it.
   ```
   sudo apt install slapd ldap-utils -y
   ```

### 2. Initial Configuration

1. Reconfigure the server.
   ```
   sudo dpkg-reconfigure slapd
   # Answers to the prompts:
   Omit OpenLDAP server configuration? <No>
   DNS domain name: im.ntu.edu.tw
   Organization name: b13705029
   Administrator password: <your chosen password>
   Remove database when slapd is purged? <No>
   Move old database? <Yes>
   ```
   ![image](https://hackmd.io/_uploads/ByqEos20gg.png)

### 3. Create Organizational Units

1. Create `base.ldif` under `/etc/ldap/slapd.d` with the following content:
   ```
   dn: ou=People,dc=im,dc=ntu,dc=edu,dc=tw
   objectClass: organizationalUnit
   ou: People

   dn: ou=Groups,dc=im,dc=ntu,dc=edu,dc=tw
   objectClass: organizationalUnit
   ou: Groups
   ```
2. Import it with `sudo ldapadd -x -D "cn=admin,dc=im,dc=ntu,dc=edu,dc=tw" -W -f base.ldif`.
   ![image](https://hackmd.io/_uploads/r1kdson0ee.png)

### 4. Create Users and Groups

1. Create `user.ldif` under `/etc/ldap/slapd.d` with the following content:
   ```
   dn: uid=Kuan-Yi,ou=People,dc=im,dc=ntu,dc=edu,dc=tw
   objectClass: inetOrgPerson
   objectClass: posixAccount
   objectClass: shadowAccount
   cn: Kuan-Yi
   sn: Kuan-Yi
   uid: Kuan-Yi
   uidNumber: 1001
   gidNumber: 1001
   homeDirectory: /home/Kuan-Yi
   loginShell: /bin/bash
   userPassword: Kuan-Yi

   dn: uid=Tsai,ou=People,dc=im,dc=ntu,dc=edu,dc=tw
   objectClass: inetOrgPerson
   objectClass: posixAccount
   objectClass: shadowAccount
   cn: Tsai
   sn: Tsai
   uid: Tsai
   uidNumber: 1002
   gidNumber: 1001
   homeDirectory: /home/Tsai
   loginShell: /bin/bash
   userPassword: Tsai

   dn: uid=b13705029,ou=People,dc=im,dc=ntu,dc=edu,dc=tw
   objectClass: inetOrgPerson
   objectClass: posixAccount
   objectClass: shadowAccount
   cn: b13705029
   sn: b13705029
   uid: b13705029
   uidNumber: 1003
   gidNumber: 1002
   homeDirectory: /home/b13705029
   loginShell: /bin/bash
   userPassword: b13705029
   ```
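The `user.ldif` above stores every `userPassword` in cleartext, so anyone who can read the LDIF file or the directory backup gets the passwords directly. The script below is an added example (standard-library Python, not part of this report and not OpenLDAP's own tooling): it hashes such values into the `{SSHA}` scheme that `slappasswd` emits by default and that slapd accepts for simple binds, rewrites the LDIF before it is fed to `ldapadd`, and verifies a password against a stored hash. The embedded sample LDIF is a constructed copy of the first two entries above; `ssha_hash`, `ssha_verify`, `cleartext_password_dns` and `harden_ldif` are names chosen here.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample input: the first two user.ldif entries above, with cleartext passwords.
SAMPLE_USER_LDIF = """\
dn: uid=Kuan-Yi,ou=People,dc=im,dc=ntu,dc=edu,dc=tw
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: Kuan-Yi
sn: Kuan-Yi
uid: Kuan-Yi
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/Kuan-Yi
loginShell: /bin/bash
userPassword: Kuan-Yi

dn: uid=Tsai,ou=People,dc=im,dc=ntu,dc=edu,dc=tw
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: Tsai
sn: Tsai
uid: Tsai
uidNumber: 1002
gidNumber: 1001
homeDirectory: /home/Tsai
loginShell: /bin/bash
userPassword: Tsai
"""

SHA1_LEN = 20  # bytes of SHA-1 digest; everything after it in the decoded value is the salt
PW_PREFIX = "userPassword: "


def ssha_hash(password, salt=None):
    """Return a {SSHA} value: base64(sha1(password || salt) || salt), the layout slappasswd uses."""
    if salt is None:
        salt = os.urandom(8)  # slappasswd uses 4 random bytes; any length is accepted
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a password against a stored {SSHA} value with a constant-time comparison."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def cleartext_password_dns(ldif_text):
    """Return the DNs of entries whose userPassword carries no {scheme} prefix."""
    found, current_dn = [], None
    for line in ldif_text.splitlines():
        if line.startswith("dn: "):
            current_dn = line[4:]
        elif line.startswith(PW_PREFIX) and not line[len(PW_PREFIX):].startswith("{"):
            found.append(current_dn)
    return found


def harden_ldif(ldif_text):
    """Rewrite every cleartext userPassword line as an {SSHA} hash; all other lines pass through."""
    out = []
    for line in ldif_text.splitlines():
        if line.startswith(PW_PREFIX) and not line[len(PW_PREFIX):].startswith("{"):
            out.append(PW_PREFIX + ssha_hash(line[len(PW_PREFIX):]))
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    hardened = harden_ldif(SAMPLE_USER_LDIF)
    print(hardened)
    print("entries still holding cleartext:", cleartext_password_dns(hardened))
```

The rewritten file is imported with the same `ldapadd` command as before; slapd recognises the `{SSHA}` prefix and compares against it on bind. Hashing only protects the stored value: a simple bind still sends the password itself, which is why the LDAPS setup in section 8 matters as well.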
2. Create `group.ldif` under `/etc/ldap/slapd.d` with the following content:
   ```
   dn: cn=eng,ou=Groups,dc=im,dc=ntu,dc=edu,dc=tw
   objectClass: top
   objectClass: posixGroup
   cn: eng
   gidNumber: 1001
   memberUid: Kuan-Yi
   memberUid: Tsai

   dn: cn=intern,ou=Groups,dc=im,dc=ntu,dc=edu,dc=tw
   objectClass: top
   objectClass: posixGroup
   cn: intern
   gidNumber: 1002
   memberUid: b13705029
   ```
3. Import both files.
   ```
   sudo ldapadd -x -D "cn=admin,dc=im,dc=ntu,dc=edu,dc=tw" -W -f user.ldif
   sudo ldapadd -x -D "cn=admin,dc=im,dc=ntu,dc=edu,dc=tw" -W -f group.ldif
   ```
   ![image](https://hackmd.io/_uploads/rJLknsn0lx.png)
   ![image](https://hackmd.io/_uploads/rkWZno3Ree.png)

### 5. Generate a Certificate Authority (CA)

1. Create the CA.
   ```
   sudo mkdir -p /etc/ssl/ldap
   cd /etc/ssl/ldap
   # Create the CA private key
   sudo openssl genrsa -out ca.key 4096
   # Create the CA certificate, valid for 10 years
   sudo openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.crt -subj "/C=TW/ST=Taiwan/L=Taipei/O=IMLDAP/OU=CA/CN=im-ca"
   ```
   ![image](https://hackmd.io/_uploads/H12G2ohCgx.png)

### 6. Generate Server Key & CSR

1. Generate the key and CSR from `san.cnf`, whose content is:
   ```
   # Create san.cnf under /etc/ssl/ldap/
   [ req ]
   default_bits = 4096
   prompt = no
   default_md = sha256
   req_extensions = req_ext
   distinguished_name = dn

   [ dn ]
   C = TW
   ST = Taiwan
   L = Taipei
   O = IMLDAP
   OU = Server
   CN = lsap2.lu.im.ntu.edu.tw

   [ req_ext ]
   subjectAltName = @alt_names

   [ alt_names ]
   DNS.1 = lsap2.lu.im.ntu.edu.tw
   DNS.2 = vm01
   ```
2. Generate the key and CSR.
   ```
   # Create the server private key that the CSR is built from
   sudo openssl genrsa -out server.key 4096
   sudo openssl req -new -key server.key -out server.csr -config /etc/ssl/ldap/san.cnf
   ```
   ![image](https://hackmd.io/_uploads/B1sNhi2Rge.png)

### 7. Sign the Server Certificate

1. Issue the certificate.
   ```
   # -extfile/-extensions carry the subjectAltName from san.cnf into the certificate;
   # `x509 -req` does not copy extensions from the CSR on its own
   sudo openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 3650 -sha256 -extfile /etc/ssl/ldap/san.cnf -extensions req_ext
   ```
   ![image](https://hackmd.io/_uploads/r1EOho2Agx.png)

### 8. Enable LDAPS and Trust Your CA Locally

1. First adjust the permissions so that openldap can read the files.
   ```
   sudo chown -R openldap:openldap /etc/ssl/ldap
   sudo chmod 600 /etc/ssl/ldap/server.key
   ```
2. Use an LDIF file to make slapd use `server.crt`, `server.key` and `ca.crt`.
   ```
   sudo nano /etc/ssl/ldap/ssl-config.ldif
   # Content:
   dn: cn=config
   changetype: modify
   add: olcTLSCACertificateFile
   olcTLSCACertificateFile: /etc/ssl/ldap/ca.crt
   -
   add: olcTLSCertificateFile
   olcTLSCertificateFile: /etc/ssl/ldap/server.crt
   -
   add: olcTLSCertificateKeyFile
   olcTLSCertificateKeyFile: /etc/ssl/ldap/server.key
   ```
3. Apply the change.
   ```
   sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ssl/ldap/ssl-config.ldif
   ```
4. Enable LDAPS.
   ```
   sudo nano /etc/default/slapd
   # Change SLAPD_SERVICES to:
   SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"
   ```
5. Restart the slapd service.
   ```
   sudo systemctl restart slapd
   ```
6. Make the system trust my CA.
   ```
   sudo cp /etc/ssl/ldap/ca.crt /usr/local/share/ca-certificates/myldapCA.crt
   sudo update-ca-certificates
   ```
   ![image](https://hackmd.io/_uploads/SkGcnjh0ee.png)

### 9. GUI Verification (Apache Directory Studio)

1. Install Apache Directory Studio from https://directory.apache.org/studio/downloads.html.
2. Download Java from https://www.oracle.com/java/technologies/downloads/ and edit `ApacheDirectoryStudio.ini`.
   ```
   # Uncomment the following two lines and change the path to the bin directory of the Java installed in step 1
   -vm
   C:\Program Files\Java\jdk-25\bin
   ```
3. Open Apache Directory Studio.
   ```
   Choose LDAP in the top menu and create a New Connection:
   Connection name: IM LDAP
   Hostname: lsap2.lu.im.ntu.edu.tw
   Port: 63633
   Encryption method: Use SSL encryption (ldaps://)
   Click "Check Network Parameter"; once it reports Connection successful, continue to the next step.
   ```
4. Authenticate.
   ```
   Bind DN or user: cn=admin,dc=im,dc=ntu,dc=edu,dc=tw
   Bind password: <the password I set during dpkg-reconfigure slapd>
   Authentication method: Simple
   Click "Check Authentication"; a success message means everything is working.
   ```
   ![Screenshot 2025-10-27 154554](https://hackmd.io/_uploads/SkNfRs3Rxg.png)

## Custom APT Repository

1. Install the required packages.
   ```
   sudo apt update
   sudo apt install -y build-essential gcc g++ make cmake
   sudo apt install -y debhelper devscripts dh-make
   sudo apt install -y dpkg-dev apt-utils gnupg2
   ```
2. Build the file structure as follows (the contents of each file are in the attachments).
   ```
   ~/b13705029-image-processing/
   ├── src/
   │   └── gaussian_blur.cpp       # main program
   ├── debian/
   │   ├── control                 # Package metadata
   │   ├── rules                   # Build rules
   │   ├── changelog               # Version history
   │   └── compat                  # Debhelper compatibility level
   └── Makefile                    # Build instructions

   # Note: rules must be executable
   chmod +x debian/rules
   ```
3. Generate a GPG key.
   ```
   gpg --full-generate-key
   # Choose: (1) RSA and RSA, 4096 bits, no expiration
   # Show the key ID
   gpg --list-secret-keys --keyid-format=long
   gpg --armor --export <my e-mail address> > ~/imcorp-repo-key.gpg
   ```
4. Build the deb package.
   ```
   cd ~/b13705029-image-processing/
   dpkg-buildpackage -us -uc -b
   ```
5. Set up the custom APT repository.
   ```
   sudo apt install -y reprepro
   mkdir -p ~/imcorp-repo/conf
   GPG_KEY_ID=$(gpg --list-secret-keys --keyid-format=long | grep sec | awk '{print $2}' | cut -d'/' -f2 | head -n1)
   echo "Your GPG Key ID: $GPG_KEY_ID"
   cat > ~/imcorp-repo/conf/distributions <<EOF
   Origin: IM Corp
   Label: IM Corp Repository
   Codename: stable
   Architectures: amd64 arm64 i386
   Components: main
   Description: IM Corp Custom APT Repository
   SignWith: $GPG_KEY_ID
   EOF
   ```
6. Add the package to the repository.
   ```
   # Adjust ownership
   sudo chown -R $USER:$USER ~/imcorp-repo
   cd ~/imcorp-repo
   reprepro includedeb stable ~/b13705029-image-processing_1.0.0_*.deb
   ```
7. Export and install the GPG key.
   ```
   chmod 755 ~
   chmod -R 755 ~/imcorp-repo
   gpg --armor --export $GPG_KEY_ID > ~/imcorp-repo/imcorp-key.gpg
   sudo mkdir -p /usr/share/keyrings
   # The redirection is performed by the unprivileged shell, not by sudo, so write the keyring through tee
   gpg --dearmor < ~/imcorp-repo/imcorp-key.gpg | sudo tee /usr/share/keyrings/imcorp-archive-keyring.gpg > /dev/null
   ```
8. Add the local repository to the APT sources and install the package.
   ```
   echo "deb [signed-by=/usr/share/keyrings/imcorp-archive-keyring.gpg] file://$HOME/imcorp-repo stable main" | sudo tee /etc/apt/sources.list.d/imcorp.list
   sudo apt update
   sudo apt install b13705029-image-processing
   ```

Run `b13705029-blur --help`:
![image](https://hackmd.io/_uploads/H1dXM6hCgg.png)
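The `signed-by=` keyring in step 8 lets apt verify the signature that `SignWith:` makes reprepro put on the `Release` file; from there, trust flows down a hash chain: `Release` records the SHA256 of `Packages`, and `Packages` records the SHA256 of each `.deb`. The script below is an added example, not part of this report and not apt's or reprepro's own code: it rebuilds that hash-chain check in standard-library Python over a throwaway repository it writes to a temporary directory, then shows which file is flagged when the `.deb` or the `Packages` index is altered after the index was generated. The `.deb` is a constructed placeholder (a few bytes under the package's file name, not the real build), the gpg signature step itself is left to gpg, and `parse_release_sha256`, `parse_packages`, `verify_release_hashes`, `verify_pool`, `build_demo_repo` and `demo` are names chosen here.

```python
import hashlib
import os
import shutil
import tempfile

CODENAME = "stable"  # same codename as the distributions file above
# Constructed placeholder: the .deb's expected name, but the bytes are not a real package
DEB_REL = "pool/main/b/b13705029-image-processing/b13705029-image-processing_1.0.0_amd64.deb"
DEB_BYTES = b"!<arch>\nplaceholder bytes standing in for the real .deb\n"
PACKAGES_REL = "main/binary-amd64/Packages"  # as listed in Release, relative to dists/<codename>/


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def parse_release_sha256(release_text):
    """Map path -> (sha256, size) from the 'SHA256:' section of a Release file."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if not line.startswith(" "):  # any new top-level field ends the hash section
            in_section = line.strip() == "SHA256:"
            continue
        if in_section and len(line.split()) == 3:
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries


def parse_packages(packages_text):
    """Split a Packages file into stanzas (one dict of field -> value per package)."""
    stanzas, current = [], {}
    for line in packages_text.splitlines():
        if not line.strip():
            if current:
                stanzas.append(current)
                current = {}
        elif ":" in line and not line.startswith(" "):
            key, value = line.split(":", 1)
            current[key] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def mismatches(base_dir, expected):
    """expected: {relative_path: (sha256, size)}; return paths that are missing, resized or altered."""
    bad = []
    for rel, (digest, size) in expected.items():
        try:
            with open(os.path.join(base_dir, rel), "rb") as fh:
                data = fh.read()
        except OSError:
            bad.append(rel)
            continue
        if len(data) != size or sha256_hex(data) != digest:
            bad.append(rel)
    return bad


def verify_release_hashes(repo_root):
    """Link 1 of the chain: every file listed in dists/<codename>/Release matches its recorded hash."""
    dist_dir = os.path.join(repo_root, "dists", CODENAME)
    with open(os.path.join(dist_dir, "Release")) as fh:
        return mismatches(dist_dir, parse_release_sha256(fh.read()))


def verify_pool(repo_root):
    """Link 2 of the chain: every .deb matches the Filename/Size/SHA256 recorded in Packages."""
    with open(os.path.join(repo_root, "dists", CODENAME, PACKAGES_REL)) as fh:
        stanzas = parse_packages(fh.read())
    expected = {s["Filename"]: (s["SHA256"], int(s["Size"])) for s in stanzas}
    return mismatches(repo_root, expected)


def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def build_demo_repo():
    """Write a minimal repository layout (without the gpg signature) into a temp directory."""
    root = tempfile.mkdtemp(prefix="imcorp-repo-")
    _write(root, DEB_REL, DEB_BYTES)
    packages = (
        "Package: b13705029-image-processing\nVersion: 1.0.0\nArchitecture: amd64\n"
        f"Filename: {DEB_REL}\nSize: {len(DEB_BYTES)}\nSHA256: {sha256_hex(DEB_BYTES)}\n\n"
    ).encode()
    _write(root, f"dists/{CODENAME}/{PACKAGES_REL}", packages)
    release = (
        f"Origin: IM Corp\nCodename: {CODENAME}\nArchitectures: amd64\nComponents: main\n"
        f"SHA256:\n {sha256_hex(packages)} {len(packages)} {PACKAGES_REL}\n"
    ).encode()
    _write(root, f"dists/{CODENAME}/Release", release)
    return root


def demo(tamper_rel=None):
    """Build the demo repo, optionally append a byte to one file, and run both links of the chain."""
    root = build_demo_repo()
    try:
        if tamper_rel:
            with open(os.path.join(root, tamper_rel), "ab") as fh:
                fh.write(b"\n")
        return verify_release_hashes(root), verify_pool(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print("intact:           ", demo())
    print("altered .deb:     ", demo(DEB_REL))
    print("altered Packages: ", demo(f"dists/{CODENAME}/{PACKAGES_REL}"))
```

Each `demo` call returns two lists of offending paths, one per link of the chain, so an intact repository yields `([], [])`. Appending to the `.deb` is caught by the `Packages` link while `Release` still checks out, and appending to `Packages` is caught by the `Release` link; that is the same separation apt relies on, which is why re-running `reprepro` (which regenerates and re-signs `Release`) is the only supported way to change a published package.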