Ldap
OpenLDAP monitor access ACL not working
I cannot retrieve monitor information from OpenLDAP running on CentOS 7. To set everything up, I followed the steps documented here:
$ cat module_monitor.ldif
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: {2}back_monitor

$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f module_monitor.ldif
Confirm that it worked:
$ sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=module{0},cn=config"
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <cn=module{0},cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# module{0}, config
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib64/openldap
olcModuleLoad: {0}memberof
olcModuleLoad: {1}refint
olcModuleLoad: {2}back_monitor
<...>
Next, add the monitor account:
$ cat cn_monitor.ldif
dn: cn=monitor,dc=company,dc=de
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: monitor
description: LDAP monitor
userPassword: {CRYPT}REDACTED

$ ldapadd -x -D "cn=admin,dc=company,dc=de" -W -f cn_monitor.ldif -ZZ -H ldap://openldap.internal.company.de
Finally, configure the ACL:
$ cat database_monitor.ldif
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=manager,dc=company,dc=de" read by * none

$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f database_monitor.ldif
Confirm that it worked:
$ sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b "olcDatabase={1}monitor,cn=config"
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <olcDatabase={1}monitor,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# {1}monitor, config
dn: olcDatabase={1}monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth" read by dn.base="cn=manager,dc=company,dc=de" read by * none
Now I can retrieve the monitor information via sudo using EXTERNAL authentication:
$ sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=monitor"
<...>
# numResponses: 67
# numEntries: 66
Unfortunately, I cannot achieve the same with the monitor user:
$ ldapsearch -D "cn=monitor,dc=company,dc=de" -H ldap://openldap.internal.company.de -W -ZZ -b "cn=monitor"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=monitor> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 3
result: 32 No such object

# numResponses: 1
What am I missing here?
Your access list does not include cn=monitor,dc=company,dc=de. Therefore the dn you are trying to use is caught by the "by * none" part of your olcAccess rule. (Without that clause, the same thing would happen implicitly rather than explicitly.) The following ldif should work as desired:
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=manager,dc=company,dc=de" read by dn.base="cn=monitor,dc=company,dc=de" read by * none
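The answer hinges on how slapd evaluates "by" clauses: for a matching "to" target it walks the clauses in order and stops at the first whose subject matches the bound DN, so a DN that matches nothing before "by * none" ends up with no access at all, and a clause appended after "by * none" is never reached. The following Python script is an added example, not part of the original question or answer, that simulates this first-match evaluation for the olcAccess values on this page. It is a deliberate simplification (only the "to *" target, the "*" subject and exact dn.base="..." subjects are handled; real slapd ACLs support many more forms), and the olcAccess strings and the bind DNs it checks are constructed from the values shown above.

```python
import re
from typing import List, Tuple

# slapd access levels, from least to most privileged (subset relevant here).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# One 'by <who> <level>' clause: subject is either '*' or dn.base="<dn>".
BY_CLAUSE = re.compile(r'by\s+(\*|dn\.base="([^"]*)")\s+(\w+)')


def parse_olcaccess(value: str) -> List[Tuple[str, str]]:
    """Parse '{n}to * by <who> <level> by <who> <level> ...' into an
    ordered list of (who, level). Order is preserved because slapd
    stops at the first matching clause."""
    body = re.sub(r"^\{\d+\}", "", value.strip())
    if not body.startswith("to * "):
        raise ValueError("this simulation only handles 'to *' targets")
    clauses = []
    for m in BY_CLAUSE.finditer(body):
        who = "*" if m.group(1) == "*" else m.group(2)
        level = m.group(3)
        if level not in LEVELS:
            raise ValueError(f"unknown access level {level!r}")
        clauses.append((who, level))
    return clauses


def normalize_dn(dn: str) -> str:
    """Crude DN normalisation for comparison: lowercase, strip spaces
    around ',' and '='. (slapd does full DN normalisation; this is
    enough for the DNs used in the question.)"""
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip().lower())


def effective_access(olcaccess: str, bind_dn: str) -> str:
    """Return the level the first matching clause grants to bind_dn,
    or 'none' when no clause matches (slapd's implicit default)."""
    target = normalize_dn(bind_dn)
    for who, level in parse_olcaccess(olcaccess):
        if who == "*" or normalize_dn(who) == target:
            return level
    return "none"


# Constructed from the question: the ACL before the fix ...
ACL_BEFORE = (
    '{0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read '
    'by dn.base="cn=manager,dc=company,dc=de" read by * none'
)
# ... the ACL from the answer, with cn=monitor inserted before 'by * none' ...
ACL_AFTER = (
    '{0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read '
    'by dn.base="cn=manager,dc=company,dc=de" read '
    'by dn.base="cn=monitor,dc=company,dc=de" read by * none'
)
# ... and a constructed mistake: the new clause placed after 'by * none'.
ACL_MISORDERED = (
    '{0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read '
    'by dn.base="cn=manager,dc=company,dc=de" read by * none '
    'by dn.base="cn=monitor,dc=company,dc=de" read'
)

MONITOR_DN = "cn=monitor,dc=company,dc=de"
ROOT_PEERCRED_DN = "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"

if __name__ == "__main__":
    for label, acl in [("before", ACL_BEFORE), ("after", ACL_AFTER), ("misordered", ACL_MISORDERED)]:
        print(f"{label:>10}: monitor -> {effective_access(acl, MONITOR_DN)}, "
              f"root via ldapi -> {effective_access(acl, ROOT_PEERCRED_DN)}")
```

Running it shows the monitor DN getting "none" under the original ACL and "read" only when its clause precedes "by * none"; the misordered variant still yields "none", which is the usual reason an "obviously correct" added clause appears to have no effect. This also explains the "result: 32 No such object" in the question rather than an insufficient-access error: with no access to the base entry (not even the disclose level), slapd does not reveal that cn=monitor exists.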