Openldap

openldap為組添加acl

  • May 11, 2017

這是我在 ldap 上的第一天,我已經閱讀了這些操作指南和文章,但無法指出!

https://superuser.com/questions/1122329/ldapadd-gives-syntax-errors-with-openldap
https://serverfault.com/questions/356912/ldap-add-error-80-olcmoduleload-handler-exited-with-1/357018#357018
https://blog.netways.de/2012/01/27/openldap-2-4-x-und-die-acl/
http://www.openldap.org/doc/admin24/access-control.html

我喜歡通過動態配置在這個ldap版本上管理一個ldap地址簿

root@vm-ldap:/etc/ldap/schema# /usr/sbin/slapd -VV
@(#) $OpenLDAP: slapd  (Ubuntu) (May 11 2016 16:12:05) $
       buildd@lgw01-10:/build/openldap-mF7Kfq/openldap-2.4.42+dfsg/debian/build/servers/slapd

我想為一個組設置acl來管理以下結構中的聯繫人條目

組來管理地址簿

有人可以在這裡建議我如何通過 ldapmodify 和 ldif 設置 acl 嗎?

{0}config.ldif外觀_

{0}config.ldif
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 5851d624
dn: olcDatabase={0}config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=extern
al,cn=auth manage by * break
structuralObjectClass: olcDatabaseConfig
entryUUID: 06453e7c-b46e-1036-893d-e97cab33d7b8
creatorsName: cn=config
createTimestamp: 20170413082206Z
entryCSN: 20170413082206.197889Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20170413082206Z

{1}mdb.ldif 是

# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 a5a00274
dn: olcDatabase={1}mdb
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * non
e
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to * by * read
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid eq
olcDbMaxSize: 1073741824
structuralObjectClass: olcMdbConfig
entryUUID: 06460820-b46e-1036-8945-e97cab33d7b8
creatorsName: cn=config
createTimestamp: 20170413082206Z
olcSuffix: dc=ac,dc=test
olcRootDN: cn=admin,dc=ac,dc=test
olcRootPW:: e1NTSEF9U1BXQXpDcVVPNERCbU15TkhGUXdtS3FVOHNFTUU0OW4=
entryCSN: 20170413092314.034244Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20170413092314Z

更新 1

昨天我用 memberOF 的錯誤配置破壞了數據庫

更新 2

然後我嘗試了

add olcAccess:
{3}to dn.subtree="ou=ab,l=ac,ou=ac-corp,dc=ac,dc=lan"
            by group(s)/groupOfNames/member="cn=ab-edit,ou=groups,dc=ac,dc=lan" manage

ldap_add: Object class violation (65)
       additional info: no objectClass attribute 

您不能ldapadd/ldapmodify僅具有屬性的 LDIF 文件。

在 LDIF 中,您必須指定:

  • 您要編輯的條目:dn: olcDatabase={1}mdb,cn=config
  • 您要執行的操作:changetype: modify
  • 針對哪個屬性以及如何:add: olcAccess
  • 這是價值:{3}to dn.subtree="ou=ab,l=ac,ou=ac-corp,dc=ac,dc=lan" by group(s)/groupOfNames/member="cn=ab-edit,ou=groups,dc=ac,dc=lan" manage

所以你應該嘗試的 LDIFldapmodify必須看起來像:

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {3}to dn.subtree="ou=ab,l=ac,ou=ac-corp,dc=ac,dc=lan"
by group(s)/groupOfNames/member="cn=ab-edit,ou=groups,dc=ac,dc=lan" manage

引用自:https://serverfault.com/questions/845462