Openldap
openldap add acl for group
This is my first day with ldap; I have read these how-tos and articles but can't figure it out!
https://superuser.com/questions/1122329/ldapadd-gives-syntax-errors-with-openldap
https://serverfault.com/questions/356912/ldap-add-error-80-olcmoduleload-handler-exited-with-1/357018#357018
https://blog.netways.de/2012/01/27/openldap-2-4-x-und-die-acl/
http://www.openldap.org/doc/admin24/access-control.html
I'd like to manage an ldap address book on this ldap version via dynamic configuration:
root@vm-ldap:/etc/ldap/schema# /usr/sbin/slapd -VV
@(#) $OpenLDAP: slapd (Ubuntu) (May 11 2016 16:12:05) $
	buildd@lgw01-10:/build/openldap-mF7Kfq/openldap-2.4.42+dfsg/debian/build/servers/slapd
I want to set an acl for a group to manage the contact entries in the following structure
Could someone suggest here how to set the acl via ldapmodify and an ldif?
{0}config.ldif looks like:
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 5851d624
dn: olcDatabase={0}config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
structuralObjectClass: olcDatabaseConfig
entryUUID: 06453e7c-b46e-1036-893d-e97cab33d7b8
creatorsName: cn=config
createTimestamp: 20170413082206Z
entryCSN: 20170413082206.197889Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20170413082206Z
{1}mdb.ldif is:
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 a5a00274
dn: olcDatabase={1}mdb
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to * by * read
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid eq
olcDbMaxSize: 1073741824
structuralObjectClass: olcMdbConfig
entryUUID: 06460820-b46e-1036-8945-e97cab33d7b8
creatorsName: cn=config
createTimestamp: 20170413082206Z
olcSuffix: dc=ac,dc=test
olcRootDN: cn=admin,dc=ac,dc=test
olcRootPW:: e1NTSEF9U1BXQXpDcVVPNERCbU15TkhGUXdtS3FVOHNFTUU0OW4=
entryCSN: 20170413092314.034244Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20170413092314Z
Update 1
Yesterday I broke the database with a wrong memberOf configuration.
Update 2
Then I tried
add olcAccess: {3}to dn.subtree="ou=ab,l=ac,ou=ac-corp,dc=ac,dc=lan" by group(s)/groupOfNames/member="cn=ab-edit,ou=groups,dc=ac,dc=lan" manage
and
ldap_add: Object class violation (65) additional info: no objectClass attribute
You can't ldapadd/ldapmodify an LDIF file that only has attributes. In an LDIF you must specify:
- the entry you want to edit:
dn: olcDatabase={1}mdb,cn=config
- the operation you want to perform:
changetype: modify
- on which attribute and how:
add: olcAccess
- and this is the value:
{3}to dn.subtree="ou=ab,l=ac,ou=ac-corp,dc=ac,dc=lan" by group(s)/groupOfNames/member="cn=ab-edit,ou=groups,dc=ac,dc=lan" manage
So the LDIF you should try with ldapmodify must look like:
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {3}to dn.subtree="ou=ab,l=ac,ou=ac-corp,dc=ac,dc=lan" by group(s)/groupOfNames/member="cn=ab-edit,ou=groups,dc=ac,dc=lan" manage
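As an added example (not from the question or the answer), a small stdlib-only Python script that builds this ldapmodify LDIF and shows why the {n} index matters: slapd evaluates olcAccess rules in order and stops at the first "to" clause that matches, so a rule appended as {3} after the existing "{2}to * by * read" would never be reached. It writes the group clause in the form the linked admin guide documents (group/groupOfNames/member=), and the trailing "by * read" is an assumption so that everyone else keeps the read access the catch-all rule granted.

```python
import re

# olcAccess values of olcDatabase={1}mdb from the question ({n} = ordering index).
CURRENT_OLC_ACCESS = [
    "{0}to attrs=userPassword by self write by anonymous auth by * none",
    "{1}to attrs=shadowLastChange by self write by * read",
    "{2}to * by * read",
]

# Rule the asker wants, with the group clause written as the linked admin
# guide documents it (group/<objectClass>/<memberAttr>). DNs are the
# question's; the trailing "by * read" is an assumption (keep read for others).
SUBTREE = "ou=ab,l=ac,ou=ac-corp,dc=ac,dc=lan"
GROUP_DN = "cn=ab-edit,ou=groups,dc=ac,dc=lan"
NEW_RULE = (f'to dn.subtree="{SUBTREE}" '
            f'by group/groupOfNames/member="{GROUP_DN}" manage '
            f'by * read')

_IDX = re.compile(r"^\{(\d+)\}(.*)$")

def split_index(value):
    """'{2}to * by * read' -> (2, 'to * by * read')"""
    m = _IDX.match(value)
    return int(m.group(1)), m.group(2)

def first_catch_all(values):
    """Position of the first 'to *' rule; slapd stops at the first matching
    'to' clause, so any rule placed after it is never evaluated."""
    for value in values:
        idx, rule = split_index(value)
        if rule.startswith("to * "):
            return idx
    return len(values)

def insert_rule(values, rule, at):
    """Simulate 'add: olcAccess' with an index that already exists: the new
    value takes position 'at' and the later values shift up by one."""
    rules = [split_index(v)[1] for v in values]
    rules.insert(at, rule)
    return [f"{{{i}}}{r}" for i, r in enumerate(rules)]

def build_ldif(values, rule):
    """ldapmodify LDIF that inserts the rule just before the catch-all."""
    at = first_catch_all(values)
    return (f"dn: olcDatabase={{1}}mdb,cn=config\nchangetype: modify\n"
            f"add: olcAccess\nolcAccess: {{{at}}}{rule}\n")

if __name__ == "__main__":
    print(build_ldif(CURRENT_OLC_ACCESS, NEW_RULE))
```

Save the output as acl.ldif and apply it with ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif, i.e. as the peercred identity that the {0}config rule above grants manage rights to.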