您的位置: 首页  >  技术问答  >  如何正确允许特定用户访问上的OpenLDAP

如何正确允许特定用户访问上的OpenLDAP

分类: 技术问答 2022-06-07 18:27:11
问题描述:

我一直想这个DLIF适用于我的OpenLDAP服务器更新记录:如何正确允许特定用户访问上的OpenLDAP

$ cat acl.ldif 
dn: olcDatabase={1}hdb,cn=config 
changetype: modify 
add: olcAccess 
olcAccess: {3}to dn.exact="cn=ldap-city-thedomain-com,dc=repl,dc=thedomain,dc=com" attrs="ipServicePort,description" by dn="[email protected],ou=people,dc=thedomain,dc=com" write by * read

我相信这应该允许与DN用户:"[email protected],ou=people,dc=thedomain,dc=com"更新属性ipServicePort和描述上"cn=ldap-city-thedomain-com,dc=repl,dc=thedomain,dc=com"

这似乎罚款适用于:

$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif 
SASL/EXTERNAL authentication started 
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth 
SASL SSF: 0 
modifying entry "olcDatabase={1}hdb,cn=config"

当我搜索它,我可以找到我的更新Ë n尝试:

$ sudo ldapsearch -Y EXTERNAL -H ldapi:// -b cn=config 'olcDatabase={1}hdb' 
SASL/EXTERNAL authentication started 
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth 
SASL SSF: 0 
# extended LDIF 
# 
# LDAPv3 
# base <cn=config> with scope subtree 
# filter: olcDatabase={1}hdb 
# requesting: ALL 
# 
# {1}hdb, config 
dn: olcDatabase={1}hdb,cn=config 
objectClass: olcDatabaseConfig 
objectClass: olcHdbConfig 
olcDatabase: {1}hdb 
olcDbDirectory: /var/lib/ldap 
olcSuffix: dc=thedomain,dc=com 
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymou 
s auth by dn="cn=admin,dc=domain,dc=ie,dc=aws,dc=thedomain,dc=net" write by * n 
one 
olcAccess: {1}to dn.base="" by * read 
olcAccess: {2}to * by dn="cn=admin,dc=domain,dc=ie,dc=aws,dc=thedomain,dc=net" w 
rite by * read 
olcAccess: {3}to dn.exact="cn=ldap-city-thedomain-com,dc=repl,dc=thedomain, 
dc=com" attrs="ipServicePort,description" by dn="[email protected],ou=p 
eople,dc=thedomain,dc=com" write by * read 
olcLastMod: TRUE 
olcRootDN: cn=admin,dc=thedomain,dc=com 
olcRootPW: {SSHA}HASHEDPW 
olcSyncrepl: {0}rid=003 provider=ldap://ldap.city.thedomain.com binddn="cn 
=admin,dc=thedomain,dc=com" bindmethod=simple credentials=Cju8MJZhegnEgKp2nU s 
earchbase="dc=thedomain,dc=com" type=refreshAndPersist interval=00:00:00:10 re 
try="5 5 300 5" timeout=1 
olcSyncrepl: {1}rid=004 provider=ldap://ldap1.domain.ie.aws.thedomain.net binddn 
="cn=admin,dc=thedomain,dc=com" bindmethod=simple credentials=Cju8MJZhegnEgKp2 
nU searchbase="dc=thedomain,dc=com" type=refreshAndPersist interval=00:00:00:1 
0 retry="5 5 300 5" timeout=1 
olcMirrorMode: TRUE 
olcDbCheckpoint: 512 30 
olcDbConfig: {0}set_cachesize 0 2097152 0 
olcDbConfig: {1}set_lk_max_objects 1500 
olcDbConfig: {2}set_lk_max_locks 1500 
olcDbConfig: {3}set_lk_max_lockers 1500 
olcDbIndex: objectClass eq 
olcDbIndex: entryCSN eq 
olcDbIndex: entryUUID eq 
# search result 
search: 2 
result: 0 Success 
# numResponses: 2 
# numEntries: 1

然而,当我尝试使用这些凭据来做出改变,它仍然失败:

$ cat /tmp/modify.ldif 
dn: cn=ldap-city-thedomain-com,dc=repl,dc=thedomain,dc=com 
changetype: modify 
replace: ipServicePort 
ipServicePort: 1485176342 

dn: cn=ldap-city-thedomain-com,dc=repl,dc=thedomain,dc=com 
changetype: modify 
replace: description 
description: Updated by ldap.city.thedomain.com on Mon Jan 23 12:59:02 UTC 2017

运行:

$ ldapmodify -H ldap://localhost -w PASSWORD -D "[email protected],ou=people,dc=thedomain,dc=com" -f /tmp/modify.ldif   
modifying entry "cn=ldap-city-thedomain-com,dc=repl,dc=thedomain,dc=com" 
ldap_modify: Insufficient access (50)

我也试图让我的ACL略少限制试图了解什么是不工作,我已经尝试了以下acl.ldif文件:

dn: olcDatabase={1}hdb,cn=config 
changetype: modify 
add: olcAccess 
olcAccess: {3}to dn="cn=ldap-city-thedomain-com,dc=repl,dc=thedomain,dc=com" attrs="ipServicePort,description" by dn="[email protected],ou=people,dc=thedomain,dc=com" write by * read

结果是一样的

dn: olcDatabase={1}hdb,cn=config 
changetype: modify 
add: olcAccess 
olcAccess: {3}to dn="cn=ldap-city-thedomain-com,dc=repl,dc=thedomain,dc=com" by dn="[email protected],ou=people,dc=thedomain,dc=com" write by * read

结果是一样的

dn: olcDatabase={1}hdb,cn=config 
changetype: modify 
add: olcAccess 
olcAccess: {3}to * by dn="[email protected],ou=people,dc=thedomain,dc=com" write by * read

结果是我没有尝试又是同一

的唯一的事情,我希望避免即使在测试期间,使db不安全,也是允许*写这个记录,或者*写入所有记录。

我已经采取了我想允许从Apache目录工作室,这说明我对编辑的记录的DN:

DN: cn=ldap-city-thedomain-com,dc=repl,dc=thedomain,dc=com

而且我的用户DN从相同的:

DN: [email protected],ou=people,dc=thedomain,dc=com

我确信我正在做一些明显愚蠢的事情,因为我对ldap的知识很差,阅读文档对我来说是痛苦的。我希望有人能够发现我的明显错误,并提出修正意见,因为经过大量小时的修补后,我无法看到自己做错了什么。

谢谢你在#openldap IRC中的JoBbZ。这是我的一个简单的误解。顺序在ACL规则中很重要。 LDAP将停止查看第一场比赛,所以我需要将我的olcAccess保存为2而不是3

相关推荐