I want to prevent users from accessing anything other than their own data.
I tried implementing the following simple ACL (LDIF):
dn: olcDatabase={1}mdb,cn=config
# changetype/replace added so that ldapmodify applies this as a replacement of the existing olcAccess values
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self write by self read by * none
olcAccess: {2}to * by self read by * none
When I apply this LDIF, I can no longer query (objectClass=posixAccount). If I change the last ACL to "to * by * read", the query returns all users.
What am I missing?
Answer 1
I found that in order to access records, one must have the "search" privilege. I changed the ACL to:
dn: olcDatabase={1}mdb,cn=config
# changetype/replace added so that ldapmodify applies this as a replacement of the existing olcAccess values
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self write by self read by * none
olcAccess: {2}to * by self read by * search
With this, I can query (objectClass=posixAccount) without other accounts being shown.
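Added example, not code from the question or the answer: a small Python model of how slapd evaluates the two olcAccess sets above (first matching "to" clause, then first matching "by" clause; "search" access is needed on the base entry and on every attribute a filter touches, "read" access on the entry pseudo-attribute to return a result). The directory contents, DNs and helper names are constructed for illustration.

```python
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def who_matches(who, binddn, entrydn):
    """<who> forms used on this page; binddn is None for an anonymous bind."""
    return {"*": True,
            "anonymous": binddn is None,
            "users": binddn is not None,
            "self": binddn is not None and binddn.lower() == entrydn.lower()}[who]

def access(acl, binddn, entrydn, attr):
    """First 'to' clause covering attr wins, then the first matching 'by' clause; default none."""
    for attrs, by_clauses in acl:
        if attrs is None or attr in attrs:          # None stands for 'to *'
            for who, level in by_clauses:
                if who_matches(who, binddn, entrydn):
                    return level
            return "none"                           # 'to' matched but no 'by' did: stop here
    return "none"

def has(acl, binddn, entrydn, attr, needed):
    return LEVELS.index(access(acl, binddn, entrydn, attr)) >= LEVELS.index(needed)

def ldap_search(acl, binddn, base, directory, attr, value):
    """Subtree search for (attr=value), returning {dn: readable attributes} as slapd would."""
    if not has(acl, binddn, base, "entry", "search"):
        return {}                                   # base not searchable: empty result
    found = {}
    for dn, entry in directory.items():
        if not dn.endswith(base):
            continue
        if value not in entry.get(attr, []) or not has(acl, binddn, dn, attr, "search"):
            continue                                # no match, or filter may not be evaluated
        if has(acl, binddn, dn, "entry", "read"):   # read on 'entry' needed to return it
            found[dn] = {a: v for a, v in entry.items() if has(acl, binddn, dn, a, "read")}
    return found

# The ACLs from the question and the answer: (attrs or None for '*', [(who, level), ...]).
PASSWORD_RULES = [({"userPassword"}, [("self", "write"), ("anonymous", "auth"), ("*", "none")]),
                  ({"shadowLastChange"}, [("self", "write"), ("self", "read"), ("*", "none")])]
ACL_QUESTION = PASSWORD_RULES + [(None, [("self", "read"), ("*", "none")])]
ACL_ANSWER = PASSWORD_RULES + [(None, [("self", "read"), ("*", "search")])]

BASE = "dc=example,dc=com"                          # constructed sample directory
ALICE, BOB = "uid=alice," + BASE, "uid=bob," + BASE
DIRECTORY = {
    BASE: {"objectClass": ["dcObject"]},
    ALICE: {"objectClass": ["posixAccount"], "uid": ["alice"], "userPassword": ["{SSHA}placeholder"]},
    BOB: {"objectClass": ["posixAccount"], "uid": ["bob"], "userPassword": ["{SSHA}placeholder"]},
}
```

Note that "*" also matches anonymous binds, so with the answer's ACL an unauthenticated client may evaluate filters (though it gets no entries back); "by users search" limits that to authenticated binds.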