LDAP password info update failed: Insufficient access (50)

This issue is similar to one asked before, but in this case it doesn't work. :(

So far I have set the ACLs up like this:

access to attrs=userPassword,shadowLastChange,shadowMin,shadowMax,shadowWarning,loginShell,shadowLastChange
    by anonymous auth
    by self write
    by users read 
    by * none

access to *
    by self write
    by users read
    by * none

I can change the password as root:

[root@sl6 openldap]# ldappasswd -D 'cn=root,dc=monzell,dc=com' -W -S 'uid=monzell,ou=People,dc=monzell,dc=com'
New password: 
Re-enter new password: 
Enter LDAP Password: 
[root@sl6 openldap]# 

But not as the user:

[root@sl6 openldap]# ldappasswd -D 'uid=monzell,ou=People,dc=monzell,dc=com' -W -S 'uid=monzell,ou=People,dc=monzell,dc=com'
New password: 
Re-enter new password: 
Enter LDAP Password: 
Result: Insufficient access (50)

By the way, this is my user schema:

# monzell, People, monzell.com
dn: uid=monzell,ou=People,dc=monzell,dc=com
uid: monzell
cn: monzell
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 15192
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 501
gidNumber: 501
homeDirectory: /home/users/monzell
userPassword:: (REDACTED)

And my base DN:

dn: dc=monzell,dc=com
dc: monzell
objectClass: top
objectClass: domain

dn: ou=People,dc=monzell,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=monzell,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

I am running Scientific Linux 6.1 with OpenLDAP 2.4.23-15.

(By the way, the setup is based on the page here.)

The log output for ldappasswd shows the following:

Aug 20 08:45:18 sl6 slapd[4634]: conn=1019 fd=24 ACCEPT from IP=127.0.0.1:50252 (IP=0.0.0.0:389)
Aug 20 08:45:18 sl6 slapd[4634]: conn=1019 op=0 BIND dn="uid=monzell,ou=People,dc=monzell,dc=com" method=128
Aug 20 08:45:18 sl6 slapd[4634]: conn=1019 op=0 BIND dn="uid=monzell,ou=People,dc=monzell,dc=com" mech=SIMPLE ssf=0
Aug 20 08:45:18 sl6 slapd[4634]: conn=1019 op=0 RESULT tag=97 err=0 text=
Aug 20 08:45:18 sl6 slapd[4634]: conn=1019 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.1
Aug 20 08:45:18 sl6 slapd[4634]: conn=1019 op=1 PASSMOD id="uid=monzell,ou=People,dc=monzell,dc=com" new
Aug 20 08:45:18 sl6 slapd[4634]: conn=1019 op=1 RESULT oid= err=50 text=
Aug 20 08:45:18 sl6 slapd[4634]: conn=1019 op=2 UNBIND
Aug 20 08:45:18 sl6 slapd[4634]: conn=1019 fd=24 closed

This is the config file:

include     /etc/openldap/schema/corba.schema
include     /etc/openldap/schema/core.schema
include     /etc/openldap/schema/cosine.schema
include     /etc/openldap/schema/duaconf.schema
include     /etc/openldap/schema/dyngroup.schema
include     /etc/openldap/schema/inetorgperson.schema
include     /etc/openldap/schema/java.schema
include     /etc/openldap/schema/misc.schema
include     /etc/openldap/schema/nis.schema
include     /etc/openldap/schema/openldap.schema
include     /etc/openldap/schema/ppolicy.schema
include     /etc/openldap/schema/collective.schema
pidfile     /var/run/openldap/slapd.pid
argsfile    /var/run/openldap/slapd.args
TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
TLSCertificateFile /etc/openldap/ssl/cert.crt
TLSCertificateKeyFile /etc/openldap/ssl/private.key
database    bdb
suffix "dc=monzell,dc=com"
checkpoint  1024 15
rootdn "cn=root,dc=monzell,dc=com"
rootpw <REDACTED>
directory   /var/lib/ldap
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
database monitor
access to attrs=userPassword 
 by self write
 by users read 
 by * none
access to *
 by self write
 by users read
 by * none

EDIT: Now this is interesting. When I set the log level to 128, I see the following in the log file:

Aug 20 12:27:54 sl6 slapd[2692]: /etc/openldap/slapd.conf: line 139: warning: cannot assess the validity of the ACL scope within backend naming context
Aug 20 12:27:54 sl6 slapd[2692]: /etc/openldap/slapd.conf: line 144: warning: cannot assess the validity of the ACL scope within backend naming context
Aug 20 12:27:54 sl6 slapd[2693]: config_back_db_open: line 0: warning: cannot assess the validity of the ACL scope within backend naming context
Aug 20 12:27:54 sl6 slapd[2693]: slapd starting

EDIT: When I try to reset the password, I see the following:

Aug 20 12:32:47 sl6 slapd[2868]: => access_allowed: result not in cache (userPassword)
Aug 20 12:32:47 sl6 slapd[2868]: => access_allowed: auth access to "uid=monzell,ou=People,dc=monzell,dc=com" "userPassword" requested
Aug 20 12:32:47 sl6 slapd[2868]: => slap_access_allowed: backend default auth access granted to "(anonymous)"
Aug 20 12:32:47 sl6 slapd[2868]: => access_allowed: auth access granted by read(=rscxd)
Aug 20 12:32:47 sl6 slapd[2868]: => access_allowed: backend default write access denied to "uid=monzell,ou=People,dc=monzell,dc=com"

Answer 1

I suggest you enable LDAP logging and look at it. On Red Hat based distributions you can do it as follows:

  1. Set the syslog facility:

    cat /etc/sysconfig/ldap 
    SLAPD_OPTIONS="-l local4"
    
  2. Specify the log file for OpenLDAP in /etc/syslog.conf:

    # OpenLDAP log
    local4.*            /var/log/ldap.log
    
  3. touch /var/log/ldap.log and restart syslogd

On other distributions, for the first step, just add -l local4 to the start() function in the init script.


EDIT

Set loglevel to 128 (ACL processing) and try again.


EDIT 2

    cannot assess the validity of the ACL scope within backend naming context

Put the ACLs before the backend context:

access to attrs=userPassword 
 by self write
 by users read 
 by * none
access to *
 by self write
 by users read
 by * none

database    bdb
suffix "dc=monzell,dc=com"
checkpoint  1024 15
rootdn "cn=root,dc=monzell,dc=com"
rootpw <REDACTED>
directory   /var/lib/ldap
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
database monitor
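
The scoping rule behind that warning is easy to get wrong by hand, so here is a small lint script, added for this thread and not code from the original post or from the OpenLDAP project. It parses a slapd.conf the way slapd scopes it (directives before the first `database` line are global, everything after a `database` line belongs to that backend), reports ACLs that ended up attached to the monitor backend, and checks whether a user bound as itself would get write access to userPassword on each data backend. The sample configs, suffix and rootdn inside it are constructed placeholders mirroring the thread; the first-match evaluation is a simplification of slapd.access(5) (no `dn.*` selectors, no `peername`, no `ssf` constraints).

```python
"""
Lint an OpenLDAP slapd.conf for ACL scope mistakes.

Added example for this thread (not code from the original post or from the
OpenLDAP project). slapd.conf is order-sensitive: an `access to` directive
belongs to the `database` section it appears in, and directives before the
first `database` line are global defaults. ACLs placed after `database
monitor` never reach the bdb suffix, which then falls back to slapd's built-in
default (`access to * by * read`), so a self-service password change is
refused with err=50 Insufficient access.
"""
import re
from dataclasses import dataclass, field

BY_RE = re.compile(r"\bby\s+(\S+)\s+(\S+)")


@dataclass
class Acl:
    line_no: int
    target: str                                   # text after "access to"
    clauses: list = field(default_factory=list)   # [(who, level), ...] in file order


def parse_slapd_conf(text):
    """Return [(scope, [Acl, ...]), ...]; scope is 'global' or the database line."""
    scopes = [("global", [])]
    current = None
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            # continuation line: "by ..." clauses of the open access directive
            if current is not None:
                current.clauses.extend(BY_RE.findall(raw))
            continue
        current = None
        parts = raw.split(None, 1)
        key = parts[0].lower()
        rest = parts[1].strip() if len(parts) > 1 else ""
        if key == "database":
            scopes.append((f"database {rest}", []))
        elif key == "access":
            head = re.split(r"\s+by\s+", rest, maxsplit=1)[0]
            current = Acl(n, re.sub(r"^to\s+", "", head).strip(), BY_RE.findall(rest))
            scopes[-1][1].append(current)
    return scopes


def matches_userpassword(acl):
    """True if the ACL's <what> clause covers the userPassword attribute."""
    target = acl.target.lower()
    if target == "*":
        return True
    m = re.search(r"attrs=(\S+)", target)
    return bool(m) and "userpassword" in m.group(1).split(",")


def grants_write(level):
    """slapd access levels: write/manage, or an explicit privilege list containing w."""
    return level in ("write", "manage") or (level[:1] in ("=", "+") and "w" in level)


def self_can_write_userpassword(effective):
    """First-match evaluation for a user bound as the entry it is modifying."""
    for acl in effective:
        if not matches_userpassword(acl):
            continue
        for who, level in acl.clauses:
            if who in ("self", "users", "*"):
                return grants_write(level)
        return False        # ACL matched but no <who> applies: implicit "by * none"
    return False            # nothing in scope: default is read-only


def lint(scopes):
    """Return human-readable findings for a parsed slapd.conf."""
    findings = []
    global_acls = scopes[0][1]
    for scope, acls in scopes[1:]:
        if "monitor" in scope.lower():
            if acls:
                lines = ", ".join(str(a.line_no) for a in acls)
                findings.append(f"{scope}: ACL(s) at line(s) {lines} are scoped to the "
                                "monitor backend and do not apply to the data suffix")
            continue
        effective = acls + global_acls     # per-database ACLs take precedence over global ones
        if not any(matches_userpassword(a) for a in effective):
            findings.append(f"{scope}: no userPassword ACL in scope, slapd's default is "
                            "read-only, so ldappasswd as the user fails with err=50")
        elif not self_can_write_userpassword(effective):
            findings.append(f"{scope}: first matching userPassword ACL does not grant self write")
    return findings


# Constructed configs mirroring the thread; suffix and rootdn are placeholders.
ACLS = ("access to attrs=userPassword\n by self write\n by users read\n by * none\n"
        "access to *\n by self write\n by users read\n by * none\n")
DATABASES = ('database    bdb\nsuffix      "dc=example,dc=com"\n'
             'rootdn      "cn=root,dc=example,dc=com"\ndirectory   /var/lib/ldap\n'
             'database    monitor\n')
BROKEN_CONF = DATABASES + ACLS      # ACLs land in the monitor backend, as in the question
FIXED_CONF = ACLS + DATABASES       # ACLs are global and reach bdb, as in the answer

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(name, lint(parse_slapd_conf(conf)) or ["ok"])
```

Run it against a real slapd.conf by reading the file into `parse_slapd_conf`; a clean data backend yields no findings, while the layout from the question produces one finding for the bdb backend (no userPassword ACL in scope) and one for the monitor backend (ACLs that never apply to the suffix).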
