I have a working Samba PDC with OpenLDAP as the backend. I am about to set up a Samba proxy user, but I am having trouble writing a correct, secure ACL.
I used this ACL:
{0}to * by group.exact="cn=ldap.admins,ou=groups,dc=example,dc=com" write by * break
{1}to dn.one="dc=example,dc=com" filter=(objectClass=sambaDomain) by group.exact="cn=samba.admins,ou=groups,dc=example,dc=com" write by * break
{2}to attrs=@sambaSamAccount,userPassword by group.exact="cn=samba.admins,ou=groups,dc=example,dc=com" write by * break
{3}to dn.subtree="ou=people,dc=example,dc=com" attrs=userPassword by self write by * break
{4}to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange by self read by anonymous auth by * none
{5}to * by users read
(found here: http://blogger.ziesemer.com/2011/01/ldap-authentication-for-samba.html)
I cannot log in from Windows (Windows says the password or username is incorrect).
When I insert a new olcAccess line as rule number 0, everything works perfectly:
olcAccess: {0}to * by * read
I think this behaviour is caused by Samba rebinding to OpenLDAP in the middle of the authentication process: the Samba connection that uses the proxy user is dropped and an anonymous bind is started.
In the log you can see lines like these:
Jul 6 12:06:06 ubuserver slapd[1088]: conn=1110 fd=48 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
Jul 6 12:06:06 ubuserver slapd[1088]: conn=1110 op=0 BIND dn="" method=128
Jul 6 12:06:06 ubuserver slapd[1088]: conn=1110 op=0 RESULT tag=97 err=0 text=
Jul 6 12:06:06 ubuserver slapd[1088]: conn=1110 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=suser2))"
Jul 6 12:06:06 ubuserver slapd[1088]: conn=1110 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Jul 6 12:06:06 ubuserver slapd[1088]: => access_allowed: search access to "dc=itthon,dc=cucc" "entry" requested
Jul 6 12:06:06 ubuserver slapd[1088]: => acl_get: [1] attr entry
Jul 6 12:06:06 ubuserver slapd[1088]: => acl_mask: access to entry "dc=example,dc=com", attr "entry" requested
Jul 6 12:06:06 ubuserver slapd[1088]: => acl_mask: to all values by "", (=0)
Jul 6 12:06:06 ubuserver slapd[1088]: <= check a_dn_pat: *
Jul 6 12:06:06 ubuserver slapd[1088]: <= acl_mask: [2] applying +0 (break)
Jul 6 12:06:06 ubuserver slapd[1088]: <= acl_mask: [2] mask: =0
Jul 6 12:06:06 ubuserver slapd[1088]: => dn: [2] dc=example,dc=com
Jul 6 12:06:06 ubuserver slapd[1088]: => dn: [4] ou=people,dc=example,dc=com
Jul 6 12:06:06 ubuserver slapd[1088]: => acl_get: [6] attr entry
Jul 6 12:06:06 ubuserver slapd[1088]: => acl_mask: access to entry "dc=example,dc=com", attr "entry" requested
Jul 6 12:06:06 ubuserver slapd[1088]: => acl_mask: to all values by "", (=0)
Jul 6 12:06:06 ubuserver slapd[1088]: <= check a_dn_pat: users
Jul 6 12:06:06 ubuserver slapd[1088]: <= acl_mask: no more <who> clauses, returning =0 (stop)
Questions:
- Am I right in understanding that the problem is caused by the anonymous rebind?
- Is there a way to tell Samba to always bind with the proxy user (the user specified by ldap admin dn in smb.conf)?
- If not, is there a way to set up a secure ACL, i.e. one that does not give everyone read access?
(The system is Ubuntu 12.04.)
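As an added illustration (not from the question and not slapd code), here is a small Python model of how slapd walks the six rules above for a given bind DN: it reproduces the anonymous "=0 (stop)" result from the log, shows what the proxy user, a user bound as itself and a samba.admins member each get, and shows what the "{0}to * by * read" workaround exposes. The user DNs, the stand-in for @sambaSamAccount and the object classes are constructed, and the ACL semantics are simplified as noted in the comments.

```python
# Constructed model of the olcAccess list from the question (simplified; not slapd).
BASE = "dc=example,dc=com"
PEOPLE = "ou=people," + BASE
LDAP_ADMINS = "cn=ldap.admins,ou=groups," + BASE
SAMBA_ADMINS = "cn=samba.admins,ou=groups," + BASE
PW_ATTRS = {"userPassword", "shadowLastChange", "sambaNTPassword",
            "sambaLMPassword", "sambaPwdLastSet", "sambaPwdMustChange"}
SAMBA_ATTRS = {"sambaSID", "sambaNTPassword", "sambaLMPassword"}  # constructed stand-in for @sambaSamAccount

# <what> helpers (escaped commas in RDN values are not handled) and <who> predicates.
in_subtree = lambda root, dn: dn == root or dn.endswith("," + root)            # dn.subtree
one_level = lambda parent, dn: dn.endswith("," + parent) and "," not in dn[: -len(parent) - 1]  # dn.one
who_any = lambda b, t: True                                    # by *
who_users = lambda b, t: b["dn"] != ""                         # by users (any authenticated DN)
who_anon = lambda b, t: b["dn"] == ""                          # by anonymous ("" bind dn, as in the log)
who_self = lambda b, t: b["dn"] != "" and b["dn"] == t["dn"]   # by self
who_group = lambda g: (lambda b, t: g in b["groups"])          # by group.exact=g

ACL = [  # rules {0}..{5} as (<what>, [(<who>, <access>, <control>), ...]); attr "entry" = the entry itself
    (lambda t: True, [(who_group(LDAP_ADMINS), "write", "stop"), (who_any, "none", "break")]),
    (lambda t: one_level(BASE, t["dn"]) and "sambaDomain" in t["objectClass"],
     [(who_group(SAMBA_ADMINS), "write", "stop"), (who_any, "none", "break")]),
    (lambda t: t["attr"] in SAMBA_ATTRS | {"userPassword"},
     [(who_group(SAMBA_ADMINS), "write", "stop"), (who_any, "none", "break")]),
    (lambda t: in_subtree(PEOPLE, t["dn"]) and t["attr"] == "userPassword",
     [(who_self, "write", "stop"), (who_any, "none", "break")]),
    (lambda t: t["attr"] in PW_ATTRS,
     [(who_self, "read", "stop"), (who_anon, "auth", "stop"), (who_any, "none", "stop")]),
    (lambda t: True, [(who_users, "read", "stop")]),
]
OPEN_ACL = [(lambda t: True, [(who_any, "read", "stop")])] + ACL  # the "{0}to * by * read" workaround

def access(acl, bind_dn, dn, attr, groups=(), classes=()):
    """First matching <what>, then first matching <who>. 'break' moves on to the next matching rule
    (its grant replaces this one: a simplification of slapd's additive masks); a matched rule whose
    <who> clauses all fail stops with 'none', which is the log's "no more <who> clauses ... (stop)"."""
    b, t = {"dn": bind_dn, "groups": set(groups)}, {"dn": dn, "attr": attr, "objectClass": set(classes)}
    granted = "none"
    for what, bys in acl:
        if not what(t):
            continue
        for who, acc, control in bys:
            if who(b, t):
                granted = acc
                if control == "stop":
                    return granted
                break
        else:
            return granted
    return granted
```

With the bind user set, the search from the log is answered with "read"; anonymously it ends in "none", and the workaround rule hands "read" on the password hashes to anonymous as well.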
Answer 1
The problem was that Samba hands the work over to PAM, and I had forgotten to fill in the bind user and bind password in /etc/ldap.conf. So PAM was binding to LDAP anonymously and had no permission to read those attributes.