你好,我一直试图实现管理员和操作员级别的 ACL,但没有成功。到目前为止,我已经
access to attrs=userPassword,shadowLastChange
by self write
by anonymous auth
by set="[cn=Administrators,ou=group,dc=company,dc=com]/member* & user" manage
by set="[cn=Domain Admins,ou=groups,dc=company,dc=com]/memberUid* & user" manage
by set="[cn=Operators,ou=groups,dc=company,dc=com]/member* & user" read
by * none
access to attrs=userPassword,shadowLastChange,sambaLMPassword,sambaNTPassword,displayName,description,givenName
by anonymous auth
by self =rwdx
by set="[cn=Administrators,ou=group,dc=company,dc=com]/member* & user" manage
by set="[cn=Domain Admins,ou=groups,dc=company,dc=com]/memberUid* & user" manage
by set="[cn=Operators,ou=groups,dc=company,dc=com]/member* & user" read
access to dn.subtree="dc=company,dc=com"
by self =rwdx
by set="[cn=Administrators,ou=groups,dc=company,dc=com]/member* & user" manage
by set="[cn=Domain Admins,ou=groups,dc=company,dc=com]/memberUid* & user" manage
by set="[cn=Operators,ou=groups,dc=company,dc=com]/member* & user" read
by * break
我需要授予管理员和域管理员完全权限和操作员读取权限,通过上述设置甚至管理员也可以获得读取权限。
有什么想法吗?谢谢
答案1
我已将配置更改为以下内容,目前看来可以正常工作
access to attrs=userPassword,sambaNTPassword,shadowLastChange
by anonymous auth
by self write
by group.exact="cn=Administrators,ou=groups,dc=company,dc=com" manage
by group.exact="cn=Operators,ou=groups,dc=company,dc=com" read
access to *
by self write
by dn.exact="uid=austek,ou=Technical,ou=people,dc=company,dc=com" manage
by group.exact="cn=Administrators,ou=groups,dc=company,dc=com" manage
by group.exact="cn=Operators,ou=groups,dc=company,dc=com" read
by * break