ACL - subtree admin should be able to change passwords as well as the user themselves

dn: olcDatabase={1}hdb,cn=config
objectclass: olcDatabaseConfig
objectclass: olcHdbConfig
olcaccess: {0}to dn.subtree="ou=subtree,dc=domain,dc=tld" by self write by dn="cn=subadmin,dc=domain,dc=tld" write by users read by anonymous none
olcaccess: {1}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=mpbteam,dc=de" write by * none
olcaccess: {2}to dn.base="" by * read
olcaccess: {3}to * by self write by dn="cn=admin,dc=domain,dc=tld" write by * read

I am having some trouble understanding the ACL order. The subtree dn: cn=subadmin,dc=domain,dc=tld should be able to change their own password, but they can't with this rule set, because the subtree admin can't, but the subtree admin can write new DNs. If I delete ACL {0}, the users can change it again, but I need a subtree admin with write access for each subtree.

Regards,

Mike

Answer 1

The order of the ACL lines matters.

olcaccess: {0}to dn.subtree="ou=subtree,dc=domain,dc=tld" by self write by dn="cn=subadmin,dc=domain,dc=tld" write by users read by anonymous none
olcaccess: {1}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=mpbteam,dc=de" write by * none
olcaccess: {2}to dn.base="" by * read
olcaccess: {3}to * by self write by dn="cn=admin,dc=domain,dc=tld" write by * read

You can delete {2} because it is already covered by {3}, and you should swap {1} and {0}. This is because the attributes are part of the subtree, and you have told LDAP that the subtree is only readable by users. Try:

olcaccess: {0}to attrs=userPassword,shadowLastChange by self write by users write by anonymous auth by dn="cn=admin,dc=mpbteam,dc=de" write
olcaccess: {1}to dn.subtree="ou=subtree,dc=domain,dc=tld" by self write by dn="cn=subadmin,dc=domain,dc=tld" write by users read by anonymous none
olcaccess: {2}to * by self write by dn="cn=admin,dc=domain,dc=tld" write by * read

You also don't need by * none; it is implied.

Of course, I haven't tried this yet, because I can't edit my config at all right now... could you take a look at:

LDAP build script fails on openLDAP-2.4.31 ( ldapmodify -Y EXTERNAL -H ldapi:/// )

for me?
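To make the "order matters" point of the answer concrete, here is an added example (not code from the question or the answer) that models slapd's two-level first-match evaluation in Python: the first "to" clause whose target matches the entry and attribute is the only one consulted, and within it the first "by" selector that matches the requester sets the access level, with an implicit "by * none" if nothing matches. It encodes both rule sets from the thread and evaluates them for constructed sample entries (uid=alice and uid=bob under ou=subtree, and a hypothetical mail attribute). Only the selectors the thread uses are modelled (self, users, anonymous, *, dn=...), so it is a teaching model of slapd.access(5), not a replacement for testing against a real server with slapacl. Besides showing that the original ordering never reaches the "by anonymous auth" selector for subtree entries (so a simple bind against them is denied), it also surfaces a caveat in the suggested rule set: "by users write" on userPassword lets any authenticated user overwrite any other user's password.

```python
from dataclasses import dataclass
from typing import Optional

# Access levels in increasing order, as listed in slapd.access(5).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def norm(dn: str) -> str:
    """Normalise a DN for comparison: case-insensitive, no spaces after commas."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def in_subtree(entry_dn: str, base: str) -> bool:
    e, b = norm(entry_dn), norm(base)
    return e == b or e.endswith("," + b)


@dataclass
class Rule:
    """One olcAccess clause: its target plus the <by> selectors in written order."""
    by: list                        # [(who, level)] in the order they appear
    subtree: Optional[str] = None   # dn.subtree="..."
    base: Optional[str] = None      # dn.base="..." (dn.base="" is the root DSE)
    attrs: Optional[set] = None     # attrs=a,b ; None means every attribute

    def targets(self, entry_dn: str, attr: str) -> bool:
        if self.base is not None and norm(entry_dn) != norm(self.base):
            return False
        if self.subtree is not None and not in_subtree(entry_dn, self.subtree):
            return False
        if self.attrs is not None and attr.lower() not in {a.lower() for a in self.attrs}:
            return False
        return True


def who_matches(who: str, requester: Optional[str], entry_dn: str) -> bool:
    """requester is the bound DN, or None for an anonymous connection."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and norm(requester) == norm(entry_dn)
    if who.startswith("dn="):
        return requester is not None and norm(requester) == norm(who[3:])
    raise ValueError(f"unsupported selector: {who}")


def access_level(rules, requester, entry_dn, attr) -> str:
    """First matching <to> clause wins; inside it the first matching <by> decides."""
    for rule in rules:
        if rule.targets(entry_dn, attr):
            for who, level in rule.by:
                if who_matches(who, requester, entry_dn):
                    return level
            return "none"  # implicit "by * none" inside the matching clause
    return "none"          # no clause matched the target at all


def allowed(rules, requester, entry_dn, attr, needed: str) -> bool:
    return LEVELS.index(access_level(rules, requester, entry_dn, attr)) >= LEVELS.index(needed)


SUBTREE = "ou=subtree,dc=domain,dc=tld"
SUBADMIN = "cn=subadmin,dc=domain,dc=tld"
ADMIN = "cn=admin,dc=domain,dc=tld"
PW_ATTRS = {"userPassword", "shadowLastChange"}

# The poster's ordering: the subtree clause comes first and captures every attribute.
ORIGINAL = [
    Rule(subtree=SUBTREE, by=[("self", "write"), (f"dn={SUBADMIN}", "write"), ("users", "read"), ("anonymous", "none")]),
    Rule(attrs=PW_ATTRS, by=[("self", "write"), ("anonymous", "auth"), ("dn=cn=admin,dc=mpbteam,dc=de", "write"), ("*", "none")]),
    Rule(base="", by=[("*", "read")]),
    Rule(by=[("self", "write"), (f"dn={ADMIN}", "write"), ("*", "read")]),
]

# The answer's ordering: password attributes first, "by users write" added, "by * none" dropped.
SWAPPED = [
    Rule(attrs=PW_ATTRS, by=[("self", "write"), ("users", "write"), ("anonymous", "auth"), ("dn=cn=admin,dc=mpbteam,dc=de", "write")]),
    Rule(subtree=SUBTREE, by=[("self", "write"), (f"dn={SUBADMIN}", "write"), ("users", "read"), ("anonymous", "none")]),
    Rule(by=[("self", "write"), (f"dn={ADMIN}", "write"), ("*", "read")]),
]

# Constructed sample entries for the walk-through (hypothetical, not from the thread).
ALICE = "uid=alice," + SUBTREE
BOB = "uid=bob," + SUBTREE


def report(rules) -> dict:
    """Answer the questions the thread raises, for one rule set."""
    return {
        # A simple bind needs "auth" on userPassword for the still-anonymous connection.
        "anonymous can bind as alice": allowed(rules, None, ALICE, "userPassword", "auth"),
        "alice can change own password": allowed(rules, ALICE, ALICE, "userPassword", "write"),
        "subadmin can set alice's password": allowed(rules, SUBADMIN, ALICE, "userPassword", "write"),
        "subadmin can write attrs under subtree": allowed(rules, SUBADMIN, ALICE, "mail", "write"),
        "bob can read alice's mail": allowed(rules, BOB, ALICE, "mail", "read"),
        # Caveat check: does an ordinary user get write on someone else's password?
        "bob can set alice's password": allowed(rules, BOB, ALICE, "userPassword", "write"),
    }


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("swapped", SWAPPED)):
        print(name)
        for question, ok in report(rules).items():
            print(f"  {question}: {ok}")
```

Run it and compare the two reports: with the original ordering the anonymous bind as alice is denied, because clause {0} matches userPassword under the subtree and its "by anonymous none" is reached before clause {1} is ever considered; with the swapped ordering the bind succeeds, but so does bob writing alice's userPassword, which is the cost of "by users write" in the first clause. The root DSE gets "read" under both sets, which is why dropping {2} in favour of {3} changes nothing. Before applying any real change, confirm the same outcomes on the server with slapacl, which evaluates the live configuration rather than this model.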
