OpenLDAP ACL update error

I am trying to modify the current ACL rules in OpenLDAP by deleting the current rule and updating it with a new rule from a new acl.ldif file, using the following command.

ldapmodify -xWD cn=admin,cn=config -f acl.ldif

But I get the following error when I run it.

modifying entry "olcDatabase={1}hdb,cn=config"
ldap_modify: Object class violation (65)
        additional info: attribute 'olcOverlay' not allowed

Here is my current olcDatabase file.

dn: olcDatabase={1}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=test,dc=test1,dc=com
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymou
 s auth by dn="ou=admin,dc=test,dc=test1,dc=com" write by * read
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by dn="cn=admin,dc=test,dc=test1,dc=com" w
 rite by * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=test,dc=test1,dc=com
olcRootPW:: e1Nb01QN3Mrckk=
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcDbIndex: entryCSN,entryUUID eq
structuralObjectClass: olcHdbConfig
entryUUID: 372c8246-a1b5-1031-9131-6b135443c1be
creatorsName: cn=admin,cn=config
createTimestamp: 20121003144902Z
entryCSN: 20121003144902.063840Z#000000#000#000000
modifiersName: cn=admin,cn=config
modifyTimestamp: 20121003144902Z
olcOverlay: syncprov
olcSpCheckPoint: 50 10
olcSpSessionlog: 100

Below is my acl.ldif file.

dn: olcDatabase={1}hdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: {0}
-
# Then add a new ACL at position {0}.
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="ou=Users,dc=test,dc=test1,dc=com" write by * read

Answer 1

Your current database configuration is probably invalid. Unless you have done something unusual with the schema, none of the objectClasses in your config entry provide for the use of the olcOverlay attribute. The error message is not about what you are trying to do, but about what you have already done.

This is the more usual structure:

$ ldapsearch -b olcDatabase={1}hdb,cn=config objectClass @olcSyncProvConfig
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig

dn: olcOverlay={0}syncprov,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov
olcSpCheckpoint: 100 10
olcSpSessionlog: 100

dn: olcOverlay={1}memberof,olcDatabase={1}hdb,cn=config
objectClass: olcMemberOf
objectClass: olcOverlayConfig
olcOverlay: {1}memberof

# find /etc/openldap/slapd.d/
/etc/openldap/slapd.d/
/etc/openldap/slapd.d/cn=config
/etc/openldap/slapd.d/cn=config/olcDatabase={1}hdb.ldif
/etc/openldap/slapd.d/cn=config/olcDatabase={0}config
/etc/openldap/slapd.d/cn=config/olcDatabase={0}config/olcOverlay={0}syncprov.ldif
/etc/openldap/slapd.d/cn=config/cn=schema.ldif
/etc/openldap/slapd.d/cn=config/cn=module{0}.ldif
/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb
/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb/olcOverlay={0}syncprov.ldif
/etc/openldap/slapd.d/cn=config/cn=schema
/etc/openldap/slapd.d/cn=config/cn=schema/cn={7}openssh-lpk.ldif
/etc/openldap/slapd.d/cn=config/cn=schema/cn={0}core.ldif
/etc/openldap/slapd.d/cn=config/cn=schema/cn={3}rfc2307bis.ldif
/etc/openldap/slapd.d/cn=config/cn=schema/cn={8}sudo.ldif
/etc/openldap/slapd.d/cn=config/cn=schema/cn={2}inetorgperson.ldif
/etc/openldap/slapd.d/cn=config/cn=schema/cn={4}misc.ldif
/etc/openldap/slapd.d/cn=config/cn=schema/cn={6}kerberos.ldif
/etc/openldap/slapd.d/cn=config/cn=schema/cn={5}dhcp.ldif
/etc/openldap/slapd.d/cn=config/cn=schema/cn={1}cosine.ldif
/etc/openldap/slapd.d/cn=config/olcDatabase={0}config.ldif
/etc/openldap/slapd.d/cn=config/olcDatabase={1}hdb
/etc/openldap/slapd.d/cn=config/olcDatabase={1}hdb/olcOverlay={1}memberof.ldif
/etc/openldap/slapd.d/cn=config/olcDatabase={1}hdb/olcOverlay={0}syncprov.ldif
/etc/openldap/slapd.d/cn=config/olcDatabase={-1}frontend.ldif
/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif
/etc/openldap/slapd.d/cn=config.ldif
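As an added example (not part of the question or answer above), a small Python check that parses a cn=config LDIF export and flags entries carrying olcOverlay without the olcOverlayConfig objectClass, which is the mismatch behind the "attribute 'olcOverlay' not allowed" error; the sample LDIF strings are constructed from the layouts shown on this page.

```python
# Added example (not from the original post): sanity-check a cn=config LDIF
# before handing it to ldapmodify, so the object class violation is caught early.
from collections import defaultdict

def parse_ldif(text):
    """Return [(dn, {attr: [values]})]; '::' base64 values are kept raw."""
    entries, attrs, dn = [], defaultdict(list), None
    # RFC 2849 folding: a line break followed by one space continues the value.
    for line in text.replace("\n ", "").splitlines() + [""]:
        if line.startswith("#"):
            continue
        if not line:                       # blank line ends the entry
            if dn is not None:
                entries.append((dn, dict(attrs)))
                attrs, dn = defaultdict(list), None
            continue
        name, _, value = line.partition(":")
        value = value.lstrip(": ")         # also swallows the '::' marker
        if name.lower() == "dn":
            dn = value
        else:
            attrs[name].append(value)
    return entries

def overlay_violations(entries):
    """DNs holding olcOverlay without olcOverlayConfig (slapd: 'Object class violation')."""
    bad = []
    for dn, attrs in entries:
        classes = {c.lower() for c in attrs.get("objectClass", [])}
        if "olcOverlay" in attrs and "olcoverlayconfig" not in classes:
            bad.append(dn)
    return bad

# Constructed samples: a trimmed copy of the question's entry and the answer's layout.
BROKEN = """dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymou
 s auth by * read
olcOverlay: syncprov
"""
FIXED = """dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig

dn: olcOverlay={0}syncprov,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov
"""
```

Run it against the output of `slapcat -n 0` (or the slapd.d/*.ldif files) before applying an ACL change; an entry listed by overlay_violations will reject any modify, regardless of what the modify touches.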