我想在 LDAP 中创建一个通讯录(用于邮件客户端,这是我的 RoundCube 的第一步)。服务器是 Debian 7.9,slapd 2.4.31(OpenLDAP)。成功安装后,我为通讯录创建了一个子树:
dn: ou=rcabook,dc=mydomain,dc=com
ou: rcabook
objectClass: top
objectClass: organizationalUnit
dn: ou=public,ou=rcabook,dc=mydomain,dc=com
ou: public
objectClass: top
objectClass: organizationalUnit
dn: ou=private,ou=rcabook,dc=mydomain,dc=com
ou: private
objectClass: top
objectClass: organizationalUnit
以及 RoundCube 的常规用户:
dn: cn=rcuser,ou=rcabook,dc=mydomain,dc=com
cn: rcuser
objectClass: organizationalRole
objectClass: simpleSecurityObject
userPassword:: e1f2g3....x3y2z1
但是当我想以 rcuser 身份创建新条目时,出现了以下错误:
ldapadd -f entry.ldif -D cn=rcuser,ou=rcabook,dc=mydomain,dc=com -W
Enter LDAP Password:
adding new entry "cn=DOMAIN IT,ou=public,ou=rcabook,dc=mydomain,dc=com"
ldap_add: Insufficient access (50)
additional info: no write access to parent
ou=public,ou=rcabook 子树在配置中具有特殊访问权限:
# slapcat -n0
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=mydomain,dc=com
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymou
s auth by dn="cn=admin,dc=mydomain,dc=com" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=mydomain,dc=com" write by * read
olcAccess: {3}to dn.subtree="ou=public,ou=rcabook,dc=mydomain,dc=com" by users writ
e
olcLastMod: TRUE
...
我需要添加哪些权限,以便所有用户都可以将条目添加到子树?
谢谢,
A。
答案1
To add or delete an entry, the subject must have write access to
the entry's entry attribute AND must have write access to the
entry's parent's children attribute.
因此您需要授予对entry和children伪属性的访问权限:
olcAccess: {3}to dn.entry="ou=public,ou=rcabook,dc=mydomain,dc=com" by users write
olcAccess: {4}to dn.children="ou=public,ou=rcabook,dc=mydomain,dc=com" by users write
答案2
旁注:我不认为拥有用户可写的公共地址簿是一个好主意。
olcAccess: {2} 并且olcAccess: {3}需要重新排序。匹配所有尚未匹配的内容,这意味着to * by * read永远不会被评估。olcAccess: {2}olcAccess: {3}