OpenLDAP: LDAP user cannot add an entry: Insufficient access (no write access to parent)

I want to create an address book in LDAP (for mail clients; this is the first step for my RoundCube). The server is Debian 7.9 with slapd 2.4.31 (OpenLDAP). After a successful installation I created a subtree for the address book:

dn: ou=rcabook,dc=mydomain,dc=com
ou: rcabook
objectClass: top
objectClass: organizationalUnit

dn: ou=public,ou=rcabook,dc=mydomain,dc=com
ou: public
objectClass: top
objectClass: organizationalUnit

dn: ou=private,ou=rcabook,dc=mydomain,dc=com
ou: private
objectClass: top
objectClass: organizationalUnit

and a regular user for RoundCube:

dn: cn=rcuser,ou=rcabook,dc=mydomain,dc=com
cn: rcuser
objectClass: organizationalRole
objectClass: simpleSecurityObject
userPassword:: e1f2g3....x3y2z1

But when I try to create a new entry as rcuser, I get the following error:

ldapadd -f entry.ldif -D cn=rcuser,ou=rcabook,dc=mydomain,dc=com -W
Enter LDAP Password: 
adding new entry "cn=DOMAIN IT,ou=public,ou=rcabook,dc=mydomain,dc=com"
ldap_add: Insufficient access (50)
    additional info: no write access to parent

The ou=public,ou=rcabook subtree has special access rights in the configuration:

# slapcat -n0
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=mydomain,dc=com
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymou
 s auth by dn="cn=admin,dc=mydomain,dc=com" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=mydomain,dc=com" write by * read
olcAccess: {3}to dn.subtree="ou=public,ou=rcabook,dc=mydomain,dc=com" by users writ
 e
olcLastMod: TRUE
...

Which permissions do I need to add so that all users can add entries to the subtree?

Thanks,

A.

Answer 1

OpenLDAP ACL documentation:

To add or delete an entry, the subject must have write access to 
the entry's entry attribute AND must have write access to the 
entry's parent's children attribute.

So you need to grant access to the entry and children pseudo-attributes:

# "children" pseudo-attribute of the parent entry itself (dn.base; "dn.entry" is not a valid dn style)
olcAccess: {3}to dn.base="ou=public,ou=rcabook,dc=mydomain,dc=com" attrs=children by users write
# "entry" pseudo-attribute (and all other attributes) of the entries added below it
olcAccess: {4}to dn.children="ou=public,ou=rcabook,dc=mydomain,dc=com" by users write

Answer 2

Side note: I do not think having a user-writable public address book is a good idea.

olcAccess: {2} and olcAccess: {3} need to be reordered. olcAccess: {2} (to * by * read) matches everything that has not already been matched, which means olcAccess: {3} is never evaluated.
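Answer 1 states the entry/children requirement for an add and Answer 2 states that the first matching "to" clause wins. As an added example (not from the question or either answer), here is a small Python model of that evaluation, run over the olcAccess values posted in the question; it assumes only the simplified <what> and <who> forms that appear on the page, not the full slapd.access(5) grammar.

```python
import re
# Added example (not from the question or either answer): a small model of how slapd
# evaluates olcAccess. The FIRST rule whose "to" part matches the entry/attribute decides;
# inside it the first matching "by" gives the level, an unmatched "by" list means "none".
# Adding needs write on the new entry's "entry" AND on the parent's "children" pseudo-attribute.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
SUFFIX = "ou=rcabook,dc=mydomain,dc=com"
RCUSER, ADMIN = "cn=rcuser," + SUFFIX, "cn=admin,dc=mydomain,dc=com"
# The olcAccess values from the question, with the LDIF line folding undone.
ORIGINAL = [
    '{0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="%s" write by * none' % ADMIN,
    '{1}to dn.base="" by * read',
    '{2}to * by dn="%s" write by * read' % ADMIN,
    '{3}to dn.subtree="ou=public,%s" by users write' % SUFFIX,
]
REORDERED = [ORIGINAL[0], ORIGINAL[1], ORIGINAL[3], ORIGINAL[2]]  # Answer 2: subtree rule before "to *"

def parse(rule):  # '{n}to <what> by <who> <level> [by ...]' -> (what, [(who, level), ...])
    what, by_part = re.match(r"\{\d+\}to\s+(.*?)\s+by\s+(.*)$", rule).groups()
    return what, re.findall(r'(self|anonymous|users|\*|dn="[^"]*")\s+(%s)' % "|".join(LEVELS), by_part)

def what_matches(what, dn, attr):
    m = re.search(r'dn\.(base|subtree|children)="([^"]*)"', what)
    if m:
        style, base = m.groups()
        below = dn.endswith("," + base)
        if not {"base": dn == base, "subtree": dn == base or below, "children": below}[style]:
            return False
    m = re.search(r"attrs=(\S+)", what)  # no attrs= means every attribute, pseudo-attributes included
    return not m or attr in m.group(1).split(",")

def who_matches(who, subject, dn):  # subject "" models an anonymous bind
    if who == "*":
        return True
    if who in ("anonymous", "users"):
        return bool(subject) == (who == "users")
    return subject == (dn if who == "self" else who[4:-1])  # who[4:-1] strips dn="..."

def access(rules, subject, dn, attr, wanted):
    for what, bys in map(parse, rules):
        if what_matches(what, dn, attr):
            for who, level in bys:
                if who_matches(who, subject, dn):
                    return LEVELS.index(level) >= LEVELS.index(wanted)
            return False  # rule matched but no "by" clause did: implicit "by * none"
    return False  # no rule matched at all

def can_add(rules, subject, new_dn):
    parent = new_dn.split(",", 1)[1]
    return access(rules, subject, new_dn, "entry", "write") and access(rules, subject, parent, "children", "write")
```

With ORIGINAL, can_add for rcuser under ou=public is False because {2} answers first with read; with REORDERED it is True. On the server itself the same question is answered by slapacl, for example slapacl -F /etc/ldap/slapd.d -D "cn=rcuser,ou=rcabook,dc=mydomain,dc=com" -b "ou=public,ou=rcabook,dc=mydomain,dc=com" children/write (assumed Debian config path).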