openldap: add an ACL for a group

This is my first day with LDAP. I have read these how-tos and posts but cannot figure it out!

https://superuser.com/questions/1122329/ldapadd-gives-syntax-errors-with-openldap
https://serverfault.com/questions/356912/ldap-add-error-80-olcmoduleload-handler-exited-with-1/357018#357018
https://blog.netways.de/2012/01/27/openldap-2-4-x-und-die-acl/
http://www.openldap.org/doc/admin24/access-control.html

I would like to manage an LDAP address book on this LDAP version through the dynamic configuration.

root@vm-ldap:/etc/ldap/schema# /usr/sbin/slapd -VV
@(#) $OpenLDAP: slapd  (Ubuntu) (May 11 2016 16:12:05) $
        buildd@lgw01-10:/build/openldap-mF7Kfq/openldap-2.4.42+dfsg/debian/build/servers/slapd

I want to set an ACL for a group so that it can manage the contact entries in the following structure

group managing the address book

Can someone show me how to set the ACL via ldapmodify and an LDIF?

{0}config.ldif looks like:

# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 5851d624
dn: olcDatabase={0}config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=extern
 al,cn=auth manage by * break
structuralObjectClass: olcDatabaseConfig
entryUUID: 06453e7c-b46e-1036-893d-e97cab33d7b8
creatorsName: cn=config
createTimestamp: 20170413082206Z
entryCSN: 20170413082206.197889Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20170413082206Z

{1}mdb.ldif is:

# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 a5a00274
dn: olcDatabase={1}mdb
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * non
 e
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to * by * read
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid eq
olcDbMaxSize: 1073741824
structuralObjectClass: olcMdbConfig
entryUUID: 06460820-b46e-1036-8945-e97cab33d7b8
creatorsName: cn=config
createTimestamp: 20170413082206Z
olcSuffix: dc=ac,dc=test
olcRootDN: cn=admin,dc=ac,dc=test
olcRootPW:: e1NTSEF9U1BXQXpDcVVPNERCbU15TkhGUXdtS3FVOHNFTUU0OW4=
entryCSN: 20170413092314.034244Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20170413092314Z

Update 1

Yesterday I broke the database with a misconfiguration of memberOf.

Update 2

Then I tried

add olcAccess:
 {3}to dn.subtree="ou=ab,l=ac,ou=ac-corp,dc=ac,dc=lan"
             by group(s)/groupOfNames/member="cn=ab-edit,ou=groups,dc=ac,dc=lan" manage

ldap_add: Object class violation (65)
        additional info: no objectClass attribute

Answer 1

You cannot ldapadd/ldapmodify an LDIF file that contains only attributes.

In the LDIF you must specify:

  • which entry you want to edit: dn: olcDatabase={1}mdb,cn=config
  • which operation you want to perform: changetype: modify
  • which attribute is targeted and how: add: olcAccess
  • what its value is: {3}to dn.subtree="ou=ab,l=ac,ou=ac-corp,dc=ac,dc=lan" by group(s)/groupOfNames/member="cn=ab-edit,ou=groups,dc=ac,dc=lan" manage

So the LDIF you should try with ldapmodify must look like this:

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {3}to dn.subtree="ou=ab,l=ac,ou=ac-corp,dc=ac,dc=lan"
 by group(s)/groupOfNames/member="cn=ab-edit,ou=groups,dc=ac,dc=lan" manage
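A script that builds the answer's modify record and applies it over the ldapi socket, as an added example that is not part of the question or the answer. It goes beyond the answer on one point: slapd uses the first "to" clause that matches the target, so a rule appended as {3} behind the existing "{2}to * by * read" would never be consulted; the script therefore inserts the new rule in front of that catch-all and adds "by * break" so non-members keep the read access they have today. It assumes the subtree and group DNs from the question, a local slapd reachable via ldapi:///, and the documented who-syntax group/groupOfNames/member (the "(s)" in the question is not valid ACL syntax).

```shell
#!/bin/sh
# Assumed values: the DNs from the question and the ldapi:/// socket of the
# local slapd. Not code from the question or the answer.

# Print the LDIF that inserts the group rule at index $1; slapd renumbers the
# existing values at that index and above. $2 = subtree DN, $3 = group DN.
# "by * break" hands everyone else to the following "to" clauses, so the
# existing "to * by * read" still covers the address book instead of the
# implicit "by * none" that a clause with a single "by" line would leave.
acl_ldif() {
  printf '%s\n' \
    "dn: olcDatabase={1}mdb,cn=config" \
    "changetype: modify" \
    "add: olcAccess" \
    "olcAccess: {$1}to dn.subtree=\"$2\"" \
    " by group/groupOfNames/member=\"$3\" manage" \
    " by * break"
}

# Read unfolded olcAccess lines on stdin and print the index of the first
# catch-all "to *" clause; prints nothing when there is none.
insert_index() {
  awk '/^olcAccess: [{][0-9]+[}]to [*]( |$)/ {
         sub(/^olcAccess: [{]/, ""); sub(/[}].*$/, ""); print; exit }'
}

# "sh acl.sh apply" runs it for real as the local root identity over ldapi,
# the same identity seen as modifiersName in the question's config.
if [ "${1:-}" = "apply" ]; then
  idx=$(ldapsearch -Q -Y EXTERNAL -H ldapi:/// -LLL -o ldif-wrap=no \
          -b 'olcDatabase={1}mdb,cn=config' olcAccess | insert_index)
  [ -n "$idx" ] || { echo "no catch-all 'to *' clause; review olcAccess by hand" >&2; exit 1; }
  acl_ldif "$idx" 'ou=ab,l=ac,ou=ac-corp,dc=ac,dc=lan' \
                  'cn=ab-edit,ou=groups,dc=ac,dc=lan' \
    | ldapmodify -Q -Y EXTERNAL -H ldapi:///
fi
```

Afterwards the same ldapsearch should list the new rule at the chosen index and the old catch-all one position later.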
