OpenLDAP 监控访问 ACL 不起作用

tag-icon tag-icon ldap centos7 openldap
OpenLDAP 监控访问 ACL 不起作用

我无法使用在 CentOS 7 上运行的 OpenLDAP 检索监视器信息。为了设置好一切,我按照文档中的步骤进行操作这里

$ cat module_monitor.ldif
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: {2}back_monitor

$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f module_monitor.ldif

确认它有效:

 $ sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=module{0},cn=config"
 SASL/EXTERNAL authentication started
 SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
 SASL SSF: 0
 # extended LDIF
 #
 # LDAPv3
 # base <cn=module{0},cn=config> with scope subtree
 # filter: (objectclass=*)
 # requesting: ALL
 #

 # module{0}, config
 dn: cn=module{0},cn=config
 objectClass: olcModuleList
 cn: module{0}
 olcModulePath: /usr/lib64/openldap
 olcModuleLoad: {0}memberof
 olcModuleLoad: {1}refint
 olcModuleLoad: {2}back_monitor
 <...>

下一步添加监视器帐户:

$ cat cn_monitor.ldif 
dn: cn=monitor,dc=company,dc=de
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: monitor
description: LDAP monitor
userPassword: {CRYPT}REDACTED

$ ldapadd -x -D "cn=admin,dc=company,dc=de" -W -f cn_monitor.ldif -ZZ -H ldap://openldap.internal.company.de

最后配置 ACL:

$ cat database_monitor.ldif
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=manager,dc=company,dc=de" read by * none

$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f database_monitor.ldif

确认它有效:

$ sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b "olcDatabase={1}monitor,cn=config"

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <olcDatabase={1}monitor,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# {1}monitor, config
dn: olcDatabase={1}monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth" read by dn.base="cn=manager,dc=company,dc=de" read by * none

现在我可以使用 sudo 的 EXTERNAL 身份验证检索监视器信息:

$ sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=monitor"
<...>
# numResponses: 67
# numEntries: 66

不幸的是,我无法实现同样的效果监视器用户:

$ ldapsearch -D "cn=monitor,dc=company,dc=de" -H ldap://openldap.internal.company.de -W -ZZ  -b "cn=monitor"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=monitor> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 3
result: 32 No such object

# numResponses: 1

我在这里遗漏了什么?

答案1

您的访问列表不包括cn=monitor,dc=company,dc=de。因此,您尝试使用的 dn 被 olcAccess 规则的一部分捕获by * none。(如果没有此部分,同样的事情就会隐式发生,而不是显式发生。)

以下 ldif 应该可以按预期工作:

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to *
  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
  by dn.base="cn=manager,dc=company,dc=de" read
  by dn.base="cn=monitor,dc=company,dc=de" read
  by * none

相关内容