I am running an OpenLDAP server with replication and need to set up appropriate ACLs so that the replication user can read everything on the source host.
After reading up on it, I came up with the following rules:
olcAccess: {0}to * by dn.base="cn=admin,dc=example,dc=com" manage
olcAccess: {1}to * by dn.base="uid=rpuser,dc=example,dc=com" read
olcAccess: {2}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {3}to attrs=shadowLastChange by self write by * read
olcAccess: {4}to * by users read
What I want to achieve is:
- the admin can do anything, without restriction
- the replication user can read everything
- users can change their own password
- only logged-in users can access the directory; anonymous access is not allowed.
After applying the ACLs above on the server, the replication user cannot log in at all. I do not understand why this happens; the replication user's DN is correct and, as far as I can tell, it should match...
After a login attempt the server logs:
slapd[3475]: => access_allowed: result not in cache (userPassword)
slapd[3475]: => access_allowed: auth access to "uid=rpuser,dc=example,dc=com" "userPassword" requested
slapd[3475]: => acl_get: [1] attr userPassword
slapd[3475]: => acl_mask: access to entry "uid=rpuser,dc=example,dc=com", attr "userPassword" requested
slapd[3475]: => acl_mask: to value by "", (=0)
slapd[3475]: <= check a_dn_pat: cn=admin,dc=example,dc=com
slapd[3475]: <= acl_mask: no more <who> clauses, returning =0 (stop)
slapd[3475]: => slap_access_allowed: auth access denied by =0
slapd[3475]: => access_allowed: no more rules
If I understand this correctly, only the first ACL is checked?
Answer 1
These ACLs are untested, but they should work:
olcAccess: {0}to * by dn.base="cn=admin,dc=example,dc=com" manage by * break
olcAccess: {1}to * by dn.base="uid=rpuser,dc=example,dc=com" read by * break
olcAccess: {2}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {3}to attrs=shadowLastChange by self write by * read
olcAccess: {4}to * by users read
You need by * break in the first two rules so that, if none of the by clauses in that rule match, the next rule is checked. You do not need by * break on attrs=userPassword or attrs=shadowLastChange, since those should not fall back to the "to * by users read" rule.
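To see why the first rule set rejects the replication bind while the second accepts it, here is a small Python model of the way slapd walks olcAccess directives. It is an added illustration for this thread, not OpenLDAP code, and it implements only the parts of slapd.access(5) the discussion turns on (first matching "to" clause wins, "by" clauses tried in order, "break" moves on to the next directive, a matched directive with no matching "by" denies, and a simple bind is an anonymous "auth" request on the bind DN's userPassword). The two rule sets are copied from the question and the answer; the DNs uid=alice and uid=bob are constructed sample entries that do not appear in the thread.

```python
"""Model of slapd's olcAccess walk, added for this thread (not OpenLDAP code).
Kept rules: the first 'to' clause whose target matches is used; its 'by' clauses
are tried in order and the first match decides; 'break' abandons the directive and
moves to the next; a matched directive with no matching 'by' denies (implicit
'by * none stop'); a simple bind is an anonymous request for 'auth' on the bind
DN's userPassword.  Exact DN matching only; 'continue' and +/- privileges omitted."""
import re
import shlex

LEVELS = {"none": 0, "disclose": 1, "auth": 2, "compare": 3, "search": 4,
          "read": 5, "add": 6, "delete": 6, "write": 6, "manage": 7}
CONTROLS = ("stop", "break")

def parse_acl(line):
    """'olcAccess: {n}to <what> by <who> [<access>] [<control>] ...' ->
    (what, [(who, level, control), ...]); <access> and <control> are optional."""
    if line.startswith("olcAccess:"):
        line = line.split(":", 1)[1]
    tok = shlex.split(re.sub(r"^\s*\{\d+\}", "", line))  # drop {n}; shlex unquotes DNs
    if not tok or tok[0] != "to":
        raise ValueError("directive must start with 'to': " + line)
    what, clauses, i = tok[1], [], 2
    while i < len(tok):
        if tok[i] != "by" or i + 1 >= len(tok):
            raise ValueError("malformed by clause in: " + line)
        who, i, access, control = tok[i + 1], i + 2, "none", "stop"
        if i < len(tok) and tok[i] not in ("by",) + CONTROLS:
            access, i = tok[i], i + 1
        if i < len(tok) and tok[i] in CONTROLS:
            control, i = tok[i], i + 1
        if access not in LEVELS:
            raise ValueError("unsupported access level: " + access)
        clauses.append((who, LEVELS[access], control))
    return what, clauses

def what_matches(what, entry_dn, attr):
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr.lower() in what[6:].lower().split(",")
    if what.startswith(("dn.base=", "dn.exact=")):
        return entry_dn.lower() == what.split("=", 1)[1].lower()
    raise ValueError("unsupported <what>: " + what)

def who_matches(who, requester_dn, entry_dn):  # requester_dn == "" is anonymous
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn == ""
    if who == "users":
        return requester_dn != ""
    if who == "self":
        return requester_dn != "" and requester_dn.lower() == entry_dn.lower()
    if who.startswith(("dn.base=", "dn.exact=")):
        return requester_dn.lower() == who.split("=", 1)[1].lower()
    raise ValueError("unsupported <who>: " + who)

def access_allowed(acls, requester_dn, entry_dn, attr, needed):
    """Walk parsed directives as slapd does; return (allowed, trace lines)."""
    trace = []
    for idx, (what, clauses) in enumerate(acls):
        if not what_matches(what, entry_dn, attr):
            continue
        trace.append(f"acl {idx}: 'to {what}' matches {entry_dn} / {attr}")
        for who, level, control in clauses:
            if not who_matches(who, requester_dn, entry_dn):
                continue
            if control == "break":
                trace.append(f"  'by {who}' matched with break -> next directive")
                break
            trace.append(f"  'by {who}' matched, grants level {level} (stop)")
            return level >= LEVELS[needed], trace
        else:  # every <who> clause was skipped: the log's "no more <who> clauses"
            trace.append("  no <who> clause matched -> denied (implicit 'by * none')")
            return False, trace
    trace.append("no more rules -> denied")
    return False, trace

# The rule sets from the question (ORIGINAL) and the answer (FIXED).
ORIGINAL = [
    'olcAccess: {0}to * by dn.base="cn=admin,dc=example,dc=com" manage',
    'olcAccess: {1}to * by dn.base="uid=rpuser,dc=example,dc=com" read',
    'olcAccess: {2}to attrs=userPassword by self write by anonymous auth by * none',
    'olcAccess: {3}to attrs=shadowLastChange by self write by * read',
    'olcAccess: {4}to * by users read',
]
FIXED = [ORIGINAL[0] + " by * break", ORIGINAL[1] + " by * break"] + ORIGINAL[2:]
RPUSER = "uid=rpuser,dc=example,dc=com"

def can_access(acl_lines, requester_dn, entry_dn, attr, needed="read"):
    acls = [parse_acl(l) for l in acl_lines]
    return access_allowed(acls, requester_dn, entry_dn, attr, needed)[0]

def can_bind(acl_lines, bind_dn):
    # Simple bind: the still-anonymous client needs 'auth' on bind_dn's userPassword,
    # the same '=> access_allowed: auth access ... by ""' request seen in the log.
    return can_access(acl_lines, "", bind_dn, "userPassword", "auth")

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("fixed", FIXED)):
        ok, trace = access_allowed([parse_acl(l) for l in rules], "", RPUSER, "userPassword", "auth")
        print(f"{name} rules, rpuser bind allowed: {ok}", *trace, sep="\n  ")
```

Running the block prints the same walk the question's log shows: with the original rules, "to *" in directive {0} matches the userPassword attribute of uid=rpuser, the only "by" clause (the admin DN) does not match the anonymous client, so evaluation stops with a deny and the rpuser rule is never reached; the same happens for rpuser reading any entry after a bind, which is what "only the first ACL is checked" looks like from the outside. With "by * break" on {0} and {1}, the anonymous bind falls through to "by anonymous auth" in {2}, and a bound rpuser is granted read on everything by {1}. Against a real server the equivalent check is slapacl, for example (config path assumed) `slapacl -F /etc/ldap/slapd.d -b "uid=rpuser,dc=example,dc=com" userPassword/auth`, run without -D so the request is evaluated as anonymous, as a bind is. One caveat the model does not reproduce: slapd skips ACL evaluation entirely for the database's olcRootDN, so if cn=admin is that rootdn its bind works under either rule set even though the model denies it too.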