OpenLDAP - user cannot log in after ACL rule change


I am running an OpenLDAP server with replication and need to set up appropriate ACLs that allow the replication user to read everything on the source host.

After reading this article, I came up with the following rules:

olcAccess: {0}to * by dn.base="cn=admin,dc=example,dc=com" manage
olcAccess: {1}to * by dn.base="uid=rpuser,dc=example,dc=com" read
olcAccess: {2}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {3}to attrs=shadowLastChange by self write by * read
olcAccess: {4}to * by users read

What I want to achieve is:

  1. The admin can do anything, without restriction
  2. The replication user can read everything
  3. Users can change their own passwords
  4. Only logged-in users can access the directory; anonymous access is not allowed.

After applying the above ACLs to the server, the replication user cannot log in at all. I don't understand why this happens; the replication user DN is correct and as far as I can tell it should match...

Server log after a login attempt:

slapd[3475]: => access_allowed: result not in cache (userPassword)
slapd[3475]: => access_allowed: auth access to "uid=rpuser,dc=example,dc=com" "userPassword" requested
slapd[3475]: => acl_get: [1] attr userPassword
slapd[3475]: => acl_mask: access to entry "uid=rpuser,dc=example,dc=com", attr "userPassword" requested
slapd[3475]: => acl_mask: to value by "", (=0)
slapd[3475]: <= check a_dn_pat: cn=admin,dc=example,dc=com
slapd[3475]: <= acl_mask: no more <who> clauses, returning =0 (stop)
slapd[3475]: => slap_access_allowed: auth access denied by =0
slapd[3475]: => access_allowed: no more rules

If I understand this correctly, only the first ACL is being checked?

Answer 1

These ACLs are untested but should work:

olcAccess: {0}to * by dn.base="cn=admin,dc=example,dc=com" manage by * break
olcAccess: {1}to * by dn.base="uid=rpuser,dc=example,dc=com" read by * break
olcAccess: {2}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {3}to attrs=shadowLastChange by self write by * read
olcAccess: {4}to * by users read

You need "by * break" in the first two rules, so that if there is no match in that particular "by" clause the next rule is checked. You do not need "by * break" on attrs=userPassword or attrs=shadowLastChange; those should not fall through to "to * by users read".
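To see why the first rule set denies the bind shown in the log while the second one allows it, here is a small Python model of how slapd walks olcAccess rules. It is an added illustration, not code from the question or the answer, and it supports only the who-forms used above (*, anonymous, users, self, dn.base=); "continue" and incremental +/- masks are deliberately left out.

```python
# Toy model of how slapd walks olcAccess rules: the first <to> clause that
# applies to the attribute is used; inside it the first matching <who> clause
# decides, unless it says "break" (then the next ACL is tried); if no <who>
# matches, access is denied and no further ACLs are consulted.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def parse_acl(line):
    """Split one 'olcAccess: {n}to ... by ...' line into (attrs, by-clauses)."""
    what, *bys = [p.strip() for p in line.split("}", 1)[1].split(" by ")]
    what = what[len("to "):]
    attrs = None if what == "*" else set(what[len("attrs="):].split(","))
    clauses = []
    for part in bys:
        who, *rest = part.replace('"', "").split()
        access = next((t for t in rest if t in LEVELS), "none")  # default: none
        clauses.append((who, access, "break" if "break" in rest else "stop"))
    return attrs, clauses

def who_matches(who, subject, target):
    """<who> forms used on the page: *, anonymous, users, self, dn.base=<DN>."""
    if who.startswith("dn.base="):
        return subject == who[len("dn.base="):]
    return {"*": True, "anonymous": subject == "", "users": subject != "",
            "self": subject != "" and subject == target}[who]

def allowed(acls, subject, target, attr, wanted):
    """True if `subject` ("" = anonymous) gets `wanted` access to target's attr."""
    granted = "none"
    for attrs, clauses in map(parse_acl, acls):
        if attrs is not None and attr not in attrs:
            continue                                   # this <to> does not apply
        for who, access, control in clauses:
            if not who_matches(who, subject, target):
                continue
            granted = access
            if control == "break":
                break                                  # carry on with next ACL
            return LEVELS.index(granted) >= LEVELS.index(wanted)
        else:
            return False        # "no more <who> clauses, returning =0 (stop)"
    return LEVELS.index(granted) >= LEVELS.index(wanted)

ORIGINAL = [  # the rule set from the question
    'olcAccess: {0}to * by dn.base="cn=admin,dc=example,dc=com" manage',
    'olcAccess: {1}to * by dn.base="uid=rpuser,dc=example,dc=com" read',
    'olcAccess: {2}to attrs=userPassword by self write by anonymous auth by * none',
    'olcAccess: {3}to attrs=shadowLastChange by self write by * read',
    'olcAccess: {4}to * by users read',
]
FIXED = [ORIGINAL[0] + " by * break", ORIGINAL[1] + " by * break"] + ORIGINAL[2:]
```

The bind in the log is an anonymous request for "auth" access to rpuser's userPassword: allowed(ORIGINAL, "", "uid=rpuser,dc=example,dc=com", "userPassword", "auth") stops at rule {0} and returns False, while the same call against FIXED reaches rule {2} and returns True.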
