我正在使用具有複製功能的 OpenLDAP 伺服器,並且需要設定適當的 ACL 以使複製使用者能夠讀取來源主機中的所有內容。
看完之後本文建立了這套規則:
olcAccess: {0}to * by dn.base="cn=admin,dc=example,dc=com" manage
olcAccess: {1}to * by dn.base="uid=rpuser,dc=example,dc=com" read
olcAccess: {2}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {3}to attrs=shadowLastChange by self write by * read
olcAccess: {4}to * by users read
我想要實現的是:
- 管理員可以做一切,沒有限制
- 複製用戶可以讀取所有內容
- 使用者可以更改密碼
- 只有登入使用者才可以對目錄進行任何訪問,不能進行匿名訪問。
將上述ACL設定到伺服器後,複製使用者根本無法登入。我不明白為什麼會發生這種情況,複製用戶 DN 是正確的,據我所知它應該匹配...
嘗試登入後伺服器記錄:
slapd[3475]: => access_allowed: result not in cache (userPassword)
slapd[3475]: => access_allowed: auth access to "uid=rpuser,dc=example,dc=com" "userPassword" requested
slapd[3475]: => acl_get: [1] attr userPassword
slapd[3475]: => acl_mask: access to entry "uid=rpuser,dc=example,dc=com", attr "userPassword" requested
slapd[3475]: => acl_mask: to value by "", (=0)
slapd[3475]: <= check a_dn_pat: cn=admin,dc=example,dc=com
slapd[3475]: <= acl_mask: no more <who> clauses, returning =0 (stop)
slapd[3475]: => slap_access_allowed: auth access denied by =0
slapd[3475]: => access_allowed: no more rules
如果我理解正確的話,只檢查第一個 ACL?
答案1
這些 ACL 未經測試,但應該可以工作:
olcAccess: {0}to * by dn.base="cn=admin,dc=example,dc=com" manage by * break
olcAccess: {1}to * by dn.base="uid=rpuser,dc=example,dc=com" read by * break
olcAccess: {2}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {3}to attrs=shadowLastChange by self write by * read
olcAccess: {4}to * by users read
您將需要by * break前兩條規則,因此如果特定子句中沒有符合項,by則會檢查下一條規則。你不需要by * breakinattrs=userPassword或attrs=shadowLastChange- 不應該有後備to * by users read。