主页 / server / 问题 / 770553
Accepted
fghj
Asked: 2016-04-16 02:03:30 +0800 CST

openldap 授予组对子树的写访问权限

  • 772

我有

dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people

和它的管理员组:

dn: cn=people-admins,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: admins of people group
uniqueMember: uid=admin1,ou=people,dc=example,dc=com

我添加了这样的规则以允许people-admins添加/删除/修改people组中的用户

dn: olcDatabase={1}hdb,cn=config
changetype: modify
delete: olcAccess
-
add: olcAccess
olcAccess: to attrs=userPassword,shadowLastChange by self write by dn="cn=admin,dc=example,dc=com" write by anonymous auth by * none
olcAccess: to dn.one="ou=people,dc=example,dc=com" by group.exact=cn=people-admins,ou=groups,dc=example,dc=com write by self write by dn="cn=admin,dc=example,dc=com" write by * none
olcAccess: to dn.base="ou=people,dc=example,dc=com" by group.exact=cn=people-admins,ou=groups,dc=example,dc=com write by self write by dn="cn=admin,dc=example,dc=com" write by * none
olcAccess: to dn.children="ou=people,dc=example,dc=com" by group.exact=cn=people-admins,ou=groups,dc=example,dc=com write by self write by dn="cn=admin,dc=example,dc=com" write by * none
olcAccess: to dn.subtree="ou=people,dc=example,dc=com" by group.exact=cn=people-admins,ou=groups,dc=example,dc=com write by self write by dn="cn=admin,dc=example,dc=com" write by * none
olcAccess: to * by self write by dn="cn=admin,dc=example,dc=com" write by * none

然后我尝试people使用 admin1 的凭据将新用户添加到组中,并得到了这个:

ldapadd -x -H ldap://127.0.0.1:3000/  -D "uid=admin1,ou=people,dc=example,dc=com" -W
dn: uid=test1,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: test1
sn: test
givenName: test1
cn: test test1
displayName: Test1
userPassword: test1
adding new entry "uid=test1,ou=people,dc=example,dc=com"
ldap_add: Insufficient access (50)
        additional info: no write access to parent

这里类似的问题,但它收到错误的答案,因为dn.entry在openldap中不存在。

ldap openldap access-control-list

2 个回答

  1. Best Answer

    问题是group.exact不能与groupOfUniqueNames. 我通过更改此规则解决了它:

    by group.exact=cn=people-admins,ou=groups,dc=example,dc=com write

    这条规则:

    by group/groupOfUniqueNames/uniqueMember=cn=people-admins,ou=groups,dc=example,dc=com write
    • 2

  2. 如果您刚刚开始,我建议切换到 usinggroupOfNames而不是groupOfUniqueNames.

    大多数与 OpenLDAP 交互以获得组成员身份的系统默认需要 groupOfNames,包括 OpenLDAP 本身。虽然它们通常可以修改为使用 groupOfUniqueNames/uniqueMember(例如,或者您自己在 OpenLDAP 的 olcAccess 中使用),但这将使您不必调整默认值。sssd-ldap ldap_group_member

    distinguishedNameMatch, used bymemberuniqueMemberMatchused by之间有区别uniqueMember,但前者通常就足够了。

    $ ldapadd <<EOF
dn: cn=testgroup,ou=groups,dc=example,dc=com
> objectclass: groupofnames
> member: uid=testuser,ou=people,dc=example,dc=com
> member: uid=testuser,ou=people,dc=example,dc=com
> EOF
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 56
SASL data security layer installed.
adding new entry "cn=testgroup,ou=groups,dc=example,dc=com"
ldap_add: Type or value exists (20)
    additional info: member: value #0 provided more than once



$ ldapsearch cn=testgroup
dn: cn=testgroup,ou=groups,dc=example,dc=com
objectClass: groupOfNames
objectClass: posixGroup
cn: testgroup
gidNumber: 12345
member: uid=testuser,ou=people,dc=example,dc=com

$ ldapmodify <<EOF
dn: cn=testgroup,ou=groups,dc=example,dc=com
add: member
member: uid=testuser,ou=people,dc=example,dc=com
EOF

SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 56
SASL data security layer installed.
modifying entry "cn=testgroup,ou=groups,dc=example,dc=com"
ldap_modify: Type or value exists (20)
    additional info: modify/add: member: value #0 already exists
    • 1

相关问题