
I have a spring application that adds users to slapd. Users are added and associated with a group. The application is modular, and different modules are able to create users to be added to slapd. The original developer did not account for the group, and two of the modules would create a user that could not log in to a third module. Once I corrected this, I saw slapd searching through all the dns in the group:

conn=1020 op=1 SRCH base="ou=groups,dc=example,dc=com" scope=1 deref=3 filter="(member=uid=hack-a-tack,ou=users,dc=example,dc=com)"

This search then walks every user in the group, not just the one in the filter.

Jun 12 10:07:16 cm-coret1 slapd[8145]: conn=1020 op=1 SRCH base="ou=groups,dc=example,dc=com" scope=1 deref=3 filter="(member=uid=hack-a-tack,ou=users,dc=example,dc=com)"
Jun 12 10:07:16 cm-coret1 slapd[8145]: conn=1020 op=1 SRCH attr=cn
Jun 12 10:07:16 cm-coret1 slapd[8145]: => access_allowed: search access to "ou=groups,dc=example,dc=com" "entry" requested
Jun 12 10:07:16 cm-coret1 slapd[8145]: => dn: [2] ou=users,dc=example,dc=com
Jun 12 10:07:16 cm-coret1 slapd[8145]: => acl_get: [3] attr entry
Jun 12 10:07:16 cm-coret1 slapd[8145]: => acl_mask: access to entry "ou=groups,dc=example,dc=com", attr "entry" requested
Jun 12 10:07:16 cm-coret1 slapd[8145]: => acl_mask: to all values by "cn=manager,ou=users,dc=example,dc=com", (=0)
Jun 12 10:07:16 cm-coret1 slapd[8145]: <= check a_dn_pat: cn=admin,dc=example,dc=com
Jun 12 10:07:16 cm-coret1 slapd[8145]: <= check a_dn_pat: cn=manager,ou=users,dc=example,dc=com
Jun 12 10:07:16 cm-coret1 slapd[8145]: <= acl_mask: [2] applying write(=wrscxd) (stop)
Jun 12 10:07:16 cm-coret1 slapd[8145]: <= acl_mask: [2] mask: write(=wrscxd)
Jun 12 10:07:16 cm-coret1 slapd[8145]: => slap_access_allowed: search access granted by write(=wrscxd)
Jun 12 10:07:16 cm-coret1 slapd[8145]: => access_allowed: search access granted by write(=wrscxd)
Jun 12 10:07:16 cm-coret1 slapd[8145]: => bdb_filter_candidates
Jun 12 10:07:16 cm-coret1 slapd[8145]: #011EQUALITY
Jun 12 10:07:16 cm-coret1 slapd[8145]: bdb_idl_fetch_key: [01872a84]
Jun 12 10:07:16 cm-coret1 slapd[8145]: <= bdb_filter_candidates: id=0 first=0 last=0
Jun 12 10:07:16 cm-coret1 slapd[8145]: bdb_idl_fetch_key: %ou=groups,dc=example,dc=com
Jun 12 10:07:16 cm-coret1 slapd[8145]: => bdb_filter_candidates
Jun 12 10:07:16 cm-coret1 slapd[8145]: #011AND
Jun 12 10:07:16 cm-coret1 slapd[8145]: => bdb_list_candidates 0xa0
Jun 12 10:07:16 cm-coret1 slapd[8145]: => bdb_filter_candidates
Jun 12 10:07:16 cm-coret1 slapd[8145]: #011EQUALITY
Jun 12 10:07:16 cm-coret1 slapd[8145]: bdb_idl_fetch_key: [757973d2]
Jun 12 10:07:16 cm-coret1 slapd[8145]: <= bdb_filter_candidates: id=1 first=6 last=6
Jun 12 10:07:16 cm-coret1 slapd[8145]: <= bdb_list_candidates: id=1 first=6 last=6
Jun 12 10:07:16 cm-coret1 slapd[8145]: <= bdb_filter_candidates: id=1 first=6 last=6
Jun 12 10:07:16 cm-coret1 slapd[8145]: => test_filter
Jun 12 10:07:16 cm-coret1 slapd[8145]:     EQUALITY
Jun 12 10:07:16 cm-coret1 slapd[8145]: => access_allowed: search access to "cn=USER,ou=groups,dc=example,dc=com" "member" requested
Jun 12 10:07:16 cm-coret1 slapd[8145]: => dn: [2] ou=users,dc=example,dc=com
Jun 12 10:07:16 cm-coret1 slapd[8145]: => acl_get: [3] attr member
Jun 12 10:07:16 cm-coret1 slapd[8145]: => acl_mask: access to entry "cn=USER,ou=groups,dc=example,dc=com", attr "member" requested
Jun 12 10:07:16 cm-coret1 slapd[8145]: => acl_mask: to value by "cn=manager,ou=users,dc=example,dc=com", (=0)
Jun 12 10:07:16 cm-coret1 slapd[8145]: <= check a_dn_pat: cn=admin,dc=example,dc=com
Jun 12 10:07:16 cm-coret1 slapd[8145]: <= check a_dn_pat: cn=manager,ou=users,dc=example,dc=com
Jun 12 10:07:16 cm-coret1 slapd[8145]: <= acl_mask: [2] applying write(=wrscxd) (stop)
Jun 12 10:07:16 cm-coret1 slapd[8145]: <= acl_mask: [2] mask: write(=wrscxd)
Jun 12 10:07:16 cm-coret1 slapd[8145]: => slap_access_allowed: search access granted by write(=wrscxd)
Jun 12 10:07:16 cm-coret1 slapd[8145]: => access_allowed: search access granted by write(=wrscxd)
Jun 12 10:07:16 cm-coret1 slapd[8145]: dnMatch -3#012#011"uid=redients,ou=users,dc=example,dc=com"#012#011"uid=hack-a-tack,ou=users,dc=example,dc=com"
........> just continues to loop after this

This then blocks all other connections trying to do any kind of search or update. Does anyone know whether I can configure SLAPD.conf to send this search?

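The excerpt above shows slapd evaluating ACLs on the search base and on the group entry, then calling dnMatch once per member value of the group while testing the filter. To quantify that from a log capture, here is an added example (not code from the question or from OpenLDAP) that groups slapd debug lines by conn/op and counts ACL evaluations and dnMatch comparisons per search operation. The sample lines are constructed after the excerpt: the extra member values, the `dnMatch 0` line and the `SEARCH RESULT` line are made up. The reading that a non-zero dnMatch result means the compared value did not match the filter value is an assumption taken from the `-3` in the question's own line, where the two DNs differ. Debug lines carry no conn/op, so they are attributed to the most recent SRCH seen, which is only reliable when the capture contains one connection at a time.

```python
"""Summarise slapd debug output as one record per search operation.

Example code added for this page, not part of the question or of OpenLDAP.
The sample log below is constructed after the excerpt in the question.
"""
import re

# Constructed sample: one SRCH, ACL checks on the base and on the group entry,
# then one dnMatch per member value of the group (only the last one matches).
# syslog writes the embedded newline/tab of a debug line as #012 and #011.
SAMPLE_LOG = """\
Jun 12 10:07:16 cm-coret1 slapd[8145]: conn=1020 op=1 SRCH base="ou=groups,dc=example,dc=com" scope=1 deref=3 filter="(member=uid=hack-a-tack,ou=users,dc=example,dc=com)"
Jun 12 10:07:16 cm-coret1 slapd[8145]: conn=1020 op=1 SRCH attr=cn
Jun 12 10:07:16 cm-coret1 slapd[8145]: => access_allowed: search access to "ou=groups,dc=example,dc=com" "entry" requested
Jun 12 10:07:16 cm-coret1 slapd[8145]: => access_allowed: search access granted by write(=wrscxd)
Jun 12 10:07:16 cm-coret1 slapd[8145]: => access_allowed: search access to "cn=USER,ou=groups,dc=example,dc=com" "member" requested
Jun 12 10:07:16 cm-coret1 slapd[8145]: => access_allowed: search access granted by write(=wrscxd)
Jun 12 10:07:16 cm-coret1 slapd[8145]: dnMatch -3#012#011"uid=redients,ou=users,dc=example,dc=com"#012#011"uid=hack-a-tack,ou=users,dc=example,dc=com"
Jun 12 10:07:16 cm-coret1 slapd[8145]: dnMatch -6#012#011"uid=alice,ou=users,dc=example,dc=com"#012#011"uid=hack-a-tack,ou=users,dc=example,dc=com"
Jun 12 10:07:16 cm-coret1 slapd[8145]: dnMatch 0#012#011"uid=hack-a-tack,ou=users,dc=example,dc=com"#012#011"uid=hack-a-tack,ou=users,dc=example,dc=com"
Jun 12 10:07:16 cm-coret1 slapd[8145]: conn=1020 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""

SRCH_RE = re.compile(
    r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d+) deref=(\d+) filter="([^"]*)"'
)
ACL_RE = re.compile(r'=> access_allowed: search access to "([^"]*)" "([^"]*)" requested')
# first DN is the stored value, second DN is the value asserted by the filter
DNMATCH_RE = re.compile(r'dnMatch (-?\d+)#012#011"([^"]*)"#012#011"([^"]*)"')
# only a simple (attr=value) filter is split here; anything else stays unparsed
FILTER_VALUE_RE = re.compile(r"^\(([^=()]+)=(.*)\)$")


def summarize_search_ops(lines):
    """Return {(conn, op): stats} for every SRCH seen in the log lines."""
    ops = {}
    current = None
    for line in lines:
        m = SRCH_RE.search(line)
        if m:
            conn, op, base, scope, deref, filt = m.groups()
            fm = FILTER_VALUE_RE.match(filt)
            current = ops[(int(conn), int(op))] = {
                "base": base,
                "scope": int(scope),
                "deref": int(deref),
                "filter": filt,
                "filter_attr": fm.group(1) if fm else None,
                "filter_value": fm.group(2) if fm else None,
                "acl_checks": [],      # (entry dn, attribute) pairs slapd evaluated ACLs for
                "dn_compares": 0,      # dnMatch calls made while testing the filter
                "dn_mismatches": 0,    # of those, compares whose result was non-zero (assumed: no match)
                "matched_values": [],  # stored values whose dnMatch result was 0
            }
            continue
        if current is None:
            continue  # debug noise before the first SRCH: nothing to attribute it to
        m = ACL_RE.search(line)
        if m:
            current["acl_checks"].append((m.group(1), m.group(2)))
            continue
        m = DNMATCH_RE.search(line)
        if m:
            result, stored, asserted = m.groups()
            current["dn_compares"] += 1
            if int(result) != 0:
                current["dn_mismatches"] += 1
            else:
                current["matched_values"].append(stored)
    return ops


def report(ops):
    """Render the per-operation statistics as plain text lines."""
    out = []
    for (conn, op), s in sorted(ops.items()):
        out.append(f"conn={conn} op={op} base={s['base']} scope={s['scope']} filter={s['filter']}")
        out.append(f"  ACL evaluations: {len(s['acl_checks'])} on "
                   f"{len(set(s['acl_checks']))} distinct entry/attribute pairs")
        out.append(f"  dnMatch calls: {s['dn_compares']} "
                   f"({s['dn_mismatches']} against values other than the filter value)")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(summarize_search_ops(SAMPLE_LOG.splitlines())))
```

Run it against a real capture with `summarize_search_ops(open("/var/log/slapd.log"))`: a large `dn_mismatches` count relative to `dn_compares` on one operation is the signature of the behaviour in the question, where the filter matches a single value but slapd still compares every member of the group entry it found as a candidate.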

1 Answer


'Send this search'? Do you mean stop this search? The answer is no; you have to fix the application that is doing this.

Answered 2013-06-13T01:32:10.293