-1

我为应用服务构建了几个 OpenLDAP 服务器。两台服务器在配置方面似乎都很好,我可以使用 Apache Directory Studio 来管理这些服务器RootDN cn=admin,dc=somedomain,dc=com。并且复制也在它们之间起作用。这些是通过编译 OpenLDAP 源代码在 RHEL8 上构建的,因为不再提供 OpenLDAP 服务器包。OpenLDAP 版本是 2.4.52。

我可以通过 Directory Studio 创建 OU 和用户,并在应用程序中使用其中一个作为服务帐户进行身份验证。在这种情况下,用户是uid=svc-admin,ou=Admins,ou=People,dc=somedomain,dc=com并且 OU 如下:

  • ou=Admins,ou=People,dc=somedomain,dc=com
  • ou=读者,ou=人,dc=somedomain,dc=com
  • ou=用户,ou=人,dc=somedomain,dc=com

现在的要求是用户svc-admin应该对上述 OU 具有写入/完全权限,因为该应用程序旨在配置新用户,并且它将使用 svc-admin 作为服务帐户写入上述 OU。它应该能够创建用户并修改他们的属性。

我创建了一个 ACL 并能够使用 ldapmodify 应用它,但是,当我作为 Apache DS 上的 svc-admin 连接到 LDAP 服务器时,我可以读取但无法修改或创建新用户。当我这样做时,我通过 Apache DS 和 shell 都得到一个错误。权限不足 - 错误 50 - 没有对 parent 的写访问权

这是我使用的 ACL:

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: to dn.subtree="ou=People,dc=somedomain,dc=com" by dn.exact="uid=svc-admin,ou=Admins,ou=People,dc=somedomain,dc=com" write
olcAccess: to dn.subtree="ou=Users,ou=People,dc=somedomain,dc=com" by dn.exact="uid=svc-admin,ou=Admins,ou=People,dc=somedomain,dc=com" write
olcAccess: to dn.subtree="ou=Readers,ou=People,dc=somedomain,dc=com" by dn.exact="uid=svc-admin,ou=Admins,ou=People,dc=somedomain,dc=com" write

它不工作。这是我的olcDatabase={1}mdbolcDatabase={0} 配置文件。我清理了 ACL,因为它们没有任何好处

olcDatabase={1}mdb

# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 54063f10
dn: olcDatabase={1}mdb
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/openldap
olcSuffix: dc=somedomain,dc=com
olcAccess: {0}to attrs=userPassword,shadowLastChange,shadowExpire by self wr
 ite by anonymous auth by dn.subtree="gidNumber=0+uidNumber=0,cn=peercred,cn
 =external,cn=auth" manage  by * none
olcAccess: {1}to dn.subtree="dc=somedomain,dc=com" by dn.subtree="gidNumber=
 0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by users read by * re
 ad
olcRootDN: cn=admin,dc=somedomain,dc=com
olcRootPW:: e1NTSEF9dkc0ZkIyYkZrYVduNU1BbTdkAHQ5ZXE0WlFEUHBSSGk=
olcDbIndex: uid pres,eq
olcDbIndex: cn,sn pres,eq,approx,sub
olcDbIndex: mail pres,eq,sub
olcDbIndex: objectClass pres,eq
olcDbIndex: loginShell pres,eq
olcDbIndex: entryCSN eq
olcDbIndex: entryUUID eq
olcDbMaxSize: 42949672960
structuralObjectClass: olcMdbConfig
entryUUID: 3b57a8aa-b1d8-103a-87d6-7198db52aeab
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20201103042439Z
olcSyncrepl: {0}rid=003 provider=ldaps://ldapserver01.somedomain.com binddn="
 cn=admin,dc=somedomain,dc=com" bindmethod=simple credentials="TestCreds" s
 earchbase="dc=somedomain,dc=com" type=refreshAndPersist timeout=0 network-t
 imeout=0 retry="30 5 300 +"
olcSyncrepl: {1}rid=004 provider=ldaps://ldapserver02.somedomain.com binddn="
 cn=admin,dc=somedomain,dc=com" bindmethod=simple credentials="TestCreds" s
 earchbase="dc=somedomain,dc=com" type=refreshAndPersist timeout=0 network-t
 imeout=0 retry="30 5 300 +"
olcMirrorMode: TRUE
entryCSN: 20210202222100.054442Z#000000#001#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20210202222100Z

olcDatabase={0}配置:

# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 f2b26838
dn: olcDatabase={0}config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to dn.base="" by * read
olcAccess: {1}to dn.base="cn=Subschema" by * read
olcAccess: {2}to *  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=exter
 nal,cn=auth" manage  by self write by users read by anonymous auth
olcRootDN: cn=config
structuralObjectClass: olcDatabaseConfig
entryUUID: f1608708-b1d7-103a-8934-b724f0ebd8c8
creatorsName: cn=config
createTimestamp: 20201103042234Z
olcRootPW:: e1NTSEF9dkc0ZkIyYkZrYVduNU1BbTdkAHQ5ZXE0WlFEUHBSSGk=
olcSyncrepl: {0}rid=001 provider=ldaps://ldapserver01.ugo-wallet.com binddn="
 cn=config" bindmethod=simple credentials="TestCreds" searchbase="cn=config
 " type=refreshAndPersist timeout=0 network-timeout=0 retry="30 5 300 +"
olcSyncrepl: {1}rid=002 provider=ldaps://ldapserver02.ugo-wallet.com binddn="
 cn=config" bindmethod=simple credentials="TestCreds" searchbase="cn=config
 " type=refreshAndPersist timeout=0 network-timeout=0 retry="30 5 300 +"
olcMirrorMode: TRUE
entryCSN: 20210202221926.832349Z#000000#001#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20210202221926Z

我该如何解决这个问题。非常感谢解决此问题的任何帮助。

4

1 回答 1

0

我认为这可能不是合适的方法,但它对我有用。我从olcDatabase={1}mdb中删除了以下 ACL ..

olcAccess: {0}to attrs=userPassword,shadowLastChange,shadowExpire by self wr
 ite by anonymous auth by dn.subtree="gidNumber=0+uidNumber=0,cn=peercred,cn
 =external,cn=auth" manage  by * none
olcAccess: {1}to dn.subtree="dc=somedomain,dc=com" by dn.subtree="gidNumber=
 0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by users read by * re
 ad

..并在 LDIF 文件中添加以下内容,现在用户帐户 svc-admin 可以执行该应用程序中希望它执行的所有操作。

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword by self write by dn.exact="uid=svc-admin,ou=Admins,ou=People,dc=somedomain,dc=com" write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self write by dn.exact="uid=svc-admin,ou=Admins,ou=People,dc=somedomain,dc=com" write by * read
olcAccess: {2}to dn.subtree="ou=People,dc=somedomain,dc=com" by dn.exact="uid=svc-admin,ou=Admins,ou=People,dc=somedomain,dc=com" write
olcAccess: {3}to * by * read
于 2021-02-03T22:06:04.743 回答