ACL – subtree administrator should be able to change passwords, and so should the users themselves

dn: olcDatabase={1}hdb,cn=config
objectclass: olcDatabaseConfig
objectclass: olcHdbConfig
olcaccess: {0}to dn.subtree="ou=subtree,dc=domain,dc=tld" by self write by dn="cn=subadmin,dc=domain,dc=tld" write by users read by anonymous none
olcaccess: {1}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=mpbteam,dc=de" write by * none
olcaccess: {2}to dn.base="" by * read
olcaccess: {3}to * by self write by dn="cn=admin,dc=domain,dc=tld" write by * read

I am stuck on understanding the ACL ordering. The users of the subtree (dn: cn=subadmin,dc=domain,dc=tld) should be able to change their own password, but they do not fall under this rule set because the subtree-admin does not, yet the subtree admin can write new dns. If I remove ACL {0}, the users can change it again, but I need a subtree administrator with write permission for each subtree.

Regards,

Maik

The order of the ACL lines matters.

olcaccess: {0}to dn.subtree="ou=subtree,dc=domain,dc=tld" by self write by dn="cn=subadmin,dc=domain,dc=tld" write by users read by anonymous none
olcaccess: {1}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=mpbteam,dc=de" write by * none
olcaccess: {2}to dn.base="" by * read
olcaccess: {3}to * by self write by dn="cn=admin,dc=domain,dc=tld" write by * read

You can drop {2}, because {3} already covers {2}, and you should swap {1} and {0}. That is because the attributes are part of the subtree, and you have already told LDAP that the subtree may only be read by users. Try:

olcaccess: {0}to attrs=userPassword,shadowLastChange by self write by users write by anonymous auth by dn="cn=admin,dc=mpbteam,dc=de" write
olcaccess: {1}to dn.subtree="ou=subtree,dc=domain,dc=tld" by self write by dn="cn=subadmin,dc=domain,dc=tld" write by users read by anonymous none
olcaccess: {2}to * by self write by dn="cn=admin,dc=domain,dc=tld" write by * read

You also don't need by * none; that is implied.
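Added example (not code from the question or the answer): a small Python model of how slapd walks olcAccess values, first matching `to`, then first matching `by`, with the implicit `by * none`, run over the two orderings on this page; it shows the question's order giving an anonymous simple bind as a subtree user `none` on userPassword (so the user never authenticates) while the answer's order gives `auth`, and that the answer's `by users write` also lets any authenticated user write another user's password. It covers only the `<what>`/`<who>` forms used here, treats `dn=` as an exact DN, and the users alice and bob are constructed.

```python
import re
# OpenLDAP access levels, weakest to strongest; each level implies all the ones before it.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def parse_acl(text):
    """Split an olcAccess value '{n}to <what> by <who> <level> ...' into its clauses."""
    what, *bys = re.split(r"\s+by\s+", re.sub(r"^(\{\d+\})?\s*to\s+", "", text.strip()))
    return what, [tuple(b.rsplit(None, 1)) for b in bys]
def what_matches(what, entry_dn, attr):
    """Subset of the <what> syntax used on this page: *, dn.subtree=, dn.base=, attrs=."""
    if what == "*":
        return True
    m = re.fullmatch(r'dn\.(subtree|base)="([^"]*)"', what)
    if m:
        scope, base = m.groups()
        return entry_dn == base or (scope == "subtree" and entry_dn.endswith("," + base))
    m = re.fullmatch(r"attrs=(\S+)", what)
    return bool(m) and attr in m.group(1).split(",")
def who_matches(who, entry_dn, requester):
    """Subset of <who>: *, self, users, anonymous, dn="..." (assumed to mean an exact DN)."""
    m = re.fullmatch(r'dn="([^"]*)"', who)
    return (who == "*" or (who == "self" and requester != "" and requester == entry_dn)
            or (who == "users" and requester != "") or (who == "anonymous" and requester == "")
            or (bool(m) and requester == m.group(1)))
def access(acls, entry_dn, attr, requester=""):
    """First 'to' that selects the target wins, then the first matching 'by' inside it;
    no matching 'by' (or no matching 'to') is 'none', which is the implicit 'by * none'."""
    for acl in acls:
        what, bys = parse_acl(acl)
        if what_matches(what, entry_dn, attr):
            return next((lvl for who, lvl in bys if who_matches(who, entry_dn, requester)), "none")
    return "none"
def allows(acls, entry_dn, attr, requester, needed):
    """True if the granted level is at least 'needed' (e.g. 'auth' for a simple bind)."""
    return LEVELS.index(access(acls, entry_dn, attr, requester)) >= LEVELS.index(needed)

# olcAccess values copied from the question and the answer; only the ordering differs.
QUESTION = [
    '{0}to dn.subtree="ou=subtree,dc=domain,dc=tld" by self write by dn="cn=subadmin,dc=domain,dc=tld" write by users read by anonymous none',
    '{1}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=mpbteam,dc=de" write by * none',
    '{2}to dn.base="" by * read',
    '{3}to * by self write by dn="cn=admin,dc=domain,dc=tld" write by * read',
]
ANSWER = ['{0}to attrs=userPassword,shadowLastChange by self write by users write by anonymous auth by dn="cn=admin,dc=mpbteam,dc=de" write',
          QUESTION[0], QUESTION[3]]
ALICE, BOB = "uid=alice,ou=subtree,dc=domain,dc=tld", "uid=bob,ou=subtree,dc=domain,dc=tld"  # constructed users
if __name__ == "__main__":  # a simple bind reads userPassword anonymously and needs 'auth'
    print("alice can bind, question order:", allows(QUESTION, ALICE, "userPassword", "", "auth"))  # False
    print("alice can bind, answer order:", allows(ANSWER, ALICE, "userPassword", "", "auth"))      # True
    print("bob can set alice's password, answer order:", allows(ANSWER, ALICE, "userPassword", BOB, "write"))  # True
```

On a real server, slapacl(8) answers the same questions against the live configuration.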

Of course, I haven't tried it yet, because at the moment I can't edit my configuration file... Could you please take a look at:

LDAP build script fails on openLDAP-2.4.31 (ldapmodify -Y EXTERNAL -H ldapi:///)

for me?