I have
dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people
and a group of administrators for it:
dn: cn=people-admins,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: admins of people group
uniqueMember: uid=admin1,ou=people,dc=example,dc=com
I added rules like this to allow people-admins to add/delete/modify users in the people group:
dn: olcDatabase={1}hdb,cn=config
changetype: modify
delete: olcAccess
-
add: olcAccess
olcAccess: to attrs=userPassword,shadowLastChange
 by self write
 by dn="cn=admin,dc=example,dc=com" write
 by anonymous auth
 by * none
olcAccess: to dn.one="ou=people,dc=example,dc=com"
 by group.exact=cn=people-admins,ou=groups,dc=example,dc=com write
 by self write
 by dn="cn=admin,dc=example,dc=com" write
 by * none
olcAccess: to dn.base="ou=people,dc=example,dc=com"
 by group.exact=cn=people-admins,ou=groups,dc=example,dc=com write
 by self write
 by dn="cn=admin,dc=example,dc=com" write
 by * none
olcAccess: to dn.children="ou=people,dc=example,dc=com"
 by group.exact=cn=people-admins,ou=groups,dc=example,dc=com write
 by self write
 by dn="cn=admin,dc=example,dc=com" write
 by * none
olcAccess: to dn.subtree="ou=people,dc=example,dc=com"
 by group.exact=cn=people-admins,ou=groups,dc=example,dc=com write
 by self write
 by dn="cn=admin,dc=example,dc=com" write
 by * none
olcAccess: to *
 by self write
 by dn="cn=admin,dc=example,dc=com" write
 by * none
Then I tried to add a new user to the people group using admin1's credentials and got this:
ldapadd -x -H ldap://127.0.0.1:3000/ -D "uid=admin1,ou=people,dc=example,dc=com" -W
dn: uid=test1,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: test1
sn: test
givenName: test1
cn: test test1
displayName: Test1
userPassword: test1
adding new entry "uid=test1,ou=people,dc=example,dc=com"
ldap_add: Insufficient access (50)
        additional info: no write access to parent
There is a similar question here, but it got a wrong answer, because dn.entry does not exist in OpenLDAP.
The problem is group.exact with groupOfUniqueNames. I solved it by changing this rule:
by group.exact=cn=people-admins,ou=groups,dc=example,dc=com write
to this rule:
by group/groupOfUniqueNames/uniqueMember=cn=people-admins,ou=groups,dc=example,dc=com write
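As an added example (not part of the question or of either answer), here is a small Python checker built on the rule this answer relies on: in slapd.access(5) a bare `group=` or `group.exact=` clause is shorthand for `group/groupOfNames/member=`, so it silently never matches a groupOfUniqueNames entry. The checker takes the group entries as LDIF and an olcAccess value, compares every `by group...` clause with the objectClass of the entry it names, and prints the explicit `group/<objectClass>/<attribute>=` form when they disagree. It also evaluates whether a clause would match a given user DN, which reproduces why admin1 was refused with "no write access to parent" before the fix and is granted after it. The LDIF and the two olcAccess strings are constructed from this thread; `parse_ldif`, `audit_group_clauses` and `clause_grants` are my own helper names, not OpenLDAP APIs, and the LDIF reader is deliberately minimal (no base64 values, no changetype records).

```python
import re

# slapd.access(5): a bare "group=<dn>" (or "group.exact=<dn>") clause is
# shorthand for "group/groupOfNames/member=<dn>"; both defaults can only be
# overridden by spelling out group/<objectClass>/<attribute>.
DEFAULT_OC = "groupOfNames"
DEFAULT_ATTR = "member"
# Membership attribute each common group objectClass really uses.
MEMBER_ATTR = {"groupofnames": "member", "groupofuniquenames": "uniqueMember"}

# group[/objectClass[/attribute]][.style]=<dn>   (the DN may be quoted)
GROUP_RE = re.compile(
    r"\bgroup(?:/(?P<oc>[^/=.\s]+)(?:/(?P<attr>[^=.\s]+))?)?"
    r'(?:\.(?P<style>[a-z]+))?=(?P<dn>"[^"]*"|\S+)'
)


def parse_ldif(text):
    """Minimal LDIF reader (helper for this example): returns
    {dn.lower(): {attribute.lower(): [values]}}, folding continuation lines."""
    entries = {}
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        lines = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:      # LDIF continuation line
                lines[-1] += raw[1:]
            elif raw and not raw.startswith("#"):
                lines.append(raw)
        attrs = {}
        for line in lines:
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip().lower(), []).append(value.strip())
        dn = attrs.pop("dn", [""])[0]
        if dn:
            entries[dn.lower()] = attrs
    return entries


def resolve_clause(match):
    """Expand a matched group clause to what slapd will actually look up."""
    oc = match.group("oc") or DEFAULT_OC
    attr = match.group("attr") or DEFAULT_ATTR
    return oc, attr, match.group("dn").strip('"'), match.group("style") or "exact"


def audit_group_clauses(olc_access, groups):
    """Compare each 'by group...' clause with the group entry it names.
    Returns a list of {'clause', 'problem', 'fix'}; 'fix' is the explicit
    clause to use instead, or None when the entry cannot be found."""
    findings = []
    for match in GROUP_RE.finditer(olc_access):
        oc, attr, dn, style = resolve_clause(match)
        entry = groups.get(dn.lower())
        if entry is None:
            findings.append({"clause": match.group(0),
                             "problem": "group entry not found", "fix": None})
            continue
        real_oc = next((o for o in entry.get("objectclass", [])
                        if o.lower() in MEMBER_ATTR), None)
        if real_oc is None:
            continue                                # not a group class we know
        real_attr = MEMBER_ATTR[real_oc.lower()]
        if oc.lower() != real_oc.lower() or attr.lower() != real_attr.lower():
            suffix = "" if style == "exact" else f".{style}"   # exact is the default style
            findings.append({
                "clause": match.group(0),
                "problem": f"clause looks for {oc}/{attr}, entry is {real_oc}/{real_attr}",
                "fix": f"group/{real_oc}/{real_attr}{suffix}={dn}",
            })
    return findings


def clause_grants(clause, groups, user_dn):
    """Would this clause match user_dn? The group entry must carry the
    clause's objectClass and list user_dn under the clause's attribute."""
    match = GROUP_RE.search(clause)
    if not match:
        return False
    oc, attr, dn, _ = resolve_clause(match)
    entry = groups.get(dn.lower(), {})
    classes = {o.lower() for o in entry.get("objectclass", [])}
    members = {v.lower() for v in entry.get(attr.lower(), [])}
    return oc.lower() in classes and user_dn.lower() in members


# Constructed sample data, modelled on this thread.
GROUPS_LDIF = """\
dn: cn=people-admins,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: people-admins
uniqueMember: uid=admin1,ou=people,dc=example,dc=com
"""
BROKEN = ('to dn.children="ou=people,dc=example,dc=com" '
          "by group.exact=cn=people-admins,ou=groups,dc=example,dc=com write "
          'by self write by dn="cn=admin,dc=example,dc=com" write by * none')
FIXED = ('to dn.children="ou=people,dc=example,dc=com" '
         "by group/groupOfUniqueNames/uniqueMember=cn=people-admins,ou=groups,dc=example,dc=com write "
         'by self write by dn="cn=admin,dc=example,dc=com" write by * none')

if __name__ == "__main__":
    groups = parse_ldif(GROUPS_LDIF)
    admin1 = "uid=admin1,ou=people,dc=example,dc=com"
    for f in audit_group_clauses(BROKEN, groups):
        print(f"{f['clause']}\n  {f['problem']}\n  use: {f['fix']}")
    print("broken clause grants admin1:", clause_grants(BROKEN, groups, admin1))
    print("fixed clause grants admin1:", clause_grants(FIXED, groups, admin1))
```

Feed it the output of an `ldapsearch` over your groups OU and the olcAccess values from `cn=config` to find every clause that names a group of the wrong class; the suggested form keeps a non-default style such as `.expand` and drops `.exact` only because it is the default.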
If you are just starting out, I would suggest switching to groupOfNames instead of groupOfUniqueNames.
Most systems that interact with OpenLDAP for group membership default to groupOfNames, including OpenLDAP itself. While they can usually be changed to use groupOfUniqueNames / uniqueMember (e.g. sssd-ldap's ldap_group_member, or your own use in OpenLDAP's olcAccess), this saves you from having to adjust the defaults.
There is a difference between member and uniqueMember, which uses uniqueMemberMatch, but the former is usually sufficient.
$ ldapadd <<EOF
> dn: cn=testgroup,ou=groups,dc=example,dc=com
> objectclass: groupofnames
> member: uid=testuser,ou=people,dc=example,dc=com
> member: uid=testuser,ou=people,dc=example,dc=com
> EOF
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 56
SASL data security layer installed.
adding new entry "cn=testgroup,ou=groups,dc=example,dc=com"
ldap_add: Type or value exists (20)
        additional info: member: value #0 provided more than once
$ ldapsearch cn=testgroup
dn: cn=testgroup,ou=groups,dc=example,dc=com
objectClass: groupOfNames
objectClass: posixGroup
cn: testgroup
gidNumber: 12345
member: uid=testuser,ou=people,dc=example,dc=com
$ ldapmodify <<EOF
dn: cn=testgroup,ou=groups,dc=example,dc=com
add: member
member: uid=testuser,ou=people,dc=example,dc=com
EOF
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 56
SASL data security layer installed.
modifying entry "cn=testgroup,ou=groups,dc=example,dc=com"
ldap_modify: Type or value exists (20)
        additional info: modify/add: member: value #0 already exists