OpenLDAP monitor access ACL not working

I am unable to retrieve the monitor information from OpenLDAP running on CentOS 7. To set everything up, I followed these steps:

    $ cat module_monitor.ldif
    dn: cn=module{0},cn=config
    changetype: modify
    add: olcModuleLoad
    olcModuleLoad: {2}back_monitor
    $ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f module_monitor.ldif

Confirming that it worked:

    $ sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=module{0},cn=config"
    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    # extended LDIF
    #
    # LDAPv3
    # base <cn=module{0},cn=config> with scope subtree
    # filter: (objectclass=*)
    # requesting: ALL
    #

    # module{0}, config
    dn: cn=module{0},cn=config
    objectClass: olcModuleList
    cn: module{0}
    olcModulePath: /usr/lib64/openldap
    olcModuleLoad: {0}memberof
    olcModuleLoad: {1}refint
    olcModuleLoad: {2}back_monitor
    <...>

Next, add the monitor account:

    $ cat cn_monitor.ldif
    dn: cn=monitor,dc=company,dc=de
    objectClass: simpleSecurityObject
    objectClass: organizationalRole
    cn: monitor
    description: LDAP monitor
    userPassword: {CRYPT}REDACTED
    $ ldapadd -x -D "cn=admin,dc=company,dc=de" -W -f cn_monitor.ldif -ZZ -H ldap://openldap.internal.company.de

Finally, configure the ACL:

    $ cat database_monitor.ldif
    dn: olcDatabase={1}monitor,cn=config
    changetype: modify
    replace: olcAccess
    olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=manager,dc=company,dc=de" read by * none
    $ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f database_monitor.ldif

Confirming that it worked:

    $ sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b "olcDatabase={1}monitor,cn=config"
    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    # extended LDIF
    #
    # LDAPv3
    # base <olcDatabase={1}monitor,cn=config> with scope subtree
    # filter: (objectclass=*)
    # requesting: ALL
    #

    # {1}monitor, config
    dn: olcDatabase={1}monitor,cn=config
    objectClass: olcDatabaseConfig
    olcDatabase: {1}monitor
    olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external
     ,cn=auth" read by dn.base="cn=manager,dc=company,dc=de" read by * none

Now I can retrieve the monitor information using sudo with EXTERNAL authentication:

    $ sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=monitor"
    <...>
    # numResponses: 67
    # numEntries: 66

Unfortunately, I cannot achieve the same with the monitor user:

    $ ldapsearch -D "cn=monitor,dc=company,dc=de" -H ldap://openldap.internal.company.de -W -ZZ -b "cn=monitor"
    Enter LDAP Password:
    # extended LDIF
    #
    # LDAPv3
    # base <cn=monitor> with scope subtree
    # filter: (objectclass=*)
    # requesting: ALL
    #

    # search result
    search: 3
    result: 32 No such object

    # numResponses: 1

What am I missing here?

Your access list does not include cn=monitor,dc=company,dc=de. Therefore the DN you are trying to use is being caught by the `by * none` part of the olcAccess rule. (Without that part the same thing would happen, just not explicitly.)

The following LDIF should work as required:

    dn: olcDatabase={1}monitor,cn=config
    changetype: modify
    replace: olcAccess
    olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=manager,dc=company,dc=de" read by dn.base="cn=monitor,dc=company,dc=de" read by * none
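The answer hinges on slapd evaluating the `by` clauses of an olcAccess directive in order and stopping at the first one whose `who` part matches the bound identity. The following script is an added example, not part of the question or the answer above and not OpenLDAP code: it is a deliberately small first-match evaluator that parses the two olcAccess values from this page and reports which clause a given bind DN hits. It assumes a simplified DN comparison (lowercase, whitespace around commas removed) and only understands the `who` forms that appear on this page (`dn.base`/`dn.exact`, `*`, `anonymous`, `users`); slapd's real ACL engine handles many more forms and does full RFC 4514 DN matching.

```python
"""Added example: first-match evaluation of an OpenLDAP olcAccess value.

Not OpenLDAP's own code. Only the 'who' forms used on this page are
modelled: dn.base=/dn.exact=, '*', 'anonymous' and 'users'.
"""
import re
import shlex
from typing import List, Optional, Tuple

# The ACL the question ends up with (cn=monitor is not listed) ...
ORIGINAL_ACL = (
    '{0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read '
    'by dn.base="cn=manager,dc=company,dc=de" read by * none'
)
# ... and the ACL the answer proposes (cn=monitor added before 'by * none').
FIXED_ACL = (
    '{0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read '
    'by dn.base="cn=manager,dc=company,dc=de" read '
    'by dn.base="cn=monitor,dc=company,dc=de" read by * none'
)


def normalize_dn(dn: str) -> str:
    # Assumption: lowercasing and trimming whitespace around commas is
    # enough here (it also absorbs the " ,cn=auth" LDIF line fold seen in
    # the ldapsearch output). slapd does real RFC 4514 normalization.
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_olcaccess(value: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split '{n}to <what> by <who> <access> by ...' into the <what> part
    and the ordered list of (who, access) clauses."""
    value = re.sub(r"^\{\d+\}", "", value.strip())  # drop the {0} ordering prefix
    tokens = shlex.split(value)                     # keeps quoted DNs as one token
    if not tokens or tokens[0] != "to":
        raise ValueError("olcAccess value must start with 'to'")
    what, rest = tokens[1], tokens[2:]
    clauses: List[Tuple[str, str]] = []
    i = 0
    while i < len(rest):
        if rest[i] != "by" or i + 2 >= len(rest):
            raise ValueError(f"malformed 'by' clause near token {i}: {rest[i:]}")
        clauses.append((rest[i + 1], rest[i + 2]))
        i += 3
    return what, clauses


def evaluate_access(value: str, bind_dn: Optional[str]) -> Tuple[str, str]:
    """Return (matching who-clause, granted access) for a bind DN.

    bind_dn=None models an anonymous bind. slapd stops at the first
    matching clause; if none matches, an implicit 'by * none' applies.
    """
    _, clauses = parse_olcaccess(value)
    for who, access in clauses:
        if who == "*":
            return who, access
        if who == "anonymous" and bind_dn is None:
            return who, access
        if who == "users" and bind_dn is not None:
            return who, access
        if who.startswith(("dn.base=", "dn.exact=")) and bind_dn is not None:
            target = who.split("=", 1)[1]
            if normalize_dn(target) == normalize_dn(bind_dn):
                return who, access
    return "(implicit by * none)", "none"


if __name__ == "__main__":
    monitor = "cn=monitor,dc=company,dc=de"
    root_sasl = "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
    for label, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        for dn in (root_sasl, monitor, None):
            who, access = evaluate_access(acl, dn)
            print(f"{label:8} bind={dn or '<anonymous>'!s:60} -> {access:5} via {who}")
```

Run against the original ACL, the monitor DN falls through to `by * none`, which is exactly why the search returns "No such object" rather than a permission error: with no read access to the entry, slapd behaves as if the base does not exist. With the fixed ACL the same DN matches its own `dn.base` clause and gets `read`; the order matters, so the new clause has to sit before `by * none`, as the answer's LDIF does.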