我运行的openldap是2.4.40,并且已经应用了以下ACL:
olcAccess:{0}到*
由自己写
由dn =“cn = Manager,dc = sample,dc = com”写入
通过*阅读
olcAccess:{1}到dn.children =“ou = sysUsers,dc = sample,dc = com”
ATTRS =的userPassword,shadowLastChange介绍sshPublicKey
由自己写
由dn =“cn = Manager,dc = sample,dc = com”写入
由匿名authentication
由*无
我想通过用户(sysUsers)来更改userPassword,shadowLastChange,description,sshPublicKey。 但是它给我的权限错误,不写权限。
#slapacl -D''-b'uid = user1,ou = sysUsers,dc = sample,dc = com' authcDN:“” 条目:read(= rscxd) children:read(= rscxd) gidNumber = 1000:read(= rscxd) homeDirectory = / home / user1:read(= rscxd) : cn = user1:read(= rscxd) sshPublicKey = ssh-rsa AAAAB3Nza ... cGWliPbw == [email protected]:read(= rscxd) userPassword = ****:read(= rscxd) description = test user1:read(= rscxd) : modifyTimestamp = 20161025074434Z:read(= rscxd)
LDAP响应:访问不足 错误号:0x32(LDAP_INSUFFICIENT_ACCESS) 说明:您没有足够的权限执行该操作。
我尝试修改描述由用户uid = user1,ou = sysUsers,dc =样品,dc = com,但失败。
uid = Manager,ou = sysUsers,dc = sample,dc = com可以修改。
我究竟做错了什么? 我怀疑ACL的问题?
olcAccess: {0}to * by self write by dn="cn=Manager,dc=sample,dc=com" write by * read olcAccess: {1}to dn.children="ou=sysUsers,dc=sample,dc=com" attrs=userPassword,shadowLastChange,description,sshPublicKey by self write by dn="cn=Manager,dc=sample,dc=com" write by anonymous auth by * none
首先你给出的ACL序列是不正确的,在这种情况下,所有的东西都会匹配到第一个指令,因为它有“*”,匹配所有的东西,而且它永远不会去ACL的第二条规则。
其次,您用于检查ACL权限的命令不正确,您已经使用了:
slapacl -D '' -b 'uid=user1,ou=sysUsers,dc=sample,dc=com'
哪个不正确-D是要检查权限的DN , -b是要检查权限的baseDN。
所以正确的命令应该检查自己的权限:
slapacl -D 'uid=user1,ou=sysUsers,dc=sample,dc=com' -b 'uid=user1,ou=sysUsers,dc=sample,dc=com'
编辑后你的发现 :你已经应用的ACL为Dn:olcDatabase = {0}configuration,cn =configuration,而它应该应用于数据库DN DN:olcDatabase = {2} bdb,cn =configuration
我很确定你要做的就是改变DN的描述:“uid = Manager,ou = sysUsers,dc = sample,dc = com”哪个课程根据ACL任何其他将不能做的除DN :“uid = Manager,ou = sysUsers,dc = sample,dc = com”本身或DN:“cn = Manager,dc = sample,dc = com”。
希望这可以帮助! 如果答案是肯定的,请将答案标为帮助或回答。
至。 Anirudh Malhotra谢谢回答。
我试过改变ALC。
[root @ evolable-ldap-01 cn = config]#cat olcDatabase \ = \ {0 \} config.ldif
#自动生成的文件 - 不要编辑! 使用ldapmodify。
#CRC32 57182ee5
dn:olcDatabase = {0} config
objectClass:olcDatabaseConfig
olcDatabase:{0} config
olcAddContentAcl:TRUE
olcLastMod:TRUE
olcMaxDerefDepth:15
olcReadOnly:FALSE
olcRootDN:cn = config
olcSyncUseSubentry:FALSE
olcMonitoring:FALSE
structuralObjectClass:olcDatabaseConfig
entryUUID:af419f18-0036-1035-8ba5-452a6aebab7f
creatorsName:cn = config
createTimestamp:20151006052730Z
olcAccess:{0}到dn.children =“ou = sysUsers,dc = evolableasia,dc = net”
ATTRS =的userPassword,shadowLastChange介绍sshPublicKey
由dn =“uid = user1,ou = sysUsers,dc = sample,dc = com”写入
由自己写
由dn =“cn = Manager,dc = sample,dc = com”写入
由*无
olcAccess:{1}到*
由自己写
由dn =“cn = Manager,dc = sample,dc = com”写入
由匿名authentication
通过*阅读
entryCSN:20161026004145.362887Z#000000#000#000000
modifiersName:cn = manager,dc = sample,dc = com
modifyTimestamp:20161026004145Z
但是,slapacl没有改变。
#slapacl -D''-b'uid = user1,ou = sysUsers,dc = sample,dc = com' authcDN:“uid = user1,ou = sysusers,dc = sample,dc = com” 条目:read(= rscxd) children:read(= rscxd) gidNumber = 1000:read(= rscxd) homeDirectory = / home / user1:read(= rscxd) : cn = user1:read(= rscxd) sshPublicKey = ssh-rsa AAAAB3Nza ... cGWliPbw == [email protected]:read(= rscxd) userPassword = ****:read(= rscxd) description = test user1:read(= rscxd) : modifyTimestamp = 20161025074434Z:read(= rscxd)