openldap ACL not read

Time: 2016-05-02 14:19:12

Tags: linux unix ldap debian openldap

I am running ldap 2.4.40 on debian and I have a problem configuring a new acl in openldap. Here are the acls I configured:

olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=extern
 al,cn=auth manage by * break
olcAccess: {1}to attrs=userPassword by self write by anonymous auth by dn="c
 n=admin,dc=xxxxx,dc=xx" write by * none
olcAccess: {2}to dn.base="" by * read
olcAccess: {3}to * by self write by dn="cn=admin,dc=xxxxx,dc=cc" write by * read
olcAccess: {4}to attrs=userPassword by dn="cn=extra,ou=system,dc=xxxxx
 ,dc=xx" write
olcAccess: {5}to * by dn="cn=extra,ou=system,dc=xxxxx,dc=xx" write

Here is the debug trace when I run slapadd:

57271dfe => acl_get: [4] attr children
57271dfe => acl_mask: access to entry "dc=test,dc=com,ou=accounts,dc=xxxxxx,dc=xx", attr "children" requested
57271dfe => acl_mask: to all values by "cn=extra,ou=system,dc=xxxxx,dc=xx", (=0)
57271dfe <= check a_dn_pat: self
57271dfe <= check a_dn_pat: cn=admin,dc=xxxxx,dc=xx
57271dfe <= check a_dn_pat: *
57271dfe <= acl_mask: [3] applying read(=rscxd) (stop)
57271dfe <= acl_mask: [3] mask: read(=rscxd)
57271dfe => slap_access_allowed: add access denied by read(=rscxd)
57271dfe => access_allowed: no more rules

It seems that not all of my acls are being read? Is that possible?

If so, adding an object with the "extra" user should be allowed by acl #4 and #5 (which have write access), right?

1 answer:

Answer 0 (score: 0)

This is covered - I believe - in the OpenLDAP FAQ. Excerpt:

Ordering is very important here. Once a subject match occurs, the mask will be determined and resolution will stop.

The debug messages are clear: at rule #3 there is a match. The by * read component of rule 3 matches the requester (cn=extra,ou=system,dc=xxxxx,dc=xx), so processing stops. This means you need to move what is currently rule 5 ahead of rule 3.
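The reordering the answer describes, written out as an ldapmodify LDIF (an added example, not code from the question or the answer). It goes one step further than the answer: rule 1 (`to attrs=userPassword ... by * none`) stops evaluation for cn=extra in the same way rule 3 does, so the old rule 4 is folded into rule 1 and the old rule 5 into rule 3, each placed ahead of the catch-all `by *` clause. The database DN `olcDatabase={1}mdb,cn=config` is an assumed placeholder, the suffix `dc=xxxxx,dc=xx` is taken from the question, and the `dc=cc` in the posted rule 3 is assumed to be a typo for `dc=xx`.

```ldif
# Added example, not from the question or the answer above.
# Apply with:  ldapmodify -Y EXTERNAL -H ldapi:/// -f fix-acl.ldif
# Assumption: the database is olcDatabase={1}mdb,cn=config (placeholder;
# confirm with: ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase)
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# {0} unchanged: "break" lets evaluation continue for everyone except root-over-ldapi
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
# {1}: old rule 4 folded in, ahead of "by * none", which would otherwise stop evaluation for cn=extra
olcAccess: {1}to attrs=userPassword by self write by anonymous auth by dn="cn=admin,dc=xxxxx,dc=xx" write by dn="cn=extra,ou=system,dc=xxxxx,dc=xx" write by * none
olcAccess: {2}to dn.base="" by * read
# {3}: old rule 5 folded in, ahead of the catch-all "by * read" that matched in the trace
olcAccess: {3}to * by self write by dn="cn=admin,dc=xxxxx,dc=xx" write by dn="cn=extra,ou=system,dc=xxxxx,dc=xx" write by * read
```

Within one rule the `by` clauses are also first-match, so the order inside rule 1 and rule 3 matters as much as the order of the rules. Before loading real data, the effective access can be checked offline against the config directory with `slapacl`, for example `slapacl -F /etc/ldap/slapd.d -D "cn=extra,ou=system,dc=xxxxx,dc=xx" -b "ou=accounts,dc=xxxxx,dc=xx" children/add`, which should now report the add access as ALLOWED instead of DENIED.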