ldap_add:访问不足(50)

时间:2016-09-12 16:02:09

标签: openldap centos7

我正在尝试使用以下命令添加以下条目:

ldapadd -Y EXTERNAL -H ldapi:/// -f server5_ldap.ldif

server5_ldap.ldif的内容如下:

# Entry 31: cn=default,ou=pwpolicies,dc=example,dc=com
dn: cn=default,ou=pwpolicies,dc=example,dc=com
cn: default
objectclass: device
objectclass: top
objectclass: pwdPolicy
objectclass: pwdPolicyChecker
pwdallowuserchange: TRUE
pwdattribute: userPassword
pwdcheckquality: 2
pwdexpirewarning: 604800
pwdfailurecountinterval: 3600
pwdgraceauthnlimit: 0
pwdinhistory: 5
pwdlockout: TRUE
pwdlockoutduration: 900
pwdmaxage: 0
pwdmaxfailure: 5
pwdminage: 0
pwdminlength: 8
pwdmustchange: FALSE
pwdsafemodify: FALSE

我收到错误:

ldap_add: Insufficient access (50)
    additional info: no write access to parent

我的permissions.ldif如下所示:

#OlcAccess
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0} to attrs=userPassword by self write by anonymous auth by dn.exact="cn=Manager,dc=example,dc=com" manage by dn.exact="cn=admin,cn=config" manage by dn.exact="cn=ConnectedSyncAdmin,ou=customers,dc=example,dc=com" write by * none
olcAccess: {1} to attrs=uid by self write by anonymous auth by dn.exact="cn=Manager,dc=example,dc=com" manage  by dn.exact="cn=admin,cn=config" manage by dn.exact="cn=ConnectedSyncAdmin,ou=customers,dc=example,dc=com" write by * none
olcAccess: {2} to attrs=objectClass by self write by anonymous auth by dn.exact="cn=Manager,dc=example,dc=com" manage by dn.exact="cn=admin,cn=config" manage by dn.exact="cn=ConnectedSyncAdmin,ou=customers,dc=example,dc=com" write by * none
olcAccess: {3} to attrs=cn by self write by anonymous auth by dn.exact="cn=Manager,dc=example,dc=com" manage by dn.exact="cn=admin,cn=config" manage by dn.exact="cn=ConnectedSyncAdmin,ou=customers,dc=example,dc=com" write by * none
olcAccess: {4} to attrs=sn by self write by anonymous auth by dn.exact="cn=Manager,dc=example,dc=com" manage by dn.exact="cn=admin,cn=config" manage by dn.exact="cn=ConnectedSyncAdmin,ou=customers,dc=example,dc=com" write by * none
olcAccess: {5} to * by self write by dn.exact="cn=Manager,dc=example,dc=com" manage by dn.exact="cn=admin,cn=config" manage by dn.exact="cn=ConnectedSyncAdmin,ou=customers,dc=example,dc=com" write by users read by anonymous none
olcAccess: {6} to attrs=userPassword by self write by anonymous auth by dn.exact="cn=Manager,dc=example,dc=com" manage by dn.exact="cn=admin,cn=config" manage by dn.exact="cn=pwpolicies,ou=PPS,dc=example,dc=com" write by * none

我是ldap的新手,我被这个问题阻止任何帮助都将受到高度赞赏。

1 个答案:

答案 0 :(得分:1)

如果要使用Unix域套接字认证(-Y EXTERNAL),则必须授予root对数据库的manage权限。通过Unix域套接字进行dn身份验证的root是:

gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

在Redhat和CentOS上,仅配置和监视器后端具有root权限。

# ldapsearch -Y EXTERNAL -Q -H ldapi:/// -LLL -o ldif-wrap=no -b cn=config '(objectClass=olcDatabaseConfig)' olcAccess 
dn: olcDatabase={-1}frontend,cn=config

dn: olcDatabase={0}config,cn=config
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none

dn: olcDatabase={1}monitor,cn=config
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by * none

dn: olcDatabase={2}hdb,cn=config

如果要以与配置管理相同的方式来管理数据库2,则必须向数据库2(配置后端)定义相同的olcAccess规则到数据库2。

to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
相关问题
最新问题