我正在寻找一种方法来允许LDAP用户写入具有其名称的分支。例如,我希望允许每个用户A,B,C写入cn = A,ou = foo,cn = B,ou = foo,cn = C,ou = foo ... 如果没有明确地写它,有没有办法做到这一点。
不是那样的:
access: to subtree="cn=A,ou=foo"
by dn.exact="uid=A,ou=people" write
access: to subtree="cn=B,ou=foo"
by dn.exact="uid=B,ou=people" write
...
有正则表达式吗?
答案 0 :(得分:1)
这样的事情会起作用:
olcAccess: to dn.regex=".+,cn=([^,]+),ou=foo$"
by dn.exact,expand="uid=$1,ou=people" write
by users read
by * none
每个用户都有对ou=foo的名称分支的写访问权。
答案 1 :(得分:0)
您无需为每个用户指定此项。你只需要
access: to * by self write
答案 2 :(得分:0)
我明白了。
目录架构:
cn=user2 gidNumber=235 homeDirectory=/home/user2 uid=user2 uidNumber=235 userPassword={SSHA hashed password} cn=user1,ou=People,dc=myorg,dc=com objectClass=account,extensibleObject,posixAccount,shadowAccount,top cn=user1 gidNumber=234 homeDirectory=/home/user1 uid=user1 uidNumber=234 userPassword={SSHA hashed password} cn=user1,ou=People,dc=myorg,dc=com objectClass=account,extensibleObject,posixAccount,shadowAccount,top
用户:
access to dn.subtree="ou=nonprod,dc=myorg,dc=com"
by dn.exact="cn=user1,ou=People,dc=myorg,dc=com" manage
by dn.exact="cn=user2,ou=People,dc=myorg,dc=com" none
access to dn.subtree="ou=prod,dc=myorg,dc=com"
by dn.exact="cn=user1,ou=People,dc=myorg,dc=com" none
by dn.exact="cn=user2,ou=People,dc=myorg,dc=com" manage
access to dn.base="" by * read
access to dn.base="cn=subschema" by * read
access to *
by self write
by anonymous auth
的ACL:
{{1}}