每个用户的{LDAP}特定ACL

时间:2017-08-21 13:02:32

标签: linux ldap acl openldap

我正在寻找一种方法来允许LDAP用户写入具有其名称的分支。例如,我希望允许每个用户A,B,C写入cn = A,ou = foo,cn = B,ou = foo,cn = C,ou = foo ... 如果没有明确地写它,有没有办法做到这一点。

不是那样的:

access: to subtree="cn=A,ou=foo"
  by dn.exact="uid=A,ou=people" write
access: to subtree="cn=B,ou=foo"
  by dn.exact="uid=B,ou=people" write
...

有正则表达式吗?

3 个答案:

答案 0 :(得分:1)

这样的事情会起作用:

olcAccess: to dn.regex=".+,cn=([^,]+),ou=foo$"
  by dn.exact,expand="uid=$1,ou=people" write
  by users read
  by * none

每个用户都有对ou=foo的名称分支的写访问权。

答案 1 :(得分:0)

您无需为每个用户指定此项。你只需要

access: to * by self write

答案 2 :(得分:0)

我明白了。

目录架构:

cn=user2
gidNumber=235
homeDirectory=/home/user2
uid=user2
uidNumber=235
userPassword={SSHA hashed password}
cn=user1,ou=People,dc=myorg,dc=com
objectClass=account,extensibleObject,posixAccount,shadowAccount,top

cn=user1
gidNumber=234
homeDirectory=/home/user1
uid=user1
uidNumber=234
userPassword={SSHA hashed password}
cn=user1,ou=People,dc=myorg,dc=com
objectClass=account,extensibleObject,posixAccount,shadowAccount,top

用户:

access to dn.subtree="ou=nonprod,dc=myorg,dc=com"
    by dn.exact="cn=user1,ou=People,dc=myorg,dc=com" manage
    by dn.exact="cn=user2,ou=People,dc=myorg,dc=com" none

 access to dn.subtree="ou=prod,dc=myorg,dc=com"
    by dn.exact="cn=user1,ou=People,dc=myorg,dc=com" none
    by dn.exact="cn=user2,ou=People,dc=myorg,dc=com" manage

 access to dn.base="" by * read
 access to dn.base="cn=subschema" by * read

 access to *
    by self write
    by anonymous auth

的ACL:

{{1}}
相关问题
最新问题