每个需要访问的服务都必须经过身份验证才能访问用户信息,例如以下服务:
dn: cn=grafana,ou=services,dc=foo,dc=bar
objectClass: person
cn: myservice
sn: My Service
userPassword: {SSHA}QemMa...
可以访问以下用户:
dn: cn=kartoch,ou=users,dc=foo,dc=bar
objectClass: person
objectClass: inetOrgPerson
cn: kartoch
sn: Kartoch
userPassword: {SSHA}kk/ll...
mail: kartoch@foo.bar
displayName: Kartoch
givenName: Kartoch
但是以下访问控制定义拒绝myservice对kartoch的访问:
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to dn.subtree="ou=users,dc=foo,dc=bar"
attrs=cn,sn,mail,displayName,givenName
by dn.subtree="ou=services,dc=foo,dc=bar" read
olcAccess: {1}to attrs=userPassword,shadowLastChange
by self write
by anonymous auth
olcAccess: {2}to *
by self read
使用myservice帐户访问kartoch用户时:
$ ldapsearch -x -H ldap://localhost -b cn=kartoch,ou=users,dc=foo,dc=bar -D "cn=myservice,ou=services,dc=foo,dc=bar" -w mypasswordfor my service
日志显示服务身份验证正确,但是拒绝了对用户的访问:
5cd30db9 conn=1004 fd=15 ACCEPT from IP=127.0.0.1:52608 (IP=0.0.0.0:389)
5cd30db9 conn=1004 op=0 BIND dn="cn=myservice,ou=services,dc=foo,dc=bar" method=128
5cd30db9 conn=1004 op=0 BIND dn="cn=myservice,ou=services,dc=foo,dc=bar" mech=SIMPLE ssf=0
5cd30db9 conn=1004 op=0 RESULT tag=97 err=0 text=
5cd30db9 conn=1004 op=1 SRCH base="cn=kartoch,ou=users,dc=foo,dc=bar" scope=2 deref=0 filter="(objectClass=*)"
5cd30db9 conn=1004 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
5cd30db9 conn=1004 op=2 UNBIND
5cd30db9 conn=1004 fd=15 closed