openldap ACLs not read

I am running ldap 2.4.40 on Debian, and I am having trouble configuring new ACLs in OpenLDAP. These are the ACLs I have configured:

olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=extern
 al,cn=auth manage by * break
olcAccess: {1}to attrs=userPassword by self write by anonymous auth by dn="c
 n=admin,dc=xxxxx,dc=xx" write by * none
olcAccess: {2}to dn.base="" by * read
olcAccess: {3}to * by self write by dn="cn=admin,dc=xxxxx,dc=cc" write by * read
olcAccess: {4}to attrs=userPassword by dn="cn=extra,ou=system,dc=xxxxx
 ,dc=xx" write
olcAccess: {5}to * by dn="cn=extra,ou=system,dc=xxxxx,dc=xx" write

Here is the debug trace when I run slapadd:

57271dfe => acl_get: [4] attr children
57271dfe => acl_mask: access to entry "dc=test,dc=com,ou=accounts,dc=xxxxxx,dc=xx", attr "children" requested
57271dfe => acl_mask: to all values by "cn=extra,ou=system,dc=xxxxx,dc=xx", (=0)
57271dfe <= check a_dn_pat: self
57271dfe <= check a_dn_pat: cn=admin,dc=xxxxx,dc=xx
57271dfe <= check a_dn_pat: *
57271dfe <= acl_mask: [3] applying read(=rscxd) (stop)
57271dfe <= acl_mask: [3] mask: read(=rscxd)
57271dfe => slap_access_allowed: add access denied by read(=rscxd)
57271dfe => access_allowed: no more rules

It seems it is not reading all of my ACLs? Is that possible?

If so, adding an object as the "extra" user should be allowed by ACLs #4 and #5 (which have write permission), right?

I believe this is covered in the OpenLDAP FAQ. Excerpt:

Ordering is very important here. As soon as a subject match occurs, the mask will be determined and resolution will stop.

The debug message is clear: rule #3 matched. The "write by * read" component of rule 3 matches the requester (cn=extra,ou=system,dc=xxxxx,dc=xx), so processing stops. That means you need to put your current rule 5 before rule 3.
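To make the first-match behaviour concrete, here is a small Python model of how slapd walks an olcAccess list (this is an added example, not the answerer's code and not OpenLDAP's own acl_mask). The directive list is a constructed copy of the question's six rules with the redacted suffix replaced by dc=example,dc=com, and only the <what>/<who> forms that actually appear in the question are modelled. Running it reproduces the trace (rule 3 settles on read for cn=extra, so the add is denied), shows that moving rule 5 ahead of rule 3 yields write, and also shows that rule 1's trailing "by * none" settles userPassword before rule 4 is ever reached.

```python
"""Toy model of slapd olcAccess evaluation: the first matching <who> clause wins.

Added example for this thread, not OpenLDAP code. ACLS is a constructed copy of
the question's directives with the redacted suffix replaced by dc=example,dc=com.
"""
import re

# slapd access levels, weakest to strongest; each level implies the ones before it
ACCESS_LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

ACLS = [
    'to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break',
    'to attrs=userPassword by self write by anonymous auth by dn="cn=admin,dc=example,dc=com" write by * none',
    'to dn.base="" by * read',
    'to * by self write by dn="cn=admin,dc=example,dc=com" write by * read',
    'to attrs=userPassword by dn="cn=extra,ou=system,dc=example,dc=com" write',
    'to * by dn="cn=extra,ou=system,dc=example,dc=com" write',
]

# The reordering the answer recommends: the old rule 5 moved in front of the old rule 3.
FIXED = ACLS[:3] + [ACLS[5]] + ACLS[3:5]

EXTRA = "cn=extra,ou=system,dc=example,dc=com"  # constructed requester DN
ADMIN = "cn=admin,dc=example,dc=com"


def parse_acl(text):
    """Split 'to <what> by <who> [<access>] [<control>] ...' into its parts."""
    text = re.sub(r"^\{\d+\}", "", text.strip())  # drop an olcAccess {n} ordering prefix
    what, *clauses = re.split(r"\s+by\s+", text)
    if not what.startswith("to "):
        raise ValueError(f"bad directive: {text}")
    parsed = []
    for clause in clauses:
        who, *rest = clause.split()
        access, control = "none", "stop"  # "stop" is slapd's default control
        for tok in rest:
            if tok in ("stop", "break"):
                control = tok
            elif tok in ACCESS_LEVELS:
                access = tok
            else:
                raise ValueError(f"unsupported token in <by> clause: {tok}")
        parsed.append((who, access, control))
    return what[3:], parsed


def what_matches(what, entry_dn, attr):
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr in what[len("attrs="):].split(",")
    if what.startswith("dn.base="):
        return entry_dn == what[len("dn.base="):].strip('"')
    raise ValueError(f"unsupported <what>: {what}")


def who_matches(who, requester, entry_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "self":
        return requester is not None and requester.lower() == entry_dn.lower()
    if who.startswith("dn="):
        return requester == who[len("dn="):].strip('"')
    if who.startswith("dn.exact="):
        return requester == who[len("dn.exact="):]
    raise ValueError(f"unsupported <who>: {who}")


def access_for(acls, requester, entry_dn, attr):
    """Return (directive index, access) the way acl_mask settles it; (None, 'none') if no rule stops."""
    for index, text in enumerate(acls):
        what, clauses = parse_acl(text)
        if not what_matches(what, entry_dn, attr):
            continue  # <what> misses: try the next directive
        for who, access, control in clauses:
            if not who_matches(who, requester, entry_dn):
                continue
            if control == "break":  # leave this directive and keep going with the next
                break
            return index, access  # stop: the first matching <who> decides
        else:
            return index, "none"  # <what> matched but no <who> did: implicit "by * none"
    return None, "none"  # "no more rules"


def allowed(acls, requester, entry_dn, attr, needed):
    """True if the settled access level is at least `needed` (e.g. add needs write on children)."""
    _, access = access_for(acls, requester, entry_dn, attr)
    return ACCESS_LEVELS.index(access) >= ACCESS_LEVELS.index(needed)


if __name__ == "__main__":
    parent = "ou=accounts,dc=example,dc=com"  # constructed parent of the entry being added
    print("original:", access_for(ACLS, EXTRA, parent, "children"))    # (3, 'read')
    print("reordered:", access_for(FIXED, EXTRA, parent, "children"))  # (3, 'write')
    print("userPassword via rule 1:", access_for(FIXED, EXTRA, "uid=bob," + parent, "userPassword"))
```

Adding an entry needs write access to the "children" pseudo-attribute of the parent, which is exactly what the trace reports ("attr "children" requested" and "add access denied by read"). The model walks rule 0 (break), skips rules 1 and 2 because their <what> does not apply, and stops at rule 3's "by * read". With the reordered list the cn=extra clause is reached first and returns write. The userPassword call shows a second consequence of the same principle: rule 1 ends in "by * none", so rule 4 can never grant cn=extra write on passwords unless it, too, is placed ahead of rule 1.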