LDAP-specific ACL for each user
I am looking for a way to allow LDAP users to write to the branch that carries their own name. For example, I want each user A, B, C to be allowed to write to cn=A,ou=foo, cn=B,ou=foo, cn=C,ou=foo ...
Is there a way to do this without writing it out explicitly?
Not like this:
access to dn.subtree="cn=A,ou=foo"
by dn.exact="uid=A,ou=people" write
access to dn.subtree="cn=B,ou=foo"
by dn.exact="uid=B,ou=people" write
...
Maybe with a regex?
You don't need to specify this for each user. You only need:
access to * by self write
I got it working.
Directory structure:
dc=myorg,dc=com
  ou=nonprod
    ou=hostdefinitions
  ou=people
    cn=user1
    cn=user2
  ou=prod
    ou=hostdefinitions
Users:
cn=user2,ou=People,dc=myorg,dc=com
objectClass=account,extensibleObject,posixAccount,shadowAccount,top
cn=user2
gidNumber=235
homeDirectory=/home/user2
uid=user2
uidNumber=235
userPassword={SSHA hashed password}

cn=user1,ou=People,dc=myorg,dc=com
objectClass=account,extensibleObject,posixAccount,shadowAccount,top
cn=user1
gidNumber=234
homeDirectory=/home/user1
uid=user1
uidNumber=234
userPassword={SSHA hashed password}
ACL:
access to dn.subtree="ou=nonprod,dc=myorg,dc=com"
by dn.exact="cn=user1,ou=People,dc=myorg,dc=com" manage
by dn.exact="cn=user2,ou=People,dc=myorg,dc=com" none
access to dn.subtree="ou=prod,dc=myorg,dc=com"
by dn.exact="cn=user1,ou=People,dc=myorg,dc=com" none
by dn.exact="cn=user2,ou=People,dc=myorg,dc=com" manage
access to dn.base="" by * read
access to dn.base="cn=subschema" by * read
access to *
by self write
by anonymous auth
Something like this would work:
olcAccess: to dn.regex=".+,cn=([^,]+),ou=foo$"
by dn.exact,expand="uid=$1,ou=people" write
by users read
by * none
Each user can write to the branch under ou=foo that carries their name.
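To see what the clauses in this thread actually grant, here is an added example (my own code, not OpenLDAP's and not posted by anyone above) that models slapd's ACL evaluation in Python and runs the ACLs from the answers through it. It reproduces only the semantics the thread relies on: the first matching "to" clause wins, the first matching "by" inside it wins, every clause ends with an implicit "by * none", and ",expand" substitutes capture groups from the dn.regex match. The DNs are the ones on this page; the hostdefinitions entries cn=h1 and cn=host1 are made up for the test. Two things become visible: `by self write` matches only when the target entry is the bound DN itself, so the first answer's clause gives a user write on their own ou=People entry (every attribute, uidNumber included) and nothing on cn=A,ou=foo; and the regex answer's leading `.+,` matches entries below cn=A,ou=foo but not the cn=A,ou=foo entry itself, which matters because adding an entry in slapd needs write access to the parent's children pseudo-attribute. The anchored variant with `(.+,)?` and `$2` at the end is my suggestion, not from the thread, and covers both.

```python
import re

# Added example: a small model of slapd's "access to <what> by <who> <level>"
# evaluation, written to test the ACLs posted in this thread offline. This is
# not OpenLDAP's code. DNs are compared case-insensitively, which is enough for
# the DNs on this page; real slapd normalises them according to attribute syntax.


def dn_matches(style, pattern, target):
    """Match the <what> side (or a dn.exact <who>) against a DN."""
    if style == "*":
        return True
    t = target.lower()
    if style in ("dn.exact", "dn.base"):
        return t == pattern.lower()
    if style == "dn.subtree":
        p = pattern.lower()
        return t == p or t.endswith("," + p)
    if style == "dn.regex":
        return re.search(pattern, target, re.IGNORECASE)  # Match object or None
    raise ValueError(f"unsupported style {style}")


def who_matches(who, bind_dn, target_dn, match):
    """Match one <who> against the bound identity (bind_dn None = anonymous)."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        # "self" is the entry being accessed, not an entry named after the user.
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    style, pattern = who
    if style == "dn.exact,expand":
        if not hasattr(match, "group"):
            return False  # ",expand" needs capture groups from a dn.regex "to"
        pattern = re.sub(r"\$(\d)", lambda g: match.group(int(g.group(1))), pattern)
        style = "dn.exact"
    return bind_dn is not None and bool(dn_matches(style, pattern, bind_dn))


def evaluate(acl, bind_dn, target_dn):
    """Return the access level bind_dn gets on target_dn under acl."""
    for (style, pattern), by_clauses in acl:
        match = dn_matches(style, pattern, target_dn)
        if not match:
            continue  # first matching "to" clause wins; others are never consulted
        for who, level in by_clauses + [("*", "none")]:  # implicit trailing by * none
            if who_matches(who, bind_dn, target_dn, match):
                return level
    return "none"  # nothing matched at all: slapd denies


PEOPLE = "ou=People,dc=myorg,dc=com"
USER1 = f"cn=user1,{PEOPLE}"
USER2 = f"cn=user2,{PEOPLE}"

# The first answer's single clause, on its own.
SELF_ONLY_ACL = [(("*", None), [("self", "write")])]

# The ACL set from the "I got it working" answer.
STATIC_ACL = [
    (("dn.subtree", "ou=nonprod,dc=myorg,dc=com"),
     [(("dn.exact", USER1), "manage"), (("dn.exact", USER2), "none")]),
    (("dn.subtree", "ou=prod,dc=myorg,dc=com"),
     [(("dn.exact", USER1), "none"), (("dn.exact", USER2), "manage")]),
    (("dn.base", ""), [("*", "read")]),
    (("dn.base", "cn=subschema"), [("*", "read")]),
    (("*", None), [("self", "write"), ("anonymous", "auth")]),
]

# The regex answer, with the $1 that ",expand" fills from the capture group.
REGEX_ACL = [
    (("dn.regex", r".+,cn=([^,]+),ou=foo$"),
     [(("dn.exact,expand", "uid=$1,ou=people"), "write"), ("users", "read"), ("*", "none")]),
]

# My suggested variant (not from the thread): also covers the cn=<name>,ou=foo entry itself.
REGEX_ACL_ANCHORED = [
    (("dn.regex", r"^(.+,)?cn=([^,]+),ou=foo$"),
     [(("dn.exact,expand", "uid=$2,ou=people"), "write"), ("users", "read"), ("*", "none")]),
]

if __name__ == "__main__":
    cases = [
        (SELF_ONLY_ACL, "uid=A,ou=people", "cn=A,ou=foo"),  # self write does not reach the branch
        (STATIC_ACL, USER1, "cn=h1,ou=hostdefinitions,ou=nonprod,dc=myorg,dc=com"),
        (STATIC_ACL, USER1, "cn=h1,ou=hostdefinitions,ou=prod,dc=myorg,dc=com"),
        (STATIC_ACL, USER1, USER1),  # write on own entry, every attribute
        (STATIC_ACL, None, USER1),
        (REGEX_ACL, "uid=A,ou=people", "cn=host1,cn=A,ou=foo"),
        (REGEX_ACL, "uid=B,ou=people", "cn=host1,cn=A,ou=foo"),
        (REGEX_ACL, "uid=A,ou=people", "cn=A,ou=foo"),  # leading ".+," excludes the branch entry
        (REGEX_ACL_ANCHORED, "uid=A,ou=people", "cn=A,ou=foo"),
    ]
    for acl, bind, target in cases:
        print(f"{bind or 'anonymous':<38} {target:<55} {evaluate(acl, bind, target)}")
```

Run it as a script to get a table of (bind DN, target DN, level). The model deliberately ignores attribute-level clauses (attrs=), filters and the children/entry pseudo-attributes; if you need those, test against a real slapd with slapacl(8) instead.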