How to add rights to a user with olcAccess, in an OpenLDAP 2.4


Question

I have an OpenLDAP Server 2.4 running in my company and I need to permit people to change their picture in one of our web applications. The function is already present. People in LDAP just don't have any rights to write their own attributes (specifically, the "jpegPhoto" attribute needed here).

I found this in the documentation:

access to attrs=jpegPhoto
    by self =xw
    by * read

I don't know how to use these lines. What command to use, or something else.

If someone could help me with the way to process it, that would be great.

Thanks

Answer

The modifications you need to apply are simple if you are using slapd.conf as the server configuration file, and a bit more complicated if you are using the new cn=config layout. Be careful, anyway, that:

The older style slapd.conf(5) file is still supported, but its use is deprecated and support for it will be withdrawn in a future OpenLDAP release.

as stated in the OpenLDAP documentation.

You need to modify the configuration for the database you are using. Your OpenLDAP server may contain multiple databases, but you are interested only in the one that stores people data and their pictures. To list all your available databases, use:

slapcat -b cn=config

This command must be executed from the OpenLDAP server. It will read the file named cn=config.ldif in your slapd configuration directory. In my case, it is located in

/usr/local/etc/openldap/slapd.d/cn=config.ldif

Be careful that slapcat -b cn=config will work only if the shell user can read this file. In my case, the file is

-rw-------  1 ldap  ldap  680 10 mar 21:04 /usr/local/etc/openldap/slapd.d/cn=config.ldif

It belongs to user ldap, group ldap (they have been created during the OpenLDAP server installation). I have never set a password for user ldap, so:

tl;dr: a way to read this file and to successfully run slapcat -b cn=config is to be root.

The output of slapcat -b cn=config is huge, but you can consider the last lines only, where the database you are interested in is listed. For example, it could be

dn: olcDatabase={1}mdb,cn=config

This is, for example, the Distinguished Name (dn) of the database containing users' pictures. You want to allow users to change their pictures.

You can modify the running database configuration (similarly to the previous case, you need write permissions on the file cn=config.ldif, so you could be root as before):

ldapmodify -f /path/to/yourfile -x -D "cn=config" -W

  • -f /path/to/yourfile is your configuration file (see below);
  • -x is Simple Authentication; it is needed if you are not using SASL;
  • -D "cn=config" is the username you are using to enter the OpenLDAP database. There is usually a super-user for each single database (frequently called Manager), and a global super-user. The user named cn=config is the global super-user. You should have configured its password during the OpenLDAP server installation; if you don't have this password, you might not be able to modify the databases' configuration;
  • -W asks you to type the password for the user cn=config.
The configuration file, located in /path/to/yourfile, must be a plain text file formatted as follows:

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: to attrs=jpegPhoto
  by self write
  by * read

I would suggest you prefer by self write instead of by self =xw (which would not permit users to read their pictures). Be careful to put two spaces before by, as stated in this answer.

You can now run slapcat -b cn=config again to check whether the configuration has been modified, and also whether the olcAccess statements are in the correct order. If not, you can delete them and add them again, knowing that each new olcAccess specification will be automatically put after the preceding ones.

If you are using the old slapd.conf configuration file, you simply need write permissions to it. Usually it is:

-rw-------  1 ldap  ldap   2557 Dec  15  2016 slapd.conf

So, you can open it as root with your preferred text editor. Identify the database section you want to modify (for example, the one beginning with:

database        mdb
maxsize         1073741824
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"

) and simply add your lines at the bottom of this section, being careful if other access statements are already present. Again, I would suggest using by self write instead of self =xw.

Regardless of your configuration, restart the OpenLDAP server (process slapd) after your modifications.

If you need further examples and/or clarifications, please consider:

  • A cn=config configuration example;
  • Access Control for OpenLDAP databases;
  • the OpenLDAP site, with the whole documentation.
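As an added example, not part of the original answer, the following Python helper does the ordering check the answer recommends after running slapcat -b cn=config: it unfolds the LDIF, lists the olcAccess rules in evaluation order, flags rules that can never match because an earlier "to *" rule catches everything, and builds the LDIF with a {n} prefix so the new jpegPhoto rule is inserted before the catch-all instead of being appended behind it. The slapcat output is constructed sample data; the database DN is the one used in the answer.

```python
import re

# Constructed sample of what `slapcat -b cn=config` could print after the LDIF
# from the answer was applied: slapd appends new olcAccess values, so here the
# jpegPhoto rule landed behind an existing catch-all 'to *' rule and is dead.
SAMPLE = """\
dn: olcDatabase={1}mdb,cn=config
olcDatabase: {1}mdb
olcSuffix: dc=example,dc=com
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to * by dn.base="cn=Manager,dc=example,dc=com" write by * read
olcAccess: {2}to attrs=jpegPhoto
  by self write
  by * read
"""

def unfold(text):
    """Join LDIF continuation lines (they start with one space) onto the previous line."""
    out = []
    for raw in text.splitlines():
        if raw.startswith(" ") and out:
            out[-1] += raw[1:]
        else:
            out.append(raw)
    return out

def parse_olc_access(text):
    """Return the olcAccess rules as [(index, 'to ... by ...')] in evaluation order."""
    rules = []
    for line in unfold(text):
        if line.startswith("olcAccess:"):
            m = re.match(r"\s*(?:\{(\d+)\})?(.*)", line[len("olcAccess:"):])
            idx = int(m.group(1)) if m.group(1) is not None else len(rules)
            rules.append((idx, m.group(2).strip()))
    return sorted(rules)

def shadowed(rules):
    """Indices of rules that can never match: slapd uses the first <what> clause
    that matches the target, so everything after a 'to *' rule is dead."""
    dead, catch_all_seen = [], False
    for idx, rule in rules:
        if catch_all_seen:
            dead.append(idx)
        elif rule.split(" by ", 1)[0].strip() == "to *":
            catch_all_seen = True
    return dead

def insert_ldif(db_dn, rules, new_rule):
    """LDIF that adds new_rule in front of the first 'to *' rule: the {n} prefix
    makes slapd insert at that position (renumbering the rest) instead of appending."""
    pos = next((i for i, r in rules if r.split(" by ", 1)[0].strip() == "to *"), len(rules))
    return f"dn: {db_dn}\nchangetype: modify\nadd: olcAccess\nolcAccess: {{{pos}}}{new_rule}\n"
```

Feed the real slapcat output to parse_olc_access and, if shadowed() reports the jpegPhoto rule, apply the LDIF from insert_ldif with the same ldapmodify command as above.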

