How to add rights to a user with olcAccess in OpenLDAP 2.4


Problem description

I have an OpenLDAP Server 2.4 running in my company and I need to permit people to change their picture in one of our web applications. The function is already present. People in LDAP just don't have any rights to write their own attributes (especially the "jpegPhoto" attribute needed here).

I found this in the Documentation

access to attrs=jpegPhoto
    by self =xw
    by * read

I don't know how to use these lines. What command to use, or something else?

If someone could help me with the way to process it, that would be great.

Thanks

Solution

The modifications you need to apply are simple, if you are using slapd.conf as the server configuration file, and a bit more complicated if you are using the new cn=config layout. Be careful, anyway, that:

The older style slapd.conf(5) file is still supported, but its use is deprecated and support for it will be withdrawn in a future OpenLDAP release.

as stated in the OpenLDAP documentation.

1) cn=config layout

You need to modify the configuration for the database you are using. Your OpenLDAP server may contain multiple databases, but you are interested only in the one that stores people data and their pictures. To list all your available databases, use:

slapcat -b cn=config

This command must be executed from the OpenLDAP server. It will read the file named cn=config.ldif in your slapd configuration directory. In my case, it is located in

/usr/local/etc/openldap/slapd.d/cn=config.ldif

Be careful that slapcat -b cn=config will work only if the shell user can read this file. In my case, the file is

-rw-------  1 ldap  ldap  680 10 mar 21:04 /usr/local/etc/openldap/slapd.d/cn=config.ldif

It belongs to user ldap, group ldap (they have been created during the OpenLDAP server installation). I have never set a password for user ldap, so:

tl;dr a way to read this file and to successfully run slapcat -b cn=config is to be root.

The output of slapcat -b cn=config is huge, but you can consider the last lines only, where the database you are interested in is listed. For example, it could be

dn: olcDatabase={1}mdb,cn=config

This is, for example, the Distinguished Name (dn) of the database containing users' pictures. You want to allow users to change their pictures.

You can modify the database configuration running (similarly to the previous case, you need write permissions on the file cn=config.ldif, so you could be root as before):

ldapmodify -f /path/to/yourfile -x -D "cn=config" -W

  • -f /path/to/yourfile is your configuration file (see below);
  • -x is Simple Authentication, it is needed if you are not using SASL;
  • -D "cn=config" is the username you are using to enter the OpenLDAP database. There is usually a super-user for each single database (frequently called Manager), and a global super-user. The user named cn=config is the global super-user. You should have configured its password during the OpenLDAP server installation; if you don't have this password, you might not be able to modify the database configuration;
  • -W asks you to type the password for the user cn=config.

The configuration file, located in /path/to/yourfile, must be a plain text file formatted as follows:

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: to attrs=jpegPhoto
  by self write
  by * read

I would suggest that you prefer by self write over by self =xw (which would not permit users to read their pictures). Be careful to put two spaces before by, as stated in this answer.

You can now run slapcat -b cn=config again to check if the configuration has been modified, and also if the olcAccess statements are in the correct order. If not, you can delete them and add them again, knowing that each new olcAccess specification will be automatically put after the preceding ones.

2) slapd.conf layout

If you are using the old slapd.conf configuration file, you simply need the write permissions to it. Usually it is:

-rw-------  1 ldap  ldap   2557 Dec  15  2016 slapd.conf

So, you can open it as root, with your preferred text editor. Identify the database section you want to modify, for example the one beginning with:

database        mdb
maxsize         1073741824
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"

and simply add your lines at the bottom of this section, being careful if other access statements are already present. Again, I would suggest using by self write instead of by self =xw.


Regardless of your configuration, restart the OpenLDAP server (process slapd) after your modifications.


If you need further examples and/or clarifications, please consider:
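The ordering check the answer recommends after the ldapmodify step, as an added example (Python, not the answer's own code, written so it runs without a slapd): it parses a constructed `slapcat -b cn=config` excerpt, builds the same LDIF as above, and warns when an earlier catch-all `to *` directive would make the new jpegPhoto rule unreachable, since slapd uses the first `to` clause that matches. It relies on the cn=config ordered-value behaviour that an explicit `{n}` in an add inserts the value at that position; the sample config, database DN and function names are assumptions.

```python
import re

# Constructed sample of what `slapcat -b cn=config` prints for the database
# entry; in a real run you would paste the olcAccess lines from your server.
SAMPLE_SLAPCAT = """\
dn: olcDatabase={1}mdb,cn=config
olcDatabase: {1}mdb
olcSuffix: dc=example,dc=com
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to * by * read
"""

# The rule from the answer, using "by self write" rather than "by self =xw".
NEW_RULE = "to attrs=jpegPhoto by self write by * read"

def olc_access_rules(slapcat_text):
    """Return the olcAccess values in {n} order, with the {n} prefix stripped."""
    found = []
    for line in slapcat_text.splitlines():
        m = re.match(r"olcAccess:\s*\{(\d+)\}(.*)", line)
        if m:
            found.append((int(m.group(1)), m.group(2).strip()))
    return [rule for _, rule in sorted(found)]

def shadowing_rule(rules, position):
    """slapd stops at the first directive whose 'to' clause matches, so a
    catch-all 'to *' before `position` hides the rule there. Return it or None."""
    for rule in rules[:position]:
        if re.match(r"to\s+\*\s", rule + " "):
            return rule
    return None

def build_ldif(db_dn, rule, position=None):
    """LDIF for ldapmodify -f. No position: value is appended after the existing
    ones (as in the answer); {position}: inserted there, later values renumbered."""
    prefix = f"{{{position}}}" if position is not None else ""
    to_clause, by_clauses = rule.split(" by ", 1)
    lines = [f"olcAccess: {prefix}{to_clause}"]
    # Two leading spaces: LDIF folding strips one, the other separates clauses.
    lines += [f"  by {clause}" for clause in by_clauses.split(" by ")]
    return f"dn: {db_dn}\nchangetype: modify\nadd: olcAccess\n" + "\n".join(lines) + "\n"

def plan_jpegphoto_rule(slapcat_text, db_dn="olcDatabase={1}mdb,cn=config"):
    """Append the rule if nothing shadows it, else insert it just before the
    first catch-all. Returns (position or None, ldif_text)."""
    rules = olc_access_rules(slapcat_text)
    shadow = shadowing_rule(rules, len(rules))
    position = None if shadow is None else rules.index(shadow)
    return position, build_ldif(db_dn, NEW_RULE, position)
```

The returned LDIF is what you would save as /path/to/yourfile and pass to the ldapmodify command shown above; re-run slapcat afterwards to confirm the {n} numbering.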
