How to add rights to a user with olcAccess, in an OpenLDAP 2.4
Question
I have an OpenLDAP Server 2.4 running in my company and I need to permit people to change their picture in one of our web applications. The function is already present. People in LDAP just don't have any rights to write their own attributes (especially here the "jpegPhoto" attribute needed).
I found this in the documentation:
access to attrs=jpegPhoto
by self =xw
by * read
I don't know how to use these lines. What command to use, or something else.
If someone could help me with the process, it would be great.
Thanks
The modifications you need to apply are simple if you are using slapd.conf as the server configuration file, and a bit more complicated if you are using the new cn=config layout. Be careful, anyway, that:
The older style slapd.conf(5) file is still supported, but its use is deprecated and support for it will be withdrawn in a future OpenLDAP release.
as stated in the OpenLDAP documentation.
1) cn=config layout
You need to modify the configuration for the database you are using. Your OpenLDAP server may contain multiple databases, but you are interested only in the one that stores people's data and their pictures. To list all your available databases, use:
slapcat -b cn=config
This command must be executed from the OpenLDAP server. It will read the file named cn=config.ldif in your slapd configuration directory. In my case, it is located in
/usr/local/etc/openldap/slapd.d/cn=config.ldif
Be careful that slapcat -b cn=config will work only if the shell user can read this file. In my case, the file is
-rw------- 1 ldap ldap 680 10 mar 21:04 /usr/local/etc/openldap/slapd.d/cn=config.ldif
It belongs to user ldap, group ldap (they have been created during the OpenLDAP server installation). I have never set a password for user ldap, so:
tl;dr a way to read this file and to successfully run slapcat -b cn=config is to be root.
The output of slapcat -b cn=config is huge, but you can consider the last lines only, where the database you are interested in is listed. For example, it could be
dn: olcDatabase={1}mdb,cn=config
This is, for example, the Distinguished Name (dn) of the database containing users' pictures. You want to allow users to change their pictures.
You can modify the database configuration by running (similarly to the previous case, you need write permissions on the file cn=config.ldif, so you could be root as before):
ldapmodify -f /path/to/yourfile -x -D "cn=config" -W
- -f /path/to/yourfile is your configuration file (see below);
- -x is Simple Authentication, which is needed if you are not using SASL;
- -D "cn=config" is the username you are using to enter the OpenLDAP database. There is usually a super-user for each single database (frequently called Manager), and a global super-user. The user named cn=config is the global super-user. You should have configured its password during the OpenLDAP server installation; if you don't have this password, you might not be able to modify the databases' configuration;
- -W asks you to type the password for the user cn=config.
The configuration file, located in /path/to/yourfile, must be a plain text file formatted as follows:
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: to attrs=jpegPhoto
by self write
by * read
I would suggest that you prefer by self write instead of by self =xw (which would not permit users to read their pictures). Be careful to put two spaces before by, as stated in this answer.
You can now run slapcat -b cn=config again to check if the configuration has been modified, and also if the olcAccess statements are in the correct order. If not, you can delete them and add them again, knowing that each new olcAccess specification will be automatically put after the preceding ones.
2) slapd.conf layout
If you are using the old slapd.conf configuration file, you simply need write permissions to it. Usually it is:
-rw------- 1 ldap ldap 2557 Dec 15 2016 slapd.conf
So, you can open it as root with your preferred text editor. Identify the database section you want to modify, for example the one beginning with:
database mdb
maxsize 1073741824
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
and simply add your lines at the bottom of this section, being careful if other access statements are already present. Again, I would suggest using by self write instead of self =xw.
Regardless of your configuration, restart the OpenLDAP server (process slapd) after your modifications.
If you need further examples and/or clarifications, please consider:
- A cn=config configuration example;
- Access Control for OpenLDAP databases;
- the OpenLDAP site, with the whole documentation.
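As an added example (not code from the answer or from the OpenLDAP project), the Python script below generates the LDIF modify entry the answer describes and audits olcAccess values read back from a constructed slapcat excerpt for the two pitfalls the answer raises: "by self =xw" grants write without read, and a catch-all "by *" listed before "by self" wins because slapd applies the first matching by clause. All function names are hypothetical and the sample slapcat text is constructed, not real server output.

```python
import re

def build_olcaccess_ldif(db_dn, attr="jpegPhoto"):
    """LDIF modify entry adding one olcAccess rule; the two spaces before each
    'by' survive LDIF unfolding (which strips one space) as a separator."""
    return (f"dn: {db_dn}\nchangetype: modify\nadd: olcAccess\n"
            f"olcAccess: to attrs={attr}\n  by self write\n  by * read\n")

def unfold_ldif(text):
    """Join LDIF continuation lines (leading space) onto the previous line."""
    out = []
    for raw in text.splitlines():
        if raw.startswith(" ") and out:
            out[-1] += raw[1:]
        else:
            out.append(raw)
    return out

def parse_olcaccess(value):
    """'{n}to <what> by <who> <access> by ...' -> (what, [(who, access), ...])"""
    m = re.match(r"(?:\{\d+\})?\s*to\s+(.+?)\s+by\s+(.*)$", value.strip())
    if not m:
        raise ValueError(f"not an access rule: {value!r}")
    clauses = [tuple(c.split()[:2]) for c in re.split(r"\s+by\s+", m.group(2))]
    return m.group(1), clauses

def check_rule(value):
    """Flag 'by self =xw' (write without read) and a catch-all 'by *' placed
    before 'by self': slapd stops at the first matching 'by' clause."""
    what, clauses = parse_olcaccess(value)
    whos, warnings = [who for who, _ in clauses], []
    if "self" in whos:
        i = whos.index("self")
        access = clauses[i][1]
        if access.startswith("=") and "r" not in access:
            warnings.append(f"{what}: 'by self {access}' lets users write but not read")
        if "*" in whos[:i]:
            warnings.append(f"{what}: 'by *' precedes 'by self', so self never matches")
    return warnings
# Constructed slapcat -b cn=config excerpt (not real output); rule {1} has both problems.
SAMPLE_SLAPCAT = """\
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
olcAccess: {1}to attrs=jpegPhoto
  by * read
  by self =xw
"""
def audit_slapcat(text):
    """Return [(rule, warnings)] for each olcAccess value in slapcat output."""
    rules = [line[11:] for line in unfold_ldif(text) if line.startswith("olcAccess: ")]
    return [(rule, check_rule(rule)) for rule in rules]
```

Pipe the real slapcat output into audit_slapcat to check the rule order after an ldapmodify, and feed build_olcaccess_ldif's result to ldapmodify -f as in the answer.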