ldap服务器用户及权限管理控制

时间：2013-11-06 编辑：简简单单来源：一聚教程网

openldap默认的账户是cn=Manager,dc=361way,dc=com这样的一个账户，其写在配置文件/etc/openldap/slapd.conf文件中，但这样的一个账户就像linux下的root一样，虽然好用，不过权限太大。出于安全考量，我们需要根据具体应用的需要，建立只读账户或者可写用户。

一、新建管理账号

新建管理账户的方法很多，可以使用像诸如 ldapadmin、phpldapadmin、LDAP browser/editor等工具，也可以通过ldapadd 或slapadd这样的客户端工具（关于两者的区别可以参看IBM 技术网）。这里假设以ldapadd为例，具体做法如下:

1、新建一 ldif文件，具体内容类似下面的：

代码如下

复制代码

dn: cn=bbs,dc=361way,dc=com
objectClass: person
objectClass: shadowAccount
objectClass: top
cn: bbs
sn: bbs
uid: bbs
userPassword:: e1NTSEF9RHpONi9jM0xvaDRpd0RzN2ROVnVKZGdxYVJ0eUg1RGU=
structuralObjectClass: person
entryUUID: d08e9e12-a8c9-1032-9efa-9d41910b717f
creatorsName: cn=Manager,dc=361way,dc=com
createTimestamp: 20130903094905Z
entryCSN: 20130903094905Z#000001#00#000000
modifiersName: cn=Manager,dc=361way,dc=com
modifyTimestamp: 20130903094905Z

2、执行如下的命令操作导入：

代码如下	复制代码
ldapadd -x -W -D "cn=Manager,dc=361way,dc=com" -f test.ldif

注：如果条件允许，建议还是使用图形化的客户端去操作。如delphi写的LDAPadmin就非常好用。

二、给账号设置权限

默认新建的这个账号是没有管理任何用户的权限的，可以用这个新建的账号登陆客户端验证。

给新建的账户赋权限也是通过修改配置文件/etc/openldap/slapd.conf来实现，具体的增加的内容如下：

代码如下

复制代码

# Personal LDAP address book.
access to dn.regex="cn=[^,]+,mail=([^,]+)@([^,]+),ou=Users,domainName=([^,]+),o=domains,dc=361way,dc=com$"
    by anonymous                    none
    by self                         none
    by dn.exact="cn=bbs,dc=361way,dc=com"   read
    by dn.exact="cn=bbsadmin,dc=361way,dc=com" write
    by dn.regex="mail=$1@$2,ou=Users,domainName=$3,o=domains,dc=361way,dc=com$" write
    by users                        none
# Allow users to change their own passwords and mail forwarding addresses.
access to attrs="userPassword,mailForwardingAddress"
    by anonymous    auth
    by self         write
    by dn.exact="cn=bbs,dc=361way,dc=com"   read
    by dn.exact="cn=bbsadmin,dc=361way,dc=com" write
    by users        none
# Allow to read others public info.
access to attrs="cn,sn,gn,givenName,telephoneNumber"
    by anonymous    auth
    by self         write
    by dn.exact="cn=bbs,dc=361way,dc=com"   read
    by dn.exact="cn=bbsadmin,dc=361way,dc=com" write
    by users        read
# Domain attrs.
access to attrs="objectclass,domainName,mtaTransport,enabledService,domainSenderBccAddress,domainRecipientBccAddress,domainBackupMX,domainMaxQuotaSize,domainMaxUserNumber"
    by anonymous    auth
    by self         read
    by dn.exact="cn=bbs,dc=361way,dc=com"   read
    by dn.exact="cn=bbsadmin,dc=361way,dc=com" write
    by users        read
access to attrs="domainAdmin,domainGlobalAdmin,domainSenderBccAddress,domainRecipientBccAddress"
    by anonymous    auth
    by self         read
    by dn.exact="cn=bbs,dc=361way,dc=com"   read
    by dn.exact="cn=bbsadmin,dc=361way,dc=com" write
    by users        none
# User attrs.
access to attrs="employeeNumber,homeDirectory,mailMessageStore,mail,accountStatus,userSenderBccAddress,userRecipientBccAddress,mailQuota,backupMailAddress,shadowAddress"
    by anonymous    auth
    by self         read
    by dn.exact="cn=bbs,dc=361way,dc=com"   read
    by dn.exact="cn=bbsadmin,dc=361way,dc=com" write
    by users        read
#
# Set ACL for bbs/bbsadmin.
#
access to dn="cn=bbs,dc=361way,dc=com"
    by anonymous                    auth
    by self                         write
    by dn.exact="cn=bbsadmin,dc=361way,dc=com" write
    by users                        none
access to dn="cn=bbsadmin,dc=361way,dc=com"
    by anonymous                    auth
    by self                         write
    by users                        none
#
# Allow users to access their own domain subtree.
# Allow domain admin to modify accounts under same domain.
#
access to dn.regex="domainName=([^,]+),o=domains,dc=361way,dc=com$"
    by anonymous                    auth
    by self                         write
    by dn.exact="cn=bbs,dc=361way,dc=com"   read
    by dn.exact="cn=bbsadmin,dc=361way,dc=com" write
    by dn.regex="mail=[^,]+@$1,o=domainAdmins,dc=361way,dc=com$" write
    by dn.regex="mail=[^,]+@$1,ou=Users,domainName=$1,o=domains,dc=361way,dc=com$" read
    by users                        none
#
# Grant correct privileges to bbs/bbsadmin.
#
access to dn.subtree="o=domains,dc=361way,dc=com"
    by anonymous                    auth
    by self                         write
    by dn.exact="cn=bbs,dc=361way,dc=com"   read
    by dn.exact="cn=bbsadmin,dc=361way,dc=com" write
    by dn.regex="mail=[^,]+,ou=Users,domainName=$1,o=domains,dc=361way,dc=com$" read
    by users                        read
access to dn.subtree="o=domainAdmins,dc=361way,dc=com"
    by anonymous                    auth
    by self                         write
    by dn.exact="cn=bbs,dc=361way,dc=com"   read
    by dn.exact="cn=bbsadmin,dc=361way,dc=com" write
    by users                        none
#
# Set permission for "cn=*,dc=361way,dc=com".
#
access to dn.regex="cn=[^,]+,dc=361way,dc=com"
    by anonymous                    auth
    by self                         write
    by users                        none
#
# Set default permission.
#
access to *
    by anonymous                    auth
    by self                         write
    by users                        read

如上面示例中就定义了两个用户，一个是只读用户cn=bbs,dc=361way,dc=com和一个可写用户cn=bbsadmin,dc=361way,dc=com 以及这两个用户对所列的字段、正则匹配的用户有相应的权限。

更改完该配置文件后重启ldap服务，再重新登陆查看，如下

以上这个只读账户如果想删除相应的内容就会提示没有权限：

上一个：编译安装php5.2 with php-fpm方法介绍
下一个： linux下去掉tppabs冗余代码

推荐专题

最新下载

热门教程

ldap服务器用户及权限管理控制

相关文章

热门栏目

php教程

asp.net教程

手机开发

css教程

网页制作

办公数码

jsp教程