©2010-2026 宁波自信网络信息技术有限公司 版权所有
客服电话:0574-28810668 投诉电话:18658249818
浙ICP备2021020529号-1 | 浙B2-20240490
关注我们 :
1、ldap效劳器用户及权限管理控制linux操作系统 电脑资料 ldap效劳器可能使用的用户比拟少,但自己就要去用在百度找了N久没找到什么可用的内容,就只在看英文了,下面我来给大家介绍ldap效劳器用户及权限控制,希望此文章对大家有帮助, openldap默认的账户是=Manager,dc=361way,dc=这样的一个账户 ,其写在配置文件/etc/openldap/slapd.conf文件中,但这样的一个账户就像linux下的root一样,虽然好用,不过权限太大 。出于平安考量,我们需要根据具体应用的需要,建立只读账户或者可写用户。 一、新建管理账号 新建管理账户的方法很多,
2、可以使用像诸如 ldapadmin、phpldapadmin、LDAP browser/editor等工具,也可以通过ldapadd 或slapadd这样的客户端工具(关于两者的区别可以参看IBM 技术网)。这里假设以ldapadd为例,具体做法如下: 1、新建一 ldif文件,具体内容类似下面的: dn: =bbs,dc=361way,dc= objectClass: person objectClass: shadowAount objectClass: top : bbs sn: bbs uid: bbs userPassword:: e1NTSEF9
3、RHpONi9jM0xvaDRpd0RzN2ROVnVKZGdxYVJ0eUg1RGU= structuralObjectClass: person entryUUID: d08e9e12-a8c9-1032-9efa-9d41910b717f creatorsName: =Manager,dc=361way,dc= createTimestamp: xx0903094905Z entryCSN: xx0903094905Z#000001#00#000000 modifiersName: =Manager,dc=361way,dc= modifyTimestamp:
4、 xx0903094905Z 2、执行如下的命令操作导入: ldapadd -x -W -D "=Manager,dc=361way,dc=" -f test.ldif 注:如果条件允许,建议还是使用图形化的客户端去操作。如delphi写的LDAPadmin就非常好用。 二、给账号设置权限 默认新建的这个账号是没有管理任何用户的权限的 ,可以用这个新建的账号登陆客户端验证。 给新建的账户赋权限也是通过修改配置文件/etc/openldap/slapd.conf来实现,具体的增加的内容如下: aess to dn.regex="=[^,]+,mail=([^,]+)@
5、[^,]+),ou=Users,domainName=([^,]+),o=domains,dc=361way,dc=$" by anonymous none by self none by dn.exact="=bbs,dc=361way,dc=" read by dn.exact="=bbsadmin,dc=361way,dc=" write by dn.regex="mail=$1@$2,ou=Users,domainName=$3,o=domains,dc=361way,dc=$" write by users none # Allow users to c
6、hange their own passwords and mail forwarding addresses. aess to attrs="userPassword,mailForwardingAddress" by anonymous auth by self write by dn.exact="=bbs,dc=361way,dc=" read by dn.exact="=bbsadmin,dc=361way,dc=" write by users none # Allow to read others public info. aess to attr
7、s=",sn,gn,givenName,telephoneNumber" by anonymous auth by self write by dn.exact="=bbs,dc=361way,dc=" read by dn.exact="=bbsadmin,dc=361way,dc=" write by users read # Domain attrs. aess to attrs="objectclass,domainName,mtaTransport,enabledService,domainSenderBAddress,domainRecipientBAd
8、dress,domainBackupMX,domainMaxQuotaSize,domainMaxUserNumber" by anonymous auth by self read by dn.exact="=bbs,dc=361way,dc=" read by dn.exact="=bbsadmin,dc=361way,dc=" write by users read aess to attrs="domainAdmin,domainGlobalAdmin,domainSenderBAddress,domainRecipientBAddress" by anon
9、ymous auth by self read by dn.exact="=bbs,dc=361way,dc=" read by dn.exact="=bbsadmin,dc=361way,dc=" write by users none # User attrs. aess to attrs="employeeNumber,homeDirectory,mailMessageStore,mail,aountStatus,userSenderBAddress,userRecipientBAddress,mailQuota,backupMailAddress,shadowA
10、ddress" by anonymous auth by self read by dn.exact="=bbs,dc=361way,dc=" read by dn.exact="=bbsadmin,dc=361way,dc=" write by users read # # Set ACL for bbs/bbsadmin. # aess to dn="=bbs,dc=361way,dc=" by anonymous auth by self write by dn.exact="=bbsadmin,dc=361way,dc=" write
11、 by users none aess to dn="=bbsadmin,dc=361way,dc=" by anonymous auth by self write by users none # # Allow users to aess their own domain subtree. # Allow domain admin to modify aounts under same domain. # aess to dn.regex="domainName=([^,]+),o=domains,dc=361way,dc=$" by anonymo
12、us auth by self write by dn.exact="=bbs,dc=361way,dc=" read by dn.exact="=bbsadmin,dc=361way,dc=" write by dn.regex="mail=[^,]+@$1,o=domainAdmins,dc=361way,dc=$" write by dn.regex="mail=[^,]+@$1,ou=Users,domainName=$1,o=domains,dc=361way,dc=$" read by users none # # Grant correct pri
13、vileges to bbs/bbsadmin. # aess to dn.subtree="o=domains,dc=361way,dc=" by anonymous auth by self write by dn.exact="=bbs,dc=361way,dc=" read by dn.exact="=bbsadmin,dc=361way,dc=" write by dn.regex="mail=[^,]+,ou=Users,domainName=$1,o=domains,dc=361way,dc=$" read by users read aess
14、 to dn.subtree="o=domainAdmins,dc=361way,dc=" by anonymous auth by self write by dn.exact="=bbs,dc=361way,dc=" read by dn.exact="=bbsadmin,dc=361way,dc=" write by users none # # Set permission for "=*,dc=361way,dc=". # aess to dn.regex="=[^,]+,dc=361way,dc=" by anonymous auth b
15、y self write by users none # # Set default permission. # aess to * by anonymous auth by self write by users read 如上面例如中就定义了两个用户,一个是只读用户=bbs,dc=361way,dc=和一个可写用户=bbsadmin,dc=361way,dc= 以及这两个用户对所列的字段、正那么匹配的用户有相应的权限 , 更改完该配置文件后重启ldap效劳,再重新登陆查看,如下 以上这个只读账户如果想删除相应的内容就会提示没有权限 :
©2010-2026 宁波自信网络信息技术有限公司 版权所有
客服电话:0574-28810668 投诉电话:18658249818
浙ICP备2021020529号-1 | 浙B2-20240490
关注我们 :
