Configuring NethServer as an LDAP server

NethServer is a CentOS-based server distribution that ships with a number of preconfigured services, among them an LDAP server. For security reasons its access control is fairly strict, so to use it as an LDAP server for third-party applications the access control has to be relaxed.

1. Stop shorewall and switch to firewalld

systemctl stop shorewall
systemctl disable shorewall
systemctl start firewalld
systemctl enable firewalld
firewall-cmd --add-port=980/tcp --permanent
firewall-cmd --add-port=9090/tcp --permanent
firewall-cmd --add-service=ldap --permanent
firewall-cmd --add-service=ldaps --permanent

2. Change the LDAP access control

a. vi acl.ldif

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by dn.exact="cn=libuser,dc=directory,dc=nh" peername.ip="127.0.0.1" write by self write by * auth by users read
#olcAccess: {0}to attrs=userPassword by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by dn.exact="cn=libuser,dc=directory,dc=nh" peername.ip="127.0.0.1" write by self write by * peername.ip="127.0.0.1" auth by * ssf=71 auth by * none
olcAccess: {1}to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by dn.exact="cn=libuser,dc=directory,dc=nh" write by * read
#olcAccess: {1}to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by dn.exact="cn=libuser,dc=directory,dc=nh" peername.ip="127.0.0.1" write by * read

b. Apply the access-control change

ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif
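As an added check that is not part of the original post or of NethServer, the following Python script parses the two userPassword rules from acl.ldif (the applied one and the commented original) and reports what a reviewer would flag: a bare "by *" grant that carries no ssf= or peername condition, and any clause after it that slapd never reaches, because the first matching "by" clause wins. It assumes plain olcAccess syntax without stop/continue/break controls.

```python
import shlex

# OpenLDAP access levels that may end a by-clause (stop/continue/break controls are not handled here).
ACCESS_LEVELS = {"none", "disclose", "auth", "compare", "search",
                 "read", "write", "add", "delete", "manage"}

# The two userPassword rules copied from acl.ldif: the loosened rule that gets applied and
# the original NethServer rule that the file keeps as a comment.
NEW_ACL = ('{0}to attrs=userPassword by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage '
           'by dn.exact="cn=libuser,dc=directory,dc=nh" peername.ip="127.0.0.1" write by self write by * auth by users read')
OLD_ACL = ('{0}to attrs=userPassword by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage '
           'by dn.exact="cn=libuser,dc=directory,dc=nh" peername.ip="127.0.0.1" write by self write '
           'by * peername.ip="127.0.0.1" auth by * ssf=71 auth by * none')

def parse_olc_access(value):
    """Split one olcAccess value into its 'to' target and an ordered list of by-clauses."""
    tokens = shlex.split(value)            # shlex keeps dn.exact="a,b,c" as a single token
    if not tokens or not tokens[0].endswith("to"):
        raise ValueError("not an olcAccess value: %r" % value)
    target, groups, current = [], [], None
    for tok in tokens[1:]:
        if tok == "by":                    # starts the next '<who>... <access>' group
            groups.append(current := [])
        elif current is None:
            target.append(tok)             # still inside 'to <what>'
        else:
            current.append(tok)
    clauses = []
    for group in groups:
        if not group or group[-1] not in ACCESS_LEVELS:
            raise ValueError("by-clause without access level: %r" % group)
        clauses.append({"who": group[:-1], "access": group[-1]})
    return " ".join(target), clauses

def audit(value):
    """Return what a reviewer would flag: unconditional 'by *' grants and the clauses they shadow."""
    _, clauses = parse_olc_access(value)
    findings, everyone_matched = [], False
    for i, cl in enumerate(clauses):
        who = " ".join(cl["who"])
        if everyone_matched:               # slapd uses the first matching <who>; a bare '*' matched all
            findings.append("clause %d 'by %s %s' is unreachable" % (i, who, cl["access"]))
        elif cl["who"] == ["*"]:
            everyone_matched = True
            if cl["access"] != "none":     # no ssf= or peername condition: any peer, any transport
                findings.append("'by * %s' is granted from any peer without an ssf= or peername condition" % cl["access"])
    return findings
```

Running audit() on both rules shows that the original yields no findings, while the loosened rule grants "auth" on userPassword to every peer regardless of transport security and leaves "by users read" unreachable.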

Note:

After a system update the changes above need to be applied again.