ldap是企业基础设施,我对其配置一直很感兴趣。
今天读了一篇网上的“陈云川的OPENLDAP系列",对其有了基本的认识,结合公司的ldap,尝试了一下:
ldapsearch -h 192.168.1.10 -D "uid=enlaizhou,ou=People,dc=example,dc=com" -W -b "ou=People,dc=example,dc=com"
ldapmodify -a -f /tmp/c -h 192.168.1.10 -D "uid=enlaizhou,ou=People,dc=example,dc=com" -W
另外libnss-ldap提供了示例的ldap配置文件:
/usr/share/doc/libnss-ldap/examples/groups.ldif
/usr/share/doc/libnss-ldap/examples/people.ldif
关于其中的权限配置我还是不大清楚。以下是acl.ldif:
# Allow LdapUserAdmin Group to change anyone's password
olcAccess: to attrs=userPassword
by self write
by anonymous auth
by dn.base="uid=admin,ou=People,dc=example,dc=com" write
by set="[cn=LdapUserAdmin,ou=Group,dc=example,dc=com]/memberUid & user/uid" write
by * none
# Allow LdapGroupAdmin Group to change membership & main group
olcAccess: to attrs=memberUid,gidNumber
by set="[cn=LdapGroupAdmin,ou=Group,dc=example,dc=com]/memberUid & user/uid" write
by * read
# Allow LdapUserAdmin Group to create/delete user
olcAccess: to dn="ou=People,dc=example,dc=com" attrs=children
by set="[cn=LdapUserAdmin,ou=Group,dc=example,dc=com]/memberUid & user/uid" write
by * break
olcAccess: to dn.subtree="ou=People,dc=example,dc=com" attrs=entry
by set="[cn=LdapUserAdmin,ou=Group,dc=example,dc=com]/memberUid & user/uid" write
by * break
# Allow LdapGroupAdmin Group to create/delete group
olcAccess: to dn="ou=Group,dc=example,dc=com" attrs=children
by set="[cn=LdapGroupAdmin,ou=Group,dc=example,dc=com]/memberUid & user/uid" write
by * break
olcAccess: to dn.subtree="ou=Group,dc=example,dc=com" attrs=entry
by set="[cn=LdapGroupAdmin,ou=Group,dc=example,dc=com]/memberUid & user/uid" write
by * break
# Allow UserInfoMgmt Group to modify user info
# Allow users to change their own record
olcAccess: to attrs=sn,gn,mail,mobile,manager,title,telephoneNumber,homePhone,pager
by set="[cn=UserInfoMgmt,ou=Group,dc=example,dc=com]/memberUid & user/uid" write
by self write
by * read
# Allow anyone to read directory
olcAccess: to *
by self write
by dn.base="uid=admin,ou=People,dc=example,dc=com" write
by * read