openldap - ldap_add : Insufficient access (50)

Tags: openldap centos7

I am trying to add the following entry with this command:

ldapadd -Y EXTERNAL -H ldapi:/// -f server5_ldap.ldif

The contents of server5_ldap.ldif are as follows:

# Entry 31: cn=default,ou=pwpolicies,dc=example,dc=com
dn: cn=default,ou=pwpolicies,dc=example,dc=com
cn: default
objectclass: device
objectclass: top
objectclass: pwdPolicy
objectclass: pwdPolicyChecker
pwdallowuserchange: TRUE
pwdattribute: userPassword
pwdcheckquality: 2
pwdexpirewarning: 604800
pwdfailurecountinterval: 3600
pwdgraceauthnlimit: 0
pwdinhistory: 5
pwdlockout: TRUE
pwdlockoutduration: 900
pwdmaxage: 0
pwdmaxfailure: 5
pwdminage: 0
pwdminlength: 8
pwdmustchange: FALSE
pwdsafemodify: FALSE

I get this error:

ldap_add: Insufficient access (50)
    additional info: no write access to parent

My permissions.ldif is as follows:

#OlcAccess
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0} to attrs=userPassword by self write by anonymous auth by dn.exact="cn=Manager,dc=example,dc=com" manage by dn.exact="cn=admin,cn=config" manage by dn.exact="cn=ConnectedSyncAdmin,ou=customers,dc=example,dc=com" write by * none
olcAccess: {1} to attrs=uid by self write by anonymous auth by dn.exact="cn=Manager,dc=example,dc=com" manage  by dn.exact="cn=admin,cn=config" manage by dn.exact="cn=ConnectedSyncAdmin,ou=customers,dc=example,dc=com" write by * none
olcAccess: {2} to attrs=objectClass by self write by anonymous auth by dn.exact="cn=Manager,dc=example,dc=com" manage by dn.exact="cn=admin,cn=config" manage by dn.exact="cn=ConnectedSyncAdmin,ou=customers,dc=example,dc=com" write by * none
olcAccess: {3} to attrs=cn by self write by anonymous auth by dn.exact="cn=Manager,dc=example,dc=com" manage by dn.exact="cn=admin,cn=config" manage by dn.exact="cn=ConnectedSyncAdmin,ou=customers,dc=example,dc=com" write by * none
olcAccess: {4} to attrs=sn by self write by anonymous auth by dn.exact="cn=Manager,dc=example,dc=com" manage by dn.exact="cn=admin,cn=config" manage by dn.exact="cn=ConnectedSyncAdmin,ou=customers,dc=example,dc=com" write by * none
olcAccess: {5} to * by self write by dn.exact="cn=Manager,dc=example,dc=com" manage by dn.exact="cn=admin,cn=config" manage by dn.exact="cn=ConnectedSyncAdmin,ou=customers,dc=example,dc=com" write by users read by anonymous none
olcAccess: {6} to attrs=userPassword by self write by anonymous auth by dn.exact="cn=Manager,dc=example,dc=com" manage by dn.exact="cn=admin,cn=config" manage by dn.exact="cn=pwpolicies,ou=PPS,dc=example,dc=com" write by * none

I am new to LDAP and I am stuck on this problem. Any help would be greatly appreciated.

Best Answer

If you want to use Unix domain socket authentication (-Y EXTERNAL), then you have to give root manage rights on the database. The DN under which root is authenticated over the Unix domain socket is:

gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

On Red Hat and CentOS, only the config and monitor backends have rules for root:

# ldapsearch -Y EXTERNAL -Q -H ldapi:/// -LLL -o ldif-wrap=no -b cn=config '(objectClass=olcDatabaseConfig)' olcAccess 
dn: olcDatabase={-1}frontend,cn=config

dn: olcDatabase={0}config,cn=config
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none

dn: olcDatabase={1}monitor,cn=config
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by * none

dn: olcDatabase={2}hdb,cn=config

If you want to manage database 2 the same way you manage the config, you have to add to database 2 the same olcAccess rule that is defined for database 0 (the config backend):

to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
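The following script is an added example and is not part of the original question or answer. It turns the rule above into an ldapmodify operation against olcDatabase={2}hdb (the database DN and the peercred DN are the ones quoted on this page; the root_manage_ldif, has_root_manage, apply_root_manage and verify_root_manage names are the example's own), and it includes a check that parses an olcAccess dump of the kind shown in the answer to confirm whether the rule is already present. Two details matter for the rule itself: olcAccess values are matched in order and only the first "to" clause covering the target is consulted (which is also why the {6} userPassword rule in the question's permissions.ldif can never be reached behind the {5} "to *" rule), so the root rule is inserted at index {0}; and it ends with "by * break" rather than "by * none" so that every identity other than root falls through to the existing rules instead of being denied.

```shell
#!/bin/sh
# Added example, not code from the original question or answer. It grants the
# local root peercred identity "manage" on the hdb database so that
# "ldapadd -Y EXTERNAL -H ldapi:///" run as root can write under
# dc=example,dc=com. The database DN and the peercred DN are the ones quoted on
# this page; change DB_DN if your data database is not olcDatabase={2}hdb.

ROOT_DN='gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth'
DB_DN='olcDatabase={2}hdb,cn=config'

# LDIF that inserts the root rule at index {0}; slapd renumbers the existing
# rules to {1}..{n}. The rule goes first because olcAccess rules are matched
# in order and the first "to" clause that covers the target is the only one
# consulted; "by * break" hands every identity other than root on to the
# existing rules instead of denying it.
root_manage_ldif() {
  cat <<EOF
dn: $DB_DN
changetype: modify
add: olcAccess
olcAccess: {0}to * by dn.base="$ROOT_DN" manage by * break
EOF
}

# Read an "ldapsearch -LLL -o ldif-wrap=no" dump on stdin and return 0 when
# the entry $DB_DN already carries an olcAccess value that grants $ROOT_DN
# manage, 1 otherwise. Matching is by DN, so the identical rule on
# olcDatabase={0}config does not count.
has_root_manage() {
  awk -v db="dn: $DB_DN" -v who="dn.base=\"$ROOT_DN\" manage" '
    /^dn: /                                       { cur = $0 }
    cur == db && /^olcAccess: / && index($0, who) { found = 1 }
    END                                           { exit(found ? 0 : 1) }'
}

# Apply the change over the local socket (run as root; not run by the test).
apply_root_manage() {
  root_manage_ldif | ldapmodify -Y EXTERNAL -Q -H ldapi:///
}

# Re-read the database entry and confirm the rule is in place.
verify_root_manage() {
  ldapsearch -Y EXTERNAL -Q -H ldapi:/// -LLL -o ldif-wrap=no \
    -b "$DB_DN" -s base olcAccess | has_root_manage
}

# Constructed sample dumps, modelled on the CentOS 7 defaults quoted in the
# answer: BEFORE has no root rule on the hdb database, AFTER has it at {0}.
SAMPLE_BEFORE='dn: olcDatabase={0}config,cn=config
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none

dn: olcDatabase={1}monitor,cn=config
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by * none

dn: olcDatabase={2}hdb,cn=config
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to * by self write by users read by anonymous none
'

SAMPLE_AFTER='dn: olcDatabase={2}hdb,cn=config
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * break
olcAccess: {1}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {2}to * by self write by users read by anonymous none
'

# Usage: "sh root_manage.sh apply" applies and verifies on a live server;
# with no argument it only reports what the sample dumps contain.
case "${1:-}" in
  apply)
    apply_root_manage && verify_root_manage && echo "root peercred rule present on $DB_DN" ;;
  *)
    printf '%s' "$SAMPLE_BEFORE" | has_root_manage && echo "before: present" || echo "before: absent"
    printf '%s' "$SAMPLE_AFTER"  | has_root_manage && echo "after: present"  || echo "after: absent" ;;
esac
```

The rule makes local root a full administrator of the data database; that is the same trust level root already has over slapd's files, so it is a reasonable choice for console administration. If you would rather not extend it, the alternative is to keep the existing rules and bind with the directory manager instead, i.e. ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -H ldapi:/// -f server5_ldap.ldif, which the {5} rule in the question already permits.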

Regarding openldap - ldap_add : Insufficient access (50), we found a similar question on Stack Overflow: https://stackoverflow.com/questions/39454439/
