Question
I have an OpenLDAP Server 2.4 running in my company and I need to permit people to change their picture in one of our web applications. The function is already present. People in LDAP just don't have any rights to write their own attributes (specifically, here, the "jpegPhoto" attribute that is needed).
I found this in the documentation:

access to attrs=jpegPhoto
  by self =xw
  by * read
I don't know how to use these lines: what command to use, or something else.

If someone could help me with the way to process it, that would be great.
Thanks
Recommended answer
The modifications you need to apply are simple if you are using slapd.conf as the server configuration file, and a bit more complicated if you are using the new cn=config layout. Be careful, anyway, that:

as stated in the OpenLDAP documentation.
You need to modify the configuration for the database you are using. Your OpenLDAP server may contain multiple databases, but you are interested only in the one that stores people data and their pictures. To list all your available databases, use:
slapcat -b cn=config
This command must be executed on the OpenLDAP server. It will read the file named cn=config.ldif in your slapd configuration directory. In my case, it is located in
/usr/local/etc/openldap/slapd.d/cn=config.ldif
Be careful that slapcat -b cn=config will work only if the shell user can read this file. In my case, the file is
-rw------- 1 ldap ldap 680 10 mar 21:04 /usr/local/etc/openldap/slapd.d/cn=config.ldif
It belongs to user ldap, group ldap (they have been created during the OpenLDAP server installation). I have never set a password for user ldap, so:
tl;dr: a way to read this file and to successfully run slapcat -b cn=config is to be root.
The output of slapcat -b cn=config is huge, but you can consider the last lines only, where the database you are interested in is listed. For example, it could be
dn: olcDatabase={1}mdb,cn=config
This is, for example, the Distinguished Name (dn) of the database containing users' pictures. You want to allow users to change their pictures.
You can modify the database configuration while the server is running (similarly to the previous case, you need write permissions on the file cn=config.ldif, so you could be root as before):
ldapmodify -f /path/to/yourfile -x -D "cn=config" -W
- -f /path/to/yourfile is your configuration file (see below);
- -x is Simple Authentication; it is needed if you are not using SASL;
- -D "cn=config" is the username you are using to enter the OpenLDAP database. There is usually a super-user for each single database (frequently called Manager), and a global super-user. The user named cn=config is the global super-user. You should have configured its password during the OpenLDAP server installation; if you don't have this password, you might not be able to modify the database configuration;
- -W asks you to type the password for the user cn=config.
The configuration file, located in /path/to/yourfile, must be a plain text file formatted as follows:
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: to attrs=jpegPhoto
  by self write
  by * read
I would suggest that you prefer by self write instead of by self =xw (which would not permit users to read their pictures). Be careful to put two spaces before by, as stated in this answer.
You can now run slapcat -b cn=config again to check whether the configuration has been modified, and also whether the olcAccess statements are in the correct order. If not, you can delete them and add them again, knowing that each new olcAccess specification will be automatically put after the preceding ones.
If you are using the old slapd.conf configuration file, you simply need write permissions to it. Usually it is:
-rw------- 1 ldap ldap 2557 Dec 15 2016 slapd.conf
So, you can open it as root with your preferred text editor. Identify the database section you want to modify (for example, the one beginning with:
database mdb
maxsize 1073741824
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
) and simply add your lines at the bottom of this section, being careful if other access statements are already present. Again, I would suggest using by self write instead of self =xw.
Regardless of your configuration, restart the OpenLDAP server (process slapd) after your modifications.
If you need further examples and/or clarifications, please consider:

- a cn=config configuration example;
- Access Control for OpenLDAP databases;
- the OpenLDAP site, with the whole documentation.
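As an added example (not part of the original answer), here is a small Python check for the "correct order" step above: it unfolds the LDIF continuation lines of `slapcat -b cn=config` output (the reason the `by` lines need a leading space), lists the olcAccess rules in evaluation order, and flags any rule that sits after a catch-all `to *` rule, because slapd applies the first `to` clause that matches and a jpegPhoto rule appended after `to * by * read` would never be reached. The slapcat output below is constructed for the example.

```python
import re

# Constructed sample of what `slapcat -b cn=config` might print for the
# database entry after the ldapmodify from the answer (not real server output).
SAMPLE_SLAPCAT = """\
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcSuffix: dc=example,dc=com
olcRootDN: cn=Manager,dc=example,dc=com
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to * by * read
olcAccess: {2}to attrs=jpegPhoto
  by self write
  by * read
"""


def unfold_ldif(text):
    """Join LDIF continuation lines: a line starting with one space continues
    the previous line, and exactly that one space is removed. This is why the
    ' by self write' lines are written with two spaces: one for LDIF folding,
    one to separate the words inside the ACL."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_olc_access(text):
    """Return the olcAccess rule bodies of one database in evaluation order,
    using the {n} ordering prefix when present."""
    rules = []
    for line in unfold_ldif(text):
        m = re.match(r"olcAccess:\s*(?:\{(\d+)\})?(.*)", line)
        if m:
            order = int(m.group(1)) if m.group(1) is not None else len(rules)
            rules.append((order, m.group(2).strip()))
    rules.sort()
    return [body for _, body in rules]


def shadowed_rules(rules):
    """Return (index, rule) pairs that come after a catch-all 'to *' rule and
    therefore can never be selected by slapd's first-match evaluation."""
    out, catch_all_seen = [], False
    for idx, body in enumerate(rules):
        if catch_all_seen:
            out.append((idx, body))
        if re.match(r"to\s+\*(\s|$)", body):
            catch_all_seen = True
    return out
```

Run against the sample, `shadowed_rules` reports the jpegPhoto rule at index 2, which is the case where you would delete the olcAccess values and re-add them in the right order as the answer describes.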