ldap管理linux用户,ldap服务器用户及权限管理控制linux操作系统 -电脑资料

ldap服务器可能使用的用户比较少，但自己就要去用在百度找了N久没找到什么可用的内容，就只在看英文了，下面我来给大家介绍ldap服务器用户及权限管理控制，希望此文章对大家有帮助，

openldap默认的账户是cn=Manager,dc=361way,dc=com这样的一个账户 ，其写在配置文件/etc/openldap/slapd.conf文件中，但这样的一个账户就像linux下的root一样，虽然好用，不过权限太大 。出于安全考量，我们需要根据具体应用的需要，建立只读账户或者可写用户。

一、新建管理账号

新建管理账户的方法很多，可以使用像诸如 ldapadmin、phpldapadmin、LDAP browser/editor等工具，也可以通过ldapadd 或slapadd这样的客户端工具(关于两者的区别可以参看IBM 技术网)。这里假设以ldapadd为例，具体做法如下:

1、新建一 ldif文件，具体内容类似下面的：代码如下复制代码

dn: cn=bbs,dc=361way,dc=com

objectClass: person

objectClass: shadowAccount

objectClass: top

cn: bbs

sn: bbs

uid: bbs

userPassword:: e1NTSEF9RHpONi9jM0xvaDRpd0RzN2ROVnVKZGdxYVJ0eUg1RGU=

structuralObjectClass: person

entryUUID: d08e9e12-a8c9-1032-9efa-9d41910b717f

creatorsName: cn=Manager,dc=361way,dc=com

createTimestamp: 20130903094905Z

entryCSN: 20130903094905Z#000001#00#000000

modifiersName: cn=Manager,dc=361way,dc=com

modifyTimestamp: 20130903094905Z

2、执行如下的命令操作导入：代码如下复制代码

ldapadd -x -W -D "cn=Manager,dc=361way,dc=com" -f test.ldif

注：如果条件允许，建议还是使用图形化的客户端去操作。如delphi写的LDAPadmin就非常好用。

二、给账号设置权限

默认新建的这个账号是没有管理任何用户的权限的 ，可以用这个新建的账号登陆客户端验证。

给新建的账户赋权限也是通过修改配置文件/etc/openldap/slapd.conf来实现，具体的增加的内容如下：代码如下复制代码# Personal LDAP address book.

access to dn.regex="cn=[^,]+,mail=([^,]+)@([^,]+),ou=Users,domainName=([^,]+),o=domains,dc=361way,dc=com$"

by anonymous                   none

by self                        none

by dn.exact="cn=bbs,dc=361way,dc=com"  read

by dn.exact="cn=bbsadmin,dc=361way,dc=com" write

by dn.regex="mail=$1@$2,ou=Users,domainName=$3,o=domains,dc=361way,dc=com$" write

by users                       none

# Allow users to change their own passwords and mail forwarding addresses.

access to attrs="userPassword,mailForwardingAddress"

by anonymous   auth

by self        write

by dn.exact="cn=bbs,dc=361way,dc=com"  read

by dn.exact="cn=bbsadmin,dc=361way,dc=com" write

by users       none

# Allow to read others public info.

access to attrs="cn,sn,gn,givenName,telephoneNumber"

by anonymous   auth

by self        write

by dn.exact="cn=bbs,dc=361way,dc=com"  read

by dn.exact="cn=bbsadmin,dc=361way,dc=com" write

by users       read

# Domain attrs.

access to attrs="objectclass,domainName,mtaTransport,enabledService,domainSenderBccAddress,domainRecipientBccAddress,domainBackupMX,domainMaxQuotaSize,domainMaxUserNumber"

by anonymous   auth

by self        read

by dn.exact="cn=bbs,dc=361way,dc=com"  read

by dn.exact="cn=bbsadmin,dc=361way,dc=com" write

by users       read

access to attrs="domainAdmin,domainGlobalAdmin,domainSenderBccAddress,domainRecipientBccAddress"

by anonymous   auth

by self        read

by dn.exact="cn=bbs,dc=361way,dc=com"  read

by dn.exact="cn=bbsadmin,dc=361way,dc=com" write

by users       none

# User attrs.

access to attrs="employeeNumber,homeDirectory,mailMessageStore,mail,accountStatus,userSenderBccAddress,userRecipientBccAddress,mailQuota,backupMailAddress,shadowAddress"

by anonymous   auth

by self        read

by dn.exact="cn=bbs,dc=361way,dc=com"  read

by dn.exact="cn=bbsadmin,dc=361way,dc=com" write

by users       read

#

# Set ACL for bbs/bbsadmin.

#

access to dn="cn=bbs,dc=361way,dc=com"

by anonymous                   auth

by self                        write

by dn.exact="cn=bbsadmin,dc=361way,dc=com" write

by users                       none

access to dn="cn=bbsadmin,dc=361way,dc=com"

by anonymous                   auth

by self                        write

by users                       none

#

# Allow users to access their own domain subtree.

# Allow domain admin to modify accounts under same domain.

#

access to dn.regex="domainName=([^,]+),o=domains,dc=361way,dc=com$"

by anonymous                   auth

by self                        write

by dn.exact="cn=bbs,dc=361way,dc=com"  read

by dn.exact="cn=bbsadmin,dc=361way,dc=com" write

by dn.regex="mail=[^,]+@$1,o=domainAdmins,dc=361way,dc=com$" write

by dn.regex="mail=[^,]+@$1,ou=Users,domainName=$1,o=domains,dc=361way,dc=com$" read

by users                       none

#

# Grant correct privileges to bbs/bbsadmin.

#

access to dn.subtree="o=domains,dc=361way,dc=com"

by anonymous                   auth

by self                        write

by dn.exact="cn=bbs,dc=361way,dc=com"  read

by dn.exact="cn=bbsadmin,dc=361way,dc=com" write

by dn.regex="mail=[^,]+,ou=Users,domainName=$1,o=domains,dc=361way,dc=com$" read

by users                       read

access to dn.subtree="o=domainAdmins,dc=361way,dc=com"

by anonymous                   auth

by self                        write

by dn.exact="cn=bbs,dc=361way,dc=com"  read

by dn.exact="cn=bbsadmin,dc=361way,dc=com" write

by users                       none

#

# Set permission for "cn=*,dc=361way,dc=com".

#

access to dn.regex="cn=[^,]+,dc=361way,dc=com"

by anonymous                   auth

by self                        write

by users                       none

#

# Set default permission.

#

access to *

by anonymous                   auth

by self                        write

by users                       read

如上面示例中就定义了两个用户，一个是只读用户cn=bbs,dc=361way,dc=com和一个可写用户cn=bbsadmin,dc=361way,dc=com 以及这两个用户对所列的字段、正则匹配的用户有相应的权限 ，ldap服务器用户及权限管理控制linux操作系统》(https://www.unjs.com)。

更改完该配置文件后重启ldap服务，再重新登陆查看，如下

以上这个只读账户如果想删除相应的内容就会提示没有权限 ：