LDAP server user and rights management

Source: Internet
Author: User
Tags: anonymous auth ldap openldap

The default OpenLDAP administrative account is cn=manager,dc=361way,dc=com, which is defined in the configuration file /etc/openldap/slapd.conf. This account is the equivalent of root on Linux: it works, but its permissions are far too broad for day-to-day use. For security reasons we set up a read-only account or a writable account instead, depending on what the application actually needs.

First, create a new management account

There are several ways to create a new account: graphical tools such as LdapAdmin, phpLDAPadmin or LDAP Browser/Editor, or command-line tools such as ldapadd or slapadd (see the IBM Technology Network for the difference between the two). The example below uses ldapadd, as follows:

1. Create a new LDIF file with content similar to the following:

The code is as follows:

dn: cn=bbs,dc=361way,dc=com
objectClass: person
objectClass: shadowAccount
objectClass: top
cn: bbs
sn: bbs
uid: bbs
# base64-encoded {SSHA} password hash; replace it with a hash generated by slappasswd
userPassword:: e1ntsef9rhponi9jm0xvadrpd0rzn2rovnvkzgdxyvj0eug1rgu=
# Operational attributes (structuralObjectClass, entryUUID, creatorsName, createTimestamp,
# entryCSN, modifiersName, modifyTimestamp) are generated by slapd and appear only in a
# slapcat export; ldapadd rejects them, so leave them out of a file you import this way.

2. Import it with the following command:

The code is as follows:

ldapadd -x -W -D "cn=manager,dc=361way,dc=com" -f test.ldif

Note: if circumstances permit, a graphical client is recommended for this; LdapAdmin, written in Delphi, is very easy to use.

Second, assign permissions to the account

By default the new account has no rights over any other entry; all it can do is authenticate (bind) from a client.

Permissions for the new account are also assigned by editing the configuration file /etc/openldap/slapd.conf. Add the following:

The code is as follows:

# Personal LDAP Address Book.
# slapd.conf directives span several lines only when the continuation lines start with
# whitespace, so every "by" line below must be indented.
access to dn.regex="cn=[^,]+,mail=([^,]+)@([^,]+),ou=users,domainname=([^,]+),o=domains,dc=361way,dc=com$"
    by anonymous none
    by self none
    by dn.exact="cn=bbs,dc=361way,dc=com" read
    by dn.exact="cn=bbsadmin,dc=361way,dc=com" write
    by dn.regex="mail=$1@$2,ou=users,domainname=$3,o=domains,dc=361way,dc=com$" write
    by users none
# Allow users to change their own passwords and mail forwarding addresses.
access to attrs="userPassword,mailForwardingAddress"
    by anonymous auth
    by self write
    by dn.exact="cn=bbs,dc=361way,dc=com" read
    by dn.exact="cn=bbsadmin,dc=361way,dc=com" write
    by users none
# Allow users to read other users' public info.
access to attrs="cn,sn,gn,givenName,telephoneNumber"
    by anonymous auth
    by self write
    by dn.exact="cn=bbs,dc=361way,dc=com" read
    by dn.exact="cn=bbsadmin,dc=361way,dc=com" write
    by users read
# Domain attrs.
access to attrs="objectClass,domainName,mtaTransport,enabledService,domainSenderBccAddress,domainRecipientBccAddress,domainBackupMX,domainMaxQuotaSize,domainMaxUserNumber"
    by anonymous auth
    by self read
    by dn.exact="cn=bbs,dc=361way,dc=com" read
    by dn.exact="cn=bbsadmin,dc=361way,dc=com" write
    by users read
access to attrs="domainAdmin,domainGlobalAdmin,domainSenderBccAddress,domainRecipientBccAddress"
    by anonymous auth
    by self read
    by dn.exact="cn=bbs,dc=361way,dc=com" read
    by dn.exact="cn=bbsadmin,dc=361way,dc=com" write
    by users none
# User attrs.
access to attrs="employeeNumber,homeDirectory,mailMessageStore,mail,accountStatus,userSenderBccAddress,userRecipientBccAddress,mailQuota,backupMailAddress,shadowAddress"
    by anonymous auth
    by self read
    by dn.exact="cn=bbs,dc=361way,dc=com" read
    by dn.exact="cn=bbsadmin,dc=361way,dc=com" write
    by users read
#
# Set ACL for bbs/bbsadmin.
#
access to dn="cn=bbs,dc=361way,dc=com"
    by anonymous auth
    by self write
    by dn.exact="cn=bbsadmin,dc=361way,dc=com" write
    by users none
access to dn="cn=bbsadmin,dc=361way,dc=com"
    by anonymous auth
    by self write
    by users none
#
# Allow users to access their own domain subtree.
# Allow domain admins to modify accounts under the same domain.
#
access to dn.regex="domainname=([^,]+),o=domains,dc=361way,dc=com$"
    by anonymous auth
    by self write
    by dn.exact="cn=bbs,dc=361way,dc=com" read
    by dn.exact="cn=bbsadmin,dc=361way,dc=com" write
    by dn.regex="mail=[^,]+@$1,o=domainadmins,dc=361way,dc=com$" write
    by dn.regex="mail=[^,]+@$1,ou=users,domainname=$1,o=domains,dc=361way,dc=com$" read
    by users none
#
# Grant the correct privileges to bbs/bbsadmin.
#
access to dn.subtree="o=domains,dc=361way,dc=com"
    by anonymous auth
    by self write
    by dn.exact="cn=bbs,dc=361way,dc=com" read
    by dn.exact="cn=bbsadmin,dc=361way,dc=com" write
    # $1 is only filled in from a capture group on a dn.regex target; this dn.subtree
    # target has none, so the next clause cannot match as written and "by users read" applies.
    by dn.regex="mail=[^,]+,ou=users,domainname=$1,o=domains,dc=361way,dc=com$" read
    by users read
access to dn.subtree="o=domainadmins,dc=361way,dc=com"
    by anonymous auth
    by self write
    by dn.exact="cn=bbs,dc=361way,dc=com" read
    by dn.exact="cn=bbsadmin,dc=361way,dc=com" write
    by users none
#
# Set permission for 'cn=*,dc=361way,dc=com'.
#
access to dn.regex="cn=[^,]+,dc=361way,dc=com"
    by anonymous auth
    by self write
    by users none
#
# Set default permission.
#
access to *
    by anonymous auth
    by self write
    by users read

In the example above two users are defined: a read-only user, cn=bbs,dc=361way,dc=com, and a writable user, cn=bbsadmin,dc=361way,dc=com. Each is given the listed privilege on the listed attributes and DNs, and the dn.regex clauses give the users matched by the pattern access to their own entries. Keep in mind that slapd stops at the first "access to" clause whose target matches and then at the first "by" clause that matches the requester, so the order of the lines is part of the policy.
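To make that evaluation order concrete, here is an added Python model (written for this page; it is not OpenLDAP code and not from the original article) of how slapd resolves a request against a constructed excerpt of the ACL above; it covers the attrs, dn.subtree and * targets with the anonymous, self, users and dn.exact selectors, leaves dn.regex out, and uses two constructed user DNs under o=domains.

```python
LEVELS = ["none", "auth", "read", "write"]   # slapd privilege levels, lowest to highest
BASE = "dc=361way,dc=com"
BBS, BBSADMIN = f"cn=bbs,{BASE}", f"cn=bbsadmin,{BASE}"
USER, OTHER = (f"mail=u{n}@361way.com,ou=users,domainname=361way.com,o=domains,{BASE}" for n in (1, 2))

# Constructed excerpt of the page's slapd.conf ACL as data: (target, [(who, level), ...]).
# Targets are ("attrs", {names}), ("dn.subtree", dn) or ("*", None), in slapd.conf order.
ACL = [
    (("attrs", {"userpassword", "mailforwardingaddress"}),
     [("anonymous", "auth"), ("self", "write"), (f"dn.exact={BBS}", "read"),
      (f"dn.exact={BBSADMIN}", "write"), ("users", "none")]),
    (("dn.subtree", f"o=domains,{BASE}"),
     [("anonymous", "auth"), ("self", "write"), (f"dn.exact={BBS}", "read"),
      (f"dn.exact={BBSADMIN}", "write"), ("users", "read")]),
    (("*", None), [("anonymous", "auth"), ("self", "write"), ("users", "read")]),
]

def target_matches(target, entry_dn, attr):
    kind, value = target
    if kind == "attrs":                          # attribute rule: applies on any entry
        return attr.lower() in value
    if kind == "dn.subtree":                     # the entry itself or anything below it
        return entry_dn.lower() == value or entry_dn.lower().endswith("," + value)
    return True                                  # "*" covers every entry and attribute

def who_matches(who, entry_dn, bind_dn):
    if who == "anonymous":
        return bind_dn is None
    if bind_dn is None:                          # every other selector needs an authenticated bind
        return False
    if who == "users":
        return True
    if who == "self":
        return bind_dn.lower() == entry_dn.lower()
    if who.startswith("dn.exact="):
        return bind_dn.lower() == who[len("dn.exact="):].lower()
    raise ValueError(f"selector not modelled here: {who}")   # dn.regex etc. are omitted

def granted(entry_dn, attr, bind_dn=None):
    """Privilege slapd gives bind_dn (None = anonymous) on attr of entry_dn: the first matching
    'access to' clause, then its first matching 'by'; a match with no matching 'by' is none."""
    for target, bys in ACL:
        if target_matches(target, entry_dn, attr):
            return next((lvl for who, lvl in bys if who_matches(who, entry_dn, bind_dn)), "none")
    return "none"                                # unreachable with the trailing 'access to *'

def allows(entry_dn, attr, bind_dn, needed):
    return LEVELS.index(granted(entry_dn, attr, bind_dn)) >= LEVELS.index(needed)  # levels are cumulative
```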

Restart the LDAP service after changing the configuration file, then log in again with the new account to check what it can see.

If you try to delete content with the read-only account, you are told that you do not have permission to do so.
