LDAP server user and Rights management control

OpenLDAP default account is cn=manager,dc=361way,dc=com such an account, which is written in the configuration file/etc/openldap/ slapd.conf file, but such an account is like the root of Linux, although it works, but the permissions are too large. For security reasons, we need to set up a read-only account or a writable user, depending on the needs of the specific application.

First, new management account

There are a number of ways to create a new management account, such as tools such as Ldapadmin, Phpldapadmin, LDAP browser/editor, or client tools such as Ldapadd or Slapadd (see IBM for the difference between the two) Technology Network). This assumes Ldapadd as an example, as follows:

1, a new LDIF file, specific content similar to the following:

The code is as follows

Copy Code

Dn:cn=bbs,dc=361way,dc=com Objectclass:person Objectclass:shadowaccount Objectclass:top Cn:bbs Sn:bbs Uid:bbs UserPassword:: e1ntsef9rhponi9jm0xvadrpd0rzn2rovnvkzgdxyvj0eug1rgu= Structuralobjectclass:person entryuuid:d08e9e12-a8c9-1032-9efa-9d41910b717f Creatorsname:cn=manager,dc=361way,dc=com createtimestamp:20130903094905z entrycsn:20130903094905z#000001#00#000000 Modifiersname:cn=manager,dc=361way,dc=com modifytimestamp:20130903094905z

2, perform the following command operation import:

The code is as follows	Copy Code
Ldapadd-x-w-d "cn=manager,dc=361way,dc=com"-F test.ldif

Note: If conditions permit, it is recommended that you use a graphical client to operate. such as Delphi written ldapadmin is very easy to use.

Second, set permissions to the account

The default new account is not to manage any user's permissions, you can use this new account login client authentication.

Assigning permissions to a new account is also done by modifying the profile/etc/openldap/slapd.conf, which is added as follows:

The code is as follows

Copy Code

# Personal LDAP Address Book. Access to dn.regex= "cn=[^,]+,mail= ([^,]+) @ ([^,]+), ou=users,domainname= ([^,]+), o=domains,dc=361way,dc=com$" by Anonymous None by self None by dn.exact= "Cn=bbs,dc=361way,dc=com" read by dn.exact= "Cn=bbsadmin,dc=361way,dc=com" write by dn.regex= "mail=$1@$2,ou=users,domainname=$3,o=domains,dc=361way,dc=com$" write by users None # Allow users to change their own passwords and mail forwarding addresses. Access to attrs= "Userpassword,mailforwardingaddress" by Anonymous Auth by self Write by dn.exact= "Cn=bbs,dc=361way,dc=com" read by dn.exact= "Cn=bbsadmin,dc=361way,dc=com" write by users None # Allow to read others public info. Access to attrs= "Cn,sn,gn,givenname,telephonenumber" by Anonymous Auth by self Write by dn.exact= "Cn=bbs,dc=361way,dc=com" read by dn.exact= "Cn=bbsadmin,dc=361way,dc=com" write by users Read # Domain Attrs. Access to attrs= "objectclass,domainname,mtatransport,enabledservice,domainsenderbccaddress, Domainrecipientbccaddress,domainbackupmx,domainmaxquotasize,domainmaxusernumber " by Anonymous Auth by self Read by dn.exact= "Cn=bbs,dc=361way,dc=com" read by dn.exact= "Cn=bbsadmin,dc=361way,dc=com" write by users Read Access to attrs= "Domainadmin,domainglobaladmin,domainsenderbccaddress,domainrecipientbccaddress" by Anonymous Auth by self Read by dn.exact= "Cn=bbs,dc=361way,dc=com" read by dn.exact= "Cn=bbsadmin,dc=361way,dc=com" write by users None # User Attrs. Access to attrs= "employeenumber,homedirectory,mailmessagestore,mail,accountstatus,usersenderbccaddress, Userrecipientbccaddress,mailquota,backupmailaddress,shadowaddress " by Anonymous Auth by self Read by dn.exact= "Cn=bbs,dc=361way,dc=com" read by dn.exact= "Cn=bbsadmin,dc=361way,dc=com" write by users Read # # Set ACL for Bbs/bbsadmin. # Access to dn= "cn=bbs,dc=361way,dc=com" by Anonymous Auth by self Write by dn.exact= "Cn=bbsadmin,dc=361way,dc=com" write by users None Access to dn= "cn=bbsadmin,dc=361way,dc=com" by Anonymous Auth by self Write by users None # # Allow users to access their own domain subtree. # Allow Domain Admin to modify accounts under same domain. # Access to dn.regex= "domainname= ([^,]+), o=domains,dc=361way,dc=com$" by Anonymous Auth by self Write by dn.exact= "Cn=bbs,dc=361way,dc=com" read by dn.exact= "Cn=bbsadmin,dc=361way,dc=com" write by dn.regex= "mail=[^,]+@$1,o=domainadmins,dc=361way,dc=com$" write by dn.regex= "mail=[^,]+@$1,ou=users,domainname=$1,o=domains,dc=361way,dc=com$" read by users None # # Grant correct privileges to bbs/bbsadmin. # Access to dn.subtree= "o=domains,dc=361way,dc=com" by Anonymous Auth by self Write by dn.exact= "Cn=bbs,dc=361way,dc=com" read by dn.exact= "Cn=bbsadmin,dc=361way,dc=com" write by dn.regex= "mail=[^,]+,ou=users,domainname=$1,o=domains,dc=361way,dc=com$" read by users Read Access to dn.subtree= "o=domainadmins,dc=361way,dc=com" by Anonymous Auth by self Write by dn.exact= "Cn=bbs,dc=361way,dc=com" read by dn.exact= "Cn=bbsadmin,dc=361way,dc=com" write by users None # # Set permission for ' cn=*,dc=361way,dc=com '. # Access to dn.regex= "cn=[^,]+,dc=361way,dc=com" by Anonymous Auth by self Write by users None # # Set default permission. # Access to * by Anonymous Auth by self Write by users Read

As in the example above, two users are defined, one is read-only user cn=bbs,dc=361way,dc=com and a writable user cn=bbsadmin,dc=361way,dc=com, and these two users have appropriate permissions for the listed fields, and for the matching users.

Restart the LDAP service after changing the profile, and then log back in to view the following

This read-only account if you want to delete the appropriate content, you will be prompted for no permissions: