First try with LDAP commands

```shell
ldapsearch -h 192.168.1.10 -D "uid=enlaizhou,ou=People,dc=example,dc=com" -W -b "ou=People,dc=example,dc=com"
ldapmodify -a -f /tmp/c -h 192.168.1.10 -D "uid=enlaizhou,ou=People,dc=example,dc=com" -W
```

In addition, libnss-ldap ships sample LDAP configuration files:

```
/usr/share/doc/libnss-ldap/examples/groups.ldif
/usr/share/doc/libnss-ldap/examples/people.ldif
```

I'm still not very clear about the permission configuration. Here is acl.ldif:

```ldif
# Allow LdapUserAdmin Group to change anyone's password
olcAccess: to attrs=userPassword
  by self write
  by anonymous auth
  by dn.base="uid=admin,ou=People,dc=example,dc=com" write
  by set="[cn=LdapUserAdmin,ou=Group,dc=example,dc=com]/memberUid & user/uid" write
  by * none
# Allow LdapGroupAdmin Group to change membership & main group
olcAccess: to attrs=memberUid,gidNumber
  by set="[cn=LdapGroupAdmin,ou=Group,dc=example,dc=com]/memberUid & user/uid" write
  by * read
# Allow LdapUserAdmin Group to create/delete user
olcAccess: to dn="ou=People,dc=example,dc=com" attrs=children
  by set="[cn=LdapUserAdmin,ou=Group,dc=example,dc=com]/memberUid & user/uid" write
  by * break
olcAccess: to dn.subtree="ou=People,dc=example,dc=com" attrs=entry
  by set="[cn=LdapUserAdmin,ou=Group,dc=example,dc=com]/memberUid & user/uid" write
  by * break
# Allow LdapGroupAdmin Group to create/delete group
olcAccess: to dn="ou=Group,dc=example,dc=com" attrs=children
  by set="[cn=LdapGroupAdmin,ou=Group,dc=example,dc=com]/memberUid & user/uid" write
  by * break
olcAccess: to dn.subtree="ou=Group,dc=example,dc=com" attrs=entry
  by set="[cn=LdapGroupAdmin,ou=Group,dc=example,dc=com]/memberUid & user/uid" write
  by * break
# Allow UserInfoMgmt Group to modify user info
# Allow users to change their own record
olcAccess: to attrs=sn,gn,mail,mobile,manager,title,telephoneNumber,homePhone,pager
  by set="[cn=UserInfoMgmt,ou=Group,dc=example,dc=com]/memberUid & user/uid" write
  by self write
  by * read
# Allow anyone to read directory
olcAccess: to *
  by self write
  by dn.base="uid=admin,ou=People,dc=example,dc=com" write
  by * read
```
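The easiest way to get a feel for what these rules actually grant is to walk them the way slapd does: the first `to` clause that matches the target wins, then the first matching `by` clause inside it decides the level, and `break` is the one exception that lets evaluation continue to the next `to`. The script below is an added illustration, not code from the post or from OpenLDAP. It implements a deliberately simplified evaluator that understands only the constructs used in acl.ldif (the levels `none < auth < read < write`, `self`, `anonymous`, `dn.base=`, the `set=` group-membership form, `dn=`/`dn.subtree=` with the `children`/`entry` pseudo-attributes), and it assumes two constructed identities, `alice` (a member of LdapUserAdmin) and `bob` (an ordinary user); real slapd has further levels (disclose, compare, search), regex DN matching and a general set syntax, so treat the result as a reading aid rather than a substitute for testing against a live server.

```python
"""Simplified evaluator for the post's olcAccess rules (added illustration, not code from the
post or from OpenLDAP).  Only the constructs used in acl.ldif are modelled; it shows how rule
order and 'break' decide the outcome for constructed users alice (LdapUserAdmin) and bob."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed copy of the post's acl.ldif rules (same content, comments dropped).
ACL_LDIF = """\
olcAccess: to attrs=userPassword by self write by anonymous auth by dn.base="uid=admin,ou=People,dc=example,dc=com" write by set="[cn=LdapUserAdmin,ou=Group,dc=example,dc=com]/memberUid & user/uid" write by * none
olcAccess: to attrs=memberUid,gidNumber by set="[cn=LdapGroupAdmin,ou=Group,dc=example,dc=com]/memberUid & user/uid" write by * read
olcAccess: to dn="ou=People,dc=example,dc=com" attrs=children by set="[cn=LdapUserAdmin,ou=Group,dc=example,dc=com]/memberUid & user/uid" write by * break
olcAccess: to dn.subtree="ou=People,dc=example,dc=com" attrs=entry by set="[cn=LdapUserAdmin,ou=Group,dc=example,dc=com]/memberUid & user/uid" write by * break
olcAccess: to dn="ou=Group,dc=example,dc=com" attrs=children by set="[cn=LdapGroupAdmin,ou=Group,dc=example,dc=com]/memberUid & user/uid" write by * break
olcAccess: to dn.subtree="ou=Group,dc=example,dc=com" attrs=entry by set="[cn=LdapGroupAdmin,ou=Group,dc=example,dc=com]/memberUid & user/uid" write by * break
olcAccess: to attrs=sn,gn,mail,mobile,manager,title,telephoneNumber,homePhone,pager by set="[cn=UserInfoMgmt,ou=Group,dc=example,dc=com]/memberUid & user/uid" write by self write by * read
olcAccess: to * by self write by dn.base="uid=admin,ou=People,dc=example,dc=com" write by * read
"""

@dataclass(frozen=True)
class Request:
    target_dn: str                   # entry being touched (the parent DN for 'children')
    attr: str                        # attribute name, or the pseudo-attrs 'children' / 'entry'
    bind_dn: Optional[str]           # None models an anonymous bind
    groups: frozenset = frozenset()  # DNs of groups whose memberUid lists the bound user's uid

def parse_what(text):
    """'<what>' -> (scope, base_dn, attrs): scope None/'base'/'subtree'; attrs None means any."""
    if text == "*":
        return None, None, None
    m = re.search(r'dn(?:\.(\w+))?="([^"]*)"', text)
    # a style-less dn= is simplified to an exact match here; slapd.access(5) documents the real rules
    scope, base = (m.group(1) or "base", m.group(2).lower()) if m else (None, None)
    m = re.search(r"attrs=(\S+)", text)
    return scope, base, ({a.lower() for a in m.group(1).split(",")} if m else None)

def parse_acls(ldif):
    """'olcAccess: to <what> by <who> <level> ...' lines -> [(what, [(who, level), ...])]."""
    acls = []
    for line in ldif.splitlines():
        if not line.startswith("olcAccess:"):
            continue
        m = re.match(r"\s*(?:\{\d+\})?to\s+(.*?)\s+by\s+(.*)$", line.split(":", 1)[1])
        clauses = [tuple(c.rsplit(None, 1)) for c in re.split(r"\s+by\s+", m.group(2))]
        acls.append((parse_what(m.group(1)), clauses))
    return acls

def what_matches(what, req):
    scope, base, attrs = what
    target = req.target_dn.lower()
    if scope == "base" and target != base:
        return False
    if scope == "subtree" and target != base and not target.endswith("," + base):
        return False
    return attrs is None or req.attr.lower() in attrs

def who_matches(who, req):
    if who == "*":
        return True
    if who == "anonymous":
        return req.bind_dn is None
    if who == "self":
        return req.bind_dn is not None and req.bind_dn.lower() == req.target_dn.lower()
    if m := re.fullmatch(r'dn(?:\.\w+)?="([^"]*)"', who):
        return req.bind_dn is not None and req.bind_dn.lower() == m.group(1).lower()
    if m := re.fullmatch(r'set="\[([^\]]*)\]/memberUid & user/uid"', who):  # group membership
        return m.group(1).lower() in {g.lower() for g in req.groups}
    raise ValueError("unsupported <who> clause: " + who)

def granted_level(acls, req):
    """First matching 'to' wins, then its first matching 'by'; 'break' moves on to the next 'to'."""
    for what, clauses in acls:
        if not what_matches(what, req):
            continue
        for who, level in clauses:
            if who_matches(who, req):
                if level == "break":
                    break          # ACL break: keep evaluating the later olcAccess rules
                return level
        else:
            return "none"          # a matching 'to' whose 'by' clauses all miss denies access
    return "none"                  # nothing matched: slapd's implicit trailing "to * by * none"

PEOPLE = "ou=People,dc=example,dc=com"
USER_ADMINS = frozenset({"cn=LdapUserAdmin,ou=Group,dc=example,dc=com"})
ALICE, BOB = "uid=alice," + PEOPLE, "uid=bob," + PEOPLE  # constructed identities

def demo():
    """Granted level for constructed requests against the post's rules."""
    acls = parse_acls(ACL_LDIF)
    return {
        "alice_sets_bob_password": granted_level(acls, Request(BOB, "userPassword", ALICE, USER_ADMINS)),
        "bob_reads_alice_password": granted_level(acls, Request(ALICE, "userPassword", BOB)),  # not even read
        "anonymous_password": granted_level(acls, Request(BOB, "userPassword", None)),  # bind only
        "bob_adds_user": granted_level(acls, Request(PEOPLE, "children", BOB)),  # break -> 'to * by * read'
        "bob_sets_own_gidNumber": granted_level(acls, Request(BOB, "gidNumber", BOB)),  # earlier rule wins
        "bob_sets_own_mail": granted_level(acls, Request(BOB, "mail", BOB)),
    }
```

Two outcomes are worth noticing. `bob_reads_alice_password` comes out as `none` even though the last rule says `to * by * read`, because the userPassword rule matches first and its `by * none` ends evaluation; conversely, `bob_adds_user` reaches that last rule only because the `children` rule ends in `by * break`. And `bob_sets_own_gidNumber` is only `read`: the memberUid/gidNumber rule precedes the final `self write`, so a user cannot move themselves into another primary group, which is exactly what a rule ordering review should confirm before the ACL goes live.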