配置 – openldap代理授权
我在使用代理授权进行更新时遇到了一些麻烦.我正在使用UnboundID的LDAP SDK连接到OpenLDAP,并使用更新发送
ProxiedAuthorizationV2RequestControl for dn:uid = me,dc = People,dc = example,dc = com.我已经测试并验证了目标用户有权执行操作,但我得到了
当我尝试通过代理身份验证时. 我在原始用户的cn = config和authzTo = {0} ldap:/// dc = people,dc = com ?? subordinate?(objectClass = inetOrgPerson)中配置了olcAuthzPolicy =两者. authzTo似乎正在起作用;当我改变它时,我得到了
当我尝试更新(也用于搜索). 我有这个ldapwhoami -U门户-Y DIGEST-MD5 -X u:mace -H ldap:// yorktown -Z现在没有saslauthd工作.我只需要将代理用户(门户网站)的密码存储为纯文本.但是当我尝试更新任何内容时,我仍然获得“访问权限不足”. 代理用户 dn: uid=portal,ou=Special Accounts,dc=example,dc=com objectClass: inetOrgPerson cn: portal sn: portal uid: portal userPassword: test authzTo: {0}ldap:///dc=People,dc=com??sub?(objectClass=inetOrgPerson) 有效用户: dn: employeeNumber=1400,dc=People,dc=com objectClass: inetOrgPerson objectClass: posixAccount objectClass: sambaSamAccount objectClass: shadowAccount uid: mace ... 这是更新尝试的日志,尝试将employeeNumber = 1385添加为cn = Data Management的成员.它似乎正在正确地查看嵌套组,但似乎它应该在cn = administrators中获得employeeNumber = 1400后表示匹配. op tag 0x66,time 1299022001 conn=31595 op=2 do_modify conn=31595 op=2 do_modify: dn (cn=Data Management,dc=Roles,dc=com) >>> dnPrettyNormal: <cn=Data Management,dc=com> <<< dnPrettyNormal: <cn=Data Management,dc=com>,<cn=data management,dc=roles,dc=com> conn=31595 op=2 modifications: replace: member multiple values conn=31595 op=2 MOD dn="cn=Data Management,dc=com" conn=31595 op=2 MOD attr=member >>> dnPretty: <employeeNumber=1020,dc=com> <<< dnPretty: <employeeNumber=1020,dc=com> >>> dnPretty: <employeeNumber=1385,dc=com> <<< dnPretty: <employeeNumber=1385,dc=com> >>> dnNormalize: <employeeNumber=1020,dc=com> <<< dnNormalize: <employeeNumber=1020,dc=people,dc=com> >>> dnNormalize: <employeeNumber=1385,dc=com> <<< dnNormalize: <employeeNumber=1385,dc=com> dnMatch -1 "employeeNumber=1020,dc=com" "employeeNumber=1385,dc=com" bdb_dn2entry("cn=data management,dc=com") ==> unique_modify <cn=Data Management,dc=com> bdb_modify: cn=Data Management,dc=com bdb_dn2entry("cn=data management,dc=com") bdb_modify_internal: 0x00000043: cn=Data Management,dc=com >>> dnNormalize: <cn=Administrators,ou=LDAP,dc=Applications,dc=com> <<< dnNormalize: <cn=administrators,ou=ldap,dc=applications,dc=com> => bdb_entry_get: ndn: "cn=administrators,dc=com" => bdb_entry_get: oc: "(null)",at: "member" bdb_dn2entry("cn=administrators,dc=com") bdb_entry_get: rc=0 >>> dnNormalize: <cn=system administrators,dc=com> <<< dnNormalize: <cn=system administrators,dc=com> => bdb_entry_get: ndn: "cn=system administrators,at: "member" bdb_dn2entry("cn=system administrators,dc=com") bdb_entry_get: rc=0 >>> dnNormalize: <employeeNumber=1306,dc=com> <<< dnNormalize: <employeeNumber=1306,dc=com> => bdb_entry_get: ndn: "employeeNumber=1306,at: "member" bdb_dn2entry("employeeNumber=1306,dc=com") bdb_entry_get: rc=16 >>> dnNormalize: <employeeNumber=1329,dc=com> <<< dnNormalize: <employeeNumber=1329,dc=com> => bdb_entry_get: ndn: "employeeNumber=1329,at: "member" bdb_dn2entry("employeeNumber=1329,dc=com") bdb_entry_get: rc=16 >>> dnNormalize: <employeeNumber=1401,dc=com> <<< dnNormalize: <employeeNumber=1401,dc=com> => bdb_entry_get: ndn: "employeeNumber=1401,at: "member" bdb_dn2entry("employeeNumber=1401,dc=com") bdb_entry_get: rc=16 >>> dnNormalize: <employeeNumber=1400,dc=com> <<< dnNormalize: <employeeNumber=1400,dc=com> => bdb_entry_get: ndn: "employeeNumber=1400,at: "member" bdb_dn2entry("employeeNumber=1400,dc=com") bdb_entry_get: rc=16 bdb_modify: modify failed (50) send_ldap_result: conn=31595 op=2 p=3 send_ldap_result: err=50 matched="" text="" send_ldap_response: msgid=3 tag=103 err=50 conn=31595 op=2 RESULT tag=103 err=50 text=
我在大约一年前经历过,代理授权用来让我发疯.所以我可能没有明确的答案,但也许我可以提供帮助.
首先:增加slapd的loglevel!它很冗长,但它有所帮助. # ldapwhoami -U proxyuser -Y DIGEST-MD5 -X u:targetuser -H ldap://localhost 您应该在配置中启用两个参数. olcAuthzPolicy(您有)和olcAuthzRegexp(用于构建SASL身份验证字符串). olcAuthzRegexp: "^uid=([^,]+).*,cn=[^,]*,cn=auth$" "ldap:///dc=example,dc=net??sub?(uid=$1)" olcAuthzPolicy: to 最后,正如您所说,您的proxyuser应具有authzTo属性.以下是我的代理用户之一的定义: dn: cn=proxyuser,dc=net uid: proxyuser mail: proxyuser@example.net sn: proxyuser cn: proxyuser objectClass: inetOrgPerson objectClass: top structuralObjectClass: inetOrgPerson authzTo: {0}ldap:///dc=example,dc=net??sub?(objectClass=inetOrgPerson) userPassword:: iodqwhdowihw0123hef92e= 现在这应该足以使代理授权工作(再一次,用ldapwhoami测试它). (编辑:李大同) 【声明】本站内容均来自网络,其相关言论仅代表作者个人观点,不代表本站立场。若无意侵犯到您的权利,请及时与联系站长删除相关内容! |