Create a read-only LDAP account

- Generate the read-only account file readOnly.ldif
```bash
# Password for the read-only account (the page's sample value). slapd stores
# whatever is written here verbatim, so a value pre-hashed with slappasswd is preferable.
LDAP_READONLY_USER_PW='passwd'
# Base DN
LDAP_BASE_DN='dc=example,dc=org'
# Unquoted EOF so the variables above are expanded into the LDIF
cat <<EOF > ./readOnly.ldif
dn: cn=readonly,${LDAP_BASE_DN}
cn: readonly
objectClass: simpleSecurityObject
objectClass: organizationalRole
description: LDAP read only user
userPassword: ${LDAP_READONLY_USER_PW}
EOF
```
- Add the read-only account file to LDAP

```bash
# Simple bind as the rootdn (cn=Manager). -w takes the password on the command
# line (visible in shell history and process listings); -W prompts for it instead.
ldapadd -x -D cn=Manager,dc=example,dc=org -w 'passwd' -f ./readOnly.ldif
```
Configure the read-only account's permissions

```bash
LDAP_BASE_DN='dc=example,dc=org'
# The target database DN depends on the installation ({2}hdb here; {1}mdb on many
# newer installs). List the configured databases with:
#   ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config '(olcDatabase=*)' olcDatabase
# The whole olcAccess list is deleted and replaced, so every rule must be restated.
# In LDIF, a continuation line must begin with a space; the "by ..." lines below
# continue the preceding olcAccess value.
cat <<EOF > readonly-user-acl.ldif
dn: olcDatabase={2}hdb,cn=config
changetype: modify
delete: olcAccess
-
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by dn="cn=Manager,${LDAP_BASE_DN}" write
  by anonymous auth
  by self write
  by dn="cn=readonly,${LDAP_BASE_DN}" read
  by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,${LDAP_BASE_DN}" write by * read
EOF
```

Apply the ACL change over the local ldapi socket, authenticating as root via SASL EXTERNAL (the cn=config database is normally only writable that way):

```bash
ldapmodify -Y EXTERNAL -H ldapi:/// -f readonly-user-acl.ldif
```
Reference:
https://www.cnblogs.com/husbandmen/p/13307381.html