
OpenLDAP server logging and access control configuration

Posted: 2015-11-12 21:58:09      Views: 526      Comments: 0

1. OpenLDAP log generation and log file size control
1.1 LDAP logging
1.1.1 Logging configuration
Create the file logging.ldif with the following contents:

dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats

Implement the change:
sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f logging.ldif
1.1.2 Enabling LDAP logging
Edit the rsyslog configuration and add a rule that writes the LDAP log to its own file (slapd sends its log messages to the LOCAL4 syslog facility by default):
vim /etc/rsyslog.conf
# LDAP
local4.* /var/log/slapd/slapd.log

And then restart the rsyslog daemon:
sudo service rsyslog restart
1.2 Limiting log file size
vim /etc/logrotate.d/slapd

/var/log/slapd/*log {
    weekly
    missingok
    notifempty
    # size without a unit suffix is in bytes; because it follows "weekly", rotation is triggered by size rather than by the interval
    size=100
    rotate 5
    postrotate
        # Alternative, for reference: /bin/systemctl reload slapd.service > /dev/null 2>/dev/null || true
        systemctl restart slapd.service
        systemctl restart rsyslog.service
        systemctl restart firewalld.service
    endscript
}
Restart to apply:
sudo service rsyslog restart

2. OpenLDAP olcAccess access control
2.1 Allowing LDAP users to change their own password
This part deserves further study:
Remove the database config entry and its access directives from slapd.conf;
then, in /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif, add (LDIF continuation lines start with a space, so the second space below is the separator that survives unfolding):
olcAccess: {0}to attrs=userPassword
  by self write
  by * read
olcAccess: {1}to *
  by * read
# service slapd restart
Two points to keep in mind: files under slapd.d carry a CRC32 checksum line, so editing them by hand makes slapd log a checksum warning, whereas applying the same values with ldapmodify over ldapi:/// (as in the following sections) does not; and "by * read" on userPassword lets every client, including anonymous ones, read password hashes, which is why the later sections tighten this to "by anonymous auth ... by * none" (binds still work, reads do not).
2.2 Configuring anonymous access and related problems
2.2.1 Configuration
vim olcAccess.ldif

dn: cn=config
changetype: modify
replace: olcDisallows
olcDisallows: bind_anon
-

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcRequires
olcRequires: authc
-

dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=dcnet,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to * by dn="cn=Manager,dc=dcnet,dc=com" write by * read

ldapadd -Y EXTERNAL -H ldapi:/// -f olcAccess.ldif
2.2.2 Removing the configuration when the anonymous-access settings cause problems
If Linux system authentication starts failing (clients that relied on anonymous binds are now rejected), delete the relevant entries:
vim olcAccess-del.ldif

dn: cn=config
changetype: modify
delete: olcDisallows
-

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
delete: olcRequires
-

dn: olcDatabase={2}bdb,cn=config
changetype: modify
delete: olcAccess

ldapadd -Y EXTERNAL -H ldapi:/// -f olcAccess-del.ldif
2.3 Restricting ordinary users to their own ou=people
vim olcAccess.ldif

dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword by dn="cn=Manager,dc=dcnet,dc=com" write by self write by dn="cn=info,cn=Manager,dc=dcnet,dc=com" read by * auth
olcAccess: {1}to dn.base="ou=people,dc=dcnet,dc=com" by dn="cn=Manager,dc=dcnet,dc=com" write by dn="cn=info,cn=Manager,dc=dcnet,dc=com" read by dn.children="ou=people,dc=dcnet,dc=com" read by * auth
olcAccess: {2}to dn.base="ou=group,dc=dcnet,dc=com" by dn="cn=Manager,dc=dcnet,dc=com" write by dn="cn=info,cn=Manager,dc=dcnet,dc=com" read by dn.children="ou=people,dc=dcnet,dc=com" read by * auth
olcAccess: {3}to dn.base="ou=HunandcPeople,dc=dcnet,dc=com" by dn="cn=Manager,dc=dcnet,dc=com" write by dn="cn=info,cn=Manager,dc=dcnet,dc=com" read by dn.children="ou=HunandcPeople,dc=dcnet,dc=com" read by * auth
olcAccess: {4}to dn.base="ou=HunandcGroup,dc=dcnet,dc=com" by dn="cn=Manager,dc=dcnet,dc=com" write by dn="cn=info,cn=Manager,dc=dcnet,dc=com" read by dn.children="ou=people,dc=dcnet,dc=com" read by * auth
olcAccess: {5}to dn.base="ou=CooperatorsPeople,dc=dcnet,dc=com" by dn="cn=Manager,dc=dcnet,dc=com" write by dn="cn=info,cn=Manager,dc=dcnet,dc=com" read by dn.children="ou=CooperatorsPeople,dc=dcnet,dc=com" read by * auth
olcAccess: {6}to dn.base="cn=Manager,dc=dcnet,dc=com" by dn="cn=Manager,dc=dcnet,dc=com" write by dn="cn=info,cn=Manager,dc=dcnet,dc=com" read by dn.children="cn=Manager,dc=dcnet,dc=com" read by * auth
olcAccess: {7}to * by dn="cn=Manager,dc=dcnet,dc=com" write by * read

ldapadd -Y EXTERNAL -H ldapi:/// -f olcAccess.ldif
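As an added illustration (not part of the original post), the following Python evaluates a request against a list of olcAccess values the way slapd does: the first matching "to" clause decides, and within it the first matching "by" clause gives the access level. It embeds rules {0}, {1} and {7} from section 2.3 and, going beyond the page's rules, also accepts dn.subtree and dn.children in the "to" clause; the DNs uid=bob, uid=carol and uid=alice used in the checks are made up, and finer slapd details such as attrs=entry, regex styles and the disclose/manage levels are left out.

```python
import re

def norm(dn):
    # Normalise a DN for comparison: lower-case, no whitespace around commas.
    return ",".join(p.strip() for p in dn.lower().split(","))

def dn_matches(style, base, dn):
    # "base" matches only the entry itself, "children" only its subordinates, "subtree" both.
    base, dn = norm(base), norm(dn)
    if style == "base":
        return dn == base
    return dn.endswith("," + base) or (style == "subtree" and dn == base)

def parse_rule(value):
    # Split one olcAccess value into its <what> selector and an ordered list of (<who>, <level>) pairs.
    what, *clauses = re.split(r"\s+by\s+", re.sub(r"^\{\d+\}", "", value.strip()))
    return what.split(None, 1)[1], [tuple(c.rsplit(None, 1)) for c in clauses]

def what_matches(what, target_dn, attr):
    if what == "*":
        return True
    m = re.fullmatch(r"attrs=([\w,]+)", what)  # attribute rule: applies to attribute access only
    if m:
        return attr is not None and attr.lower() in m.group(1).lower().split(",")
    m = re.fullmatch(r'dn\.(base|children|subtree)="([^"]+)"', what)
    return bool(m) and dn_matches(m.group(1), m.group(2), target_dn)

def who_matches(who, bind_dn, target_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "self":
        return bind_dn is not None and norm(bind_dn) == norm(target_dn)
    m = re.fullmatch(r'dn(?:\.(base|children|subtree))?="([^"]+)"', who)  # bare dn= is an exact match
    return bool(m) and bind_dn is not None and dn_matches(m.group(1) or "base", m.group(2), bind_dn)

def access(rules, bind_dn, target_dn, attr=None):
    # First matching <what> decides; within it the first matching <who> gives the level; no match means "none".
    for what, clauses in map(parse_rule, rules):
        if what_matches(what, target_dn, attr):
            return next((lvl for who, lvl in clauses if who_matches(who, bind_dn, target_dn)), "none")
    return "none"

# Rules {0}, {1} and {7} as given in section 2.3 above; bind_dn=None models an anonymous bind.
RULES = [
    '{0}to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword by dn="cn=Manager,dc=dcnet,dc=com" write by self write by dn="cn=info,cn=Manager,dc=dcnet,dc=com" read by * auth',
    '{1}to dn.base="ou=people,dc=dcnet,dc=com" by dn="cn=Manager,dc=dcnet,dc=com" write by dn="cn=info,cn=Manager,dc=dcnet,dc=com" read by dn.children="ou=people,dc=dcnet,dc=com" read by * auth',
    '{7}to * by dn="cn=Manager,dc=dcnet,dc=com" write by * read',
]
```

Running it against rule {1} shows that dn.base covers only the ou=people entry itself: a user under ou=people reading another user's ordinary attributes under ou=HunandcPeople falls through to rule {7} and gets read. Replacing dn.base with dn.subtree in that rule is what restricts the whole subtree.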
2.4 Disabling anonymous reads and defining a global read-only user
vim olcAccess.ldif

dn: cn=config
changetype: modify
replace: olcDisallows
olcDisallows: bind_anon
-

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcRequires
olcRequires: authc
-

dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn="cn=Manager,dc=dcnet,dc=com" write by dn="cn=info,cn=Manager,dc=dcnet,dc=com" read by * auth


Original: http://www.cnblogs.com/donneyliu/p/Centos-Openldap-Server-Log-Anon-OlcAccess.html
