Version: CentOS

1. Disable anonymous access

By default an anonymous user can retrieve every user's information, even the password field; although the password field is encrypted, this is still dangerous.

Create the file disable_anon.ldif (each dn: record is separated from the next by a blank line):
dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon

dn: cn=config
changetype: modify
add: olcRequires
olcRequires: authc

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcRequires
olcRequires: authc
Import the configuration:
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f disable_anon.ldif

2. Configure ACLs

- Deny everyone access to user information, and grant access only through dedicated LDAP management accounts (an admin account with write access and a read-only account)
Create acl.ldif (the "by" lines continue the preceding olcAccess value, so each of them must start with whitespace):
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: to attrs=userPassword
  by anonymous auth
  by dn.base="cn=ldapadmin,ou=manage,dc=taovip,dc=com" write
  by * none
olcAccess: to *
  by anonymous auth
  by dn.base="cn=ldapadmin,ou=manage,dc=taovip,dc=com" write
  by dn.base="cn=ldapread,ou=manage,dc=taovip,dc=com" read
  by * none
Import the configuration:
ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f acl.ldif

- Delete an ACL (addressed by its {n} index)
Create the file del_acl.ldif:
dn: olcDatabase={2}hdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: {0}
ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f del_acl.ldif
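The two LDIF files above are short enough to type by hand, but the layout rules they depend on are easy to lose when copying from a web page: a line that continues the previous attribute value must start with a space (a "by ..." line starting in column 0 has no ":" and is not valid LDIF, so ldapmodify rejects the file), and one dn: record is separated from the next by a blank line. The following is an added example, not code from the post: it builds disable_anon.ldif and acl.ldif from the post's DNs and values, then reads them back with a minimal LDIF reader so both rules can be checked offline. The function names are this example's own.

```python
# Added example, not part of the original post: generate the LDIF files from
# sections 1 and 2 and read them back. DNs and ACL values are the post's own;
# the function names are this example's.

def acl_lines(attr, acl):
    """Render one ACL as 'attr: to <what>' plus one indented line per 'by'
    clause (the layout used in the post); slapd joins the indented lines back
    into a single attribute value."""
    parts = acl.split(" by ")          # the post's ACL DNs contain no ' by '
    lines = [f"{attr}: {parts[0]}"]
    lines += [f"  by {clause}" for clause in parts[1:]]
    return lines

def modify_record(dn, op, attr, values):
    """One 'changetype: modify' record applying op (add/replace/delete) to attr."""
    lines = [f"dn: {dn}", "changetype: modify", f"{op}: {attr}"]
    for value in values:
        lines += acl_lines(attr, value) if attr == "olcAccess" else [f"{attr}: {value}"]
    return "\n".join(lines) + "\n"

def join_records(*records):
    """Concatenate records into one file; the blank line between them is what
    lets ldapmodify tell where the next 'dn:' record starts."""
    return "\n\n".join(r.rstrip("\n") for r in records) + "\n"

def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines, splits records on blank
    lines and returns a list of records, each a list of (attr, value) pairs.
    '#' comments and base64 ('::') values are not handled; it only needs to
    read what the functions above write."""
    records, current = [], []
    for raw in text.splitlines():
        if raw == "":
            if current:
                records.append(current)
            current = []
        elif raw.startswith(" "):
            if not current:
                raise ValueError("continuation line with nothing to continue")
            attr, value = current[-1]             # fold: glue onto previous value
            current[-1] = (attr, value + raw[1:])
        else:
            attr, sep, value = raw.partition(":")
            if not sep:                           # same failure ldapmodify reports
                raise ValueError(f"missing ':' in line: {raw!r}")
            current.append((attr, value.strip()))
    if current:
        records.append(current)
    return records

def valid_ldif(text):
    """True if parse_ldif accepts the text."""
    try:
        parse_ldif(text)
        return True
    except ValueError:
        return False

def acl_values(ldif_text):
    """olcAccess values of the first record, as ldapmodify sees them after unfolding."""
    return [v for a, v in parse_ldif(ldif_text)[0] if a == "olcAccess"]

# Section 1: the three records of disable_anon.ldif.
DISABLE_ANON = join_records(
    modify_record("cn=config", "add", "olcDisallows", ["bind_anon"]),
    modify_record("cn=config", "add", "olcRequires", ["authc"]),
    modify_record("olcDatabase={-1}frontend,cn=config", "add", "olcRequires", ["authc"]),
)

# Section 2: acl.ldif.
ADMIN = "cn=ldapadmin,ou=manage,dc=taovip,dc=com"
READER = "cn=ldapread,ou=manage,dc=taovip,dc=com"
ACLS = [
    f'to attrs=userPassword by anonymous auth by dn.base="{ADMIN}" write by * none',
    f'to * by anonymous auth by dn.base="{ADMIN}" write by dn.base="{READER}" read by * none',
]
ACL_LDIF = modify_record("olcDatabase={2}hdb,cn=config", "replace", "olcAccess", ACLS)

if __name__ == "__main__":
    print(DISABLE_ANON)
    print(ACL_LDIF)
    # The same file with the continuation indent removed is no longer LDIF.
    stripped = "\n".join(line.lstrip() for line in ACL_LDIF.splitlines())
    print("indented copy valid:", valid_ldif(ACL_LDIF), "| stripped copy valid:", valid_ldif(stripped))
    # Without the blank separators the three section-1 records collapse into one.
    print("records without blank lines:", len(parse_ldif(DISABLE_ANON.replace("\n\n", "\n"))))
```

The reader is deliberately small; it exists to show that the value ldapmodify applies is the joined line, and that an indentation-stripped copy or a file without blank separators is a different document, not a cosmetic variant.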

3. Notes from my own practice

ACL configuration:

1. With the following settings:
Only the administrator can change passwords, and only the administrator can view the whole directory;
other accounts cannot change passwords and cannot view the directory.
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: to attrs=userPassword
  by anonymous auth
  by dn.base="cn=Manager-Fxd,dc=fxd-ldap,dc=com" write
  by * none
olcAccess: to *
  by anonymous auth
  by dn.base="cn=Manager-Fxd,dc=fxd-ldap,dc=com" write
  by dn.base="cn=Manager-Fxd,dc=fxd-ldap,dc=com" read
  by * none

2. With the following configuration:
All users must authenticate;
the super-admin account can view and edit every entry and attribute;
users under ou=People,dc=fxd-ldap,dc=com can view every entry except the super-admin's, but cannot see the password attribute.
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: to attrs=userPassword
  by anonymous auth
  by dn.base="cn=Manager-Fxd,dc=fxd-ldap,dc=com" write
  by * none
olcAccess: to dn.base="cn=Manager-Fxd,dc=fxd-ldap,dc=com"
  by anonymous auth
  by self write
  by self read
  by * none
olcAccess: to *
  by anonymous auth
  by dn.subtree="ou=People,dc=fxd-ldap,dc=com" write
  by dn.subtree="ou=People,dc=fxd-ldap,dc=com" read
  by * none
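Whether an olcAccess set does what its description says depends on evaluation order: slapd uses the first rule whose "to" part matches the entry and attribute, then the first "by" clause in that rule whose subject matches the requester, and grants access only if the level found there is at least the level requested. The following is an added example, not code from the post: a small model of that evaluation, fed with the second rule set above and with the section-2 rule set, so a change can be reasoned through before it is loaded with ldapmodify. It assumes that cn=Manager-Fxd is the database's olcRootDN (the post does not say so, but that is what lets it edit everything even though the rules only grant it its own entry; the rootdn is exempt from ACLs), the sample user DNs alice and bob are constructed, and the model covers only the target and subject forms the post uses.

```python
# Added example, not code from the original post: a model of slapd's first-match
# ACL evaluation for the rule forms used in sections 2 and 3. Supported targets:
# "*", attrs=, dn.base=, dn.subtree=; subjects: *, anonymous, users, self,
# dn.base=, dn.subtree=. Regex/filter targets, sets and the "entry"/"children"
# pseudo-attributes of real slapd are left out. Function names are this example's.
import shlex

# Privilege levels in slapd's order; a higher level implies every lower one.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def in_subtree(dn, base):
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)

def parse_acl(text):
    """Parse one olcAccess value into {'what': [...], 'by': [(who, level), ...]}.
    A leading {n} ordering prefix, as shown by ldapsearch on cn=config, is dropped."""
    if text.startswith("{"):
        text = text[text.index("}") + 1:]
    toks = shlex.split(text)  # keeps dn.base="cn=x,dc=y" together as one token
    if not toks or toks[0] != "to":
        raise ValueError("olcAccess value must start with 'to'")
    what, by, i = [], [], 1
    while i < len(toks) and toks[i] != "by":
        what.append(toks[i])
        i += 1
    while i < len(toks):
        if toks[i] != "by" or i + 2 >= len(toks):
            raise ValueError("malformed 'by <who> <level>' clause")
        by.append((toks[i + 1], toks[i + 2]))
        i += 3
    return {"what": what, "by": by}

def what_matches(what, target_dn, attr):
    """Does the rule's target select (target_dn, attr)? attr=None means the entry itself."""
    for tok in what:
        if tok == "*":
            continue
        key, _, val = tok.partition("=")
        if key == "attrs":
            if attr is None or attr.lower() not in [a.strip().lower() for a in val.split(",")]:
                return False
        elif key == "dn.base":
            if target_dn.lower() != val.lower():
                return False
        elif key == "dn.subtree":
            if not in_subtree(target_dn, val):
                return False
        else:
            raise ValueError(f"unsupported target: {tok}")
    return True

def who_matches(who, requester_dn, target_dn):
    """requester_dn is None for an anonymous (unauthenticated) requester."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if requester_dn is None:
        return False  # every remaining subject needs an authenticated DN
    if who == "users":
        return True
    if who == "self":
        return requester_dn.lower() == target_dn.lower()
    key, _, val = who.partition("=")
    if key == "dn.base":
        return requester_dn.lower() == val.lower()
    if key == "dn.subtree":
        return in_subtree(requester_dn, val)
    raise ValueError(f"unsupported subject: {who}")

def access_allowed(acls, requester_dn, target_dn, attr, requested, rootdn=None):
    """True if slapd would grant `requested` (a LEVELS name) on target_dn/attr."""
    if rootdn and requester_dn and requester_dn.lower() == rootdn.lower():
        return True  # the database's olcRootDN bypasses ACLs entirely
    for acl in acls:
        if not what_matches(acl["what"], target_dn, attr):
            continue
        for who, level in acl["by"]:
            if who_matches(who, requester_dn, target_dn):
                return LEVELS.index(level) >= LEVELS.index(requested)
        return False  # 'to' matched but no 'by' did: implicit 'by * none'
    return False  # no 'to' matched; the post's rule sets all end with 'to *'

# Rule set 2 from section 3. Assumption: cn=Manager-Fxd is the olcRootDN.
MANAGER = "cn=Manager-Fxd,dc=fxd-ldap,dc=com"
PEOPLE = "ou=People,dc=fxd-ldap,dc=com"
PRACTICE_2 = [parse_acl(s) for s in (
    f'to attrs=userPassword by anonymous auth by dn.base="{MANAGER}" write by * none',
    f'to dn.base="{MANAGER}" by anonymous auth by self write by self read by * none',
    f'to * by anonymous auth by dn.subtree="{PEOPLE}" write by dn.subtree="{PEOPLE}" read by * none',
)]

def practice_2_matrix():
    """Outcomes for constructed sample users alice and bob under PRACTICE_2."""
    alice, bob = f"uid=alice,{PEOPLE}", f"uid=bob,{PEOPLE}"
    def ok(req, tgt, attr, lvl):
        return access_allowed(PRACTICE_2, req, tgt, attr, lvl, rootdn=MANAGER)
    return {
        "anonymous can bind (auth on userPassword)": ok(None, alice, "userPassword", "auth"),
        "anonymous can read cn": ok(None, alice, "cn", "read"),
        "alice reads bob's cn": ok(alice, bob, "cn", "read"),
        "alice reads bob's userPassword": ok(alice, bob, "userPassword", "read"),
        "alice changes her own password": ok(alice, alice, "userPassword", "write"),
        "alice reads the manager's entry": ok(alice, MANAGER, "cn", "read"),
        "manager writes bob's userPassword": ok(MANAGER, bob, "userPassword", "write"),
    }

if __name__ == "__main__":
    for case, allowed in practice_2_matrix().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {case}")
```

Two things the matrix makes visible that the prose description does not: the `by anonymous auth` clause on userPassword is what still lets users bind after section 1 has required authentication (a bind is performed anonymously and needs `auth` on the password), and because the userPassword rule ends in `by * none` with no `by self write`, ordinary users under ou=People cannot change their own password under this rule set; the `to *` rule grants them `write` on everything else. On a live server the same cases can be checked by binding as each account with `ldapsearch -x -D <dn> -W` and comparing what comes back.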