OpenLDAP server logging and access-control configuration

1. OpenLDAP log generation and log file size control
1.1 LDAP logging
1.1.1 Log level configuration
Create the file logging.ldif with the following contents:

dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats

Implement the change:
sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f logging.ldif
1.1.2 Enabling LDAP log output
Edit the rsyslog configuration and add the section that writes the slapd log (slapd logs to the local4 facility):
vim /etc/rsyslog.conf
# LDAP
local4.* /var/log/slapd/slapd.log

And then restart the rsyslog daemon:
sudo service rsyslog restart
1.2 Limiting log file size
vim /etc/logrotate.d/slapd

/var/log/slapd/*log {
weekly
missingok
notifempty
size=100
rotate 5
postrotate
# Alternative, adjust as needed: /bin/systemctl reload slapd.service > /dev/null 2>/dev/null || true
systemctl restart slapd.service
systemctl restart rsyslog.service
systemctl restart firewalld.service
endscript
}
Restart rsyslog for the change to take effect:
sudo service rsyslog restart

2. OpenLDAP olcAccess access control
2.1 Configuration letting LDAP users change their own password
This part merits further study:
Remove the database config section and its access directives from slapd.conf;
In /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif, add the following (LDIF continuation lines start with a single space):
olcAccess: {0}to attrs=userPassword
 by self write
 by * read
olcAccess: {1}to *
 by * read
# service slapd restart
2.2 Configuring anonymous access and the problems it can cause
2.2.1 Configuration
vim olcAccess.ldif

dn: cn=config
changetype: modify
replace: olcDisallows
olcDisallows: bind_anon
-

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcRequires
olcRequires: authc
-

dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=dcnet,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to * by dn="cn=Manager,dc=dcnet,dc=com" write by * read

ldapadd -Y EXTERNAL -H ldapi:/// -f olcAccess.ldif
2.2.2 Removing the configuration when the anonymous-access settings cause problems
If Linux system authentication against LDAP breaks, the related directives can be removed:
vim olcAccess-del.ldif

dn: cn=config
changetype: modify
delete: olcDisallows
-

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
delete: olcRequires
-

dn: olcDatabase={2}bdb,cn=config
changetype: modify
delete: olcAccess

ldapadd -Y EXTERNAL -H ldapi:/// -f olcAccess-del.ldif
2.3 Restricting ordinary users to their own ou=people after login
vim olcAccess.ldif

dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword by dn="cn=Manager,dc=dcnet,dc=com" write by self write by dn="cn=info,cn=Manager,dc=dcnet,dc=com" read by * auth
olcAccess: {1}to dn.base="ou=people,dc=dcnet,dc=com" by dn="cn=Manager,dc=dcnet,dc=com" write by dn="cn=info,cn=Manager,dc=dcnet,dc=com" read by dn.children="ou=people,dc=dcnet,dc=com" read by * auth
olcAccess: {2}to dn.base="ou=group,dc=dcnet,dc=com" by dn="cn=Manager,dc=dcnet,dc=com" write by dn="cn=info,cn=Manager,dc=dcnet,dc=com" read by dn.children="ou=people,dc=dcnet,dc=com" read by * auth
olcAccess: {3}to dn.base="ou=HunandcPeople,dc=dcnet,dc=com" by dn="cn=Manager,dc=dcnet,dc=com" write by dn="cn=info,cn=Manager,dc=dcnet,dc=com" read by dn.children="ou=HunandcPeople,dc=dcnet,dc=com" read by * auth
olcAccess: {4}to dn.base="ou=HunandcGroup,dc=dcnet,dc=com" by dn="cn=Manager,dc=dcnet,dc=com" write by dn="cn=info,cn=Manager,dc=dcnet,dc=com" read by dn.children="ou=people,dc=dcnet,dc=com" read by * auth
olcAccess: {5}to dn.base="ou=CooperatorsPeople,dc=dcnet,dc=com" by dn="cn=Manager,dc=dcnet,dc=com" write by dn="cn=info,cn=Manager,dc=dcnet,dc=com" read by dn.children="ou=CooperatorsPeople,dc=dcnet,dc=com" read by * auth
olcAccess: {6}to dn.base="cn=Manager,dc=dcnet,dc=com" by dn="cn=Manager,dc=dcnet,dc=com" write by dn="cn=info,cn=Manager,dc=dcnet,dc=com" read by dn.children="cn=Manager,dc=dcnet,dc=com" read by * auth
olcAccess: {7}to * by dn="cn=Manager,dc=dcnet,dc=com" write by * read

ldapadd -Y EXTERNAL -H ldapi:/// -f olcAccess.ldif
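What these rules actually grant can be checked offline with the following Python simulator of slapd's first-match evaluation (an added example, not code from the original post or from OpenLDAP; ALICE and BOB are constructed DNs, and only the selectors and who-clauses used on this page plus dn.subtree are modelled). Applied to rules {0}, {1} and {7} above, it shows that dn.base="ou=people,..." matches only the ou=people entry itself, so the user entries beneath it fall through to {7}to * by * read, which even an anonymous bind satisfies; dn.subtree is the selector that covers the whole branch.

```python
import re
def _norm(dn):
    return ",".join(p.strip().lower() for p in dn.split(",")) if dn else ""

def _below(entry, base):  # strict descendant of base, i.e. what dn.children means
    return _norm(entry) != _norm(base) and _norm(entry).endswith("," + _norm(base))

def parse_rule(text):
    """LDIF line '{n}to <what> by <who> <level> by ...' -> (what, [(who, level), ...])."""
    text = text.split("olcAccess:", 1)[-1].strip()
    what, rest = re.match(r'(?:\{\d+\})?\s*to\s+(.*?)\s+by\s+(.*)$', text).groups()
    return what, [tuple(c.rsplit(None, 1)) for c in re.split(r'\s+by\s+', rest)]

def _what_matches(what, entry_dn, attr):
    """Every selector in the 'to' clause must match; unknown selectors raise KeyError."""
    for sel in what.split():
        key, _, val = sel.partition("=")
        val = val.strip('"')
        if not {"*": True,
                "attrs": attr is not None and attr.lower() in val.lower().split(","),
                "dn.base": _norm(entry_dn) == _norm(val),      # that one entry only
                "dn.subtree": _norm(entry_dn) == _norm(val) or _below(entry_dn, val),
                "dn.children": _below(entry_dn, val)}[key]:
            return False
    return True

def _who_matches(who, bind_dn, entry_dn):
    key, _, val = who.partition("=")
    val = val.strip('"')
    return {"*": True, "anonymous": bind_dn == "", "users": bind_dn != "",
            "self": bind_dn != "" and _norm(bind_dn) == _norm(entry_dn),
            "dn": _norm(bind_dn) == _norm(val), "dn.children": _below(bind_dn, val)}[key]

def access(rules, bind_dn, entry_dn, attr=None):
    """First 'to' clause matching the target decides; inside it the first matching 'by' decides."""
    for what, by in map(parse_rule, rules):
        if _what_matches(what, entry_dn, attr):
            return next((lvl for who, lvl in by if _who_matches(who, bind_dn, entry_dn)), "none")
    return "none"  # no 'to' clause matched: implicit 'by * none'

# Rules {0}, {1} and {7} as written in section 2.3, plus the same set with dn.base widened
# to dn.subtree; ALICE and BOB are constructed test DNs under ou=people.
RULES_2_3 = [
    'olcAccess: {0}to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword by dn="cn=Manager,dc=dcnet,dc=com" write by self write by dn="cn=info,cn=Manager,dc=dcnet,dc=com" read by * auth',
    'olcAccess: {1}to dn.base="ou=people,dc=dcnet,dc=com" by dn="cn=Manager,dc=dcnet,dc=com" write by dn="cn=info,cn=Manager,dc=dcnet,dc=com" read by dn.children="ou=people,dc=dcnet,dc=com" read by * auth',
    'olcAccess: {7}to * by dn="cn=Manager,dc=dcnet,dc=com" write by * read',
]
RULES_SUBTREE = [r.replace("dn.base=", "dn.subtree=") for r in RULES_2_3]
ALICE, BOB = "uid=alice,ou=people,dc=dcnet,dc=com", "uid=bob,ou=people,dc=dcnet,dc=com"
```

access() returns the name of the level granted (none, auth, read, write, ...); a request succeeds when that level is at least the one the operation needs.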
2.4 Disallowing anonymous reads and configuring a global read-only user
vim olcAccess.ldif

dn: cn=config
changetype: modify
replace: olcDisallows
olcDisallows: bind_anon
-

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcRequires
olcRequires: authc
-

dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn="cn=Manager,dc=dcnet,dc=com" write by dn="cn=info,cn=Manager,dc=dcnet,dc=com" read by * auth

Reposted from: https://www.cnblogs.com/donneyliu/p/Centos-Openldap-Server-Log-Anon-OlcAccess.html
