我在使用代理授权进行更新时遇到了一些麻烦.我正在使用UnboundID的LDAP SDK连接到OpenLDAP,并使用更新发送
ProxiedAuthorizationV2RequestControl for dn:uid = me,dc = People,dc = example,dc = com.我已经测试并验证了目标用户有权执行操作,但我得到了
insufficient access rights
当我尝试通过代理身份验证时.
我在原始用户的cn = config和authzTo = {0} ldap:/// dc = people,dc = com ?? subordinate?(objectClass = inetOrgPerson)中配置了olcAuthzPolicy =两者. authzTo似乎正在起作用;当我改变它时,我得到了
not authorized to assume identity
当我尝试更新(也用于搜索).
我有这个ldapwhoami -U门户-Y DIGEST-MD5 -X u:mace -H ldap:// yorktown -Z现在没有saslauthd工作.我只需要将代理用户(门户网站)的密码存储为纯文本.但是当我尝试更新任何内容时,我仍然获得“访问权限不足”.
代理用户
dn: uid=portal,ou=Special Accounts,dc=example,dc=com
objectClass: inetOrgPerson
cn: portal
sn: portal
uid: portal
userPassword: test
authzTo: {0}ldap:///dc=People,dc=com??sub?(objectClass=inetOrgPerson)
有效用户:
dn: employeeNumber=1400,dc=People,dc=com objectClass: inetOrgPerson objectClass: posixAccount objectClass: sambaSamAccount objectClass: shadowAccount uid: mace ...
这是更新尝试的日志,尝试将employeeNumber = 1385添加为cn = Data Management的成员.它似乎正在正确地查看嵌套组,但似乎它应该在cn = administrators中获得employeeNumber = 1400后表示匹配.
op tag 0x66,time 1299022001
conn=31595 op=2 do_modify
conn=31595 op=2 do_modify: dn (cn=Data Management,dc=Roles,dc=com)
>>> dnPrettyNormal: <cn=Data Management,dc=com>
<<< dnPrettyNormal: <cn=Data Management,dc=com>,<cn=data management,dc=roles,dc=com>
conn=31595 op=2 modifications:
replace: member
multiple values
conn=31595 op=2 MOD dn="cn=Data Management,dc=com"
conn=31595 op=2 MOD attr=member
>>> dnPretty: <employeeNumber=1020,dc=com>
<<< dnPretty: <employeeNumber=1020,dc=com>
>>> dnPretty: <employeeNumber=1385,dc=com>
<<< dnPretty: <employeeNumber=1385,dc=com>
>>> dnNormalize: <employeeNumber=1020,dc=com>
<<< dnNormalize: <employeeNumber=1020,dc=people,dc=com>
>>> dnNormalize: <employeeNumber=1385,dc=com>
<<< dnNormalize: <employeeNumber=1385,dc=com>
dnMatch -1 "employeeNumber=1020,dc=com" "employeeNumber=1385,dc=com"
bdb_dn2entry("cn=data management,dc=com")
==> unique_modify <cn=Data Management,dc=com>
bdb_modify: cn=Data Management,dc=com
bdb_dn2entry("cn=data management,dc=com")
bdb_modify_internal: 0x00000043: cn=Data Management,dc=com
>>> dnNormalize: <cn=Administrators,ou=LDAP,dc=Applications,dc=com>
<<< dnNormalize: <cn=administrators,ou=ldap,dc=applications,dc=com>
=> bdb_entry_get: ndn: "cn=administrators,dc=com"
=> bdb_entry_get: oc: "(null)",at: "member"
bdb_dn2entry("cn=administrators,dc=com")
bdb_entry_get: rc=0
>>> dnNormalize: <cn=system administrators,dc=com>
<<< dnNormalize: <cn=system administrators,dc=com>
=> bdb_entry_get: ndn: "cn=system administrators,at: "member"
bdb_dn2entry("cn=system administrators,dc=com")
bdb_entry_get: rc=0
>>> dnNormalize: <employeeNumber=1306,dc=com>
<<< dnNormalize: <employeeNumber=1306,dc=com>
=> bdb_entry_get: ndn: "employeeNumber=1306,at: "member"
bdb_dn2entry("employeeNumber=1306,dc=com")
bdb_entry_get: rc=16
>>> dnNormalize: <employeeNumber=1329,dc=com>
<<< dnNormalize: <employeeNumber=1329,dc=com>
=> bdb_entry_get: ndn: "employeeNumber=1329,at: "member"
bdb_dn2entry("employeeNumber=1329,dc=com")
bdb_entry_get: rc=16
>>> dnNormalize: <employeeNumber=1401,dc=com>
<<< dnNormalize: <employeeNumber=1401,dc=com>
=> bdb_entry_get: ndn: "employeeNumber=1401,at: "member"
bdb_dn2entry("employeeNumber=1401,dc=com")
bdb_entry_get: rc=16
>>> dnNormalize: <employeeNumber=1400,dc=com>
<<< dnNormalize: <employeeNumber=1400,dc=com>
=> bdb_entry_get: ndn: "employeeNumber=1400,at: "member"
bdb_dn2entry("employeeNumber=1400,dc=com")
bdb_entry_get: rc=16
bdb_modify: modify Failed (50)
send_ldap_result: conn=31595 op=2 p=3
send_ldap_result: err=50 matched="" text=""
send_ldap_response: msgid=3 tag=103 err=50
conn=31595 op=2 RESULT tag=103 err=50 text=
我在大约一年前经历过,代理授权用来让我发疯.所以我可能没有明确的答案,但也许我可以提供帮助.
原文链接:https://www.f2er.com/bash/385286.html首先:增加slapd的loglevel!它很冗长,但它有所帮助.
第二:使用ldapwhoami来测试代理授权.您可以使用-X选项指定目标用户,使用-U指定代理用户.
# ldapwhoami -U proxyuser -Y DIGEST-MD5 -X u:targetuser -H ldap://localhost
您应该在配置中启用两个参数. olcAuthzPolicy(您有)和olcAuthzRegexp(用于构建SASL身份验证字符串).
这是我在配置中的内容:
olcAuthzRegexp: "^uid=([^,]+).*,cn=[^,]*,cn=auth$"
"ldap:///dc=example,dc=net??sub?(uid=$1)"
olcAuthzPolicy: to
最后,正如您所说,您的proxyuser应具有authzTo属性.以下是我的代理用户之一的定义:
dn: cn=proxyuser,dc=net
uid: proxyuser
mail: proxyuser@example.net
sn: proxyuser
cn: proxyuser
objectClass: inetOrgPerson
objectClass: top
structuralObjectClass: inetOrgPerson
authzTo: {0}ldap:///dc=example,dc=net??sub?(objectClass=inetOrgPerson)
userPassword:: iodqwhdowihw0123hef92e=
现在这应该足以使代理授权工作(再一次,用ldapwhoami测试它).
我在我的wiki(SASL和代理授权)上写了一章,因为我需要它从cyrus-imapd和postfix连接到openldap.
有关更多信息,请查看它:http://wiki.linuxwall.info/doku.php/en:ressources:dossiers:openldap:openldap_debian#sasl
