OpenLDAP server logging and access-control configuration


1. OpenLDAP log generation and log file size control
1.1 LDAP logging
1.1.1 Log level configuration
Which operations slapd logs is controlled by olcLogLevel in cn=config. The `stats` level records every connection, operation and result (bind DNs, search bases and filters, result codes such as err=49 for a failed bind) without logging passwords or entry contents, which is the level to use for access auditing. Create the file logging.ldif with the following contents:

dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats

Apply the change:
sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f logging.ldif
1.1.2 Enabling LDAP log output
slapd does not write a log file itself; it sends its messages to syslog on facility local4 (the default unless slapd is started with -l). Edit the rsyslog configuration and add a rule that writes that facility to its own file (create /var/log/slapd first if it does not exist):
vim /etc/rsyslog.conf
# LDAP
local4.* /var/log/slapd/slapd.log

And then restart the rsyslog daemon:
sudo service rsyslog restart
1.2 Limiting log file size
vim /etc/logrotate.d/slapd

/var/log/slapd/*log {
    weekly
    missingok
    notifempty
    size 100M
    rotate 5
    sharedscripts
    postrotate
        /usr/bin/systemctl kill -s HUP rsyslog.service > /dev/null 2>&1 || true
    endscript
}

Three things to know about this rule. `size` takes a unit suffix (k, M, G); the unit-less `size=100` of the original rule means 100 bytes and would rotate the log on every run. `size` also replaces the `weekly` schedule rather than adding to it (both set the same rotation criterion, and the one that appears last wins); use `maxsize 100M` instead if you want weekly rotation plus an early rotation whenever the file grows past 100 MB. Finally, slapd never opens slapd.log itself; rsyslog does, so the postrotate script only has to make rsyslog reopen its output files (SIGHUP). The original rule restarted slapd, rsyslog and firewalld here: restarting slapd at every rotation drops all client connections, and firewalld has nothing to do with logging, so neither belongs in a logrotate script.

No daemon needs restarting for the rule to take effect; logrotate reads it on its next scheduled run. Check the syntax with a dry run, then force one rotation and confirm that new log lines land in the fresh slapd.log:
logrotate -d /etc/logrotate.d/slapd
logrotate -f /etc/logrotate.d/slapd
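What `olcLogLevel: stats` gives you is a connection/operation/result trail that can be mined for failed and anonymous binds. The following Python script is an added example, not part of the original page: it correlates the ACCEPT, BIND and RESULT lines of a slapd.log written by the rsyslog rule above, counts failed binds per client IP and flags sources that tried several different DNs, the signature of password spraying. The log lines, host name, PID, IPs and DNs in it are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/slapd/slapd.log as rsyslog writes it (olcLogLevel: stats).
# Host name, PID, IPs and DNs are invented; the line formats follow slapd's stats output.
SAMPLE_LOG = """\
Jan 12 10:15:01 ldap01 slapd[1234]: conn=1001 fd=12 ACCEPT from IP=10.0.0.5:49152 (IP=0.0.0.0:389)
Jan 12 10:15:01 ldap01 slapd[1234]: conn=1001 op=0 BIND dn="uid=alice,ou=people,dc=dcnet,dc=com" method=128
Jan 12 10:15:01 ldap01 slapd[1234]: conn=1001 op=0 RESULT tag=97 err=49 text=
Jan 12 10:15:01 ldap01 slapd[1234]: conn=1001 op=1 UNBIND
Jan 12 10:15:01 ldap01 slapd[1234]: conn=1001 fd=12 closed
Jan 12 10:15:02 ldap01 slapd[1234]: conn=1002 fd=12 ACCEPT from IP=10.0.0.5:49153 (IP=0.0.0.0:389)
Jan 12 10:15:02 ldap01 slapd[1234]: conn=1002 op=0 BIND dn="uid=bob,ou=people,dc=dcnet,dc=com" method=128
Jan 12 10:15:02 ldap01 slapd[1234]: conn=1002 op=0 RESULT tag=97 err=49 text=
Jan 12 10:15:03 ldap01 slapd[1234]: conn=1003 fd=13 ACCEPT from IP=10.0.0.5:49154 (IP=0.0.0.0:389)
Jan 12 10:15:03 ldap01 slapd[1234]: conn=1003 op=0 BIND dn="uid=carol,ou=people,dc=dcnet,dc=com" method=128
Jan 12 10:15:03 ldap01 slapd[1234]: conn=1003 op=0 RESULT tag=97 err=49 text=
Jan 12 10:15:04 ldap01 slapd[1234]: conn=1004 fd=14 ACCEPT from IP=10.0.0.7:51000 (IP=0.0.0.0:389)
Jan 12 10:15:04 ldap01 slapd[1234]: conn=1004 op=0 BIND dn="cn=info,cn=Manager,dc=dcnet,dc=com" method=128
Jan 12 10:15:04 ldap01 slapd[1234]: conn=1004 op=0 BIND dn="cn=info,cn=Manager,dc=dcnet,dc=com" mech=SIMPLE ssf=0
Jan 12 10:15:04 ldap01 slapd[1234]: conn=1004 op=0 RESULT tag=97 err=0 text=
Jan 12 10:15:04 ldap01 slapd[1234]: conn=1004 op=1 SRCH base="dc=dcnet,dc=com" scope=2 deref=0 filter="(uid=alice)"
Jan 12 10:15:04 ldap01 slapd[1234]: conn=1004 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 12 10:15:05 ldap01 slapd[1234]: conn=1005 fd=15 ACCEPT from IP=10.0.0.9:40000 (IP=0.0.0.0:389)
Jan 12 10:15:05 ldap01 slapd[1234]: conn=1005 op=0 BIND dn="" method=128
Jan 12 10:15:05 ldap01 slapd[1234]: conn=1005 op=0 RESULT tag=97 err=48 text=anonymous bind disallowed
"""

BIND_RESPONSE_TAG = 97  # LDAP bindResponse; slapd prints it as tag=97 on the RESULT line
ACCEPT_RE = re.compile(r"conn=(?P<conn>\d+) fd=\d+ ACCEPT from IP=(?P<ip>[\d.]+):\d+")
BIND_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)"')
RESULT_RE = re.compile(r"conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT tag=(?P<tag>\d+) err=(?P<err>\d+)")


def parse_bind_results(log_text):
    """Correlate ACCEPT / BIND / RESULT lines into (client_ip, bind_dn, err) tuples.

    The client IP appears only on the ACCEPT line and the outcome only on the
    RESULT line (err=49 invalid credentials, err=48 inappropriate authentication),
    so both are keyed back through conn= and op=.
    """
    conn_ip = {}    # conn id -> client IP
    pending = {}    # (conn, op) -> DN of a BIND whose RESULT has not been seen yet
    results = []
    for line in log_text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            conn_ip[m["conn"]] = m["ip"]
            continue
        m = BIND_RE.search(line)
        if m:  # a simple bind logs two BIND lines for one op; the DN is the same on both
            pending[(m["conn"], m["op"])] = m["dn"]
            continue
        m = RESULT_RE.search(line)
        if m and int(m["tag"]) == BIND_RESPONSE_TAG and (m["conn"], m["op"]) in pending:
            dn = pending.pop((m["conn"], m["op"]))
            results.append((conn_ip.get(m["conn"], "?"), dn, int(m["err"])))
    return results


def failed_binds_by_ip(results):
    """Map client IP -> list of DNs whose bind failed (err != 0), in log order."""
    failures = defaultdict(list)
    for ip, dn, err in results:
        if err != 0:
            failures[ip].append(dn)
    return dict(failures)


def spraying_sources(results, threshold=3):
    """IPs whose failed binds covered at least `threshold` distinct DNs (password spraying)."""
    return {ip for ip, dns in failed_binds_by_ip(results).items() if len(set(dns)) >= threshold}


def rejected_anonymous_binds(results):
    """Count anonymous binds (empty DN) that slapd refused, e.g. after olcDisallows: bind_anon."""
    return sum(1 for _ip, dn, err in results if dn == "" and err != 0)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    res = parse_bind_results(text)
    for ip, dns in failed_binds_by_ip(res).items():
        print(f"{ip}: {len(dns)} failed binds, {len(set(dns))} distinct DNs")
    print("possible spraying from:", sorted(spraying_sources(res)))
    print("rejected anonymous binds:", rejected_anonymous_binds(res))
```

Run it as `python3 slapd_binds.py /var/log/slapd/slapd.log` on a real file; with no argument it analyses the embedded sample. The threshold of three distinct DNs is an arbitrary starting point; tune it to the size of your user base, and remember that the BIND line carries the DN a client claimed, not a DN that necessarily exists.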

2. OpenLDAP olcAccess access control
2.1 Letting LDAP users change their own password
(An area the author marks for further study.)
Remove the `database config` section and its `access` directives from slapd.conf;
in /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif, add:
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to *
  by * read
# service slapd restart

The original text ended rule {0} with `by * read`. Do not do that: it lets every client, anonymous ones included, read the userPassword hashes of all users and crack them offline. `by self write` lets a user change (and read) only their own password; `by anonymous auth` is still required so that a simple bind can verify the password, because the bind is checked while the connection is still anonymous; `by * none` hides the hash from everyone else. Continuation lines start with a space; the LDIF parser strips that first space, so the second one keeps the clauses apart. Editing files under slapd.d by hand is discouraged (slapd warns about a bad checksum when it next starts); applying the same change with ldapmodify against cn=config, as in the following sections, takes effect immediately and needs no restart.
2.2 Disabling anonymous access, and the problems it causes
2.2.1 Configuration
vim olcAccess.ldif

dn: cn=config
changetype: modify
replace: olcDisallows
olcDisallows: bind_anon

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcRequires
olcRequires: authc

dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=dcnet,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to * by dn="cn=Manager,dc=dcnet,dc=com" write by * read

ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f olcAccess.ldif

`olcDisallows: bind_anon` makes slapd reject anonymous binds, and `olcRequires: authc` on the frontend database makes every operation on every database require an authenticated session, so an unauthenticated search now fails with "authentication required" instead of returning entries. Keep `by anonymous auth` in rule {0} even so: a simple bind is evaluated before the connection is authenticated, and without it nobody can log in. Records in one LDIF file are separated by a blank line; the `-` separator belongs only between several modifications of the same entry, so the stray `-` lines the original file placed after the blank lines were invalid and have been removed. Since the records carry `changetype: modify`, ldapmodify is the right tool (ldapadd is ldapmodify -a, which also honours an explicit changetype but is misleading here).
2.2.2 Rolling the configuration back if disabling anonymous access causes problems
If Linux system authentication breaks after this change (PAM/NSS clients such as nslcd or sssd that were searching the directory anonymously can no longer do so), the relevant entries can be deleted:
vim olcAccess-del.ldif

dn: cn=config
changetype: modify
delete: olcDisallows
-

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
delete: olcRequires
-

dn: olcDatabase={2}bdb,cn=config
changetype: modify
delete: olcAccess

ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f olcAccess-del.ldif

Be aware of what the last record does: `delete: olcAccess` with no value removes every ACL of the database, after which slapd falls back to its built-in default of `to * by * read`, and the whole directory, userPassword hashes included, becomes world-readable again. Prefer replacing olcAccess with a known-good rule set (the one in section 2.1) over deleting it, and fix the clients to bind with a read-only account (section 2.4) instead of reopening anonymous access.
2.3 Restricting ordinary users to their own ou=people subtree
vim olcAccess.ldif

dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword by dn="cn=Manager,dc=dcnet,dc=com" write by self write by dn="cn=info,cn=Manager,dc=dcnet,dc=com" read by * auth
olcAccess: {1}to dn.subtree="ou=people,dc=dcnet,dc=com" by dn="cn=Manager,dc=dcnet,dc=com" write by dn="cn=info,cn=Manager,dc=dcnet,dc=com" read by dn.children="ou=people,dc=dcnet,dc=com" read by * auth
olcAccess: {2}to dn.subtree="ou=group,dc=dcnet,dc=com" by dn="cn=Manager,dc=dcnet,dc=com" write by dn="cn=info,cn=Manager,dc=dcnet,dc=com" read by dn.children="ou=people,dc=dcnet,dc=com" read by * auth
olcAccess: {3}to dn.subtree="ou=HunandcPeople,dc=dcnet,dc=com" by dn="cn=Manager,dc=dcnet,dc=com" write by dn="cn=info,cn=Manager,dc=dcnet,dc=com" read by dn.children="ou=HunandcPeople,dc=dcnet,dc=com" read by * auth
olcAccess: {4}to dn.subtree="ou=HunandcGroup,dc=dcnet,dc=com" by dn="cn=Manager,dc=dcnet,dc=com" write by dn="cn=info,cn=Manager,dc=dcnet,dc=com" read by dn.children="ou=HunandcPeople,dc=dcnet,dc=com" read by * auth
olcAccess: {5}to dn.subtree="ou=CooperatorsPeople,dc=dcnet,dc=com" by dn="cn=Manager,dc=dcnet,dc=com" write by dn="cn=info,cn=Manager,dc=dcnet,dc=com" read by dn.children="ou=CooperatorsPeople,dc=dcnet,dc=com" read by * auth
olcAccess: {6}to dn.subtree="cn=Manager,dc=dcnet,dc=com" by dn="cn=Manager,dc=dcnet,dc=com" write by dn="cn=info,cn=Manager,dc=dcnet,dc=com" read by dn.children="cn=Manager,dc=dcnet,dc=com" read by * auth
olcAccess: {7}to * by dn="cn=Manager,dc=dcnet,dc=com" write by * read

ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f olcAccess.ldif

Two corrections to the rule set as it was posted. The original used `dn.base` in rules {1} to {6}; `dn.base` matches only the OU entry itself, not the entries beneath it, so every user and group entry fell through to the catch-all {7} and was readable by any authenticated user, which defeats the purpose of this section. `dn.subtree` covers the OU and everything under it. The original {4} (ou=HunandcGroup) also granted read to the children of ou=people, where by the pattern of {2} and {3} the children of ou=HunandcPeople were evidently meant. Rule order matters too: for each entry and attribute slapd applies the first `to` clause that matches both, so {0} must stay in front; if a per-OU rule came first, everyone in ou=people would get `read` on each other's password hashes through it. What {7} still exposes to everyone is the base entry dc=dcnet,dc=com, which clients need in order to start a search there, and anything outside the listed OUs. Verify from a client: `ldapsearch -x -D "uid=<user>,ou=HunandcPeople,dc=dcnet,dc=com" -W -b "ou=people,dc=dcnet,dc=com"` must return no entries for a user from another OU.
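The rules above only do what they appear to do if slapd's evaluation order is kept in mind: for each entry and attribute, the first `to` clause that matches both is the only one consulted, and inside it the first matching `by` clause decides. The following Python script is an added example, not part of the original page: it models these semantics for the subset of the syntax used here (dn.base/children/subtree, attrs, by dn/dn.children/self/anonymous/users/*) and runs the section 2.3 ou=people rules with `dn.base` and with `dn.subtree`, plus the section 2.1 userPassword rule in its posted and corrected forms. It is a simplified model, not slapd (no regex styles, sets, `continue`/`break`, or `disclose`/`manage` levels); the user DNs uid=alice,ou=people,... and uid=zhang,ou=HunandcPeople,... are constructed.

```python
import re

# Simplified model of slapd ACL evaluation: the first "to" clause matching the entry
# and the attribute wins, and inside it the first matching "by" clause decides.
# Not modelled: regex styles, sets, continue/break controls, disclose/manage levels.
LEVELS = ("none", "auth", "compare", "search", "read", "write")

MANAGER = "cn=Manager,dc=dcnet,dc=com"                   # rootdn used on the page
INFO = "cn=info,cn=Manager,dc=dcnet,dc=com"              # read-only account used on the page
ALICE = "uid=alice,ou=people,dc=dcnet,dc=com"            # constructed user in ou=people
STRANGER = "uid=zhang,ou=HunandcPeople,dc=dcnet,dc=com"  # constructed user in another OU

def _norm(dn):
    """Lower-case a DN and strip blanks around its RDNs (escaped commas not handled)."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def _dn_in_scope(dn, style, base):
    descendant = dn.endswith("," + base)
    if style in ("base", "exact"):
        return dn == base
    if style == "children":
        return descendant
    if style == "subtree":
        return dn == base or descendant
    raise ValueError("unsupported dn style: " + style)

def parse_acl(text):
    """Parse one olcAccess value '{n}to <what> by <who> <level> [by ...]'."""
    what, *by_parts = re.split(r"\s+by\s+", re.sub(r"^\{\d+\}", "", text.strip()))
    if not what.startswith("to "):
        raise ValueError("olcAccess value must start with 'to'")
    dn_scope, attrs = None, None                     # None means "matches everything"
    for key, val in re.findall(r'(dn(?:\.\w+)?|attrs)=("[^"]*"|\S+)', what[3:]):
        if key == "attrs":
            attrs = {a.strip().lower() for a in val.split(",")}
        else:
            style = key.split(".")[1] if "." in key else "base"
            dn_scope = (style, _norm(val.strip('"')))
    by = []
    for clause in by_parts:
        who, level = clause.rsplit(None, 1)
        if level not in LEVELS:
            raise ValueError("unsupported access level: " + level)
        by.append((who, level))
    return dn_scope, attrs, by

def _who_matches(who, requester, entry):
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester == entry
    m = re.fullmatch(r'(dn(?:\.\w+)?)="([^"]*)"', who)
    if m and requester is not None:
        style = m.group(1).split(".")[1] if "." in m.group(1) else "exact"
        return _dn_in_scope(requester, style, _norm(m.group(2)))
    return False

def access(rules, requester, entry, attr):
    """Access level `requester` (None = anonymous) gets to `attr` of `entry`."""
    requester = None if requester is None else _norm(requester)
    entry, attr = _norm(entry), attr.lower()
    for dn_scope, attrs, by in rules:
        if dn_scope is not None and not _dn_in_scope(entry, *dn_scope):
            continue
        if attrs is not None and attr not in attrs:
            continue
        for who, level in by:
            if _who_matches(who, requester, entry):
                return level
        return "none"   # a matching "to" whose "by" clauses all miss denies
    return "none"       # no "to" matched: slapd denies once any ACL is defined

def section_2_3_rules(style):
    """The ou=people part of the section 2.3 rule set, with the dn style as a parameter."""
    return [parse_acl(r) for r in (
        f'{{0}}to attrs=userPassword,shadowLastChange by dn="{MANAGER}" write '
        f'by self write by dn="{INFO}" read by * auth',
        f'{{1}}to dn.{style}="ou=people,dc=dcnet,dc=com" by dn="{MANAGER}" write '
        f'by dn="{INFO}" read by dn.children="ou=people,dc=dcnet,dc=com" read by * auth',
        f'{{2}}to * by dn="{MANAGER}" write by * read',
    )]

if __name__ == "__main__":
    for style in ("base", "subtree"):
        print(f"dn.{style}: user from another OU reading alice's mail ->",
              access(section_2_3_rules(style), STRANGER, ALICE, "mail"))
    leaky = [parse_acl("{0}to attrs=userPassword by self write by * read")]
    fixed = [parse_acl("{0}to attrs=userPassword by self write by anonymous auth by * none")]
    print("2.1 as posted, stranger on alice's userPassword ->", access(leaky, STRANGER, ALICE, "userPassword"))
    print("2.1 corrected, stranger on alice's userPassword ->", access(fixed, STRANGER, ALICE, "userPassword"))
    print("2.1 corrected, anonymous bind step ->", access(fixed, None, ALICE, "userPassword"))
```

With `dn.base` the stranger gets `read` on alice's entry because rule {1} never matches it and {2} (`to * ... by * read`) does; with `dn.subtree` the same request stops at {1} and yields `auth`. The model is for reasoning about a rule set before loading it; the authoritative check is still slapd itself (slapacl on the server, or ldapsearch with a test bind from a client).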
2.4 Denying anonymous reads and defining a global read-only user
vim olcAccess.ldif

dn: cn=config
changetype: modify
replace: olcDisallows
olcDisallows: bind_anon

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcRequires
olcRequires: authc

dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn="cn=Manager,dc=dcnet,dc=com" write by dn="cn=info,cn=Manager,dc=dcnet,dc=com" read by * auth

ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f olcAccess.ldif

With this single rule every client has to bind: ordinary users can authenticate (`auth` on their own userPassword) but read nothing, cn=info reads the whole tree, and only cn=Manager writes. cn=info, with its password, is therefore the bind DN to configure in nslcd, sssd or any other directory client; an empty bind DN no longer works. Two side effects to keep in mind: `self write` is absent, so users can no longer change their own password (put a `to attrs=userPassword ... by self write ...` rule in front of this one if they should, as in section 2.1), and the cn=info password now grants read access to every attribute of every entry, so it belongs in a root-only readable client configuration file and should be rotated like any other service credential.

