Access rights in docker osixia LDAP

Question

I have a working OpenLDAP installation initialized from an LDIF. I want to load the same data into osixia/docker-openldap. The data is loaded, but only the admin can see it. The users from the LDIF cannot see their own branch.

Excerpt from osixia-openldap\environment\my-env.startup.yaml

LDAP_DOMAIN: centaur.tld

Excerpt from osixia-openldap\bootstrap\ldif\demo_data.ldif

dn: cn=ldapadm,dc=centaur,dc=TLD
changetype: add
objectClass: top
objectClass: person
cn: ldapadm
sn: LDAP Manager
userpassword: VerySecret

dn: olcDatabase={1}{{ LDAP_BACKEND }},cn=config
changetype: modify
delete: olcAccess
-
add: olcAccess
olcAccess: {0}to *
              by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
              by * break
olcAccess: {1}to attrs=userPassword,shadowLastChange
              by self                               write
              by dn="cn=ldapadm,dc=centaur,dc=TLD" write
              by anonymous                          auth
              by *                                  none
olcAccess: {2}to *
              by self                               read
              by *                                  read

dn: ou=ABC,dc=centaur,dc=tld
changetype: add
objectClass: top
objectClass: organizationalUnit
ou: ABC

dn: ou=people,ou=ABC,dc=centaur,dc=tld
changetype: add
objectClass: top
objectClass: organizationalUnit
ou: people

dn: cn=manager,ou=people,ou=ABC,dc=centaur,dc=tld
changetype: add
objectClass: top
objectClass: person
objectClass: inetOrgPerson
cn: manager
sn: Manager
userpassword: VerySecret

>docker exec %CONTAINER% ldapsearch -x -H ldap://localhost -b ou=people,ou=ABC,dc=centaur,dc=TLD -D "cn=manager,ou=people,ou=ABC,dc=centaur,dc=TLD" -w VerySecret
# search result
search: 2
result: 32 No such object

>docker exec %CONTAINER% ldapsearch -x -H ldap://localhost -b ou=people,ou=ABC,dc=centaur,dc=TLD -D "cn=admin,dc=centaur,dc=TLD" -w admin
# search result
search: 2
result: 0 Success
# numResponses: 11
# numEntries: 10

This configuration does not work either:

olcAccess: to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: to attrs=userPassword,shadowLastChange by self write by  dn="cn=ldapadm,dc=centaur,dc=TLD" write by anonymous auth by * none
olcAccess: to * by self read by dn="cn=ldapadm,dc=centaur,dc=TLD" write by * none
olcAccess: to * by self write by * read

How do I configure this image so that the new users can browse its contents?

Update

It seems that my configuration is not applied:

docker exec %CONTAINER% ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b cn=config "(|(cn=config)(olcDatabase={1}mdb))"

olcSuffix: dc=centaur,dc=TLD
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to attrs=userPassword,shadowLastChange by self write by dn="cn=admin,dc=centaur,dc=TLD" write by anonymous auth by * none
olcAccess: {2}to * by self read by dn="cn=admin,dc=centaur,dc=TLD" write by
dn="cn=readonly,dc=centaur,dc=TLD" read by * none

Tags: docker, openldap

Answer

Here is my working setup. The problem was that the environment variable LDAP_READONLY_USER: true overrode my security import (osixia/docker-openldap/issues/456).

Directory hierarchy

(shown as a screenshot in the original post; not reproduced here)

98-data.ldif

dn: cn=ldapadm,dc=centaur,dc=TLD
changetype: add
objectClass: top
objectClass: person
cn: ldapadm
sn: LDAP Manager
userpassword: VerySecret

dn: ou=ABC,dc=centaur,dc=TLD
changetype: add
objectClass: top
objectClass: organizationalUnit
ou: ABC

dn: cn=manager,ou=ABC,dc=centaur,dc=TLD
changetype: add
objectClass: top
objectClass: person
objectClass: inetOrgPerson
cn: manager
givenName: Eve
sn: Manager
displayName: Eve Manager
userpassword: VerySecret

99-config.ldif

dn: olcDatabase={1}{{ LDAP_BACKEND }},cn=config
changetype: modify
delete: olcAccess
-
add: olcAccess
olcAccess: to *
            by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
            by * break
olcAccess: to attrs=userPassword,shadowLastChange
            by self write
            by dn="cn=ldapadm,dc=centaur,dc=TLD" write
            by anonymous auth
            by * none
olcAccess: to * by self read
            by dn="cn=admin,dc=centaur,dc=TLD" write
            by dn="cn=ldapadm,dc=centaur,dc=TLD" write
            by users read
            by * none

my-env.startup.yaml

LDAP_ORGANISATION: Centaur
LDAP_DOMAIN: centaur.TLD
LDAP_ADMIN_PASSWORD: admin
LDAP_CONFIG_PASSWORD: config  
LDAP_READONLY_USER: false
LDAP_TLS: false
LDAP_TLS_ENFORCE: false

Dockerfile

FROM osixia/openldap:1.4.0
MAINTAINER Leos Literak <leos.literak@DOMAIN.TLD>

ADD bootstrap /container/service/slapd/assets/config/bootstrap
ADD certs /container/service/slapd/assets/certs
ADD environment /container/environment/01-custom

Commands

docker build -t leos/ABC-ldap:0.0.13 --rm .
docker ps
set CONTAINER=dbad6fe6798e
docker run -p 389:389 -p 636:636  --detach leos/ABC-ldap:0.0.13  --loglevel debug
docker exec %CONTAINER% ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b cn=config "(|(cn=config)(olcDatabase={1}mdb))"
docker exec %CONTAINER% ldapsearch -x -H ldap://localhost -b dc=centaur,dc=TLD -D "cn=admin,dc=centaur,dc=TLD" -w admin
docker exec %CONTAINER% ldapsearch -x -H ldap://localhost -b dc=centaur,dc=TLD -D "cn=manager,ou=ABC,dc=centaur,dc=TLD" -w VerySecret
docker stop %CONTAINER%
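To see why the ACL that slapd had actually applied (the one shown in the question's Update) hides ou=ABC from cn=manager while the answer's 99-config.ldif makes it readable, here is a small evaluator of olcAccess directives. It is an added example, not code from the original post or from the osixia image; it assumes simple binds, covers only the who/what forms used on this page (*, self, anonymous, users, dn= / dn.exact=, attrs=), and assumes cn=admin is the rootdn, which slapd exempts from ACLs.

```python
import re

# 'by <who> [<level>] [<control>]' clause, per slapd.access(5).
CLAUSE = re.compile(r"by\s+(\S+)(?:\s+(none|disclose|auth|compare|search|read|write|manage))?(?:\s+(break|stop|continue))?")

def norm_dn(dn):
    # cn/dc values compare case-insensitively, so dc=TLD and dc=tld name the same entry.
    return re.sub(r",\s*", ",", (dn or "").strip().lower())

def parse_acl(text):
    """olcAccess values ({n} prefix optional, may span lines) -> [(what, [(who, level, control)])]."""
    rules = []
    for value in re.split(r"olcAccess:\s*(?:\{\d+\})?", text):
        m = re.match(r"to\s+(\S+)\s*(.*)", " ".join(value.split()))
        if m:
            rules.append((m.group(1), CLAUSE.findall(m.group(2))))
    return rules

def who_matches(who, bind, target):
    m = re.match(r'dn(?:\.exact)?="?([^"]+)"?$', who)
    return (who == "*" or (who == "anonymous" and not bind) or (who == "users" and bool(bind))
            or (who == "self" and bool(bind) and bind == target)
            or bool(m and norm_dn(m.group(1)) == bind))

def access(rules, bind_dn, target_dn, attr, root_dn=None):
    """Level bind_dn (None = anonymous) gets on attr of target_dn; 'entry' is the pseudo-attribute a search needs read on."""
    bind, target = norm_dn(bind_dn), norm_dn(target_dn)
    if root_dn and bind == norm_dn(root_dn):
        return "manage"  # the rootdn (assumed: cn=admin in the osixia image) bypasses ACLs entirely
    for what, clauses in rules:
        if what != "*" and attr.lower() not in what.split("=", 1)[1].lower().split(","):
            continue  # this directive covers other attributes only
        for who, level, control in clauses:
            if who_matches(who, bind, target):
                if control == "break":
                    break  # 'by * break': carry on with the next 'to' directive
                return level or "none"  # first matching clause decides (implicit 'stop')
        else:
            return "none"  # no clause matched: implicit 'by * none'
    return "none"

# ACLs copied from the page: what the Update showed slapd had applied, and the answer's 99-config.ldif.
APPLIED = """olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to attrs=userPassword,shadowLastChange by self write by dn="cn=admin,dc=centaur,dc=TLD" write by anonymous auth by * none
olcAccess: {2}to * by self read by dn="cn=admin,dc=centaur,dc=TLD" write by dn="cn=readonly,dc=centaur,dc=TLD" read by * none"""
WORKING = """olcAccess: to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: to attrs=userPassword,shadowLastChange by self write by dn="cn=ldapadm,dc=centaur,dc=TLD" write by anonymous auth by * none
olcAccess: to * by self read by dn="cn=admin,dc=centaur,dc=TLD" write by dn="cn=ldapadm,dc=centaur,dc=TLD" write by users read by * none"""
MANAGER, OU = "cn=manager,ou=ABC,dc=centaur,dc=TLD", "ou=ABC,dc=centaur,dc=tld"
```

Under APPLIED, cn=manager reaches the final `by * none` of the third directive and gets no access to the ou=ABC entry, which is what the "32 No such object" result reflects; under WORKING, `by users read` grants read to any authenticated bind.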
