ApacheDS文檔比較難讀,定義用戶權限部分比較隱晦,好在硬骨頭已經啃下。
首先把我看到的有用的資料留下:
1、官方文檔-基本用戶手冊:http://directory.apache.org/apacheds/basic-user-guide.html 主要介紹了安裝以及基本操作、登錄等。
2、官方文檔-高級用戶手冊:http://directory.apache.org/apacheds/advanced-user-guide.html 介紹了代碼編譯、系統結構、服務配置以及服務權限管理,這裏吐槽一下,真的很難懂,並且各種TODO;
3、看起來像官方的文檔:http://joacim.breiler.com/apacheds/book.html 介紹得很詳盡,例子也很豐富。
4、訪問控制實例 FR20_ApacheDS_Access_Control_Administration_The_X.500_Way.pdf
=============================================================================================================
常用的名詞解析:
DIT Directory Information Tree
AA administrative areas
AP administrative points
AAA autonomous administrative area 有自治權的管理區域,所有的實體均統一管理
SAA specific administrative area 特定管理區域
IAA inner administrative area 內部管理區域
SAP specific administrative point
ACI Access Control Information
Usually an entry is selected as the administrative point and marked with an operational attribute. The attributeType of the operational attribute is 'administrativeRole'.
通過添加一個可選屬性來使一個實體成爲管理點
ACSA access control specific area
=================================================================================================================
實戰演練
需求:
1、LDAP超級管理員,管理LDAP上的所有數據;
2、匿名用戶可以查看用戶信息;
3、用戶分爲開發、測試和運維三組;
4、通過用戶組授權
操作指南:
1、安裝ApacheDS服務端;
下載地址:apacheds-2.0.0-M15-64bit.bin 下載到目錄/home/apacheds/
chmod +x *.bin/etc/init.d/apacheds-2.0.0-M15-default start
2、安裝Apache Directory Studio
本次使用Eclipse插件,詳見 http://directory.apache.org/studio/installation-in-eclipse.html,也支持Eclipse market安裝。
3、連接與配置
切換到Eclipse的LDAP視圖,新建連接
hostname:199.155.122.90 port:10389 encryption method: nocryption (不同加密算法端口注意)
authentication method: simple user:uid=admin,ou=system passwd:secret (默認的最高權限用戶)
OpenConfiguration啓用Access Control,禁用匿名登錄
重啓apacheds服務生效
4、分區設置
系統默認example分區,我們刪除之,並新建,本次創建dc=xxx.com
5、新建ou=users,新建ou=groups。
dn: ou=groups,dc=taotaosou.com
objectClass: organizationalUnit
objectClass: top
ou: groupsdn: ou=users,dc=taotaosou.com
objectClass: organizationalUnit
objectClass: top
ou: users6、根目錄啓用權限控制,添加administrativeRole屬性是關鍵
dn: dc=taotaosou.com
objectclass: domain
objectclass: top
dc: taotaosou.com
administrativeRole: accessControlSpecificArea7、添加匿名讀權限
dn: cn=enableAllUsersRead,dc=taotaosou.com
objectClass: subentry
objectClass: accessControlSubentry
objectClass: top
cn: enableAllUsersRead
prescriptiveACI: { identificationTag "enableAllUsersRead", precedence 0, aut
henticationLevel none, itemOrUserFirst userFirst: { userClasses { allUsers
}, userPermissions { { protectedItems { entry, allUserAttributeTypesAndValu
es }, grantsAndDenials { grantCompare, grantFilterMatch, grantRead, grantRe
turnDN, grantBrowse } } } } }
subtreeSpecification: { }8、添加用戶自己修改資料權限
dn: cn=allowSelfAccessAndModification,dc=taotaosou.com
objectClass: subentry
objectClass: accessControlSubentry
objectClass: top
cn: allowSelfAccessAndModification
prescriptiveACI: { identificationTag "allowSelfAccessAndModification", prece
dence 10, authenticationLevel simple, itemOrUserFirst userFirst: { userClas
ses { thisEntry }, userPermissions { { protectedItems { entry, allUserAttri
buteTypesAndValues }, grantsAndDenials { grantRemove, grantExport, grantCom
pare, grantImport, grantRead, grantFilterMatch, grantModify, grantInvoke, g
rantDiscloseOnError, grantRename, grantReturnDN, grantBrowse, grantAdd } }
} } }
subtreeSpecification: { }9、添加管理員權限
dn: cn=enableAdminSuper,dc=taotaosou.com
objectClass: subentry
objectClass: accessControlSubentry
objectClass: top
cn: enableAdminSuper
prescriptiveACI: { identificationTag "enableAdminSuper", precedence 0, authe
nticationLevel strong, itemOrUserFirst userFirst: { userClasses { userGroup
{ "cn=administrator,ou=gourp,dc=taotaosou.com" } }, userPermissions { { pr
otectedItems { entry, allUserAttributeTypesAndValues }, grantsAndDenials {
grantRemove, grantExport, grantCompare, grantImport, grantRead, grantFilter
Match, grantModify, grantInvoke, grantDiscloseOnError, grantRename, grantRe
turnDN, grantBrowse, grantAdd } } } } }
subtreeSpecification: { }