LDAP中采用了ACL的權限控制。
在/etc/openldap/slapd.conf文件中:#
#?See?slapd.conf(5)?for?details?on?configuration?options.
#?This?file?should?NOT?be?world?readable.
#
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
# Allow LDAPv2 client connections.  This is NOT the default.
allow bind_v2
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Load dynamic backend modules
# - modulepath is architecture dependent value (32/64-bit system)
# - back_sql.la overlay requires openldap-server-sql package
# - dyngroup.la and dynlist.la cannot be used at the same time
#modulepath /usr/lib/openldap
# modulepath /usr/lib64/openldap
# moduleload accesslog.la
# moduleload auditlog.la
# moduleload back_sql.la
# moduleload chain.la
# moduleload collect.la
# moduleload constraint.la
# moduleload dds.la
# moduleload deref.la
# moduleload dyngroup.la
# moduleload dynlist.la
# moduleload memberof.la
# moduleload pbind.la
# moduleload pcache.la
# moduleload ppolicy.la
# moduleload refint.la
# moduleload retcode.la
# moduleload rwm.la
# moduleload seqmod.la
# moduleload smbk5pwd.la
# moduleload sssvlv.la
# moduleload syncprov.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la
# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by running
# /usr/libexec/openldap/generate-server-cert.sh. Your client software may balk
# at self-signed certificates, however.
TLSCACertificatePath /etc/openldap/certs
TLSCertificateFile "OpenLDAP Server"
TLSCertificateKeyFile /etc/openldap/certs/password
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# The access-control directives follow.
access to dn.subtree="ou=People,dc=bawo,dc=cn" attrs=userPassword,shadowLastChange
    by dn="cn=admin,dc=bawo,dc=cn" write
    by self write
    by anonymous auth
    by * read
#access to attrs=uid,uidNumber,gidNumber,memberUid
#    by * read
# if no access controls are present, the default policy
#
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
# enable on-the-fly configuration (cn=config)
database config
access to *
    by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
    by * none
# enable server status monitoring (cn=monitor)
database monitor
access to *
    by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
    by dn.exact="cn=admin,dc=bawo,dc=cn" read
    by * none
#######################################################################
# database definitions
#######################################################################
database bdb
suffix "dc=XX,dc=cn"
checkpoint 1024 15
rootdn "cn=admin,dc=XX,dc=cn"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw 123456
# rootpw {crypt}ijFYNcSNctBYg
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
After adding the directives above, the configuration file must be loaded into the LDAP service:

service slapd stop
rm -rf /etc/openldap/slapd.d/
chown -R ldap:ldap /var/lib/ldap
chown -R ldap:ldap /etc/openldap/
# Test the configuration and generate the slapd.d directory:
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
# If it reports "config file testing succeeded", the configuration is valid.
chown -R ldap:ldap /etc/openldap/slapd.d
service slapd restart
Once this is done, the LDAP access permissions are in place, and users can change their own passwords in phpLDAPadmin.
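As an added example (not code from the original post), here is a small Python model of how slapd evaluates the `access to ... by ...` directive above: the first `access to` whose target DN and attribute match is selected, its first matching `by` clause decides, and anything left unmatched is denied. It uses constructed user DNs, treats `dn=` as an exact match and does not model the rootdn; it shows that `by * read` on userPassword lets any authenticated user read other users' password hashes, and what changes when that clause is `by * none`.

```python
import re
LEVELS = ["none", "auth", "compare", "search", "read", "write", "manage"]  # slapd privilege order
def norm(dn):  # lower-case a DN and strip spaces around commas; None means anonymous
    return None if dn is None else re.sub(r"\s*,\s*", ",", dn.strip().lower())

def parse_acl(text):
    """Parse 'access to <what> by <who> <level>' directives into rules, in file order."""
    acls = []
    for block in re.split(r"^\s*access\s+to\s+", text, flags=re.M)[1:]:
        what, *bys = re.split(r"\s+by\s+", " ".join(block.split()))
        sub = re.search(r'dn\.subtree="([^"]+)"', what)  # only dn.subtree= is modelled
        att = re.search(r"attrs=(\S+)", what)
        acls.append({"subtree": norm(sub.group(1)) if sub else None,
                     "attrs": {a.lower() for a in att.group(1).split(",")} if att else None,
                     "by": [tuple(b.rsplit(" ", 1)) for b in bys]})  # (who, level), in order
    return acls

def who_matches(who, requester, target):
    if who.startswith("dn"):  # dn= and dn.exact= treated as an exact DN match (assumption)
        return norm(who.split("=", 1)[1].strip('"')) == requester
    return {"*": True, "self": requester == target, "anonymous": requester is None,
            "users": requester is not None}.get(who, False)

def allowed(acls, requester, target, attr, need):
    """slapd order: the first <what> that matches wins, then its first matching <by> decides."""
    requester, target = norm(requester), norm(target)
    for rule in acls:
        s = rule["subtree"]
        if s and target != s and not target.endswith("," + s):
            continue
        if rule["attrs"] is not None and attr.lower() not in rule["attrs"]:
            continue
        for who, level in rule["by"]:
            if who_matches(who, requester, target):
                return LEVELS.index(level) >= LEVELS.index(need)
        return False  # <what> matched but no <by> did: implicit "by * none"
    return False      # no directive matched: implicit "access to * by * none"
PAGE_ACL = '''access to dn.subtree="ou=People,dc=bawo,dc=cn" attrs=userPassword,shadowLastChange
    by dn="cn=admin,dc=bawo,dc=cn" write
    by self write
    by anonymous auth
    by * read'''
HARDENED_ACL = PAGE_ACL.replace("by * read", "by * none")  # tightened copy: hashes hidden from other users
ALICE, BOB = "uid=alice,ou=People,dc=bawo,dc=cn", "uid=bob,ou=People,dc=bawo,dc=cn"  # constructed DNs
ADMIN = "cn=admin,dc=bawo,dc=cn"
def check(acl_text):  # outcome of each (requester, need) on alice's userPassword under acl_text
    acls = parse_acl(acl_text)
    cases = {"anon_bind": (None, "auth"), "anon_read": (None, "read"), "self_write": (ALICE, "write"),
             "admin_write": (ADMIN, "write"), "bob_reads_alice_hash": (BOB, "read")}
    return {k: allowed(acls, r, ALICE, "userPassword", n) for k, (r, n) in cases.items()}
```

Call `check(PAGE_ACL)` and `check(HARDENED_ACL)` to compare the two policies; only `bob_reads_alice_hash` differs.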
Other settings can be explored on your own.
Other permission settings for reference