首先把我看到的有用的资料留下:
1、官方文档-基本用户手册:http://directory.apache.org/apacheds/basic-user-guide.html 主要介绍了安装以及基本操作、登录等。
2、官方文档-高级用户手册:http://directory.apache.org/apacheds/advanced-user-guide.html 介绍了代码编译、系统结构、服务配置以及服务权限管理,这里吐槽一下,真的很难懂,并且各种TODO;
3、看起来像官方的文档:http://joacim.breiler.com/apacheds/book.html 介绍得很详尽,例子也很丰富。
4、访问控制实例 FR20_ApacheDS_Access_Control_Administration_The_X.500_Way.pdf
=============================================================================================================
常用的名词解析:
DIT Directory Information Tree
AA administrative areas
AP administrative points
AAA autonomous administrative area 有自治权的管理区域,所有的实体均统一管理
SAA specific administrative area 特定管理区域
IAA inner administrative area 内部管理区域
SAP specific administrative point
ACI Access Control Information
Usually an entry is selected as the administrative point and marked with an operational attribute. The attributeType of the operational attribute is 'administrativeRole'.
通过添加一个可选属性来使一个实体成为管理点
ACSA access control specific area
=================================================================================================================
实战演练
需求:
1、LDAP超级管理员,管理LDAP上的所有数据;
2、匿名用户可以查看用户信息;
3、用户分为开发、测试和运维三组;
4、通过用户组授权
操作指南:
1、安装ApacheDS服务端;
下载地址:apacheds-2.0.0-M15-64bit.bin 下载到目录/home/apacheds/
- /etc/init.d/apacheds-2.0.0-M15-default start
这样就完成了ApacheDS的安装与启动2、安装Apache Directory Studio
本次使用Eclipse插件,详见 http://directory.apache.org/studio/installation-in-eclipse.html,也支持Eclipse market安装。
3、连接与配置
切换到Eclipse的LDAP视图,新建连接
hostname:199.155.122.90 port:10389 encryption method: nocryption (不同加密算法端口注意)
authentication method: simple user:uid=admin,ou=system passwd:secret (默认的最高权限用户)
OpenConfiguration启用Access Control,禁用匿名登录
重启apacheds服务生效
4、分区设置
系统默认example分区,我们删除之,并新建,本次创建dc=xxx.com
5、新建ou=users,新建ou=groups。
- dn: ou=groups,dc=taotaosou.com
- objectClass: organizationalUnit
- objectClass: top
- ou: groups
- dn: ou=users,dc=taotaosou.com
- objectClass: organizationalUnit
- objectClass: top
- ou: users
6、根目录启用权限控制,添加administrativeRole属性是关键- dn: dc=taotaosou.com
- objectclass: domain
- objectclass: top
- dc: taotaosou.com
- administrativeRole: accessControlSpecificArea
7、添加匿名读权限- dn: cn=enableAllUsersRead,dc=taotaosou.com
- objectClass: subentry
- objectClass: accessControlSubentry
- objectClass: top
- cn: enableAllUsersRead
- prescriptiveACI: { identificationTag "enableAllUsersRead", precedence 0, aut
- henticationLevel none, itemOrUserFirst userFirst: { userClasses { allUsers
- }, userPermissions { { protectedItems { entry, allUserAttributeTypesAndValu
- es }, grantsAndDenials { grantCompare, grantFilterMatch, grantRead, grantRe
- turnDN, grantBrowse } } } } }
- subtreeSpecification: { }
8、添加用户自己修改资料权限- dn: cn=allowSelfAccessAndModification,dc=taotaosou.com
- objectClass: subentry
- objectClass: accessControlSubentry
- objectClass: top
- cn: allowSelfAccessAndModification
- prescriptiveACI: { identificationTag "allowSelfAccessAndModification", prece
- dence 10, authenticationLevel simple, itemOrUserFirst userFirst: { userClas
- ses { thisEntry }, userPermissions { { protectedItems { entry, allUserAttri
- buteTypesAndValues }, grantsAndDenials { grantRemove, grantExport, grantCom
- pare, grantImport, grantRead, grantFilterMatch, grantModify, grantInvoke, g
- rantDiscloseOnError, grantRename, grantReturnDN, grantBrowse, grantAdd } }
- } } }
- subtreeSpecification: { }
9、添加管理员权限- dn: cn=enableAdminSuper,dc=taotaosou.com
- objectClass: subentry
- objectClass: accessControlSubentry
- objectClass: top
- cn: enableAdminSuper
- prescriptiveACI: { identificationTag "enableAdminSuper", precedence 0, authe
- nticationLevel strong, itemOrUserFirst userFirst: { userClasses { userGroup
- { "cn=administrator,ou=gourp,dc=taotaosou.com" } }, userPermissions { { pr
- otectedItems { entry, allUserAttributeTypesAndValues }, grantsAndDenials {
- grantRemove, grantExport, grantCompare, grantImport, grantRead, grantFilter
- Match, grantModify, grantInvoke, grantDiscloseOnError, grantRename, grantRe
- turnDN, grantBrowse, grantAdd } } } } }
- subtreeSpecification: { }
http://blog.csdn.net/lansine2005/article/details/19978411