- 论坛徽章:
- 0
|
我搭建了一个LDAP的系统,用来实现对几十台linux进行单点登录。
问题1.帐户已经建好了,我没有做访问控制,发现用匿名用户就可以连接上去查看我的LDAP信息,感觉很不安全,不知道怎么写这个access:不允许匿名访问,只允许用rootpw能上。
问题2。我配置了TLS来加密传输,但是服务端或客户端关了加密传输,还是可以正常使用。怎么样才能看得出是用了加密的还是未加密的呢?我从日志里看了一下,是有一个“TLS established tls_ssf=256 ssf=256”的记录区别,但是感觉还是不可靠,不知道大家有没有更好的方法?
我的slapd.conf:
[root@linux4 openldap]# more etc/openldap/slapd.conf |grep -v "^#"|more -s
include /usr/local/openldap/etc/openldap/schema/core.schema
include /usr/local/openldap/etc/openldap/schema/cosine.schema
include /usr/local/openldap/etc/openldap/schema/inetorgperson.schema
include /usr/local/openldap/etc/openldap/schema/dyngroup.schema
include /usr/local/openldap/etc/openldap/schema/misc.schema
include /usr/local/openldap/etc/openldap/schema/openldap.schema
include /usr/local/openldap/etc/openldap/schema/nis.schema
include /usr/local/openldap/etc/openldap/schema/ppolicy.schema
pidfile /usr/local/openldap/var/run/slapd.pid
argsfile /usr/local/openldap/var/run/slapd.args
access to *
by self write
by * auth
loglevel 256
database bdb
suffix "dc=home,dc=com"
rootdn "cn=root,dc=home,dc=com"
rootpw secret
directory /usr/local/openldap/var/openldap-data
index objectClass eq
[root@linux4 openldap] |
我的ldif文件:
[root@linux4 openldap]# more ldap.ldif
# extended LDIF
#
# LDAPv3
# base <dc=home,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# home.com 建立根目录
dn: dc=home,dc=com
objectClass: dcObject
objectClass: organization
o: home.Inc
dc: home
# group, home.com 建立用户组OU
dn: ou=group,dc=home,dc=com
objectClass: organizationalUnit
ou: group
# user, home.com 建立用户OU:
dn: ou=user,dc=home,dc=com
objectClass: organizationalUnit
ou: user
# zuhao, Group, home.com 建立用户组
dn: cn=zuhao,ou=Group,dc=home,dc=com
objectClass: posixGroup
objectClass: top
cn: zuhao
userPassword:: e2NyeXB0fXg=
gidNumber: 504
# hao, user, home.com建立用户帐户
dn: uid=hao,ou=user,dc=home,dc=com
uid: hao
cn: hao
objectClass: account
objectClass: posixAccount
objectClass: top
#objectClass: shadowAccount
#shadowLastChange: 14090
#shadowMax: 99999
#shadowWarning: 7
loginShell: /bin/bash
uidNumber: 504
gidNumber: 504
homeDirectory: /home
userPassword:: e1NIQX0wRXhJbFdNS1RyVk80NFZmRGhPZEZHK083bkk9
[root@linux4 openldap] |
[ 本帖最后由 haoy 于 2008-8-10 17:32 编辑 ] |
|