首先把我看到的有用的資料留下:
1、官方文檔-基本用戶手冊:http://directory.apache.org/apacheds/basic-user-guide.html 主要介紹了安裝以及基本操作、登錄等。
2、官方文檔-高級用戶手冊:http://directory.apache.org/apacheds/advanced-user-guide.html 介紹了代碼編譯、系統結構、服務配置以及服務權限管理,這里吐槽一下,真的很難懂,并且各種TODO;
3、看起來像官方的文檔:http://joacim.breiler.com/apacheds/book.html 介紹得很詳盡,例子也很豐富。
4、訪問控制實例 FR20_ApacheDS_Access_Control_Administration_The_X.500_Way.pdf
=============================================================================================================
常用的名詞解析:
DIT Directory Information Tree
AA administrative areas
AP administrative points
AAA autonomous administrative area 有自治權的管理區域,所有的實體均統一管理
SAA specific administrative area 特定管理區域
IAA inner administrative area 內部管理區域
SAP specific administrative point
ACI Access Control Information
Usually an entry is selected as the administrative point and marked with an operational attribute. The attributeType of the operational attribute is 'administrativeRole'.
通過添加一個可選屬性來使一個實體成為管理點
ACSA access control specific area
=================================================================================================================
實戰演練
需求:
1、LDAP超級管理員,管理LDAP上的所有數據;
2、匿名用戶可以查看用戶信息;
3、用戶分為開發、測試和運維三組;
4、通過用戶組授權
操作指南:
1、安裝ApacheDS服務端;
下載地址:apacheds-2.0.0-M15-64bit.bin 下載到目錄/home/apacheds/
- /etc/init.d/apacheds-2.0.0-M15-default start
2、安裝Apache Directory Studio
本次使用Eclipse插件,詳見 http://directory.apache.org/studio/installation-in-eclipse.html,也支持Eclipse market安裝。
3、連接與配置
切換到Eclipse的LDAP視圖,新建連接
hostname:199.155.122.90 port:10389 encryption method: nocryption (不同加密算法端口注意)
authentication method: simple user:uid=admin,ou=system passwd:secret (默認的最高權限用戶)
OpenConfiguration啟用Access Control,禁用匿名登錄
重啟apacheds服務生效
4、分區設置
系統默認example分區,我們刪除之,并新建,本次創建dc=xxx.com
5、新建ou=users,新建ou=groups。
- dn: ou=groups,dc=taotaosou.com
- objectClass: organizationalUnit
- objectClass: top
- ou: groups
- dn: ou=users,dc=taotaosou.com
- objectClass: organizationalUnit
- objectClass: top
- ou: users
- dn: dc=taotaosou.com
- objectclass: domain
- objectclass: top
- dc: taotaosou.com
- administrativeRole: accessControlSpecificArea
- dn: cn=enableAllUsersRead,dc=taotaosou.com
- objectClass: subentry
- objectClass: accessControlSubentry
- objectClass: top
- cn: enableAllUsersRead
- prescriptiveACI: { identificationTag "enableAllUsersRead", precedence 0, aut
- henticationLevel none, itemOrUserFirst userFirst: { userClasses { allUsers
- }, userPermissions { { protectedItems { entry, allUserAttributeTypesAndValu
- es }, grantsAndDenials { grantCompare, grantFilterMatch, grantRead, grantRe
- turnDN, grantBrowse } } } } }
- subtreeSpecification: { }
- dn: cn=allowSelfAccessAndModification,dc=taotaosou.com
- objectClass: subentry
- objectClass: accessControlSubentry
- objectClass: top
- cn: allowSelfAccessAndModification
- prescriptiveACI: { identificationTag "allowSelfAccessAndModification", prece
- dence 10, authenticationLevel simple, itemOrUserFirst userFirst: { userClas
- ses { thisEntry }, userPermissions { { protectedItems { entry, allUserAttri
- buteTypesAndValues }, grantsAndDenials { grantRemove, grantExport, grantCom
- pare, grantImport, grantRead, grantFilterMatch, grantModify, grantInvoke, g
- rantDiscloseOnError, grantRename, grantReturnDN, grantBrowse, grantAdd } }
- } } }
- subtreeSpecification: { }
- dn: cn=enableAdminSuper,dc=taotaosou.com
- objectClass: subentry
- objectClass: accessControlSubentry
- objectClass: top
- cn: enableAdminSuper
- prescriptiveACI: { identificationTag "enableAdminSuper", precedence 0, authe
- nticationLevel strong, itemOrUserFirst userFirst: { userClasses { userGroup
- { "cn=administrator,ou=gourp,dc=taotaosou.com" } }, userPermissions { { pr
- otectedItems { entry, allUserAttributeTypesAndValues }, grantsAndDenials {
- grantRemove, grantExport, grantCompare, grantImport, grantRead, grantFilter
- Match, grantModify, grantInvoke, grantDiscloseOnError, grantRename, grantRe
- turnDN, grantBrowse, grantAdd } } } } }
- subtreeSpecification: { }
http://blog.csdn.net/lansine2005/article/details/19978411