ldap/sldap
给新建的账户赋权限也是通过修改配置文件/etc/openldap/slapd.conf来实现,具体的增加的内容如下:
如上面示例中就定义了两个用户,一个是只读用户cn=bbs,dc=361way,dc=com和一个可写用户cn=bbsadmin,dc=361way,dc=com 以及这两个用户对所列的字段、正则匹配的用户有相应的权限 。
# Personal LDAP address book.
access to dn.regex="cn=[^,]+,mail=([^,]+)@([^,]+),ou=Users,domainName=([^,]+),o=domains,dc=361way,dc=com$"
by anonymous none
by self none
by dn.exact="cn=bbs,dc=361way,dc=com" read
by dn.exact="cn=bbsadmin,dc=361way,dc=com" write
by dn.regex="mail=$1@$2,ou=Users,domainName=$3,o=domains,dc=361way,dc=com$" write
by users none
# Allow users to change their own passwords and mail forwarding addresses.
access to attrs="userPassword,mailForwardingAddress"
by anonymous auth
by self write
by dn.exact="cn=bbs,dc=361way,dc=com" read
by dn.exact="cn=bbsadmin,dc=361way,dc=com" write
by users none
# Allow to read others public info.
access to attrs="cn,sn,gn,givenName,telephoneNumber"
by anonymous auth
by self write
by dn.exact="cn=bbs,dc=361way,dc=com" read
by dn.exact="cn=bbsadmin,dc=361way,dc=com" write
by users read