1. 环境
OpenLDAP 版本:2.4.46
用户数:2
用户列表:user1,user2(ym)
2. 问题现象
curl命令通过ldap查询可以查询到所有用户的密码
curl --user "uid=user1,ou=people,o=emr" "ldap://master-1-1:10389/o=emr??sub"
3. 解决方案
- 查询开源ldap后端指定配置的数据库是什么种类的,BDB, HDB or MDB,数据库种类影响配置文件的修改参数,会导致如下异常:
ldap_modify: No such object (32) matched DN: cn=config
参考:https://serverfault.com/questions/765744/openldap-no-such-object-32。
ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" -LLL -Q "olcDatabase=*" dn
- 编辑此次更改的配置文件
[root@master-1-1(xx) ~]# vim admin.ldif dn: olcDatabase={2}hdb,cn=config changetype: modify replace: olcAccess olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="uid=admin,o=emr" write by anonymous auth by self write by * none olcAccess: {1}to dn.base="" by * read olcAccess: {2}to * by self write by dn="uid=admin,o=emr" write by * read
- 更改ldap配置,命令如下,正常返回截图如下
ldapmodify -Y EXTERNAL -H ldapi:/// -f admin.ldif
- curl查询检查,命令及修改后不可见密码返回如下
curl --user "uid=user1,ou=people,o=emr" "ldap://master-1-1:10389/o=emr??sub"
