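Adding users to LDAP via a Java application causes a group search

I have a Spring application that adds users to slapd. The users are added and associated with a group. The application is modular, and different modules have the ability to create a user and add it to slapd. The original developers did not take the group into account, and two of the modules would create users who could not log in to the third module. Once I corrected this, I see a search on slapd across all DNs in the group: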
conn=1020 op=1 SRCH base="ou=groups,dc=example,dc=com" scope=1 deref=3 filter="(member=uid=hack-a-tack,ou=users,dc=example,dc=com)"
This search then iterates over every user in the group, not just the one in the filter.
Jun 12 10:07:16 cm-coret1 slapd[8145]: conn=1020 op=1 SRCH base="ou=groups,dc=example,dc=com" scope=1 deref=3 filter="(member=uid=hack-a-tack,ou=users,dc=example,dc=com)"
Jun 12 10:07:16 cm-coret1 slapd[8145]: conn=1020 op=1 SRCH attr=cn
Jun 12 10:07:16 cm-coret1 slapd[8145]: => access_allowed: search access to "ou=groups,dc=example,dc=com" "entry" requested
Jun 12 10:07:16 cm-coret1 slapd[8145]: => dn: [2] ou=users,dc=example,dc=com
Jun 12 10:07:16 cm-coret1 slapd[8145]: => acl_get: [3] attr entry
Jun 12 10:07:16 cm-coret1 slapd[8145]: => acl_mask: access to entry "ou=groups,dc=example,dc=com", attr "entry" requested
Jun 12 10:07:16 cm-coret1 slapd[8145]: => acl_mask: to all values by "cn=manager,ou=users,dc=example,dc=com", (=0)
Jun 12 10:07:16 cm-coret1 slapd[8145]: <= check a_dn_pat: cn=admin,dc=example,dc=com
Jun 12 10:07:16 cm-coret1 slapd[8145]: <= check a_dn_pat: cn=manager,ou=users,dc=example,dc=com
Jun 12 10:07:16 cm-coret1 slapd[8145]: <= acl_mask: [2] applying write(=wrscxd) (stop)
Jun 12 10:07:16 cm-coret1 slapd[8145]: <= acl_mask: [2] mask: write(=wrscxd)
Jun 12 10:07:16 cm-coret1 slapd[8145]: => slap_access_allowed: search access granted by write(=wrscxd)
Jun 12 10:07:16 cm-coret1 slapd[8145]: => access_allowed: search access granted by write(=wrscxd)
Jun 12 10:07:16 cm-coret1 slapd[8145]: => bdb_filter_candidates
Jun 12 10:07:16 cm-coret1 slapd[8145]: #011EQUALITY
Jun 12 10:07:16 cm-coret1 slapd[8145]: bdb_idl_fetch_key: [01872a84]
Jun 12 10:07:16 cm-coret1 slapd[8145]: <= bdb_filter_candidates: id=0 first=0 last=0
Jun 12 10:07:16 cm-coret1 slapd[8145]: bdb_idl_fetch_key: %ou=groups,dc=example,dc=com
Jun 12 10:07:16 cm-coret1 slapd[8145]: => bdb_filter_candidates
Jun 12 10:07:16 cm-coret1 slapd[8145]: #011AND
Jun 12 10:07:16 cm-coret1 slapd[8145]: => bdb_list_candidates 0xa0
Jun 12 10:07:16 cm-coret1 slapd[8145]: => bdb_filter_candidates
Jun 12 10:07:16 cm-coret1 slapd[8145]: #011EQUALITY
Jun 12 10:07:16 cm-coret1 slapd[8145]: bdb_idl_fetch_key: [757973d2]
Jun 12 10:07:16 cm-coret1 slapd[8145]: <= bdb_filter_candidates: id=1 first=6 last=6
Jun 12 10:07:16 cm-coret1 slapd[8145]: <= bdb_list_candidates: id=1 first=6 last=6
Jun 12 10:07:16 cm-coret1 slapd[8145]: <= bdb_filter_candidates: id=1 first=6 last=6
Jun 12 10:07:16 cm-coret1 slapd[8145]: => test_filter
Jun 12 10:07:16 cm-coret1 slapd[8145]: EQUALITY
Jun 12 10:07:16 cm-coret1 slapd[8145]: => access_allowed: search access to "cn=USER,ou=groups,dc=example,dc=com" "member" requested
Jun 12 10:07:16 cm-coret1 slapd[8145]: => dn: [2] ou=users,dc=example,dc=com
Jun 12 10:07:16 cm-coret1 slapd[8145]: => acl_get: [3] attr member
Jun 12 10:07:16 cm-coret1 slapd[8145]: => acl_mask: access to entry "cn=USER,ou=groups,dc=example,dc=com", attr "member" requested
Jun 12 10:07:16 cm-coret1 slapd[8145]: => acl_mask: to value by "cn=manager,ou=users,dc=example,dc=com", (=0)
Jun 12 10:07:16 cm-coret1 slapd[8145]: <= check a_dn_pat: cn=admin,dc=example,dc=com
Jun 12 10:07:16 cm-coret1 slapd[8145]: <= check a_dn_pat: cn=manager,ou=users,dc=example,dc=com
Jun 12 10:07:16 cm-coret1 slapd[8145]: <= acl_mask: [2] applying write(=wrscxd) (stop)
Jun 12 10:07:16 cm-coret1 slapd[8145]: <= acl_mask: [2] mask: write(=wrscxd)
Jun 12 10:07:16 cm-coret1 slapd[8145]: => slap_access_allowed: search access granted by write(=wrscxd)
Jun 12 10:07:16 cm-coret1 slapd[8145]: => access_allowed: search access granted by write(=wrscxd)
Jun 12 10:07:16 cm-coret1 slapd[8145]: dnMatch -3#012#011"uid=redients,ou=users,dc=example,dc=com"#012#011"uid=hack-a-tack,ou=users,dc=example,dc=com"
........> just continues to loop after this
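It then blocks all other connections attempting any kind of search or update. Does anyone know if I can configure SLAPD.conf to release this search?
Yes, I meant stop. – peekay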
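
As an added example (not part of the original question), this script counts how many stored `member` values slapd compared for each group search, using the `dnMatch` trace lines shown in the log above. It assumes syslog's `#012#011` escaping as on this page and attributes each `dnMatch` line to the most recent `SRCH` line, which is exact only when one search runs at a time; the sample log and the function names are constructed.

```python
import re

# Constructed sample, in the same shape as the slapd log lines on this page.
SAMPLE_LOG = r'''
Jun 12 10:07:16 host slapd[8145]: conn=1020 op=1 SRCH base="ou=groups,dc=example,dc=com" scope=1 deref=3 filter="(member=uid=hack-a-tack,ou=users,dc=example,dc=com)"
Jun 12 10:07:16 host slapd[8145]: conn=1020 op=1 SRCH attr=cn
Jun 12 10:07:16 host slapd[8145]: dnMatch -3#012#011"uid=redients,ou=users,dc=example,dc=com"#012#011"uid=hack-a-tack,ou=users,dc=example,dc=com"
Jun 12 10:07:16 host slapd[8145]: dnMatch 6#012#011"uid=longer-sample-uid,ou=users,dc=example,dc=com"#012#011"uid=hack-a-tack,ou=users,dc=example,dc=com"
Jun 12 10:07:16 host slapd[8145]: dnMatch 0#012#011"uid=hack-a-tack,ou=users,dc=example,dc=com"#012#011"uid=hack-a-tack,ou=users,dc=example,dc=com"
'''

# Start of a search operation: connection id, operation id, base and filter.
SRCH = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)".*filter="(.*)"\s*$')
# One DN comparison: result code, stored value, asserted (filter) value.
DNMATCH = re.compile(r'dnMatch (-?\d+)#012#011"([^"]*)"#012#011"([^"]*)"')


def summarize(lines):
    """Return {(conn, op): stats} with the number of DN comparisons per search."""
    stats, current = {}, None
    for line in lines:
        m = SRCH.search(line)
        if m:
            current = (int(m.group(1)), int(m.group(2)))
            stats[current] = {"base": m.group(3), "filter": m.group(4),
                              "comparisons": 0, "matches": 0}
            continue
        m = DNMATCH.search(line)
        if m and current is not None:
            # Assumption: this comparison belongs to the most recent SRCH line.
            stats[current]["comparisons"] += 1
            if int(m.group(1)) == 0:  # 0 means stored value equals asserted value
                stats[current]["matches"] += 1
    return stats


def heavy_searches(stats, threshold):
    """Return the (conn, op) pairs that made more than `threshold` comparisons."""
    return sorted(k for k, v in stats.items() if v["comparisons"] > threshold)


if __name__ == "__main__":
    for (conn, op), s in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"conn={conn} op={op} filter={s['filter']} "
              f"comparisons={s['comparisons']} matches={s['matches']}")
```
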