如何设计“正确的” LDAP 架构,以便我可以有选择地针对某些服务进行身份验证?
我正在使用 LDAP,并尝试设置一个 ldap 服务器,该服务器可用于根据以下服务对用户进行身份验证:
- linux 登录(ubuntu)
- ssh 登录
- apache 登录
- 邮件(postfix 和 courier)
- bugzilla
- wiki
- ...
我(认为)我理解 objectClasses 的概念,并且我知道为我的用户设置以下 objectClasses 是有意义的:
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
但是,我如何处理 Web 应用程序?假设我希望用户 A 能够登录 bugzilla,但他不应该能够登录 wiki?或者某些用户应该能够本地登录 Ubuntu,但不允许从远程进行 ssh。我是用对象类还是组成员身份来解决这个问题?
欢迎任何提示和工作示例链接!
I'm playing around with LDAP and I'm trying to setup an ldap server that can be used to authenticate users against the following services:
- linux login (ubuntu)
- ssh login
- apache login
- mail (postfix & courier)
- bugzilla
- wiki
- ...
I (think) I understand the concept of objectClasses and I know that setting the following objectClasses for my users makes sense:
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
However, how do I deal with the web applications? Say I want user A to be able to login into bugzilla, but he shouldn't be able to login to the wiki? Or certain users should be able to login to Ubuntu locally, but are not allowed to ssh from remote. Do I solve this with objectClasses or with Group memberships?
Any hints and links to working examples are welcome!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
看看团体。如果允许用户登录,则将用户添加到适当的组。许多工具可以配置为需要组成员身份才能允许访问。
如果我没记错的话,团体可以有一个成员列表,或者可以添加到个人中。如果您有大型团体,我会将团体成员资格数据添加到个人中。
Look at groups. Add the user to the appropriate group if they are allowed to login. Many tools can be configured to require group membership to allow access.
If I remember right groups can have a list of members, or be added to the individuals. If you have large groups, I would add the group membership data to the individuals.