英文:
Learning LDAP with OpenLDAP - where is the cn=admin in dc=example,dc=org?
问题
我正在尝试学习使用 osixia 的 Docker 镜像学习 LDAP 与 OpenLDAP。我已经启动了这个镜像,并且可以使用命令行、Apache 目录工作室或 phpldapadmin 连接到它。然而,我感到非常困惑。
在进行身份验证时,我的绑定 ID 是 cn=admin 在 dc=example,dc=org,密码是 admin。我已经检查过,其他密码都不匹配。但是我在树中找不到任何 admin!在 dc=example,dc=org 中搜索 cn=admin 也没有结果。
这怎么可能呢?管理员密码实际上存储在哪里呢?...
就像当我使用 uid=admin,ou=system 登录 Apache Directory 时,我在 ou=system 中看到了 uid=admin 并且可以更改其密码。但是在这里它不存在,尽管我可以用它登录?
英文:
I am trying to learn LDAP with OpenLDAP, using osixia's docker image. I've started the image, and am able to connect to it using cli or Apache directory studio or phpldapadmin. However, I'm very confused.
When authenticating, my bind id is cn=admin in dc=example,dc=org and password is admin. I've checked, other passwords don't match. But I don't see any admin in the tree! and searching for cn=admin in dc=example,dc=org gives no result.
How can this be possible? Where is the admin password actually stored?...
Like, when I log into Apache Directory using uid=admin,ou=system, I see the uid=admin in ou=system and can change its password. But here its not present, even though I can use it to log in?
答案1
得分: 1
初始的OpenLDAP管理员帐户在您的OpenLDAP服务器配置中被定义为**rootDN
,这使它有点特殊 - 除了始终具有根(超级用户)特权外,rootDN
不需要作为数据库中的实际条目存在,如果是这样,其密码哈希将存储在相同的DB配置条目中的rootPW
**中。(事实上,这是您将如何_创建_初始数据库条目,因为它一开始是完全空的 - 除非您使用'slapadd'直接更新DB文件。)
如果您的服务器使用基于LDAP的配置,每个数据库的rootDN
和其密码将在相应的cn=config
下的olcDatabase条目中定义。对于基于文件的配置,它们在slapd.conf
中定义。
(请注意,cn=config
是一个单独的分区,可能配置有不同的rootDN
;或者它可以预配置为仅允许基于UID的ldapsearch -Y EXTERNAL
,就像MySQL在这些天里一样工作。)
英文:
The initial OpenLDAP admin account is defined as a rootDN
in your OpenLDAP server's configuration, which makes it somewhat special – aside from always having root (superuser) privileges, the rootDN is not required to exist as a real entry in the database at all, in which case its password hash will be stored in rootPW
in the same DB configuration entry. (Indeed that's how you would create the initial database entries, as it starts off completely empty – unless you use 'slapadd' to directly update the DB files.)
If your server uses LDAP-based configuration, each database's rootDN and its password will be defined within the corresponding olcDatabase entries under cn=config
. For file-based configuration, they are defined in slapd.conf
.
(Note that cn=config
is a separate partition and may have a different rootDN configured; or it may be pre-configured with an ACL that only allows UID-based ldapsearch -Y EXTERNAL
, much like MySQL works these days.)
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论