Help with ACL to allow member of groupOfNames to read their entry
I am using OpenLDAP 2.4.23 on CentOS 6 and trying to set up ACLs to allow simpleSecurityObjects who are members of a groupOfNames to read their entry (but not write) and ideally not see other member attributes in that same groupOfNames. These simpleSecurityObjects exist in various OUs and reside in the same OU as the groupOfNames that they require access to.
I'm using the memberOf overlay to maintain memberOf attributes within each simpleSecurityObject (which works well).
Sample simpleSecurityObject and groupOfNames:
dn: uid=josh,ou=first string,dc=example,dc=com
objectClass: account
objectClass: simpleSecurityObject
objectClass: top
uid: josh
dn: cn=group1,ou=first string,dc=example,dc=com
objectClass: groupOfNames
cn: group1
member: uid=josh,ou=first string,dc=example,dc=com
Here is what I have so far for ACLs:
dn: olcDatabase={1}bdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword
 by anonymous auth
 by self write
 by group.exact="cn=ol-admins,ou=groups,dc=example,dc=com" write
 by * none
-
add: olcAccess
olcAccess: {1}to dn.subtree="ou=power users,dc=example,dc=com"
 by anonymous auth
 by self write
 by group.exact="cn=ol-admins,ou=groups,dc=example,dc=com" write
 by dn.exact="uid=power users admin,ou=service accounts,dc=example,dc=com" write
 by dn.exact="uid=power users readonly,ou=service accounts,dc=example,dc=com" read
 by dn.exact="uid=global-ro,ou=service accounts,dc=example,dc=com" read
 by users search
 by * none
-
add: olcAccess
olcAccess: {2}to dn.subtree="ou=third string,dc=example,dc=com"
 by self write
 by anonymous auth
 by group.exact="cn=ol-admins,ou=groups,dc=example,dc=com" write
 by dn.exact="uid=third string admin,ou=service accounts,dc=example,dc=com" write
 by dn.exact="uid=third string readonly,ou=service accounts,dc=example,dc=com" read
 by dn.exact="uid=global-ro,ou=service accounts,dc=example,dc=com" read
 by users search
 by * none
-
add: olcAccess
olcAccess: {3}to dn.subtree="ou=second string,dc=example,dc=com"
 by self write
 by anonymous auth
 by group.exact="cn=ol-admins,ou=groups,dc=example,dc=com" write
 by dn.exact="uid=second string admin,ou=service accounts,dc=example,dc=com" write
 by dn.exact="uid=second string readonly,ou=service accounts,dc=example,dc=com" read
 by dn.exact="uid=global-ro,ou=service accounts,dc=example,dc=com" read
 by users search
 by * none
-
add: olcAccess
olcAccess: {4}to dn.subtree="ou=first string,dc=example,dc=com"
 by self write
 by anonymous auth
 by group.exact="cn=ol-admins,ou=groups,dc=example,dc=com" write
 by dn.exact="uid=first string admin,ou=service accounts,dc=example,dc=com" write
 by dn.exact="uid=first string readonly,ou=service accounts,dc=example,dc=com" read
 by dn.exact="uid=global-ro,ou=service accounts,dc=example,dc=com" read
 by users search
 by * none
-
add: olcAccess
olcAccess: {5}to dn.subtree="ou=fourth string,dc=example,dc=com"
 by self write
 by anonymous auth
 by group.exact="cn=ol-admins,ou=groups,dc=example,dc=com" write
 by dn.exact="uid=fourth string admin,ou=service accounts,dc=example,dc=com" write
 by dn.exact="uid=fourth string readonly,ou=service accounts,dc=example,dc=com" read
 by dn.exact="uid=global-ro,ou=service accounts,dc=example,dc=com" read
 by users search
 by * none
-
add: olcAccess
olcAccess: {6}to *
 by self write
 by anonymous auth
 by group.exact="cn=ol-admins,ou=groups,dc=example,dc=com" write
 by dn.exact="uid=global-ro,ou=service accounts,dc=example,dc=com" read
 by dn.exact="uid=readonly,ou=people,dc=example,dc=com" read
 by * none
I've tried placing the following ACL in various places in the list and it has failed to work each time:
(re: http://www.openldap.org/doc/admin24/access-control.html)
olcAccess: to attrs=member,entry
 by dnattr=member selfwrite
 by group.exact="cn=ol-admins,ou=groups,dc=example,dc=com" write
 by dn.exact="uid=global-ro,ou=service accounts,dc=example,dc=com" read
 by dn.exact="uid=readonly,ou=people,dc=example,dc=com" read
 by * none
Any assistance would be greatly appreciated.
Thanks,
Josh
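An added illustration, not part of Josh's post or a configuration from the thread: slapd uses the first "to" clause whose entry and attributes match and ignores every later one, so the {4} "ou=first string" subtree rule already claims cn=group1 and leaves a member only "by users search" on it; a rule appended after {4} is never consulted. The LDIF below (an assumption of this edit, using the group and service-account DNs from the post) inserts a rule ahead of {4} that grants read on groupOfNames entries to any DN listed in their member attribute; it does not hide the other members' values, and user entries in the OU keep falling through to the existing {4} rule because of the objectClass filter.

```ldif
# Added example: insert a groupOfNames rule at index {4}; the existing
# {4}..{6} values are renumbered to {5}..{7} by cn=config automatically.
dn: olcDatabase={1}bdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {4}to dn.subtree="ou=first string,dc=example,dc=com"
 filter="(objectClass=groupOfNames)"
 by dnattr=member read
 by group.exact="cn=ol-admins,ou=groups,dc=example,dc=com" write
 by dn.exact="uid=first string admin,ou=service accounts,dc=example,dc=com" write
 by dn.exact="uid=first string readonly,ou=service accounts,dc=example,dc=com" read
 by dn.exact="uid=global-ro,ou=service accounts,dc=example,dc=com" read
 by users search
 by * none

# Check the result offline on the server with slapacl (no bind needed),
# once for a DN listed in member and once for one that is not;
# expect ALLOWED for the member and DENIED for the non-member:
#   slapacl -F /etc/openldap/slapd.d \
#     -D "uid=josh,ou=first string,dc=example,dc=com" \
#     -b "cn=group1,ou=first string,dc=example,dc=com" member/read
```

Running slapacl with -v prints the rule that produced the decision, which is the quickest way to see which "to" clause actually won.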