slapd-meta
by Fr3ddie
Hello to the list,
I'm trying to configure the slapd-meta OpenLDAP backend on an online
cn=config
configuration with no luck. Slapd version is 2.4.39 (the maximum I can
achieve on the target machines building from vanilla source).
The documentation is clear but too concise for me so I will try to explain
what I'm trying to do to see if there is anybody that can help me.
Currently I have 3 slapd servers that share a common root for the DIT, i.e.:
dc=loc1,dc=root
dc=loc2,dc=root
dc=loc3,dc=root
What I would like to achieve is to obtain a fourth server that contains
the previous trees, along with its own tree, i.e. a server that contains:
dc=loc0,dc=root (locally hosted data)
dc=loc1,dc=root (coming from the first server, chasing referrals)
dc=loc2,dc=root (coming from the second server, chasing referrals)
dc=loc3,dc=root (coming from the third server, chasing referrals)
this way, all the clients connecting to this server will be able to
retrieve data also from the other three remote servers.
As far as I understood, I only need to configure the "loc0" server to access
the other three servers and get the data to serve to clients.
I have already configured the fourth server with its local DIT and this is
the configuration:
# cat 'cn=config.ldif'
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcPidFile: /var/run/slapd/slapd.pid
structuralObjectClass: olcGlobal
creatorsName: cn=config
olcServerID: 1
olcThreads: 32
olcToolThreads: 8
olcRequires: LDAPv3
olcConnMaxPendingAuth: 100
olcTLSCACertificateFile: /etc/ssl/certs/my_ca_cert.pem
olcTLSCertificateFile: /etc/ssl/certs/this-host_x509_cert.pem
olcTLSCertificateKeyFile: /etc/ssl/private/this-host_x509_key.key
olcTLSVerifyClient: try
olcTimeLimit: 600
olcLogLevel: stats2 sync
[...]
# cat 'cn=module{0}.ldif'
dn: cn=module{0}
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_hdb
olcModuleLoad: {1}syncprov
olcModuleLoad: {2}accesslog
structuralObjectClass: olcModuleList
[...]
Schema files are the following:
cn={0}core.ldif
cn={1}cosine.ldif
cn={2}nis.ldif
cn={3}inetorgperson.ldif
cn={4}dyngroup.ldif
cn={5}kerberos.ldif
# cat 'olcDatabase={1}hdb.ldif'
dn: olcDatabase={1}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=loc0,dc=root
olcAccess: {0}to attrs=userPassword,shadowLastChange,krbPrincipalKey by dn="cn=admin,dc=loc0,dc=root" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=loc0,dc=root" write by * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=loc0,dc=root
olcRootPW:: xxxxxxxxxxxxxxxxxxxx
olcDbCacheSize: 10000
olcDbCheckpoint: 512 10
olcDbConfig: {0}set_cachesize 0 524288000 1
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbConfig: {4}set_flags DB_LOG_AUTOREMOVE
olcDbIDLcacheSize: 30000
olcDbIndex: default pres,eq
[...]
structuralObjectClass: olcHdbConfig
olcSyncrepl: {0}rid=0 provider=ldap://second-host.loc0.root bindmethod=simple binddn="cn=admin,dc=loc0,dc=root" credentials=xxxxxx searchbase="dc=loc0,dc=root" logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" schemachecking=on type=refreshAndPersist retry="60 +" syncdata=accesslog starttls=yes
olcMirrorMode: TRUE
[...]
On top of this DB I have the "syncprov" and the "accesslog" overlays
configured
(these are two servers in "MirrorMode", configured following the
OpenLDAP admin documentation).
I believe this DB is the one containing the actual "loc0" DIT data...
Then I have the accesslog DB for the replica (with the syncprov overlay
on top):
# cat 'olcDatabase={2}hdb.ldif'
dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap/accesslog
olcSuffix: cn=accesslog
olcRootDN: cn=admin,dc=loc0,dc=root
olcDbConfig: {0}set_cachesize 0 524288000 1
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbConfig: {4}set_flags DB_LOG_AUTOREMOVE
olcDbIndex: default eq
olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart
[...]
On top of this environment I start loading the needed modules with this
LDIF file:
version: 1
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: back_ldap
-
add: olcModuleLoad
olcModuleLoad: back_meta
-
add: olcModuleLoad
olcModuleLoad: rwm
and it seems I'm able to load the new modules without errors
into the configuration, thus I obtain:
# cat 'cn=module{0}.ldif'
dn: cn=module{0}
structuralObjectClass: olcModuleList
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_hdb
olcModuleLoad: {1}syncprov
olcModuleLoad: {2}accesslog
olcModuleLoad: {3}back_ldap
olcModuleLoad: {4}back_meta
olcModuleLoad: {5}rwm
[...]
Now I try to load the slapd-meta directives into a new database using
this LDIF:
version: 1
dn: olcDatabase={3}meta,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMetaConfig
olcDatabase: {3}meta
olcSuffix: dc=root
olcDbURI: "ldap://server-loc1.loc1.root/dc=loc1,dc=root"
olcDbIdAssertBind: bindmethod=simple binddn="cn=admin,dc=loc1,dc=root" credentials=xxxxxx starttls=yes tls_reqcert=demand
olcDbURI: "ldap://server-loc2.loc2.root/dc=loc2,dc=root"
olcDbIdAssertBind: bindmethod=simple binddn="cn=admin,dc=loc2,dc=root" credentials=xxxxxx starttls=yes tls_reqcert=demand
olcDbURI: "ldap://server-loc3.loc3.root/dc=loc3,dc=root"
olcDbIdAssertBind: bindmethod=simple binddn="cn=admin,dc=loc3,dc=root" credentials=xxxxxx starttls=yes tls_reqcert=demand
but I obtain an error that keeps me stuck, trying various combinations without
success:
# ldapadd -Y EXTERNAL -H ldapi:/// -f slapd-META-DB-CREATION.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "olcDatabase={3}meta,cn=config"
ldap_add: Object class violation (65)
additional info: attribute 'olcDbURI' not allowed
and:
# tail /var/log/openldap/slapd.log
Nov 9 19:47:17 server01 slapd[32392]: conn=1025 op=2 ENTRY dn="dc=loc0,dc=root"
Nov 9 19:47:29 server01 slapd[32392]: conn=1052 op=2 INTERM oid=1.3.6.1.4.1.4203.1.9.1.4
Nov 9 19:49:47 server01 slapd[32392]: conn=1327 op=2 ENTRY dn="dc=loc0,dc=root"
Nov 9 19:52:17 server01 slapd[32392]: conn=1628 op=2 ENTRY dn="dc=loc0,dc=root"
Nov 9 19:54:46 server01 slapd[32392]: conn=1929 op=2 ENTRY dn="dc=loc0,dc=root"
Nov 9 19:57:07 server01 slapd[32392]: Entry (olcDatabase={3}meta,cn=config), attribute 'olcDbURI' not allowed
In the slapd-meta documentation the "URI" directive is mentioned, but "DbURI"
seems to raise a "better" error; in fact, if I modify the above LDIF file to
use "URI" I obtain:
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "olcDatabase={3}meta,cn=config"
ldap_add: Undefined attribute type (17)
additional info: olcUri: attribute type undefined
Moreover, it is not stated in the slapd-meta docs that the slapd-ldap
backend is needed by slapd-meta but, anyway, I think it's needed because if
I try to load slapd-meta alone it raises an error (I don't remember exactly
which one).
At this point I'm stuck to this error and I wasn't able to find any hint
on the web to solve this :(
The examples I was able to find were related to the static slapd.conf
configuration; I couldn't find any "full" configuration example using
cn=config.
I'm wondering if I should create a "cn=root" actual DB first and then
link the sub-DITs to it,
or, maybe, add some other overlay... I really can't understand how it
should work :(
Can please anybody help me?
Thank you very much
6 years, 10 months
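The layout the cn=config form of back-meta expects, as an added example written for this page (it is not code from the post or from the OpenLDAP documentation). The olcDatabase entry carries only the meta-wide settings; each remote target is a separate child entry of objectClass olcMetaTargetConfig named olcMetaSub={n}uri, and that child is where olcDbURI and the per-target olcDbIDAssertBind belong. Several olcDbURI values on the olcDatabase={3}meta entry itself, as in the LDIF above, are exactly what the "attribute 'olcDbURI' not allowed" violation reports. Host names, suffixes and bind DNs are the ones from the post; the credentials are placeholders; the per-target olcDbStartTLS line is my addition so that every connection to a target, not only the identity-assertion bind, uses StartTLS with certificate verification. The back-meta cn=config layout is younger than its slapd.conf form, so check the child-entry names against the slapd-meta(5) man page of the installed release before loading this.

```ldif
# Added example (not from the post): back-meta under cn=config, one entry
# for the meta database and one child entry per remote target.
dn: olcDatabase={3}meta,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMetaConfig
olcDatabase: {3}meta
olcSuffix: dc=root

# Target 0 -> dc=loc1,dc=root. olcMetaSub={n}uri is the RDN form back-meta
# uses for its targets; olcDbURI is mandatory here, not on the parent.
dn: olcMetaSub={0}uri,olcDatabase={3}meta,cn=config
objectClass: olcMetaTargetConfig
olcMetaSub: {0}uri
olcDbURI: "ldap://server-loc1.loc1.root/dc=loc1,dc=root"
olcDbStartTLS: start tls_reqcert=demand
olcDbIDAssertBind: bindmethod=simple binddn="cn=admin,dc=loc1,dc=root" credentials=xxxxxx starttls=yes tls_reqcert=demand

# Target 1 -> dc=loc2,dc=root
dn: olcMetaSub={1}uri,olcDatabase={3}meta,cn=config
objectClass: olcMetaTargetConfig
olcMetaSub: {1}uri
olcDbURI: "ldap://server-loc2.loc2.root/dc=loc2,dc=root"
olcDbStartTLS: start tls_reqcert=demand
olcDbIDAssertBind: bindmethod=simple binddn="cn=admin,dc=loc2,dc=root" credentials=xxxxxx starttls=yes tls_reqcert=demand

# Target 2 -> dc=loc3,dc=root
dn: olcMetaSub={2}uri,olcDatabase={3}meta,cn=config
objectClass: olcMetaTargetConfig
olcMetaSub: {2}uri
olcDbURI: "ldap://server-loc3.loc3.root/dc=loc3,dc=root"
olcDbStartTLS: start tls_reqcert=demand
olcDbIDAssertBind: bindmethod=simple binddn="cn=admin,dc=loc3,dc=root" credentials=xxxxxx starttls=yes tls_reqcert=demand
```

Load it with the same `ldapadd -Y EXTERNAL -H ldapi:/// -f` invocation used in the post, then confirm the targets were created with `ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b 'olcDatabase={3}meta,cn=config' '(objectClass=olcMetaTargetConfig)' olcDbURI`. Three things to keep in mind once it loads: slapd routes each operation to the database with the longest matching suffix, so dc=loc0,dc=root stays with {1}hdb while a search based at dc=root goes to back-meta alone and reaches only the three remote targets; olcDbIDAssertBind in its default (legacy) mode asserts the bound client's DN on the remote server with the proxy authorization control, which the remote has to permit through authzTo/authzFrom rules on that binddn, and mode=none makes the proxy bind plainly as the configured identity instead; and the credentials stored here are the remote rootdn passwords sitting in loc0's cn=config, so a dedicated proxy identity with only the rights the clients need is a better choice than cn=admin.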
Virtual list view problem
by Venish Khant
Hi all
I am using cpan Net::LDAP module to access LDAP entries. I want to
search LDAP entries using Net::LDAP search method. When I do search, I
want some limited number of entries from search result, for
this(searching) process I am using Net::LDAP::Control::VLV module. But
I get error on VLV response control. Please, any one have idea about
this error.
Error: Died at vlv.pl line 50,
This is my example. I changed the font style of line 50
#!/usr/bin/perl -w
use strict;
use Net::LDAP;
use Net::LDAP::Control::VLV;
use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE );
use Net::LDAP::Control::Sort;

# Print one entry from the search result, then drop it from the message
# so the whole result set does not accumulate in memory.
sub procentry {
    my ( $mesg, $entry ) = @_;
    # Return if there is no entry to process
    return if !defined($entry);
    print "dn: " . $entry->dn() . "\n";
    foreach my $attr ( $entry->attributes() ) {
        my $values = $entry->get_value( $attr, asref => 1 );
        foreach my $value (@$values) {
            print "$attr: $value\n";
        }
    }
    $mesg->pop_entry;
    print "\n";
}

my $ldap = Net::LDAP->new("localhost") or die "$@";

# Get the first 20 entries
my $vlv = Net::LDAP::Control::VLV->new(
    before  => 0,    # No entries from before target entry
    after   => 19,   # 19 entries after target entry
    content => 0,    # List size unknown
    offset  => 1,    # Target entry is the first
);
my $sort = Net::LDAP::Control::Sort->new( order => 'cn' );
my @args = (
    base     => "dc=example,dc=co,dc=in",
    scope    => "subtree",
    filter   => "(objectClass=inetOrgPerson)",
    callback => \&procentry,          # Call this sub for each entry
    control  => [ $sort, $vlv ],
);

my $mesg = $ldap->search(@args);
# Get VLV response control. This is line 50 of the original script: the
# die fires because the search result carries no VLV response control.
my ($resp) = $mesg->control(LDAP_CONTROL_VLVRESPONSE)
    or die "no VLV response control in result: " . $mesg->error;
$vlv->response($resp);

# Set the control to get the last 20 entries
$vlv->end;
$mesg = $ldap->search(@args);
# Get VLV response control
($resp) = $mesg->control(LDAP_CONTROL_VLVRESPONSE)
    or die "no VLV response control in result: " . $mesg->error;
$vlv->response($resp);

# Now get the previous page
$vlv->scroll_page(-1);
$mesg = $ldap->search(@args);
# Get VLV response control
($resp) = $mesg->control(LDAP_CONTROL_VLVRESPONSE)
    or die "no VLV response control in result: " . $mesg->error;
$vlv->response($resp);

# Now page with first entry starting with "B" in the middle
$vlv->before(9);    # Change page to show 9 before
$vlv->after(10);    # Change page to show 10 after
$vlv->assert("B");  # assert "B"
$mesg = $ldap->search(@args);
# Get VLV response control
($resp) = $mesg->control(LDAP_CONTROL_VLVRESPONSE)
    or die "no VLV response control in result: " . $mesg->error;
$vlv->response($resp);
--
Venish Khant
www.deeproot.co.in
7 years, 3 months
chaining for a single backend?
by Marc Patermann
Hi,
I want to activate chaining for a single backend.
The server is a replication consumer and has a few glued database backends.
Only one is containing linux accounts with ppolicy overlay.
This should use chaining to replicate the ppolicy changes which
otherwise stay local.
Can this be achieved?
Marc
7 years, 7 months
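What the consumer-side configuration for this comes down to, as an added example that is not part of the thread. One detail drives the layout: for a shadow (syncrepl consumer) database, the update referral is produced by the frontend, before the write ever enters that database's overlay stack, so a chain overlay attached to the accounts database alone never sees it. The chain overlay therefore goes on the frontend, and the "single backend" scoping comes from giving only the ppolicy database an olcUpdateRef; databases without one return "shadow context; no update referral" to writers, which they would reject anyway. Names are placeholders: the accounts database is assumed to be olcDatabase={2}hdb with suffix dc=example,dc=com, its existing ppolicy overlay olcOverlay={0}ppolicy, the provider ldap://provider.example.com, cn=chain,dc=example,dc=com a provider-side identity, and the back_ldap module (which carries the chain overlay) loaded.

```ldif
# Added example (not from the thread). Forward ppolicy state changes from a
# consumer to the provider for one database only.

# 1. Only the accounts database gets an update referral.
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcUpdateRef
olcUpdateRef: ldap://provider.example.com

# 2. Make ppolicy route its bind-time updates (pwdFailureTime,
#    pwdAccountLockedTime, ...) through the frontend instead of writing
#    them into the local database, so they hit the referral above.
dn: olcOverlay={0}ppolicy,olcDatabase={2}hdb,cn=config
changetype: modify
add: olcPPolicyForwardUpdates
olcPPolicyForwardUpdates: TRUE

# 3. The chain overlay on the frontend, where the referral is raised.
dn: olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcChainConfig
olcOverlay: {0}chain
olcChainReturnError: TRUE

# 4. One chained target: a back-ldap instance pointed at the provider.
dn: olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: {0}ldap
olcDbURI: "ldap://provider.example.com"
olcDbStartTLS: start tls_reqcert=demand
olcDbIDAssertBind: bindmethod=simple binddn="cn=chain,dc=example,dc=com" credentials=placeholder mode=none starttls=critical
```

olcChainReturnError makes the client see the provider's result instead of the referral, so a failed chained write surfaces as an error rather than as a referral the client may silently ignore. mode=none performs every chained write as cn=chain; that identity needs `manage` access to the pwd* operational attributes on the provider, because slapo-ppolicy issues the forwarded modify with the Relax Rules control and those attributes are NO-USER-MODIFICATION. With mode=self the chain would instead assert each originating DN through proxy authorization, which needs authzTo/authzFrom rules on the provider, and ppolicy's own updates are issued as the consumer's rootdn, so that DN would have to be authorized too. To check the result, bind to the consumer with a wrong password for a test account and confirm pwdFailureTime appears on the provider's copy of the entry.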
LMBD questions (stat & copy)
by Bruno Freudensprung
Hi,
I am trying to detect MDB_MAP_FULL based on mdb_stat(txn, dbi, &stat) results and I am wondering if I am on the right track or doing things correctly.
I have a small and simple test program (http://pastebin.com/SPCYgWMC) exhibiting the following behavior (consistent between Windows 7 64-bit and Ubuntu 15.10 64-bit - latest version of lmdb cloned and recompiled on Linux):
* Inserting 20990 key/value pairs in a database is OK when using one transaction. Just before committing the write transaction, mdb_stat(txn, dbi, &stat) shows that the total number of pages (253) is very close to the number of pages of the map (256). Indeed, adding another entry leads to MDB_MAP_FULL. To put it shortly, this scenario looks OK (I am assuming there might be 3 "internal-purpose" pages not shown by mdb_stat) and can be tested by setting the stat_test variable to 0 at line 20 of the test program.
* Inserting the same 20990 key/value pairs in a database fails (MDB_MAP_FULL encountered at 19357) when using two consecutive write transactions. Just before MDB_MAP_FULL, mdb_stat(txn, dbi, &stat) shows that the total number of pages (232) is "quite far" from the number of pages of the map (256), leading my MDB_MAP_FULL detection heuristic to fail. It means that only 92% of the total amount of data can be successfully added to the database. Other scenarios (with the same key/value lengths though) stop at 85% only. This can be tested by setting the stat_test variable to 1 (line 20).
By "total number of pages" I mean ms_branch_pages + ms_leaf_pages + ms_overflow_pages.
Do you think I am on a wrong track? (maybe mdb_stat does not show 24 "internal-purpose" pages in the second case? or I am forgetting something?).
One last remark: it seems that mdb_env_copy(db, copy_dir) is possible during a write transaction on Windows (like stated in the documentation), but not on Linux (the test program seems to be stopped on a mutex at line 62). This can be tested by changing the copy_test variable to 1 at line 19. Is it expected given my program?
Best regards,
Bruno.
7 years, 8 months
Re: what databases are to be replicated for a slave?
by Jephte Clain
2015-12-29 20:38 GMT+04:00 Quanah Gibson-Mount <quanah(a)zimbra.com>:
> --On Tuesday, December 29, 2015 12:48 PM +0400 Jephte Clain
> <jephte.clain(a)univ-reunion.fr> wrote:
>
>
>
>>> No. Replicas do not accept writes. Replicas do not have a master
>>> configuration for cn=config. Replicas do not have server IDs.
>>
>> ok I guess I understand. this is the reason why I usually call them
>> "slaves", not replicas (but I messed things up and called them replicas
>> this time ^^)
>> I also have replicas that only replicate data (or a subset of data) for
>> some services
>
>
> No. The terms replica and slave are interchangeable. As are master and
> provider. Given the very negative connotations of the concept of masters
> and slaves, the preferred terms are "provider" instead of "master" and
> "replica" instead of "slaves".
Aaargh, now I can't help thinking about "providers" whipping
"replicas". slapd can be so cruel sometimes :-)
And in case you wonder, here in reunion island we have a (relatively)
long history of slavery. We even have a day to commemorate abolition
of slavery: december 20th
>
>
>> the slaves are there in case of catastrophic failure of both masters (we
>> had one of these failure for another service due to a problem with the
>> shared storage. No one wants to have this kind of emergency...)
>> If the master(s) crash, I just have to choose a slave as the new master,
>> slapcat the cn=config database, update the provider address, slapadd the
>> updated config, and update the loadbalancer settings. this is a bit of
>> work but at least we can restore service in a (relatively) small amount
>> of time.
>
>
> If they accept writes, they are not slaves/replicas. If you are replicating
> cn=config across all the systems, then they must all be masters. Your
> general description above sounds like you do not correctly understand how
> MMR functions.
OK... I finally understand what was bothering you
My replicas do _not_ accept writes. Sorry to have let you think so
I have two setups:
- a "legacy" one, with one master accessible to the applications that
can write, and two complete replicas (data + cn=config) behind a
loadbalancer for the reads. One of these replicas could become the new
master if the need arises. And there are a bunch of partial replicas
(only a subset of data) for some specific services. The reason is on
our vmware farm, network access is regularly cut (don't know why, neither
does the system guy), and these services cannot reconnect on their
own... piece of #$*! software :(
- a "new" one, with two masters in mirror mode (only one get the
writes at anytime thanks to the loadbalancer), and two replicas (only
data) which get all the reads. I feel like configuring chaining to be
able to write from the replicas, but I have no experience of the
benefits of this configuration...
I have read the admin guide several times, but I am open to any
suggestion to improve my skills
>
>>> Accesslog is unique to a given master.
>>
>> Ok that's what I wanted to know for sure
>>
>> Shouldn't the doc state this clearly?
>
>
> Please file an ITS noting the docs should be updated on this point.
Ok. I may even provide a patch. I'll do it tomorrow.
Have a nice day/night (don't know where you live ^^)
Regards,
Jephté
--
Jephté CLAIN | Développeur, Intégrateur d'applications
Service Système d'Information
Direction des Systèmes d'Information
Tél: +262 262 93 86 31 || Gsm: +262 692 29 58 24
7 years, 8 months
LMDB ITS 8324 WriteMap performance on Windows
by Victor Baybekov
Hi,
Thanks a lot for ITS#8324! For embedded, not server, use case that change
adds much convenience.
I have tested the master from .NET via P/Invoke and do not see any major
slowdown with default options. To insert 10M <int32,int32> pairs inside a
single transaction v.0.9.14 takes minimum 3400 msec, latest master takes
minimum 3750 msec. This is not scientific, just best result from 10 runs.
Sometimes both timings increase to 5000+ msecs. On average slowdown is
visible but tolerable - from 2.9 Mops to 2.6 Mops (absolute numbers are
still awesome!). With Append and NoSync I could get 3.45 Mops on the same
test with master build.
However, with WriteMap performance of master drops 3x to 10000 msec or just
1 Mops, while for the v.0.9.14 performance with WriteMap improves to 2350
msec or 4.25 Mops.
Is this the cost of convenience or it could be fixed so that WriteMap still
"is faster and uses fewer mallocs" as the docs say?
Best regards,
Victor
7 years, 8 months
Re: pass-through authentication
by Dan White
On 12/17/15 18:32 -0600, Timothy Keith wrote:
>We are attempting to set up an LDAP server which will answer queries
>from an application. The database will contain metadata on a set of
>users in the application. The application will also query the server
>to authenticate the user’s password, however, this server will not
>house the password. That resides on another server, which our server
>will query. We do not have administrative rights to the other
>server.
>
> The difficulty we are having now is setting up the pass-through
>authentication for the passwords. Any pointers in how to proceed with
>this would be greatly appreciated.
On 12/21/15 17:24 -0600, Timothy Keith wrote:
>We have limited access to the servers. Same company, different IT
>organization. Our LDAP requirement must be transparent to those servers.
>We want to inherit the LDAP directory information from the Unix servers -
>mostly the user Id and passwords, and add information that is needed by
>applications that our servers will manage.
On 12/31/15 09:51 -0600, Timothy Keith wrote:
> On Wed, Dec 30, 2015 at 7:04 PM, Dan White <dwhite(a)cafedemocracy.org> wrote:
>> On 12/30/15 18:51 -0600, Timothy Keith wrote:
>>
>>> This is tail of the latest saslauthd debug output :
>>>
>>> ldap_sasl_interactive_bind: user selected: DIGEST-MD5
>>> res_errno: 7, res_error: <SASL(-4): no mechanism available: >, res_matched: <>
>>> ldap_free_request (origid 1, msgid 1)
>>> ldap_int_sasl_bind: DIGEST-MD5
>>> ldap_parse_sasl_bind_result
>>> ldap_parse_result
>>> ldap_msgfree
>>> ldap_err2string
>>>
>>
>> Is DIGEST-MD5 available on your ldap server? Try:
>>
>> ldapsearch -LLL -x -H ldap://1.2.3.4 -s "base" -b "" supportedSASLMechanisms
>>
>> which should list the advertised SASL mechanisms.
>>
>> Verify the digest-md5 mechanism is installed with
>> saslpluginviewer/pluginviewer.
>
>Dan, that ldapsearch returns :
>dn:
>supportedSASLMechanisms: PLAIN
The server is only offering the PLAIN mechanism to you. It appears you're
using saslauthd's ldap backend, and have explicitly configured 'ldap_mech:
digest-md5' in your corresponding config. If that's correct, you could
change that to PLAIN instead.
Consider protecting the bind with tls if available.
slapo-pbind may be a simpler alternative (to pass-through sasl
authentication), depending on the specifics of your setup.
--
Dan White
7 years, 8 months
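The slapo-pbind alternative Dan mentions, as an added example that is not part of the thread. The pbind overlay on the local database hands every simple bind to the remote server instead of checking a local userPassword, so the local entries carry no password at all and the ldap_mech problem in saslauthd disappears because saslauthd is no longer involved. Assumptions, all placeholders: the local database is olcDatabase={1}mdb, the remote server is the ldap://1.2.3.4 from the thread, the user DNs are identical on both sides (pbind forwards the bind DN unchanged, so the local DIT has to mirror the remote one for these entries), and the back_ldap module, which pbind is built with, is loaded. The StartTLS line is there because the remote advertises only PLAIN, so a forwarded password crosses the wire in clear unless TLS is forced.

```ldif
# Added example (not from the thread). Forward simple binds for entries in
# olcDatabase={1}mdb to the server that actually holds the passwords.
dn: olcOverlay={0}pbind,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPBindConfig
olcOverlay: {0}pbind
# Remote server from the thread; no proxy bind DN or credentials are
# needed, the client's own DN and password are what gets forwarded.
olcDbURI: "ldap://1.2.3.4"
# Refuse to forward credentials unless StartTLS succeeds and the remote
# certificate verifies against the local CA store.
olcDbStartTLS: start tls_reqcert=demand
# Fail the bind instead of hanging when the remote is unreachable.
olcDbNetworkTimeout: 5
```

After loading it, `ldapwhoami -x -ZZ -H ldap://localhost -D "uid=someone,ou=people,dc=example,dc=com" -W` (a placeholder DN) should succeed for a user whose local entry has no userPassword, and fail when the remote rejects the password. pbind covers simple binds only: SASL binds and any ACL `auth` check against a local userPassword stay local, which is fine here precisely because the local entries hold none.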
Re: openldap 2.4.43 keeps crashing
by Jephte Clain
2015-12-30 22:51 GMT+04:00 Quanah Gibson-Mount <quanah(a)zimbra.com>:
> --On Wednesday, December 30, 2015 10:36 PM +0400 Jephte Clain
> <jephte.clain(a)univ-reunion.fr> wrote:
>
>> 2015-12-29 20:47 GMT+04:00 Quanah Gibson-Mount <quanah(a)zimbra.com>:
>>>
>>> --On Monday, December 28, 2015 10:18 PM -0800 Quanah Gibson-Mount
>>> <quanah(a)zimbra.com> wrote:
>>>
>>>> David,
>>>>
>>>> Why haven't you reported this to the ITS?
>>>
>>>
>>>
>>> Discussed with Howard. It isn't in 0.9 yet because it hasn't been
>>> confirmed if the fix is good or not. David, if that fix has resolved
>>> the issue, *please* follow up with the ITS noting that to be the case.
>>>
>>
>> Hello,
>>
>> I can confirm this is the problem I have. Starting slapd in debug
>> mode, it dies after some time:
>>
>> /tmp/buildd/openldap-2.4.43/servers/slapd/back-mdb/../../../libraries/liblmdb/mdb.c:5276: Assertion 'NUMKEYS(mp) > 1' failed in mdb_page_search_root()
>> /usr/local/slaptools/lib/functions: line 44: 30232 Abandon /usr/sbin/slapd -h "$SLAPD_SERVICES" -g "$SLAPD_GROUP" -u "$SLAPD_USER" -F "$SLAPDD" -d "$dlevel" "$@"
>>
>> I didn't notice it because it doesn't dump core. And somehow, the
>> initscript I use eats the stderr output of slapd (I'll fix it for
>> future errors)
>>
>> For now, I'll revert to the previous working version, but I'm willing
>> to test any fix
>> The funny part is only the replica dies regularly, not the master
>> although it is the one to receive the writes
>
>
> You can apply the patch that was made to mdb.master to the 2.4.43 source
> tree, and see if it resolves the problem or not. ;)
Hmmm... I really need some holidays... I couldn't manage to find the
commit today (too tired?) and now I remember grep is my friend
$ git checkout mdb.master
$ git log --pretty=oneline | grep 8336
58d1fd4c73c96ef3097816e975b3d421ead4d86e ITS#8336 fix page_search_root assert on FreeDB
I'll have a look tomorrow. Thanks. Regards,
Jephté
--
Jephté CLAIN | Développeur, Intégrateur d'applications
Service Système d'Information
Direction des Systèmes d'Information
Tél: +262 262 93 86 31 || Gsm: +262 692 29 58 24
7 years, 8 months
LDAP ACL for restricting applications with same user dn
by Geo P.C.
Currently we need to configure Group based LDAP login for our custom
applications. We have applications named app1, app2 etc.
To restrict a user to log in to a particular application, e.g. app1, that
user should have the attribute allowedService = app1; to log in to app2 the
user needs allowedService = app2.
So in that way we created users.
Now for binding applications to LDAP we created users like
cn=app1,ou=Applications,dc=prime,dc=ds,dc=geo,dc=com
cn=app2,ou=Applications,dc=prime,dc=ds,dc=geo,dc=com
Now we configured LDAP ACL as follows:
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=ds,dc=geo,dc=com" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to dn.subtree="ou=People,dc=prime,dc=ds,dc=geo,dc=com" filter="(allowedService=app1)" by dn.exact="cn=app1,ou=Applications,dc=prime,dc=ds,dc=geo,dc=com" read by * break
olcAccess: {3}to dn.subtree="ou=People,dc=prime,dc=ds,dc=geo,dc=com" filter="(allowedService=app2)" by dn.exact="cn=app2,ou=Applications,dc=prime,dc=ds,dc=geo,dc=com" read by * break
olcAccess: {4}to dn.subtree="ou=People,dc=prime,dc=ds,dc=geo,dc=com" attrs="entry" by dn.sub="ou=Applications,dc=prime,dc=ds,dc=geo,dc=com" read by dn="cn=admin,dc=ds,dc=geo,dc=com" write by self read by * break
olcAccess: {5}to dn.subtree="ou=People,dc=prime,dc=ds,dc=geo,dc=com" by dn.exact="cn=app3,ou=Applications,dc=prime,dc=ds,dc=geo,dc=com" read by users read
olcAccess: {6}to dn.subtree="dc=prime,dc=ds,dc=geo,dc=com" by anonymous write
But for any application that doesn't support a filter (like SuiteCRM) we
created rule olcAccess: {5} and bound it with the app3 user, and then the
whole ACL is not working and all users can log in to all applications.
So can anyone please help us on it
Thanks
Geo
7 years, 9 months
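The same ACL set with the catch-all rule narrowed, as an added example that is not part of the post. slapd walks the olcAccess clauses in order, uses the first `to` clause whose target matches, applies the first matching `by` clause inside it, and on `break` carries on with the next `to` clause. Take app2 bound and reading an entry that has only allowedService=app1: {2} matches the entry but app2 is not app1, so `by * break` falls through; {3} does not match the filter; {4} covers only the entry pseudo-attribute; {5} matches, and its `by users read` grants read to any authenticated DN, app1 and app2 included. That is why adding {5} lets every application see every user. The rewrite below grants {5} to app3 alone, keeps `self read` so users can still read their own attributes, and closes ou=People with `by * none`. It also replaces the final `by anonymous write` on dc=prime, which as posted gives unauthenticated clients write access to everything not matched by an earlier clause, with admin write and users read. All DNs are the ones from the post; the target database is assumed to be olcDatabase={1}hdb, and the continuation lines (two leading spaces) are LDIF folding of one olcAccess value each.

```ldif
# Added example (not from the post): ACLs with the app3 catch-all scoped to
# app3 and the anonymous-write clause removed.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by self write
  by anonymous auth
  by dn.exact="cn=admin,dc=ds,dc=geo,dc=com" write
  by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to dn.subtree="ou=People,dc=prime,dc=ds,dc=geo,dc=com" filter="(allowedService=app1)"
  by dn.exact="cn=app1,ou=Applications,dc=prime,dc=ds,dc=geo,dc=com" read
  by * break
olcAccess: {3}to dn.subtree="ou=People,dc=prime,dc=ds,dc=geo,dc=com" filter="(allowedService=app2)"
  by dn.exact="cn=app2,ou=Applications,dc=prime,dc=ds,dc=geo,dc=com" read
  by * break
olcAccess: {4}to dn.subtree="ou=People,dc=prime,dc=ds,dc=geo,dc=com" attrs=entry
  by dn.subtree="ou=Applications,dc=prime,dc=ds,dc=geo,dc=com" read
  by dn.exact="cn=admin,dc=ds,dc=geo,dc=com" write
  by self read
  by * break
olcAccess: {5}to dn.subtree="ou=People,dc=prime,dc=ds,dc=geo,dc=com"
  by dn.exact="cn=app3,ou=Applications,dc=prime,dc=ds,dc=geo,dc=com" read
  by dn.exact="cn=admin,dc=ds,dc=geo,dc=com" write
  by self read
  by * none
olcAccess: {6}to dn.subtree="dc=prime,dc=ds,dc=geo,dc=com"
  by dn.exact="cn=admin,dc=ds,dc=geo,dc=com" write
  by users read
  by * none
```

To verify the scoping before pointing applications at it, bind as each application DN and search ou=People with the filter the application would use: `ldapsearch -x -D "cn=app2,ou=Applications,dc=prime,dc=ds,dc=geo,dc=com" -W -b "ou=People,dc=prime,dc=ds,dc=geo,dc=com" "(uid=*)" uid allowedService` should return only entries carrying allowedService=app2, the same search as app3 should return all of them, and the same search as app1 must not return an app2-only user. {4} still lets every application DN see that an entry exists (the entry pseudo-attribute), which is needed for the search to reach the attribute checks; if even the existence of other applications' users should stay hidden, drop that clause and put `by dn.exact=... read` for entry into {2}, {3} and {5} instead.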