Hi List,
I've managed to answer my own question by reading the change log between the versions - Who would have figured the answer would have been there!
OpenLDAP 2.4 Introduced the requirement to have search permission on the parent DN when search a subtree. Therefore I had to update my ACL's to this:
# Allow a user to update their password
access to attrs=userPassword
by dn="uid=support,ou=users,dc=oursystem,dc=co,dc=uk" write
by dn="uid=backup,ou=users,dc=oursystem,dc=co,dc=uk" write
by self write
by * auth
#As of OpenLDAP 2.4.X you are required to provide search to the DN which you search though to find a attribute.
#We have therefore permitted search though the system for any authenticated user. The ACL's below line by dnattr=uniqueMember
#Controls what the user can actually read.
access to dn="ou=applications, dc=oursystem,dc=co,dc=uk"
by users search
# Allow write and read access to the applications tree for specific users # Normal users will only be able to see what they are a member of access to dn.subtree="ou=applications,dc=oursystem,dc=co,dc=uk"
by dn="uid=support,ou=users,dc=oursystem,dc=co,dc=uk" write
by dn="uid=backup,ou=users,dc=oursystem,dc=co,dc=uk" write
by dn="uid=tomcat, ou=users,dc=oursystem,dc=co,dc=uk" read
by dn="uid=apache, ou=users,dc=oursystem,dc=co,dc=uk" read
by dnattr=uniqueMember read
# Allow write and read access to the users tree for specific users # Normal users will only be able to their own node access to dn.subtree="ou=users,dc=oursystem,dc=co,dc=uk"
by dn="uid=support,ou=users,dc=oursystem,dc=co,dc=uk" write
by dn="uid=backup,ou=users,dc=oursystem,dc=co,dc=uk" write
by dn="uid=apache,ou=users,dc=oursystem,dc=co,dc=uk" read
by self write
# Allow write and read access for specific users # Normal users will only be able to their own node access to dn.subtree="dc=oursystem,dc=co,dc=uk"
by dn="uid=support,ou=users,dc=oursystem,dc=co,dc=uk" write
by dn="uid=backup,ou=users,dc=oursystem,dc=co,dc=uk" write
by dn="uid=apache, ou=users,dc=oursystem,dc=co,dc=uk" read
by self read
The new section added is :
#As of OpenLDAP 2.4.X you are required to provide search to the DN which you search though to find a attribute.
#We have therefore permitted search though the system for any authenticated user. The ACL's below line by dnattr=uniqueMember
#Controls what the user can actually read.
access to dn="ou=applications, dc=oursystem,dc=co,dc=uk"
by users search
Thanks
Joe.
-----Original Message-----
From: Madden, Joe
Sent: 09 August 2016 14:55
To: openldap-technical(a)openldap.org
Subject: OpenLDAP Upgrade from OpenLDAP 2.1 to 2.4 - ACL Issues
Hi List,
Hoping someone can help us out with our ACL problems post upgrading on our test system.
We've upgraded from OpenLDAP 2.1 to 2.4 with success. The directory is fine and the ACLS below work as expected minus the line [by dnattr=uniqueMember read]
Please see our ACL's below:
# Allow a user to update their password
access to attrs=userPassword
by dn="uid=support,ou=users,dc=oursystem,dc=co,dc=uk" write
by dn="uid=backup,ou=users,dc=oursystem,dc=co,dc=uk" write
by self write
by * auth
# Allow write and read access to the applications tree for specific users # Normal users will only be able to see what they are a member of access to dn.subtree="ou=applications,dc=oursystem,dc=co,dc=uk"
by dn="uid=root,dc=oursystem,dc=co,dc=uk" write
by dn="uid=support,ou=users,dc=oursystem,dc=co,dc=uk" write
by dn="uid=backup,ou=users,dc=oursystem,dc=co,dc=uk" write
by dn="uid=tomcat, ou=users,dc=oursystem,dc=co,dc=uk" read
by dn="uid=apache, ou=users,dc=oursystem,dc=co,dc=uk" read
by dnattr=uniqueMember read
# Allow write and read access to the users tree for specific users # Normal users will only be able to their own node access to dn.subtree="ou=users,dc=oursystem,dc=co,dc=uk"
by dn="uid=root,dc=oursystem,dc=co,dc=uk" write
by dn="uid=support,ou=users,dc=oursystem,dc=co,dc=uk" write
by dn="uid=backup,ou=users,dc=oursystem,dc=co,dc=uk" write
by dn="uid=apache,ou=users,dc=oursystem,dc=co,dc=uk" read
by self write
# Allow write and read access for specific users # Normal users will only be able to their own node access to dn.subtree="dc=oursystem,dc=co,dc=uk"
by dn="uid=root,dc=oursystem,dc=co,dc=uk" write
by dn="uid=support,ou=users,dc=oursystem,dc=co,dc=uk" write
by dn="uid=backup,ou=users,dc=oursystem,dc=co,dc=uk" write
by dn="uid=apache, ou=users,dc=oursystem,dc=co,dc=uk" read
by self read
The apache, tomcat, root, support users work as expected and can access their respective accounts. We have a number of Unique Members who are members of DN's under dc=oursystem,dc=co,dc=uk. For Example:
DN: cn=online_application_1,ou=our_online_application_1,ou=applications,dc=oursystem,dc=co,dc=uk
We have uniqueMember attribute which contains the dn for users For Example:
uid=user1,ou=users,dc=oursystem,dc=co,dc=uk
As I understand it by dnattr=uniqueMember read on openldap 2.1 allowed the user to login to the ldap server, search the DN's under the ou=applications,dc=oursystem,dc=co,dc=uk for uniqueMember which contained there own DN.
This worked and our applications authenticated on OpenLDAP 2.1.
Since upgrading to 2.4 this ACL does not work in this way and I suspect it's by dnattr=uniqueMember read which is the problem. Does anyone have any help to offer on how to proceed? Is there a better way to do the ACL in question?
Thanks
Joe