Please let me know your thoughts on this. Can anyone please help me with it?


On Thu, Dec 31, 2015 at 9:11 PM, Geo P.C. <pcgeopc@gmail.com> wrote:
Currently we need to configure group-based LDAP login for our custom applications. We have applications named app1, app2, etc.

To restrict users to logging in to a particular application, e.g. app1, that user must have an attribute allowedService = app1; to log in to app2, that user needs allowedService = app2.

So we created the users in that way.

Now, for binding the applications to LDAP, we created users like:

cn=app1,ou=Applications,dc=prime,dc=ds,dc=geo,dc=com
cn=app2,ou=Applications,dc=prime,dc=ds,dc=geo,dc=com


Now we configured the LDAP ACLs as follows:


    olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=ds,dc=geo,dc=com" write by * none
    olcAccess: {1}to dn.base="" by * read
    olcAccess: {2}to dn.subtree="ou=People,dc=prime,dc=ds,dc=geo,dc=com" filter="(allowedService=app1)" by dn.exact="cn=app1,ou=Applications,dc=prime,dc=ds,dc=geo,dc=com" read by * break
    olcAccess: {3}to dn.subtree="ou=People,dc=prime,dc=ds,dc=geo,dc=com" filter="(allowedService=app2)" by dn.exact="cn=app2,ou=Applications,dc=prime,dc=ds,dc=geo,dc=com" read by * break
    olcAccess: {4}to dn.subtree="ou=People,dc=prime,dc=ds,dc=geo,dc=com" attrs="entry" by dn.sub="ou=Applications,dc=prime,dc=ds,dc=geo,dc=com" read by dn="cn=admin,dc=ds,dc=geo,dc=com" write by self read by * break
    olcAccess: {5}to dn.subtree="ou=People,dc=prime,dc=ds,dc=geo,dc=com" by dn.exact="cn=app3,ou=Applications,dc=prime,dc=ds,dc=geo,dc=com" read by users read
    olcAccess: {6}to dn.subtree="dc=prime,dc=ds,dc=geo,dc=com" by anonymous write

But for applications that don't support a filter (like SuiteCRM) we created rule olcAccess: {5} and bind with the app3 user; then the whole ACL is not working and all users can log in to all applications.

So can anyone please help us with it?

Thanks
Geo
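As an added illustration, not part of the post or of OpenLDAP itself: a simplified Python model of how slapd walks the olcAccess rules, loaded with rules {2} to {6} exactly as posted. It shows why "by users read" in rule {5} lets the app1 bind DN read an app2 user (every bound DN, including app1 and app2, is a member of "users"), and a variant of {5} that names app3 explicitly instead; the evaluation rules, the sample users alice and bob, and the fixed rule are assumptions, so confirm the outcome on a real server with slapacl.

```python
# Simplified model of slapd olcAccess evaluation (assumption: a reconstruction, not slapd's
# code; confirm against a real server with slapacl). The first "to" clause matching the
# entry/attribute applies and its first matching "by" clause sets the level; "break" keeps
# that level and continues with the next "to" clause; no matching "by" clause means denied.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]
BASE = "dc=prime,dc=ds,dc=geo,dc=com"
PEOPLE, APPS, ADMIN = "ou=People," + BASE, "ou=Applications," + BASE, "cn=admin,dc=ds,dc=geo,dc=com"
app = lambda name: f"cn={name},{APPS}"
def in_subtree(dn, base):
    return dn == base or dn.endswith("," + base)
def who_matches(who, requester, entry_dn):  # requester None means an anonymous bind
    kind, arg = who if isinstance(who, tuple) else (who, None)
    if kind in ("*", "anonymous", "users", "self"):
        return {"*": True, "anonymous": requester is None,
                "users": requester is not None, "self": requester == entry_dn}[kind]
    return requester is not None and (requester == arg if kind == "dn.exact" else in_subtree(requester, arg))

def target_matches(rule, entry_dn, entry, attr):  # dn.subtree=, attrs=, filter=(a=v)
    if not in_subtree(entry_dn, rule["dn"]) or ("attrs" in rule and attr not in rule["attrs"]):
        return False
    f = rule.get("filter")
    return f is None or entry.get(f[0]) == f[1]

def access(rules, entry_dn, entry, attr, requester):
    granted = "none"
    for rule in rules:
        if not target_matches(rule, entry_dn, entry, attr):
            continue
        for who, level, control in rule["by"]:
            if who_matches(who, requester, entry_dn):
                granted = level
                break
        else:
            return "none"  # "to" matched but no "by" did: implicit "by * none"
        if control != "break":
            return granted
    return granted

def can_read(rules, requester, entry_dn, entry, attr="uid"):
    return LEVELS.index(access(rules, entry_dn, entry, attr, requester)) >= LEVELS.index("read")
# Rules {2}-{6} as posted; {0} and {1} cannot match a uid read under ou=People.
POSTED = [
    {"dn": PEOPLE, "filter": ("allowedService", "app1"), "by": [(("dn.exact", app("app1")), "read", "stop"), ("*", "none", "break")]},
    {"dn": PEOPLE, "filter": ("allowedService", "app2"), "by": [(("dn.exact", app("app2")), "read", "stop"), ("*", "none", "break")]},
    {"dn": PEOPLE, "attrs": {"entry"}, "by": [(("dn.sub", APPS), "read", "stop"), (("dn.exact", ADMIN), "write", "stop"), ("self", "read", "stop"), ("*", "none", "break")]},
    {"dn": PEOPLE, "by": [(("dn.exact", app("app3")), "read", "stop"), ("users", "read", "stop")]},  # {5}: "users" is every bound DN, app1/app2 included
    {"dn": BASE, "by": [("anonymous", "write", "stop")]},  # {6}: reached for entries outside ou=People
]
# Assumed fix for {5}: grant app3 (and the user's own entry) explicitly, nothing else.
FIXED = POSTED[:3] + [{"dn": PEOPLE, "by": [(("dn.exact", app("app3")), "read", "stop"), ("self", "read", "stop")]}] + POSTED[4:]
```

Under this model rule {6} still grants an anonymous bind write access to any entry outside ou=People, which is worth revisiting independently of the app3 question.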