Hi All,

I've Jasig CAS connected to OpenLDAP for users authentication.

My LDAP Schema is the following:

dc=com

dc=companyA,dc=com

ou=user,dc=companyA,dc=com

dc=companyB,dc=com

ou=user,dc=companyB,dc=com

I would like to give to a specific user (cn=admin,ou=user,dc=companyB,dc=com)

the ability to create inetOrgPerson objetcs under ou=user,dc=companyA,dc=com

and the restriction to have only search access to ou=user,dc=companyB,dc=com where actually some attributes should be hidden (such as userPassword).

I tried several ACL but always with one strange problem: a user is able to login via CAS. Then, he/she logouts and if try with a different account then LDAP returns DN_RESOLUTION_FAILURE.

That issue is occurring even with a simple ACL such as:

access to *
        by self write
        by anonymous auth
        by users search

The only way to workaround that issue is removing any ACL or leaving "by users read".

As DN bind I'm using dc=com.

Any suggestion? I cannot understand if focusing on CAS for this issue, or ACL LDAP side.

Thanks a LOT for the support!

Simone