Hi,
I searched a lot but can't find a solution, so I post here:
I have to allow a user to get information from the internal LDAP for an enterprise external software (cloud backup for laptops). Only some accounts have to be retrieved by this external user. I created a group (posixGroup) and added members to it (memberUid). I created the posixAccount that will be used by the external software to get information on the members of the new group (uid, userPassword, mail, givenName, sn).
So I want to make an ACL that limits access for the created account to read only the information of users from the created group.
I already tested the memberOf overlay but it's not working with memberUid (not DN style).
Info: OpenLDAP server 2.4.40+dfsg-1 on Debian jessie.
Simple LDAP:
ou=Users,dc=exemple,dc=com <-- all my users
uid=readers,ou=Users,dc=exemple,dc=com <-- the user I want to use to see only cn=externalgroupaccess
ou=Groups,dc=exemple,dc=com <-- posixGroup with memberUid
cn=arcaboxUser,ou=Groups,dc=exemple,dc=com <-- the group whose users have to be visible.
ACL:
access to dn.subtree="dc=exemple,dc=com"
        attrs=entry,uid,userPassword,mail,givenName,sn
        filter=()
        by dn="uid=readers,ou=Users,dc=exemple,dc=com" read
        by * break
access to dn.subtree="dc=exemple,dc=com"
        by dn="uid=readers,ou=Users,dc=exemple,dc=com" search
        by * break
My problem is on the filter (I think). If I use this: filter=(uid=accountuid), the user "readers" can see the information from accountuid and not from others.
But cn=arcaboxUser,ou=Groups,dc=exemple,dc=com will have more than 200 accounts.
Question: does someone have an idea how to build a filter that contains all the memberUid values of cn=arcaboxUser,ou=Groups,dc=exemple,dc=com?
I see "set", but if I understand this: http://www.openldap.org/faq/data/cache/1133.html, set is only used in the by statement of an ACL, not in the filter.
Thank you
Nicolas (sorry for my bad English)
I want to make an ACL that limits access for an account to read only the information of users from one group.
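One way to express this in slapd.conf, as an added example that is not part of Nicolas's post: instead of a filter on the "to" side, use a set in the "by" clause, where "this" is the entry being accessed and "[dn]/memberUid" fetches the member list of the group entry (set syntax as documented in slapd.access(5) and FAQ 1133). The two-rule chaining with "none break", the "by *" defaults and the DNs are assumptions taken from the post's tree and must be verified on the real directory.

```conf
# Rule 1: on the attributes the backup software needs, only the
# "readers" account is passed on (none + break) to rule 2. Everyone
# else is decided here; replace "by * none" with whatever your other
# users are supposed to get (this is an assumed default).
access to dn.subtree="ou=Users,dc=exemple,dc=com"
        attrs=entry,uid,userPassword,mail,givenName,sn
        by dn.exact="uid=readers,ou=Users,dc=exemple,dc=com" none break
        by * none

# Rule 2: reached only by "readers". Read is granted when the uid of
# the entry being accessed ("this/uid") is one of the memberUid values
# of the posixGroup; the intersection is empty for every other entry,
# so "entry" is not readable and the entry is simply not returned.
access to dn.subtree="ou=Users,dc=exemple,dc=com"
        attrs=entry,uid,userPassword,mail,givenName,sn
        by set="this/uid & [cn=arcaboxUser,ou=Groups,dc=exemple,dc=com]/memberUid" read
        by * none
```

Check the result offline with slapacl before reloading, e.g. `slapacl -D "uid=readers,ou=Users,dc=exemple,dc=com" -b "uid=someone,ou=Users,dc=exemple,dc=com" mail/read`, once for a member of cn=arcaboxUser and once for a non-member; note that "readers" can no longer read its own entry unless its uid is also listed in the group.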