I am trying to configure acl in such a way users with attribute allowedService with application name can only login to that particular application.
We have users as follows:
dn: ou=People,dc=prime,dc=ds,dc=geo,dc=com
dn: uid=user1,ou=People,dc=prime,dc=ds,dc=geo,dc=com uid: user1 allowedService: gitlab
dn: uid=user2,ou=People,dc=prime,dc=ds,dc=geo,dc=com uid: user2 allowedService: zabbix
dn: uid=user3,ou=People,dc=prime,dc=ds,dc=geo,dc=com objectClass: top uid: user3 allowedService: zabbix
We created an user as follows:
dn: cn=gitlab,ou=Applications,ou=Groups,dc=prime,dc=ds,dc=geo,dc=com cn: gitlab uid: gitlab
Now in application we given the details as follows: gitlab configuration base: ou=People,dc=prime,dc=ds,dc=geo,dc=com uid: uid bind_dn: cn=gitlab,ou=Applications,ou=Groups,dc=prime,dc=ds,dc=geo,dc=com password: password
Now in acl we tried various options as follows:
root@geopc:/# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(olcDatabase={1}hdb)' olcAccess dn: olcDatabase={1}hdb,cn=config olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=ds,dc=geo,dc=com" write by * none olcAccess: {1}to dn.base="" by * read olcAccess: {2}to dn.subtree="ou=Applications,ou=Groups,dc=prime,dc=ds,dc=geo,dc=com" by self write by * write olcAccess: {3}to dn.subtree="ou=People,dc=prime,dc=ds,dc=geo,dc=com" by self write by * auth olcAccess: {4}to dn.subtree="ou=People,dc=prime,dc=ds,dc=geo,dc=com" filter="(allowedService=gitlab)" by dn.exact="cn=gitlab,ou=Applications,ou=Groups,dc=prime,dc=ds,dc=geo,dc=com" write by self write
But with this no user can able to login. But we change olcAccess: {3}to dn.subtree="ou=People,dc=prime,dc=ds,dc=geo,dc=com" by self write by * write, all users can login.
But actually we need is only the user1 need only to login to gitlab application. And the users user2 and user3 need only to login to zabbix application
Can anyone please help me to configure acl for this. Thanks in advance.
Thanks Geo