I am using OpenLDAP 2.4.23 on CentOS 6 and trying to set up ACLs to allow simpleSecurityObjects who are members of a groupOfNames to read their entry (but not write) and ideally not see other member attributes in that same groupOfNames. These simpleSecurityObjects exist in various OUs and reside in the same OU as the groupOfNames that they require access to.
I'm using the memberOf overlay to maintain memberOf attributes within each simpleSecurityObject (which works well).
Sample simpleSecurityObject and groupOfNames:
dn: uid=josh,ou=first string,dc=example,dc=com
objectClass: account
objectClass: simpleSecurityObject
objectClass: top
uid: josh

dn: cn=group1,ou=first string,dc=example,dc=com
objectClass: groupOfNames
cn: group1
member: uid=josh,ou=first string,dc=example,dc=com
Here is what I have so far for ACLs:
dn: olcDatabase={1}bdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword
  by anonymous auth
  by self write
  by group.exact="cn=ol-admins,ou=groups,dc=example,dc=com" write
  by * none
-
add: olcAccess
olcAccess: {1}to dn.subtree="ou=power users,dc=example,dc=com"
  by anonymous auth
  by self write
  by group.exact="cn=ol-admins,ou=groups,dc=example,dc=com" write
  by dn.exact="uid=power users admin,ou=service accounts,dc=example,dc=com" write
  by dn.exact="uid=power users readonly,ou=service accounts,dc=example,dc=com" read
  by dn.exact="uid=global-ro,ou=service accounts,dc=example,dc=com" read
  by users search
  by * none
-
add: olcAccess
olcAccess: {2}to dn.subtree="ou=third string,dc=example,dc=com"
  by self write
  by anonymous auth
  by group.exact="cn=ol-admins,ou=groups,dc=example,dc=com" write
  by dn.exact="uid=third string admin,ou=service accounts,dc=example,dc=com" write
  by dn.exact="uid=third string readonly,ou=service accounts,dc=example,dc=com" read
  by dn.exact="uid=global-ro,ou=service accounts,dc=example,dc=com" read
  by users search
  by * none
-
add: olcAccess
olcAccess: {3}to dn.subtree="ou=second string,dc=example,dc=com"
  by self write
  by anonymous auth
  by group.exact="cn=ol-admins,ou=groups,dc=example,dc=com" write
  by dn.exact="uid=second string admin,ou=service accounts,dc=example,dc=com" write
  by dn.exact="uid=second string readonly,ou=service accounts,dc=example,dc=com" read
  by dn.exact="uid=global-ro,ou=service accounts,dc=example,dc=com" read
  by users search
  by * none
-
add: olcAccess
olcAccess: {4}to dn.subtree="ou=first string,dc=example,dc=com"
  by self write
  by anonymous auth
  by group.exact="cn=ol-admins,ou=groups,dc=example,dc=com" write
  by dn.exact="uid=first string admin,ou=service accounts,dc=example,dc=com" write
  by dn.exact="uid=first string readonly,ou=service accounts,dc=example,dc=com" read
  by dn.exact="uid=global-ro,ou=service accounts,dc=example,dc=com" read
  by users search
  by * none
-
add: olcAccess
olcAccess: {5}to dn.subtree="ou=fourth string,dc=example,dc=com"
  by self write
  by anonymous auth
  by group.exact="cn=ol-admins,ou=groups,dc=example,dc=com" write
  by dn.exact="uid=fourth string admin,ou=service accounts,dc=example,dc=com" write
  by dn.exact="uid=fourth string readonly,ou=service accounts,dc=example,dc=com" read
  by dn.exact="uid=global-ro,ou=service accounts,dc=example,dc=com" read
  by users search
  by * none
-
add: olcAccess
olcAccess: {6}to *
  by self write
  by anonymous auth
  by group.exact="cn=ol-admins,ou=groups,dc=example,dc=com" write
  by dn.exact="uid=global-ro,ou=service accounts,dc=example,dc=com" read
  by dn.exact="uid=readonly,ou=people,dc=example,dc=com" read
  by * none
I've tried placing the following ACL in various places in the list and it has failed to work each time:
(re: http://www.openldap.org/doc/admin24/access-control.html)
olcAccess: to attrs=member,entry
  by dnattr=member selfwrite
  by group.exact="cn=ol-admins,ou=groups,dc=example,dc=com" write
  by dn.exact="uid=global-ro,ou=service accounts,dc=example,dc=com" read
  by dn.exact="uid=readonly,ou=people,dc=example,dc=com" read
  by * none
Any assistance would be greatly appreciated.
Thanks, Josh
openldap-technical@openldap.org
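An added configuration example, not part of Josh's post, showing the one property of slapd ACL evaluation that decides whether a member rule like the one above can ever fire: slapd picks the first olcAccess clause whose "to" target matches the entry and attribute being accessed and evaluates only that clause's "by" list, so a member rule appended after {4}to dn.subtree="ou=first string,dc=example,dc=com" is never consulted for cn=group1. The DNs are the ones from the post; the renumbering, the use of "replace" instead of a chain of "add" operations, and the choice of "read" rather than "selfwrite" for members are assumptions of this example. Note that "by dnattr=member read" grants read on the whole multi-valued member attribute, so it addresses the ordering problem but does not by itself hide other members' DNs.

```ldif
# Added example, not from the original post. Same DNs as the post; the
# ordering, the "replace" and the "read" level are assumptions here.
dn: olcDatabase={1}bdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by anonymous auth
  by self write
  by group.exact="cn=ol-admins,ou=groups,dc=example,dc=com" write
  by * none
# Member rule first: slapd stops at the first "to" clause whose target
# matches, so this must precede the broader subtree rule for the same OU.
# "entry" is needed so the group entry itself is visible; "dnattr=member"
# matches when the bound DN is listed in the target entry's member attribute.
olcAccess: {1}to dn.subtree="ou=first string,dc=example,dc=com" attrs=member,entry
  by dnattr=member read
  by group.exact="cn=ol-admins,ou=groups,dc=example,dc=com" write
  by dn.exact="uid=first string admin,ou=service accounts,dc=example,dc=com" write
  by dn.exact="uid=first string readonly,ou=service accounts,dc=example,dc=com" read
  by dn.exact="uid=global-ro,ou=service accounts,dc=example,dc=com" read
  by * none
# Broader rule for everything else in the subtree, as in the post.
olcAccess: {2}to dn.subtree="ou=first string,dc=example,dc=com"
  by self write
  by anonymous auth
  by group.exact="cn=ol-admins,ou=groups,dc=example,dc=com" write
  by dn.exact="uid=first string admin,ou=service accounts,dc=example,dc=com" write
  by dn.exact="uid=first string readonly,ou=service accounts,dc=example,dc=com" read
  by dn.exact="uid=global-ro,ou=service accounts,dc=example,dc=com" read
  by users search
  by * none
# The remaining ou=... subtree rules from the post go here, each preceded
# by its own member rule in the same way, with indices renumbered.
# Catch-all rule last, as in the post.
olcAccess: {3}to *
  by self write
  by anonymous auth
  by group.exact="cn=ol-admins,ou=groups,dc=example,dc=com" write
  by dn.exact="uid=global-ro,ou=service accounts,dc=example,dc=com" read
  by dn.exact="uid=readonly,ou=people,dc=example,dc=com" read
  by * none
```

The placement can be checked without a client bind using slapacl, which evaluates the configured ACLs for a given identity and target directly, for example slapacl -F /etc/openldap/slapd.d -D "uid=josh,ou=first string,dc=example,dc=com" -b "cn=group1,ou=first string,dc=example,dc=com" member/read, which reports whether read access to member is allowed or denied for that DN; running it once with the member rule before the subtree rule and once after makes the first-match behaviour visible.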