Hi List,
Hoping someone can help us out with our ACL problems post upgrading on our test system.
We've upgraded from OpenLDAP 2.1 to 2.4 with success. The directory is fine and the ACLS below work as expected minus the line [by dnattr=uniqueMember read]
Please see our ACL's below:
# Allow a user to update their password access to attrs=userPassword by dn="uid=support,ou=users,dc=oursystem,dc=co,dc=uk" write by dn="uid=backup,ou=users,dc=oursystem,dc=co,dc=uk" write by self write by * auth
# Allow write and read access to the applications tree for specific users # Normal users will only be able to see what they are a member of access to dn.subtree="ou=applications,dc=oursystem,dc=co,dc=uk" by dn="uid=root,dc=oursystem,dc=co,dc=uk" write by dn="uid=support,ou=users,dc=oursystem,dc=co,dc=uk" write by dn="uid=backup,ou=users,dc=oursystem,dc=co,dc=uk" write by dn="uid=tomcat, ou=users,dc=oursystem,dc=co,dc=uk" read by dn="uid=apache, ou=users,dc=oursystem,dc=co,dc=uk" read by dnattr=uniqueMember read
# Allow write and read access to the users tree for specific users # Normal users will only be able to their own node access to dn.subtree="ou=users,dc=oursystem,dc=co,dc=uk" by dn="uid=root,dc=oursystem,dc=co,dc=uk" write by dn="uid=support,ou=users,dc=oursystem,dc=co,dc=uk" write by dn="uid=backup,ou=users,dc=oursystem,dc=co,dc=uk" write by dn="uid=apache,ou=users,dc=oursystem,dc=co,dc=uk" read by self write
# Allow write and read access for specific users # Normal users will only be able to their own node access to dn.subtree="dc=oursystem,dc=co,dc=uk" by dn="uid=root,dc=oursystem,dc=co,dc=uk" write by dn="uid=support,ou=users,dc=oursystem,dc=co,dc=uk" write by dn="uid=backup,ou=users,dc=oursystem,dc=co,dc=uk" write by dn="uid=apache, ou=users,dc=oursystem,dc=co,dc=uk" read by self read
The apache, tomcat, root, support users work as expected and can access their respective accounts. We have a number of Unique Members who are members of DN's under dc=oursystem,dc=co,dc=uk. For Example:
DN: cn=online_application_1,ou=our_online_application_1,ou=applications,dc=oursystem,dc=co,dc=uk
We have uniqueMember attribute which contains the dn for users For Example:
uid=user1,ou=users,dc=oursystem,dc=co,dc=uk
As I understand it by dnattr=uniqueMember read on openldap 2.1 allowed the user to login to the ldap server, search the DN's under the ou=applications,dc=oursystem,dc=co,dc=uk for uniqueMember which contained there own DN.
This worked and our applications authenticated on OpenLDAP 2.1.
Since upgrading to 2.4 this ACL does not work in this way and I suspect it's by dnattr=uniqueMember read which is the problem. Does anyone have any help to offer on how to proceed? Is there a better way to do the ACL in question?
Thanks
Joe
openldap-technical@openldap.org