Currently we need to configure group-based LDAP login for our custom applications. We have applications named app1, app2 etc.
To restrict a user to logging in to a particular application, e.g. app1, that user must have the attribute *allowedService = app1*; to log in to app2 the user needs *allowedService = app2*.
So in that way we created users.
Now, for binding the applications to LDAP, we created users like
*cn=app1,ou=Applications,dc=prime,dc=ds,dc=geo,dc=com*
*cn=app2,ou=Applications,dc=prime,dc=ds,dc=geo,dc=com*
Now we configured LDAP ACL as follows:
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=ds,dc=geo,dc=com" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to dn.subtree="ou=People,dc=prime,dc=ds,dc=geo,dc=com" filter="(allowedService=app1)" by dn.exact="cn=app1,ou=Applications,dc=prime,dc=ds,dc=geo,dc=com" read by * break
olcAccess: {3}to dn.subtree="ou=People,dc=prime,dc=ds,dc=geo,dc=com" filter="(allowedService=app2)" by dn.exact="cn=app2,ou=Applications,dc=prime,dc=ds,dc=geo,dc=com" read by * break
olcAccess: {4}to dn.subtree="ou=People,dc=prime,dc=ds,dc=geo,dc=com" attrs="entry" by dn.sub="ou=Applications,dc=prime,dc=ds,dc=geo,dc=com" read by dn="cn=admin,dc=ds,dc=geo,dc=com" write by self read by * break
olcAccess: {5}to dn.subtree="ou=People,dc=prime,dc=ds,dc=geo,dc=com" by dn.exact="cn=app3,ou=Applications,dc=prime,dc=ds,dc=geo,dc=com" read by users read
olcAccess: {6}to dn.subtree="dc=prime,dc=ds,dc=geo,dc=com" by anonymous write
But for an application that doesn't support a filter (like SuiteCRM) we created rule *olcAccess: {5}* and bound it with the *app3* user; then the whole ACL is not working and all users can log in to all applications.
So can anyone please help us on it?
Thanks Geo
Please let me know your thoughts on this. Can anyone please help me on it?
On Thu, Dec 31, 2015 at 9:11 PM, Geo P.C. pcgeopc@gmail.com wrote:
openldap-technical@openldap.org