Dear experts,
an accessUser account used for application access has to be granted read access to member accounts of a group (groupOfNames). The list of attributes to be read by the accessUser is limited. The accessUser has to search in the limited attribute list (e.g. uid=abcd). Using OpenLDAP 2.4.49 (with configured overlay 'memberOf') we achieved this goal by configuring the following ACLs in olcAccess of olcDatabase={1}mdb,cn=config:
{0}to * by self read by anonymous auth by * break
{1}to dn.subtree="dc=example,dc=com" filter="(|(dc=example)(dc=users))" attrs="entry,Objectclass,dc" by dn.exact="cn=accessUser,dc=accessUsers,dc=example,dc=com" read by * break
{2}to dn.subtree="dc=users,dc=example,dc=com" filter="(memberOf=cn=group1,dc=groups,dc=example,dc=com)" attrs="entry,objectclass,uid,cn,displayName,telephoneNumber,ou,mail,memberOf,entryDN" by dn.exact="cn=accessUser,dc=accessUsers,dc=example,dc=com" read by * break
During migration to OpenLDAP 2.5 we eliminated the overlay 'memberOf' and replaced its functionality by the overlay 'dynlist'. As a consequence we experienced that the filter statement in ACL {2} doesn't work any longer in OpenLDAP 2.5.
Result of ldapsearch -x -W -D "cn=accessUser,dc=accessUsers,dc=example,dc=com" -b "dc=users,dc=example,dc=com" -s sub "(memberOf=cn=group1,dc=groups,dc=example,dc=com)" "entry objectclass uid cn displayName telephoneNumber ou mail memberOf entryDN" doesn't return any results although the group object contains members. We suppose that it has something to do with memberOf becoming some kind of 'virtual' attribute which may be only calculated when explicitly asked for. (Please correct this assumption if it's incorrect.)
These are the relevant parts of our configuration in OpenLDAP 2.5:

Frontend:

dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {-1}frontend
olcAccess: {0}to dn.base="" by * read
olcAccess: {1}to dn.base="cn=subschema" by * read

mdb:
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/symas/openldap-data
olcAccess: {0}to * by self read by anonymous auth by * break
olcAccess: {1}to dn.subtree="dc=example,dc=com" filter="(|(dc=example)(dc=users))" attrs="entry,Objectclass,dc" by dn.exact="cn=accessUser,dc=accessUsers,dc=example,dc=com" read by * break
olcAccess: {3}to dn.subtree="dc=users,dc=example,dc=com" filter="(|(dc=example)(dc=users))" attrs="entry,Objectclass,dc" by dn.exact="cn=accessUser,dc=accessUsers,dc=example,dc=com" read by * break
olcDbIndex: cn
olcDbIndex: default eq,sub
olcDbIndex: departmentNumber pres,eq,sub
olcDbIndex: displayName
olcDbIndex: entryCSN eq
olcDbIndex: entryUUID eq
olcDbIndex: gidNumber eq
olcDbIndex: givenName
olcDbIndex: host eq
olcDbIndex: inetUserStatus
olcDbIndex: mail eq
olcDbIndex: mailLocalAddress eq
olcDbIndex: member eq
olcDbIndex: memberOf eq
olcDbIndex: memberUid eq
olcDbIndex: objectclass eq
olcDbIndex: sn
olcDbIndex: sudoHost eq,sub
olcDbIndex: sudoUser eq,sub
olcDbIndex: uid
olcDbIndex: uidNumber eq
olcDbIndex: uniqueMember eq
olcDbMaxReaders: 126
olcDbMaxSize: 10000000000
olcReadOnly: FALSE
olcRootDN: cn=manager,dc=example,dc=com
olcRootPW:: <abcd1234>
olcSuffix: dc=example,dc=com
dn: olcOverlay={0}refint,olcDatabase={1}mdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
objectClass: top
olcOverlay: {0}refint
olcRefintAttribute: member
olcRefintNothing: cn=someone,dc=example,dc=com

dn: olcOverlay={1}ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
objectClass: top
olcOverlay: {1}ppolicy
olcPPolicyDefault: cn=passwordDefault,ou=password_policies,ou=configurations,dc=example,dc=com
olcPPolicyHashCleartext: TRUE

dn: olcOverlay={2}dynlist,olcDatabase={1}mdb,cn=config
objectClass: olcConfig
objectClass: olcDynListConfig
objectClass: olcOverlayConfig
objectClass: top
olcOverlay: {2}dynlist
olcDynListAttrSet: {0}groupOfURLs memberURL member+memberOf@groupOfNames

dn: olcOverlay={3}syncprov,olcDatabase={1}mdb,cn=config
objectClass: olcSyncProvConfig
olcOverlay: {3}syncprov
olcSpCheckpoint: 10 1
olcSpSessionlog: 20000

dn: olcOverlay={4}dds,olcDatabase={1}mdb,cn=config
objectClass: olcDDSConfig
objectClass: olcOverlayConfig
olcOverlay: {4}dds
olcDDSinterval: 1h
olcDDSmaxTtl: 10d
olcDDSminTtl: 10s
olcDDSstate: TRUE
olcDDStolerance: 5s

dn: olcOverlay={5}otp,olcDatabase={1}mdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: top
olcOverlay: {5}otp
My question now is: what is the correct ACL configuration/filter statement to ask for a user's group memberships to achieve our goal in OpenLDAP 2.5?
Any help would be greatly appreciated!
--Carsten
--On Monday, July 31, 2023 1:39 PM +0000 Carsten Jäckel carsten.jaeckel@tu-dortmund.de wrote:
> Result of ldapsearch -x -W -D "cn=accessUser,dc=accessUsers,dc=example,dc=com" -b "dc=users,dc=example,dc=com" -s sub "(memberOf=cn=group1,dc=groups,dc=example,dc=com)" "entry objectclass uid cn displayName telephoneNumber ou mail memberOf entryDN" doesn't return any results although the group object contains members. We suppose that it has something to do with memberOf becoming some kind of 'virtual' attribute which may be only calculated when explicitly asked for. (Please correct this assumption if it's incorrect.)

> My question now is: what is the correct ACL configuration/filter statement to ask for a user's group memberships to achieve our goal in OpenLDAP 2.5?
You cannot filter on a dynamic memberOf attribute in an ACL. So it would require filtering on a non-virtual attribute in the user entries.
--Quanah
openldap-technical@openldap.org
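As an added illustration of Quanah's point (not part of the thread and not configuration from either poster): the ACL filter is moved from the dynlist-computed memberOf to an attribute that is physically stored in each user entry, so slapd can evaluate it during the access check. The choice of ou as that attribute and the value group1 are assumptions; any stored attribute kept in step with the group's member list works the same way.

```ldif
# Added example, not from the thread. Assumes each member of group1
# carries a stored marker attribute, here "ou: group1" (an assumption).
# Record 1 is applied as the rootdn; record 2 via
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f this-file.ldif

# 1. Tag a member account with the stored attribute (one entry shown;
#    uid=abcd is a constructed sample entry).
dn: uid=abcd,dc=users,dc=example,dc=com
changetype: modify
add: ou
ou: group1

# 2. Insert the ACL at index {2} of the mdb database, i.e. before the
#    existing {3} rule. The filter now references a real attribute, while
#    the attrs list still lets accessUser read the dynlist-computed
#    memberOf once the entry itself is visible. Continuation lines begin
#    with two spaces: one is the LDIF fold marker, one is a real space.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {2}to dn.subtree="dc=users,dc=example,dc=com"
  filter="(ou=group1)"
  attrs="entry,objectclass,uid,cn,displayName,telephoneNumber,ou,mail,memberOf,entryDN"
  by dn.exact="cn=accessUser,dc=accessUsers,dc=example,dc=com" read
  by * break

# 3. Verify as the accessUser; non-members stay invisible:
#   ldapsearch -x -W -D "cn=accessUser,dc=accessUsers,dc=example,dc=com" \
#     -b "dc=users,dc=example,dc=com" "(ou=group1)" uid memberOf
```

Nothing derives the stored attribute from the group's member list, so provisioning must add and remove it together with the member value, and an equality index on it (olcDbIndex: ou eq) keeps the ACL filter cheap.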