I am trying to configure ACLs in such a way that users whose allowedService attribute names an application can only log in to that particular application.
We have users as follows:
dn: ou=People,dc=prime,dc=ds,dc=geo,dc=com

dn: uid=user1,ou=People,dc=prime,dc=ds,dc=geo,dc=com
uid: user1
allowedService: gitlab

dn: uid=user2,ou=People,dc=prime,dc=ds,dc=geo,dc=com
uid: user2
allowedService: zabbix

dn: uid=user3,ou=People,dc=prime,dc=ds,dc=geo,dc=com
objectClass: top
uid: user3
allowedService: zabbix
We created a user as follows:
dn: cn=gitlab,ou=Applications,ou=Groups,dc=prime,dc=ds,dc=geo,dc=com
cn: gitlab
uid: gitlab
Now in the application we gave the details as follows:

gitlab configuration
base: ou=People,dc=prime,dc=ds,dc=geo,dc=com
uid: uid
bind_dn: cn=gitlab,ou=Applications,ou=Groups,dc=prime,dc=ds,dc=geo,dc=com
password: password
Now in the ACL we tried various options as follows:
root@geopc:/# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(olcDatabase={1}hdb)' olcAccess
dn: olcDatabase={1}hdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=ds,dc=geo,dc=com" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to dn.subtree="ou=Applications,ou=Groups,dc=prime,dc=ds,dc=geo,dc=com" by self write by * write
olcAccess: {3}to dn.subtree="ou=People,dc=prime,dc=ds,dc=geo,dc=com" by self write by * auth
olcAccess: {4}to dn.subtree="ou=People,dc=prime,dc=ds,dc=geo,dc=com" filter="(allowedService=gitlab)" by dn.exact="cn=gitlab,ou=Applications,ou=Groups,dc=prime,dc=ds,dc=geo,dc=com" write by self write
But with this no user is able to log in. If we change olcAccess {3} to: to dn.subtree="ou=People,dc=prime,dc=ds,dc=geo,dc=com" by self write by * write, then all users can log in.
But what we actually need is that only user1 can log in to the gitlab application, and users user2 and user3 can only log in to the zabbix application.
Can anyone please help me configure the ACL for this? Thanks in advance.
Thanks Geo
Geo,
Geo P.C. wrote (14.05.2013 16:05):
But with this no user is able to log in. If we change olcAccess {3} to: to dn.subtree="ou=People,dc=prime,dc=ds,dc=geo,dc=com" by self write by * write, then all users can log in.
But what we actually need is that only user1 can log in to the gitlab application, and users user2 and user3 can only log in to the zabbix application.
Can anyone please help me configure the ACL for this? Thanks in advance.
First: you should read "man slapd.access" carefully.
Second: a) Try to understand what your application wants to do and b) try to reproduce this with standard ldap tools like ldapsearch.
Point a) can be done by observing the slapd log for actions taken by your application, or by reading the documentation of your application. What usually happens is:
- App binds with binddn (does this work?)
- bind user searches for a given uid under basedn (does this work?)
=> reproduce with ldapsearch -D -w -x -b ...
- If the user is found by the search, App will bind as the user with the found dn. (does this work?)
=> reproduce with ldapsearch -D -w -x ...
After you know what really does happen, set the ACLs accordingly. Test again.
Marc
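The three steps Marc lists explain the symptom Geo reported: with {3} ahead of {4}, the gitlab bind DN only ever gets auth on ou=People (slapd stops at the first rule whose "to" clause matches the entry), so the search in step 2 finds nothing. The evaluator below is an added example, not code from the thread or from OpenLDAP; it models only first-match rule selection for dn.subtree plus an equality filter, and the reordered ACL in it is a suggested shape (filtered rule first, read rather than write for the application DN), not the fix Geo eventually applied, which the thread does not show.

```python
# Added example, not from the thread: a toy model of slapd's first-match ACL
# evaluation (see slapd.access(5)), enough to show why the posted olcAccess {3}
# shadows {4} for the gitlab bind DN. DNs/attributes are the thread's own.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]
APP = "cn=gitlab,ou=Applications,ou=Groups,dc=prime,dc=ds,dc=geo,dc=com"
PEOPLE = "ou=People,dc=prime,dc=ds,dc=geo,dc=com"
ENTRIES = {  # the People entries Geo posted (only the attributes that matter)
    f"uid=user1,{PEOPLE}": {"uid": "user1", "allowedService": "gitlab"},
    f"uid=user2,{PEOPLE}": {"uid": "user2", "allowedService": "zabbix"},
}
def matches(rule, dn, entry):
    """<what> clause: dn.subtree plus an optional (attr=value) filter."""
    if not dn.endswith(rule["subtree"]):
        return False
    if "filter" in rule:
        attr, value = rule["filter"].strip("()").split("=", 1)
        return entry.get(attr) == value
    return True

def who_level(rule, bind_dn, dn):
    """<who> clauses are tried in order; no match means the implicit 'none'."""
    for who, level in rule["by"]:
        if who == "*" or who == bind_dn or (who == "self" and bind_dn == dn):
            return level
    return "none"

def access(acl, bind_dn, dn):
    """The first rule whose <what> matches decides; later rules are ignored."""
    for rule in acl:
        if matches(rule, dn, ENTRIES[dn]):
            return who_level(rule, bind_dn, dn)
    return "none"

def can(level, needed):
    return LEVELS.index(level) >= LEVELS.index(needed)
# {3} and {4} exactly as posted ({0}-{2} never match a People entry).
POSTED = [
    {"subtree": PEOPLE, "by": [("self", "write"), ("*", "auth")]},
    {"subtree": PEOPLE, "filter": "(allowedService=gitlab)",
     "by": [(APP, "write"), ("self", "write")]},
]
# Suggested order: filtered rule first, and read (not write) for the app DN.
REORDERED = [
    {"subtree": PEOPLE, "filter": "(allowedService=gitlab)",
     "by": [(APP, "read"), ("self", "write"), ("*", "auth")]},
    {"subtree": PEOPLE, "by": [("self", "write"), ("*", "auth")]},
]
def app_can_find(acl, uid):
    """Marc's step 2: the app's search needs read access on the user entry."""
    return can(access(acl, APP, f"uid={uid},{PEOPLE}"), "read")
```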
Dear Marc
Thanks for your update. We are able to fix the issue.
Geo
Thanks & Regards
Geo P.C.
www.geopc.co.cc
On Tue, May 14, 2013 at 9:13 PM, Marc Patermann <hans.moser@ofd-z.niedersachsen.de> wrote:
openldap-technical@openldap.org