
Help with ACL to allow member of groupOfNames to read their entry



I am using OpenLDAP 2.4.23 on CentOS 6 and trying to set up ACLs to allow simpleSecurityObjects who are members of a groupOfNames to read their entry (but not write) and ideally not see other member attributes in that same groupOfNames.  These simpleSecurityObjects exist in various OUs and reside in the same OU as the groupOfNames that they require access to.

I'm using the memberOf overlay to maintain memberOf attributes within each simpleSecurityObject (which works well).


Sample simpleSecurityObject and groupOfNames:

dn: uid=josh,ou=first string,dc=example,dc=com
objectClass: account
objectClass: simpleSecurityObject
objectClass: top
uid: josh

dn: cn=group1,ou=first string,dc=example,dc=com
objectClass: groupOfNames
cn: group1
member: uid=josh,ou=first string,dc=example,dc=com


Here is what I have so far for ACLs:

dn: olcDatabase={1}bdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword
  by anonymous auth
  by self write
  by group.exact="cn=ol-admins,ou=groups,dc=example,dc=com" write
  by * none
-
add: olcAccess
olcAccess: {1}to dn.subtree="ou=power users,dc=example,dc=com"
  by anonymous auth
  by self write
  by group.exact="cn=ol-admins,ou=groups,dc=example,dc=com" write
  by dn.exact="uid=power users admin,ou=service accounts,dc=example,dc=com" write
  by dn.exact="uid=power users readonly,ou=service accounts,dc=example,dc=com" read
  by dn.exact="uid=global-ro,ou=service accounts,dc=example,dc=com" read
  by users search
  by * none
-
add: olcAccess
olcAccess: {2}to dn.subtree="ou=third string,dc=example,dc=com"
  by self write
  by anonymous auth
  by group.exact="cn=ol-admins,ou=groups,dc=example,dc=com" write
  by dn.exact="uid=third string admin,ou=service accounts,dc=example,dc=com" write
  by dn.exact="uid=third string readonly,ou=service accounts,dc=example,dc=com" read
  by dn.exact="uid=global-ro,ou=service accounts,dc=example,dc=com" read
  by users search
  by * none
-
add: olcAccess
olcAccess: {3}to dn.subtree="ou=second string,dc=example,dc=com"
  by self write
  by anonymous auth
  by group.exact="cn=ol-admins,ou=groups,dc=example,dc=com" write
  by dn.exact="uid=second string admin,ou=service accounts,dc=example,dc=com" write
  by dn.exact="uid=second string readonly,ou=service accounts,dc=example,dc=com" read
  by dn.exact="uid=global-ro,ou=service accounts,dc=example,dc=com" read
  by users search
  by * none
-
add: olcAccess
olcAccess: {4}to dn.subtree="ou=first string,dc=example,dc=com"
  by self write
  by anonymous auth
  by group.exact="cn=ol-admins,ou=groups,dc=example,dc=com" write
  by dn.exact="uid=first string admin,ou=service accounts,dc=example,dc=com" write
  by dn.exact="uid=first string readonly,ou=service accounts,dc=example,dc=com" read
  by dn.exact="uid=global-ro,ou=service accounts,dc=example,dc=com" read
  by users search
  by * none
-
add: olcAccess
olcAccess: {5}to dn.subtree="ou=fourth string,dc=example,dc=com"
  by self write
  by anonymous auth
  by group.exact="cn=ol-admins,ou=groups,dc=example,dc=com" write
  by dn.exact="uid=fourth string admin,ou=service accounts,dc=example,dc=com" write
  by dn.exact="uid=fourth string readonly,ou=service accounts,dc=example,dc=com" read
  by dn.exact="uid=global-ro,ou=service accounts,dc=example,dc=com" read
  by users search
  by * none
-
add: olcAccess
olcAccess: {6}to *
  by self write
  by anonymous auth
  by group.exact="cn=ol-admins,ou=groups,dc=example,dc=com" write
  by dn.exact="uid=global-ro,ou=service accounts,dc=example,dc=com" read
  by dn.exact="uid=readonly,ou=people,dc=example,dc=com" read
  by * none



I've tried placing the following ACL in various places in the list and it has failed to work each time:

(re:  http://www.openldap.org/doc/admin24/access-control.html)

olcAccess: to attrs=member,entry
  by dnattr=member selfwrite
  by group.exact="cn=ol-admins,ou=groups,dc=example,dc=com" write
  by dn.exact="uid=global-ro,ou=service accounts,dc=example,dc=com" read  
  by dn.exact="uid=readonly,ou=people,dc=example,dc=com" read
  by * none



Any assistance would be greatly appreciated.

Thanks,
Josh
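An added example, not from the post above and not OpenLDAP's own code: a small Python model of how slapd walks olcAccess directives, so the effect of where the extra directive lands can be checked offline. It follows the two rules that decide the outcome here: the first `to` clause whose target and attribute list match the request wins (later directives are never consulted for that entry/attribute), and inside it the first matching `by` clause wins, with an implicit `by * none` at the end; reading or comparing an attribute also requires the same level on the `entry` pseudo-attribute. The model loads the message's {0}, {4} and {6} directives (the per-OU service accounts and the other OU subtrees are left out, they are shaped alike), the attempted `attrs=member,entry` directive at both ends of the list, and one possible replacement placed before the subtree rule. Assumptions, all labelled in the code: a second user `uid=bob` who is not a member, an admin DN `uid=admin1,ou=people`, the simplified `selfwrite` behaviour (it only matches a request whose value is the subject's own DN), and the replacement directives themselves, which are one design and not something the post or the admin guide prescribes.

```python
"""Toy model of slapd ACL evaluation (added example, not from the post). First matching
`to` wins; inside it the first matching `by` wins, with an implicit `by * none` last.
Access to an attribute also needs the same level on the `entry` pseudo-attribute.
Not modelled: regex/expand, sets, val=, break/continue. Assumption: `selfwrite` only
matches a request whose value is the subject's own DN; anything else falls through."""
from dataclasses import dataclass, field

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
rank, norm = LEVELS.index, str.lower          # norm stands in for slapd DN normalisation

FIRST_STRING = "ou=first string,dc=example,dc=com"
JOSH, BOB = "uid=josh," + FIRST_STRING, "uid=bob," + FIRST_STRING  # bob: assumed non-member
GROUP1, ADMINS = "cn=group1," + FIRST_STRING, "cn=ol-admins,ou=groups,dc=example,dc=com"
DIRECTORY = {  # constructed from the DNs in the post; attribute values simplified
    JOSH: {"objectClass": ["account", "simpleSecurityObject", "top"], "uid": ["josh"]},
    BOB: {"objectClass": ["account", "simpleSecurityObject", "top"], "uid": ["bob"]},
    GROUP1: {"objectClass": ["groupOfNames"], "cn": ["group1"], "member": [JOSH]},
    ADMINS: {"objectClass": ["groupOfNames"], "member": ["uid=admin1,ou=people,dc=example,dc=com"]},
}

@dataclass
class To:                     # one `access to <what> by <who> <level> ...` directive
    dn: str = None            # None: any entry; otherwise dn.subtree=<dn>
    objectclass: str = None   # stand-in for filter=(objectClass=<x>)
    attrs: set = None         # None: every attribute, including entry/children
    bys: list = field(default_factory=list)   # ordered (who, level) pairs

    def matches(self, dn, attr, entry):
        if self.dn and norm(dn) != norm(self.dn) and not norm(dn).endswith("," + norm(self.dn)):
            return False
        if self.objectclass and self.objectclass not in entry.get("objectClass", []):
            return False
        return self.attrs is None or attr in self.attrs

def who_matches(who, subject, dn, entry):
    if who == "*" or who == "anonymous":
        return who == "*" or subject is None
    if subject is None:
        return False
    kind, _, arg = who.partition("=")
    return {"users": lambda: True,
            "self": lambda: norm(subject) == norm(dn),
            "dn.exact": lambda: norm(subject) == norm(arg),
            "dnattr": lambda: norm(subject) in map(norm, entry.get(arg, [])),  # listed in entry's attr
            "group.exact": lambda: norm(subject) in map(norm, DIRECTORY[arg]["member"])}[kind]()

def access(acls, subject, dn, attr, value=None):
    """Level `subject` gets on `attr` of entry `dn` (`value` only matters for selfwrite)."""
    entry = DIRECTORY[dn]
    for to in (t for t in acls if t.matches(dn, attr, entry)):   # first matching <what>
        for who, level in to.bys:                                 # first matching <who>
            if not who_matches(who, subject, dn, entry):
                continue
            if level != "selfwrite":
                return level
            if value is not None and subject and norm(value) == norm(subject):
                return "write"
        return "none"                                             # implicit `by * none`
    return "none"   # no directive matched (moot here: the post ends with a catch-all `to *`)

def can(acls, subject, dn, attr, level, value=None):
    """True when `subject` holds `level` on both `attr` and the `entry` pseudo-attribute."""
    return (rank(access(acls, subject, dn, attr, value)) >= rank(level)
            and rank(access(acls, subject, dn, "entry")) >= rank(level))
ADMIN, GLOBAL_RO = "group.exact=" + ADMINS, "dn.exact=uid=global-ro,ou=service accounts,dc=example,dc=com"
# The post's {0}, {4} and {6} directives (the per-OU service accounts and other OUs are omitted).
POSTED = [
    To(attrs={"userPassword"}, bys=[("anonymous", "auth"), ("self", "write"), (ADMIN, "write")]),
    To(dn=FIRST_STRING, bys=[("self", "write"), ("anonymous", "auth"), (ADMIN, "write"),
                             (GLOBAL_RO, "read"), ("users", "search")]),
    To(bys=[("self", "write"), ("anonymous", "auth"), (ADMIN, "write"), (GLOBAL_RO, "read")]),
]
ATTEMPTED = To(attrs={"member", "entry"},   # the directive the post tried, at either end of the list
               bys=[("dnattr=member", "selfwrite"), (ADMIN, "write"), (GLOBAL_RO, "read")])
ATTEMPTED_FIRST, ATTEMPTED_LAST = [ATTEMPTED] + POSTED, POSTED + [ATTEMPTED]

# One possible replacement (an assumption, not from the post): two directives inserted before
# the ou=first string subtree rule and scoped to groupOfNames entries. Members get read on the
# group entry itself but only compare on `member`, so they can confirm their own membership
# without listing anyone else's. The same two directives as cn=config LDIF:
#   olcAccess: {4}to dn.subtree="ou=first string,dc=example,dc=com"
#     filter=(objectClass=groupOfNames) attrs=entry,cn,objectClass
#     by dnattr=member read
#     by group.exact="cn=ol-admins,ou=groups,dc=example,dc=com" write
#     by dn.exact="uid=global-ro,ou=service accounts,dc=example,dc=com" read
#     by users search
#     by * none
#   olcAccess: {5}to dn.subtree="ou=first string,dc=example,dc=com"
#     filter=(objectClass=groupOfNames) attrs=member
#     by dnattr=member compare
#     by group.exact="cn=ol-admins,ou=groups,dc=example,dc=com" write
#     by dn.exact="uid=global-ro,ou=service accounts,dc=example,dc=com" read
#     by * none
FIXED = POSTED[:1] + [
    To(dn=FIRST_STRING, objectclass="groupOfNames", attrs={"entry", "cn", "objectClass"},
       bys=[("dnattr=member", "read"), (ADMIN, "write"), (GLOBAL_RO, "read"), ("users", "search")]),
    To(dn=FIRST_STRING, objectclass="groupOfNames", attrs={"member"},
       bys=[("dnattr=member", "compare"), (ADMIN, "write"), (GLOBAL_RO, "read")]),
] + POSTED[1:]
```

What the model shows: with the posted list, `can(POSTED, JOSH, GROUP1, "cn", "read")` is false because the {4} subtree directive matches the group entry first and only gives `users search`; appending the attempted directive after it changes nothing for entries under `ou=first string`, since {4} has already matched; putting it in front of everything makes `can(ATTEMPTED_FIRST, JOSH, JOSH, "uid", "read")` false too, because its `entry` attribute now ends in `by * none` for every authenticated user who is not an admin, a read-only account or a member of that entry. With the two inserted directives, `can(FIXED, JOSH, GROUP1, "cn", "read")` and `can(FIXED, JOSH, GROUP1, "member", "compare")` hold while `can(FIXED, JOSH, GROUP1, "member", "read")` does not, and `uid=bob` keeps only search. Inserting with `{4}` and `{5}` in a cn=config modify shifts the existing {4} and {5} down rather than overwriting them. Against the real server the same questions can be put to `slapacl`, for example `slapacl -F /etc/openldap/slapd.d -D "uid=josh,ou=first string,dc=example,dc=com" -b "cn=group1,ou=first string,dc=example,dc=com" member/read`, which evaluates the loaded ACLs without going through a bind.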