
LDAP ACL for restricting applications with same user dn

Currently we need to configure group-based LDAP login for our custom applications. We have applications named app1, app2, etc.

To restrict users to logging in to a particular application, e.g. app1, that user should have an attribute named allowedService = app1; to log in to app2 the user needs allowedService = app2.

So we created the users in that way.

Now, for binding the applications to LDAP, we created users like


Now we configured the LDAP ACL as follows:

    olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=ds,dc=geo,dc=com" write by * none
    olcAccess: {1}to dn.base="" by * read
    olcAccess: {2}to dn.subtree="ou=People,dc=prime,dc=ds,dc=geo,dc=com" filter="(allowedService=app1)" by dn.exact="cn=app1,ou=Applications,dc=prime,dc=ds,dc=geo,dc=com" read by * break
    olcAccess: {3}to dn.subtree="ou=People,dc=prime,dc=ds,dc=geo,dc=com" filter="(allowedService=app2)" by dn.exact="cn=app2,ou=Applications,dc=prime,dc=ds,dc=geo,dc=com" read by * break
    olcAccess: {4}to dn.subtree="ou=People,dc=prime,dc=ds,dc=geo,dc=com" attrs="entry" by dn.sub="ou=Applications,dc=prime,dc=ds,dc=geo,dc=com" read by dn="cn=admin,dc=ds,dc=geo,dc=com" write by self read by * break
    olcAccess: {5}to dn.subtree="ou=People,dc=prime,dc=ds,dc=geo,dc=com" by dn.exact="cn=app3,ou=Applications,dc=prime,dc=ds,dc=geo,dc=com" read by users read
    olcAccess: {6}to dn.subtree="dc=prime,dc=ds,dc=geo,dc=com" by anonymous write

But for any application that doesn't support a filter (like SuiteCRM) we created rule olcAccess: {5} and bind it with the app3 user, but then the whole ACL is not working and all users can log in to all applications.

So can anyone please help us with it?
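The following is an added illustration, not part of the post above and not slapd code: a toy model of how slapd walks a list of olcAccess directives (first directive whose target matches the entry and attribute is used, the first matching `by` clause in it decides, `break` hands evaluation on to the next directive, and a directive with no matching `by` clause denies). The directives are transcribed from the post; the entries `uid=alice` / `uid=bob`, the bind DNs `cn=app1` / `cn=app2`, and the `post_acl` / `access_allowed` helpers are constructed for the example. It assumes a plain `dn=` clause means an exact match, and it ignores sets, regex styles, `+`/`-` privilege arithmetic and the `children` pseudo-attribute.

```python
# Toy model of slapd olcAccess evaluation (added example, not slapd itself).
# Ordering rule: first matching <what>, then first matching <by>; 'break'
# continues with the next directive; a matched directive with no matching
# <by> clause behaves like an implicit 'by * none'.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

BASE = "dc=prime,dc=ds,dc=geo,dc=com"
PEOPLE = "ou=People," + BASE
APPS = "ou=Applications," + BASE
ADMIN = "cn=admin,dc=ds,dc=geo,dc=com"      # admin DN as written in the post's ACL

def is_under(dn, base):
    """dn.subtree semantics: the base itself or anything below it."""
    return dn == base or dn.endswith("," + base)

def who_matches(who, requester, entry_dn):
    """<who> forms used in the post; plain dn= treated as exact (assumption)."""
    kind, arg = who
    if kind == "*":
        return True
    if kind == "anonymous":
        return requester is None
    if kind == "users":
        return requester is not None
    if kind == "self":
        return requester == entry_dn
    if kind in ("dn", "dn.exact"):
        return requester == arg
    if kind == "dn.sub":
        return requester is not None and is_under(requester, arg)
    raise ValueError(kind)

def what_matches(rule, entry, attr):
    """<what>: optional dn.subtree, filter="(attr=value)" and attrs= list."""
    if rule.get("subtree") and not is_under(entry["dn"], rule["subtree"]):
        return False
    flt = rule.get("filter")
    if flt and flt[1] not in entry["attrs"].get(flt[0], []):
        return False
    attrs = rule.get("attrs")
    if attrs is not None and attr not in attrs:
        return False
    return True

def access_allowed(rules, requester, entry, attr, wanted="read"):
    """True if `requester` (None = anonymous) gets at least `wanted` on entry/attr."""
    granted = "none"                    # level a 'break' clause leaves behind
    for rule in rules:
        if not what_matches(rule, entry, attr):
            continue
        for who, level, control in rule["by"]:
            if not who_matches(who, requester, entry["dn"]):
                continue
            granted = level
            if control == "break":
                break                   # leave this directive, try the next one
            return LEVELS.index(granted) >= LEVELS.index(wanted)
        else:
            return False                # directive matched, no <by> matched
    return LEVELS.index(granted) >= LEVELS.index(wanted)

# <by> lists for directive {5}: as posted, and a constructed variant without
# the blanket 'by users read' (example only, not a recommendation from the post).
RULE5_AS_POSTED = [(("dn.exact", "cn=app3," + APPS), "read", "stop"),
                   (("users", None), "read", "stop")]
RULE5_HARDENED = [(("dn.exact", "cn=app3," + APPS), "read", "stop"),
                  (("self", None), "read", "stop")]

def post_acl(rule5_by):
    """Directives {0}..{6} from the post; {1} (root DSE only) is left out."""
    brk = (("*", None), "none", "break")
    return [
        {"subtree": None, "attrs": {"userPassword", "shadowLastChange"},
         "by": [(("self", None), "write", "stop"), (("anonymous", None), "auth", "stop"),
                (("dn", ADMIN), "write", "stop"), (("*", None), "none", "stop")]},
        {"subtree": PEOPLE, "filter": ("allowedService", "app1"),
         "by": [(("dn.exact", "cn=app1," + APPS), "read", "stop"), brk]},
        {"subtree": PEOPLE, "filter": ("allowedService", "app2"),
         "by": [(("dn.exact", "cn=app2," + APPS), "read", "stop"), brk]},
        {"subtree": PEOPLE, "attrs": {"entry"},
         "by": [(("dn.sub", APPS), "read", "stop"), (("dn", ADMIN), "write", "stop"),
                (("self", None), "read", "stop"), brk]},
        {"subtree": PEOPLE, "by": rule5_by},
        {"subtree": BASE, "by": [(("anonymous", None), "write", "stop")]},
    ]

# Constructed sample entries and bind DNs.
ALICE = {"dn": "uid=alice," + PEOPLE, "attrs": {"allowedService": ["app1"]}}
BOB = {"dn": "uid=bob," + PEOPLE, "attrs": {"allowedService": ["app2"]}}
APP1, APP2 = "cn=app1," + APPS, "cn=app2," + APPS

if __name__ == "__main__":
    for label, by in (("as posted", RULE5_AS_POSTED), ("hardened {5}", RULE5_HARDENED)):
        acl = post_acl(by)
        print(label, "app1 -> bob(app2):",
              access_allowed(acl, APP1, BOB, "allowedService"))
```

Walking the rules this way shows why the app1 bind still reaches users tagged app2: directive {3} does not match the app1 DN, so `by * break` moves on, {4} only covers the `entry` pseudo-attribute, and {5} then matches with `by users read`, which any authenticated bind satisfies. The variant without that clause stops app1 at {5} with no matching `by`. The model also surfaces that {6} grants anonymous `write` to everything outside ou=People, because only the ou=People directives stop before it. Against a real server, the same questions are answered by the slapacl(8) tool, which evaluates the live access configuration for a given bind DN, entry and attribute.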