
ACL rule: getting crazy with it.



Hi All,

I have Jasig CAS connected to OpenLDAP for user authentication.

My LDAP Schema is the following:

dc=com
    dc=companyA,dc=com
         ou=user,dc=companyA,dc=com
    dc=companyB,dc=com
          ou=user,dc=companyB,dc=com

I would like to give a specific user (cn=admin,ou=user,dc=companyB,dc=com)
the ability to create inetOrgPerson objects under ou=user,dc=companyA,dc=com,
and to restrict that user to search-only access to ou=user,dc=companyB,dc=com, where some attributes (such as userPassword) should actually be hidden.

I tried several ACLs, but always with one strange problem: a user is able to log in via CAS. Then he/she logs out, and if a different account is tried, LDAP returns DN_RESOLUTION_FAILURE.

That issue is occurring even with a simple ACL such as:

access to *
        by self write
        by anonymous auth
        by users search

The only way to work around that issue is removing any ACL or leaving "by users read".

As DN bind I'm using dc=com.

Any suggestion? I cannot tell whether to focus on CAS for this issue, or on the LDAP ACL side.

Thanks a LOT for the support!

Simone
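One ACL set that expresses the requirements described above, added here as an example (not from the original post or any reply), in slapd.conf-style syntax for OpenLDAP 2.4. It assumes CAS binds as dc=com (as stated in the post) and then searches for the user's entry; the `=w` write-only grant on userPassword for the companyB admin and the trailing `by users read` on the rest of the tree are my assumptions, not requirements from the post.

```conf
# Attribute-specific rules must come before the subtree rules, otherwise the
# first matching "access to" would also govern userPassword.

# userPassword under companyA: the owner may change it, the companyB admin may
# set it (write-only, "=w", so it can be assigned on a new inetOrgPerson but
# never read back), binds may use it, nobody else sees it.
access to dn.subtree="ou=user,dc=companyA,dc=com" attrs=userPassword
        by self write
        by dn.exact="cn=admin,ou=user,dc=companyB,dc=com" =w
        by anonymous auth
        by * none

# userPassword everywhere else (including companyB): hidden from everyone but
# the owner; the companyB admin cannot read the hashes of companyB users.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# companyA user container: "write" on the container grants the admin write on
# the "children" pseudo-attribute, which is what an add below it requires.
# The CAS bind identity needs "read" (not just "search"): an entry is only
# returned in search results when the caller has read on its "entry"
# pseudo-attribute.
access to dn.subtree="ou=user,dc=companyA,dc=com"
        by dn.exact="cn=admin,ou=user,dc=companyB,dc=com" write
        by dn.exact="dc=com" read
        by self write
        by users search

# companyB user container: the admin gets search only (filters match, but no
# attribute values and no entries are returned), like every other user.
access to dn.subtree="ou=user,dc=companyB,dc=com"
        by dn.exact="dc=com" read
        by self write
        by users search

# Suffix and ou entries: readable by authenticated users so a search based at
# dc=com can descend through dc=companyA / dc=companyB; anonymous may only bind.
access to *
        by users read
        by anonymous auth
```

With "by users search" alone, a search returns no entries at all, because search access does not include read on the entry pseudo-attribute; the bind identity that resolves user DNs therefore needs at least read on the user containers.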