OpenLDAP Upgrade from OpenLDAP 2.1 to 2.4 - ACL Issues
- To: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
- Subject: OpenLDAP Upgrade from OpenLDAP 2.1 to 2.4 - ACL Issues
- From: "Madden, Joe" <Joe.Madden@mottmac.com>
- Date: Tue, 9 Aug 2016 13:54:58 +0000
Hi List,
Hoping someone can help us out with our ACL problems post upgrading on our test system.
We've upgraded from OpenLDAP 2.1 to 2.4 with success. The directory is fine and the ACLs below work as expected, minus the line [by dnattr=uniqueMember read].
Please see our ACLs below:
# Allow a user to update their password
access to attrs=userPassword
    by dn="uid=support,ou=users,dc=oursystem,dc=co,dc=uk" write
    by dn="uid=backup,ou=users,dc=oursystem,dc=co,dc=uk" write
    by self write
    by * auth

# Allow write and read access to the applications tree for specific users
# Normal users will only be able to see what they are a member of
access to dn.subtree="ou=applications,dc=oursystem,dc=co,dc=uk"
    by dn="uid=root,dc=oursystem,dc=co,dc=uk" write
    by dn="uid=support,ou=users,dc=oursystem,dc=co,dc=uk" write
    by dn="uid=backup,ou=users,dc=oursystem,dc=co,dc=uk" write
    by dn="uid=tomcat, ou=users,dc=oursystem,dc=co,dc=uk" read
    by dn="uid=apache, ou=users,dc=oursystem,dc=co,dc=uk" read
    by dnattr=uniqueMember read

# Allow write and read access to the users tree for specific users
# Normal users will only be able to see their own node
access to dn.subtree="ou=users,dc=oursystem,dc=co,dc=uk"
    by dn="uid=root,dc=oursystem,dc=co,dc=uk" write
    by dn="uid=support,ou=users,dc=oursystem,dc=co,dc=uk" write
    by dn="uid=backup,ou=users,dc=oursystem,dc=co,dc=uk" write
    by dn="uid=apache,ou=users,dc=oursystem,dc=co,dc=uk" read
    by self write

# Allow write and read access for specific users
# Normal users will only be able to see their own node
access to dn.subtree="dc=oursystem,dc=co,dc=uk"
    by dn="uid=root,dc=oursystem,dc=co,dc=uk" write
    by dn="uid=support,ou=users,dc=oursystem,dc=co,dc=uk" write
    by dn="uid=backup,ou=users,dc=oursystem,dc=co,dc=uk" write
    by dn="uid=apache, ou=users,dc=oursystem,dc=co,dc=uk" read
    by self read
The apache, tomcat, root and support users work as expected and can access their respective accounts. We have a number of unique members who are members of DNs under dc=oursystem,dc=co,dc=uk. For example:
DN: cn=online_application_1,ou=our_online_application_1,ou=applications,dc=oursystem,dc=co,dc=uk
We have a uniqueMember attribute which contains the DN for users. For example:
uid=user1,ou=users,dc=oursystem,dc=co,dc=uk
As I understand it, by dnattr=uniqueMember read on OpenLDAP 2.1 allowed the user to log in to the LDAP server and search the DNs under ou=applications,dc=oursystem,dc=co,dc=uk for a uniqueMember which contained their own DN.
This worked and our applications authenticated on OpenLDAP 2.1.
Since upgrading to 2.4 this ACL does not work in this way, and I suspect it's by dnattr=uniqueMember read which is the problem. Does anyone have any help to offer on how to proceed? Is there a better way to do the ACL in question?
Thanks
Joe
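As an added illustration (not from the post above or from OpenLDAP itself), a small Python model of how slapd 2.4 evaluates the three entry-level ACLs quoted in the post against constructed sample entries: the first matching access-to clause is the only one consulted, and within it the first matching by clause decides. It shows user1 getting read on an application entry whose uniqueMember lists user1, but no access at all on the ou=applications entry itself.

```python
# Added model (not slapd itself) of how OpenLDAP 2.4 evaluates the ACLs in the
# post: the first "access to" clause whose target matches the entry is the only
# one consulted; inside it the first matching "by" clause decides; no match = none.
import re

BASE = "dc=oursystem,dc=co,dc=uk"

def norm(dn):
    return re.sub(r",\s*", ",", dn.strip().lower())  # slapd-like: lower-case, no blanks after commas

def in_subtree(dn, base):
    dn, base = norm(dn), norm(base)
    return dn == base or dn.endswith("," + base)

# The three entry-level clauses from the post, in slapd.conf order (the
# attrs=userPassword clause is omitted: only whole-entry access is modelled).
PRIV = [("uid=root," + BASE, "write"), ("uid=support,ou=users," + BASE, "write"),
        ("uid=backup,ou=users," + BASE, "write")]
APACHE = ("uid=apache,ou=users," + BASE, "read")
ACLS = [
    ("ou=applications," + BASE,
     PRIV + [("uid=tomcat,ou=users," + BASE, "read"), APACHE, ("dnattr=uniqueMember", "read")]),
    ("ou=users," + BASE, PRIV + [APACHE, ("self", "write")]),
    (BASE, PRIV + [APACHE, ("self", "read")]),
]

def access(bound_dn, entry):
    """Access level bound_dn gets on entry, given as {"dn": ..., "<attr>": [values]}."""
    bound = norm(bound_dn)
    for target, by_clauses in ACLS:
        if not in_subtree(entry["dn"], target):
            continue
        for who, level in by_clauses:
            if who == "self":
                matched = bound == norm(entry["dn"])
            elif who.startswith("dnattr="):  # entry's own attribute lists the bound DN
                attr = who.split("=", 1)[1].lower()
                matched = bound in {norm(v) for v in entry.get(attr, [])}
            else:                            # by dn="...": exact match after normalisation
                matched = bound == norm(who)
            if matched:
                return level
        return "none"  # target matched but no "by" clause did: implicit "by * none"
    return "none"

# Constructed sample entries; attribute names are stored lower-case.
APP_OU = {"dn": "ou=applications," + BASE}
APP = {"dn": "cn=online_application_1,ou=our_online_application_1,ou=applications," + BASE,
       "uniquemember": ["uid=user1,ou=users," + BASE]}
USER1 = {"dn": "uid=user1,ou=users," + BASE}
```

Because slapd 2.4 requires search access to the entry pseudo-attribute of the search base before it will walk a subtree, a result of none on ou=applications for such users is worth confirming against the real configuration with slapacl(8) rather than by assumption.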