Dear experts,

An accessUser account used for application access has to be granted read access 
to member accounts of a group (groupOfNames). The list of attributes to be read 
by the accessUser is limited. 
The accessUser has to search in the limited attribute list (e.g. uid=abcd).
Using OpenLDAP 2.4.49 (with the overlay 'memberOf' configured) we achieved this 
goal by configuring the following ACLs in olcAccess of 
olcDatabase={1}mdb,cn=config:

{0}to * by self read by anonymous auth by * break
{1}to dn.subtree="dc=example,dc=com" filter="(|(dc=example)(dc=users))" 
attrs="entry,Objectclass,dc" by 
dn.exact="cn=accessUser,dc=accessUsers,dc=example,dc=com" read by * break
{2}to dn.subtree="dc=users,dc=example,dc=com" 
filter="(memberOf=cn=group1,dc=groups,dc=example,dc=com)" 
attrs="entry,objectclass,uid,cn,displayName,telephoneNumber,ou,mail,memberOf,entryDN"
 by dn.exact="cn=accessUser,dc=accessUsers,dc=example,dc=com" read by * break

During migration to OpenLDAP 2.5 we eliminated the overlay 'memberOf' and 
replaced its functionality by the overlay 'dynlist'.
As a consequence, the filter statement in ACL {2} no longer works in 
OpenLDAP 2.5. 

Result of 
ldapsearch -x -W -D "cn=accessUser,dc=accessUsers,dc=example,dc=com" -b 
"dc=users,dc=example,dc=com" -s sub 
"(memberOf=cn=group1,dc=groups,dc=example,dc=com)" "entry objectclass uid cn 
displayName telephoneNumber ou mail memberOf entryDN" 
doesn't return any results although the group object contains members.
We suppose that it has something to do with memberOf becoming some kind of 
'virtual' attribute which may only be calculated when explicitly asked for. 
(Please correct this assumption if it's incorrect.)

These are the relevant parts of our configuration in OpenLDAP 2.5:
Frontend:

dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {-1}frontend
olcAccess: {0}to dn.base="" by * read
olcAccess: {1}to dn.base="cn=subschema"  by * read

mdb:

dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/symas/openldap-data
olcAccess: {0}to * by self read by anonymous auth by * break
olcAccess: {1}to dn.subtree="dc=example,dc=com" filter="(|(dc=example)(dc=us
 ers))" attrs="entry,Objectclass,dc" by dn.exact="cn=accessUser,dc=accessUse
 rs,dc=example,dc=com" read by * break
olcAccess: {3}to dn.subtree="dc=users,dc=example,dc=com" filter="(|(dc=examp
 le)(dc=users))" attrs="entry,Objectclass,dc" by dn.exact="cn=accessUser,dc=
 accessUsers,dc=example,dc=com" read by * break
olcDbIndex: cn
olcDbIndex: default eq,sub
olcDbIndex: departmentNumber pres,eq,sub
olcDbIndex: displayName
olcDbIndex: entryCSN eq
olcDbIndex: entryUUID eq
olcDbIndex: gidNumber eq
olcDbIndex: givenName
olcDbIndex: host eq
olcDbIndex: inetUserStatus
olcDbIndex: mail eq
olcDbIndex: mailLocalAddress eq
olcDbIndex: member eq
olcDbIndex: memberOf eq
olcDbIndex: memberUid eq
olcDbIndex: objectclass eq
olcDbIndex: sn
olcDbIndex: sudoHost eq,sub
olcDbIndex: sudoUser eq,sub
olcDbIndex: uid
olcDbIndex: uidNumber eq
olcDbIndex: uniqueMember eq
olcDbMaxReaders: 126
olcDbMaxSize: 10000000000
olcReadOnly: FALSE
olcRootDN: cn=manager,dc=example,dc=com
olcRootPW:: <abcd1234>
olcSuffix: dc=example,dc=com

dn: olcOverlay={0}refint,olcDatabase={1}mdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
objectClass: top
olcOverlay: {0}refint
olcRefintAttribute: member
olcRefintNothing: cn=someone,dc=example,dc=com

dn: olcOverlay={1}ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
objectClass: top
olcOverlay: {1}ppolicy
olcPPolicyDefault: cn=passwordDefault,ou=password_policies,ou=configurations
 ,dc=example,dc=com
olcPPolicyHashCleartext: TRUE

dn: olcOverlay={2}dynlist,olcDatabase={1}mdb,cn=config
objectClass: olcConfig
objectClass: olcDynListConfig
objectClass: olcOverlayConfig
objectClass: top
olcOverlay: {2}dynlist
olcDynListAttrSet: {0}groupOfURLs memberURL member+memberOf@groupOfNames

dn: olcOverlay={3}syncprov,olcDatabase={1}mdb,cn=config
objectClass: olcSyncProvConfig
olcOverlay: {3}syncprov
olcSpCheckpoint: 10 1
olcSpSessionlog: 20000

dn: olcOverlay={4}dds,olcDatabase={1}mdb,cn=config
objectClass: olcDDSConfig
objectClass: olcOverlayConfig
olcOverlay: {4}dds
olcDDSinterval: 1h
olcDDSmaxTtl: 10d
olcDDSminTtl: 10s
olcDDSstate: TRUE
olcDDStolerance: 5s

dn: olcOverlay={5}otp,olcDatabase={1}mdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: top
olcOverlay: {5}otp


My question now is:
what is the correct ACL configuration/filter statement to ask for a user's 
group memberships to achieve our goal in OpenLDAP 2.5?

Any help would be greatly appreciated!

--Carsten
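When reviewing a configuration like the one above, the first thing to establish is which attributes named in ACL filters are stored in the entry and which are synthesised by dynlist. The following Python is an added example (not part of the original post and not OpenLDAP code): it unfolds a constructed excerpt of the cn=config LDIF shown above, collects the attributes dynlist generates from olcDynListAttrSet, and reports every olcAccess rule whose filter= clause references one of them.

```python
import re

# Constructed excerpt of the cn=config LDIF from the post, with LDIF line folding kept.
LDIF = """\
dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to * by self read by anonymous auth by * break
olcAccess: {1}to dn.subtree="dc=example,dc=com" filter="(|(dc=example)(dc=us
 ers))" attrs="entry,Objectclass,dc" by dn.exact="cn=accessUser,dc=accessUse
 rs,dc=example,dc=com" read by * break
olcAccess: {2}to dn.subtree="dc=users,dc=example,dc=com" filter="(memberOf=cn=
 group1,dc=groups,dc=example,dc=com)" attrs="entry,objectclass,uid,memberOf" by
  dn.exact="cn=accessUser,dc=accessUsers,dc=example,dc=com" read by * break

dn: olcOverlay={2}dynlist,olcDatabase={1}mdb,cn=config
olcDynListAttrSet: {0}groupOfURLs memberURL member+memberOf@groupOfNames
"""

def unfold(ldif):
    """Join LDIF continuation lines (leading space) and return (attr, value) pairs."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # LDIF folding: drop exactly one leading space
        else:
            lines.append(raw)
    pairs = []
    for line in lines:
        if ":" in line and not line.startswith("#"):
            attr, _, value = line.partition(":")
            pairs.append((attr.strip().lower(), value.strip()))
    return pairs

def dynlist_virtual_attrs(pairs):
    """Attributes dynlist synthesises: <member-ad>[+<memberof-ad>][@<static-oc>]."""
    virtual = set()
    for attr, value in pairs:
        if attr == "olcdynlistattrset":
            fields = re.sub(r"^\{\d+\}", "", value).split()
            for spec in fields[2:]:       # fields[0]=objectClass, fields[1]=URL attribute
                virtual.update(a.lower() for a in spec.split("@")[0].split("+") if a)
    return virtual

def acl_filter_attrs(pairs):
    """Map each olcAccess rule ("{n}") to the attribute names used in its filter clause."""
    result = {}
    for attr, value in pairs:
        if attr == "olcaccess":
            idx = re.match(r"\{\d+\}", value)
            m = re.search(r'filter="([^"]*)"', value)
            names = re.findall(r"\(([A-Za-z][\w;-]*)\s*[~<>]?=", m.group(1)) if m else []
            result[idx.group(0) if idx else value] = {n.lower() for n in names}
    return result

def acls_filtering_on_virtual(ldif):
    """Rules whose filter depends on a dynlist-generated attribute, with those attributes."""
    pairs = unfold(ldif)
    virtual = dynlist_virtual_attrs(pairs)
    return {r: sorted(a & virtual) for r, a in acl_filter_attrs(pairs).items() if a & virtual}
```

Running `acls_filtering_on_virtual(LDIF)` on the excerpt singles out rule {2} for its memberOf filter, which is exactly the rule whose behaviour changed between the two setups described in the post.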