Currently we need to configure Group based LDAP login for our custom applications. We have applications named app1, app2 etc.
For restricting users to login for a particular application for eg app1 then for that user it should have attribute named allowedService = app1, for login to app2 that user need allowedService = app2
So in that way we created users.
Now for binding applications to ldap we created users like
cn=app1,ou=Applications,dc=prime,dc=ds,dc=geo,dc=com cn=app2,ou=Applications,dc=prime,dc=ds,dc=geo,dc=com
Now we configured LDAP ACL as follows:
olcAccess: {0}to attrs=userPassword,shadowLastChange
by self write by anonymous auth
by dn="cn=admin,dc=ds,dc=geo,dc=com" write
by * none
olcAccess: {1}to dn.base=""
by * read
olcAccess: {2}to dn.subtree="ou=People,dc=prime,dc=ds,dc=geo,dc=com" filter="(allowedService=app1)"
by dn.exact="cn=app1,ou=Applications,dc=prime,dc=ds,dc=geo,dc=com" read
by * break
olcAccess: {3}to dn.subtree="ou=People,dc=prime,dc=ds,dc=geo,dc=com" filter="(allowedService=app2)"
by dn.exact="cn=app2,ou=Applications,dc=prime,dc=ds,dc=geo,dc=com" read
by * break
olcAccess: {4}to dn.subtree="ou=People,dc=prime,dc=ds,dc=geo,dc=com" attrs="entry" by dn.sub="ou=Applications,dc=prime,dc=ds,dc=geo,dc=com" read
by dn="cn=admin,dc=ds,dc=geo,dc=com" write
by self read
by * break
olcAccess: {5}to dn.subtree="ou=People,dc=prime,dc=ds,dc=geo,dc=com"
by dn.exact="cn=app3,ou=Applications,dc=prime,dc=ds,dc=geo,dc=com" read
by users read
olcAccess: {6}to dn.subtree="dc=prime,dc=ds,dc=geo,dc=com"
by anonymous write
But when any application that doesn't support filter (Like suiteCRM) we created rule olcAccess: {5} and bind it with app3 user but then the whole ACL is not working and all users can login to all application.
So can anyone please help us on it
0 Answers