Need help in configuring LDAP acl

I am trying to configure ACLs in such a way that users with an allowedService attribute containing an application name can only log in to that particular application.

We have users as follows:

dn: ou=People,dc=prime,dc=ds,dc=geo,dc=com

dn: uid=user1,ou=People,dc=prime,dc=ds,dc=geo,dc=com
uid: user1
allowedService: gitlab

dn: uid=user2,ou=People,dc=prime,dc=ds,dc=geo,dc=com
uid: user2
allowedService: zabbix

dn: uid=user3,ou=People,dc=prime,dc=ds,dc=geo,dc=com
objectClass: top
uid: user3
allowedService: zabbix

We created a user as follows:

dn: cn=gitlab,ou=Applications,ou=Groups,dc=prime,dc=ds,dc=geo,dc=com
cn: gitlab
uid: gitlab

Now in the application we gave the details as follows (gitlab configuration):

base: ou=People,dc=prime,dc=ds,dc=geo,dc=com
uid: uid
bind_dn: cn=gitlab,ou=Applications,ou=Groups,dc=prime,dc=ds,dc=geo,dc=com
password: password

Now in the ACL we tried various options as follows:

root@geopc:/# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(olcDatabase={1}hdb)' olcAccess
dn: olcDatabase={1}hdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=ds,dc=geo,dc=com" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to dn.subtree="ou=Applications,ou=Groups,dc=prime,dc=ds,dc=geo,dc=com" by self write by * write
olcAccess: {3}to dn.subtree="ou=People,dc=prime,dc=ds,dc=geo,dc=com" by self write by * auth
olcAccess: {4}to dn.subtree="ou=People,dc=prime,dc=ds,dc=geo,dc=com" filter="(allowedService=gitlab)" by dn.exact="cn=gitlab,ou=Applications,ou=Groups,dc=prime,dc=ds,dc=geo,dc=com" write by self write

But with this no user is able to log in. But when we change it to olcAccess: {3}to dn.subtree="ou=People,dc=prime,dc=ds,dc=geo,dc=com" by self write by * write, all users can log in.

But what we actually need is for only user1 to be able to log in to the gitlab application, and for users user2 and user3 to be able to log in only to the zabbix application.

Can anyone please help me to configure the ACL for this? Thanks in advance.

Thanks

Geo

Answers


This is not what ACLs are for. They don't control who can login. They control what parts of the subtree a logged-in user can read or modify.
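As an added illustration, not part of the question or the answer: a small Python model of the ordered, first-match evaluation OpenLDAP applies to olcAccess rules, run over the question's rules {3} and {4} and its users. It shows why, in the posted order, the gitlab bind DN only ever reaches rule {3} and gets "auth" on every People entry, so its user lookup finds nothing. The model covers only dn.subtree scopes, a single equality filter and dn.exact/self/* subjects; the attribute-level rule {0} and everything else in the ACL language is left out.

```python
# Model of OpenLDAP olcAccess evaluation: rules are tried in order, the first
# "to" clause matching the entry wins, and its first matching "by" clause
# decides the level. Attribute-level rules such as {0} are left out.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]
PEOPLE = "ou=People,dc=prime,dc=ds,dc=geo,dc=com"
GITLAB = "cn=gitlab,ou=Applications,ou=Groups,dc=prime,dc=ds,dc=geo,dc=com"
USER1, USER2 = "uid=user1," + PEOPLE, "uid=user2," + PEOPLE
ENTRIES = {  # constructed from the LDIF in the question
    USER1: {"uid": "user1", "allowedService": "gitlab"},
    USER2: {"uid": "user2", "allowedService": "zabbix"},
}

def to_clause_matches(rule, dn, entry):
    # "to dn.subtree=<base> [filter=(attr=value)]"
    if not (dn == rule["subtree"] or dn.endswith("," + rule["subtree"])):
        return False
    attr, value = rule.get("filter", (None, None))
    return attr is None or entry.get(attr) == value

def access_for(rules, bind_dn, target_dn):
    """Access level bind_dn gets on target_dn under ordered first-match rules."""
    entry = ENTRIES[target_dn]
    for rule in rules:
        if not to_clause_matches(rule, target_dn, entry):
            continue
        for who, level in rule["by"]:
            if (who == "self" and bind_dn == target_dn) or who in ("*", bind_dn):
                return level
        return "none"  # "to" matched but no "by" clause did: implicit "by * none"
    return "none"

def rules_as_posted():
    # olcAccess {3} and {4} exactly as in the question, in the posted order
    rule3 = {"subtree": PEOPLE, "by": [("self", "write"), ("*", "auth")]}
    rule4 = {"subtree": PEOPLE, "filter": ("allowedService", "gitlab"),
             "by": [(GITLAB, "write"), ("self", "write")]}
    return [rule3, rule4]

def rules_filter_first():
    # Same two rules with the filtered rule ahead of the catch-all one
    rule3, rule4 = rules_as_posted()
    return [rule4, rule3]

def can_search(rules, bind_dn, target_dn):
    # Looking a user up during login needs at least "search" on that entry;
    # "auth" only lets the entry itself be bound to, not found or read.
    return LEVELS.index(access_for(rules, bind_dn, target_dn)) >= LEVELS.index("search")
```

In the posted order the catch-all rule {3} shadows the filtered rule {4} for every People entry, which matches the observed "no user can log in"; this only reasons about what the bind DN may read, which is all an ACL decides.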

