Currently we need to configure group-based LDAP login for our custom
applications. We have applications named app1, app2, etc.

To restrict a user to logging in to a particular application, e.g. app1,
that user should have the attribute *allowedService = app1*; to log in
to app2 the user needs *allowedService = app2*.

So we created the users that way.

Now, for binding the applications to LDAP, we created users like:

    cn=app1,ou=Applications,dc=prime,dc=ds,dc=geo,dc=com
    cn=app2,ou=Applications,dc=prime,dc=ds,dc=geo,dc=com

Now we configured LDAP ACL as follows:

    olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=ds,dc=geo,dc=com" write by * none
    olcAccess: {1}to dn.base="" by * read
    olcAccess: {2}to dn.subtree="ou=People,dc=prime,dc=ds,dc=geo,dc=com" filter="(allowedService=app1)" by dn.exact="cn=app1,ou=Applications,dc=prime,dc=ds,dc=geo,dc=com" read by * break
    olcAccess: {3}to dn.subtree="ou=People,dc=prime,dc=ds,dc=geo,dc=com" filter="(allowedService=app2)" by dn.exact="cn=app2,ou=Applications,dc=prime,dc=ds,dc=geo,dc=com" read by * break
    olcAccess: {4}to dn.subtree="ou=People,dc=prime,dc=ds,dc=geo,dc=com" attrs="entry" by dn.sub="ou=Applications,dc=prime,dc=ds,dc=geo,dc=com" read by dn="cn=admin,dc=ds,dc=geo,dc=com" write by self read by * break
    olcAccess: {5}to dn.subtree="ou=People,dc=prime,dc=ds,dc=geo,dc=com" by dn.exact="cn=app3,ou=Applications,dc=prime,dc=ds,dc=geo,dc=com" read by users read
    olcAccess: {6}to dn.subtree="dc=prime,dc=ds,dc=geo,dc=com" by anonymous write

But for an application that doesn't support a filter (like SuiteCRM) we
created rule *olcAccess: {5}* and bound it to the *app3* user, but then the
whole ACL is not working and all users can log in to all applications.

So can anyone please help us with it?

Thanks
Geo

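As an added example (not from the post and not OpenLDAP's own code), a small Python model of the documented olcAccess evaluation order: the first `to` clause whose target matches is selected, the first matching `by` clause inside it decides, and `break` continues with the later `to` clauses. The users alice and bob and the VARIANT rule set are constructed for comparison, and the model covers only plain attribute reads and the who-forms the posted rules use.

```python
# Added example (not OpenLDAP code): a simplified model of slapd olcAccess
# evaluation, enough to check the posted People-subtree rules offline.
PEOPLE = "ou=People,dc=prime,dc=ds,dc=geo,dc=com"
APPS = "ou=Applications,dc=prime,dc=ds,dc=geo,dc=com"
# Constructed sample users (not from the post), one allowedService each.
USERS = {
    f"uid=alice,{PEOPLE}": {"allowedService": "app1"},
    f"uid=bob,{PEOPLE}": {"allowedService": "app2"},
}

def in_subtree(dn, base):
    return dn == base or dn.endswith("," + base)
def who_matches(who, bind_dn):
    # Only the 'by' subjects the posted rules use: *, users, dn.exact=, dn.sub=
    if who == "*":
        return True
    if who == "users":
        return bind_dn is not None
    if who.startswith("dn.exact="):
        return bind_dn == who[len("dn.exact="):]
    if who.startswith("dn.sub="):
        return bind_dn is not None and in_subtree(bind_dn, who[len("dn.sub="):])
    raise ValueError(f"unsupported who-form: {who}")
# Rules {2}, {3}, {5} from the post: (subtree, filter or None, [(who, access)]).
POSTED = [
    (PEOPLE, ("allowedService", "app1"), [(f"dn.exact=cn=app1,{APPS}", "read"), ("*", "break")]),
    (PEOPLE, ("allowedService", "app2"), [(f"dn.exact=cn=app2,{APPS}", "read"), ("*", "break")]),
    (PEOPLE, None, [(f"dn.exact=cn=app3,{APPS}", "read"), ("users", "read")]),
]
# Constructed variant for comparison: the catch-all clause grants app3 only and
# ends in an explicit deny instead of "by users read".
VARIANT = POSTED[:2] + [(PEOPLE, None, [(f"dn.exact=cn=app3,{APPS}", "read"), ("*", "none")])]

def can_read(bind_dn, target_dn, rules):
    # First matching 'to' clause is selected; first matching 'by' decides, except 'break'.
    entry = USERS[target_dn]
    for subtree, flt, bys in rules:
        if not in_subtree(target_dn, subtree):
            continue
        if flt is not None and entry.get(flt[0]) != flt[1]:
            continue
        for who, access in bys:
            if who_matches(who, bind_dn):
                if access == "break":
                    break
                return access == "read"
        else:
            return False  # no 'by' matched inside the selected clause: deny
    return False  # no clause matched at all: deny
```

Under POSTED, `can_read` for the app1 bind DN returns True for bob as well as alice, because both filtered clauses end in `by * break` and the catch-all `by users read` then applies to every authenticated bind; under VARIANT the same query for bob returns False.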