Please let me know your thoughts on this. Can anyone please help me on it?

On Thu, Dec 31, 2015 at 9:11 PM, Geo P.C. <[email protected]> wrote:

> Currently we need to configure Group based LDAP login for our custom
> applications. We have applications named app1, app2 etc.
>
> For restricting users to log in to a particular application, e.g. app1,
> that user should have the attribute *allowedService = app1*; for login to
> app2 the user needs *allowedService = app2*.
>
> So in that way we created users.
>
> Now for binding applications to LDAP we created users like
>
>
> *cn=app1,ou=Applications,dc=prime,dc=ds,dc=geo,dc=com
> cn=app2,ou=Applications,dc=prime,dc=ds,dc=geo,dc=com*
>
> Now we configured LDAP ACL as follows:
>
>
>     olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=ds,dc=geo,dc=com" write by * none
>     olcAccess: {1}to dn.base="" by * read
>     olcAccess: {2}to dn.subtree="ou=People,dc=prime,dc=ds,dc=geo,dc=com" filter="(allowedService=app1)" by dn.exact="cn=app1,ou=Applications,dc=prime,dc=ds,dc=geo,dc=com" read by * break
>     olcAccess: {3}to dn.subtree="ou=People,dc=prime,dc=ds,dc=geo,dc=com" filter="(allowedService=app2)" by dn.exact="cn=app2,ou=Applications,dc=prime,dc=ds,dc=geo,dc=com" read by * break
>     olcAccess: {4}to dn.subtree="ou=People,dc=prime,dc=ds,dc=geo,dc=com" attrs="entry" by dn.sub="ou=Applications,dc=prime,dc=ds,dc=geo,dc=com" read by dn="cn=admin,dc=ds,dc=geo,dc=com" write by self read by * break
>     olcAccess: {5}to dn.subtree="ou=People,dc=prime,dc=ds,dc=geo,dc=com" by dn.exact="cn=app3,ou=Applications,dc=prime,dc=ds,dc=geo,dc=com" read by users read
>     olcAccess: {6}to dn.subtree="dc=prime,dc=ds,dc=geo,dc=com" by anonymous write
>
>
> But for an application that doesn't support a filter (like SuiteCRM) we
> created rule *olcAccess: {5}* and bound it with the *app3* user, but then
> the whole ACL is not working and all users can log in to all applications.
>
> So can anyone please help us on it?
>
> Thanks
> Geo
>
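The directives quoted above, run through a small model of how slapd evaluates access directives. This is an added example, not code from the thread or from OpenLDAP: it implements the documented first-match semantics (the first `to` clause selecting the target is used, its `by` clauses are tried in order, `break` hands evaluation to the next directive, and a directive whose `by` list matches nobody denies) for only the selectors the thread uses, and leaves out `continue`, the rootdn exception and non-equality filters. The entries and bind DNs (uid=alice, the cn=app1 and cn=app2 service accounts) are constructed.

```python
"""Toy model of OpenLDAP slapd access-control evaluation, sufficient for the
selectors used in the thread (dn.base, dn.subtree, filter, attrs; self,
anonymous, users, dn, dn.exact, dn.sub, *).  Constructed example."""

LEVELS = {"none": 0, "auth": 1, "compare": 2, "search": 3, "read": 4, "write": 5}

BASE = "dc=prime,dc=ds,dc=geo,dc=com"
PEOPLE = "ou=People," + BASE
APPS = "ou=Applications," + BASE
ADMIN = "cn=admin,dc=ds,dc=geo,dc=com"


def by(who, level=None, control="stop"):
    """One '<who> [<access>] [<control>]' clause.  A missing <access>, as in
    'by * break', leaves the remembered access level untouched."""
    return (who, level, control)


# olcAccess {0}..{6} as posted in the thread, one dict per directive.
ACLS = [
    {"attrs": ["userPassword", "shadowLastChange"],
     "by": [by("self", "write"), by("anonymous", "auth"),
            by("dn=" + ADMIN, "write"), by("*", "none")]},
    {"dn.base": "", "by": [by("*", "read")]},
    {"dn.subtree": PEOPLE, "filter": "(allowedService=app1)",
     "by": [by("dn.exact=cn=app1," + APPS, "read"), by("*", control="break")]},
    {"dn.subtree": PEOPLE, "filter": "(allowedService=app2)",
     "by": [by("dn.exact=cn=app2," + APPS, "read"), by("*", control="break")]},
    {"dn.subtree": PEOPLE, "attrs": ["entry"],
     "by": [by("dn.sub=" + APPS, "read"), by("dn=" + ADMIN, "write"),
            by("self", "read"), by("*", control="break")]},
    {"dn.subtree": PEOPLE,
     "by": [by("dn.exact=cn=app3," + APPS, "read"), by("users", "read")]},
    {"dn.subtree": BASE, "by": [by("anonymous", "write")]},
]


def dn_in_subtree(dn, base):
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


def target_matches(acl, entry_dn, entry, attr):
    """Does this directive's <what> (dn, filter, attrs) select the target?"""
    if "dn.base" in acl and entry_dn.lower() != acl["dn.base"].lower():
        return False
    if "dn.subtree" in acl and not dn_in_subtree(entry_dn, acl["dn.subtree"]):
        return False
    if "filter" in acl:  # only the (attr=value) equality filters used above
        name, _, value = acl["filter"].strip("()").partition("=")
        if value.lower() not in [v.lower() for v in entry.get(name.lower(), [])]:
            return False
    if "attrs" in acl and attr.lower() not in [a.lower() for a in acl["attrs"]]:
        return False
    return True


def who_matches(who, bind_dn, entry_dn):
    """Does this <who> selector describe the bound identity (None = anonymous)?"""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == entry_dn.lower()
    style, _, value = who.partition("=")
    if style in ("dn", "dn.exact"):
        return bind_dn is not None and bind_dn.lower() == value.lower()
    if style == "dn.sub":
        return bind_dn is not None and dn_in_subtree(bind_dn, value)
    raise ValueError("unsupported <who>: " + who)


def access_allowed(acls, bind_dn, entry_dn, entry, attr, wanted):
    """True if bind_dn gets at least `wanted` access to attr of entry_dn."""
    granted = None  # access level remembered across 'break'
    for acl in acls:
        if not target_matches(acl, entry_dn, entry, attr):
            continue
        for who, level, control in acl["by"]:
            if who_matches(who, bind_dn, entry_dn):
                if level is not None:
                    granted = level
                if control == "stop":
                    return LEVELS[granted or "none"] >= LEVELS[wanted]
                break  # 'break': go on with the next access directive
        else:
            return False  # no <by> clause matched: implicit 'by * none'
    return LEVELS[granted or "none"] >= LEVELS[wanted]


# Constructed entries: a user allowed only for app1, and the service accounts.
ALICE, ALICE_ENTRY = "uid=alice," + PEOPLE, {"uid": ["alice"], "allowedservice": ["app1"]}
APP1, APP2 = "cn=app1," + APPS, "cn=app2," + APPS
APP1_ENTRY = {"cn": ["app1"], "description": ["service account"]}

def app1_reads_alice():           # granted by {2}
    return access_allowed(ACLS, APP1, ALICE, ALICE_ENTRY, "uid", "read")

def app2_reads_alice():           # {2} breaks, {5} 'by users read' grants
    return access_allowed(ACLS, APP2, ALICE, ALICE_ENTRY, "uid", "read")

def app2_reads_alice_without_rule5():  # {6} matches but no <by> fits: denied
    return access_allowed(ACLS[:5] + ACLS[6:], APP2, ALICE, ALICE_ENTRY, "uid", "read")

def anonymous_writes_app1_description():  # reaches {6}: 'by anonymous write'
    return access_allowed(ACLS, None, APP1, APP1_ENTRY, "description", "write")

if __name__ == "__main__":
    for fn in (app1_reads_alice, app2_reads_alice,
               app2_reads_alice_without_rule5, anonymous_writes_app1_description):
        print(fn.__name__, fn())
```

Under this model the thread's symptom falls out of `{5}`: once `cn=app2` has fallen through `{2}` via `by * break`, `{5}` is the first directive covering the app1-only user, and `by users read` grants any authenticated bind read access, so the per-application filters in `{2}` and `{3}` no longer restrict anything. Dropping `{5}` makes the same read fail. The model also shows that `{6}` lets an anonymous bind write non-password attributes of every entry under the base that is not under ou=People; the real `slapacl` tool can be used to confirm these outcomes against the live configuration.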