RE: OpenLDAP Upgrade from OpenLDAP 2.1 to 2.4 - ACL Issues

[Madden, Joe]

Hi List,

I've managed to answer my own question by reading the change log between the 
versions - Who would have figured the answer would have been there!

OpenLDAP 2.4 Introduced the requirement to have search permission on the parent 
DN when search a subtree. Therefore I had to update my ACL's to this:

# Allow a user to update their password
access to attrs=userPassword
       by dn="uid=support,ou=users,dc=oursystem,dc=co,dc=uk" write
       by dn="uid=backup,ou=users,dc=oursystem,dc=co,dc=uk" write
       by self write
       by * auth

#As of OpenLDAP 2.4.X you are required to provide search to the DN which you 
search though to find a attribute. 
#We have therefore permitted search though the system for any authenticated 
user. The ACL's below line by dnattr=uniqueMember
#Controls what the user can actually read.
access to dn="ou=applications, dc=oursystem,dc=co,dc=uk"
       by users search

# Allow write and read access to the applications tree for specific users # 
Normal users will only be able to see what they are a member of access to 
dn.subtree="ou=applications,dc=oursystem,dc=co,dc=uk"
       by dn="uid=support,ou=users,dc=oursystem,dc=co,dc=uk" write
       by dn="uid=backup,ou=users,dc=oursystem,dc=co,dc=uk" write
       by dn="uid=tomcat, ou=users,dc=oursystem,dc=co,dc=uk" read
       by dn="uid=apache, ou=users,dc=oursystem,dc=co,dc=uk" read
       by dnattr=uniqueMember read

# Allow write and read access to the users tree for specific users # Normal 
users will only be able to their own node access to 
dn.subtree="ou=users,dc=oursystem,dc=co,dc=uk"
       by dn="uid=support,ou=users,dc=oursystem,dc=co,dc=uk" write
       by dn="uid=backup,ou=users,dc=oursystem,dc=co,dc=uk" write
       by dn="uid=apache,ou=users,dc=oursystem,dc=co,dc=uk" read
       by self write

# Allow write and read access for specific users # Normal users will only be 
able to their own node access to dn.subtree="dc=oursystem,dc=co,dc=uk"
       by dn="uid=support,ou=users,dc=oursystem,dc=co,dc=uk" write
       by dn="uid=backup,ou=users,dc=oursystem,dc=co,dc=uk" write
       by dn="uid=apache, ou=users,dc=oursystem,dc=co,dc=uk" read
           by self read


The new section added is :

#As of OpenLDAP 2.4.X you are required to provide search to the DN which you 
search though to find a attribute. 
#We have therefore permitted search though the system for any authenticated 
user. The ACL's below line by dnattr=uniqueMember
#Controls what the user can actually read.
access to dn="ou=applications, dc=oursystem,dc=co,dc=uk"
       by users search

Thanks

Joe.
-----Original Message-----
From: Madden, Joe 
Sent: 09 August 2016 14:55
To: openldap-technical@openldap.org
Subject: OpenLDAP Upgrade from OpenLDAP 2.1 to 2.4 - ACL Issues

Hi List,

Hoping someone can help us out with our ACL problems post upgrading on our test 
system.

We've upgraded from OpenLDAP 2.1 to 2.4 with success. The directory is fine and 
the ACLS below work as expected minus the line  [by dnattr=uniqueMember read]

Please see our ACL's below:


# Allow a user to update their password
access to attrs=userPassword
       by dn="uid=support,ou=users,dc=oursystem,dc=co,dc=uk" write
       by dn="uid=backup,ou=users,dc=oursystem,dc=co,dc=uk" write
       by self write
       by * auth

# Allow write and read access to the applications tree for specific users # 
Normal users will only be able to see what they are a member of access to 
dn.subtree="ou=applications,dc=oursystem,dc=co,dc=uk"
       by dn="uid=root,dc=oursystem,dc=co,dc=uk" write
       by dn="uid=support,ou=users,dc=oursystem,dc=co,dc=uk" write
       by dn="uid=backup,ou=users,dc=oursystem,dc=co,dc=uk" write
       by dn="uid=tomcat, ou=users,dc=oursystem,dc=co,dc=uk" read
       by dn="uid=apache, ou=users,dc=oursystem,dc=co,dc=uk" read
       by dnattr=uniqueMember read

# Allow write and read access to the users tree for specific users # Normal 
users will only be able to their own node access to 
dn.subtree="ou=users,dc=oursystem,dc=co,dc=uk"
       by dn="uid=root,dc=oursystem,dc=co,dc=uk" write
       by dn="uid=support,ou=users,dc=oursystem,dc=co,dc=uk" write
       by dn="uid=backup,ou=users,dc=oursystem,dc=co,dc=uk" write
       by dn="uid=apache,ou=users,dc=oursystem,dc=co,dc=uk" read
       by self write

# Allow write and read access for specific users # Normal users will only be 
able to their own node access to dn.subtree="dc=oursystem,dc=co,dc=uk"
       by dn="uid=root,dc=oursystem,dc=co,dc=uk" write
       by dn="uid=support,ou=users,dc=oursystem,dc=co,dc=uk" write
       by dn="uid=backup,ou=users,dc=oursystem,dc=co,dc=uk" write
       by dn="uid=apache, ou=users,dc=oursystem,dc=co,dc=uk" read
           by self read

The apache, tomcat, root, support users work as expected and can access their 
respective accounts. We have a number of Unique Members who are members of DN's 
under dc=oursystem,dc=co,dc=uk. For Example:

DN: 
cn=online_application_1,ou=our_online_application_1,ou=applications,dc=oursystem,dc=co,dc=uk

We have uniqueMember attribute which contains the dn for users For Example:

uid=user1,ou=users,dc=oursystem,dc=co,dc=uk

As I understand it by dnattr=uniqueMember read on openldap 2.1 allowed the user 
to login to the ldap server, search the DN's under the 
ou=applications,dc=oursystem,dc=co,dc=uk for uniqueMember which contained there 
own DN.

This worked and our applications authenticated on OpenLDAP 2.1.

Since upgrading to 2.4 this ACL does not work in this way and I suspect it's by 
dnattr=uniqueMember read which is the problem. Does anyone have any help to 
offer on how to proceed? Is there a better way to do the ACL in question?

Thanks

Joe