ubuntu 12.04 - Need help in configuring LDAP acl
I am trying to configure ACLs in such a way that users whose allowedservice attribute contains an application name can log in to that particular application.
We have users as follows:

dn: ou=people,dc=prime,dc=ds,dc=geo,dc=com

dn: uid=user1,ou=people,dc=prime,dc=ds,dc=geo,dc=com
uid: user1
allowedservice: gitlab

dn: uid=user2,ou=people,dc=prime,dc=ds,dc=geo,dc=com
uid: user2
allowedservice: zabbix

dn: uid=user3,ou=people,dc=prime,dc=ds,dc=geo,dc=com
objectclass: top
uid: user3
allowedservice: zabbix
We created a user for the application as follows:

dn: cn=gitlab,ou=applications,ou=groups,dc=prime,dc=ds,dc=geo,dc=com
cn: gitlab
uid: gitlab
Now in the application we have given the following details (gitlab configuration):

base: ou=people,dc=prime,dc=ds,dc=geo,dc=com
uid: uid
bind_dn: cn=gitlab,ou=applications,ou=groups,dc=prime,dc=ds,dc=geo,dc=com
password: password
Now in the ACL I have tried various options, as follows:

root@geopc:/# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(olcDatabase={1}hdb)' olcAccess
dn: olcDatabase={1}hdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=ds,dc=geo,dc=com" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to dn.subtree="ou=applications,ou=groups,dc=prime,dc=ds,dc=geo,dc=com" by self write by * write
olcAccess: {3}to dn.subtree="ou=people,dc=prime,dc=ds,dc=geo,dc=com" by self write by * auth
olcAccess: {4}to dn.subtree="ou=people,dc=prime,dc=ds,dc=geo,dc=com" filter="(allowedservice=gitlab)" by dn.exact="cn=gitlab,ou=applications,ou=groups,dc=prime,dc=ds,dc=geo,dc=com" write by self write
But no user is able to log in. If I change rule {3} to

olcAccess: {3}to dn.subtree="ou=people,dc=prime,dc=ds,dc=geo,dc=com" by self write by * write

then users can log in.
But I need user1 to log in to the gitlab application, and users user2 and user3 to log in to the zabbix application.
Can someone please help me configure the ACL for this? Thanks in advance.
geo
This is not what ACLs are for. They don't control who can log in. They control which parts of the subtree a logged-in user can read or modify.
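An added example (not from the original post or from the comment above) showing one way to get the behaviour the question asks for. The comment is right that slapd ACLs do not decide who may bind; what they do decide is which user entries an application's bind account can find, and an application configured as above has to search ou=people for the uid before it can bind as that user. Two details of the posted rules matter here. First, slapd applies the first `to` clause that matches the entry and attribute being accessed, so the posted {3}, which matches every entry under ou=people and gives cn=gitlab only `auth`, is always chosen and the filtered {4} is never reached; that is why no user can be found until {3} is loosened to `by * write`. Second, `by self write` on the whole people subtree lets a user change their own allowedservice value, and `by * write` on ou=applications lets any client, including anonymous ones, modify the application bind accounts. The LDIF below replaces the olcAccess list in this order: the allowedservice attribute first (only the admin may change it), then one filtered rule per application, then the catch-all. It assumes a second bind account cn=zabbix,ou=applications,ou=groups,dc=prime,dc=ds,dc=geo,dc=com for zabbix, which the post does not show, and keeps the admin DN exactly as it appears in the posted rule {0}.

```ldif
# Added example, not the original poster's configuration.
# Load with: ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f acl.ldif
# Assumption: cn=zabbix,ou=applications,... exists as the zabbix bind account.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by self write
  by anonymous auth
  by dn="cn=admin,dc=ds,dc=geo,dc=com" write
  by * none
olcAccess: {1}to dn.base="" by * read
# Bind accounts: only the account itself (and the admin) needs to touch them.
olcAccess: {2}to dn.subtree="ou=applications,ou=groups,dc=prime,dc=ds,dc=geo,dc=com"
  by dn="cn=admin,dc=ds,dc=geo,dc=com" write
  by self write
  by * none
# Users must not be able to grant themselves a service; only the admin sets it.
olcAccess: {3}to dn.subtree="ou=people,dc=prime,dc=ds,dc=geo,dc=com" attrs=allowedservice
  by dn="cn=admin,dc=ds,dc=geo,dc=com" write
  by users read
  by * none
# gitlab's bind account can search and read only entries tagged allowedservice=gitlab ...
olcAccess: {4}to dn.subtree="ou=people,dc=prime,dc=ds,dc=geo,dc=com" filter="(allowedservice=gitlab)"
  by dn.exact="cn=gitlab,ou=applications,ou=groups,dc=prime,dc=ds,dc=geo,dc=com" read
  by self write
  by * auth
# ... and zabbix's bind account only entries tagged allowedservice=zabbix.
olcAccess: {5}to dn.subtree="ou=people,dc=prime,dc=ds,dc=geo,dc=com" filter="(allowedservice=zabbix)"
  by dn.exact="cn=zabbix,ou=applications,ou=groups,dc=prime,dc=ds,dc=geo,dc=com" read
  by self write
  by * auth
# Catch-all for everything else under ou=people: users may edit themselves,
# everyone else may only authenticate against an entry, not read it.
olcAccess: {6}to dn.subtree="ou=people,dc=prime,dc=ds,dc=geo,dc=com"
  by self write
  by * auth
```

To check the result without going through the application, bind as the gitlab account and repeat the search the application performs: `ldapsearch -x -H ldap://localhost -D "cn=gitlab,ou=applications,ou=groups,dc=prime,dc=ds,dc=geo,dc=com" -W -b "ou=people,dc=prime,dc=ds,dc=geo,dc=com" "(uid=user1)"` should return user1's entry, while the same search for `(uid=user2)` should return nothing, so gitlab never obtains a DN to bind with for user2 or user3. A user's own bind still works because the userPassword check is governed by rule {0}, which is unchanged. Note that rule {3} stops users from editing allowedservice but the `by self write` in the later rules still lets them change any other attribute of their own entry, as in the posted configuration.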