Currently, only my admin user is allowed to search what group a particular user is in.
If I have the following user:
dn: uid=tester,ou=people,dc=example,dc=com
cn: tester
displayName: tester
objectClass: inetOrgPerson
objectClass: top
sn: tester
uid: tester
And if the following group has the above user as a member (check its member attribute):
dn: ou=testingGroup,dc=example,dc=com
cn: testingGroup
objectClass: groupOfNames
objectClass: top
ou: testingGroup
member: uid=tester,ou=people,dc=example,dc=com
Then, with the admin credentials, I can do this search successfully:
ldapsearch \
-D "cn=admin,dc=example,dc=com" \
-w ${ADMIN_PW} \
-b 'dc=example,dc=com' \
"(&(objectClass=groupOfNames)(member=uid=tester,ou=people,dc=example,dc=com))"
I can also successfully do a similar search as the admin:
ldapsearch \
-D "cn=admin,dc=example,dc=com" \
-w ${ADMIN_PW} \
-b 'dc=example,dc=com' \
"(&(uid=tester)(objectClass=inetOrgPerson)(memberOf=ou=testingGroup,dc=example,dc=com))"
I want to enable users to do the above searches themselves (instead of being able to do it only as the admin), as shown below. But they don't (yet) seem to have the permission to search for data pertaining to themselves and I don't know how to enable it correctly. In short, when I run the commands as the tester user, I get "32 No such object" as a result instead of the results I get as the admin user, but I want the same results. I want these searches to work:
ldapsearch \
-D "uid=tester,ou=people,dc=example,dc=com" \
-w ${USER_PW} \
-b 'dc=example,dc=com' \
"(&(objectClass=groupOfNames)(member=uid=tester,ou=people,dc=example,dc=com))"
ldapsearch \
-D "uid=tester,ou=people,dc=example,dc=com" \
-w ${USER_PW} \
-b 'dc=example,dc=com' \
"(&(uid=tester)(objectClass=inetOrgPerson)(memberOf=ou=testingGroup,dc=example,dc=com))"
I suspect that the answer is found here but I'm new to OpenLDAP and haven't managed to figure out how to do it. Please, can you help me out?
I was able to give users permission to search for their own memberOf attribute, with the following configuration:
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to dn.subtree="ou=people,dc=example,dc=com" by self read by anonymous auth
olcAccess: {2}to dn.children="dc=example,dc=com" attrs=userPassword,shadowLastChange by self write
And with this command:
ldapsearch \
-D "uid=tester,ou=people,dc=example,dc=com" \
-w ${USER_PW} \
-b 'uid=tester,ou=people,dc=example,dc=com' \
memberOf
So that part is working, whereas I couldn't determine how to configure the olcAccess entries further so that users can also search within a directory and be shown the group they're a member of. It seems to have something to do with "access to attrs=member,entry by dnattr=member" (perhaps in combination with a control field in the previous entry), but I couldn't find out how it works. I got this far before I had to give up:
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to dn.subtree="ou=people,dc=example,dc=com" by self read break by anonymous auth
olcAccess: {2}to dn.subtree="ou=testingGroup,dc=example,dc=com" attrs=member,entry by dnattr=member read
olcAccess: {3}to dn.children="dc=example,dc=com" attrs=userPassword,shadowLastChange by self write
I find that this, this, this, this, and this link are/were helpful for this issue.
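The following olcAccess set is an added example written against the directory layout in the question; it is not part of the question or of any answer on the page. It assumes the data backend is olcDatabase={1}mdb,cn=config (check with ldapsearch -Q -Y EXTERNAL -H ldapi:/// -b cn=config "(olcSuffix=dc=example,dc=com)" dn) and that cn=admin,dc=example,dc=com is the database rootdn, so the admin searches are unaffected by these rules. The ordering matters: slapd uses the first "to" clause that matches the target and then the first matching "by" clause, so the password rule goes before any rule that covers whole entries, and the base object dc=example,dc=com gets its own rule, because a subtree search whose base the bound user cannot access is answered with 32 (No such object), which is the symptom in the question.

```ldif
# Added example, not from the question. Apply with:
#   ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f acl.ldif
# Assumption: the data backend is olcDatabase={1}mdb (adjust if yours differs).
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# {0} local root over ldapi keeps full access; "break" continues with later rules
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
# {1} password attributes first: users may change their own, anonymous may
#     only use them to bind, nobody else sees them. A later attrs= rule would
#     never be reached for entries already matched by a whole-entry rule.
olcAccess: {1}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
# {2} the base object of the search: authenticated users need search access to
#     its "entry" pseudo-attribute, otherwise slapd hides it and returns 32
olcAccess: {2}to dn.base="dc=example,dc=com" attrs=entry by users search
# {3} users may read their own entry; read implies search, so a filter on
#     uid, objectClass and memberOf against their own entry evaluates
olcAccess: {3}to dn.subtree="ou=people,dc=example,dc=com" by self read
# {4} members of a group may find and read it: "entry" is needed for the entry
#     to be returned at all, objectClass/cn/ou for the filter and the returned
#     attributes, and member for the (member=<own DN>) filter term.
#     Anyone not listed in member falls through to the implicit "by * none".
olcAccess: {4}to dn.subtree="ou=testingGroup,dc=example,dc=com" attrs=entry,objectClass,cn,ou,member by dnattr=member read
```

After applying it, rerun the two tester searches from the question; both should now return an entry. Two points to keep in mind: rule {4} lets every member read the complete member list of the group (drop member from the attrs list if only the group's existence should be visible, at the cost of the first search, which filters on member), and the second search only works because the memberof overlay already maintains memberOf on the user entries, as the question's own memberOf query shows.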