I'm configuring an OpenLDAP server at the moment. For defining user permissions I use an LDIF file. For checking the permissions and to see if everything works as expected I use Apache Directory Studio.
One requirement for the user permissions is that a user can read its own entry, a local administrator can read all user entries in his branch and a "global" admin can read all user entries. So far so good, everything works.
Additionally I need to know which groups a user belongs to. For that I wanted to use the operational attribute memberOf, which is supported by OpenLDAP. Unfortunately only the "global" administrator is able to see operational attributes. If I try to fetch operational attributes within Apache Directory Studio using a local administrator or a simple user, no operational attribute will be displayed/fetched.
I tried to give those users the read permission for all member-attributes where their dn is entered with the following rule:
olcAccess: to attrs=member,entry
  by dnattr=member selfwrite
  by * break
This rule is similar to the one at the end of the OpenLDAP documentation, chapter 8.3.5. This doesn't seem to work at all, so I tried to add a general rule to access the role entries:
olcAccess: to dn.regex="ou=Roles,dc=([^,]+),dc=customers,dc=domain,dc=de$" attrs=entry,@groupOfNames,children
  by group.expand="cn=Administrators,ou=Roles,dc=$1,dc=customers,dc=domain,dc=de" write
  by group.expand="cn=ProductionUser,ou=Roles,dc=$1,dc=customers,dc=domain,dc=de" read
  by group.expand="cn=TestUser,ou=Roles,dc=$1,dc=customers,dc=domain,dc=de" read
  by * break
With this rule any user can read all role entries for his branch. The operational attributes, or at least memberOf, will still not be visible to the users.
So what permissions do I need to grant so that every user can read at least the memberOf attribute of its own entry?
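An added example of the ACL shape that grants each bound user read access to the memberOf values of its own entry; this is illustration written for this question, not configuration from the original post. It assumes the memberof overlay is loaded on the database (memberOf is an operational attribute it maintains), that the database is `olcDatabase={1}mdb` (placeholder), and that the rule is inserted at index `{0}` so it sits before any broader `to *` rule, because slapd uses the first `to` clause that matches the target and stops there.

```ldif
# Added example (not from the original post). Assumes the memberof overlay
# is active on this database; {1}mdb and the {0} index are placeholders.
# The {0} index puts the rule first: only the first matching "to" clause
# is evaluated, so a later catch-all "to *" would otherwise shadow it.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=memberOf
  by self read
  by * break
```

Two practical checks: because memberOf is operational, a client must request it explicitly (for example `ldapsearch -x -D "<user dn>" -W -b "<user dn>" -s base memberOf`, or `+` for all operational attributes; Apache Directory Studio does this with its "fetch operational attributes" option), and the user still needs `read` on the `entry` pseudo-attribute of its own entry, which a separate ACL must grant, or the entry is not returned at all. `read` already implies `search` and `compare`, so a user granted `read` on memberOf can also filter on it.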