
I have some problems with "isMemberOf" on OpenDJ.

I want to have a user in OpenDJ (like "uid=jdoe,ou=people,dc=example,dc=com") which can do an "isMemberOf" query. The problem is that by default a user DN in OpenDJ can't perform "isMemberOf" queries.

The result shows:

    ldapsearch -h host -p port -D "uid=jdoe,ou=people,dc=example,dc=com" -W -b "ou=people,dc=example,dc=com" "(isMemberOf=cn=group1,ou=groups,dc=example,dc=com)"

    # extended LDIF
    #
    # LDAPv3
    # base <ou=people,dc=example,dc=com> with scope subtree
    # filter: (isMemberOf=cn=group1,ou=groups,dc=example,dc=com)
    # requesting: ALL
    #

    # search result
    search: 2
    result: 0 Success

    # numResponses: 1

If I give the user DN the "bypass-acl" privilege, then the query shows all members of the group. But the privilege "bypass-acl" also gives the user DN "modify" rights.

I just want to have a user DN which can only perform an "isMemberOf" query and nothing else. I've tried this with an ACI:

    cat test.ldif

    dn: uid=jdoe,ou=people,dc=example,dc=com
    changetype: modify
    add: aci
    aci: (target="ldap:///*,dc=example,dc=com")(targetattr="*")(version 3.0; acl "Search and Read"; allow (search, write)(userdn = "ldap:///uid=jdoe,ou=people,dc=example,dc=com");)

unsuccessfully.

Does somebody have an idea? :/

best regards,

Ironchunk

1 Answer


It looks like jdoe doesn't have the permissions to properly search/read the organization. But the detailed reason for not getting entries might be disclosed in the logs/access file. Check the Search Result log message to see if there is some information.

Have you tried to put the ACI at the dc=example,dc=com level? Usually, you do not put an ACI specific to a user in the user entry, but in the branch to which the ACI applies.

    aci: (targetattr!="userPassword")(version 3.0; acl "Search and Read for uid=jdoe except passwords"; allow (read,search,compare) userdn="ldap:///uid=jdoe,ou=people,dc=example,dc=com";)

Regards,

Ludovic
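An added example, not code from the question or the answer, to act on the advice above of reading the access log: it correlates BIND and SEARCH request/response lines and reports searches that completed with result 0 but returned no entries, together with the DN that was bound on that connection. The sample lines are constructed in the general shape of an OpenDJ access log; the exact field layout is an assumption, so adjust the regexes to your server's output.

```python
import re

# Constructed sample in the general shape of an OpenDJ access log (format assumed):
# jdoe's isMemberOf search succeeds with 0 entries, the admin's returns 3.
SAMPLE_LOG = """\
[25/Jul/2014:07:19:00 +0200] BIND RES conn=3 op=0 msgID=1 result=0 authDN="uid=jdoe,ou=people,dc=example,dc=com" etime=1
[25/Jul/2014:07:19:00 +0200] SEARCH REQ conn=3 op=1 msgID=2 base="ou=people,dc=example,dc=com" scope=wholeSubtree filter="(isMemberOf=cn=group1,ou=groups,dc=example,dc=com)" attrs="ALL"
[25/Jul/2014:07:19:00 +0200] SEARCH RES conn=3 op=1 msgID=2 result=0 nentries=0 etime=2
[25/Jul/2014:07:20:00 +0200] BIND RES conn=4 op=0 msgID=1 result=0 authDN="cn=Directory Manager" etime=1
[25/Jul/2014:07:20:00 +0200] SEARCH REQ conn=4 op=1 msgID=2 base="ou=people,dc=example,dc=com" scope=wholeSubtree filter="(isMemberOf=cn=group1,ou=groups,dc=example,dc=com)" attrs="ALL"
[25/Jul/2014:07:20:00 +0200] SEARCH RES conn=4 op=1 msgID=2 result=0 nentries=3 etime=2
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] (?P<optype>BIND|SEARCH) (?P<kind>REQ|RES) (?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted value" or key=bare

def parse_line(line):
    """Split one log line into a dict of its fields; None for lines we don't track."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "optype": m.group("optype"), "kind": m.group("kind")}
    for key, quoted, bare in KV_RE.findall(m.group("rest")):
        rec[key] = quoted if quoted else bare
    return rec

def empty_success_searches(log_text):
    """Return searches that ended with result=0 but nentries=0, with the bind DN.
    This is the symptom in the question: the server does not reject the search,
    the ACIs simply make every matching entry invisible to the bound user."""
    bind_dn = {}    # conn -> DN authenticated on that connection
    pending = {}    # (conn, op) -> SEARCH REQ record awaiting its RES
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["conn"], rec["op"])
        if rec["optype"] == "BIND" and rec["kind"] == "RES" and rec.get("result") == "0":
            bind_dn[rec["conn"]] = rec.get("authDN", "anonymous")
        elif rec["optype"] == "SEARCH" and rec["kind"] == "REQ":
            pending[key] = rec
        elif rec["optype"] == "SEARCH" and rec["kind"] == "RES":
            req = pending.pop(key, None)
            if req and rec.get("result") == "0" and rec.get("nentries") == "0":
                findings.append({"bindDN": bind_dn.get(rec["conn"], "anonymous"),
                                 "base": req.get("base"), "filter": req.get("filter")})
    return findings

if __name__ == "__main__":
    for f in empty_success_searches(SAMPLE_LOG):
        print(f"{f['bindDN']} searched {f['base']} with {f['filter']}: success but 0 entries")
```

A hit for jdoe with the isMemberOf filter, while the same filter returns entries for an administrative bind, points at the ACIs rather than at the group data or the filter syntax.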

Hi, thanks for your answer. I've tried your ACI, but if I try an "isMemberOf" on Group1 with the user "jdoe", the result shows nothing. :( – Ironchunk Jul 25 '14 at 07:19