I've been configuring an LDAP server on a Linux instance using AWS EC2. Up to now, I successfully set up LDAP and phpLDAPadmin to work together.
I've created Users and Groups "Organisation Units". I've added users and groups to those "OU"s. Now I want to grant access to specific parts of my LDAP tree to the "Users" members of a "Group". That's what I wasn't able to configure up to now...
My LDAP tree looks like this:
+--> dc=www,dc=website,dc=com (3)
---> cn=admin
+--> ou=groups (4)
| ---> cn=admin_users
| ---> cn=app1_users
| ---> cn=app2_users
| ---> cn=basic_users
+--> ou=users (3)
| ---> cn=user1
| ---> cn=user2
| ---> cn=user3
Let's say that I added user1 + user2 to the "memberUid" list of "app1_users" and user2 + user3 to the "memberUid" list of "app2_users".
I want:
- cn=admin has full rights/access to the tree
- app1_users can connect (to phpLDAPadmin) and add new members to the group itself
- the same for app2_users' users
A connected user (on phpLDAPadmin) should only see the tree (and child subtrees) he's part of.
Here are the ACI I tried (which were obviously not working):
access to attrs=shadowLastChange
by self write
by dn="cn=admin,dc=www,dc=website,dc=com" write
by * read
access to attrs=userPassword
by self write
by dn="cn=admin,dc=www,dc=website,dc=com" write
by anonymous auth
by * none
access to dn.base=""
by * read
access to dn.subtree="cn=app1_users,ou=groups,dc=www,dc=website,dc=com"
by group.base="cn=app1_users,dc=www,dc=website,dc=com" write
by dn.base="cn=admin,dc=www,dc=website,dc=com" write
by * none
access to dn.subtree="cn=app2_users,ou=groups,dc=www,dc=website,dc=com"
by group.base="cn=app2_users,dc=www,dc=website,dc=com" write
by dn.base="cn=admin,dc=www,dc=website,dc=com" write
by * none
access to *
by self write
by dn="cn=admin,dc=www,dc=website,dc=com" write
by * read
Is there something wrong with my configuration?
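As an added illustration (my own configuration, not the poster's), here is one slapd.conf ACL set that expresses the three requirements above with the least privilege needed for each. It assumes the groups are groupOfNames entries whose member attribute holds user DNs, because the group clause compares the bound DN against DN-valued attributes and a posixGroup's memberUid holds bare uids, and that users bind with their own entry DN under ou=users.

```conf
# slapd.conf-style ACLs (olcAccess uses the same syntax with {n} prefixes).
# First "access to" whose target matches decides, so specifics go before "access to *".

# Passwords: owner and admin may change them, anonymous may only bind with them.
access to attrs=userPassword,shadowLastChange
    by dn.exact="cn=admin,dc=www,dc=website,dc=com" write
    by self write
    by anonymous auth
    by * none

# rootDSE stays readable so clients can discover the naming context.
access to dn.base=""
    by * read

# Containers: authenticated users may read them so phpLDAPadmin can walk the
# tree down to the group entries (this does not list the users under ou=users).
access to dn.exact="dc=www,dc=website,dc=com"
    by users read
access to dn.exact="ou=groups,dc=www,dc=website,dc=com"
    by users read

# Group self-service: members may add or remove DNs in the member list only.
# group.exact loads the named group (objectClass groupOfNames, attribute member
# by default) and matches the bound DN against its DN values. Note the group DN
# includes ou=groups, which the question's group.base clauses omitted.
access to dn.exact="cn=app1_users,ou=groups,dc=www,dc=website,dc=com" attrs=member
    by dn.exact="cn=admin,dc=www,dc=website,dc=com" write
    by group.exact="cn=app1_users,ou=groups,dc=www,dc=website,dc=com" write
    by * none
# Members read the rest of the group entry but cannot rename or delete it;
# non-members do not see it. Repeat both rules for cn=app2_users.
access to dn.exact="cn=app1_users,ou=groups,dc=www,dc=website,dc=com"
    by dn.exact="cn=admin,dc=www,dc=website,dc=com" write
    by group.exact="cn=app1_users,ou=groups,dc=www,dc=website,dc=com" read
    by * none

# Users see only their own entry, read-only (no objectClass or uid edits).
access to dn.subtree="ou=users,dc=www,dc=website,dc=com"
    by dn.exact="cn=admin,dc=www,dc=website,dc=com" write
    by self read
    by * none

# Everything else (cn=admin, ou=users itself, other groups): admin only.
access to *
    by dn.exact="cn=admin,dc=www,dc=website,dc=com" write
    by * none
```

After loading the rules, check them from the server side with slapacl (for example, whether cn=user1's DN gets write on the member attribute of cn=app1_users) before testing through phpLDAPadmin, so ACL ordering errors are not confused with web UI behaviour.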