I am currently configuring an OpenLDAP server. To define user permissions, I use an LDIF file. To check the permissions and see whether everything works as expected, I use Apache Directory Studio.
A prerequisite for the user permissions is that a user can read his own entry, a local administrator can read all user entries in his store, and a "global" administrator can read all user entries. So far everything works well.
In addition, I need to know which groups a user belongs to. For that I wanted to use the operational attribute memberOf, which is supported by OpenLDAP. Unfortunately, only the "global" administrator can see the operational attributes. When I try to retrieve operational attributes in Apache Directory Studio as a local administrator or as a simple user, no operational attribute is displayed / retrieved.
I tried to give these users read permission for all member attributes that contain their DN with the following rule:
olcAccess: to attrs=member,entry
  by dnattr=member selfwrite
  by * break
This rule is similar to the one at the end of the OpenLDAP documentation, chapter 8.3.5. It does not seem to work at all, so I tried to add a general rule for accessing the role entries:
olcAccess: to dn.regex="ou=roles,dc=([^,]+),dc=customer,dc=domain,dc=de$" attrs=entry,@groupOfNames,children
  by group.expand="cn=Administrators,ou=roles,dc=$1,dc=customers,dc=domain,dc=de" write
  by group.expand="cn=ProductionUser,ou=roles,dc=$1,dc=customers,dc=domain,dc=de"
  by group.expand="cn=test user,ou=roles,dc=$1,dc=customer,dc=domain,dc=de" read
  by * break
This rule allows each user to read all role entries of their store. The operational attributes, or at least memberOf, are still not visible to the users.
So, what permissions do I have to grant so that every user can read at least the memberOf attribute of his own entry?
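A set of ACLs that lets every user read the memberOf attribute of his own entry, added here as an example; it is not code from the original question. It assumes the database is olcDatabase={1}mdb,cn=config, that user entries are named uid=<user>,ou=users,dc=<store>,dc=customer,dc=domain,dc=de, that the global administrators are the group cn=GlobalAdministrators,ou=roles,dc=customer,dc=domain,dc=de, and that the memberof overlay is already active on that database (memberOf is an operational attribute maintained by that overlay and is never populated without it). The rule from chapter 8.3.5 quoted in the question governs the member attribute on the group entry (selfwrite lets a user add or remove his own DN there); it says nothing about memberOf on the user entry, which is what the clients are reading. Note that `replace: olcAccess` drops every existing rule, so the question's own rules for users and roles have to be merged in with the right {n} ordering:

```ldif
# Added example, not from the original question. Assumed names:
#   database:      olcDatabase={1}mdb,cn=config
#   user entries:  uid=<user>,ou=users,dc=<store>,dc=customer,dc=domain,dc=de
#   global admins: cn=GlobalAdministrators,ou=roles,dc=customer,dc=domain,dc=de
# memberOf is an operational attribute written by the memberof overlay, so the
# overlay must already be configured on this database.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# {0}: user entries. memberOf belongs to no objectClass, so an
# attrs=@inetOrgPerson clause never matches it and the request falls through
# to a later rule that denies it; the attribute has to be listed by name.
# "entry" must be readable as well or the entry is not returned at all.
# $1 is the store name captured by the regex, reused for the store's
# local Administrators group.
olcAccess: {0}to dn.regex="^uid=[^,]+,ou=users,dc=([^,]+),dc=customer,dc=domain,dc=de$" attrs=entry,memberOf,@inetOrgPerson
  by self read
  by group.expand="cn=Administrators,ou=roles,dc=$1,dc=customer,dc=domain,dc=de" read
  by group.exact="cn=GlobalAdministrators,ou=roles,dc=customer,dc=domain,dc=de" read
  by * none
# {1}: role (group) entries of a store, readable by that store's users;
# the local Administrators may change memberships.
olcAccess: {1}to dn.regex="^ou=roles,dc=([^,]+),dc=customer,dc=domain,dc=de$" attrs=entry,children,@groupOfNames
  by group.expand="cn=Administrators,ou=roles,dc=$1,dc=customer,dc=domain,dc=de" write
  by group.expand="cn=ProductionUser,ou=roles,dc=$1,dc=customer,dc=domain,dc=de" read
  by group.exact="cn=GlobalAdministrators,ou=roles,dc=customer,dc=domain,dc=de" read
  by * break
# {2}: everything not matched above is visible to global administrators only.
olcAccess: {2}to *
  by group.exact="cn=GlobalAdministrators,ou=roles,dc=customer,dc=domain,dc=de" read
  by * none
```

Two checks after loading this with ldapmodify. First, operational attributes are never returned by a plain `*` request, so the client has to ask for them: in Apache Directory Studio enable "Fetch operational attributes" for the connection, and on the command line name the attribute explicitly (or use `+`), for instance with the assumed user uid=alice in store dc=store1: `ldapsearch -LLL -x -D "uid=alice,ou=users,dc=store1,dc=customer,dc=domain,dc=de" -W -b "uid=alice,ou=users,dc=store1,dc=customer,dc=domain,dc=de" -s base memberOf`. Second, the memberof overlay only maintains memberOf for group changes made after it was enabled; memberships that already existed before the overlay was loaded are not back-filled and have to be re-applied before the attribute shows up, regardless of the ACLs.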