In OpenLDAP (Slapd), how do I give users permission to search which groups they're a member of?


Currently, only my admin user is allowed to search what group a particular user is in.

If I have the following user:

dn: uid=tester,ou=people,dc=example,dc=com
cn: tester
displayName: tester
objectClass: inetOrgPerson
objectClass: top
sn: tester
uid: tester

And if the following group has the above user as a member (check its member attribute):

dn: ou=testingGroup,dc=example,dc=com
cn: testingGroup
objectClass: groupOfNames
objectClass: top
ou: testingGroup
member: uid=tester,ou=people,dc=example,dc=com

Then, with the admin credentials, I can do this search successfully:

ldapsearch \
    -D "cn=admin,dc=example,dc=com" \
    -w ${ADMIN_PW} \
    -b 'dc=example,dc=com' \
    "(&(objectClass=groupOfNames)(member=uid=tester,ou=people,dc=example,dc=com))"

I can also successfully do a similar search as the admin:

ldapsearch \
    -D "cn=admin,dc=example,dc=com" \
    -w ${ADMIN_PW} \
    -b 'dc=example,dc=com' \
    "(&(uid=tester)(objectClass=inetOrgPerson)(memberOf=ou=testingGroup,dc=example,dc=com))"

I want to enable users to do the above searches themselves (instead of being able to do it only as the admin), as shown below. But they don't (yet) seem to have the permission to search for data pertaining to themselves and I don't know how to enable it correctly. In short, when I run the commands as the tester user, I get "32 No such object" as a result instead of the results I get as the admin user, but I want the same results. I want these searches to work:

ldapsearch \
    -D "uid=tester,ou=people,dc=example,dc=com" \
    -w ${USER_PW} \
    -b 'dc=example,dc=com' \
    "(&(objectClass=groupOfNames)(member=uid=tester,ou=people,dc=example,dc=com))"

ldapsearch \
    -D "uid=tester,ou=people,dc=example,dc=com" \
    -w ${USER_PW} \
    -b 'dc=example,dc=com' \
    "(&(uid=tester)(objectClass=inetOrgPerson)(memberOf=ou=testingGroup,dc=example,dc=com))"

I suspect that the answer is found here but I'm new to OpenLDAP and haven't managed to figure out how to do it. Please, can you help me out?

Answer by HasQuestionsAndAnswers

I was able to give users permission to search for their own memberOf attribute, with the following configuration:

olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to dn.subtree="ou=people,dc=example,dc=com" by self read by anonymous auth
olcAccess: {2}to dn.children="dc=example,dc=com" attrs=userPassword,shadowLastChange by self write

And with this command:

ldapsearch \
    -D "uid=tester,ou=people,dc=example,dc=com" \
    -w ${USER_PW} \
    -b 'uid=tester,ou=people,dc=example,dc=com' \
    memberOf

So that part is working, whereas I couldn't determine how to configure the olcAccess entries further so that users can also search within a directory and be shown the group they're a member of. It seems to have something to do with "access to attrs=member,entry by dnattr=member" (perhaps in combination with a control field in the previous entry), but I couldn't find out how it works. I got this far before I had to give up:

olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to dn.subtree="ou=people,dc=example,dc=com" by self read break by anonymous auth
olcAccess: {2}to dn.subtree="ou=testingGroup,dc=example,dc=com" attrs=member,entry by dnattr=member read
olcAccess: {3}to dn.children="dc=example,dc=com" attrs=userPassword,shadowLastChange by self write

I find that this, this, this, this, and this link are/were helpful for this issue.
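As an added example (not from the question or the answer above), here is one complete olcAccess set that lets a bound user run both searches from the question: it grants search access to the entry pseudo-attribute of the search base (the missing piece that makes slapd answer "32 No such object" instead of "insufficient access"), and it lets a user read a group entry when their DN is a value of its member attribute. It assumes the database is olcDatabase={1}mdb,cn=config, that groups sit directly under dc=example,dc=com as ou=testingGroup does, and that the memberof overlay is already maintaining memberOf on user entries.

```ldif
# Added example: assumed database DN, adjust to your cn=config.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# {0} as in the answer: the local root identity keeps full control.
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
# {1} password attributes first, so no broader rule below can expose them.
# 'anonymous auth' is what allows the simple bind to check the password.
olcAccess: {1}to dn.children="dc=example,dc=com" attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
# {2} the search base itself. A subtree search needs search access to the
# 'entry' pseudo-attribute of its base; without it slapd returns
# noSuchObject (32) rather than reveal that dc=example,dc=com exists.
olcAccess: {2}to dn.base="dc=example,dc=com" attrs=entry by users search by * none
# {3} a user may read their own entry. No attrs clause means every
# attribute, including the operational memberOf used in the second filter.
olcAccess: {3}to dn.subtree="ou=people,dc=example,dc=com" by self read by * none
# {4} groups: a bound user whose DN appears in 'member' may read the group.
# 'read' implies 'search', so both filter terms (objectClass, member) can be
# evaluated, and read on 'entry' lets the matching group be returned.
# Leaving objectClass out of attrs (as in the answer's attempt) makes the
# (objectClass=groupOfNames) term undefined and the group is never matched.
olcAccess: {4}to dn.children="dc=example,dc=com" filter="(objectClass=groupOfNames)" attrs=entry,objectClass,cn,ou,member by dnattr=member read by * none
```

Apply it with `ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif` as root, then rerun the two user searches from the question; a user who is not listed in a group's member attribute gets no access to that group at all, so they see only their own memberships.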