[Fedora-directory-users] How to control the BIND operation using ACI

C.S.R.C.Murthy murthy at barc.gov.in
Fri May 9 04:55:31 UTC 2008


Dear Andrey,
    I did not make one point clear here. My exact ACI requirement is
like this: I need to deny the bind operation when the connecting DN belongs
to a certain group and the request is coming from a certain IP address. How
can this be done in ACI? More specifically, we have one INTERNET group and one
EMAIL group. If a person is in the INTERNET group he will be allowed to
authenticate (BIND) only from the squid proxy server. Similarly, if a person
belongs to the EMAIL group he will be allowed to authenticate (BIND) only
from the email server. We are unable to achieve this type of control using
ACI. Please help.

regards
murthy

Andrey Ivanov wrote:
> You can do it like this, for example:
>
> ----------------------------------
> aci: (targetattr = "uniqueMember || uidNumber || gidNumber ||
> homeDirectory || loginShell || gecos")(version 3.0; acl "Enable
> attributes to read for certain ip adresses and to authentified users";
> allow (read,search,compare)(((ip="192.168.0.*") or (ip="172.16.191.*")
> or (ip="192.168.1.15") or (ip="172.16.126.1")) and
> (userdn="ldap:///all"));)
> ------------------------------------
> Or you can simply use iptables...
>
>
> 2008/5/8 C.S.R.C.Murthy <murthy at barc.gov.in>:
>   
>> Hello all,
>>    I am using directory server for squid ldap authentication. Squid takes
>> username/password, binds to the directory server and if the BIND operation is
>> successful it allows the user through the proxy. My problem is how to specify an
>> ACI so that the BIND operation is allowed only from a certain IP address? ACI
>> allows me to restrict READ/SEARCH/WRITE operations but not the BIND operation.
>> Please help.
>>     
>   
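
A small model of how the `ip` and `userdn` conditions in the ACI quoted in this thread combine, and how a `groupdn` condition could be paired with `ip` for the INTERNET-group case described above. This is an added example, not code from the thread or from the directory server project; the evaluator is a simplification, and the group DN and proxy address in `INTERNET_RULE` are constructed placeholders.

```python
import re
from fnmatch import fnmatchcase
# Simplified model (an assumption, not server code): ip/userdn/groupdn tests
# joined by and/or, evaluated left to right with no and/or precedence.
TOKEN = re.compile(r'\s*(\(|\)|and\b|or\b|(ip|userdn|groupdn)\s*(!?=)\s*"([^"]*)")', re.I)
# POSTED_RULE: bind rule of the ACI quoted in the thread.
# INTERNET_RULE: constructed for illustration; DN and IP are placeholders.
POSTED_RULE = ('((ip="192.168.0.*") or (ip="172.16.191.*") or (ip="192.168.1.15") '
               'or (ip="172.16.126.1")) and (userdn="ldap:///all")')
INTERNET_RULE = ('groupdn="ldap:///cn=INTERNET,ou=Groups,dc=example,dc=com" '
                 'and ip != "192.0.2.10"')

def tokenize(rule):
    found = list(TOKEN.finditer(rule))
    if sum(len(m[0]) for m in found) != len(rule.rstrip()):
        raise ValueError("unparsable text in bind rule")
    return [(m[2].lower(), m[3], m[4].strip().lower()) if m[2] else m[1].lower()
            for m in found]

def matches(rule, client_ip, bind_dn, groups=()):
    """True if the rule matches this client; bind_dn=None means anonymous."""
    toks, member_of = tokenize(rule), {g.lower() for g in groups}
    def test(kw, op, val):
        if kw == "ip":
            hit = fnmatchcase(client_ip, val)      # "192.168.0.*" style wildcard
        elif kw == "userdn":
            hit = val == "ldap:///anyone" or (bind_dn is not None and
                  val in ("ldap:///all", "ldap:///" + bind_dn.lower()))
        else:                                      # groupdn
            hit = val.replace("ldap:///", "", 1) in member_of
        return hit if op == "=" else not hit
    def term():
        t = toks.pop(0) if toks else None
        if isinstance(t, tuple):
            return test(*t)
        if t != "(":
            raise ValueError("unexpected token in bind rule")
        v = expr()
        if not toks or toks.pop(0) != ")":
            raise ValueError("missing ) in bind rule")
        return v
    def expr():
        v = term()
        while toks and toks[0] in ("and", "or"):
            op, rhs = toks.pop(0), term()
            v = (v and rhs) if op == "and" else (v or rhs)
        return v
    result = expr()
    if toks:
        raise ValueError("trailing tokens in bind rule")
    return result
```

The model only shows which clients a bind rule selects; it makes no claim about which LDAP operations the server checks ACIs for.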
