[Fedora-directory-users] How to control the BIND operation using ACI

Andrey Ivanov andrey.ivanov at polytechnique.fr
Fri May 9 18:37:03 UTC 2008


Yes, I think that there is no way to deny a BIND depending on the
group and originating IP condition. You can however deny any other
access (read/compare/search). Depending on the filter you define for
squid/sendmail/php web page (even the simplest objectClass=*) these
conditions are equivalent (the ldapsearch will bind but it will always
return an empty set)...


2008/5/9 C.S.R.C.Murthy <murthy at barc.gov.in>:
> Hi Andrey,
>   As a first step, according to your suggestion, I have removed the default
> ACIs for anonymous and authenticated users. With this I expected that squid
> will not be able to BIND to the directory server as the default ACI action
> should be DENY in case there is no matching rule. But it is able to
> successfully BIND when I give proper login/password. If I am not able to
> deny BIND operation when there are no anonymous/authenticated ACI, then I
> will never be able to control BIND access, I assume. Please clarify.
>
>
>
>  regards
>  murthy
>
>  Andrey Ivanov wrote:
>
> > Anyway it is better to make the "allow" ACIs, not "deny" ACIs.
> >
> > As for your problem, here is what the ACIs should look like (supposing
> > that your groups are cn=INTERNET,ou=Groups,dc=example,dc=com and
> > cn=EMAIL,ou=Groups,dc=example,dc=com, IP addresses of your squid server
> > are 192.168.0.66 and 172.16.191.66, addresses of your email servers
> > 192.168.1.100 and 192.168.1.101)
> >
> > Delete all the default ACIs (for anonymous/authenticated users) and
> > choose the attributes that you want to expose (attr1, attr2...)
> >
> > For INTERNET group :
> > aci: (targetattr = "attr1 || attr2")(version 3.0; acl "Enable
> > attributes to read for a certain ip adresses and to authentified
> > users";allow (read,search,compare)(((ip="192.168.0.66") or
> > (ip="172.16.191.66")) and (groupdn =
> > "ldap:///cn=INTERNET,ou=Groups,dc=example,dc=com"));)
> >
> >
> > For EMAIL group :
> > aci: (targetattr = "attr1 || attr2")(version 3.0; acl "Enable
> > attributes to read for a certain ip adresses and to authentified
> > users";allow (read,search,compare)(((ip="192.168.1.100") or
> > (ip="192.168.1.101")) and (groupdn =
> > "ldap:///cn=EMAIL,ou=Groups,dc=example,dc=com"));)
> >
> > 2008/5/9 C.S.R.C.Murthy <murthy at barc.gov.in>:
> >
> >
> > > Dear Andrey,
> > >  I did not make clear one point here. My exact ACI requirement is like
> > > this, I need to deny bind operation when the connecting DN belongs to
> > > certain group and the request is coming from certain ip address. How to
> > > do it in ACI?. More specifically we have one INTERNET group and one EMAIL
> > > group. If a person is in INTERNET group he will be allowed to
> > > authenticate (BIND) only from squid proxy server. Similarly if a person
> > > belongs to EMAIL group he will be allowed to authenticate (BIND) only
> > > from email server. We are unable to achieve this type of control using
> > > ACI. Please help.
> > >
> > > regards
> > > murthy
> > >
> > > Andrey Ivanov wrote:
> > >
> > >
> > > > You can do it like this, for example :
> > > >
> > > > ----------------------------------
> > > > aci: (targetattr = "uniqueMember || uidNumber || gidNumber ||
> > > > homeDirectory ||  loginShell || gecos")(version 3.0; acl "Enable
> > > > attributes to read for certain ip adresses and to authentified users";
> > > > allow (read,search,compare)(((ip="192.168.0.*") or (ip="172.16.191.*
> > > > ") or (ip="192.168.1.15") or (ip="172.16.126.1")) and
> > > > (userdn="ldap:///all"));)
> > > > ------------------------------------
> > > > Or you can simply use iptables...
> > > >
> > > >
> > > > 2008/5/8 C.S.R.C.Murthy <murthy at barc.gov.in>:
> > > >
> > > >
> > > >
> > > > > Hello all,
> > > > >  I am using directory server for squid ldap authentication. Squid
> > > > > takes username/password, binds the directory server and if the BIND
> > > > > operation is successful it allows the user through proxy. My problem
> > > > > is how to specify an ACI so that BIND operation is allowed only from
> > > > > certain IP address?. ACI allows me to restrict READ/SEARCH/WRITE
> > > > > operations but not BIND operation.
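The decision logic the thread converges on, as an added example that is not part of the original mailing-list post and not 389/Fedora Directory Server code: a simplified model in which a BIND with valid credentials always succeeds (ACIs cannot gate it), and the effective access control is the search that follows it, which returns the entry only if an allow ACI matches the client IP and the bound user's group. The ACI names, IP lists and group DNs are the ones from Andrey's message; the `ip` wildcard matching with `fnmatch` is an assumption that approximates the server's `ip="192.168.0.*"` syntax, not its actual implementation.

```python
"""Model of 'bind always succeeds, search is the gate' (constructed example).

This is not server code. It reproduces the reasoning in the thread: squid binds
with the user's credentials, then searches; with all default ACIs removed and
only the two allow ACIs below in place, the search returns an empty set unless
the client IP and group membership both match, so squid denies the user.
"""
import fnmatch
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class Aci:
    name: str
    rights: Set[str]
    ips: List[str]              # exact addresses or patterns such as "192.168.0.*"
    groupdn: Optional[str]      # group the bound user must belong to; None = any user


# The two allow ACIs from the thread (no deny ACIs, as advised there).
ACIS = [
    Aci("INTERNET", {"read", "search", "compare"},
        ["192.168.0.66", "172.16.191.66"],
        "cn=INTERNET,ou=Groups,dc=example,dc=com"),
    Aci("EMAIL", {"read", "search", "compare"},
        ["192.168.1.100", "192.168.1.101"],
        "cn=EMAIL,ou=Groups,dc=example,dc=com"),
]


def ip_matches(pattern: str, client_ip: str) -> bool:
    """Assumed approximation of the ACI ip keyword: '*' matches any trailing octets."""
    return fnmatch.fnmatchcase(client_ip, pattern)


def bind_allowed(valid_credentials: bool) -> bool:
    """ACIs do not apply to BIND: correct credentials always bind, wrong ones never do."""
    return valid_credentials


def rights_granted(client_ip: str, user_groups: Set[str], acis=ACIS) -> Set[str]:
    """Union of rights from every allow ACI whose (ip ... and groupdn ...) rule matches."""
    granted: Set[str] = set()
    for aci in acis:
        ip_ok = any(ip_matches(p, client_ip) for p in aci.ips)
        group_ok = aci.groupdn is None or aci.groupdn in user_groups
        if ip_ok and group_ok:
            granted |= aci.rights
    return granted


def squid_style_check(valid_credentials: bool, client_ip: str,
                      user_groups: Set[str]) -> str:
    """Bind, then search with objectClass=*; the user passes only if the search
    returns their entry, i.e. only if read and search were granted."""
    if not bind_allowed(valid_credentials):
        return "bind-failed"
    if {"read", "search"} <= rights_granted(client_ip, user_groups):
        return "allowed"
    # The bind succeeded, but the search comes back empty: squid rejects the user.
    return "bind-ok-but-empty-search"


if __name__ == "__main__":
    internet = {"cn=INTERNET,ou=Groups,dc=example,dc=com"}
    print(squid_style_check(True, "192.168.0.66", internet))   # allowed
    print(squid_style_check(True, "192.168.1.100", internet))  # bind-ok-but-empty-search
    print(squid_style_check(False, "192.168.0.66", internet))  # bind-failed
```

The second call is the case Murthy asked about: an INTERNET user binding from the email server's address. The bind itself cannot be refused, but the follow-up search is empty, so the application that relies on a non-empty result denies access; if the application only checks the bind result, this scheme gives no protection and network-level filtering (iptables, as mentioned in the thread) is the remaining option.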
