[Fedora-directory-users] How to control the BIND operation using ACI

Andrey Ivanov andrey.ivanov at polytechnique.fr
Sat May 10 10:41:21 UTC 2008


As far as I can see, making a quick Google search, squid can do
authorisation using LDAP filters and groups; for example, look at this
page:
http://linux.com.hk/penguin/man/8/squid_ldap_group.html

or here :
http://linux.die.net/man/8/squid_ldap_auth


2008/5/10  <murthy at barc.gov.in>:
> Hi,
>  Thanks for the confirmation. Applications like squid are not doing any
>  read/search/compare to verify authentication, but simply doing a BIND
>  operation. I think the directory server may incorporate some form of BIND
>  control feature.
>
>  regards
>  murthy
>
>
> > Yes, I think that there is no way to deny a BIND depending on the
>  > group and originating IP condition. You can however deny any other
>  > access (read/compare/search). Depending on the filter you define for
>  > squid/sendmail/php web page (even the simplest objectClass=*)  these
>  > conditions are equivalent (the ldapsearch will bind but it will always
>  > return an empty set)...
>  >
>  >
>  > 2008/5/9 C.S.R.C.Murthy <murthy at barc.gov.in>:
>  >> Hi Andrey,
>  >>   As a first step, according to your suggestion, I have removed the
>  >> default ACIs for anonymous and authenticated users. With this I expected
>  >> that squid will not be able to BIND to the directory server, as the
>  >> default ACI action should be DENY in case there is no matching rule. But
>  >> it is able to successfully BIND when I give a proper login/password. If I
>  >> am not able to deny the BIND operation when there are no
>  >> anonymous/authenticated ACIs, then I will never be able to control BIND
>  >> access, I assume. Please clarify.
>  >>
>  >>
>  >>
>  >>  regards
>  >>  murthy
>  >>
>  >>  Andrey Ivanov wrote:
>  >>
>  >> > Anyway it is better to make the "allow" ACIs, not "deny" ACIs.
>  >> >
>  >> > As for your problem, here is what the ACIs should look like (supposing
>  >> > that your groups are cn=INTERNET,ou=Groups,dc=example,dc=com and
>  >> > cn=EMAIL,ou=Groups,dc=example,dc=com, the IP addresses of your squid
>  >> > server are 192.168.0.66 and 172.16.191.66, and the addresses of your
>  >> > email servers are 192.168.1.100 and 192.168.1.101)
>  >> >
>  >> > Delete all the default ACIs (for anonymous/authenticated users) and
>  >> > choose the attributes that you want to expose (attr1, attr2...)
>  >> >
>  >> > For INTERNET group :
>  >> > aci: (targetattr = "attr1 || attr2")(version 3.0; acl "Enable
>  >> > attributes to read for a certain ip adresses and to authentified
>  >> > users";allow (read,search,compare)(((ip="192.168.0.66") or
>  >> > (ip="172.16.191.66")) and (groupdn =
>  >> > "ldap:///cn=INTERNET,ou=Groups,dc=example,dc=com"));)
>  >> >
>  >> >
>  >> > For EMAIL group :
>  >> > aci: (targetattr = "attr1 || attr2")(version 3.0; acl "Enable
>  >> > attributes to read for a certain ip adresses and to authentified
>  >> > users";allow (read,search,compare)(((ip="192.168.1.100") or
>  >> > (ip="192.168.1.101")) and (groupdn =
>  >> > "ldap:///cn=EMAIL,ou=Groups,dc=example,dc=com"));)
>  >> >
>  >> > 2008/5/9 C.S.R.C.Murthy <murthy at barc.gov.in>:
>  >> >
>  >> >
>  >> > > Dear Andrey,
>  >> > >  I did not make clear one point here. My exact ACI requirement is
>  >> > > like this: I need to deny the bind operation when the connecting DN
>  >> > > belongs to a certain group and the request is coming from a certain
>  >> > > IP address. How to do it in ACI? More specifically, we have one
>  >> > > INTERNET group and one EMAIL group. If a person is in the INTERNET
>  >> > > group he will be allowed to authenticate (BIND) only from the squid
>  >> > > proxy server. Similarly, if a person belongs to the EMAIL group he
>  >> > > will be allowed to authenticate (BIND) only from the email server.
>  >> > > We are unable to achieve this type of control using ACI. Please help.
>  >> > >
>  >> > > regards
>  >> > > murthy
>  >> > >
>  >> > > Andrey Ivanov wrote:
>  >> > >
>  >> > >
>  >> > > > You can do it like this, for example :
>  >> > > >
>  >> > > > ----------------------------------
>  >> > > > aci: (targetattr = "uniqueMember || uidNumber || gidNumber ||
>  >> > > > homeDirectory || loginShell || gecos")(version 3.0; acl "Enable
>  >> > > > attributes to read for certain ip adresses and to authentified users";
>  >> > > > allow (read,search,compare)(((ip="192.168.0.*") or
>  >> > > > (ip="172.16.191.*") or (ip="192.168.1.15") or (ip="172.16.126.1")) and
>  >> > > > (userdn="ldap:///all"));)
>  >> > > > ------------------------------------
>  >> > > > Or you can simply use iptables...
>  >> > > >
>  >> > > >
>  >> > > > 2008/5/8 C.S.R.C.Murthy <murthy at barc.gov.in>:
>  >> > > >
>  >> > > >
>  >> > > >
>  >> > > > > Hello all,
>  >> > > > >  I am using directory server for squid LDAP authentication. Squid
>  >> > > > > takes username/password, binds to the directory server and if the
>  >> > > > > BIND operation is successful it allows the user through the proxy.
>  >> > > > > My problem is how to specify an ACI so that the BIND operation is
>  >> > > > > allowed only from certain IP addresses? ACI allows me to restrict
>  >> > > > > READ/SEARCH/WRITE operations but not the BIND operation.
>
> > --
> > Fedora-directory-users mailing list
> > Fedora-directory-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-directory-users
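As an added example (not from the thread or from any of its participants), here is the squid-side group check that the post above points to, written as a squid.conf fragment. The helper paths under /usr/lib/squid, the host ldap.example.com, the ou=People and ou=Groups subtrees, groupOfUniqueNames groups, the service account cn=squid-svc and its placeholder password are all assumptions; the group name INTERNET is the one from the thread.

```conf
# /etc/squid/squid.conf fragment (added example; hostnames, paths, DNs and
# the bind password are assumptions, not values taken from the thread)

# 1. Authentication: squid_ldap_auth BINDs to the directory as the user.
#    As the thread concludes, an ACI cannot refuse this BIND, so this step
#    only proves that the password is correct.
auth_param basic program /usr/lib/squid/squid_ldap_auth -b "ou=People,dc=example,dc=com" -f "(uid=%s)" -h ldap.example.com
auth_param basic children 5
auth_param basic realm Proxy

# 2. Authorisation: squid_ldap_group checks that the authenticated login
#    (%u) is a uniqueMember of the group named in the acl line (%g).
#    The helper binds with its own service account (assumed DN and
#    placeholder password); the allow-only ACIs from the thread must let
#    that account read uniqueMember from the squid host's IP address,
#    otherwise the lookup returns nothing and every user is refused.
external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -b "ou=Groups,dc=example,dc=com" -h ldap.example.com -D "cn=squid-svc,ou=Services,dc=example,dc=com" -w CHANGE-ME -f "(&(objectClass=groupOfUniqueNames)(cn=%g)(uniqueMember=uid=%u,ou=People,dc=example,dc=com))"

acl authenticated proxy_auth REQUIRED
acl internet_members external ldap_group INTERNET

# Deny by default: a user whose password BINDs fine but who is only in the
# EMAIL group fails the group check and never gets through the proxy.
http_access allow authenticated internet_members
http_access deny all
```

The directory still accepts the BIND from any user, but the proxy only grants access to members of INTERNET; the email server would carry the equivalent check against EMAIL. Combined with the allow-only read/search/compare ACIs with ip= bind rules given earlier in the thread, a user in the wrong group connecting from the wrong host can bind, but the application refuses him and the directory returns him nothing. A useful check after deploying this is to log in with a password-valid account that is not in INTERNET and confirm that squid returns 403 rather than letting the request through.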