Anyway, it is better to make "allow" ACIs, not "deny" ACIs.

As for your problem, here is what the ACIs should look like (supposing that your groups are cn=INTERNET,ou=Groups,dc=example,dc=com and cn=EMAIL,ou=Groups,dc=example,dc=com, the IP addresses of your squid server are 192.168.0.66 and 172.16.191.66, and the addresses of your email servers are 192.168.1.100 and 192.168.1.101).

Delete all the default ACIs (for anonymous/authenticated users) and choose the attributes that you want to expose (attr1, attr2...).

For INTERNET group:

aci: (targetattr = "attr1 || attr2")(version 3.0; acl "Enable attributes to read for a certain ip adresses and to authentified users";allow (read,search,compare)(((ip="192.168.0.66") or (ip="172.16.191.66")) and (groupdn = "ldap:///cn=INTERNET,ou=Groups,dc=example,dc=com"));)

For EMAIL group:

aci: (targetattr = "attr1 || attr2")(version 3.0; acl "Enable attributes to read for a certain ip adresses and to authentified users";allow (read,search,compare)(((ip="192.168.1.100") or (ip="192.168.1.101")) and (groupdn = "ldap:///cn=EMAIL,ou=Groups,dc=example,dc=com"));)

2008/5/9 C.S.R.C.Murthy <murthy at barc.gov.in>:
> Dear Andrey,
> I did not make clear one point here. My exact ACI requirement is like this: I need to deny bind operation when the connecting DN belongs to a certain group and the request is coming from a certain IP address. How to do it in ACI? More specifically, we have one INTERNET group and one EMAIL group. If a person is in INTERNET group he will be allowed to authenticate (BIND) only from squid proxy server. Similarly, if a person belongs to EMAIL group he will be allowed to authenticate (BIND) only from email server. We are unable to achieve this type of control using ACI. Please help.
>
> regards
> murthy
>
> Andrey Ivanov wrote:
>>
>> You can do it like this, for example:
>>
>> ----------------------------------
>> aci: (targetattr = "uniqueMember || uidNumber || gidNumber || homeDirectory || loginShell || gecos")(version 3.0; acl "Enable attributes to read for certain ip adresses and to authentified users"; allow (read,search,compare)(((ip="192.168.0.*") or (ip="172.16.191.*") or (ip="192.168.1.15") or (ip="172.16.126.1")) and (userdn="ldap:///all"));)
>> ------------------------------------
>> Or you can simply use iptables...
>>
>>
>> 2008/5/8 C.S.R.C.Murthy <murthy at barc.gov.in>:
>>
>>> Hello all,
>>> I am using directory server for squid ldap authentication. Squid takes username/password, binds the directory server and if the BIND operation is successful it allows the user through proxy. My problem is how to specify an ACI so that BIND operation is allowed only from certain IP address? ACI allows me to restrict READ/SEARCH/WRITE operations but not BIND operation. Please help.
>>>
>>
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
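As an added illustration (not code from the thread), the following Python renders allow-only ACIs of the shape described above, emits them as an LDIF modify, and evaluates which (source address, group) combinations end up permitted once the default ACIs are removed. Group DNs and addresses are the thread's hypothetical ones; the attribute names and rule labels are constructed, and the helper accepts only literal addresses, not the `*` wildcard form used in the earlier reply.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable

@dataclass(frozen=True)
class AllowRule:
    """One allow-only ACI: members of group_dn, connecting from client_ips,
    may read/search/compare the listed attributes. Nothing else is granted."""
    name: str
    group_dn: str
    client_ips: tuple
    attrs: tuple

def build_aci(rule: AllowRule) -> str:
    """Render the ACI in the (ip ...) and (groupdn ...) form used on the list."""
    for ip in rule.client_ips:
        ipaddress.ip_address(ip)  # reject typos before they reach the directory
    ip_clause = " or ".join(f'(ip="{ip}")' for ip in rule.client_ips)
    target = " || ".join(rule.attrs)
    return (f'(targetattr = "{target}")(version 3.0; acl "{rule.name}"; '
            f'allow (read,search,compare)(({ip_clause}) and '
            f'(groupdn = "ldap:///{rule.group_dn}"));)')

def to_ldif(suffix: str, rules: Iterable[AllowRule]) -> str:
    """LDIF 'modify' that adds one aci value per rule to the suffix entry."""
    lines = [f"dn: {suffix}", "changetype: modify"]
    for i, rule in enumerate(rules):
        if i:
            lines.append("-")
        lines += ["add: aci", f"aci: {build_aci(rule)}"]
    return "\n".join(lines) + "\n"

def permitted(rules: Iterable[AllowRule], client_ip: str, member_of: set) -> bool:
    """Allow-only evaluation: with the default ACIs gone, access exists only
    when some rule matches both the source address and a group of the bind DN."""
    return any(client_ip in r.client_ips and r.group_dn in member_of for r in rules)

# Constructed sample data mirroring the thread's hypothetical groups and addresses.
GROUPS = "ou=Groups,dc=example,dc=com"
INTERNET = AllowRule("INTERNET via squid", f"cn=INTERNET,{GROUPS}",
                     ("192.168.0.66", "172.16.191.66"), ("uid", "cn"))
EMAIL = AllowRule("EMAIL via mail servers", f"cn=EMAIL,{GROUPS}",
                  ("192.168.1.100", "192.168.1.101"), ("uid", "cn"))
RULES = (INTERNET, EMAIL)

if __name__ == "__main__":
    print(to_ldif("dc=example,dc=com", RULES))
```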