On Tue, Sep 25, 2012 at 7:31 PM, Grzegorz Dwornicki <gd1100@xxxxxxxxx> wrote:
I have to admit I thought that the access log for the webapp would show an anomaly, but I was wrong. If ldapsearch does not bind, please show us the logs of these. Maybe comparing the logs will tell us something...
Greg.
On 25 Sep 2012 at 20:17, "Satish Patel" <satish.txt@xxxxxxxxx> wrote:
Ah! I was testing multiple users. test and test4 both have the ACL and have the same problem.
On Tue, Sep 25, 2012 at 2:16 PM, Patrick Morris <patrick.morris@xxxxxx> wrote:
Your ACL specifies "uid=test," but that bind was done with "test4".
On 9/25/2012 11:07 AM, Satish Patel wrote:
This is what I got in the access logs.
[25/Sep/2012:14:04:36 -0400] conn=497 fd=75 slot=75 connection from 10.101.100.236 to 10.10.52.10
[25/Sep/2012:14:04:36 -0400] conn=497 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[25/Sep/2012:14:04:36 -0400] conn=497 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[25/Sep/2012:14:04:36 -0400] conn=497 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(&(uid=test4)(objectClass=person))" attrs="1.1"
[25/Sep/2012:14:04:36 -0400] conn=497 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[25/Sep/2012:14:04:36 -0400] conn=498 fd=76 slot=76 connection from 10.101.100.236 to 10.10.52.10
[25/Sep/2012:14:04:36 -0400] conn=497 op=2 UNBIND
[25/Sep/2012:14:04:36 -0400] conn=497 op=2 fd=75 closed - U1
[25/Sep/2012:14:04:36 -0400] conn=498 op=0 BIND dn="uid=test4,ou=People,dc=example,dc=com" method=128 version=3
[25/Sep/2012:14:04:36 -0400] conn=498 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=test4,ou=people,dc=example,dc=com"
[25/Sep/2012:14:04:36 -0400] conn=498 op=1 UNBIND
On Tue, Sep 25, 2012 at 1:46 PM, Grzegorz Dwornicki <gd1100@xxxxxxxxx> wrote:
Can you provide logs from FDS when you are trying to login via application?
Greg.
On 25 Sep 2012 at 19:27, "Satish Patel" <satish.txt@xxxxxxxxx> wrote:
Hello ALL,
I have a web-based application, and users authenticate to the web application using Directory Service (FDS). I want to restrict some users so they are not allowed to log in, so I have implemented a host-based deny ACL. But somehow it doesn't work. Maybe I am missing something. This is the ACL I have:
(targetattr = "*") (version 3.0;acl "Host ACL";deny (all)(userdn = "ldap:///uid=test,ou=People,dc=example,dc=com") and (ip="10.101.100.236");)
But the interesting thing is, it works with ldapsearch but not with the web application?
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
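
Following the suggestion at the top of the thread to compare logs, this added example (not code from any poster or from the 389 project) groups the quoted access-log lines by connection and lists each bind that issued no operation before UNBIND. The function names are hypothetical, the sample is constructed from the lines quoted in the thread, and bind results (err=) are not checked.

```python
import re

# Constructed sample: access-log lines copied from the thread above.
SAMPLE_LOG = '''\
[25/Sep/2012:14:04:36 -0400] conn=497 fd=75 slot=75 connection from 10.101.100.236 to 10.10.52.10
[25/Sep/2012:14:04:36 -0400] conn=497 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[25/Sep/2012:14:04:36 -0400] conn=497 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[25/Sep/2012:14:04:36 -0400] conn=497 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(&(uid=test4)(objectClass=person))" attrs="1.1"
[25/Sep/2012:14:04:36 -0400] conn=497 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[25/Sep/2012:14:04:36 -0400] conn=498 fd=76 slot=76 connection from 10.101.100.236 to 10.10.52.10
[25/Sep/2012:14:04:36 -0400] conn=497 op=2 UNBIND
[25/Sep/2012:14:04:36 -0400] conn=497 op=2 fd=75 closed - U1
[25/Sep/2012:14:04:36 -0400] conn=498 op=0 BIND dn="uid=test4,ou=People,dc=example,dc=com" method=128 version=3
[25/Sep/2012:14:04:36 -0400] conn=498 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=test4,ou=people,dc=example,dc=com"
[25/Sep/2012:14:04:36 -0400] conn=498 op=1 UNBIND
'''

LINE = re.compile(r'^\[[^\]]+\] conn=(\d+) (?:op=-?\d+ )?(.*)$')
CLIENT = re.compile(r'connection from (\S+) to ')
BIND = re.compile(r'BIND dn="([^"]*)"')          # match() anchors at start, so UNBIND is skipped
OPS = re.compile(r'(SRCH|CMP|MOD|ADD|DEL|MODRDN|EXT)\b')

def summarize(log_text):
    """Group lines by conn=N: client IP, then each bind DN with the operations issued under it."""
    conns = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        conn = conns.setdefault(int(m.group(1)), {"client": None, "binds": []})
        rest = m.group(2)
        if CLIENT.search(rest):
            conn["client"] = CLIENT.search(rest).group(1)
        elif BIND.match(rest):
            conn["binds"].append({"dn": BIND.match(rest).group(1).lower(), "ops": []})
        elif OPS.match(rest):
            if not conn["binds"]:                 # operation before any BIND: anonymous
                conn["binds"].append({"dn": "", "ops": []})
            conn["binds"][-1]["ops"].append(OPS.match(rest).group(1))
    return conns

def bind_only(conns):
    """Return (conn, client, dn) for every bind that was followed by no operation."""
    return [(n, c["client"], b["dn"])
            for n, c in sorted(conns.items())
            for b in c["binds"] if not b["ops"]]

if __name__ == "__main__":
    print(bind_only(summarize(SAMPLE_LOG)))
```

On the quoted log this returns only conn=498: the bind as uid=test4 from 10.101.100.236, which is followed directly by UNBIND, while conn=497 (Directory Manager) is the connection that ran the SRCH.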