How to Restrict user authentication per application?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hello

In 389ds ACI, many operations like search,read,write,... can be restricted based on evaluating time, ip, dns name, authenticated user and some other conditions. 

We have multiple applications which authenticate(bind only) their users with a Directory (389ds). 

I need to restrict users from logging on applications based on a policy. For example UserA could be logged on App1, and not App2, and so on.
For that I'm looking for a feature that could be helpful. 

1.
I thought of a feature in ACI, in which ACI could be defined on Bind operations, too. For example we could define an ACI saying users with a filter, say (attributeA=App1) or (objectClass=App1User) and fromIP restriction(of the server of application App1), allows or denies binding of users. And users + apps which are not match in the criteria could not login(they will get err=49 or Invalid Credential), and those who match could login.

2.
I thought of another solution, too, in which by putting users in dynamic containers which have bind feature. For example there is a certain type of OU which is dynamically filled by users that has certain characteristic,
-  OU=App1,DC=domain,DC=com contains users with (attributeA=App1) or (objectClass=App1User). 
-  OU=App2,DC=domain,DC=com contains users with (attributeA=App2) or (objectClass=App1User). 

In this case I can tell app1 to authenticate UserA against its own OU=App1,DC=domain,DC=com contains users, and app2 against OU=App2,DC=domain,DC=com.


I'm wondering if anyone has any idea or had been in the same place.

Thanks
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx

[Index of Archives]     [Fedora User Discussion]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora News]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora QA]     [Fedora Triage]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Yosemite Photos]     [Linux Apps]     [Maemo Users]     [Gnome Users]     [KDE Users]     [Fedora Tools]     [Fedora Art]     [Fedora Docs]     [Maemo Users]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Fedora ARM]

  Powered by Linux