Hello
In 389ds ACIs, many operations like search, read, write, ... can be restricted based on evaluating time, IP, DNS name, the authenticated user and some other conditions.
We have multiple applications which authenticate (bind only) their users against a Directory (389ds).
I need to restrict users from logging on to applications based on a policy. For example, UserA could log on to App1 but not App2, and so on.
For that I'm looking for a feature that could be helpful.
1.
I thought of a feature in ACI, in which ACIs could be defined on Bind operations too. For example, we could define an ACI saying that users matching a filter, say (attributeA=App1) or (objectClass=App1User), with a fromIP restriction (the IP of the server of application App1), are allowed or denied to bind. Users + apps which do not match the criteria could not log in (they would get err=49, Invalid Credentials), and those who match could log in.
2.
I thought of another solution too, in which users are put in dynamic containers which have a bind feature. For example, there is a certain type of OU which is dynamically filled with users that have a certain characteristic:
- OU=App1,DC=domain,DC=com contains users with (attributeA=App1) or (objectClass=App1User).
- OU=App2,DC=domain,DC=com contains users with (attributeA=App2) or (objectClass=App1User).
In this case I can tell App1 to authenticate UserA against its own OU=App1,DC=domain,DC=com, and App2 against OU=App2,DC=domain,DC=com.
I'm wondering if anyone has any idea or has been in the same place.
Thanks
_______________________________________________ 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
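As an added example, not part of the original message or of the 389ds project itself, the LDIF below shows the 389ds syntax for the two building blocks the post refers to: an ACI combining a targetfilter with an ip bind rule, and a filtered role as a substitute for a dynamically filled OU. The suffix dc=domain,dc=com, the attribute attributeA, the App1 server address 192.0.2.10 and the names App1Role and "App1 server reads App1 users" are assumptions for illustration. One caveat a practitioner should keep in mind: 389ds evaluates ACIs for operations performed after authentication (search, read, compare, ...), not for the bind itself, so the ACI limits which entries the App1 server can find, and the login policy is only enforced if the application looks the user up (search, then bind with the DN it found) rather than binding with a DN it constructs itself.

```ldif
# Added example (not from the original post): 389ds syntax for the two
# building blocks discussed above. The suffix, attribute name, IP address
# and entry names are assumptions for illustration.

# (1) An ACI scoped by an entry filter and the client IP. It is evaluated
# for search/read/compare after a bind has succeeded, not for the bind
# itself: only a client coming from 192.0.2.10 (assumed App1 server)
# can read App1 users, so a lookup-then-bind app on another host
# cannot even locate them. Other ACIs on the suffix still apply.
dn: dc=domain,dc=com
changetype: modify
add: aci
aci: (targetfilter="(|(attributeA=App1)(objectClass=App1User))")
 (version 3.0; acl "App1 server reads App1 users";
 allow (read,search,compare)
 (userdn="ldap:///anyone") and (ip="192.0.2.10");)

# (2) A filtered role in place of a dynamically filled OU: every entry
# below dc=domain,dc=com that matches nsRoleFilter receives the virtual
# attribute nsRole: cn=App1Role,dc=domain,dc=com. An application can then
# require it in its user lookup, for example
#   (&(uid=usera)(nsRole=cn=App1Role,dc=domain,dc=com))
# and refuse to bind when the search returns no entry.
dn: cn=App1Role,dc=domain,dc=com
changetype: add
objectClass: top
objectClass: LDAPsubentry
objectClass: nsRoleDefinition
objectClass: nsComplexRoleDefinition
objectClass: nsFilteredRoleDefinition
cn: App1Role
nsRoleFilter: (|(attributeA=App1)(objectClass=App1User))
```

Both entries are applied with ldapmodify as a privileged user (for example ldapmodify -x -D "cn=Directory Manager" -W -f app1-policy.ldif). The role approach keeps users in their real OU, so the same entry can carry nsRole values for several applications without being copied around.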