On Wed, 2016-11-16 at 13:30 +0000, Mehdi Sarmadi wrote:
> Hello
>
>
> In 389ds ACI, many operations like search,read,write,... can be restricted based on evaluating time, ip, dns name, authenticated user and some other conditions.
>
>
> We have multiple applications which authenticate(bind only) their users with a Directory (389ds).
>
>
> I need to restrict users from logging on applications based on a policy. For example UserA could be logged on App1, and not App2, and so on.
> For that I'm looking for a feature that could be helpful.
Is this just "who is allowed to access appX" or is it "while logged into
A you cannot login to B?"
Anyway, my advice is use groups and memberof if it's the first case.
Add the users to groups IE:
objectClass: groupOfNames
member: uid=user,ou=People,dc=....
Then if you have the memberOf plugin enabled, you want to run the fixup
task initially.
Once done, you should see:
dn: uid=william,ou=People,dc=...
uid: william
objectClass: inetUser <<-- Your users MUST have this objectClass
to accept the memberof attr.
memberOf: cn=network_admins,ou=Groups,dc=...
Now you can filter in your application config based on:
ldap_auth_filter = '(memberOf=cn=network_admins,ou=Groups,dc=...)'
Hope that helps.
>
>
> 1.
> I thought of a feature in ACI, in which ACI could be defined on Bind operations, too. For example we could define an ACI saying users with a filter, say (attributeA=App1) or (objectClass=App1User) and fromIP restriction(of the server of application App1), allows or denies binding of users. And users + apps which are not match in the criteria could not login(they will get err=49 or Invalid Credential), and those who match could login.
>
>
> 2.
> I thought of another solution, too, in which by putting users in dynamic containers which have bind feature. For example there is a certain type of OU which is dynamically filled by users that has certain characteristic,
> - OU=App1,DC=domain,DC=com contains users with (attributeA=App1) or (objectClass=App1User).
> - OU=App2,DC=domain,DC=com contains users with (attributeA=App2) or (objectClass=App1User).
>
>
> In this case I can tell app1 to authenticate UserA against its own OU=App1,DC=domain,DC=com contains users, and app2 against OU=App2,DC=domain,DC=com.
>
>
>
>
> I'm wondering if anyone has any idea or had been in the same place.
>
>
> Thanks
> _______________________________________________ 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
--
Sincerely,
William Brown
Software Engineer
Red Hat, Brisbane
Attachment:
signature.asc
Description: This is a digitally signed message part
_______________________________________________ 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
