Re: How to Restrict user authentication per application?


On Mon, 2016-11-21 at 10:19 +0000, msarmadi@xxxxxxxxxxxxxx wrote:
> Thank you. You are right about one problem.
> 
> However, I believe what you are proposing is not a solution to the problem I'm talking about, simply because, in the problem I'm addressing, I can't, and it is not possible to, use your method.
> 
> As I said, not all of the applications we are using support search or group checks. It is for those which do not support your method that I posted this problem. Your solution does not address this problem; it is for the case in which the application supports those things.
> 

No, look. There are two ways to check.

First is where the application does a search for the group, and checks
the dn is in the member attribute.

But *every* application will have a userfilter, yes? In that filter, if
you have the memberOf plugin turned on, you are filtering on an
attribute of the user that is their membership of a group, i.e.

uid: user1
memberOf: cn=groupa,ou=Groups,dc=....

Because you are asking about filtering, obviously you have filtering
capability on the users. Just look at the memberOf plugin, and you can then
filter on the user's memberOf attribute that shows what groups they are
in.

Are you telling me that your application that supports LDAP does not
support a user filter configuration option?

> -
> Additionally, to support my idea of an ACI on bind, I think having an ACI on the bind operation, just like the others (read, write, ...), has many advantages. I could talk about many things, like improved security. For example, think of an environment in which you want to protect your directory from unwanted access, even "bind", based on a policy, time or IP for example.
> 
> Please note that this mechanism is available in some other products, and also some vendors have developed a policy-aware directory or a proxy which adds those to the simple directory (e.g. NetIQ eDirectory or an LDAP proxy). I mean this need/requirement is real and natural.
> 

You already can control bind by time and IP in the directory, but not
easily in combination with an attribute, I don't think. Plus ACIs are not
the answer here IMO.


> _______________________________________________
> 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx

-- 
Sincerely,

William Brown
Software Engineer
Red Hat, Brisbane


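The approach William describes above, worked through as an added example (this is not code from the mailing-list post or from 389 Directory Server): a hypothetical application that takes a userfilter with a %u placeholder, searches with it, and binds as the single DN returned. The directory entries are constructed sample data shaped like what the memberOf plugin produces; the host name, base DN and group DNs are assumptions. Because the search returns nothing for a user outside the group, no bind is attempted at all, which is what restricts authentication per application even when the application cannot do a group search itself. The example also escapes the substituted username per RFC 4515, the check a practitioner wants before putting a user-supplied value into a filter.

```python
"""Per-application access via a userfilter on memberOf (added example)."""
import re
import shlex

# Constructed entries, not output from a real directory. The memberOf
# plugin presents group membership as DN values on the user entry.
ENTRIES = [
    {"dn": "uid=user1,ou=People,dc=example,dc=com", "uid": ["user1"],
     "memberOf": ["cn=groupa,ou=Groups,dc=example,dc=com"]},
    {"dn": "uid=user2,ou=People,dc=example,dc=com", "uid": ["user2"],
     "memberOf": ["cn=groupb,ou=Groups,dc=example,dc=com"]},
    {"dn": "uid=user3,ou=People,dc=example,dc=com", "uid": ["user3"],
     "memberOf": []},
]


def escape_filter_value(value):
    """RFC 4515 escaping of a value substituted into a filter, so a
    username such as 'x)(uid=admin' cannot rewrite the filter."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def user_filter(group_dn):
    """The userfilter to configure in an application that only members
    of group_dn may use. %u is the hypothetical app's username placeholder."""
    return "(&(uid=%u)(memberOf={}))".format(group_dn)


def render_filter(template, username):
    return template.replace("%u", escape_filter_value(username))


def normalize_dn(dn):
    # Simplified DN comparison (case-fold, drop spaces after commas);
    # a real server applies DN syntax matching rules.
    return re.sub(r",\s*", ",", dn.strip()).lower()


def parse_and_filter(flt):
    """Parse the restricted shape '(&(attr=value)...)' used above."""
    m = re.fullmatch(r"\(&((?:\([^()]*\))+)\)", flt)
    if not m:
        raise ValueError("only (&(a=v)(b=v)...) filters are handled here")
    pairs = re.findall(r"\(([A-Za-z][\w-]*)=([^()]*)\)", m.group(1))
    return [(attr, unescape_filter_value(val)) for attr, val in pairs]


def search(entries, flt):
    """DNs of entries matching flt. Attribute names are case-insensitive;
    uid compares case-insensitively, memberOf compares as DNs."""
    conditions = parse_and_filter(flt)
    hits = []
    for entry in entries:
        attrs = {k.lower(): v for k, v in entry.items() if k != "dn"}
        ok = True
        for attr, want in conditions:
            values = attrs.get(attr.lower(), [])
            if attr.lower() == "memberof":
                found = any(normalize_dn(v) == normalize_dn(want) for v in values)
            else:
                found = any(v.lower() == want.lower() for v in values)
            if not found:
                ok = False
                break
        if ok:
            hits.append(entry["dn"])
    return hits


def app_bind_dn(entries, template, username):
    """DN the application would bind as, or None when the userfilter
    search does not return exactly one entry (login is then rejected
    without any bind being attempted)."""
    dns = search(entries, render_filter(template, username))
    return dns[0] if len(dns) == 1 else None


def ldapsearch_command(base, template, username,
                       host="ldap://ldap.example.com"):
    """Command to check the rendered filter against a real server
    (hypothetical host and base DN)."""
    flt = render_filter(template, username)
    return "ldapsearch -x -H {} -b {} {} dn memberOf".format(
        shlex.quote(host), shlex.quote(base), shlex.quote(flt))


if __name__ == "__main__":
    app_a = user_filter("cn=groupa,ou=Groups,dc=example,dc=com")
    for user in ("user1", "user2", "user3", "user1)(uid=user2"):
        print(user, "->", app_bind_dn(ENTRIES, app_a, user))
    print(ldapsearch_command("ou=People,dc=example,dc=com", app_a, "user1"))
```

Each application gets its own group DN in its userfilter; a user not in that group is invisible to that application's search, so the application never reaches the bind step. The DN normalisation here is a simplification of the server's DN matching, and the filter parser handles only the AND-of-equalities shape the userfilter uses.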
