Thank you Although, We are thinking of the same approach, we have proposed two other methods 1. Using views with Bind capability. Views are able to filter users in different OU's dynamically, however they do not support bind, so the half of the solution is not possible, yet. So we asked for bind capability on Views in this ticket. https://fedorahosted.org/389/ticket/49036 2. Better ACI or a new Policy capability for 389ds, which it could control bind per IP,Time,User,... https://fedorahosted.org/389/ticket/49037 If you are facing the same problem, please support these tickets.(post your views or vote for hem) Thanks > We accomplish for some applications by assigning a different proxy to each and then > control in LDAP who the proxy can see. This should work when you can't control the > logic used by the application itself. > > Deborah Crocker, PhD > Systems Engineer III > Office of Information Technology > The University of Alabama > Box 870346 > Tuscaloosa, AL 36587 > Office 205-348-3758 | Fax 205-348-9393 > deborah.crocker(a)ua.edu > > -----Original Message----- > From: msarmadi(a)arissystem.com [mailto:msarmadi@xxxxxxxxxxxxxx] > Sent: Monday, November 21, 2016 4:20 AM > To: 389-users(a)lists.fedoraproject.org > Subject: [389-users] Re: How to Restrict user authentication per application? > > Thank you, You are right about one problem. > > However, I believe what you are proposing is not a solution to the problem I'm talking > about. Just because, in the problem I'm addressing, I can't and it is not possible > to use your method. > > As I said, the applications we are using are not all of them supporting search or group > check. So for those which does not support your method, I posted this problem. Your > solution is not addressing this problem and is for the case which application supports > those things. > > - > Additionally, to support my idea of ACI on Bind, I think having ACI on Bind operation just > like others(read,write,...) has many advantages. I could talk about many things like > improve security. For example think of an environment which you want to protect your > directory from unwanted access, even "bind", based on a policy, time or ip for > example. > > Please mention that this mechanism is available in some other products, and also some > vendors have developed policy aware directory or a proxy which adds those to the simple > directory. (e.g. netiq edirectory or ldap proxy) I mean this need / requirement is actual > and natural. > > _______________________________________________ > 389-users mailing list -- 389-users(a)lists.fedoraproject.org To unsubscribe send an email > to 389-users-leave(a)lists.fedoraproject.org _______________________________________________ 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
