> On Mon, 2016-11-21 at 10:19 +0000, msarmadi(a)arissystem.com wrote:
>
> No, look. There are two ways to check.
>
> First is where the application does a search for the group, and checks
> the dn is in the member attribute.
>
> But *every* application will have a userfilter yes? In that filter, if
> you have the memberOf plugin turned on, you are filtering on an
> attribute of the user that is their membership to a group. IE
>
> uid: user1
> memberOf: cn=groupa,ou=Groups,dc=....
>
> Because you are asking about filtering, obviously you have filtering
> capability on the users. Just look at memberOf plugin, and you can then
> filter on the users memberOf attribute that shows what group they are
> in.

Already, we are using all of what you are suggesting. The problem is:

- Some applications are not using filters along with bind to control user login - for some reasons (e.g. not having the capability, not being designed to get a user list, or not needing to keep things about users; or you can't count on applications to be reliable in accessing the directory correctly, but you need to control things centrally)
- LDAP should be able to protect itself, and have more mature policies in access control, even for the bind operation. For example, think of an environment in which a system or application is compromised, or has malware, or something like that. In that situation we should be able to protect the directory with at least a bind operation ACL, and if possible with more mature access policies.

>
> Are you telling me that your application that supports ldap does not
> support a user filter configuration option?
>
> You already can control bind by time and ip in the directory,

Would you please let us know how?

> but not
> easily at the same time as attribute I don't think. Plus aci's are not
> the answer here IMO.

So, do you think of any other methods?
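
The two login styles discussed in this thread, contrasted in an added example that is not part of the original message or of 389 Directory Server. The `dc=example,dc=com` suffix, the entries, passwords and all function names are constructed, and an in-memory dict stands in for the directory.

```python
# Constructed in-memory directory; models the server side, not a real LDAP client.
BASE = "dc=example,dc=com"  # assumed suffix
GROUP_A = f"cn=groupa,ou=Groups,{BASE}"
DIRECTORY = {
    f"uid=user1,ou=People,{BASE}": {"uid": "user1", "password": "pw1", "memberOf": [GROUP_A]},
    f"uid=user2,ou=People,{BASE}": {"uid": "user2", "password": "pw2", "memberOf": []},
}

def escape_filter_value(value: str) -> str:
    """Escape RFC 4515 special characters so user input cannot change the filter."""
    out = value.replace("\\", "\\5c")  # backslash first, before adding escapes
    for ch, esc in (("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\x00", "\\00")):
        out = out.replace(ch, esc)
    return out

def user_filter(uid: str, group_dn: str) -> str:
    """The user filter an application would send when it supports one."""
    return f"(&(uid={escape_filter_value(uid)})(memberOf={escape_filter_value(group_dn)}))"

def search(uid, group_dn=None):
    """Model of the server evaluating (&(uid=..)(memberOf=..)); returns matching DNs."""
    hits = []
    for dn, entry in DIRECTORY.items():
        if entry["uid"] != uid:
            continue
        if group_dn and group_dn.lower() not in (g.lower() for g in entry["memberOf"]):
            continue
        hits.append(dn)
    return hits

def simple_bind(dn, password):
    """Succeeds only for a known DN with a non-empty, matching password."""
    entry = DIRECTORY.get(dn)
    return bool(password) and entry is not None and entry["password"] == password

def login_bind_only(uid, password):
    """Application that binds from a DN template: group membership is never checked."""
    return simple_bind(f"uid={uid},ou=People,{BASE}", password)

def login_search_then_bind(uid, password, group_dn=GROUP_A):
    """Application that applies the memberOf user filter first, then binds as the hit."""
    hits = search(uid, group_dn)
    return len(hits) == 1 and simple_bind(hits[0], password)
```

With these entries, `user2` (not in `groupa`) is accepted by `login_bind_only` but rejected by `login_search_then_bind`, which is the gap the reply describes for applications that bind without a filter.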