msarmadi@xxxxxxxxxxxxxx wrote:

> 2. Better ACI or a new Policy capability for 389ds, which could control
> bind per IP, Time, User, ...
> https://fedorahosted.org/389/ticket/49037

I have also been thinking about this for quite a while:

The problem with a BIND request is that it's not yet authenticated. It's anonymous. Therefore the only (weakly) authenticated data you have is the IP address of the LDAP client.

You would have to provide a relation in the LDAP entries expressing that a certain bind-DN is allowed to be sent from a certain IP address, and in this case grant auth access to userPassword (or other attributes used during processing of the BIND request).

Note that you're lost anyway if you're only using one account per person and you have a partially compromised infrastructure.

Ciao, Michael.
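As an added illustration of the relation Michael describes (not code from the thread, from 389-ds or from OpenLDAP), the following Python sketch evaluates a BIND request before any password is checked, using only what is known at that point: the requested bind-DN, the client's IP address and the current time. The entries and the attribute names `bindAllowedFrom` and `bindAllowedHours` are constructed for this example and are hypothetical; a real directory would have to carry such a relation in some schema of its own. The policy is deny-by-default, and the IP address is treated as the weakly authenticated hint it is, not as proof of identity.

```python
"""Pre-bind policy check (example, not part of any LDAP server).

Decides from the unauthenticated BIND request alone whether the bind for a
given DN may even proceed to the password check. Only the bind-DN, the
client address and the wall-clock time are consulted; the password is never
looked at here.
"""
import ipaddress
from datetime import datetime, time

# Constructed directory entries. 'bindAllowedFrom' (CIDR networks) and
# 'bindAllowedHours' (HH:MM-HH:MM windows) are hypothetical attribute names.
ENTRIES = {
    "uid=svc-web,ou=services,dc=example,dc=com": {
        "bindAllowedFrom": ["10.0.1.0/24", "192.0.2.10/32"],
        "bindAllowedHours": ["00:00-23:59"],
    },
    "uid=alice,ou=people,dc=example,dc=com": {
        "bindAllowedFrom": ["10.0.0.0/8"],
        "bindAllowedHours": ["07:00-19:00"],
    },
    "uid=legacy,ou=people,dc=example,dc=com": {},  # no policy attributes at all
}


def _parse_window(spec):
    """'07:00-19:00' -> (time(7, 0), time(19, 0))."""
    start, end = spec.split("-")
    h1, m1 = (int(x) for x in start.split(":"))
    h2, m2 = (int(x) for x in end.split(":"))
    return time(h1, m1), time(h2, m2)


def bind_allowed(entries, bind_dn, client_ip, now):
    """Return (allowed, reason).

    The reason is for server-side logging only; an LDAP client should receive
    the same generic invalidCredentials result whether the DN is unknown, the
    source address is wrong or the password is bad, so nothing is leaked.
    """
    entry = entries.get(bind_dn)
    if entry is None:
        return False, "unknown bind-DN"

    # No explicit relation between this DN and any client network: deny.
    nets = entry.get("bindAllowedFrom")
    if not nets:
        return False, "entry carries no bindAllowedFrom policy"

    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False, "unparsable client address"
    if not any(addr in ipaddress.ip_network(n, strict=False) for n in nets):
        return False, "client %s is not in an allowed network" % client_ip

    # Time-of-day windows are optional; absent means "any time".
    windows = entry.get("bindAllowedHours") or ["00:00-23:59"]
    t = now.time().replace(second=0, microsecond=0)  # minute granularity
    if not any(s <= t <= e for s, e in (_parse_window(w) for w in windows)):
        return False, "outside allowed bind hours"

    return True, "policy satisfied; proceed to the password check"


if __name__ == "__main__":
    # Constructed bind attempts: (bind-DN, client IP, timestamp)
    attempts = [
        ("uid=svc-web,ou=services,dc=example,dc=com", "10.0.1.77", datetime(2017, 1, 10, 3, 0)),
        ("uid=alice,ou=people,dc=example,dc=com", "10.20.30.40", datetime(2017, 1, 10, 12, 0)),
        ("uid=alice,ou=people,dc=example,dc=com", "10.20.30.40", datetime(2017, 1, 10, 22, 0)),
        ("uid=alice,ou=people,dc=example,dc=com", "203.0.113.5", datetime(2017, 1, 10, 12, 0)),
        ("uid=legacy,ou=people,dc=example,dc=com", "10.0.1.1", datetime(2017, 1, 10, 12, 0)),
    ]
    for dn, ip, ts in attempts:
        ok, why = bind_allowed(ENTRIES, dn, ip, ts)
        print("%-5s %s from %s: %s" % ("ALLOW" if ok else "DENY", dn, ip, why))
```

The check only gates whether the password comparison is attempted at all; a matching source address still proves nothing about who is at the keyboard, which is the "weakly authenticated" caveat in the message above, and why the `legacy` entry with no policy is denied rather than silently allowed.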
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx