On Sun, 2017-11-12 at 23:06 +0100, Jan Kowalsky wrote:
> Hi all,
>
> after reading posts on the list regarding ACIs I was wondering what
> will be the preferred way to only grant access to the directory for
> hosts in our own network.
>
> In some comments I read that it's generally discouraged to use ACIs
> with a "not" logic like:
>
> ip != 10.0.0.*
>
> or something like this.

The != is only an issue for targetattr, because if you do:

targetattr != sn

Then this includes all system attributes like nsAccountLock and resource limit types etc.

IP addr != is fine :)

> Does this apply to IP address based access too?
>
> My approach would be just something like:
>
> aci: (targetattr = "*") (version 3.0;acl "Bind from special IPs
> only";deny (all) (ip != "192.168.100.*" and ip != "10.0.0.*");)
>
> to allow only from 192.168.100.* networks or from 10.0.0.*.
>
> As far as I understood, I have to define ACIs for every base DN
> separately if I am running multiple databases. Is there any way to
> define this for the whole server?

If you have the databases nested, i.e.:

dc=example,dc=com
ou=foo,dc=example,dc=com

And in the mapping tree these are marked as "parent", then the aci of dc=example,dc=com should apply to ou=foo too.

Generally, I would look at:

https://research.google.com/pubs/pub43231.html

IP address based security is not a good control: You should be using other factors and information to provide access I think. You could limit admins to using TLS user certs for identity rather than passwords, using minssf rules, longer password policy, etc.

Hope that helps,

--
Sincerely,

William Brown
Software Engineer
Red Hat, Australia/Brisbane
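As an added example (not part of the thread and not a 389-ds tool), the following constructed Python linter checks ACI strings for the two pitfalls William describes: a `targetattr !=` clause, which also matches operational attributes such as nsAccountLock, and a bind rule that relies on `ip`/`dns` alone without an identity or transport factor (userdn/groupdn, authmethod, ssf). It also catches the missing closing quote in the ACI Jan quoted. The sample ACIs, the regexes and the function names are assumptions made for this example; the ACI grammar is only approximated by the regexes.

```python
"""Constructed ACI linter for the pitfalls discussed in the thread.

Not part of 389 Directory Server; it pattern-matches the common ACI
shape `(targetattr ...)(version 3.0; acl "..."; allow|deny (...) (bind rule);)`
and reports findings as a list of strings.
"""
import re

# Matches the targetattr clause and captures its operator and value.
TARGETATTR_RE = re.compile(r'\(\s*targetattr\s*(!=|=)\s*"([^"]*)"\s*\)', re.IGNORECASE)

# Matches individual bind-rule keywords with their operator and quoted value.
BIND_RE = re.compile(
    r'\b(userdn|groupdn|roledn|userattr|ip|dns|authmethod|ssf|dayofweek|timeofday)'
    r'\s*(!=|>=|<=|=)\s*"([^"]*)"',
    re.IGNORECASE,
)

# Bind-rule keywords that tie access to who the subject is or how it connected,
# as opposed to where it connected from.
IDENTITY_OR_TRANSPORT = {"userdn", "groupdn", "roledn", "userattr", "authmethod", "ssf"}


def lint_aci(aci):
    """Return a list of findings for one ACI value (empty list = nothing flagged)."""
    findings = []

    # Syntax sanity: an odd number of quotes or unmatched parentheses means the
    # server will reject the ACI (or, worse, parse it differently than intended).
    if aci.count('"') % 2:
        findings.append("unbalanced double quotes")
    if aci.count("(") != aci.count(")"):
        findings.append("unbalanced parentheses")

    # targetattr != X silently covers every attribute except X, including
    # operational ones such as nsAccountLock; flag it.
    m = TARGETATTR_RE.search(aci)
    if m and m.group(1) == "!=":
        findings.append(
            'targetattr != "%s" also matches operational attributes (e.g. nsAccountLock)'
            % m.group(2)
        )

    # A bind rule built only from ip/dns is a network-location check, not an
    # identity check; recommend pairing it with a stronger factor.
    keywords = {kw.lower() for kw, _, _ in BIND_RE.findall(aci)}
    if keywords and not keywords & IDENTITY_OR_TRANSPORT:
        findings.append(
            "bind rule uses only " + ", ".join(sorted(keywords))
            + "; add userdn/groupdn, authmethod or ssf"
        )
    return findings


# Constructed sample ACIs (assumptions for this example, not from a real server).
ACI_POSTED = (  # as quoted in the thread, with the missing quote after 10.0.0.*
    '(targetattr = "*") (version 3.0;acl "Bind from special IPs only";'
    'deny (all) (ip != "192.168.100.*" and ip != "10.0.0.*);)'
)
ACI_FIXED = (  # same rule with the quote repaired
    '(targetattr = "*") (version 3.0;acl "Bind from special IPs only";'
    'deny (all) (ip != "192.168.100.*" and ip != "10.0.0.*");)'
)
ACI_NEG_TARGETATTR = (  # the targetattr != pattern William warns about
    '(targetattr != "sn")(version 3.0; acl "no sn"; deny (write) (userdn = "ldap:///anyone");)'
)
ACI_STRONGER = (  # group membership plus TLS-authenticated bind, no ip clause
    '(targetattr = "*")(version 3.0; acl "admins over TLS"; allow (all) '
    '(groupdn = "ldap:///cn=admins,dc=example,dc=com" and authmethod = "ssl");)'
)


def lint_samples():
    """Lint every constructed sample; returns {name: findings}."""
    return {
        "posted": lint_aci(ACI_POSTED),
        "fixed": lint_aci(ACI_FIXED),
        "neg_targetattr": lint_aci(ACI_NEG_TARGETATTR),
        "stronger": lint_aci(ACI_STRONGER),
    }


if __name__ == "__main__":
    for name, findings in lint_samples().items():
        print(name, "->", findings or "ok")
```

Run it directly to see one finding per sample; `lint_aci` can also be fed the `aci:` values of an LDIF export to review an existing directory's rules before changing them.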
_______________________________________________ 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx