Dear Andrey,
I did not make one point clear here. My exact ACI requirement is
like this: I need to deny the bind operation when the connecting DN belongs
to a certain group and the request is coming from a certain IP address. How
to do it in ACI? More specifically, we have one INTERNET group and one
EMAIL group. If a person is in the INTERNET group he will be allowed to
authenticate (BIND) only from the squid proxy server. Similarly, if a person
belongs to the EMAIL group he will be allowed to authenticate (BIND) only
from the email server. We are unable to achieve this type of control using
ACI. Please help.
regards
murthy
Andrey Ivanov wrote:
You can do it like this, for example:
----------------------------------
# One ACI: the listed attributes are readable only when the client address
# matches one of the four ip rules AND the bind is authenticated (not anonymous).
# Continuation lines start with a space, as LDIF folding requires.
aci: (targetattr = "uniqueMember || uidNumber || gidNumber || homeDirectory || loginShell || gecos")
 (version 3.0; acl "Enable attributes to read for certain ip addresses and to authenticated users";
  allow (read,search,compare)
  (((ip="192.168.0.*") or (ip="172.16.191.*") or (ip="192.168.1.15") or (ip="172.16.126.1"))
  and (userdn="ldap:///all"));)
------------------------------------
Or you can simply use iptables...
2008/5/8 C.S.R.C.Murthy <murthy@xxxxxxxxxxx>:
Hello all,
I am using directory server for squid LDAP authentication. Squid takes the
username/password, binds to the directory server and, if the BIND operation is
successful, it allows the user through the proxy. My problem is how to specify an
ACI so that the BIND operation is allowed only from certain IP addresses. ACI
allows me to restrict READ/SEARCH/WRITE operations but not the BIND operation.
Please help.
--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
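The group-plus-source-address rule discussed above, written out as an added example (this is not code from either poster): one ACI per group, each combining a groupdn bind rule with an ip bind rule, so that a member of INTERNET gets read/search/compare on the People entries only when the connection comes from the squid proxy, and a member of EMAIL only when it comes from the mail server. The suffix dc=example,dc=com, the ou=People and ou=Groups containers, the two group DNs and the two server addresses (192.168.0.10 for squid, 192.168.0.20 for the mail server) are assumptions. As Murthy observes, an ACI has no bind right: these rules govern what the bound user may read afterwards and do not refuse the BIND itself. They only turn into a login failure if the client looks the user up as that user before or after binding, which is an assumption about the authentication helper, not something the thread establishes.

```ldif
# Added example, not from the mailing-list thread.
# Assumed layout: users under ou=People, groups under ou=Groups,
# suffix dc=example,dc=com; squid proxy at 192.168.0.10, mail server at 192.168.0.20.
# Apply with: ldapmodify -x -D "cn=Directory Manager" -W -f this-file.ldif
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
# Members of INTERNET may read their People entries only from the squid proxy.
# Continuation lines carry two leading spaces so the folded ACI keeps its word gaps.
aci: (targetattr = "uid || cn || mail || memberOf")
 (version 3.0; acl "INTERNET members: read People entries from squid only";
  allow (read,search,compare)
  (groupdn="ldap:///cn=INTERNET,ou=Groups,dc=example,dc=com")
  and (ip="192.168.0.10");)
-
add: aci
# Members of EMAIL may read their People entries only from the mail server.
aci: (targetattr = "uid || cn || mail || memberOf")
 (version 3.0; acl "EMAIL members: read People entries from mail server only";
  allow (read,search,compare)
  (groupdn="ldap:///cn=EMAIL,ou=Groups,dc=example,dc=com")
  and (ip="192.168.0.20");)
-
```

Because ACI evaluation is deny-by-default, the pair only has the intended effect if no other ACI on ou=People (or on the suffix above it) already grants read or search to userdn="ldap:///all" or to anonymous; check with ldapsearch bound as a member of each group from both hosts, once from the permitted address and once from the other, and expect the second search to return no entries. A user in both groups is allowed from either server, since the two ACIs are independent allow rules. To stop the BIND itself from the wrong host, an ACI is the wrong tool; a firewall rule as Andrey suggests limits which hosts can reach the server at all but cannot see group membership, so the per-group part of the check has to live in the application that performs the bind.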