Hi Andrey,
As a first step, according to your suggestion, I have removed the
default ACIs for anonymous and authenticated users. With this I expected
that squid would not be able to BIND to the directory server, as the
default ACI action should be DENY when there is no matching rule. But
it is able to BIND successfully when I give a proper login/password. If I
am not able to deny the BIND operation when there are no
anonymous/authenticated ACIs, then I will never be able to control BIND
access, I assume. Please clarify.
regards
murthy
Andrey Ivanov wrote:
Anyway, it is better to make "allow" ACIs, not "deny" ACIs.
As for your problem, here is what the ACIs should look like (supposing
that your groups are cn=INTERNET,ou=Groups,dc=example,dc=com and
cn=EMAIL,ou=Groups,dc=example,dc=com, the IP addresses of your squid server
are 192.168.0.66 and 172.16.191.66, and the addresses of your email servers
are 192.168.1.100 and 192.168.1.101).
Delete all the default ACIs (for anonymous/authenticated users) and
choose the attributes that you want to expose (attr1, attr2...).
For the INTERNET group:
aci: (targetattr = "attr1 || attr2")(version 3.0; acl "Enable attributes to read for certain IP addresses and to authenticated users"; allow (read,search,compare)(((ip="192.168.0.66") or (ip="172.16.191.66")) and (groupdn = "ldap:///cn=INTERNET,ou=Groups,dc=example,dc=com"));)
For the EMAIL group:
aci: (targetattr = "attr1 || attr2")(version 3.0; acl "Enable attributes to read for certain IP addresses and to authenticated users"; allow (read,search,compare)(((ip="192.168.1.100") or (ip="192.168.1.101")) and (groupdn = "ldap:///cn=EMAIL,ou=Groups,dc=example,dc=com"));)
2008/5/9 C.S.R.C.Murthy <murthy@xxxxxxxxxxx>:
Dear Andrey,
I did not make one point clear here. My exact ACI requirement is like
this: I need to deny the bind operation when the connecting DN belongs to
a certain group and the request is coming from a certain IP address. How do I do
it in an ACI? More specifically, we have one INTERNET group and one EMAIL
group. If a person is in the INTERNET group he will be allowed to authenticate
(BIND) only from the squid proxy server. Similarly, if a person belongs to the EMAIL
group he will be allowed to authenticate (BIND) only from the email server. We
are unable to achieve this type of control using ACIs. Please help.
regards
murthy
Andrey Ivanov wrote:
You can do it like this, for example:
----------------------------------
aci: (targetattr = "uniqueMember || uidNumber || gidNumber || homeDirectory || loginShell || gecos")(version 3.0; acl "Enable attributes to read for certain IP addresses and to authenticated users"; allow (read,search,compare)(((ip="192.168.0.*") or (ip="172.16.191.*") or (ip="192.168.1.15") or (ip="172.16.126.1")) and (userdn="ldap:///all"));)
------------------------------------
Or you can simply use iptables...
2008/5/8 C.S.R.C.Murthy <murthy@xxxxxxxxxxx>:
Hello all,
I am using directory server for squid LDAP authentication. Squid takes the
username/password, binds to the directory server and, if the BIND operation is
successful, it allows the user through the proxy. My problem is how to specify
an ACI so that the BIND operation is allowed only from certain IP addresses. ACIs
allow me to restrict READ/SEARCH/WRITE operations but not the BIND
operation.
Please help.
--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
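The following is an added example, not code from the thread or from 389/Fedora Directory Server. It models the two allow ACIs Andrey posted (IP address plus groupdn bind rule, evaluated allow-only once the default anonymous/authenticated ACIs are gone) and the behaviour Murthy observed: the simple bind is a password check that does not consult ACIs, so the ACIs decide only what the bound user can read afterwards. The users alice (INTERNET) and bob (EMAIL), their passwords and the in-memory directory are constructed for the example; the group DNs and IP addresses are the ones named in the thread.

```python
"""Model of the thread's allow-only ACIs (added example, not 389 DS code).

Assumptions (constructed): alice is in INTERNET, bob is in EMAIL, and a
dict stands in for the directory's userPassword values.
"""
from dataclasses import dataclass

# Constructed sample directory: DN -> password (stand-in for userPassword).
DIRECTORY = {
    "uid=alice,ou=People,dc=example,dc=com": "alice-pw",
    "uid=bob,ou=People,dc=example,dc=com": "bob-pw",
}

# Group DNs are the ones named in the thread; membership is constructed.
GROUPS = {
    "cn=INTERNET,ou=Groups,dc=example,dc=com": {"uid=alice,ou=People,dc=example,dc=com"},
    "cn=EMAIL,ou=Groups,dc=example,dc=com": {"uid=bob,ou=People,dc=example,dc=com"},
}


@dataclass(frozen=True)
class AllowAci:
    """One 'allow (rights)' ACI whose bind rule is (ip in ips) and (groupdn = groupdn)."""
    name: str
    targetattrs: frozenset
    rights: frozenset
    ips: tuple      # ACI ip patterns, e.g. "192.168.0.*" or "192.168.1.100"
    groupdn: str


def ip_matches(pattern: str, client_ip: str) -> bool:
    """Dotted-quad comparison; '*' matches a whole octet, as in ip="192.168.0.*"."""
    want, have = pattern.split("."), client_ip.split(".")
    if len(want) != 4 or len(have) != 4:
        return False
    return all(w == "*" or w == h for w, h in zip(want, have))


def aci_permits(aci: AllowAci, bind_dn: str, client_ip: str, attr: str, right: str) -> bool:
    """True when this ACI targets the attribute, grants the right, and its bind rule holds."""
    if attr not in aci.targetattrs or right not in aci.rights:
        return False
    in_group = bind_dn in GROUPS.get(aci.groupdn, set())
    from_allowed_ip = any(ip_matches(p, client_ip) for p in aci.ips)
    return in_group and from_allowed_ip


def access_allowed(acis, bind_dn, client_ip, attr, right) -> bool:
    """Allow-only evaluation: with the default anonymous/authenticated ACIs removed,
    access is granted only if some allow ACI matches; no match means denied."""
    return any(aci_permits(a, bind_dn, client_ip, attr, right) for a in acis)


def simple_bind(bind_dn: str, password: str) -> bool:
    """The bind step checks the password against the entry. No ACI is consulted,
    which is why removing ACIs did not stop the bind in the thread."""
    return DIRECTORY.get(bind_dn) == password


def proxy_auth(acis, bind_dn, password, client_ip, attr="attr1"):
    """What a proxy that binds as the user and then reads attr1 would observe,
    as (bind succeeded, attribute readable)."""
    bound = simple_bind(bind_dn, password)
    readable = bound and access_allowed(acis, bind_dn, client_ip, attr, "read")
    return bound, readable


# The two ACIs from the thread, as data.
ACIS = (
    AllowAci("INTERNET", frozenset({"attr1", "attr2"}), frozenset({"read", "search", "compare"}),
             ("192.168.0.66", "172.16.191.66"), "cn=INTERNET,ou=Groups,dc=example,dc=com"),
    AllowAci("EMAIL", frozenset({"attr1", "attr2"}), frozenset({"read", "search", "compare"}),
             ("192.168.1.100", "192.168.1.101"), "cn=EMAIL,ou=Groups,dc=example,dc=com"),
)

if __name__ == "__main__":
    alice = "uid=alice,ou=People,dc=example,dc=com"
    bob = "uid=bob,ou=People,dc=example,dc=com"
    print(proxy_auth(ACIS, alice, "alice-pw", "192.168.0.66"))   # (True, True)
    print(proxy_auth(ACIS, alice, "alice-pw", "10.1.2.3"))       # (True, False)
    print(proxy_auth(ACIS, bob, "bob-pw", "192.168.0.66"))        # (True, False)
    print(proxy_auth(ACIS, alice, "wrong", "192.168.0.66"))       # (False, False)
```

The second and third calls are the cases the thread is about: the bind succeeds from any address, and only the subsequent read is refused. Against a real server the same check is an ldapsearch run from the squid host and from some other host, binding as the user (-D with -w) and reading attr1 under the base DN; the bind result and the returned attributes should match the tuples above.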