Maybe I am binding the DN using cn=directory manager, and because of that it doesn't understand about the test or test4 user, and because of that it ignores the ACL<br><br><div class="gmail_quote">On Tue, Sep 25, 2012 at 7:31 PM, Grzegorz Dwornicki <span dir="ltr"><<a href="mailto:gd1100@gmail.com" target="_blank">gd1100@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><p>I have to admit I thought that the access log for the webapp would show an anomaly, but I was wrong. If ldapsearch does not bind, please show us the logs of these. Maybe comparing the logs will tell us something...</p>
<p>Greg.</p>
<div class="gmail_quote">25 wrz 2012 20:17, "Satish Patel" <<a href="mailto:satish.txt@gmail.com" target="_blank">satish.txt@gmail.com</a>> napisał(a):<div><div class="h5"><br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Ah! I was testing multiple users. test and test4 both have the ACL and have the same problem. <br><br><div class="gmail_quote">On Tue, Sep 25, 2012 at 2:16 PM, Patrick Morris <span dir="ltr"><<a href="mailto:patrick.morris@hp.com" target="_blank">patrick.morris@hp.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><div>
<div>On 9/25/2012 11:07 AM, Satish Patel
wrote:<br>
</div>
<blockquote type="cite">
This is what I got in the access logs. <br>
<br>
<br>
<blockquote style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" class="gmail_quote">[25/Sep/2012:14:04:36
-0400] conn=497 fd=75 slot=75 connection from 10.101.100.236 to
10.10.52.10<br>
[25/Sep/2012:14:04:36 -0400] conn=497 op=0 BIND dn="cn=Directory
Manager" method=128 version=3<br>
[25/Sep/2012:14:04:36 -0400] conn=497 op=0 RESULT err=0 tag=97
nentries=0 etime=0 dn="cn=directory manager"<br>
[25/Sep/2012:14:04:36 -0400] conn=497 op=1 SRCH
base="dc=example,dc=com" scope=2
filter="(&(uid=test4)(objectClass=person))" attrs="1.1"<br>
[25/Sep/2012:14:04:36 -0400] conn=497 op=1 RESULT err=0 tag=101
nentries=1 etime=0<br>
[25/Sep/2012:14:04:36 -0400] conn=498 fd=76 slot=76 connection
from 10.101.100.236 to 10.10.52.10<br>
[25/Sep/2012:14:04:36 -0400] conn=497 op=2 UNBIND<br>
[25/Sep/2012:14:04:36 -0400] conn=497 op=2 fd=75 closed - U1<br>
[25/Sep/2012:14:04:36 -0400] conn=498 op=0 BIND
dn="uid=test4,ou=People,dc=example,dc=com" method=128 version=3<br>
[25/Sep/2012:14:04:36 -0400] conn=498 op=0 RESULT err=0 tag=97
nentries=0 etime=0 dn="uid=test4,ou=people,dc=example,dc=com"<br>
[25/Sep/2012:14:04:36 -0400] conn=498 op=1 UNBIND<br>
</blockquote>
<br>
<div class="gmail_quote">On Tue, Sep 25, 2012 at 1:46 PM, Grzegorz
Dwornicki <span dir="ltr"><<a href="mailto:gd1100@gmail.com" target="_blank">gd1100@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<p>Can you provide logs from FDS when you are trying to login
via application?</p>
<p>Greg.</p>
<div class="gmail_quote">25 wrz 2012 19:27, "Satish Patel"
<<a href="mailto:satish.txt@gmail.com" target="_blank">satish.txt@gmail.com</a>>
napisał(a):<br type="attribution">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<div>
Hello ALL,<br>
<br>
I have a web-based application, and users authenticate to the
web application using Directory Service (FDS). I want
to restrict some users so they are not allowed to log in, so I have
implemented a host-based deny ACL. But somehow it doesn't
work. Maybe I am missing something. I have the following
ACL.<br>
<br>
<blockquote style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" class="gmail_quote"> (targetattr = "*") (version
3.0;acl "Host ACL";deny (all)(userdn =
<a>"ldap:///uid=test,ou=People,dc=example,dc=com"</a>) and
(ip="10.101.100.236");)<br>
</blockquote>
<div><br>
But the interesting thing is, it works with ldapsearch
but not with the web application? <br>
</div>
</div>
</div>
</blockquote>
</div>
</blockquote>
</div>
</blockquote>
<br></div>
Your ACL specifies "uid=test," but that bind was done with "test4".<br>
</div>
<br>--<br>
389 users mailing list<br>
<a href="mailto:389-users@lists.fedoraproject.org" target="_blank">389-users@lists.fedoraproject.org</a><br>
<a href="https://admin.fedoraproject.org/mailman/listinfo/389-users" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/389-users</a><br></blockquote></div><br>
</blockquote></div></div></div>
</blockquote></div><br>
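<p>Added example, not part of the thread: a Python sketch that reads the access-log lines quoted above (re-joined onto single lines) and reports, per connection, the bound DN, whether it matches the ACI's bind rule (userdn and ip), and which operations followed the bind. The function names and the simplified DN normalisation are assumptions of this example.</p>

```python
import re

# Access-log lines from the thread above, re-joined onto single lines.
LOG = """\
[25/Sep/2012:14:04:36 -0400] conn=497 fd=75 slot=75 connection from 10.101.100.236 to 10.10.52.10
[25/Sep/2012:14:04:36 -0400] conn=497 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[25/Sep/2012:14:04:36 -0400] conn=497 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[25/Sep/2012:14:04:36 -0400] conn=497 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(&(uid=test4)(objectClass=person))" attrs="1.1"
[25/Sep/2012:14:04:36 -0400] conn=497 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[25/Sep/2012:14:04:36 -0400] conn=498 fd=76 slot=76 connection from 10.101.100.236 to 10.10.52.10
[25/Sep/2012:14:04:36 -0400] conn=498 op=0 BIND dn="uid=test4,ou=People,dc=example,dc=com" method=128 version=3
[25/Sep/2012:14:04:36 -0400] conn=498 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=test4,ou=people,dc=example,dc=com"
[25/Sep/2012:14:04:36 -0400] conn=498 op=1 UNBIND
"""

# Bind rule of the ACI quoted in the thread: userdn AND ip.
ACI_USERDN = "uid=test,ou=People,dc=example,dc=com"
ACI_IP = "10.101.100.236"

CONN_RE = re.compile(r'conn=(\d+) fd=\d+ slot=\d+ connection from (\S+) to ')
BIND_OK_RE = re.compile(r'conn=(\d+) op=\d+ RESULT err=0 tag=97 .*dn="([^"]*)"')
OP_RE = re.compile(r'conn=(\d+) op=\d+ (SRCH|MOD|MODRDN|ADD|DEL|CMP|EXT)\b')

def norm_dn(dn):
    # Simplified normalisation (assumption): case-fold, trim spaces around RDNs.
    return ",".join(part.strip() for part in dn.lower().split(","))

def connections(log):
    """Map conn id -> client ip, successfully bound DN, operations issued."""
    conns = {}
    for line in log.splitlines():
        for regex, key in ((CONN_RE, "ip"), (BIND_OK_RE, "dn"), (OP_RE, "ops")):
            m = regex.search(line)
            if not m:
                continue
            c = conns.setdefault(m.group(1), {"ip": None, "dn": None, "ops": []})
            if key == "ops":
                c["ops"].append(m.group(2))
            else:
                c[key] = norm_dn(m.group(2)) if key == "dn" else m.group(2)
            break
    return conns

def bind_rule_report(log, userdn=ACI_USERDN, ip=ACI_IP):
    """Per connection: does (userdn AND ip) match, and what did it do?"""
    return {cid: {"dn": c["dn"], "ops": c["ops"],
                  "rule_matches": c["dn"] == norm_dn(userdn) and c["ip"] == ip}
            for cid, c in connections(log).items()}
```

On this log the only entry operation (the SRCH) runs on conn=497 as cn=directory manager, while conn=498 binds as test4 and unbinds without issuing any operation.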