msarmadi(a)arissystem.com wrote:
2. Better ACI or a new Policy capability for 389ds, with which it could
control binds per IP, time, user, ...
https://fedorahosted.org/389/ticket/49037
I'm also thinking about this stuff for quite a while:
The problem with a BIND request is that it's not yet authenticated. It's
anonymous.
Therefore the only (weakly) authenticated data you have is the IP address of the
LDAP client. You would have to provide a relation in the LDAP entries expressing
that a certain bind-DN is allowed to be sent from a certain IP address and in
this case grant auth access to userPassword (or other attributes used during
processing the BIND request).
Note that you're lost anyway if you're only using one account per person if you
have a partially compromised infrastructure.
Ciao, Michael.
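The relation Michael describes (a bind-DN may only be presented from certain source addresses, and only then is userPassword released to BIND processing) can be sketched as a small policy check. This is an added illustration, not code from 389ds or from anyone in the thread; the attribute name bindAllowedFrom, the directory entries and the addresses are all constructed for the example. It evaluates before any password comparison, since at that point the client IP is the only (weakly authenticated) input available, and it fails closed for entries that carry no relation at all.

```python
import ipaddress

# Constructed sample entries (not real data). 'bindAllowedFrom' is a
# hypothetical attribute standing in for the relation discussed above:
# the source networks a given bind-DN may be presented from.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "userPassword": "{SSHA}constructed-hash-placeholder",
        "bindAllowedFrom": ["192.0.2.0/24", "2001:db8::/32"],
    },
    "uid=svc-backup,ou=services,dc=example,dc=com": {
        "userPassword": "{SSHA}constructed-hash-placeholder",
        "bindAllowedFrom": ["198.51.100.10/32"],
    },
    "uid=bob,ou=people,dc=example,dc=com": {
        "userPassword": "{SSHA}constructed-hash-placeholder",
        # no bindAllowedFrom: the policy falls back to deny (fail closed)
    },
}


def bind_source_allowed(bind_dn, client_ip, directory=DIRECTORY):
    """Decide whether a BIND for bind_dn may proceed from client_ip.

    Returns (allowed, reason). The reason is for server-side logging only;
    the client should receive one uniform failure so that unknown DNs and
    blocked sources are indistinguishable from a wrong password.
    """
    entry = directory.get(bind_dn)
    if entry is None:
        return False, "unknown bind DN"
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False, "unparseable client address"
    nets = entry.get("bindAllowedFrom", [])
    if not nets:
        return False, "no bindAllowedFrom relation; failing closed"
    for net in nets:
        # ip_network() of the other address family never contains addr,
        # so mixed v4/v6 lists are safe to evaluate together.
        if addr in ipaddress.ip_network(net, strict=False):
            return True, f"{client_ip} within {net}"
    return False, f"{client_ip} not within any allowed network"


def password_visible_for_bind(bind_dn, client_ip, directory=DIRECTORY):
    """Release userPassword to the BIND code path only if the source
    relation permits it; otherwise the stored credential is never read."""
    allowed, _reason = bind_source_allowed(bind_dn, client_ip, directory)
    if not allowed:
        return None
    return directory[bind_dn]["userPassword"]


def audit_line(bind_dn, client_ip, directory=DIRECTORY):
    """One log line per BIND decision, suitable for alerting on repeated
    denials from one source (the signal a compromised host would produce)."""
    allowed, reason = bind_source_allowed(bind_dn, client_ip, directory)
    verdict = "ALLOW" if allowed else "DENY"
    return f"bind-policy {verdict} dn={bind_dn} ip={client_ip} reason={reason}"


if __name__ == "__main__":
    for dn, ip in [
        ("uid=alice,ou=people,dc=example,dc=com", "192.0.2.77"),
        ("uid=alice,ou=people,dc=example,dc=com", "203.0.113.5"),
        ("uid=bob,ou=people,dc=example,dc=com", "192.0.2.1"),
    ]:
        print(audit_line(dn, ip))
```

The split into bind_source_allowed and password_visible_for_bind mirrors the point in the post: the password attribute is only consulted once the weakly authenticated source check has passed, so a bind from an unexpected network fails without touching the credential at all. As Michael notes, this does not help when the allowed host itself is compromised; it narrows where a stolen password can be used, nothing more.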