Yes, I think that there is no way to deny a BIND depending on the
group and originating IP condition. You can however deny any other
access (read/compare/search). Depending on the filter you define for
squid/sendmail/php web page (even the simplest objectClass=*) these
conditions are equivalent (the ldapsearch will bind but it will always
return an empty set)...
2008/5/9 C.S.R.C.Murthy <murthy(a)barc.gov.in>:
Hi Andrey,
As a first step, according to your suggestion, I have removed the default
ACIs for anonymous and authenticated users. With this I expected that squid
will not be able to BIND to the directory server as the default ACI action
should be DENY in case there is no matching rule. But it is able to
successfully BIND when I give proper login/password. If I am not able to
deny BIND operation when there are no anonymous/authenticated ACI, then I
will never be able to control BIND access, I assume. Please clarify.
regards
murthy
Andrey Ivanov wrote:
> Anyway it is better to make the "allow" ACIs, not "deny" ACIs.
>
> As for your problem, here is what the ACIs should look like (supposing
> that your groups are cn=INTERNET,ou=Groups,dc=example,dc=com and
> cn=EMAIL,ou=Groups,dc=example,dc=com, ip addresses of your squid server
> are 192.168.0.66 and 172.16.191.66, addresses of your email servers
> 192.168.1.100 and 192.168.1.101)
>
> Delete all the default ACIs (for anonymous/authenticated users) and
> choose the attributes that you want to expose (attr1, attr2...)
>
> For INTERNET group :
> aci: (targetattr = "attr1 || attr2")(version 3.0; acl "Enable
> attributes to read for a certain ip adresses and to authentified
> users";allow (read,search,compare)(((ip="192.168.0.66") or
> (ip="172.16.191.66")) and (groupdn =
> "ldap:///cn=INTERNET,ou=Groups,dc=example,dc=com"));)
>
>
> For EMAIL group :
> aci: (targetattr = "attr1 || attr2")(version 3.0; acl "Enable
> attributes to read for a certain ip adresses and to authentified
> users";allow (read,search,compare)(((ip="192.168.1.100") or
> (ip="192.168.1.101")) and (groupdn =
> "ldap:///cn=EMAIL,ou=Groups,dc=example,dc=com"));)
>
> 2008/5/9 C.S.R.C.Murthy <murthy(a)barc.gov.in>:
>
>
> > Dear Andrey,
> > I did not make clear one point here. My exact ACI requirement is like
> > this, I need to deny bind operation when the connecting DN belongs to
> > certain group and the request is coming from certain ip address. How to do
> > it in ACI? More specifically we have one INTERNET group and one EMAIL
> > group. If a person is in INTERNET group he will be allowed to authenticate
> > (BIND) only from squid proxy server. Similarly if a person belongs to EMAIL
> > group he will be allowed to authenticate (BIND) only from email server. We
> > are unable to achieve this type of control using ACI. Please help.
> >
> > regards
> > murthy
> >
> > Andrey Ivanov wrote:
> >
> >
> > > You can do it like this, for example :
> > >
> > > ----------------------------------
> > > aci: (targetattr = "uniqueMember || uidNumber || gidNumber ||
> > > homeDirectory || loginShell || gecos")(version 3.0; acl "Enable
> > > attributes to read for certain ip adresses and to authentified users";
> > > allow (read,search,compare)(((ip="192.168.0.*") or (ip="172.16.191.*")
> > > or (ip="192.168.1.15") or (ip="172.16.126.1")) and
> > > (userdn="ldap:///all"));)
> > > ------------------------------------
> > > Or you can simply use iptables...
> > >
> > >
> > > 2008/5/8 C.S.R.C.Murthy <murthy(a)barc.gov.in>:
> > >
> > >
> > >
> > > > Hello all,
> > > > I am using directory server for squid ldap authentication. Squid takes
> > > > username/password, binds the directory server and if the BIND operation
> > > > is successful it allows the user through proxy. My problem is how to
> > > > specify an ACI so that BIND operation is allowed only from certain IP
> > > > address? ACI allows me to restrict READ/SEARCH/WRITE operations but not
> > > > BIND operation.
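As an added illustration (not part of the thread, and not the directory server's own code), the following Python models the point made at the top of the thread: with only "allow" ACIs whose bind rule combines ip and groupdn, the BIND itself still succeeds on valid credentials, while a search from the wrong host or group binds but returns nothing. The Aci class, ldapsearch() and the constructed policy built from the thread's attr1/attr2, IPs and group DNs are assumptions of this simplified model, not the server's real evaluation algorithm.

```python
from dataclasses import dataclass
from fnmatch import fnmatch

@dataclass(frozen=True)
class Aci:
    """One 'allow' ACI (simplified model): targetattr list, granted rights,
    and a bind rule of (client ip matches a pattern) AND (bound DN in a group)."""
    attrs: frozenset
    rights: frozenset
    ips: frozenset        # exact addresses or wildcard patterns such as "192.168.0.*"
    groupdns: frozenset

def bind_rule_matches(aci, client_ip, member_of):
    return any(fnmatch(client_ip, p) for p in aci.ips) and bool(aci.groupdns & member_of)

def bind_allowed(password_ok):
    # ACIs never enter into the BIND decision; only the credentials do.
    # This is what the thread observes: removing ACIs does not stop a bind.
    return password_ok

def has_right(acis, right, attr, client_ip, member_of):
    # Default deny: a right exists only when some allow ACI grants it.
    return any(right in a.rights and attr in a.attrs
               and bind_rule_matches(a, client_ip, member_of) for a in acis)

def ldapsearch(acis, filter_attr, wanted, client_ip, member_of, password_ok=True):
    """Bind, then search on filter_attr asking for the `wanted` attributes.
    Returns None if the bind fails, otherwise the attributes returned; an empty
    set is the 'binds but always returns an empty set' case from the thread."""
    if not bind_allowed(password_ok):
        return None
    if not has_right(acis, "search", filter_attr, client_ip, member_of):
        return frozenset()   # filter attribute not searchable: no entry matches
    return frozenset(a for a in wanted if has_right(acis, "read", a, client_ip, member_of))

# Constructed policy mirroring the two ACIs in the thread (same attrs, IPs, groups).
INTERNET = "cn=INTERNET,ou=Groups,dc=example,dc=com"
EMAIL = "cn=EMAIL,ou=Groups,dc=example,dc=com"
RIGHTS = frozenset({"read", "search", "compare"})
ACIS = (
    Aci(frozenset({"attr1", "attr2"}), RIGHTS,
        frozenset({"192.168.0.66", "172.16.191.66"}), frozenset({INTERNET})),
    Aci(frozenset({"attr1", "attr2"}), RIGHTS,
        frozenset({"192.168.1.100", "192.168.1.101"}), frozenset({EMAIL})),
)

if __name__ == "__main__":
    want = ("attr1", "attr2")
    # INTERNET member via the squid proxy: entry and attributes come back.
    print(ldapsearch(ACIS, "attr1", want, "192.168.0.66", {INTERNET}))
    # Same user from the mail server: bind succeeds, but the result set is empty.
    print(ldapsearch(ACIS, "attr1", want, "192.168.1.100", {INTERNET}))
```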