Thank you for the reply.
Please take a look at
https://fedorahosted.org/389/ticket/49036
I tried to be descriptive and to explain an environment from a point of view.
It might help me explain better.
By Users, I'm referring to End Users who can use applications - those they are
permitted to use. And I should say that an application checks a user's authentication
credentials by binding to the directory using them.
The expected behaviour is that there be a mechanism where I could place a rule that userA (the DN
corresponding to End UserA) can bind to the directory only from App1 and not App2 (based on
his manager's request).
I think that mechanism must be an ACI-like behaviour in which a bind operation (initiated by
application software, say App1) for a user (the User DN corresponding to, say, UserA) could
be controlled by IP (if UserA is allowed to use App1, App1 (from IP1) can bind using
the UserDN of UserA), and if not, it should be defined as a Deny Rule.
Moreover, having that mechanism, like what is doable in directory ACI on other
operations (read, write, search, ...), we could expect more mature constraints, e.g. time, a
certain user attribute, etc.
Please let me know what sort of other details could help, or what I can explain.
BR
--
Mehdi Sarmadi
Senior Technical Solutions Engineer
Aris System