On Wed, 2016-11-16 at 13:30 +0000, Mehdi Sarmadi wrote:
> Hello
> In 389ds ACI, many operations like search, read, write, ... can be restricted based on
> evaluating time, IP, DNS name, authenticated user and some other conditions.
> We have multiple applications which authenticate (bind only) their users with a Directory
> (389ds).
> I need to restrict users from logging on applications based on a policy. For example
> UserA could be logged on App1, and not App2, and so on.
> For that I'm looking for a feature that could be helpful.
Is this just "who is allowed to access appX" or is it "while logged into
A you cannot login to B?"
Anyway, my advice is to use groups and memberOf if it's the first case.
Add the users to groups, i.e.:
objectClass: groupOfNames
member: uid=user,ou=People,dc=....
Then if you have the memberOf plugin enabled, you want to run the fixup
task initially.
Once done, you should see:
dn: uid=william,ou=People,dc=...
uid: william
objectClass: inetUser    <<-- Your users MUST have this objectClass to accept the memberOf attr.
memberOf: cn=network_admins,ou=Groups,dc=...
Now you can filter in your application config based on:
ldap_auth_filter = '(memberOf=cn=network_admins,ou=Groups,dc=...)'
Hope that helps.
> 1.
> I thought of a feature in ACI, in which ACI could be defined on Bind operations, too. For
> example we could define an ACI saying users with a filter, say (attributeA=App1) or
> (objectClass=App1User) and a fromIP restriction (of the server of application App1), allows
> or denies binding of users. Users + apps which do not match the criteria could not
> login (they will get err=49 or Invalid Credentials), and those who match could login.
> 2.
> I thought of another solution, too, in which users are put in dynamic containers which
> have a bind feature. For example there is a certain type of OU which is dynamically filled
> by users that have a certain characteristic:
> - OU=App1,DC=domain,DC=com contains users with (attributeA=App1) or
> (objectClass=App1User).
> - OU=App2,DC=domain,DC=com contains users with (attributeA=App2) or
> (objectClass=App1User).
> In this case I can tell app1 to authenticate UserA against its own
> OU=App1,DC=domain,DC=com, and app2 against OU=App2,DC=domain,DC=com.
> I'm wondering if anyone has any idea or has been in the same place.
> Thanks
--
Sincerely,
William Brown
Software Engineer
Red Hat, Brisbane
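The group-plus-memberOf approach in the reply above puts the per-application policy on the application side: after the directory (with the memberOf plugin and the fixup task run) has populated memberOf on each inetUser entry, the application ANDs its own ldap_auth_filter onto the uid lookup and only proceeds to bind when exactly one entry comes back. The script below is an added example that is not part of the thread or of 389ds; it simulates that application-side step offline against a constructed LDIF export, with a small RFC 4515 filter evaluator, so the effect of each application's filter can be checked without a directory server. The dc=example,dc=com suffix, the two users, the group names and the function names are all assumptions made for the example. The user-supplied uid is escaped before it is spliced into the filter, because an application that builds `(&(uid=<input>)...)` from raw input lets the input change the filter's structure and bypass the membership check.

```python
"""Application-side bind authorization using memberOf (added example, not from the thread).

Simulates the application's pre-bind lookup: (&(uid=<user>)<ldap_auth_filter>)
evaluated against entries the memberOf plugin has populated. All names below
(example.com suffix, users, groups) are hypothetical.
"""
import re

# Constructed sample export: what the memberOf plugin leaves on inetUser entries
# after the fixup task has run.
SAMPLE_LDIF = """\
dn: uid=william,ou=People,dc=example,dc=com
uid: william
objectClass: inetOrgPerson
objectClass: inetUser
memberOf: cn=network_admins,ou=Groups,dc=example,dc=com

dn: uid=mehdi,ou=People,dc=example,dc=com
uid: mehdi
objectClass: inetOrgPerson
objectClass: inetUser
memberOf: cn=app2_users,ou=Groups,dc=example,dc=com
"""

# Per-application filters, in the shape of the ldap_auth_filter line from the reply.
APP1_FILTER = "(memberOf=cn=network_admins,ou=Groups,dc=example,dc=com)"
APP2_FILTER = "(memberOf=cn=app2_users,ou=Groups,dc=example,dc=com)"

# Attributes whose values are DNs and therefore compare after DN normalisation.
DN_SYNTAX_ATTRS = {"memberof", "member", "uniquemember", "owner", "manager"}


def normalize_dn(dn):
    return ",".join(part.strip() for part in dn.lower().split(","))


def parse_ldif(text):
    """Minimal LDIF parser: {normalized_dn: {attr_lower: [values]}}; folds continuation lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:          # continuation of the previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = {}, {}
    for line in lines + [""]:                      # sentinel flushes the last entry
        if not line.strip():
            if current:
                entries[normalize_dn(current["dn"][0])] = current
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def escape_filter_value(value):
    """RFC 4515 escaping so user input cannot alter the filter structure."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group(0)), value)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _parse_filter(s, i=0):
    """Recursive-descent parser for (&..), (|..), (!..) and (attr=value) items."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|":
        op, children, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = _parse_filter(s, i)
            children.append(node)
        return (op, children), i + 1               # skip the closing ')'
    if s[i] == "!":
        node, i = _parse_filter(s, i + 1)
        return ("!", [node]), i + 1
    end = s.index(")", i)
    attr, _, value = s[i:end].partition("=")
    return ("=", (attr.strip().lower(), value)), end + 1


def _equal(attr, stored, wanted):
    if attr in DN_SYNTAX_ATTRS:
        return normalize_dn(stored) == normalize_dn(wanted)
    return stored.lower() == wanted.lower()        # caseIgnoreMatch, the usual default


def _matches(node, entry):
    kind, payload = node
    if kind == "&":
        return all(_matches(c, entry) for c in payload)
    if kind == "|":
        return any(_matches(c, entry) for c in payload)
    if kind == "!":
        return not _matches(payload[0], entry)
    attr, value = payload
    present = entry.get(attr, [])
    if value == "*":                               # presence filter
        return bool(present)
    return any(_equal(attr, v, _unescape(value)) for v in present)


def search(entries, filter_str):
    """Return the normalized DNs of entries matching filter_str."""
    node, end = _parse_filter(filter_str)
    if end != len(filter_str):
        raise ValueError("trailing data after filter")
    return [dn for dn, entry in entries.items() if _matches(node, entry)]


def app_allows_bind(entries, uid, ldap_auth_filter):
    """The application's lookup: uid AND the app filter must select exactly one entry."""
    combined = "(&(uid=%s)%s)" % (escape_filter_value(uid), ldap_auth_filter)
    return len(search(entries, combined)) == 1


ENTRIES = parse_ldif(SAMPLE_LDIF)

if __name__ == "__main__":
    for uid in ("william", "mehdi"):
        print(uid, "App1:", app_allows_bind(ENTRIES, uid, APP1_FILTER),
              "App2:", app_allows_bind(ENTRIES, uid, APP2_FILTER))
```

Run as-is it reports william allowed on App1 only and mehdi on App2 only. Granting a user a second application then means adding a `member` line to the other group on the directory, which is a single change visible in one place, rather than editing application configuration or (as in the quoted idea 2) maintaining per-application OUs.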