5:46 a.m.
I have three applications that use my ldap installation to authenticate users with Bind
operation. I need to restrict each app so it only be able to bind it's own users. my
idea was to create a multi-value attribute for each user named "App" which has
the name of the application that the user is allowed use (For instance: mail, portal and
office). I'm looking for a way to restrict each application from binding users who do
not have that application in their "App" attribute. for example portal
application must only be able to bind users which have the attribute
"App=portal". I was unable to do such thing using ACI.
Is it possible to implement such restriction?
11:19 a.m.
New subject: How can I restrict bind operation based on attributes?
Perhaps via suffix?
________________________________________
From: kashefi(a)arissystem.com [kashefi(a)arissystem.com]
Sent: Tuesday, June 21, 2016 03:46
To: 389-users(a)lists.fedoraproject.org
Subject: [389-users] How can I restrict bind operation based on attributes?
I have three applications that use my ldap installation to authenticate users with Bind
operation. I need to restrict each app so it only be able to bind it's own users. my
idea was to create a multi-value attribute for each user named "App" which has
the name of the application that the user is allowed use (For instance: mail, portal and
office). I'm looking for a way to restrict each application from binding users who do
not have that application in their "App" attribute. for example portal
application must only be able to bind users which have the attribute
"App=portal". I was unable to do such thing using ACI.
Is it possible to implement such restriction?
--
389-users mailing list
389-users(a)lists.fedoraproject.org
https://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject...
5:52 p.m.
New subject: How can I restrict bind operation based on attributes?
On Tue, 2016-06-21 at 10:46 +0000, kashefi(a)arissystem.com wrote:
I have three applications that use my ldap installation to
authenticate users with Bind operation. I need to restrict each app so it only be able to
bind it's own users. my idea was to create a multi-value attribute for each user named
"App" which has the name of the application that the user is allowed use (For
instance: mail, portal and office). I'm looking for a way to restrict each application
from binding users who do not have that application in their "App" attribute.
for example portal application must only be able to bind users which have the attribute
"App=portal". I was unable to do such thing using ACI.
Is it possible to implement such restriction?
I think this is how I would do it.
Lets say we have a user:
dn: uid=test1,ou=People,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: simpleSecurityObject
objectClass: YourCustomAppSchema
userPassword: password
uid: test1
application: foo
dn: uid=test2,ou=People,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: simpleSecurityObject
objectClass: YourCustomAppSchema
userPassword: password
uid: test2
application: bar
Then the application foo, can have in it's user filter:
(&(uid=%s)(application=foo))
To this filter, test1 will satisfy, but test2 will not.
Conversely, test2 will work for application bar, but not foo.
Because of the way most applications work they follow this pattern:
* Anonymous bind
* User filter with username to find the DN of the object
** new bind with DN of the object if found
** fail if no DN found
As a result, this pattern will satisfy your requirements.
Check the ldapfilter configuration directive to your applications, it's
likely what you want to use.
--
Sincerely,
William Brown
Software Engineer
Red Hat, Brisbane
2859
days inactive
2864
days old
389-users@lists.fedoraproject.org
2 comments
3 participants
participants (3)
-
kashefi@arissystem.com -
Mailvaganam, Hari -
William Brown