[389-users] ACL doesn't works

Patrick Morris patrick.morris at hp.com
Tue Sep 25 18:16:20 UTC 2012


On 9/25/2012 11:07 AM, Satish Patel wrote:
> This is what I got in access logs.
>
>
>     [25/Sep/2012:14:04:36 -0400] conn=497 fd=75 slot=75 connection
>     from 10.101.100.236 to 10.10.52.10
>     [25/Sep/2012:14:04:36 -0400] conn=497 op=0 BIND dn="cn=Directory
>     Manager" method=128 version=3
>     [25/Sep/2012:14:04:36 -0400] conn=497 op=0 RESULT err=0 tag=97
>     nentries=0 etime=0 dn="cn=directory manager"
>     [25/Sep/2012:14:04:36 -0400] conn=497 op=1 SRCH
>     base="dc=example,dc=com" scope=2
>     filter="(&(uid=test4)(objectClass=person))" attrs="1.1"
>     [25/Sep/2012:14:04:36 -0400] conn=497 op=1 RESULT err=0 tag=101
>     nentries=1 etime=0
>     [25/Sep/2012:14:04:36 -0400] conn=498 fd=76 slot=76 connection
>     from 10.101.100.236 to 10.10.52.10
>     [25/Sep/2012:14:04:36 -0400] conn=497 op=2 UNBIND
>     [25/Sep/2012:14:04:36 -0400] conn=497 op=2 fd=75 closed - U1
>     [25/Sep/2012:14:04:36 -0400] conn=498 op=0 BIND
>     dn="uid=test4,ou=People,dc=example,dc=com" method=128 version=3
>     [25/Sep/2012:14:04:36 -0400] conn=498 op=0 RESULT err=0 tag=97
>     nentries=0 etime=0 dn="uid=test4,ou=people,dc=example,dc=com"
>     [25/Sep/2012:14:04:36 -0400] conn=498 op=1 UNBIND
>
> On Tue, Sep 25, 2012 at 1:46 PM, Grzegorz Dwornicki <gd1100 at gmail.com> wrote:
>
>     Can you provide logs from FDS when you are trying to log in via
>     the application?
>
>     Greg.
>
>     On 25 Sep 2012 19:27, "Satish Patel" <satish.txt at gmail.com> wrote:
>
>         Hello all,
>
>         I have a web-based application, and users authenticate to the
>         web application using Directory Service (FDS). I want to
>         restrict some users so that they are not allowed to log in, so
>         I have implemented a host-based deny ACL. But somehow it
>         doesn't work. Maybe I am missing something. I have the
>         following ACL.
>
>              (targetattr = "*") (version 3.0;acl "Host ACL";deny
>             (all)(userdn =
>             "ldap:///uid=test,ou=People,dc=example,dc=com") and
>             (ip="10.101.100.236");)
>
>
>         But the interesting thing is, it works with ldapsearch but not
>         with the web application?
>

Your ACL specifies "uid=test," but that bind was done with "test4".