[389-users] ACL doesn't works

Grzegorz Dwornicki gd1100 at gmail.com
Tue Sep 25 23:31:27 UTC 2012 

I have to admit I thought that access log for webapp will show anomaly but
I was wrong. If ldapsearch does not bind please show us logs of thesse.
Maybe comparing the logs will tell us something...

Greg.
25 wrz 2012 20:17, "Satish Patel" <satish.txt at gmail.com> napisał(a):

> Ah! i was testing multiple users. test and test4 both has ACL and has same
> problem.
>
> On Tue, Sep 25, 2012 at 2:16 PM, Patrick Morris <patrick.morris at hp.com>wrote:
>
>>  On 9/25/2012 11:07 AM, Satish Patel wrote:
>>
>> This is what i got in access logs.
>>
>>
>> [25/Sep/2012:14:04:36 -0400] conn=497 fd=75 slot=75 connection from
>>> 10.101.100.236 to 10.10.52.10
>>> [25/Sep/2012:14:04:36 -0400] conn=497 op=0 BIND dn="cn=Directory
>>> Manager" method=128 version=3
>>> [25/Sep/2012:14:04:36 -0400] conn=497 op=0 RESULT err=0 tag=97
>>> nentries=0 etime=0 dn="cn=directory manager"
>>> [25/Sep/2012:14:04:36 -0400] conn=497 op=1 SRCH base="dc=example,dc=com"
>>> scope=2 filter="(&(uid=test4)(objectClass=person))" attrs="1.1"
>>> [25/Sep/2012:14:04:36 -0400] conn=497 op=1 RESULT err=0 tag=101
>>> nentries=1 etime=0
>>> [25/Sep/2012:14:04:36 -0400] conn=498 fd=76 slot=76 connection from
>>> 10.101.100.236 to 10.10.52.10
>>> [25/Sep/2012:14:04:36 -0400] conn=497 op=2 UNBIND
>>> [25/Sep/2012:14:04:36 -0400] conn=497 op=2 fd=75 closed - U1
>>> [25/Sep/2012:14:04:36 -0400] conn=498 op=0 BIND
>>> dn="uid=test4,ou=People,dc=example,dc=com" method=128 version=3
>>> [25/Sep/2012:14:04:36 -0400] conn=498 op=0 RESULT err=0 tag=97
>>> nentries=0 etime=0 dn="uid=test4,ou=people,dc=example,dc=com"
>>> [25/Sep/2012:14:04:36 -0400] conn=498 op=1 UNBIND
>>>
>>
>>
>>
>>
>>
>> On Tue, Sep 25, 2012 at 1:46 PM, Grzegorz Dwornicki <gd1100 at gmail.com>wrote:
>>
>>> Can you provide logs from FDS when you are trying to login via
>>> application?
>>>
>>> Greg.
>>> 25 wrz 2012 19:27, "Satish Patel" <satish.txt at gmail.com> napisał(a):
>>>
>>>>  Hello ALL,
>>>>
>>>> I have a web base application and user authenticate web application
>>>> using Directory Service (FDS). I want to restrict some user to not allow to
>>>> login so i have implement host base deny ACL. But somehow it doesn't works.
>>>> may be i am missing something. following acl i have.
>>>>
>>>>  (targetattr = "*") (version 3.0;acl "Host ACL";deny (all)(userdn =
>>>>> "ldap:///uid=test,ou=People,dc=example,dc=com") and
>>>>> (ip="10.101.100.236");)
>>>>>
>>>>
>>>> But interesting thing is, it works with ldapsearch but not with Web
>>>> application?
>>>>
>>>
>> Your ACL specifies "uid=test," but that bind was done with "test4".
>>
>> --
>> 389 users mailing list
>> 389-users at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>>
>
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/389-users/attachments/20120926/d3755cc2/attachment.html>

More information about the 389-users mailing list