[389-users] ACL doesn't works

Satish Patel satish.txt at gmail.com
Thu Sep 27 19:35:13 UTC 2012


Maybe I am binding the DN using cn=directory manager, and because of that it
doesn't know about the test or test4 user and because of that it ignores the ACL.

On Tue, Sep 25, 2012 at 7:31 PM, Grzegorz Dwornicki <gd1100 at gmail.com> wrote:

> I have to admit I thought that the access log for the webapp would show an anomaly, but
> I was wrong. If ldapsearch does not bind, please show us the logs of these.
> Maybe comparing the logs will tell us something...
>
> Greg.
> On 25 Sep 2012 20:17, "Satish Patel" <satish.txt at gmail.com> wrote:
>
>> Ah! I was testing multiple users. test and test4 both have the ACL and have the same
>> problem.
>>
>> On Tue, Sep 25, 2012 at 2:16 PM, Patrick Morris <patrick.morris at hp.com> wrote:
>>
>>> On 9/25/2012 11:07 AM, Satish Patel wrote:
>>>
>>> This is what I got in the access logs.
>>>
>>>
>>>> [25/Sep/2012:14:04:36 -0400] conn=497 fd=75 slot=75 connection from
>>>> 10.101.100.236 to 10.10.52.10
>>>> [25/Sep/2012:14:04:36 -0400] conn=497 op=0 BIND dn="cn=Directory
>>>> Manager" method=128 version=3
>>>> [25/Sep/2012:14:04:36 -0400] conn=497 op=0 RESULT err=0 tag=97
>>>> nentries=0 etime=0 dn="cn=directory manager"
>>>> [25/Sep/2012:14:04:36 -0400] conn=497 op=1 SRCH
>>>> base="dc=example,dc=com" scope=2
>>>> filter="(&(uid=test4)(objectClass=person))" attrs="1.1"
>>>> [25/Sep/2012:14:04:36 -0400] conn=497 op=1 RESULT err=0 tag=101
>>>> nentries=1 etime=0
>>>> [25/Sep/2012:14:04:36 -0400] conn=498 fd=76 slot=76 connection from
>>>> 10.101.100.236 to 10.10.52.10
>>>> [25/Sep/2012:14:04:36 -0400] conn=497 op=2 UNBIND
>>>> [25/Sep/2012:14:04:36 -0400] conn=497 op=2 fd=75 closed - U1
>>>> [25/Sep/2012:14:04:36 -0400] conn=498 op=0 BIND
>>>> dn="uid=test4,ou=People,dc=example,dc=com" method=128 version=3
>>>> [25/Sep/2012:14:04:36 -0400] conn=498 op=0 RESULT err=0 tag=97
>>>> nentries=0 etime=0 dn="uid=test4,ou=people,dc=example,dc=com"
>>>> [25/Sep/2012:14:04:36 -0400] conn=498 op=1 UNBIND
>>>>
>>>
>>> On Tue, Sep 25, 2012 at 1:46 PM, Grzegorz Dwornicki <gd1100 at gmail.com> wrote:
>>>
>>>> Can you provide logs from FDS when you are trying to login via
>>>> application?
>>>>
>>>> Greg.
>>>> On 25 Sep 2012 19:27, "Satish Patel" <satish.txt at gmail.com> wrote:
>>>>
>>>>> Hello ALL,
>>>>>
>>>>> I have a web-based application, and users authenticate to the web application
>>>>> using Directory Service (FDS). I want to restrict some users from logging in,
>>>>> so I have implemented a host-based deny ACL. But somehow it doesn't work;
>>>>> maybe I am missing something. The following is the ACL I have:
>>>>>
>>>>>> (targetattr = "*") (version 3.0;acl "Host ACL";deny (all)(userdn =
>>>>>> "ldap:///uid=test,ou=People,dc=example,dc=com") and
>>>>>> (ip="10.101.100.236");)
>>>>>>
>>>>>
>>>>> But the interesting thing is, it works with ldapsearch but not with the web
>>>>> application?
>>>>>
>>>>
>>> Your ACL specifies "uid=test," but that bind was done with "test4".
>>>
>>> --
>>> 389 users mailing list
>>> 389-users at lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>>>
>>
>>
>
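An added example, not code from the thread: a small Python audit that correlates the quoted 389 DS access-log lines (reconstructed here as constructed sample input) and lists the successful binds made by a user/IP pair the deny ACI names. It assumes only the log format shown above; in 389 DS the access-control rights (read, write, search, etc.) do not include bind, so a deny ACI cannot fail the simple bind the application treats as "login", which is exactly what the err=0 on conn=498 shows.

```python
import re

# Constructed sample of 389 DS access-log lines, modelled on the ones quoted
# in the thread (same connection/operation structure and addresses).
ACCESS_LOG = """\
[25/Sep/2012:14:04:36 -0400] conn=497 fd=75 slot=75 connection from 10.101.100.236 to 10.10.52.10
[25/Sep/2012:14:04:36 -0400] conn=497 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[25/Sep/2012:14:04:36 -0400] conn=497 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[25/Sep/2012:14:04:36 -0400] conn=497 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(&(uid=test4)(objectClass=person))" attrs="1.1"
[25/Sep/2012:14:04:36 -0400] conn=497 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[25/Sep/2012:14:04:36 -0400] conn=498 fd=76 slot=76 connection from 10.101.100.236 to 10.10.52.10
[25/Sep/2012:14:04:36 -0400] conn=497 op=2 UNBIND
[25/Sep/2012:14:04:36 -0400] conn=498 op=0 BIND dn="uid=test4,ou=People,dc=example,dc=com" method=128 version=3
[25/Sep/2012:14:04:36 -0400] conn=498 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=test4,ou=people,dc=example,dc=com"
[25/Sep/2012:14:04:36 -0400] conn=498 op=1 UNBIND
"""

CONN_RE = re.compile(r'conn=(\d+) fd=\d+ slot=\d+ connection from (\S+) to (\S+)')
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+)')

def successful_binds(log_text):
    """Return [(client_ip, bind_dn)] for every BIND whose RESULT was err=0."""
    client_ip = {}   # conn id -> source IP from the 'connection from' line
    pending = {}     # (conn, op) -> bind DN still waiting for its RESULT line
    out = []
    for line in log_text.splitlines():
        if m := CONN_RE.search(line):
            client_ip[m.group(1)] = m.group(2)
        elif m := BIND_RE.search(line):
            pending[(m.group(1), m.group(2))] = m.group(3)
        elif m := RESULT_RE.search(line):
            dn = pending.pop((m.group(1), m.group(2)), None)   # None for SRCH results
            if dn is not None and m.group(3) == "0":
                out.append((client_ip.get(m.group(1), "?"), dn.lower()))
    return out

def binds_matching_deny(log_text, denied_dns, denied_ip):
    """Successful binds that the thread's ACI was meant to cover: the bound DN
    is one of the denied users AND the client IP equals the ACI's ip= value."""
    wanted = {dn.lower() for dn in denied_dns}
    return [(ip, dn) for ip, dn in successful_binds(log_text)
            if dn in wanted and ip == denied_ip]

if __name__ == "__main__":
    hits = binds_matching_deny(ACCESS_LOG,
                               ["uid=test4,ou=People,dc=example,dc=com"],
                               "10.101.100.236")
    for ip, dn in hits:
        print(f"bind by {dn} from {ip} succeeded (err=0) despite the deny ACI")
```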