[389-users] How do I restrict groups

Michael Lang michael.lang at CTBTO.ORG
Wed Jul 10 05:54:47 UTC 2013


On 07/09/2013 10:07 PM, Mark Reynolds wrote:
> Hi Andy,
>
> What exactly do you mean by restrict the number of users/groups?  Like a size
> limit, or you want to restrict particular users/groups that the client
> can see?
>
> If you want to restrict particular entries then you should use access
> control - as long as your client is not binding as the root
> DN (cn=directory manager):
>
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Access_Control.html


Andy,

I would use "Views" to do so. They are comparable to a filter
(without specifying it on the client) but mandatory to authenticate (as
you would like to limit the base of what they can see). Therefore you would
add some unique identification for your objects (e.g. nsrole:
cn=myApplicationName,dc=example,dc=com; of course you can have multiple ones),
then you create an object like

dn: ou=MyView,dc=example,dc=com
objectClass: top
objectClass: nsview
objectClass: organizationalUnit
ou: MyView
nsviewfilter: (nsrole=cn=myApplication,...)

and restrict the DNs your clients authenticating against your Directory
to this view only ...

https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/using-views.html

regards
mIke


>
> Regards,
> Mark
>
> On 07/08/2013 06:43 PM, Andy Spooner wrote:
>>
>> How do I restrict the number of groups or users that an 
>> application/service can see?
>>
>> I have an application that authenticates against 389. I want to 
>> restrict the groups that are available to the application.
>>
>> Regards
>>
>> Andy
>>
>> --
>> 389 users mailing list
>> 389-users at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
> -- 
> Mark Reynolds
> Red Hat, Inc
> mreynolds at redhat.com
>
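An added example, not part of Michael's message or of the 389 project's code: an offline Python preview of which entries a given nsviewfilter value would select, so a filter can be checked against sample data before the view entry is created. The entries, DNs and function names are constructed for illustration; the parser handles only equality items and the &, | and ! operators, and nsrole is treated as a stored attribute although the server computes it.

```python
# Constructed sample entries (not from the thread). nsrole is stored as a plain
# attribute here; in 389 DS the server computes it from role membership.
ROLE = "cn=myApplication,dc=example,dc=com"
ENTRIES = {
    "cn=app-admins,ou=Groups,dc=example,dc=com": {"objectclass": ["groupOfNames"], "nsrole": [ROLE]},
    "cn=finance,ou=Groups,dc=example,dc=com": {"objectclass": ["groupOfNames"], "nsrole": []},
    "uid=alice,ou=People,dc=example,dc=com": {"objectclass": ["inetOrgPerson"], "nsrole": [ROLE]},
}

def parse_filter(text):
    """Parse an LDAP filter limited to equality items and & | ! (hypothetical helper)."""
    pos = 0
    def node():
        nonlocal pos
        if text[pos:pos + 1] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if text[pos:pos + 1] in ("&", "|", "!"):
            op, kids = text[pos], []
            pos += 1
            while text[pos:pos + 1] == "(":
                kids.append(node())
            if not kids or (op == "!" and len(kids) != 1):
                raise ValueError(f"bad operand count for '{op}'")
            result = (op, kids)
        else:
            end = text.find(")", pos)
            attr, eq, value = text[pos:end].partition("=")
            if end < 0 or not attr or not eq:
                raise ValueError(f"bad equality item at offset {pos}")
            result, pos = ("=", attr.lower(), value.lower()), end
        if text[pos:pos + 1] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        pos += 1
        return result
    return node()

def matches(tree, entry):
    if tree[0] == "=":  # case-insensitive equality on any value of the attribute
        return tree[2] in [v.lower() for v in entry.get(tree[1], [])]
    results = [matches(kid, entry) for kid in tree[1]]
    if tree[0] == "!":
        return not results[0]
    return all(results) if tree[0] == "&" else any(results)

def view_members(nsviewfilter, entries):
    """Return the sorted DNs that the view filter would select."""
    tree = parse_filter(nsviewfilter)
    return sorted(dn for dn, e in entries.items() if matches(tree, e))
```

Running the same filter with ldapsearch while bound as the application's own DN is the corresponding check against a live server.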
