Maybe I am binding the DN using cn=directory manager, and because of that it doesn't understand about the test or test4 user, and because of that it ignores the ACL.

On Tue, Sep 25, 2012 at 7:31 PM, Grzegorz Dwornicki <[email protected]> wrote:

> I have to admit I thought that the access log for the webapp would show an anomaly, but
> I was wrong. If ldapsearch does not bind, please show us logs of these.
> Maybe comparing the logs will tell us something...
>
> Greg.
> On 25 Sep 2012 20:17, "Satish Patel" <[email protected]> wrote:
>
>> Ah! I was testing multiple users. test and test4 both have an ACL and have the same
>> problem.
>>
>> On Tue, Sep 25, 2012 at 2:16 PM, Patrick Morris <[email protected]> wrote:
>>
>>> On 9/25/2012 11:07 AM, Satish Patel wrote:
>>>
>>> This is what I got in the access logs.
>>>
>>>> [25/Sep/2012:14:04:36 -0400] conn=497 fd=75 slot=75 connection from 10.101.100.236 to 10.10.52.10
>>>> [25/Sep/2012:14:04:36 -0400] conn=497 op=0 BIND dn="cn=Directory Manager" method=128 version=3
>>>> [25/Sep/2012:14:04:36 -0400] conn=497 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
>>>> [25/Sep/2012:14:04:36 -0400] conn=497 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(&(uid=test4)(objectClass=person))" attrs="1.1"
>>>> [25/Sep/2012:14:04:36 -0400] conn=497 op=1 RESULT err=0 tag=101 nentries=1 etime=0
>>>> [25/Sep/2012:14:04:36 -0400] conn=498 fd=76 slot=76 connection from 10.101.100.236 to 10.10.52.10
>>>> [25/Sep/2012:14:04:36 -0400] conn=497 op=2 UNBIND
>>>> [25/Sep/2012:14:04:36 -0400] conn=497 op=2 fd=75 closed - U1
>>>> [25/Sep/2012:14:04:36 -0400] conn=498 op=0 BIND dn="uid=test4,ou=People,dc=example,dc=com" method=128 version=3
>>>> [25/Sep/2012:14:04:36 -0400] conn=498 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=test4,ou=people,dc=example,dc=com"
>>>> [25/Sep/2012:14:04:36 -0400] conn=498 op=1 UNBIND
>>>
>>> On Tue, Sep 25, 2012 at 1:46 PM, Grzegorz Dwornicki <[email protected]> wrote:
>>>
>>>> Can you provide logs from FDS when you are trying to log in via the
>>>> application?
>>>>
>>>> Greg.
>>>> On 25 Sep 2012 19:27, "Satish Patel" <[email protected]> wrote:
>>>>
>>>>> Hello ALL,
>>>>>
>>>>> I have a web-based application, and users authenticate to the web application
>>>>> using Directory Service (FDS). I want to restrict some users from logging in,
>>>>> so I have implemented a host-based deny ACL. But somehow it doesn't work.
>>>>> Maybe I am missing something. I have the following ACL.
>>>>>
>>>>>> (targetattr = "*") (version 3.0;acl "Host ACL";deny (all)(userdn = "ldap:///uid=test,ou=People,dc=example,dc=com") and (ip="10.101.100.236");)
>>>>>
>>>>> But the interesting thing is, it works with ldapsearch but not with the web
>>>>> application?
>>>>
>>> Your ACL specifies "uid=test," but that bind was done with "test4".
>>>
>>> --
>>> 389 users mailing list
>>> [email protected]
>>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>>
>> --
>> 389 users mailing list
>> [email protected]
>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
> --
> 389 users mailing list
> [email protected]
> https://admin.fedoraproject.org/mailman/listinfo/389-users
--
389 users mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/389-users
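
An added example, not written by anyone in this thread and not 389 Directory Server project code: it replays the access-log excerpt quoted above and tags every operation with the DN that was bound on that connection when it ran, which is the identity a `userdn` rule is matched against. The function names `trace_connections` and `bind_only` are assumptions of this example.

```python
import re
# Access-log lines copied from the thread, with the mail line-wrapping undone.
ACCESS_LOG = '''\
[25/Sep/2012:14:04:36 -0400] conn=497 fd=75 slot=75 connection from 10.101.100.236 to 10.10.52.10
[25/Sep/2012:14:04:36 -0400] conn=497 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[25/Sep/2012:14:04:36 -0400] conn=497 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[25/Sep/2012:14:04:36 -0400] conn=497 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(&(uid=test4)(objectClass=person))" attrs="1.1"
[25/Sep/2012:14:04:36 -0400] conn=497 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[25/Sep/2012:14:04:36 -0400] conn=498 fd=76 slot=76 connection from 10.101.100.236 to 10.10.52.10
[25/Sep/2012:14:04:36 -0400] conn=497 op=2 UNBIND
[25/Sep/2012:14:04:36 -0400] conn=497 op=2 fd=75 closed - U1
[25/Sep/2012:14:04:36 -0400] conn=498 op=0 BIND dn="uid=test4,ou=People,dc=example,dc=com" method=128 version=3
[25/Sep/2012:14:04:36 -0400] conn=498 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=test4,ou=people,dc=example,dc=com"
[25/Sep/2012:14:04:36 -0400] conn=498 op=1 UNBIND
'''
CONN_RE = re.compile(r'conn=(\d+) fd=\d+ slot=\d+ connection from (\S+) to \S+')
EVENT_RE = re.compile(r'conn=(\d+) op=\d+ ([A-Z]+)\b(.*)')
DN_RE = re.compile(r'dn="([^"]*)"')
FILTER_RE = re.compile(r'filter="([^"]*)"')
BIND_OK_RE = re.compile(r'\berr=0\b.*\btag=97\b')

def trace_connections(log_text):
    """Map conn id -> client IP, last successful bind DN, and non-bind operations."""
    conns = {}
    for line in log_text.splitlines():
        opened = CONN_RE.search(line)
        if opened:
            conns[opened.group(1)] = {"client": opened.group(2), "bind_dn": None, "ops": []}
            continue
        event = EVENT_RE.search(line)
        if not event:
            continue  # e.g. "fd=75 closed - U1"
        conn, op, rest = event.groups()
        state = conns.setdefault(conn, {"client": None, "bind_dn": None, "ops": []})
        # The identity changes only when the bind's RESULT (tag=97) reports err=0.
        if op == "RESULT" and BIND_OK_RE.search(rest):
            dn = DN_RE.search(rest)
            state["bind_dn"] = dn.group(1) if dn else ""
        elif op not in ("BIND", "UNBIND", "RESULT"):
            flt = FILTER_RE.search(rest)
            state["ops"].append((op, state["bind_dn"], flt.group(1) if flt else None))
    return conns

def bind_only(conns):
    """Connections that authenticated but never ran an entry operation."""
    return [c for c, s in conns.items() if s["bind_dn"] and not s["ops"]]

if __name__ == "__main__":
    print(trace_connections(ACCESS_LOG), bind_only(trace_connections(ACCESS_LOG)))
```

On this excerpt the only SRCH runs as `cn=directory manager`, and conn=498 binds as `uid=test4` and unbinds without issuing any entry operation. In 389 Directory Server, Directory Manager is not subject to ACIs, so the identity each operation runs under is the first thing to check when a deny rule seems to be ignored.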
