Look closer: you first bind as Directory Manager but later you bind as test. That second bind doesn't make any sense to me. Please attach the ldapsearch log and the audit logs. This may give someone, myself included, some clues about the problem.
Greg.

On 27 Sep 2012 21:35, "Satish Patel" <[email protected]> wrote:
> Maybe I am binding the DN using cn=directory manager and because of that it
> doesn't know about the test or test4 user and because of that it ignores the ACL.
>
> On Tue, Sep 25, 2012 at 7:31 PM, Grzegorz Dwornicki <[email protected]> wrote:
>
>> I have to admit I thought that the access log for the webapp would show an
>> anomaly, but I was wrong. If ldapsearch does not bind, please show us the logs
>> of these. Maybe comparing the logs will tell us something...
>>
>> Greg.
>> On 25 Sep 2012 20:17, "Satish Patel" <[email protected]> wrote:
>>
>>> Ah! I was testing multiple users. test and test4 both have an ACL and have the
>>> same problem.
>>>
>>> On Tue, Sep 25, 2012 at 2:16 PM, Patrick Morris <[email protected]> wrote:
>>>
>>>> On 9/25/2012 11:07 AM, Satish Patel wrote:
>>>>
>>>> This is what I got in the access logs.
>>>>
>>>>> [25/Sep/2012:14:04:36 -0400] conn=497 fd=75 slot=75 connection from 10.101.100.236 to 10.10.52.10
>>>>> [25/Sep/2012:14:04:36 -0400] conn=497 op=0 BIND dn="cn=Directory Manager" method=128 version=3
>>>>> [25/Sep/2012:14:04:36 -0400] conn=497 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
>>>>> [25/Sep/2012:14:04:36 -0400] conn=497 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(&(uid=test4)(objectClass=person))" attrs="1.1"
>>>>> [25/Sep/2012:14:04:36 -0400] conn=497 op=1 RESULT err=0 tag=101 nentries=1 etime=0
>>>>> [25/Sep/2012:14:04:36 -0400] conn=498 fd=76 slot=76 connection from 10.101.100.236 to 10.10.52.10
>>>>> [25/Sep/2012:14:04:36 -0400] conn=497 op=2 UNBIND
>>>>> [25/Sep/2012:14:04:36 -0400] conn=497 op=2 fd=75 closed - U1
>>>>> [25/Sep/2012:14:04:36 -0400] conn=498 op=0 BIND dn="uid=test4,ou=People,dc=example,dc=com" method=128 version=3
>>>>> [25/Sep/2012:14:04:36 -0400] conn=498 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=test4,ou=people,dc=example,dc=com"
>>>>> [25/Sep/2012:14:04:36 -0400] conn=498 op=1 UNBIND
>>>>
>>>> On Tue, Sep 25, 2012 at 1:46 PM, Grzegorz Dwornicki <[email protected]> wrote:
>>>>
>>>>> Can you provide logs from FDS when you are trying to log in via the
>>>>> application?
>>>>>
>>>>> Greg.
>>>>> On 25 Sep 2012 19:27, "Satish Patel" <[email protected]> wrote:
>>>>>
>>>>>> Hello ALL,
>>>>>>
>>>>>> I have a web-based application and users authenticate to the web application
>>>>>> using Directory Service (FDS). I want to restrict some users from being allowed
>>>>>> to log in, so I have implemented a host-based deny ACL. But somehow it doesn't
>>>>>> work. Maybe I am missing something. The following ACL I have:
>>>>>>
>>>>>>> (targetattr = "*") (version 3.0;acl "Host ACL";deny (all)(userdn = "ldap:///uid=test,ou=People,dc=example,dc=com") and (ip="10.101.100.236");)
>>>>>>
>>>>>> But the interesting thing is, it works with ldapsearch but not with the web
>>>>>> application?
>>>>>
>>>> Your ACL specifies "uid=test," but that bind was done with "test4".
>>>>
-- 389 users mailing list [email protected] https://admin.fedoraproject.org/mailman/listinfo/389-users
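As an added example (not code from this thread, from 389 DS, or from the web application under discussion), the script below reads the access-log excerpt quoted above, pairs each BIND and SRCH with its RESULT per connection, and for every successful bind says whether a bind rule of the form (userdn = ...) and (ip = ...) can apply to it at all. The log lines are re-typed from the thread as a constructed sample, the regular expressions, function names and the ROOT_DN constant are assumptions of this example, and the root-DN branch encodes the 389 DS behaviour that ACIs are never evaluated for cn=Directory Manager.

```python
import re
from collections import defaultdict

# Constructed sample: the access-log excerpt quoted in the thread, re-typed
# here line by line so the script runs offline (it is not read from a file).
SAMPLE_LOG = """\
[25/Sep/2012:14:04:36 -0400] conn=497 fd=75 slot=75 connection from 10.101.100.236 to 10.10.52.10
[25/Sep/2012:14:04:36 -0400] conn=497 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[25/Sep/2012:14:04:36 -0400] conn=497 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[25/Sep/2012:14:04:36 -0400] conn=497 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(&(uid=test4)(objectClass=person))" attrs="1.1"
[25/Sep/2012:14:04:36 -0400] conn=497 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[25/Sep/2012:14:04:36 -0400] conn=498 fd=76 slot=76 connection from 10.101.100.236 to 10.10.52.10
[25/Sep/2012:14:04:36 -0400] conn=497 op=2 UNBIND
[25/Sep/2012:14:04:36 -0400] conn=497 op=2 fd=75 closed - U1
[25/Sep/2012:14:04:36 -0400] conn=498 op=0 BIND dn="uid=test4,ou=People,dc=example,dc=com" method=128 version=3
[25/Sep/2012:14:04:36 -0400] conn=498 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=test4,ou=people,dc=example,dc=com"
[25/Sep/2012:14:04:36 -0400] conn=498 op=1 UNBIND
"""

# Assumed patterns for the four record types this example cares about.
CONN_RE = re.compile(r'conn=(\d+) fd=\d+ slot=\d+ connection from (\S+) to (\S+)')
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d) filter="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+) tag=(\d+)(?: nentries=(\d+))?')

# 389 DS root DN: ACIs are not evaluated for it, so no deny rule can reach it.
ROOT_DN = "cn=directory manager"


def normalize_dn(dn):
    """Case-fold and strip spaces after commas so DNs compare by value."""
    return dn.lower().replace(", ", ",")


def parse_access_log(text):
    """Group each connection's client IP, binds and searches.

    Returns {conn: {"client": ip, "binds": [(op, dn, err)],
                    "searches": [(op, base, filter, err, nentries)]}}
    """
    conns = defaultdict(lambda: {"client": None, "binds": [], "searches": []})
    pending = {}  # (conn, op) -> record waiting for its RESULT line
    for line in text.splitlines():
        m = CONN_RE.search(line)
        if m:
            conns[int(m.group(1))]["client"] = m.group(2)
            continue
        m = BIND_RE.search(line)
        if m:
            pending[(int(m.group(1)), int(m.group(2)))] = ("bind", m.group(3))
            continue
        m = SRCH_RE.search(line)
        if m:
            pending[(int(m.group(1)), int(m.group(2)))] = ("srch", m.group(3), m.group(5))
            continue
        m = RESULT_RE.search(line)
        if m:
            key = (int(m.group(1)), int(m.group(2)))
            err = int(m.group(3))
            nentries = int(m.group(5)) if m.group(5) else 0
            rec = pending.pop(key, None)
            if rec is None:  # RESULT for an op we did not track (e.g. none)
                continue
            if rec[0] == "bind":
                conns[key[0]]["binds"].append((key[1], rec[1], err))
            else:
                conns[key[0]]["searches"].append((key[1], rec[1], rec[2], err, nentries))
    return dict(conns)


def aci_findings(conns, aci_userdn, aci_ip):
    """For each successful bind, say whether a (userdn AND ip) bind rule can apply.

    Returns [(conn, bound_dn, client_ip, verdict)] in connection order.
    """
    findings = []
    want_dn = normalize_dn(aci_userdn)
    for conn, info in sorted(conns.items()):
        for _op, dn, err in info["binds"]:
            if err != 0:
                continue  # failed binds never become a subject for ACI evaluation
            bound = normalize_dn(dn)
            if bound == ROOT_DN:
                verdict = "root DN: ACIs not evaluated"
            elif bound != want_dn:
                verdict = "not the ACI's userdn"
            elif info["client"] != aci_ip:
                verdict = "userdn matches but client ip differs"
            else:
                verdict = "ACI applies"
            findings.append((conn, dn, info["client"], verdict))
    return findings


if __name__ == "__main__":
    parsed = parse_access_log(SAMPLE_LOG)
    # The userdn and ip are the values from the ACI quoted in the thread.
    for finding in aci_findings(parsed, "uid=test,ou=People,dc=example,dc=com", "10.101.100.236"):
        print(finding)
```

Run against the excerpt, the two binds come back as "root DN: ACIs not evaluated" (conn=497) and "not the ACI's userdn" (conn=498): the lookup that locates the user runs as Directory Manager, which no ACI can restrict, and the user bind is test4 while the rule names test. Even with the DN corrected, a deny ACI only limits what the bound identity may read or write afterwards; it does not make the bind itself fail, so an application that treats "bind succeeded" as "login allowed" is not stopped by it. Locking the account (nsAccountLock in 389 DS) is the control that makes the bind fail.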
