On Wed, 2016-11-16 at 13:30 +0000, Mehdi Sarmadi wrote:
> Hello
>
> In 389ds ACI, many operations like search, read, write, ... can be restricted
> based on evaluating time, IP, DNS name, authenticated user and some other
> conditions.
>
> We have multiple applications which authenticate (bind only) their users with
> a Directory (389ds).
>
> I need to restrict users from logging on applications based on a policy. For
> example UserA could be logged on App1, and not App2, and so on.
> For that I'm looking for a feature that could be helpful.
Is this just "who is allowed to access appX", or is it "while logged into
A you cannot log in to B?"

Anyway, my advice is to use groups and memberOf if it's the first case.

Add the users to groups, i.e.:

objectClass: groupOfNames
member: uid=user,ou=People,dc=....

Then, if you have the memberOf plugin enabled, you want to run the fixup
task initially.

Once done, you should see:

dn: uid=william,ou=People,dc=...
uid: william
objectClass: inetUser    <<-- Your users MUST have this objectClass
                               to accept the memberOf attr.
memberOf: cn=network_admins,ou=Groups,dc=...

Now you can filter in your application config based on:

ldap_auth_filter = '(memberOf=cn=network_admins,ou=Groups,dc=...)'

Hope that helps.
>
> 1.
> I thought of a feature in ACI, in which ACI could be defined on Bind
> operations, too. For example we could define an ACI saying users with a
> filter, say (attributeA=App1) or (objectClass=App1User), and a fromIP
> restriction (of the server of application App1), allows or denies binding of
> users. And users + apps which do not match the criteria could not
> log in (they will get err=49 or Invalid Credentials), and those who match could
> log in.
>
> 2.
> I thought of another solution, too, in which by putting users in dynamic
> containers which have a bind feature. For example there is a certain type of OU
> which is dynamically filled by users that have a certain characteristic:
> - OU=App1,DC=domain,DC=com contains users with (attributeA=App1) or
> (objectClass=App1User).
> - OU=App2,DC=domain,DC=com contains users with (attributeA=App2) or
> (objectClass=App1User).
>
> In this case I can tell app1 to authenticate UserA against its own
> OU=App1,DC=domain,DC=com contains users, and app2 against
> OU=App2,DC=domain,DC=com.
>
> I'm wondering if anyone has any idea or has been in the same place.
>
> Thanks
--
Sincerely,
William Brown
Software Engineer
Red Hat, Brisbane
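As an added example (not code from the thread or from 389ds), here is a small Python check that evaluates a user entry, as exported by ldapsearch in LDIF form, the way an application's memberOf filter would, and reports the inetUser prerequisite William mentions separately so a silent deny can be diagnosed. The dc=example,dc=com suffix, group names and sample entries are constructed.

```python
# Added example, not from the thread: apply the memberOf-based app filter offline.
def parse_ldif(text):
    """Minimal LDIF reader (no line wrapping, no base64 values)."""
    entries, entry = [], {}
    for line in text.splitlines():
        if not line.strip():            # blank line ends an entry
            if entry:
                entries.append(entry)
            entry = {}
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    if entry:
        entries.append(entry)
    return entries

def dn_eq(a, b):
    """DNs compare case-insensitively; ignore whitespace around commas."""
    norm = lambda d: ",".join(p.strip() for p in d.lower().split(","))
    return norm(a) == norm(b)

def login_decision(entry, group_dn):
    """What (memberOf=<group_dn>) in ldap_auth_filter will do for this entry,
    with the inetUser prerequisite reported separately for diagnosis."""
    if not any(v.lower() == "inetuser" for v in entry.get("objectclass", [])):
        return "deny: no inetUser objectClass, so memberOf cannot be stored"
    if any(dn_eq(v, group_dn) for v in entry.get("memberof", [])):
        return "allow"
    return "deny: not a member of " + group_dn

def app_access(ldif_text, app_groups):
    """Per application, the uids its memberOf filter would admit."""
    by_uid = {e["uid"][0]: e for e in parse_ldif(ldif_text)}
    return {app: sorted(u for u, e in by_uid.items() if login_decision(e, g) == "allow")
            for app, g in app_groups.items()}

# Constructed sample export under a hypothetical dc=example,dc=com suffix.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
objectClass: inetOrgPerson
objectClass: inetUser
memberOf: CN=App1_Users,OU=Groups,DC=example,DC=com

dn: uid=carol,ou=People,dc=example,dc=com
uid: carol
objectClass: inetOrgPerson
"""
APP_GROUPS = {"App1": "cn=app1_users,ou=Groups,dc=example,dc=com",
              "App2": "cn=app2_users,ou=Groups,dc=example,dc=com"}
```

Running `app_access(SAMPLE_LDIF, APP_GROUPS)` admits only alice to App1 and nobody to App2; carol is denied everywhere because without inetUser the fixup task never wrote a memberOf value onto her entry.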
_______________________________________________ 389-users mailing list -- [email protected] To unsubscribe send an email to [email protected]
