Dear Peter,

Thanks for your update. As you specified, I am trying to set up this option. Thanks again.

Geo.

Thanks & Regards
Geo P.C.
www.geopc.co.cc

On Tue, May 7, 2013 at 8:34 PM, Peter Gietz <[email protected]> wrote:
> Hi Geo,
>
> I don't think that alias object will be of use for you. Frankly, I don't quite understand how you would like to use that.
>
> What you should do, as I proposed (solution 2b.):
>
> define an attribute like allowedService and manage that instead of using groups.
>
> create accounts for each application (all applications have a bind DN and bind password to connect to an LDAP server)
>
> And then restrict the access rights of these DNs via ACLs such as:
>
>     access to filter=(allowedService=Wordpress)
>         by cn=wordpress,ou=serviceaccounts,dc=example,dc=com read
>     ...
>
>     access to * by * none
>
> Cheers,
>
> Peter
>
> On 07.05.2013 14:59, Geo P.C. wrote:
>
> Dear Peter,
>
> Thanks for your reply. In order to log in to an application from a selected group only, we checked the alias option. But it was not working. Please see the details:
>
> In the application we have given the base DN as ou=People,dc=geo,dc=com, and the user DN uid=geo_pc,ou=People,dc=geo,dc=com is able to log in to the application successfully.
>
> Now we created an alias as follows:
>
>     dn: uid=geo_pc,ou=Applications,ou=Groups,dc=geo,dc=com
>     aliasedobjectname: uid=geo_pc,ou=People,dc=geo,dc=com
>     objectclass: alias
>     objectclass: extensibleObject
>     objectclass: top
>     uid: geo_pc
>
> Now in the application we have given the base DN as ou=Applications,ou=Groups,dc=geo,dc=com, but with this user ou=Applications,ou=Groups,dc=geo,dc=com we are unable to log in to the application.
>
> Please let us know if there is any additional configuration we need to do. Can you please help me with it?
>
> Thanks
> Geo
>
> Thanks & Regards
> Geo P.C.
> www.geopc.co.cc
>
> On Tue, May 7, 2013 at 5:51 PM, Peter Gietz <[email protected]> wrote:
>>
>> 1.) If you had a config parameter like search filter in your application, you could use that to make unwanted users invisible to the application. But this means you can't use group entries, only dynamic groups, i.e. a group is an LDAP filter, e.g. "(allowedServices=Wordpress)", and you manage group privileges in your own attribute allowedServices.
>>
>> 2.) You could also do this via ACLs in the server, each application using its own bind DN, which can then have read access to a subset of the data. Here you can use a.) group entries or b.) dynamic groups.
>>
>> 3.) Of course you could also have a separate replica for each application with filtered entries, but only with dynamic groups (see 1.), but that is a lot of overhead. Beware: combining this with 2., i.e. group ACLs on the replica bind DN, is a rathole, don't do that!
>>
>> 4.) IMHO best would be to file a feature request to the application developers for supporting LDAP groups.
>>
>> If not 4.), my recommendation would be 2a.), being the minimally invasive alternative.
>>
>> Hope this helps,
>>
>> Peter
>>
>> On 06.05.2013 12:21, Geo P.C. wrote:
>>
>> Hi
>>
>> We are using many applications like zabbix, phabricator, AC etc. We need to integrate LDAP in all these applications. These applications support LDAP but not group-based authentication.
>>
>> Please let us know if there is any option to restrict login to selected users. We created all users under the ou 'users'.
>>
>> On these applications we need to allow only certain users to log in. How can we restrict it, as we can't restrict it on the application side?
>>
>> In these applications they provide only "Base DN" and "Search Attribute", so we can't give dn: ou=users,ou=system as it gives access to all users.
>>
>> So is it possible to give the Base DN as "cn=Zabbix,ou=groups,ou=system", where this group contains only user1 and user2, so it will restrict users?
>>
>> Please let us know how we can implement this scenario. Thanks in advance; please help us to solve this issue.
>>
>> Thanks
>> Geo
>>
>> --
>>
>> Peter Gietz, CEO
>>
>> DAASI International GmbH
>> Europaplatz 3
>> D-72072 Tübingen
>> Germany
>>
>> phone: +49 7071 407109-0
>> fax: +49 7071 407109-9
>> email: [email protected]
>> web: www.daasi.de
>>
>> Registered office: Tübingen
>> Commercial register: Amtsgericht Stuttgart, HRB 382175
>> Management: Peter Gietz
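Added example, not part of the thread and not code from Peter or from DAASI: a concrete OpenLDAP cn=config implementation of option 2b (one bind DN per application, server-side ACLs decide which user entries that DN can see). It departs from the `filter=(allowedService=Wordpress)` sketch above in one respect. slapd evaluates access directives in order and uses only the first `to` clause whose entry and attribute match, so with one `filter=` directive per application, a user entitled to two applications is visible only to the first application's bind DN. Storing the permitted service account DNs in a DN-syntax attribute on the user entry and granting read with a single `by dnattr=` clause avoids that. Assumed here: suffix dc=geo,dc=com with users under ou=People (from Geo's mails), database `olcDatabase={1}mdb`, an administrator DN cn=admin,dc=geo,dc=com, and the OID arc 1.3.6.1.4.1.99999 as a placeholder to be replaced by your own private enterprise number.

```ldif
# Added example; suffix, database name, admin DN and the OID arc
# 1.3.6.1.4.1.99999 are assumptions. Parts 1 and 2 are applied as the
# server's root user (ldapadd/ldapmodify -Y EXTERNAL -H ldapi:///),
# part 3 as the directory administrator (ldapmodify -a -x -D ... -W).

# --- Part 1: schema. A DN-valued, multi-valued attribute listing the
# application bind DNs that may see the user entry, plus an auxiliary
# class so it can be attached to existing inetOrgPerson entries.
dn: cn=serviceconsumer,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: serviceconsumer
olcAttributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'allowedServiceAccount'
  DESC 'DN of an application service account allowed to see this entry'
  EQUALITY distinguishedNameMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
olcObjectClasses: ( 1.3.6.1.4.1.99999.1.2 NAME 'serviceConsumer'
  DESC 'Auxiliary class carrying allowedServiceAccount'
  SUP top AUXILIARY
  MAY ( allowedServiceAccount ) )

# --- Part 2: ACLs. This replaces the whole ACL list of the database.
# Order matters: the first "to" clause matching entry and attribute wins.
# {0} must come first, otherwise {2} would also cover userPassword and
# deny the anonymous "auth" access that every simple bind (users and
# service accounts alike) needs.
# {1} keeps the search base itself visible; a bind DN with no access to
# the base entry gets noSuchObject instead of an empty result.
# {2} is the actual per-application restriction: an application's bind
# DN reads a user entry only if that DN is listed in the entry.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to dn.exact="ou=People,dc=geo,dc=com"
  by users read
  by * none
olcAccess: {2}to dn.children="ou=People,dc=geo,dc=com"
  by dnattr=allowedServiceAccount read
  by self read
  by * none
olcAccess: {3}to * by * none

# --- Part 3: data. One bind account per application; generate the
# password hashes with slappasswd and paste them in place of the
# placeholders.
dn: ou=serviceaccounts,dc=geo,dc=com
objectClass: organizationalUnit
ou: serviceaccounts

dn: cn=zabbix,ou=serviceaccounts,dc=geo,dc=com
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: zabbix
userPassword: {SSHA}replace-with-slappasswd-output

dn: cn=phabricator,ou=serviceaccounts,dc=geo,dc=com
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: phabricator
userPassword: {SSHA}replace-with-slappasswd-output

# Entitle geo_pc to Zabbix and Phabricator. A user entry without any
# allowedServiceAccount value is invisible to every application's
# bind DN, so that user cannot log in anywhere.
dn: uid=geo_pc,ou=People,dc=geo,dc=com
changetype: modify
add: objectClass
objectClass: serviceConsumer
-
add: allowedServiceAccount
allowedServiceAccount: cn=zabbix,ou=serviceaccounts,dc=geo,dc=com
allowedServiceAccount: cn=phabricator,ou=serviceaccounts,dc=geo,dc=com
```

In each application, configure Base DN ou=People,dc=geo,dc=com, the application's own service account as bind DN, and uid as the search attribute; the application searches for the login name with its bind DN, and a user it is not entitled to simply is not found, so the login is refused before any password is tried. Check the effect from the command line before touching the applications: `ldapsearch -x -D "cn=zabbix,ou=serviceaccounts,dc=geo,dc=com" -W -b "ou=People,dc=geo,dc=com" "(uid=*)" dn` must list only entries that carry that DN in allowedServiceAccount, the same search as the phabricator account must list only its entries, and `ldapwhoami -x -D "uid=geo_pc,ou=People,dc=geo,dc=com" -W` must still succeed, which proves directive {0} lets users bind. Peter's original `filter=`-based directive works just as well when every user belongs to exactly one application; the dnattr form is only needed once users overlap.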
