Re: [Fedora-directory-users] How to control the BIND operation using ACI

2008-05-11 Thread Andrey Ivanov
If you have complete control over an application's configuration, you can
do anything you want anyway, even use the /etc/passwd file instead of
LDAP :)

If you consider, however, that a bind limitation based on the ACIs could
be a useful feature, you can request it in the Fedora Directory Server
bugzilla (bugzilla.redhat.com). I don't know whether this feature exists
in OpenLDAP or Active Directory...


2008/5/11 <[EMAIL PROTECTED]>:
> Thank you very much for the URLs. This will help me to control which
> group's users can authenticate using ldap and go through the proxy. I will
> follow this approach.
>
> Still there is the case where, if the squid proxy server is administered
> by some other people, they can bypass this restriction: instead of
> defining filters for the ldap operation, they can simply use the BIND
> operation to get authenticated. This can never be controlled at the LDAP
> server level. For that matter, this can be used by any application to
> bypass group level control.

--
Fedora-directory-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/fedora-directory-users


Re: [Fedora-directory-users] How to control the BIND operation using ACI

2008-05-11 Thread murthy
Hi,

   Thank you very much for the URLs. This will help me to control which
group's users can authenticate using ldap and go through the proxy. I will
follow this approach.

   Still there is the case where, if the squid proxy server is administered
by some other people, they can bypass this restriction: instead of
defining filters for the ldap operation, they can simply use the BIND
operation to get authenticated. This can never be controlled at the LDAP
server level. For that matter, this can be used by any application to
bypass group level control.

regards
murthy
> As far as I can see from a quick Google search, squid can do
> authorisation using ldap filters and groups; for example, look at this
> page :
> http://linux.com.hk/penguin/man/8/squid_ldap_group.html
>
> or here :
> http://linux.die.net/man/8/squid_ldap_auth

Re: [Fedora-directory-users] How to control the BIND operation using ACI

2008-05-10 Thread Andrey Ivanov
As far as I can see from a quick Google search, squid can do
authorisation using ldap filters and groups; for example, look at this
page :
http://linux.com.hk/penguin/man/8/squid_ldap_group.html

or here :
http://linux.die.net/man/8/squid_ldap_auth


2008/5/10 <[EMAIL PROTECTED]>:
> Hi,
>  Thanks for the confirmation. Applications like squid are not doing any
>  read/search/compare to verify authentication, but simply doing a BIND
>  operation. I think the directory server may incorporate some form of BIND
>  control feature.
>
>  regards
>  murthy

Re: [Fedora-directory-users] How to control the BIND operation using ACI

2008-05-09 Thread murthy
Hi,
Thanks for the confirmation. Applications like squid are not doing any
read/search/compare to verify authentication, but simply doing a BIND
operation. I think the directory server may incorporate some form of BIND
control feature.

regards
murthy
> Yes, I think that there is no way to deny a BIND depending on the
> group and originating IP condition. You can however deny any other
> access (read/compare/search). Depending on the filter you define for
> squid/sendmail/php web page (even the simplest objectClass=*), these
> conditions are equivalent (the ldapsearch will bind but it will always
> return an empty set)...


Re: [Fedora-directory-users] How to control the BIND operation using ACI

2008-05-09 Thread Andrey Ivanov
Yes, I think that there is no way to deny a BIND depending on the
group and originating IP condition. You can however deny any other
access (read/compare/search). Depending on the filter you define for
squid/sendmail/php web page (even the simplest objectClass=*), these
conditions are equivalent (the ldapsearch will bind but it will always
return an empty set)...


2008/5/9 C.S.R.C.Murthy <[EMAIL PROTECTED]>:
> Hi Andrey,
>   As a first step, according to your suggestion, I have removed the default
> ACIs for anonymous and authenticated users. With this I expected that squid
> will not be able to BIND to the directory server, as the default ACI action
> should be DENY in case there is no matching rule. But it is able to
> successfully BIND when I give a proper login/password. If I am not able to
> deny the BIND operation when there are no anonymous/authenticated ACIs, then I
> will never be able to control BIND access, I assume. Please clarify.
>
>  regards
>  murthy


Re: [Fedora-directory-users] How to control the BIND operation using ACI

2008-05-09 Thread C.S.R.C.Murthy

Hi Andrey,
  As a first step, according to your suggestion, I have removed the
default ACIs for anonymous and authenticated users. With this I expected
that squid will not be able to BIND to the directory server, as the
default ACI action should be DENY in case there is no matching rule. But
it is able to successfully BIND when I give a proper login/password. If I
am not able to deny the BIND operation when there are no
anonymous/authenticated ACIs, then I will never be able to control BIND
access, I assume. Please clarify.


regards
murthy

Andrey Ivanov wrote:

Anyway it is better to make "allow" ACIs, not "deny" ACIs.

As for your problem, here is what the ACIs should look like (supposing
that your groups are cn=INTERNET,ou=Groups,dc=example,dc=com and
cn=EMAIL,ou=Groups,dc=example,dc=com, the IP addresses of your squid server
are 192.168.0.66 and 172.16.191.66, and the addresses of your email servers
are 192.168.1.100 and 192.168.1.101).

Delete all the default ACIs (for anonymous/authenticated users) and
choose the attributes that you want to expose (attr1, attr2...).

For the INTERNET group :
aci: (targetattr = "attr1 || attr2")(version 3.0; acl "Enable
 attributes to read for certain ip addresses and to authenticated
 users"; allow (read,search,compare)(((ip="192.168.0.66") or
 (ip="172.16.191.66")) and (groupdn =
 "ldap:///cn=INTERNET,ou=Groups,dc=example,dc=com"));)


For the EMAIL group :
aci: (targetattr = "attr1 || attr2")(version 3.0; acl "Enable
 attributes to read for certain ip addresses and to authenticated
 users"; allow (read,search,compare)(((ip="192.168.1.100") or
 (ip="192.168.1.101")) and (groupdn =
 "ldap:///cn=EMAIL,ou=Groups,dc=example,dc=com"));)



Re: [Fedora-directory-users] How to control the BIND operation using ACI

2008-05-09 Thread Andrey Ivanov
Anyway it is better to make "allow" ACIs, not "deny" ACIs.

As for your problem, here is what the ACIs should look like (supposing
that your groups are cn=INTERNET,ou=Groups,dc=example,dc=com and
cn=EMAIL,ou=Groups,dc=example,dc=com, the IP addresses of your squid server
are 192.168.0.66 and 172.16.191.66, and the addresses of your email servers
are 192.168.1.100 and 192.168.1.101).

Delete all the default ACIs (for anonymous/authenticated users) and
choose the attributes that you want to expose (attr1, attr2...).

For the INTERNET group :
aci: (targetattr = "attr1 || attr2")(version 3.0; acl "Enable
 attributes to read for certain ip addresses and to authenticated
 users"; allow (read,search,compare)(((ip="192.168.0.66") or
 (ip="172.16.191.66")) and (groupdn =
 "ldap:///cn=INTERNET,ou=Groups,dc=example,dc=com"));)


For the EMAIL group :
aci: (targetattr = "attr1 || attr2")(version 3.0; acl "Enable
 attributes to read for certain ip addresses and to authenticated
 users"; allow (read,search,compare)(((ip="192.168.1.100") or
 (ip="192.168.1.101")) and (groupdn =
 "ldap:///cn=EMAIL,ou=Groups,dc=example,dc=com"));)

2008/5/9 C.S.R.C.Murthy <[EMAIL PROTECTED]>:
> Dear Andrey,
>   I did not make clear one point here. My exact ACI requirement is like
> this: I need to deny the bind operation when the connecting DN belongs to a
> certain group and the request is coming from a certain ip address. How to do
> it in ACI? More specifically, we have one INTERNET group and one EMAIL
> group. If a person is in the INTERNET group he will be allowed to authenticate
> (BIND) only from the squid proxy server. Similarly, if a person belongs to the
> EMAIL group he will be allowed to authenticate (BIND) only from the email
> server. We are unable to achieve this type of control using ACI. Please help.
>
> regards
> murthy


Re: [Fedora-directory-users] How to control the BIND operation using ACI

2008-05-08 Thread C.S.R.C.Murthy

Dear Andrey,
   I did not make clear one point here. My exact ACI requirement is
like this: I need to deny the bind operation when the connecting DN belongs
to a certain group and the request is coming from a certain ip address. How
to do it in ACI? More specifically, we have one INTERNET group and one
EMAIL group. If a person is in the INTERNET group he will be allowed to
authenticate (BIND) only from the squid proxy server. Similarly, if a person
belongs to the EMAIL group he will be allowed to authenticate (BIND) only
from the email server. We are unable to achieve this type of control using
ACI. Please help.


regards
murthy

Andrey Ivanov wrote:

You can do it like this, for example :

--
aci: (targetattr = "uniqueMember || uidNumber || gidNumber ||
 homeDirectory || loginShell || gecos")(version 3.0; acl "Enable
 attributes to read for certain ip addresses and to authenticated users";
 allow (read,search,compare)(((ip="192.168.0.*") or (ip="172.16.191.*")
 or (ip="192.168.1.15") or (ip="172.16.126.1")) and
 (userdn="ldap:///all"));)

Or you can simply use iptables...




Re: [Fedora-directory-users] How to control the BIND operation using ACI

2008-05-08 Thread Andrey Ivanov
You can do it like this, for example :

--
aci: (targetattr = "uniqueMember || uidNumber || gidNumber ||
 homeDirectory || loginShell || gecos")(version 3.0; acl "Enable
 attributes to read for certain ip addresses and to authenticated users";
 allow (read,search,compare)(((ip="192.168.0.*") or (ip="172.16.191.*")
 or (ip="192.168.1.15") or (ip="172.16.126.1")) and
 (userdn="ldap:///all"));)

Or you can simply use iptables...


2008/5/8 C.S.R.C.Murthy <[EMAIL PROTECTED]>:
> Hello all,
>   I am using directory server for squid ldap authentication. Squid takes
> username/password, binds to the directory server and if the BIND operation is
> successful it allows the user through the proxy. My problem is how to specify
> an ACI so that the BIND operation is allowed only from certain IP addresses.
> ACI allows me to restrict READ/SEARCH/WRITE operations but not the BIND
> operation. Please help.

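The mechanism this thread turns on, modelled as an added example (not part of the thread, not 389/Fedora Directory Server code, and not the Squid helpers): the allow ACIs with ip and groupdn bind rules from Andrey's 2008-05-08 and 2008-05-09 replies, a simple bind that succeeds regardless of those ACIs, and a search that comes back empty when no ACI matches. It contrasts a bind-only authenticator (the squid_ldap_auth behaviour murthy describes) with one that binds and then searches for group membership (the squid_ldap_group approach). The IP addresses and group names are the thread's; the user entries, passwords and the `alice`/`bob` accounts are assumptions made for the example.

```python
"""Why ACIs cannot gate BIND, and what closes the gap.

Added example, not 389 Directory Server code and not the Squid helpers.
It models the thread's two allow ACIs (ip + groupdn bind rules) against a
constructed directory and contrasts a bind-only authenticator with one
that binds and then searches for group membership. Users, passwords and
the alice/bob accounts are assumptions; IPs and groups come from the thread.
"""
from fnmatch import fnmatch

BASE = "dc=example,dc=com"
SQUID_IPS = ("192.168.0.66", "172.16.191.66")   # squid hosts, from the thread
MAIL_IPS = ("192.168.1.100", "192.168.1.101")   # mail hosts, from the thread

# Constructed directory: bind DN -> password, group DN -> member DNs.
USERS = {
    f"uid=alice,ou=People,{BASE}": "alice-pw",   # assumed INTERNET member
    f"uid=bob,ou=People,{BASE}": "bob-pw",       # assumed EMAIL member
}
GROUPS = {
    f"cn=INTERNET,ou=Groups,{BASE}": {f"uid=alice,ou=People,{BASE}"},
    f"cn=EMAIL,ou=Groups,{BASE}": {f"uid=bob,ou=People,{BASE}"},
}

# The thread's two allow ACIs reduced to their bind rules. With the default
# anonymous/authenticated ACIs deleted, a search is permitted only when one
# of these matches; otherwise the server returns nothing (default deny).
ACIS = [
    {"ips": SQUID_IPS, "groupdn": f"cn=INTERNET,ou=Groups,{BASE}"},
    {"ips": MAIL_IPS, "groupdn": f"cn=EMAIL,ou=Groups,{BASE}"},
]


def render_aci(aci, attrs=("uniqueMember", "cn")):
    """Emit one ACI in 389 DS syntax; the 'or' of ip rules and the 'and'
    with groupdn mirror the ACIs posted in the thread."""
    ips = " or ".join(f'(ip="{p}")' for p in aci["ips"])
    name = aci["groupdn"].split(",")[0][len("cn="):]
    return (f'(targetattr="{" || ".join(attrs)}")'
            f'(version 3.0; acl "{name} members from their own servers"; '
            f'allow (read,search,compare) (({ips}) and '
            f'(groupdn="ldap:///{aci["groupdn"]}"));)')


def ip_matches(patterns, client_ip):
    """389 ip= rules accept '*' wildcards such as 192.168.0.*, hence fnmatch."""
    return any(fnmatch(client_ip, pat) for pat in patterns)


def aci_allows_search(bind_dn, client_ip):
    """True if some ACI grants read/search/compare to this bind from this IP."""
    return any(ip_matches(a["ips"], client_ip) and bind_dn in GROUPS[a["groupdn"]]
               for a in ACIS)


def ldap_bind(bind_dn, password):
    """Simple bind: only the credentials are checked. ACIs play no part,
    which is exactly what murthy saw after deleting the default ACIs."""
    return USERS.get(bind_dn) == password


def ldap_search_group(bind_dn, client_ip, group_dn):
    """(&(cn=<group>)(uniqueMember=<bind_dn>)) performed as bind_dn.
    Returns the matching entries; empty when the ACIs hide them."""
    if not aci_allows_search(bind_dn, client_ip):
        return []
    return [group_dn] if bind_dn in GROUPS.get(group_dn, set()) else []


def bind_only_auth(uid, password, client_ip):
    """squid_ldap_auth style: OK iff the bind succeeds. client_ip is
    accepted but cannot influence the result: this is the bypass."""
    return ldap_bind(f"uid={uid},ou=People,{BASE}", password)


def group_checked_auth(uid, password, client_ip, group_cn):
    """squid_ldap_group style: bind as the user, then search for the group
    entry. The ACI's ip/groupdn rule governs the search, so an empty result
    denies a valid user who is on the wrong host or in the wrong group."""
    bind_dn = f"uid={uid},ou=People,{BASE}"
    if not ldap_bind(bind_dn, password):
        return False
    group_dn = f"cn={group_cn},ou=Groups,{BASE}"
    return bool(ldap_search_group(bind_dn, client_ip, group_dn))


if __name__ == "__main__":
    for aci in ACIS:
        print("aci:", render_aci(aci))
    # bob (EMAIL) from the squid host: a bind-only check lets him through.
    print("bind-only, bob from squid:", bind_only_auth("bob", "bob-pw", SQUID_IPS[0]))
    # The same bind followed by the group search: the ACI returns nothing.
    print("group check, bob from squid:",
          group_checked_auth("bob", "bob-pw", SQUID_IPS[0], "EMAIL"))
    print("group check, bob from mail:",
          group_checked_auth("bob", "bob-pw", MAIL_IPS[0], "EMAIL"))
```

Two caveats the model makes visible. The search is only subject to the groupdn clause if the helper performs it under the user's own bind; if the group helper is configured to bind with a separate service DN, the ACI must be written for that DN and the group test moves into the search filter. And the ip= clause sees the address of the host running the helper, not the end user's workstation, so whoever administers that host decides which helper is used, which is the residual gap murthy points out in the final message.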