Hi Jakub,

Thank you for the reply. Although I can't use that configuration right now, it may be something to think about in the near future.
I've already voted for QPID-2305. And you are right, I'm using C++ Broker.

Thank you once again,
Regards.

On Wed, 2013-04-03 at 17:22 +0200, Jakub Scholz wrote:
> Hi Bruno,
>
> I do not think there is such an option on the C++ broker right now. When we
> needed to achieve something similar with our brokers, we used the following
> workaround ...
>
> 1) We configured the broker to use one port for PLAIN connections and
> another one for SSL
> 2) We restricted the SSL port to use only SSL Client Authentication
> 3) We used the PLAIN authentication for the administration users and the
> SSL Client Authentication for the normal clients
> 4) We used iptables to restrict the PLAIN port to be available only from
> the administration network and the SSL port to be available from the client
> network
> 5) We created the admin users in the SASL database
> 6) We created the normal clients in the NSS database
>
> As a result, the normal clients see only the SSL port where they cannot
> connect using username/password but only with certificates. It is not
> perfect, but it helped us to get the approval from our security department.
>
> Regards
> Jakub
>
> PS: There is a JIRA for this problem entered a long time ago by one of my
> colleagues ... QPID-2305
> PS2: The Java broker already has such a feature, but from your previous
> emails I understood that you are using the C++ broker ...
>
>
> On Wed, Apr 3, 2013 at 4:23 PM, Bruno Matos
> <[email protected]> wrote:
>
> > Hello,
> >
> > Is it possible to restrict the source IP address or network for a given
> > user/group? I want to restrict the admin group connections to my local
> > network.
> >
> > Thank you.
> >
> > --
> > Bruno Matos
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [email protected]
> > For additional commands, e-mail: [email protected]
> >

--
Bruno Matos
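Step 4 of the workaround quoted above, sketched as an added example that is not part of the original thread or of the Qpid project. The function name, the port numbers (5672 for PLAIN, 5671 for SSL) and the two networks are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: print iptables rules for the two-port split described above.
# Assumed values (not from the thread): ports 5672/5671 and the sample networks.

is_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

is_cidr() {
    # Loose IPv4 CIDR shape check: a.b.c.d/len with numeric parts.
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# qpid_port_rules ADMIN_NET CLIENT_NET PLAIN_PORT SSL_PORT (hypothetical helper)
qpid_port_rules() {
    admin_net=$1 client_net=$2 plain_port=$3 ssl_port=$4
    is_cidr "$admin_net" && is_cidr "$client_net" || { echo "bad network" >&2; return 2; }
    is_port "$plain_port" && is_port "$ssl_port" || { echo "bad port" >&2; return 2; }
    # The split is meaningless if both listeners share a port.
    [ "$plain_port" -ne "$ssl_port" ] || { echo "ports must differ" >&2; return 2; }

    # PLAIN (username/password) listener: administration network only.
    echo "iptables -A INPUT -p tcp --dport $plain_port -s $admin_net -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport $plain_port -j DROP"
    # SSL (client-certificate) listener: client network only.
    echo "iptables -A INPUT -p tcp --dport $ssl_port -s $client_net -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport $ssl_port -j DROP"
}

# Constructed sample input: review the output, then pipe it to sh as root to apply.
qpid_port_rules 10.0.10.0/24 10.0.20.0/24 5672 5671
```

Because `-A` appends, a broader ACCEPT rule earlier in the INPUT chain would still match first; check the resulting order with `iptables -S INPUT`.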
