[Fedora-directory-users] How to control the BIND operation using ACI

murthy at barc.gov.in murthy at barc.gov.in
Sat May 10 04:18:07 UTC 2008


Hi,
Thanks for the confirmation. Applications like squid are not doing any
read/search/compare to verify authentication, but simply doing a BIND
operation. I think the directory server may incorporate some form of BIND
control feature.

regards
murthy
> Yes, I think that there is no way to deny a BIND depending on the
> group and originating IP condition. You can however deny any other
> access (read/compare/search). Depending on the filter you define for
> squid/sendmail/php web page (even the simplest objectClass=*)  these
> conditions are equivalent (the ldapsearch will bind but it will always
> return an empty set)...
>
>
> 2008/5/9 C.S.R.C.Murthy <murthy at barc.gov.in>:
>> Hi Andrey,
>>   As a first step, according to your suggestion, I have removed the default
>> ACIs for anonymous and authenticated users. With this I expected that squid
>> will not be able to BIND to the directory server as the default ACI action
>> should be DENY in case there is no matching rule. But it is able to
>> successfully BIND when I give a proper login/password. If I am not able to
>> deny the BIND operation when there are no anonymous/authenticated ACIs, then
>> I will never be able to control BIND access, I assume. Please clarify.
>>
>>
>>
>>  regards
>>  murthy
>>
>>  Andrey Ivanov wrote:
>>
>> > Anyway it is better to make the "allow" ACIs, not "deny" ACIs.
>> >
>> > As for your problem, here is what the ACIs should look like (supposing
>> > that your groups are cn=INTERNET,ou=Groups,dc=example,dc=com and
>> > cn=EMAIL,ou=Groups,dc=example,dc=com, the IP addresses of your squid server
>> > are 192.168.0.66 and 172.16.191.66, and the addresses of your email servers
>> > are 192.168.1.100 and 192.168.1.101)
>> >
>> > Delete all the default ACIs (for anonymous/authenticated users) and
>> > choose the attributes that you want to expose (attr1, attr2...)
>> >
>> > For INTERNET group :
>> > aci: (targetattr = "attr1 || attr2")(version 3.0; acl "Enable
>> > attributes to read for a certain ip adresses and to authentified
>> > users";allow (read,search,compare)(((ip="192.168.0.66") or
>> > (ip="172.16.191.66")) and (groupdn =
>> > "ldap:///cn=INTERNET,ou=Groups,dc=example,dc=com"));)
>> >
>> >
>> > For EMAIL group :
>> > aci: (targetattr = "attr1 || attr2")(version 3.0; acl "Enable
>> > attributes to read for a certain ip adresses and to authentified
>> > users";allow (read,search,compare)(((ip="192.168.1.100") or
>> > (ip="192.168.1.101")) and (groupdn =
>> > "ldap:///cn=EMAIL,ou=Groups,dc=example,dc=com"));)
>> >
>> > 2008/5/9 C.S.R.C.Murthy <murthy at barc.gov.in>:
>> >
>> >
>> > > Dear Andrey,
>> > >  I did not make clear one point here. My exact ACI requirement is like
>> > > this: I need to deny the BIND operation when the connecting DN belongs to
>> > > a certain group and the request is coming from a certain IP address. How to
>> > > do it in ACI? More specifically, we have one INTERNET group and one EMAIL
>> > > group. If a person is in the INTERNET group he will be allowed to
>> > > authenticate (BIND) only from the squid proxy server. Similarly, if a
>> > > person belongs to the EMAIL group he will be allowed to authenticate (BIND)
>> > > only from the email server. We are unable to achieve this type of control
>> > > using ACI. Please help.
>> > >
>> > > regards
>> > > murthy
>> > >
>> > > Andrey Ivanov wrote:
>> > >
>> > >
>> > > > You can do it like this, for example:
>> > > >
>> > > > ----------------------------------
>> > > > aci: (targetattr = "uniqueMember || uidNumber || gidNumber ||
>> > > > homeDirectory || loginShell || gecos")(version 3.0; acl "Enable
>> > > > attributes to read for certain ip adresses and to authentified users";
>> > > > allow (read,search,compare)(((ip="192.168.0.*") or (ip="172.16.191.*")
>> > > > or (ip="192.168.1.15") or (ip="172.16.126.1")) and
>> > > > (userdn="ldap:///all"));)
>> > > > ------------------------------------
>> > > > Or you can simply use iptables...
>> > > >
>> > > >
>> > > > 2008/5/8 C.S.R.C.Murthy <murthy at barc.gov.in>:
>> > > >
>> > > >
>> > > >
>> > > > > Hello all,
>> > > > >  I am using directory server for squid LDAP authentication. Squid takes
>> > > > > username/password, binds to the directory server and if the BIND
>> > > > > operation is successful it allows the user through the proxy. My problem
>> > > > > is how to specify an ACI so that the BIND operation is allowed only from
>> > > > > certain IP addresses. ACI allows me to restrict READ/SEARCH/WRITE
>> > > > > operations but not the BIND operation.
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
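As an added example, not code from the thread, from 389/Fedora Directory Server or from squid: a small Python model of the access decisions discussed above. It evaluates a subset of the ACI bind-rule syntax used in Andrey's replies (ip= with a trailing-* wildcard, groupdn=, userdn="ldap:///all", joined with and/or), applies the default-deny rule to read/search/compare, and treats BIND as decided by the credentials alone. The group DNs, host addresses, user DNs and exposed attributes are assumptions; as_aci renders each modelled rule in the server's ACI syntax so it can be compared with the rules quoted above.

```python
"""Constructed model of how 389/Fedora DS ACIs gate read/search/compare.

Not server code: it covers only the bind-rule subset used in the thread
(ip= wildcards, groupdn=, userdn="ldap:///all") under default deny, and
shows that the BIND operation itself never passes through the ACI layer.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Aci:
    name: str
    target_attrs: frozenset   # attributes the rule exposes (targetattr)
    rights: frozenset         # subset of {"read", "search", "compare"}
    ips: tuple                # ip= patterns; any one may match
    groups: tuple = ()        # groupdn= values, relative to ldap:///
    all_users: bool = False   # userdn="ldap:///all": any authenticated DN


@dataclass(frozen=True)
class Client:
    dn: str
    ip: str
    groups: frozenset         # groups the bound DN is a member of


def ip_matches(pattern, ip):
    # ip="192.168.0.*" style patterns; fnmatch gives the trailing-* behaviour.
    return fnmatchcase(ip, pattern)


def bind_rule_matches(aci, client):
    """((ip=a) or (ip=b)) and ((groupdn=...) or (userdn=ldap:///all))."""
    ip_ok = any(ip_matches(p, client.ip) for p in aci.ips)
    subject_ok = aci.all_users or any(g in client.groups for g in aci.groups)
    return ip_ok and subject_ok


def visible_attrs(acis, client, requested, right="read"):
    """Default deny: an attribute is returned only if some allow ACI grants it."""
    granted = set()
    for aci in acis:
        if right in aci.rights and bind_rule_matches(aci, client):
            granted |= aci.target_attrs & requested
    return frozenset(granted)


def bind(client, password_ok):
    """The BIND outcome depends only on the credentials; ACIs are not consulted."""
    return password_ok


def as_aci(aci):
    """Render the rule in the ACI syntax the server expects (one logical line)."""
    ip_expr = " or ".join(f'(ip="{p}")' for p in aci.ips)
    if aci.all_users:
        subject = '(userdn="ldap:///all")'
    else:
        subject = " or ".join(f'(groupdn="ldap:///{g}")' for g in aci.groups)
    attrs = " || ".join(sorted(aci.target_attrs))
    rights = ",".join(sorted(aci.rights))
    return (f'(targetattr="{attrs}")(version 3.0; acl "{aci.name}"; '
            f'allow ({rights})(({ip_expr}) and ({subject}));)')


# Assumed groups, hosts and attributes (constructed for this example).
INTERNET = "cn=INTERNET,ou=Groups,dc=example,dc=com"
EMAIL = "cn=EMAIL,ou=Groups,dc=example,dc=com"
SQUID_IPS = ("192.168.0.66", "172.16.191.66")
MAIL_IPS = ("192.168.1.100", "192.168.1.101")
EXPOSED = frozenset({"uid", "mail"})
RSC = frozenset({"read", "search", "compare"})

ACIS = [
    Aci("INTERNET users from squid", EXPOSED, RSC, SQUID_IPS, (INTERNET,)),
    Aci("EMAIL users from mail servers", EXPOSED, RSC, MAIL_IPS, (EMAIL,)),
]


def scenario():
    """What each (assumed) client sees after its bind, under default deny."""
    alice = "uid=alice,ou=People,dc=example,dc=com"
    bob = "uid=bob,ou=People,dc=example,dc=com"
    cases = {
        "alice@squid": Client(alice, "192.168.0.66", frozenset({INTERNET})),
        "alice@mail": Client(alice, "192.168.1.100", frozenset({INTERNET})),
        "bob@mail": Client(bob, "192.168.1.101", frozenset({EMAIL})),
        "bob@squid": Client(bob, "172.16.191.66", frozenset({EMAIL})),
    }
    return {
        label: {
            "bind": bind(c, password_ok=True),          # succeeds everywhere
            "attrs": visible_attrs(ACIS, c, EXPOSED),   # empty from the wrong host
        }
        for label, c in cases.items()
    }


if __name__ == "__main__":
    for label, result in scenario().items():
        print(f"{label:12s} bind={result['bind']} attrs={sorted(result['attrs'])}")
    for rule in ACIS:
        print(as_aci(rule))
```

Running it reproduces the effect Andrey describes: every client binds, but only a DN in the right group connecting from the right host gets any attributes back. Whether that empty result becomes an authentication failure depends on the client performing a search after (or before) the bind; squid's basic LDAP helper does so only when it is configured with a search filter (-f) to locate the user's DN, otherwise it constructs the DN and binds directly. Restricting which hosts may BIND at all remains a network-level control (iptables, as suggested earlier in the thread), not an ACI one.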
