Monday, November 21, 2016

[389-users] Re: How to Restrict user authentication per application?

We accomplish for some applications by assigning a different proxy to each and then control in LDAP who the proxy can see. This should work when you can't control the logic used by the application itself.

Deborah Crocker, PhD
Systems Engineer III
Office of Information Technology
The University of Alabama
Box 870346
Tuscaloosa, AL 36587
Office 205-348-3758 | Fax 205-348-9393
deborah.crocker@ua.edu

-----Original Message-----
From: msarmadi@arissystem.com [mailto:msarmadi@arissystem.com]
Sent: Monday, November 21, 2016 4:20 AM
To: 389-users@lists.fedoraproject.org
Subject: [389-users] Re: How to Restrict user authentication per application?

Thank you, You are right about one problem.

However, I believe what you are proposing is not a solution to the problem I'm talking about. Just because, in the problem I'm addressing, I can't and it is not possible to use your method.

As I said, the applications we are using are not all of them supporting search or group check. So for those which does not support your method, I posted this problem. Your solution is not addressing this problem and is for the case which application supports those things.

-
Additionally, to support my idea of ACI on Bind, I think having ACI on Bind operation just like others(read,write,...) has many advantages. I could talk about many things like improve security. For example think of an environment which you want to protect your directory from unwanted access, even "bind", based on a policy, time or ip for example.

Please mention that this mechanism is available in some other products, and also some vendors have developed policy aware directory or a proxy which adds those to the simple directory. (e.g. netiq edirectory or ldap proxy) I mean this need / requirement is actual and natural.

_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)