Linux Archive

Linux Archive (http://www.linux-archive.org/)

Satish Patel 09-25-2012 05:27 PM

ACL doesn't work
 
Hello ALL,

I have a web-based application, and users authenticate to the web application using Directory Service (FDS). I want to restrict some users so they are not allowed to log in, so I have implemented a host-based deny ACL. But somehow it doesn't work; maybe I am missing something. The following is the ACL I have.


(targetattr = "*") (version 3.0;acl "Host ACL";deny (all)(userdn = "ldap:///uid=test,ou=People,dc=example,dc=com") and (ip="10.101.100.236");)


But the interesting thing is, it works with ldapsearch but not with the web application?

~S

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Grzegorz Dwornicki 09-25-2012 05:46 PM

ACL doesn't work
 
Can you provide logs from FDS from when you are trying to log in via the application?


Greg.


Satish Patel 09-25-2012 06:07 PM

ACL doesn't work
 
This is what I got in the access logs.


[25/Sep/2012:14:04:36 -0400] conn=497 fd=75 slot=75 connection from 10.101.100.236 to 10.10.52.10
[25/Sep/2012:14:04:36 -0400] conn=497 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[25/Sep/2012:14:04:36 -0400] conn=497 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[25/Sep/2012:14:04:36 -0400] conn=497 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(&(uid=test4)(objectClass=person))" attrs="1.1"
[25/Sep/2012:14:04:36 -0400] conn=497 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[25/Sep/2012:14:04:36 -0400] conn=498 fd=76 slot=76 connection from 10.101.100.236 to 10.10.52.10
[25/Sep/2012:14:04:36 -0400] conn=497 op=2 UNBIND
[25/Sep/2012:14:04:36 -0400] conn=497 op=2 fd=75 closed - U1
[25/Sep/2012:14:04:36 -0400] conn=498 op=0 BIND dn="uid=test4,ou=People,dc=example,dc=com" method=128 version=3
[25/Sep/2012:14:04:36 -0400] conn=498 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=test4,ou=people,dc=example,dc=com"
[25/Sep/2012:14:04:36 -0400] conn=498 op=1 UNBIND


Patrick Morris 09-25-2012 06:16 PM

ACL doesn't work
 
Your ACL specifies "uid=test," but that bind was done with "test4".

Satish Patel 09-25-2012 06:17 PM

ACL doesn't work
 
Ah! I was testing multiple users. test and test4 both have the ACL and have the same problem.


Grzegorz Dwornicki 09-25-2012 11:31 PM

ACL doesn't work
 
I have to admit I thought the access log for the webapp would show an anomaly, but I was wrong. If ldapsearch does not bind, please show us the logs of those. Maybe comparing the logs will tell us something...


Greg.


Satish Patel 09-27-2012 07:35 PM

ACL doesn't work
 
Maybe I am binding with the DN cn=directory manager, and because of that it doesn't know about the test or test4 user, and because of that it ignores the ACL.


Grzegorz Dwornicki 09-27-2012 07:41 PM

ACL doesn't work
 
Look closer: you first bind as directory manager, but later you bind as test. That second bind doesn't make any sense to me. Please attach the ldapsearch log and the audit logs. This may give someone, including myself, some clues about the problem.



Greg.


