LDAP authorization with Sunone 5.2 P4

I want to do LDAP authorization using attributes like an access-hours policy to allow or deny users. Is this possible with Sun ONE Directory Server 5.2 P4 on Solaris? Please let me know the procedure for doing LDAP authorization for users.

Regards,
Radhakrishnan
By bkrishna79a at 2007-11-26 14:25:21
# 1

Sun Directory Server does support time-based constraints in Access Controls, using bind rules and more specifically the keywords dayofweek and timeofday.

But it is not possible to reject Bind requests (Authentication requests) with these. Instead Directory Proxy Server can be used as a front end to DS for this purpose.

Regards,

Ludovic.

ludovicpa at 2007-7-8 2:18:18
# 2

Thanks for the inputs. What is the Directory Proxy Server version compatible with DS 5.2 P4? Can you provide me the link to configure DPS to allow or reject based on an access-hours policy?

Can I install Directory Proxy Server on the same Solaris host where I have installed Directory Server?

Thanks,

Radhakrishnan

bkrishna79a at 2007-7-8 2:18:18
# 3
I am using DPS 5.2 P4 along with DS 5.2 P4. In a non-production environment, we install both on the same host as DS. However, I could not find any configuration regarding the time-based constraint.
sun_iplaneta at 2007-7-8 2:18:18
# 4
Sorry, my mistake. This option is not available yet in Sun Directory Proxy Server or in Directory Server.

Regards,

Ludovic.
ludovicpa at 2007-7-8 2:18:18
# 5

I assume you don't have anonymous access turned on and are using an application (non-people) account to look up the user's uid and find the user's real DN to use in the BIND.

If the above is true, then you can set up an ACL, as Ludovic mentioned, on the application account so that it won't find the user's DN in the above search using uid; hence it can't submit a BIND.

Thanks

Krishna Kusupudi

kusupudia at 2007-7-8 2:18:18
# 6

Using an ACI will prevent the authenticating application from finding the user with the specified uid, but will not prevent a direct bind with the known DN.

It is a good workaround though.

Radhakrishnan, do you have a use case for this time-based authorization capability? I'd like to understand how useful this could be for customers if it were added in future releases of Directory Server. TIA.

Ludovic.

ludovicpa at 2007-7-8 2:18:18
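As an added example, not taken from any post in this thread and not Sun-supplied configuration, here is the kind of ACI the two replies above describe, written with the dayofweek and timeofday bind-rule keywords Ludovic named in reply #1. It grants the application account that performs the uid lookup read, search and compare rights on the people subtree only Monday to Friday between 08:00 and 18:00, so outside that window the lookup returns no entry and the application never learns a DN to bind with. The subtree, the application account DN, the attribute list and the hours are all assumptions chosen for illustration.

```ldif
# Added example, not from the thread. Assumed names: people subtree
# ou=People,dc=example,dc=com and the lookup account used by the VPN
# gateway, uid=vpn-gw,ou=Applications,dc=example,dc=com.
# Continuation lines start with two spaces so that, after LDIF folding
# removes one, a single space separates the ACI tokens.
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "uid || cn || mail")
  (version 3.0; acl "vpn-gw lookups, business hours only";
  allow (read, search, compare)
  userdn = "ldap:///uid=vpn-gw,ou=Applications,dc=example,dc=com"
  and dayofweek = "Mon,Tue,Wed,Thu,Fri"
  and timeofday >= "0800" and timeofday < "1800";)
```

Load it with ldapmodify as Directory Manager, then verify from the application account with ldapsearch on a uid both inside and outside the window: inside, the entry is returned; outside, the search completes with zero entries. Two checks matter before relying on it. First, the ACI only narrows what that one account can see, so any other grant on the subtree (anonymous read, a broader ACI on a parent entry) makes it ineffective; confirm that no such grant exists for the lookup account. Second, as Ludovic says in reply #6, bind operations themselves are not subject to ACIs, so a client that already holds the user's DN can still bind at any hour. The timeofday comparison is evaluated against the directory server's own clock, so the server's time zone and NTP synchronisation become part of the policy.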
# 7

Hi Ludovic,

Use case: let us say a Remote Access VPN user / WebVPN user logs in and the authentication/authorization request is forwarded to the Sun ONE Directory Server.

Based on the access-hours attributes configured for the user on the Directory Server, the bind request should be granted or denied.

We have this facility in Microsoft Active Directory. Let me know if you need more information on this.

bkrishna79a at 2007-7-8 2:18:18
# 8
Thanks for the use case. I have filed a Request for Enhancement for Directory Server. Don't know when it'll be implemented though.

Ludovic.
ludovicpa at 2007-7-8 2:18:18
# 9
I forgot to mention that this could be implemented as a custom pre-operation plug-in for the Bind operation. This would be triggered before the authentication took place, but could be used to deny authentication from specific applications based on the current time.

Ludovic.
ludovicpa at 2007-7-8 2:18:18