Host-based access restrictions

What is the preferred method for implementing host-based access restrictions in Directory Server 5.2?
I am setting up Solaris 9 clients using the native LDAP client.
I tried setting up host-based access using netgroups, and it works great, but found the user's group associations stopped working. Only the default group shows up.
Removing netgroups allows any valid user to authenticate to any host. Very bad.
As a last resort, one could add an ACL for each user in the LDAP server specifying which hosts he can bind from. But then again, it's the proxyagent that will be binding.
There has to be a better way to do this. Absolutely no info on this in the admin guides.

Solaris10u6 (Solaris 10 10/08) added a pam_list module that appears to do what you're asking about, from a brief glance at the What's New.

Similar Messages

  • How to configure CLI/DNIS based access restriction in 5.3 ?

    Hi,
    does anybody have an idea how the setting
    define CLI/DNIS-based access restrictions which is defined in ACS v. 4.2
    can be configured in acs 5.3 ?
    in v. 4 for every user in a group with 40 members  a different CLI is defined for each. How can I configure that in version 5.3 ?
    any help as always much appreciated!

    The equivalent to NAR functionality can be found at:
    Policy Elements > Session Conditions > Network Conditions > End Station Filters
    Can then define an object with a set of CLI values
    These objects can then be used in policy conditions. So can create a condition with a set of CLI values and then match in authorization policy for values that are included in this set and set authorizations accordingly
    Not sure if this is your use case but hopefully may be a start

  • Access restriction in IM52 based on company code and investment reason

    Hi,
    How can we have access restriction in IM52 based on company code and investment reason?
    thanks
    Randeep

    hi
    please check the authorization object for the transaction
    company code you can

  • Access restriction based on SSID

    Hello,
    I am interested in a solution for access restriction based on SSID. I use RADIUS and ACS. Is there any solution to do limitation based on SSID? I use AP1200 series...
    Thanks in advance...
    FCS

    Hi,
    I am attempting this same result: SSID restriction based on group membership.
    When I re-configure the NAS client as Cisco IOS/PIX 6.x in order to rely on the cisco-av-pair field, this works great to limit the user to only the specified SSIDs, however the Access Point is no longer able to authenticate to WDS since it uses LEAP authentication to the same RADIUS server - the Cisco IOS/Pix 6.x option does not support LEAP...
    Is there any way to change WDS authentication from LEAP to EAP-FAST for example? Or can we implement cisco-av-pair under Cisco Aironet for this?
    Thanks,
    Curtis H.

  • Access restriction based on Sales Units / Sales Area

    Hi all,
    I am looking into the access restriction functionality on business roles.
    One of our customers has a requirement to separate data between their different sales organisations. One sales organisation should not see customers, opportunities of the other sales organisation and vice versa.
    In the access restriction I see that the access context defines on which elements you can set the access restriction.
    For customers and opportunities the possibilities are: Employee or Territory.
    Setting the access restriction on Employees is not a solid solution for me (when the employees are changed in the org model, the access restriction is influenced on several business roles..)
    So what if we do not use territory management / if the territory management setup differs from the actual sales areas / sales units?
    So my main questions are: can we set access restriction based on Sales Units? (we will setup integration with SAP ERP which means we cannot enter sales areas for prospects...). And can we influence the access context or do we need developments for that?
    Kind regards,
    Jasper

    We plan to enhance the access restrictions based on sales organization and distribution channel in a future release.
    If you setup territory management, we offer sales office and sales group including sales organization as attributes to define a territory if you are connected with SAP ERP.

  • Host-based OpenLDAP Authentication On Mac OS X Mountain Lion

    Hello All,
    I'm sorry if this is the wrong group to post such a question, or if this has been already answered.
    I have openldap (slapd version 2.4.31-1+nmu2ubuntu8) running on Ubuntu Server 14.04. The 'hostObject' objectClass is added in the OpenLDAP directory. The 'host' attribute is added under all ldap users, which allows users to access just those particular hosts. Apple schema has been added as well.
    I have a ubuntu client that authenticates users against the ldap server. The ubuntu client is configured to perform host-based authentication via pam modules. Only users that have access to the Ubuntu client can login, and others are denied access. I also have a Mac OS X Mountain Lion (10.8.5) client that authenticates users against the same openldap server. All network users can login through the login window. I would like to restrict access to the Mountain Lion client based on hosts, as I've it on the Ubuntu client.
    I tried to search for documentation on this, but didn't find any good one. Most of the documentation suggest that network user access be controlled on the Mountain Lion client. I'd really like to have that control on ldap server and not on client. Also, restricting network user access using 'Users & Groups' settings in System Preferences fails. All ldap users are blocked from login.
    I have successfully tested host-based authentication on a Ubuntu Server 10.04 client that is connected to the same ldap server. So, I know host based authentication works. I would really appreciate if anyone could shed some light on this, or point me to a document that talks about host-based authentication on Mac OS X Mountain Lion client.
    Thanks,
    Amit

    I just found the answer to my own issue. The installation failed on Jam Pack Content 3 disk. To finish the installation I need to go to the Logic Pro Main menu under the item Download supplemental content

  • Create access restriction in designer using script

    Hello,
    I am looking for a way to automate the creation of access restriction within universe.
    I looked in the API universe reference and it seems that there is no entries for such an object
    For information I use Business Objects XIR2 with SP3
    Thanks for any help or answer

    Creation/Modification of Universe Access Restrictions is not part of the Universe Designer SDK, but part of the BusinessObjects Enterprise SDK. 
    It requires sending requests to the CMS using the SDK to get User and UserGroup information.
    For the COM-based version of the Enterprise SDK, the object is known as Overload, and described here:
    [http://devlibrary.businessobjects.com/BusinessObjectsXIR2SP2/en/en/BOE_SDK/boesdk_com_doc/doc/boesdk_com_doc/CrystalEnterpriseOverloadPluginLibrary.html#1351377]
    Sincerely,
    Ted Ueda

  • Access restriction in Universe

    Hi All,
    In our environment we have 2 domain (US and Europe) and most of the user have id created for both the domain. We have 2 identical databases one in US and other in Europe. US database holds US information and Europe holds Europe data. 
    In our BO environment we have set the ad groups to create new id for each user Alias i.e if the user abcd has access in both US and Europe domain BO creates 2 separate ids for each domain (bo internally creates abcd and abcd0). We have only one universe and set of reports which has connection switching based on the domain user logs into BO (access restriction at connection level). This works absolutely fine, switches database connection depending on the domain user logs in.
    Now we are hearing from our users that they can access the personal reports created under Europe login in US login (this because users has abcd and abcd0). So we decided to create enterprise id and alias the users from AD group (abcd --> alias AD abcd), if we do this the change the connection swap is not happening as the BOUSER always returns abcd as user and universe restriction is only picking the default connection.
    Thanks
    Srinivas

    Hi,
    As you have mentioned in the post that the OS is Solaris, a LAFix for Solaris has been released by PG for this issue. Below are the details:
    VERSION:     XIR3.0 LAFix0.18
    PLATFORMS:       Solaris Solaris 10
    LANGUAGES:       English
    ADAPT ID:      ADAPT01099598
    Synopsis:     Universe connection override does not work – Error WIS 10901
    WARNING: This LAFix has not been through a full regression test cycle but it has been deemed to fix the problem reported by the customer.  Inadvertent introduction of an unforeseen issue can however not be fully excluded. Before providing this LAFix to the customer, Customer Assurance must perform their own tests to confirm customer issue is solved.
    ADDITIONAL INFORMATION
           Installation Instructions :
    1.     Stop all BO Enterprise services, e.g <BOE_DIR>/bobje/stopservers
    2.     Gunzip and Untar  XI3.0_RHEL_LAFix0.18.tar.gz
    3.     Change directory to <EXTRACTED_LOCATION>/LAFix0.13/DISK_1
    4.     Run install.sh
    5.     Re-start all BOE services, e.g ./startservers
           Uninstall Instructions :
    2. Run uninstallpatch.sh from your system.
         New Behavior :
                The above issue is now resolved.
         Limitations :
                No known limitations
         Component(s):
          libuum.so
    Note: LAFix is released on top of XI 3.0
    To download or get the LAFix you need to contact your Sales Account Manager of BusinessObjects.
    Cheers,
    Deepti Bajpai

  • Session and Access Restriction

    Hi:
    I have this problem with access restriction. I was trying to build a "secure" site with sessions where users are able to login and access secure webpages upon successful login. And these webpages are not available as soon as the user session expires or terminated. However, from time to time, these web pages are still accessible after logging out by pressing "back" button on the browser or book-marking these pages.
    I noticed that Hotmail and old Yahoo mail system have the same problem as the one that I have just described.
    I am not using https or virtual host or anything like that, because I didn't have the resource. It is supposed to be a Basic Authentication (login/password) scheme.
    Could any one light me some fresh ideas?
    Thanks
    Tian Lei Xia ":)

    To avoid the bookmarking problem, set a session attribute with the login details.
    Once they login:
    // After a successful login, record the user in the session
    if (request.getParameter("username") != null) {
         session.setAttribute("username", "personA");
    }
    // At the top of every protected page, check the session first
    if (session.getAttribute("username") == null) {
         // don't display the page
    } else {
         // show them the page
    }
    This is a very basic technique and there are other ways of doing this. As for logging out then the session should just be invalidated.
    An alternative would be to use the security features of the web deployment descriptor and get the web container to handle the sessions for you (See servlet API specs 2.3 for more details).
    Good luck,
    Anthony

  • E1000 Access Restrictions Issue

    I attempted to create a rule to limit access only to specific URLs during a specific time of day.  However, it seems to have blocked all of the internet for the user at that MAC address, outside of the times I had chosen.  I double-checked to make sure that the radio button next to 'Allow' was selected in the section that reads:  "Internet access during selected days and hours."  I don't know what I'm doing wrong.   How is the time of day determined by the router?  Is there a clock which needs to be set to my time zone somewhere?  If so, I've yet to find it.  Also, why is it blocking all access to the internet?  It should only be blocking 3 URLs.

    The Access Restrictions feature of a Linksys router allows you to limit Internet access on your network.  You can deny certain computers’ Internet access or block certain applications and services.  This article will provide instructions on how to set up Access Restrictions by blocking certain days or hours.
    Here is the link for the same: http://www6.nohold.net/Cisco2/ukp.aspx?vw=1&docid=20b29e54474a4a17aff594cb659747ea_4041.xml&pid=80&r...
    The time zone on your router should be set correctly according to the time zone in your current location.  This is to ensure that the Parental controls feature will block Internet access on the exact time you specified.  To configure the time zone on your router, access your router’s web-based setup page, then go to Basic Setup sub tab under the Setup tab.  Click the Time Zone drop-down menu and select the appropriate time zone.  Once done, click Save Settings.

  • Structural Access Restriction

    G'day all.
    I am wondering what are options available in SAP if we'd like to put additional user restriction base on organisation structure. I know the  structural authorization but if we don't have HR module, what sort of options available in the standard SAP system?
    Thanks

    sandy,
    What is structural access restriction?
    Additional user restriction in SAP system like (SRM, CRM...
    You can restrict users on personnel number (I know you don't have HR installed)
    Indirect role concept
    Position based security
    all deal with org structure.
    In ECC you can go with role based security or enabler concept
    In SRM: we restrict user on org structure & even in CRM also. (For more information search for documents.)
    Thanks,
    Sri

  • Access Restriction shuts down access to all computers

    I have set up access restriction times for my son (we have wireless access for all systems).  I use the MAC address on his systems. Xbox, Kindle Fire and his Laptop. 
    The MAC address are Correct. Here is the problem:
    I set the "allow" and times from 6pm - 11:00 pm (while on xmas vacation) - the system works for a while he is shut off as i would like but....
    After a period of time the entire house goes off line. I have to reboot the power on e2000 router and then disable the access restrictions. System then works. Problem is repeatable. What is the deal. I have updated firmware already. Otherwise the system works great. Never dies. Just when I set access restrictions for a SPECIFIC time it kills entire house. BTW I can deny him outright 24/7 and the system disables his access fine. It's just when I set specific times. I am very frustrated.

    Kindly double check on this article the settings you've set on the router especially for the policies and its respective time restrictions however if it does the same thing, reset the router for an hour then reconfigure it. 
    Setting up Access Restrictions on a Linksys router using the classic web-based interface
    http://homekb.cisco.com/Cisco2/ukp.aspx?pid=80&vw=1&articleid=4041

  • Access restriction policy

    I own an e2000 router with the latest firmware. Set up access restriction policy for the mobile devices from my children. Deny policy based on MAC address. Sometimes it works and sometimes it won't work. It seems that my children keep using for instance WhatsApp busy that the internet connections keeps open despite the policy. Does anyone know a solution for this?
    kind regards,
    cees

    Thanks Jake,
    I know that factory reset is possible via the web interface. My question was if it is possible to do a scheduled reboot with an option in the firmware? Indeed the time-zone is important. I checked this.
    Does anybody know if access restriction policy works on a live internet connection? For example: my daughter uses her smartphone with Facebook and she uses it from 16:00 to 17:00 hour and the policy is that at 16:30 it must be blocked? Or can the policy only work on a connection when it starts up (and then checks the time in the policy to know if a restriction is possible)?
    cheers

  • WRT54GS Internet Access Restriction Policies

    I am finding it challenging to correctly define Internet Access Restriction
    policies on my Linksys WRT54GSv4 wireless router. Documentation does not
    describe multiple policies being enabled.  I think that multiple policies
    should be from most restrictive to least, but I am not sure.
    I wish to deny Internet access from my child's WII and PSP from 10:30 PM to
    6:30 AM.  Also, I want to filter all hosts for blocked words and blocked
    sites.
    Currently, I have three policies:
    1) Child_Evening --
    WII and PSP MAC Filter
    10:30 PM to 11:55 PM
    Deny
    2) Child_Night --
    WII and PSP MAC Filter
    12:00 AM to 6:30 AM
    Deny
    3) SiteWord --
    IP Range 192.168.1.2 - 254
    Block Various Sites
    Block Various Words
    I would like input as to the correct use of multiple Internet Access
    Restriction policies

    Create an Internet Access Policy:
    1. Internet access Policy - 1
    2. Enable.
    3. Child Access(Name of the policy)
    4. Deny range 192.169.1.252
    5. 10:30 PM to 11:55 PM - Everyday
    6. Blocked Services - All
    7. Port Range Start - 1  ;  End - 61000
    8.Save Settings
    9.Rebooting....
    You deny all access through by all services to any sites.
    Create the same policy with different number and name to deny access from 12:00 AM to 6:30 AM.
    Url Filtering Policy to deny adult sites, they're too much with different url address. You can deny most of them, but not all.
    Good Luck!!!!!
    Message Edited by gochev_george on 03-16-2007 02:47 AM
    Message Edited by gochev_george on 03-16-2007 02:54 AM
    Thanks
    Kind Regards
    ing.George Gochev
    DSL and Telecommunications Engineer

  • Access restriction question

    I have a WRT54G v2 wireless router/access point (Firmware Version v2.02.7) ...and I am using access restrictions with some success, but I have one question - is there any way to setup a rule (or rules) such that site blocking is time-based?
    For example, the internet is up and available, except for myspace.com, which is blocked between 7pm and 5am.
    I know that a time window that spans midnight requires two rules, but what I don't know is how to have a rule that is both site-based AND time-based. If I create a new rule and change its status from "allow PCs" to "deny PCs", the router's web-based GUI immediately disables the blocked protocols, blocked sites, and blocked keywords fields...and so it seems that what I am asking for is not possible...unless I am missing something.
    Any ideas? Thanks.
    cheers,
    Steve
    Message Edited by Scuba_Steve on 09-18-2007 12:10 PM

    Okay...the answer is this - NO. So what to do? Install a different firmware. I installed Tomato and it blows the doors off of the standard Linksys firmware...and the supported access restriction rules are far more powerful and intuitive.
