Hi,


I would specify an ACI for that user with something like this:

aci:(targetattr = "*")(target = "ldap:///ou=Restricted,o=tupperware,c=US")(version 3.0; acl "Restricted Read Access"; allow (read,search,compare) (userdn = "ldap:///uid=someone,ou=users,o=tupperware,c=US") and (ip="192.168.1.*" or ip="10.2.3.4" or ip="10.2.3.5" or ip="10.2.3.6") ;)

It doesn't really prevent uid=someone from logging in, but the user won't be able to read any attributes from the target tree unless accessing it from those IP addresses.

Maybe not really what you are after but just a suggestion.


Cheers,
Bazza

On 08/07/2010, at 5:48 AM, Fairchild, Anthony wrote:

Hello,
 
I have gotten 389 directory up and running and am beginning to add users, but would like to know how to restrict a user to only logging in to a specific host or a group of hosts. Could anybody point me to some documentation on this? I don't seem to be having much luck finding it through Google.
 
--
Anthony
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
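
The reply's point, that the ACI gates read access by client address rather than the bind itself, can be checked against sample clients with a small model of this one rule. This is an added example, not part of the original thread and not 389 Directory Server's own evaluation code; the helper names, the sample entry DN and the simplified DN and IPv4 wildcard matching are assumptions, and it assumes no other ACI grants access to the subtree.

```python
import ipaddress
import re

# The ACI from the reply above, copied verbatim (without the "aci:" LDIF prefix).
ACI = ('(targetattr = "*")(target = "ldap:///ou=Restricted,o=tupperware,c=US")'
       '(version 3.0; acl "Restricted Read Access"; allow (read,search,compare) '
       '(userdn = "ldap:///uid=someone,ou=users,o=tupperware,c=US") and '
       '(ip="192.168.1.*" or ip="10.2.3.4" or ip="10.2.3.5" or ip="10.2.3.6") ;)')

def norm_dn(dn):
    # Simplified normalisation: case-fold and trim spaces around RDNs
    # (assumption: no escaped commas in the DNs being compared).
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_aci(aci):
    """Pull out the target subtree, granted rights, userdn and ip patterns."""
    return {
        "target": norm_dn(re.search(r'\(target\s*=\s*"ldap:///([^"]+)"\)', aci).group(1)),
        "rights": set(re.search(r'allow\s*\(([^)]*)\)', aci).group(1).replace(" ", "").split(",")),
        "userdn": norm_dn(re.search(r'userdn\s*=\s*"ldap:///([^"]+)"', aci).group(1)),
        "ips": re.findall(r'\bip\s*=\s*"([^"]+)"', aci),
    }

def ip_matches(client_ip, pattern):
    # Octet-wise comparison; "*" stands for any single octet (IPv4 only in this model).
    ipaddress.IPv4Address(client_ip)  # raises ValueError on malformed input
    return all(p in ("*", c) for p, c in zip(pattern.split("."), client_ip.split(".")))

def allowed(rule, bind_dn, client_ip, entry_dn, right):
    """True if this one ACI grants `right` on entry_dn to bind_dn from client_ip."""
    entry = norm_dn(entry_dn)
    in_target = entry == rule["target"] or entry.endswith("," + rule["target"])
    return (in_target and right in rule["rights"]
            and norm_dn(bind_dn) == rule["userdn"]
            and any(ip_matches(client_ip, p) for p in rule["ips"]))

RULE = parse_aci(ACI)

if __name__ == "__main__":
    user = "uid=someone,ou=users,o=tupperware,c=US"
    entry = "cn=report,ou=Restricted,o=tupperware,c=US"  # constructed sample entry
    for ip in ("192.168.1.77", "192.168.10.5", "10.2.3.5", "10.2.3.7"):
        print(ip, "read ->", allowed(RULE, user, ip, entry, "read"))
```

A `False` result here means only that this rule does not grant the right; the bind for uid=someone is not affected by it, as the reply notes.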