prevent anyone from ldap to connect #37
Hello, in tac_plus we had this snippet to prevent anyone who exists in LDAP from connecting to the hardware. We specify users manually in the configuration with password = mavis. In tac_plus-ng this trick doesn't work. Maybe you can advise how we can replace group/acl in this case?
Hi,
in tac_plus-ng that functionality did move, more or less, to the ruleset you're using. If your goal is to permit requests that match certain criteria (like group membership) and deny everything else, then a final "deny" after evaluating the positive list is enough. Just handle the positive criteria first, and let the bad ones fall through.
ruleset {
    rule {
        script {
            # positive criteria first: each matching group gets a profile and is permitted
            if (member == ...) { profile = ... permit }
            if (member == ...) { profile = ... permit }
            # anything that matched none of the above falls through to here
            deny
        }
    }
}
(Apologies -- "Add Code" doesn't seem to work, so this isn't well-formatted.)
Cheers,
Marc
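The evaluation order Marc describes (positive group rules first, unconditional deny last) can be checked against a few constructed users before it is trusted on real hardware. The following is an added Python model of that order, not tac_plus-ng code and not part of the original thread; the group names, profile names, users and the `auth_backend` label are all constructed for illustration. The point it shows is that a user who authenticates fine through LDAP but matches no positive rule is denied only because the trailing deny exists; `unintended_access()` is the review check for a ruleset whose final verdict is something other than deny.

```python
# Added example, not tac_plus-ng code: a small Python model of the
# "positive rules first, unconditional deny last" evaluation order that
# the reply describes. Groups, profiles and users below are constructed.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    name: str
    # Where the password is verified: "local" or "ldap" (via MAVIS).
    # Authentication backend is deliberately NOT a rule input below:
    # passing authentication alone never grants access.
    auth_backend: str
    groups: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class PermitRule:
    """One `if (member == <group>) { profile = <profile> permit }` line."""
    group: str
    profile: str


def evaluate(user: User, rules: list, final_verdict: str = "deny") -> tuple:
    """Walk the script top to bottom. The first positive rule whose group
    the user belongs to permits and assigns a profile; a request that
    matches nothing reaches `final_verdict`, which must be 'deny' for a
    default-deny policy."""
    for rule in rules:
        if rule.group in user.groups:
            return ("permit", rule.profile)
    return (final_verdict, None)


# Constructed policy: two positive rules, then deny (as in the reply).
RULES = [
    PermitRule(group="admins", profile="admin"),
    PermitRule(group="netops", profile="operator"),
]

# Constructed users. 'ldap-only' authenticates fine against LDAP but is in
# no permitted group: exactly the case the question wants locked out.
USERS = {
    "alice": User("alice", "local", frozenset({"admins"})),
    "bob": User("bob", "ldap", frozenset({"netops"})),
    "ldap-only": User("ldap-only", "ldap", frozenset()),
}


def decisions(final_verdict: str = "deny") -> dict:
    """Decision per user under the given trailing verdict."""
    return {name: evaluate(u, RULES, final_verdict) for name, u in USERS.items()}


def unintended_access(final_verdict: str) -> list:
    """Users who would get in without matching any positive rule: the
    check to run when reviewing a ruleset for a missing final deny."""
    return sorted(
        name for name, (verdict, profile) in decisions(final_verdict).items()
        if verdict == "permit" and profile is None
    )


if __name__ == "__main__":
    for name, (verdict, profile) in decisions().items():
        print(f"{name:10s} -> {verdict:6s} profile={profile}")
    print("leaks with a trailing permit:", unintended_access("permit"))
```

With the trailing deny in place, `alice` and `bob` are permitted with their profiles and `ldap-only` is denied; replacing the final verdict with permit makes `ldap-only` the one account that slips through, which is the failure the original question is trying to avoid.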