Ticket #110 - RFE limiting root DN by host, IP, time of day, day of week
RFE Description: There is no way to restrict when and where someone can attempt
root DN binds. An intruder can brute force guess the password all
day long until they succeed, especially if the DS is publicly
available.
Fix Description: Created a new plugin, type "internalpreoperation" and an internal
preop bind function. You can configure the plugin with some basic
access control:
rootdn-open-time: 0800
rootdn-close-time: 1700
rootdn-days-allowed: Mon, Tue, Wed, Thu, Fri
rootdn-allow-host: *.redhat.com
rootdn-allow-host: *.fedora.com
rootdn-deny-host: dangerous.boracle.com
rootdn-allow-ip: 127.0.0.1
rootdn-allow-ip: 2000:db8:de30::11
rootdn-deny-ip: 192.168.1.*
As with our other ACL code, denies always override the allow rules.
https://fedorahosted.org/389/ticket/110
Reviewed by: richm (Thanks Rich!)
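
The rule evaluation described in the commit message, as an added example that is not the plugin's own code: the function names, the use of fnmatch() for the wildcards, the requirement that both the host and the IP checks pass, the treatment of a non-empty allow list as exclusive, and the exclusive close-time boundary are all assumptions of this sketch.

```c
#include <fnmatch.h>
#include <stddef.h>
#include <string.h>

/* Constructed policy mirroring the attribute values in the commit message. */
static const char *allow_hosts[] = { "*.redhat.com", "*.fedora.com", NULL };
static const char *deny_hosts[]  = { "dangerous.boracle.com", NULL };
static const char *allow_ips[]   = { "127.0.0.1", "2000:db8:de30::11", NULL };
static const char *deny_ips[]    = { "192.168.1.*", NULL };
static const char *days_allowed  = "Mon, Tue, Wed, Thu, Fri";
static const int open_time = 800, close_time = 1700; /* HHMM, server time */

/* Return 1 if value matches any glob pattern in the NULL-terminated list. */
static int in_list(const char **pats, const char *value)
{
    for (; *pats; pats++)
        if (fnmatch(*pats, value, 0) == 0)
            return 1;
    return 0;
}

/* Deny is checked first so it always wins over allow. Assumption: once an
 * allow list is configured, clients that match nothing in it are rejected. */
static int list_permits(const char **allow, const char **deny, const char *value)
{
    if (in_list(deny, value))
        return 0;
    return allow[0] == NULL || in_list(allow, value);
}

/* Hypothetical pre-bind check: 1 = root DN bind may proceed, 0 = reject.
 * day is a three-letter name such as "Tue"; hhmm is e.g. 930 for 09:30. */
int rootdn_bind_allowed(const char *host, const char *ip, const char *day, int hhmm)
{
    if (hhmm < open_time || hhmm >= close_time)  /* outside the open window */
        return 0;
    if (strstr(days_allowed, day) == NULL)       /* day not in allowed list */
        return 0;
    return list_permits(allow_hosts, deny_hosts, host) &&
           list_permits(allow_ips, deny_ips, ip);
}
```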