
Is there a way to authenticate a user account (Active Directory) via LDAP only when the request comes from a specific IP range? In all other cases, the user account should not work.

Short: Is it possible to make user accounts work only in a specified IP range?

dev_user
    `Is it possible to make user accounts work only in a specified ip range?` No. – Greg Askew Jul 04 '19 at 13:21
  • @GregAskew So what is the slapd "access to ... by peername.ip... none" directive used for? Or, as another approach, the "pam attribute" to allow authentication for specific hostnames? – dev_user Jul 04 '19 at 13:29
  • Sounds like you are conflating Active Directory and some other product. – Greg Askew Jul 04 '19 at 16:05
  • If you're asking about restricting network access to a resource based on source/destination IP addresses, then you should be looking at your network firewall settings. AD is designed to be available to all devices on your internal corporate network. Whatever you do, do NOT punch holes in your firewall for external AD authentication. If you trust the other network, set up an encrypted tunnel to extend your corporate network. There are a lot of caveats here. – twconnell Jul 05 '19 at 16:40

1 Answer


Built-in, no, but that leaves me with an open question: why can an unspecified network talk to your DC at all?

Please make sure the firewall on your DC is enabled, and make sure you don't allow external resources into your LAN.

If your goal is to restrict some users, please use the "Log On To" restriction:

Log On To — Click to specify workstation logon restrictions that will allow this user to log on only to specified computers in the domain. By default, a user is able to log on at any workstation computer that is joined to the domain. Note that this control does not affect the user’s ability to log on locally to a computer using a local computer account instead of a domain account.

yagmoth555
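The "Log On To" restriction the answer refers to is stored in the user's userWorkstations attribute (exposed by the ActiveDirectory module as LogonWorkstations). The following PowerShell is an added example, not part of the original answer, showing how to set and verify it from the command line. The account name svc_app and the computer names APP01 and APP02 are placeholders, and it assumes the RSAT ActiveDirectory module is installed on a domain-joined admin host.

```powershell
# Added example (not from the original post): restrict a domain user to a
# named set of computers via the "Log On To" attribute (LogonWorkstations /
# userWorkstations), then read the value back to confirm what the DC enforces.
# 'svc_app', 'APP01' and 'APP02' are assumed placeholder names.
Import-Module ActiveDirectory

$User         = 'svc_app'            # assumed sAMAccountName
$Workstations = @('APP01', 'APP02')  # assumed NetBIOS computer names

# The attribute is one comma-separated string of NetBIOS computer names,
# not IP addresses or subnets. An empty value means "any domain computer".
Set-ADUser -Identity $User -LogonWorkstations ($Workstations -join ',')

# Verify the stored value.
$u = Get-ADUser -Identity $User -Properties LogonWorkstations
'{0} may log on at: {1}' -f $u.SamAccountName, $u.LogonWorkstations

# To remove the restriction again (allow logon from any domain-joined computer):
# Set-ADUser -Identity $User -Clear userWorkstations
```

Note that this is a name check, not an address check: the attribute holds NetBIOS computer names (the GUI accepts up to 64), and the DC compares them with the workstation name carried in the logon request. It complements, rather than replaces, the firewall restrictions the answer recommends.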