If you map a directory user to a database user object in the directory, the directory user inherits all the IP restrictions that apply to the mapped database user, as defined in the IP GDO. You can use tdgssauth to check whether the GDO applies the expected IP restrictions to a mapped directory user. In the following run, the directory user diperm01 (mapped to database user perm01) authenticates successfully but is refused because the IP GDO does not permit logons from 192.0.2.15:
```
$ tdgssauth -m ldap -u diperm01 -i 192.0.2.15
TDGSS_BIN_FILE not set. TDGSSCONFIG GDO used in tdgss.
Please enter a password:
Status: authenticated, not authorized
Database user: perm01 [permanent user]
Profile: profile01
External roles: extrole01perm01, extrole02perm01, extrole03perm01
Authenticated user: ldap://esroot.example.com:389/CN=diperm01,OU=people,OU=testing,DC=example,DC=com
Audit trail identifier: diperm01
Authenticating service: esroot1
Actual mechanism employed: ldap [OID 1.3.6.1.4.1.191.1.1012.1.20]
Mechanism specific data: diperm01
Security context capabilities:
  replay detection
  out of sequence detection
  confidentiality
  integrity protection
  ready
  exportable security context
The TDGSS function tdgss_inquire_policy_for_user returned an error:
Major status 0x000d0000 – Failure
Minor status 0xe10000ed – The user is not permitted to log on from the IP address.
```
Based on the results, if the restrictions do not function as needed, you can do one or both of the following:
- Disable the restrictions.
- Edit the restrictions to correct any problems and then enable the revised restrictions.
When the restrictions pass the test without problems, the IP restrictions are complete.
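When several mapped directory users and source addresses have to be verified, reading each tdgssauth output by eye is error-prone. The following POSIX shell script is an added example, not part of the Teradata documentation or of tdgssauth: it classifies captured tdgssauth output and compares the verdict with what the IP GDO is supposed to do for that user and address. The denied-case strings are the ones shown above; the "Status: authenticated, authorized" wording for the allowed case is an assumption about tdgssauth's output.

```shell
#!/bin/sh
# Added example (not from the Teradata documentation): classify a captured
# tdgssauth run so that IP restriction checks for several mapped directory
# users can be scripted. The denied-case strings are those shown on this page;
# the "authenticated, authorized" string is an assumption about tdgssauth.

# Read tdgssauth output on stdin and print one word:
#   allowed   - authenticated and authorized, no policy error
#   ip_denied - authenticated, but the IP GDO refused the source address
#               (minor status 0xe10000ed in the run shown on this page)
#   denied    - authenticated but not authorized for another reason
#   failed    - authentication itself did not succeed
classify_tdgssauth() {
    out=$(cat)
    case "$out" in
        *"not permitted to log on from the IP address"*) echo ip_denied ;;
        *"Status: authenticated, authorized"*)           echo allowed ;;
        *"Status: authenticated, not authorized"*)       echo denied ;;
        *)                                               echo failed ;;
    esac
}

# Compare the verdict for one (directory user, source IP) pair with what the
# IP GDO is expected to do. Returns 0 when they agree, 1 otherwise.
# In real use, pipe the output of
#   tdgssauth -m ldap -u "$user" -i "$ip"
# into this function instead of the constructed sample below.
check_case() {
    user=$1; ip=$2; expected=$3
    got=$(classify_tdgssauth)
    if [ "$got" = "$expected" ]; then
        echo "PASS $user from $ip: $got"; return 0
    fi
    echo "FAIL $user from $ip: expected $expected, got $got"; return 1
}

# Constructed sample: the denied run from this page, trimmed to the lines the
# classifier inspects.
SAMPLE_DENIED='Status: authenticated, not authorized
Database user: perm01 [permanent user]
The TDGSS function tdgss_inquire_policy_for_user returned an error:
Minor status 0xe10000ed - The user is not permitted to log on from the IP address.'

# diperm01 is expected to be refused from 192.0.2.15, so this prints PASS.
printf '%s\n' "$SAMPLE_DENIED" | check_case diperm01 192.0.2.15 ip_denied
```

A FAIL line (exit status 1) means the GDO did not behave as intended for that pair, which is the cue to disable or edit the restriction as described above.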