Suppose the IP GDO defines IP access restrictions as follows:
<?xml version="1.0" encoding="UTF-8"?>
<tdat name="tdat">
  <system name="tnt38">
    <users tag="users">
      <user name="drct01"/>
      <user name="drct02"/>
      <user name="perm01" tag="tagperm01"/>
    </users>
    <ipfilters>
      <ipfilter name="filter1" type="restrictive">
        <allow ip="141.206.36.0/24"/>
        <allow ip="141.206.35.0/24"/>
        <deny ip="141.206.35.88/32"/>
        <appliesto tagref="allusers"/>
      </ipfilter>
    </ipfilters>
  </system>
</tdat>
Use tdsbind to test user restrictions (without binding), based on the XML document entry above, to determine which restrictions apply to user djl for the IP addresses from which the user normally logs on to the database.
The last line of the output indicates whether the logon is allowed or denied.
$ tdsbind -U djl -I 141.206.35.87
LdapGroupBaseFQDN: ou=groups,ou=testing,dc=domain,dc=com
LdapUserBaseFQDN: ou=people,ou=testing,dc=domain,dc=com
LdapSystemFQDN: cn=end2end,cn=tdat,ou=testing,dc=domain,dc=com
LdapServerName: esroot
LdapServerPort: 389
LdapServerRealm: esrootdom
Logon by user <djl> from IP <141.206.35.87> is allowed
$ tdsbind -U djl -I 141.206.35.88
LdapGroupBaseFQDN: ou=groups,ou=testing,dc=domain,dc=com
LdapUserBaseFQDN: ou=people,ou=testing,dc=domain,dc=com
LdapSystemFQDN: cn=end2end,cn=tdat,ou=testing,dc=domain,dc=com
LdapServerName: esroot
LdapServerPort: 389
LdapServerRealm: esrootdom
Logon by user <djl> from IP <141.206.35.88> is not allowed
$ tdsbind -U djl -I 141.206.35.89
LdapGroupBaseFQDN: ou=groups,ou=testing,dc=domain,dc=com
LdapUserBaseFQDN: ou=people,ou=testing,dc=domain,dc=com
LdapSystemFQDN: cn=end2end,cn=tdat,ou=testing,dc=domain,dc=com
LdapServerName: esroot
LdapServerPort: 389
LdapServerRealm: esrootdom
Logon by user <djl> from IP <141.206.35.89> is allowed
$
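The following is an added example, not code from the original page or from the product: a small model of the filter that is cross-checked against the verdict lines of the three runs above. It assumes that a deny match overrides an allow match and that a restrictive filter refuses any address matching no allow entry; the function names are hypothetical, and the embedded inputs are copied from the page.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# The ipfilter element from the page's XML (appliesto omitted).
FILTER_XML = """
<ipfilter name="filter1" type="restrictive">
  <allow ip="141.206.36.0/24"/>
  <allow ip="141.206.35.0/24"/>
  <deny ip="141.206.35.88/32"/>
</ipfilter>
"""
# Verdict lines copied from the three tdsbind -U runs on the page.
TDSBIND_VERDICTS = """
Logon by user <djl> from IP <141.206.35.87> is allowed
Logon by user <djl> from IP <141.206.35.88> is not allowed
Logon by user <djl> from IP <141.206.35.89> is allowed
"""
VERDICT_RE = re.compile(r"Logon by user <[^>]+> from IP <([^>]+)> is (not allowed|allowed)")


def load_filter(xml_text):
    """Return (allow_networks, deny_networks) for one ipfilter element."""
    node = ET.fromstring(xml_text)
    return tuple([ipaddress.ip_network(e.get("ip")) for e in node.findall(tag)]
                 for tag in ("allow", "deny"))


def is_allowed(ip, allow, deny):
    """Assumed model: a deny match always wins; otherwise an allow match is required."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in deny):
        return False
    return any(addr in net for net in allow)


def parse_verdicts(text):
    """Map each source IP in tdsbind output to True (allowed) or False (not allowed)."""
    return {ip: verdict == "allowed" for ip, verdict in VERDICT_RE.findall(text)}


def mismatches(xml_text, tdsbind_text):
    """Return the IPs where the model and the tdsbind verdict disagree."""
    allow, deny = load_filter(xml_text)
    observed = parse_verdicts(tdsbind_text)
    return sorted(ip for ip, ok in observed.items() if is_allowed(ip, allow, deny) != ok)


if __name__ == "__main__":
    print("mismatches:", mismatches(FILTER_XML, TDSBIND_VERDICTS) or "none")
```

An empty mismatch list means the filter behaves as intended for the tested addresses; any listed IP is a case where the deployed filter and the intended policy diverge and should be reviewed.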
You can also use tdsbind to test an LDAP logon for a particular IP address, with binding.
$ tdsbind -u diperm01 -I 141.206.35.88
Enter LDAP password:
LdapGroupBaseFQDN: ou=groups,ou=testing,dc=doman,dc=com
LdapUserBaseFQDN: ou=people,ou=testing,dc=doman,dc=com
LdapSystemFQDN: cn=end2end,cn=tdat,ou=testing,dc=doman,dc=com
LdapServerName: esroot
LdapServerPort: 389
LdapServerRealm: esrootdom
FQDN: CN=diperm01,OU=people,OU=testing,DC=domain,DC=com
GUID: 535cbe8b-3bc7-ff4a-a1f1-3c56886b7858
Audit trail ID: AKNOL3CZ1Y55UVIPRHRLIQ01YLA
Profiles: profperm01
Roles: extrole01perm01, extrole02perm01, extrole03perm01
Users: perm01
Logon by user <perm01> from IP <141.206.35.88> is not allowed
$