From the command prompt, run the tdgssauth utility to determine if the restrictions contained in the GDO affect users as expected. Test several users with different IP addresses; test users who should, and users who should not, be restricted from logging on.
This example shows a failure specific to IP addresses. When IP restrictions prevent a log on attempt, minor status 0xe10000ed is displayed in the last line of the output.
$ tdgssauth -m ldap -u diperm01 -i 192.0.2.15
TDGSS_BIN_FILE not set.
TDGSSCONFIG GDO used in tdgss.
Please enter a password:
Status: authenticated, not authorized
Database user: perm01 [permanent user]
Profile: profile01
External roles: extrole01perm01, extrole02perm01, extrole03perm01
Authenticated user: ldap://esroot.example.com:389/CN=diperm01,OU=people,OU=testing,DC=example,DC=com
Audit trail identifier: diperm01
Authenticating service: esroot1
Actual mechanism employed: ldap [OID 1.3.6.1.4.1.191.1.1012.1.20]
Mechanism specific data: diperm01
Security context capabilities: replay detection
out of sequence detection
confidentiality
integrity
protection ready
exportable security context
The TDGSS function tdgss_inquire_policy_for_user returned an error:
Major status 0x000d0000 – Failure
Minor status 0xe10000ed – The user is not permitted to log on from the IP address.