If you map a directory user to a database user object in the directory, the directory user inherits all IP restrictions that apply to the mapped database user, as defined in the IP GDO. You can use tdgssauth to check whether the GDO applies the expected IP restrictions to a mapped directory user. In the example below, the -i option supplies the source IP address that the policy is evaluated against, and the final lines show the policy check rejecting that address:
$ tdgssauth -m ldap -u diperm01 -i 192.0.2.15
TDGSS_BIN_FILE not set.
TDGSSCONFIG GDO used in tdgss.
Please enter a password:
Status: authenticated, not authorized
Database user: perm01 [permanent user]
Profile: profile01
External roles: extrole01perm01, extrole02perm01, extrole03perm01
Authenticated user: ldap://esroot.example.com:389/CN=diperm01,OU=people,OU=testing,DC=example,DC=com
Audit trail identifier: diperm01
Authenticating service: esroot1
Actual mechanism employed: ldap [OID 1.3.6.1.4.1.191.1.1012.1.20]
Mechanism specific data: diperm01
Security context capabilities: replay detection
                               out of sequence detection
                               confidentiality
                               integrity
                               protection ready
                               exportable security context
The TDGSS function tdgss_inquire_policy_for_user returned an error:
Major status 0x000d0000 – Failure
Minor status 0xe10000ed – The user is not permitted to log on from the IP address.
Note that the Status line reports "authenticated, not authorized": the directory credentials were accepted, and it is the IP policy check (tdgss_inquire_policy_for_user) that refuses the logon. If the results show that the restrictions do not behave as intended, do one or both of the following:
- Disable the restrictions.
- Edit the restrictions to correct the problem, then enable the revised restrictions and rerun the test.
Test at least one address that should be denied and one that should be permitted, so that you confirm both that the policy is enforced and that legitimate logons are not blocked. When the test returns the expected result for each address, the IP restrictions are complete.
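The following script is an added example, not part of the Teradata documentation or the tdgssauth tool: it runs tdgssauth once per source address and classifies each run's output, so the permitted and denied cases can be checked together and the check repeated after the GDO is edited. It assumes tdgssauth is on PATH and takes the -m, -u and -i options as shown above, that it prompts for the password on each run, and that a successful run prints "Status: authenticated, authorized" (an assumed string; the denied and not-authorized lines are taken from the output above). The TDGSSAUTH variable lets you point the driver at a stub for dry runs.

```shell
#!/bin/sh
# Added example (not Teradata's code): exercise the IP GDO for a mapped
# directory user from several source addresses and classify each result.
# Assumptions: tdgssauth is on PATH and accepts -m/-u/-i as on the page;
# the success line reads "Status: authenticated, authorized" (assumed);
# tdgssauth prompts for the password on every run.
TDGSSAUTH=${TDGSSAUTH:-tdgssauth}

# classify_tdgssauth: read one tdgssauth run's output on stdin and print
# a one-word verdict: ip_denied, allowed, not_authorized, auth_failed, unknown.
classify_tdgssauth() {
  out=$(cat)
  case "$out" in
    # Check the IP-policy failure first: that output also says "not authorized".
    *"not permitted to log on from the IP address"*) echo ip_denied ;;
    *"Status: authenticated, authorized"*)           echo allowed ;;
    *"Status: authenticated, not authorized"*)       echo not_authorized ;;
    *"Status: not authenticated"*)                   echo auth_failed ;;
    *)                                               echo unknown ;;
  esac
}

# check_ip_policy USER EXPECTED IP...: run tdgssauth once per source IP
# (the -i value is the address the policy is evaluated for), print one line
# per address, and return the number of addresses whose verdict differs
# from EXPECTED (normally "allowed" or "ip_denied").
check_ip_policy() {
  user=$1; expected=$2; shift 2
  bad=0
  for ip in "$@"; do
    got=$("$TDGSSAUTH" -m ldap -u "$user" -i "$ip" 2>&1 | classify_tdgssauth)
    if [ "$got" = "$expected" ]; then
      printf 'OK   %-15s %s\n' "$ip" "$got"
    else
      printf 'FAIL %-15s expected %s, got %s\n' "$ip" "$expected" "$got"
      bad=$((bad + 1))
    fi
  done
  return "$bad"
}

# Stand-alone use: check_ip_gdo.sh USER EXPECTED IP [IP...], for example
#   sh check_ip_gdo.sh diperm01 ip_denied 192.0.2.15
#   sh check_ip_gdo.sh diperm01 allowed   198.51.100.7
# (hypothetical addresses; enter the directory password when prompted).
if [ "$#" -ge 3 ]; then
  check_ip_policy "$@"
fi
```

Run it once with the addresses that the GDO should reject and once with the addresses it should permit; any FAIL line means the policy is not doing what you intended, and the denied-versus-not-authorized distinction tells you whether it was the IP check or something else that refused the logon.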