User Network address Restriction, how to specify a subnet?

Using iManager
  (because I don't see this function in UMC, and Identity Console is not an option in SLD under OES, and eDir is not a listed separate product.)

I have a couple role accounts that keep getting locked from the offsite logins, and it would be really useful to restrict to only allow the local subnet they are needed in, but the field only allows individual IPs, not whole subnets.  

It isn't like I can even nail down which server is being touched and by which protocol (CIFS is not one of them; NCP and LDAP are the only ones I am aware of).

Inline Documentation (the help available when you try to add an address) says:

  IP Address
  Specify a decimal number from 0 to 255 in each of the four fields. The first two fields represent the network segment. The last two fields represent the computer.

Clearly not understanding networking, and stuck on IPX or the old class B being the only option (we all know better).

Adding all the IPs individually for multiple class C addresses isn't exactly my idea of fun or in the range of sane.
10.0.0.0/21 is what I really want to enter, but that is not an option.
Even 10.0.0.*  through 10.0.6.* would be fine, but is not an option.

Generating a big LDIF import is possible, just not the sane route. And what might that break?

I could get Identity Console via other clients, but that misses the big point.
  A) It might not even work.
  B) Should an Open Workgroup Suite have eDir as an entitlement, and is that just broken for this client?

Have I just missed the function in UMC?

Other ideas?

________________________

Andy of KonecnyConsulting.ca in Toronto
Please use the "Like" and/or "Verified Answers" as appropriate as that helps us all.

  • 0  

    Does it technically work if you define

    10.0.0.0
    10.0.1.0
    10.0.2.0
    10.0.3.0
    10.0.4.0
    10.0.5.0
    10.0.6.0

    and

    10.0.7.0

  • 0

    To your question B): Yes, Open Workgroup Suite should have an eDir entitlement. To A) I have no experience.

  • 0   in reply to   

    Not really. I put those in, and logins from 10.5.x.x still get through, even though I made sure replication was complete.

    Clearly, it is treating the 10.0.0.0 as a /8. Sigh.

    IC time it is for next test.

    ________________________

    Andy of KonecnyConsulting.ca in Toronto
    Please use the "Like" and/or "Verified Answers" as appropriate as that helps us all.
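The two interpretations in play above (the /21 the original poster wants versus the /8 the entries appear to be treated as) can be checked offline with Python's standard `ipaddress` module. This is an added example, not code from the thread or from eDirectory; the login source addresses in `SAMPLE_LOGINS` are constructed for illustration. It lists the /24 entries that would be needed to cover 10.0.0.0/21 one network at a time, shows how many individual host addresses a per-IP field would require, and reports which sample sources each interpretation would let in.

```python
import ipaddress

# The range the poster actually wants to allow.
WANTED = ipaddress.ip_network("10.0.0.0/21")
# The broad interpretation observed in the thread for an entry of 10.0.0.0.
CLASS_A = ipaddress.ip_network("10.0.0.0/8")

# Constructed sample login source addresses (not taken from any real server).
SAMPLE_LOGINS = [
    "10.0.3.17",     # inside the wanted /21
    "10.0.7.254",    # last usable-looking address of the /21
    "10.0.8.1",      # just outside the /21, still inside 10.0.0.0/8
    "10.5.12.9",     # the kind of address the thread saw slipping through
    "192.168.1.5",   # outside both
]


def subnets_to_enter(wanted=WANTED, prefix=24):
    """Networks of the given prefix length that together cover `wanted`."""
    return [str(n) for n in wanted.subnets(new_prefix=prefix)]


def address_count(wanted=WANTED):
    """How many individual entries a one-IP-per-entry field would need."""
    return wanted.num_addresses


def classify(addr, wanted=WANTED, broad=CLASS_A):
    """Would this source be allowed under each interpretation?"""
    ip = ipaddress.ip_address(addr)
    return {
        "address": addr,
        "allowed_by_wanted": ip in wanted,
        "allowed_by_class_a": ip in broad,
    }


def slipped_through(logins=SAMPLE_LOGINS, wanted=WANTED, broad=CLASS_A):
    """Sources the broad reading admits that the wanted range would reject."""
    return [
        a for a in logins
        if classify(a, wanted, broad)["allowed_by_class_a"]
        and not classify(a, wanted, broad)["allowed_by_wanted"]
    ]


if __name__ == "__main__":
    print("Per-/24 entries needed:", subnets_to_enter())
    print("Per-host entries needed:", address_count())
    for row in (classify(a) for a in SAMPLE_LOGINS):
        print(row)
    print("Admitted by /8 but not by /21:", slipped_through())
```

Running the script prints eight /24 entries (10.0.0.0/24 through 10.0.7.0/24), 2048 host addresses, and flags 10.0.8.1 and 10.5.12.9 as sources a /8 reading would admit while the intended /21 would not.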

  • 0   in reply to 
    Yes Open Workgroup suite should have an eDir entitlement

    So, Support Case time on that front, while I pull it down from another client account that has it. Thank you.

    ________________________

    Andy of KonecnyConsulting.ca in Toronto
    Please use the "Like" and/or "Verified Answers" as appropriate as that helps us all.

  • 0   in reply to   

    The schema syntax SYN_NET_ADDRESS would for sure be sufficient to create a new address type "subnetted IPv4" next to 04 (IPv4), 0C (IPX), 10 (IPv6) and all the rest, which is likely not used anywhere anymore. I reported this way back around the time when FLAIM replaced RecMan (i.e. in the Beta of DS 8.xx). At that time microsegmentation was no hot topic, so no one cared.

    Anyway, while this feature is merely a must, I think they shun the hassle to implement it, as they'd need to touch back- and frontend code.

  • 0 in reply to   

    What about implementing these restrictions on the firewall or the connecting routers? Of course, that only works if the firewall or router knows the users. My routers don't discern between users, but my firewall needs authentication, so my firewall rules are user dependent (and the users and groups defined in the firewall are 1:1 mapped via LDAP to eDir users and groups).

  • 0   in reply to 
    What about implementing these restrictions on the firewall or the connecting routers

    If only I could. But not an option here. <sigh> It is actually a router/firewall configuration issue (that has been bearable until now) that is messing things up, as all users coming through the WAN routers are showing as the router IPs, vs their own or their VPN IPs; otherwise we could hunt and nuke the problem logins at their source. One site is moving later this year, so I will be pushing to get it done right with the new gear.

    ________________________

    Andy of KonecnyConsulting.ca in Toronto
    Please use the "Like" and/or "Verified Answers" as appropriate as that helps us all.