
How to separate different authentication providers regarding network origin?

kochjoe
SQL-Fighter

Hi there,

is it possible to separate different authentication mechanisms and allow them regarding their network origin? Imagine you have the following 2 user segments:

1.) LDAP Users are only allowed from Intranet

2.) Open ID Connect users are only allowed from Internet

By separating these 2 groups based on their authentication we want to achieve a higher security level by not exposing LDAP authentication to the public internet.

Any thoughts are appreciated


1 ACCEPTED SOLUTION

exa-Aleksandr
Team Exasol

Hi @kochjoe ,

On almost vanilla 7.1.5 I was able to lock logins of all users not having the "U1_ROLE" role by means of

{
    "loginFilters": [
        {"name": "default", "defaultPolicy": "deny"},
        {"name": "u1filter", "defaultPolicy": "allow", "roles": ["U1_ROLE"]}
    ]
}

so, probably, no special activation of the "IP Filters" feature is needed.

Could you show a simplified version of what doesn't work for you?

We could try to debug it step by step.


5 REPLIES

exa-Aleksandr
Team Exasol

Hi @kochjoe ,

You might try to use IP Filters (preview feature):

Create two roles like "LDAP_ROLE" & "OPENID_ROLE", manually assign these roles to corresponding users and then configure IP filters for the roles.
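An added example of the role setup this reply suggests (not code from the thread or from Exasol's documentation). The role names are the ones proposed above; the user names are placeholders, and the views EXA_DBA_USERS (USER_NAME) and EXA_DBA_ROLE_PRIVS (GRANTEE, GRANTED_ROLE) are assumed to match Exasol's system views. The two check queries matter for the security goal of the question: a user holding neither role falls under a default-deny login filter, and a user holding both roles would be reachable through whichever filter is more permissive, so both sets should be empty before the filters go live.

```sql
-- Added example, not from the thread: one role per authentication mechanism,
-- assigned manually to the users that authenticate that way.
CREATE ROLE LDAP_ROLE;
CREATE ROLE OPENID_ROLE;

-- Placeholder user names; replace with the real LDAP and OpenID Connect users.
GRANT LDAP_ROLE   TO ldap_user_1;
GRANT OPENID_ROLE TO oidc_user_1;

-- Check 1: users that carry neither role (assumed views EXA_DBA_USERS and
-- EXA_DBA_ROLE_PRIVS). Under a "default: deny" login filter these users
-- cannot log in at all, so the list should only contain accounts you intend to block.
SELECT u.user_name
FROM exa_dba_users u
WHERE u.user_name <> 'SYS'
  AND NOT EXISTS (
      SELECT 1
      FROM exa_dba_role_privs p
      WHERE p.grantee = u.user_name
        AND p.granted_role IN ('LDAP_ROLE', 'OPENID_ROLE'));

-- Check 2: users that carry both roles. Such a user would match the filter
-- of either role, which defeats the "LDAP only from the intranet" separation.
SELECT p.grantee
FROM exa_dba_role_privs p
WHERE p.granted_role IN ('LDAP_ROLE', 'OPENID_ROLE')
GROUP BY p.grantee
HAVING COUNT(DISTINCT p.granted_role) > 1;
```

Run the two checks again after every change to user or role assignments; role membership, not the authentication method configured on the user, is what the IP filters act on, so a stale grant silently moves a user from one network segment's policy to the other's.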

kochjoe
SQL-Fighter

Hi @exa-Aleksandr ,

thanks for your answer. This is exactly what we are looking for. Unfortunately I have not succeeded in implementing it so far, although I've followed the documentation. Do I have to activate the ipFilters preview feature somewhere?

Kind regards



kochjoe
SQL-Fighter

Hi @exa-Aleksandr ,

thanks for your answer. There was an error in my ipFilters configuration. Now it is working. Before I close the topic: Is there an easy way to monitor which requests have been denied or allowed? Are the ipFilter activities logged in the audit tables, or do I have to download the support log files for access analysis?

exa-Aleksandr
Team Exasol

Hi @kochjoe ,

I'm glad to hear that the functionality works for you.

I can see my attempts blocked by IP Filters in EXA_DBA_AUDIT_SESSIONS with ERROR_TEXT='Connection exception - IP filter blocked login.', while a wrong password leads to 'Connection exception - authentication failed.'.
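An added monitoring query built on this reply (not code from the thread or from Exasol). The view name EXA_DBA_AUDIT_SESSIONS and the two ERROR_TEXT values are taken from the reply; the columns USER_NAME, HOST, LOGIN_TIME and SUCCESS are assumed to match Exasol's audit view, and the role names and the view EXA_DBA_ROLE_PRIVS come from the earlier reply's suggestion. The first statement summarises login outcomes per user and client host; the second isolates the event the original question cares about, an LDAP-role user whose login was blocked by the IP filter, which is what an LDAP login attempt from outside the intranet looks like in the audit data.

```sql
-- Added example, not from the thread. Requires auditing to be enabled on the
-- database; otherwise EXA_DBA_AUDIT_SESSIONS stays empty.
-- Columns USER_NAME, HOST, LOGIN_TIME and SUCCESS are assumed.

-- 1) Login outcomes per user and client host over the last 7 days.
WITH classified AS (
    SELECT user_name,
           host,
           login_time,
           CASE
               WHEN error_text = 'Connection exception - IP filter blocked login.'
                   THEN 'IP_FILTER_BLOCKED'
               WHEN error_text = 'Connection exception - authentication failed.'
                   THEN 'AUTH_FAILED'
               WHEN success = TRUE
                   THEN 'ALLOWED'
               ELSE 'OTHER'
           END AS outcome
    FROM exa_dba_audit_sessions
    WHERE login_time >= ADD_DAYS(CURRENT_TIMESTAMP, -7)
)
SELECT user_name,
       host,
       outcome,
       COUNT(*)        AS attempts,
       MIN(login_time) AS first_seen,
       MAX(login_time) AS last_seen
FROM classified
GROUP BY user_name, host, outcome
ORDER BY attempts DESC, last_seen DESC;

-- 2) Only the case the question is about: users holding LDAP_ROLE whose login
--    was rejected by the IP filter, i.e. an LDAP login attempted from a network
--    the filter does not allow (assumed view EXA_DBA_ROLE_PRIVS).
SELECT s.login_time,
       s.user_name,
       s.host
FROM exa_dba_audit_sessions s
JOIN exa_dba_role_privs p
  ON p.grantee = s.user_name
 AND p.granted_role = 'LDAP_ROLE'
WHERE s.error_text = 'Connection exception - IP filter blocked login.'
  AND s.login_time >= ADD_DAYS(CURRENT_TIMESTAMP, -7)
ORDER BY s.login_time DESC;
```

The distinction between the two ERROR_TEXT values is useful operationally: 'IP filter blocked login.' means the filter did its job before any credential was checked, while 'authentication failed.' means the client reached the authentication step, so a cluster of AUTH_FAILED rows from a host that should have been filtered points at a gap in the filter rather than at a password problem.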