We use Sun iPlanet LDAP server (or Java LDAP server...whatever they are calling it today...) for all of our CCA authentication. When we did our Clean Access implementation this past summer we created new custom LDAP attributes that would allow us to "block" a user for various conditions:
EduPersonResnetBlocked
EduPersonResnetDMCA
EduResnetAbuse
EduResnetGaming
EduResnetReenable

These fields are all integer fields. We created a custom PHP web page that allows us to modify these fields via pull down boxes and write back to the LDAP servers. We then have custom roles defined in CCA for DMCA/Abuse/Gaming that are checked when a user authenticates; if they have the EduPersonResnetDMCA field set to "1", then they get assigned the DMCA role. When they run their browser the only page they get is one that says call our office to schedule an appointment because you're in trouble (well nicer than that!). :)

This has worked very well for us, other than our initial problem of CCA being case sensitive to LDAP queries for some reason.

If you're using AD I imagine you should also be able to create custom attributes in a similar way to assign them roles. Just remember that you'll have to create these attributes for ALL users. If one of those attributes does not exist for a user, CCA may assign an incorrect role to the user. We had to add these attributes to all existing user accounts and they are automatically added to a user account when a new account is created in LDAP.

--greg

Gregory A. Fuller - CCNA
Network Manager
State University of New York at Oswego
http://www.oswego.edu/~gfuller

On Fri, 18 Apr 2008 09:22:26 -0500, Miller, Paul <[EMAIL PROTECTED]> wrote:
>Can anyone tell me if there is a way to restrict a user from logging in
>to Clean Access. I noticed that I can restrict a device, but no options
>for a user.
>
>Paul Miller
>Network Administrator
>Dominican University
>River Forest, IL
>708-524-6641
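Added example, not part of the original message or the poster's PHP tooling: an audit for the caveat above that every account must carry all five attributes. It reads an LDIF export, reports entries missing any attribute (names compared case-insensitively, as LDAP attribute names are), and builds LDIF modify records that add them using the casing from the message. The default value 0, the sample DNs and the function names are assumptions.

```python
REQUIRED = ["EduPersonResnetBlocked", "EduPersonResnetDMCA", "EduResnetAbuse",
            "EduResnetGaming", "EduResnetReenable"]  # attribute names from the message
DEFAULT = "0"  # assumption: 0 means "no block"; the message only says "1" triggers a role
# Constructed sample export with hypothetical DNs; bob and carol are incomplete.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=edu
EduPersonResnetBlocked: 0
EduPersonResnetDMCA: 1
EduResnetAbuse: 0
EduResnetGaming: 0
EduResnetReenable: 0

dn: uid=bob,ou=people,dc=example,dc=edu
edupersonresnetblocked: 0
EduResnetAbuse: 0

dn: uid=carol,ou=people,dc=example,dc=edu
uid: carol
"""

def parse_ldif(text):
    """Return [(dn, {lowercased attribute names})] for simple, unfolded LDIF."""
    entries = []
    for block in text.strip().split("\n\n"):
        dn, names = None, set()
        for line in block.splitlines():
            name, _, value = line.partition(":")
            if name.lower() == "dn":
                dn = value.strip()
            else:
                names.add(name.lower())
        if dn:
            entries.append((dn, names))
    return entries

def missing_attributes(entries):
    """Map dn -> required attributes absent from that entry (complete entries omitted)."""
    report = {dn: [a for a in REQUIRED if a.lower() not in names] for dn, names in entries}
    return {dn: missing for dn, missing in report.items() if missing}

def fix_ldif(report):
    """Build LDIF modify records that add each missing attribute with DEFAULT."""
    records = []
    for dn, missing in report.items():
        lines = [f"dn: {dn}", "changetype: modify"]
        for attr in missing:
            lines += [f"add: {attr}", f"{attr}: {DEFAULT}", "-"]
        records.append("\n".join(lines))
    return "\n\n".join(records) + "\n" if records else ""
```

Review the output of `fix_ldif(missing_attributes(parse_ldif(...)))` before applying it with your directory's LDIF modify tool.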
