How To
Product: Connect Xf
Version: 3.10
Applies to: Administrators
Level: Advanced


How do I restrict access to Baya (web client) for the entire domain to a set of IP addresses

This is an advanced topic. It describes how to set the domain's default access policy, which applies to all users of the domain by default. If a user's own policy is set, it overrides the domain's default access policy.

Setting the default access policy

  • Create a file /tmp/webclientip.def.ldif from the LDIF template given below
  • In the LDIF, replace the following:
      • Replace <domainname> with the domain's name, e.g. mithi.com
      • Replace <default IP ranges or IP addresses separated by **> with IP ranges or IP addresses, e.g. 192.168.0.15**192.168.0.14**192.168.0.13
  • Save the file
  • Run the following command
    ldapadd -xv -D "cn=Manager,dc=mithibo" -w "$PGPASSWORD" -f /tmp/webclientip.def.ldif
  • Restart Tomcat
    /etc/init.d/tomcat restart
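
The substitution steps above can be scripted so that a malformed address or an unfilled placeholder never reaches ldapadd. This is an added example, not part of the original page or of Mithi's tooling: the function names are hypothetical, the embedded template is a constructed excerpt, and only single IPv4 addresses are accepted because the page does not show the syntax for ranges.

```shell
# Added example (not Mithi's code): fill in the page's LDIF template safely.

# Constructed excerpt of the template: only the lines that carry placeholders.
sample_template() {
  cat <<'EOF'
dn: cn=mailclientip,ou=boproperty,ou=user,cn=<domainname>,ou=domains,cn=en
 terprise,o=enterprise,dc=mithibo
default: <default IP ranges or IP addresses separated by **>
EOF
}

# Succeed only for four octets in 0..255 with no leading zeros ("010" may be read as octal).
is_ipv4() {
  case $1 in
    *[!0-9.]*|.*|*.|*..*|0[0-9]*|*.0[0-9]*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
}

# Join validated addresses with the "**" separator used in the template.
join_ips() {
  joined=
  for ip in "$@"; do
    is_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 1; }
    joined="${joined:+$joined**}$ip"
  done
  [ -n "$joined" ] || { echo "no addresses given" >&2; return 1; }
  printf '%s\n' "$joined"
}

# Usage: render_ldif DOMAIN IP... < template > /tmp/webclientip.def.ldif
render_ldif() {
  domain=$1
  case $domain in
    ''|*[!A-Za-z0-9.-]*) echo "invalid domain name: $domain" >&2; return 1 ;;
  esac
  shift
  ips=$(join_ips "$@") || return 1
  ldif=$(sed -e "s/<domainname>/$domain/g" \
    -e "s/<default IP ranges or IP addresses separated by \*\*>/$ips/") || return 1
  # Refuse to emit output that still contains an unfilled placeholder.
  printf '%s\n' "$ldif" | grep -Eq '<(domain|default IP)' &&
    { echo "unfilled placeholder left in output" >&2; return 1; }
  printf '%s\n' "$ldif"
}
```

Because the script writes nothing when validation fails, redirect its output to a temporary file and move it into place only on success.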

Testing the applied policy

  • Test login using the following steps
      • Test login using the web client from a client in the allowed IP list - Should login
      • Test login using the web client from a client not in the allowed IP list - Should not login
  • Login to the Application Manager
  • Change the HTTP access control
      • In the Entity View, choose Directory-->Authorization-->User
      • Select the user and set the HTTP Client access as nocheck
  • Test using the mail client and the above user. Login from a client not in the allowed IP list - Should login

LDIF template

dn: cn=mailclientip, ou=boproperty, ou=user, cn=<domainname>, ou=domains, cn=
 enterprise, o=enterprise, dc=MITHIbo
timestampproperty: whenchanged
ldapstorage: mithiHTTPIp
record: user
compulsary: f
type: text
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: mithiBO
readable: t
property: t
hasscope: f
cn: mailclientip
label: HTTP client IP or IP range
multiline: f
encodedecode: f
isregencomposite: f
sync: f
admincompulsary: f
allowblankvalue: t
singlevaluedlist: +
dircontainer: cd
contenttype: iprange,singlevaluedlist
editable: t
description: The IP address or range of IP addresses from which HTTP access is allowed if the value of the Enable HTTP access field is 'check'.
multivalue: t
admineditable: t
inheritsvalue: f
isregenrequired: f
showinusage: t
default: <default IP ranges or IP addresses separated by **>

dn: cn=mailclientaccess,ou=boproperty,ou=user,cn=<domainname>,ou=domains,cn=en
 terprise,o=enterprise,dc=mithibo
cn: mailclientaccess
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: mithiBO
admincompulsary: f
admineditable: t
allowblankvalue: t
compulsary: f
default: check
record: user
description: Control the access to the account using the HTTP protocol. The va
 lid values and the actions related are as follows:<br><br>nocheck - allow acc
 ess using the HTTP protocol<br><br>block - disallow access using the HTTP pro
 tocol<br><br>check - allow access only from machines having the IP address or
  in the IP address range specified by the HTTP Client IP or IP Range property
 .
dircontainer: cd
editable: t
encodedecode: f
inheritsvalue: f
label: Enable HTTP access
ldapstorage: mithiHTTPAccess
list: check,block,nocheck
multiline: f
multivalue: f
property: t
readable: t
showinusage: t
sync: f
timestampproperty: whenchanged
type: list
isregenrequired: f
isregencomposite: f
hasscope: f