CLEANACCESS Archives

April 2008

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject:
From: Greg Fuller <[log in to unmask]>
Reply To: Cisco Clean Access Users and Administrators <[log in to unmask]>
Date: Wed, 23 Apr 2008 10:13:21 -0400

We use Sun iPlanet LDAP server (or Java LDAP server...whatever they are 
calling it today...) for all of our CCA authentication.  When we did our 
Clean Access implementation this past summer we created new custom LDAP 
attributes that would allow us to "block" a user for various conditions:

EduPersonResnetBlocked
EduPersonResnetDMCA
EduResnetAbuse
EduResnetGaming
EduResnetReenable

These fields are all integer fields.  We created a custom PHP web page 
that allows us to modify these fields via pull down boxes and write back 
to the LDAP servers.  

We then have custom roles defined in CCA for DMCA/Abuse/Gaming that are 
checked when a user authenticates; if they have the EduPersonResnetDMCA 
field set to "1", then they get assigned the DMCA role.  When they run 
their browser the only page they get is one that says call our office to 
schedule an appointment because you're in trouble (well, nicer than 
that!).  :)  

This has worked very well for us, other than our initial problem of CCA 
being case sensitive to LDAP queries for some reason.  

If you're using AD I imagine you should also be able to create custom 
attributes in a similar way to assign them roles.  Just remember that 
you'll have to create these attributes for ALL users.  If one of those 
attributes does not exist for a user, CCA may assign an incorrect role to 
the user.  We had to add these attributes to all existing user accounts 
and they are automatically added to a user account when a new account is 
created in LDAP.  

--greg


Gregory A. Fuller - CCNA
Network Manager
State University of New York at Oswego
http://www.oswego.edu/~gfuller


On Fri, 18 Apr 2008 09:22:26 -0500, Miller, Paul <[log in to unmask]> wrote:

>Can anyone tell me if there is a way to restrict a user from logging in
>to Clean Access.  I noticed that I can restrict a device, but no options
>for a user.
>
>Paul Miller
>Network Administrator
>Dominican University
>River Forest, IL
>708-524-6641
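
The reply above warns that an account missing any of the block attributes may get the wrong role, and that attribute-name case caused trouble. The following is an added example, not part of the original post and not Cisco Clean Access code: a pre-deployment audit over an LDIF export that flags incomplete accounts and resolves the role for complete ones. The sample LDIF, the role names "Normal" and the DMCA/Abuse/Gaming precedence order are assumptions; only the attribute names come from the post.

```python
# Constructed sample LDIF (not real directory output). bob uses lowercase
# attribute names; carol is missing three of the five attributes.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=edu
EduPersonResnetBlocked: 0
EduPersonResnetDMCA: 1
EduResnetAbuse: 0
EduResnetGaming: 0
EduResnetReenable: 0

dn: uid=bob,ou=people,dc=example,dc=edu
edupersonresnetblocked: 0
edupersonresnetdmca: 0
eduresnetabuse: 0
eduresnetgaming: 1
eduresnetreenable: 0

dn: uid=carol,ou=people,dc=example,dc=edu
EduPersonResnetBlocked: 0
EduResnetAbuse: 0
"""

# Attribute names as listed in the post.
REQUIRED = ["EduPersonResnetBlocked", "EduPersonResnetDMCA", "EduResnetAbuse",
            "EduResnetGaming", "EduResnetReenable"]
# Attribute -> role. Role names and precedence order are assumptions.
ROLE_ATTRS = [("EduPersonResnetDMCA", "DMCA"), ("EduResnetAbuse", "Abuse"),
              ("EduResnetGaming", "Gaming")]

def parse_ldif(text):
    """Parse plain 'attr: value' records; names are lowercased on input so
    later lookups do not depend on how the directory returned them."""
    entries = []
    for record in text.strip().split("\n\n"):
        entry = {}
        for line in record.splitlines():
            name, _, value = line.partition(":")
            entry[name.strip().lower()] = value.strip()
        entries.append(entry)
    return entries

def audit(entry):
    """Return (dn, role, missing). Role is None when any attribute is absent,
    so an incomplete account is flagged rather than given a guessed role."""
    missing = [a for a in REQUIRED if a.lower() not in entry]
    if missing:
        return entry.get("dn"), None, missing
    for attr, role in ROLE_ATTRS:
        if entry[attr.lower()] == "1":
            return entry["dn"], role, []
    return entry["dn"], "Normal", []  # "Normal" is a hypothetical default role
```

Running `audit` over every entry of a real export before enabling the role mappings lists the accounts that still need the attributes populated.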
