Paul B. Henson wrote:
So management is insisting that we migrate our openLDAP systems from on premise into the cloud <sigh>. Specifically, AWS behind one of their load balancers.
However, we currently rely upon some level of IP address based access control to distinguish between on-campus and off-campus clients. The Amazon load balancers do client NAT, so the back end servers have no idea who is connecting at the TCP/IP level.
They do support the haproxy in band protocol for supplying this information from the load balancer to the server, but that requires specific support from the server to do. I don't see any such support in openldap or any evidence of past discussion regarding it.
Is this something that would be considered as a possible feature to be included at some point, or something not desired as part of the code base?
Depends on what that feature actually looks like. Feel free to submit a proposal on the -devel mailing list, including background info on what HAproxy protocol looks like, and what exact behaviors you want it to provide.