"Dr. Ogg" <ogg@sr375.com> wrote on 18.11.2020 at 17:55 in message
<DM5PR06MB32906E48D22C0F65570D9BD0F0E10@DM5PR06MB3290.namprd06.prod.outlook.com>:

http://www.haproxy.org/download/1.8/doc/proxy%E2%80%91protocol.txt for reference.
From: Howard Chu <hyc@symas.com>
Date: Wednesday, November 18, 2020 at 8:51 AM
To: Paul B. Henson <henson@acm.org>, openldap-technical@openldap.org <openldap-technical@openldap.org>
Subject: Re: HAProxy protocol support?

Paul B. Henson wrote:
So management is insisting that we migrate our openLDAP systems from on
premise into the cloud <sigh>. Specifically, AWS behind one of their load balancers.

However, we currently rely upon some level of IP address based access
control to distinguish between on-campus and off-campus clients. The Amazon
load balancers do client NAT, so the back end servers have no idea who is
connecting at the TCP/IP level.

They do support the haproxy in band protocol for supplying this information
from the load balancer to the server, but that requires specific support
from the server. I don't see any such support in openldap or any evidence of
past discussion regarding it.

Is this something that would be considered as a possible feature to be
included at some point, or something not desired as part of the code base?
Depends on what that feature actually looks like. Feel free to submit a proposal on the -devel mailing list, including background info on what the HAProxy protocol looks like, and what exact behaviors you want it to provide.
I wonder: Would it be possible to use a specific named bind for on-campus hosts, and use the name used for binding to control further access?
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
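To make concrete what the load balancer would hand the server, here is an added example (not code from the thread or from OpenLDAP) that parses a PROXY protocol v1 header as described in the haproxy document linked above and then applies the on-campus/off-campus split Paul describes. The header is only honoured when the TCP peer is a trusted load balancer address, otherwise any client could spoof its own source address; the networks and the sample header are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample: PROXY v1 header as a load balancer would prefix it to
# the client's TCP stream (addresses are made-up documentation ranges).
SAMPLE_V1 = b"PROXY TCP4 192.0.2.10 10.0.1.5 54321 636\r\n0\x03\x02\x01\x01"

# Assumptions for the access-control check (hypothetical networks).
TRUSTED_LB = ipaddress.ip_network("10.0.0.0/8")        # where the LBs live
CAMPUS_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # "on-campus" clients

MAX_V1_HEADER = 107  # per the spec: whole line including CRLF is <= 107 bytes


@dataclass(frozen=True)
class ProxyInfo:
    family: str
    src: object
    dst: object
    src_port: int
    dst_port: int


def parse_proxy_v1(data: bytes):
    """Parse a PROXY v1 header at the start of `data`.

    Returns (ProxyInfo or None for 'PROXY UNKNOWN', remaining payload bytes).
    Raises ValueError for anything malformed; the caller should then drop
    the connection rather than guess a client address.
    """
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end < 0:
        raise ValueError("no CRLF within 107 bytes: not a PROXY v1 header")
    fields = data[:end].decode("ascii").split(" ")  # exactly single spaces
    if fields[0] != "PROXY":
        raise ValueError("missing PROXY signature")
    rest = data[end + 2:]
    if fields[1] == "UNKNOWN":
        return None, rest  # LB could not determine the client; fail closed
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("bad field count or family")
    src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    want = 4 if fields[1] == "TCP4" else 6
    if src.version != want or dst.version != want:
        raise ValueError("address family does not match protocol")
    sport, dport = int(fields[4]), int(fields[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return ProxyInfo(fields[1], src, dst, sport, dport), rest


def client_is_on_campus(peer_ip: str, data: bytes) -> bool:
    """Decide on-campus status from the real client address.

    Only a trusted load balancer may assert a client address via the header;
    a direct connection from anyone else is judged by its own TCP peer.
    """
    peer = ipaddress.ip_address(peer_ip)
    if peer in TRUSTED_LB:
        info, _ = parse_proxy_v1(data)
        client = info.src if info else None
    else:
        client = peer
    return client is not None and any(client in n for n in CAMPUS_NETS)
```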