"Dr. Ogg" ogg@sr375.com wrote on 18.11.2020 at 17:55 in message
DM5PR06MB32906E48D22C0F65570D9BD0F0E10@DM5PR06MB3290.namprd06.prod.outlook.com:
http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
for reference.
From: Howard Chu hyc@symas.com
Date: Wednesday, November 18, 2020 at 8:51 AM
To: Paul B. Henson henson@acm.org, openldap-technical@openldap.org <openldap-technical@openldap.org>
Subject: Re: HAProxy protocol support?

Paul B. Henson wrote:
So management is insisting that we migrate our openLDAP systems from on premises into the cloud <sigh>. Specifically, AWS behind one of their load balancers.
However, we currently rely upon some level of IP address based access control to distinguish between on-campus and off-campus clients. The Amazon load balancers do client NAT, so the back end servers have no idea who is connecting at the TCP/IP level.
They do support the haproxy in band protocol for supplying this information from the load balancer to the server, but that requires specific support from the server to do. I don't see any such support in openldap or any evidence of past discussion regarding it.
Is this something that would be considered as a possible feature to be included at some point, or something not desired as part of the code base?
Depends on what that feature actually looks like. Feel free to submit a proposal on the -devel mailing list, including background info on what the HAProxy protocol looks like, and what exact behaviors you want it to provide.
I wonder: Would it be possible to use a specific named bind for on-campus hosts, and use the name used for binding to control further access?
--
Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
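The in-band mechanism Paul refers to is the PROXY protocol header that the load balancer prepends to each forwarded TCP connection (the proxy-protocol.txt linked above). As an added illustration, not code from this thread or from OpenLDAP, here is a parser for the v1 text form together with the check a server needs so that only the trusted load balancer can set the client address seen by IP-based ACLs; the load balancer and campus address ranges are constructed assumptions.

```python
import ipaddress
from typing import NamedTuple, Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
# Constructed assumptions: the load balancers' internal addresses (the only peers whose
# PROXY header is trusted) and the address ranges that count as on-campus.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]
CAMPUS_NETS = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("2001:db8::/32")]

class ProxyHeader(NamedTuple):
    family: str                 # "TCP4", "TCP6" or "UNKNOWN"
    src_ip: Optional[IPAddr]
    dst_ip: Optional[IPAddr]
    src_port: Optional[int]
    dst_port: Optional[int]

def parse_proxy_v1(data: bytes):
    """Return (header, bytes after the header); ValueError on any malformed line.
    The spec caps a v1 line at 107 bytes including the CRLF terminator."""
    end = data.find(b"\r\n", 0, 107)
    if end < 0:
        raise ValueError("no complete PROXY v1 line within 107 bytes")
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]
    if len(fields) < 2 or fields[0] != "PROXY":
        raise ValueError("missing PROXY signature")
    if fields[1] == "UNKNOWN":  # LB could not determine the origin; nothing else is usable
        return ProxyHeader("UNKNOWN", None, None, None, None), rest
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 line")
    src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    if {src.version, dst.version} != {4 if fields[1] == "TCP4" else 6}:
        raise ValueError("address family does not match protocol field")
    if not (fields[4].isdigit() and fields[5].isdigit()) or max(map(int, fields[4:6])) > 65535:
        raise ValueError("ports must be decimal and at most 65535")
    return ProxyHeader(fields[1], src, dst, int(fields[4]), int(fields[5])), rest

def effective_client_ip(peer_ip: str, data: bytes):
    """Address the IP-based ACLs should see, plus the bytes left for the LDAP decoder.
    Only a peer in TRUSTED_PROXIES may rewrite the client address; from any other peer the
    bytes stay ordinary client data, so a direct client cannot claim an on-campus address."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        return peer, data
    hdr, rest = parse_proxy_v1(data)
    return hdr.src_ip, rest     # None for UNKNOWN: this policy treats that as off-campus

def is_on_campus(ip: Optional[IPAddr]) -> bool:
    return ip is not None and any(ip in net for net in CAMPUS_NETS)
```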
On 11/18/2020 11:05 PM, Ulrich Windl wrote:
I wonder: Would it be possible to use a specific named bind for on-campus hosts, and use the name used for binding to control further access?
Hmm, I'm not completely sure what you mean here? Do you mean an authenticated bind? Our current IP address access control allows anonymous users on campus access to attributes that anonymous users off-campus cannot get to, and it also limits authenticated binds for non-service accounts to on campus only.
"Paul B. Henson" henson@acm.org wrote on 19.11.2020 at 20:28 in message
3caa7199-fb23-5cf8-07f5-1bfbac50b8a5@acm.org:
On 11/18/2020 11:05 PM, Ulrich Windl wrote:
I wonder: Would it be possible to use a specific named bind for on-campus hosts, and use the name used for binding to control further access?
Hmm, I'm not completely sure what you mean here? Do you mean an authenticated bind? Our current IP address access control allows
Yes, authenticated ("named" vs. anonymous) binds.
anonymous users on campus access to attributes that anonymous users off-campus cannot get to, and it also limits authenticated binds for non-service accounts to on campus only.
I'm aware that this might require a change like having to use an authenticated bind for "get more" from LDAP (as opposed to anonymous binds).
Regards, Ulrich