>> "Dr. Ogg" <ogg(a)sr375.com> wrote on 18.11.2020 at 17:55 in message
<DM5PR06MB32906E48D22C0F65570D9BD0F0E10(a)DM5PR06MB3290.namprd06.prod.outlook.com>:
http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt for reference.
From: Howard Chu <hyc(a)symas.com>
Date: Wednesday, November 18, 2020 at 8:51 AM
To: Paul B. Henson <henson(a)acm.org>, openldap-technical(a)openldap.org <openldap-technical(a)openldap.org>
Subject: Re: HAProxy protocol support?
Paul B. Henson wrote:
> So management is insisting that we migrate our openLDAP systems from on
> premise into the cloud <sigh>. Specifically, AWS behind one of their load
> balancers.
>
> However, we currently rely upon some level of IP address based access
> control to distinguish between on-campus and off-campus clients. The Amazon
> load balancers do client NAT, so the back end servers have no idea who is
> connecting at the TCP/IP level.
>
> They do support the haproxy in band protocol for supplying this information
> from the load balancer to the server, but that requires specific support
> from the server to do. I don't see any such support in openldap or any
> evidence of past discussion regarding it.
>
> Is this something that would be considered as a possible feature to be
> included at some point, or something not desired as part of the code base?
Depends on what that feature actually looks like. Feel free to submit a
proposal on the -devel mailing list, including background info on what HAproxy
protocol looks like, and what exact behaviors you want it to provide.
I wonder: Would it be possible to use a specific named bind for on-campus
hosts, and use the name used for binding to control further access?
--
-- Howard Chu
CTO, Symas Corp.
http://www.symas.com
Director, Highland Sun
http://highlandsun.com/hyc/
Chief Architect, OpenLDAP
http://www.openldap.org/project/
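Added example, not part of the thread and not OpenLDAP or HAProxy code: a parser for the PROXY protocol v1 text header described in the haproxy.org document referenced above, plus the on-campus/off-campus decision Paul describes, made from the client address the load balancer conveys. The trusted load-balancer subnet, the campus ranges and the sample connections are constructed placeholders. The one thing a backend has to get right is that the header is honored only when the TCP peer is the load balancer itself; from any other peer the bytes are passed through untouched, because otherwise the claimed source address is simply whatever the connecting client wrote.

```python
"""PROXY protocol v1 header parsing and a source-based zone decision.

Added example; not OpenLDAP or HAProxy code. Format per
http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt (v1, text form).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Spec: a v1 header is at most 107 bytes including the terminating CRLF; if no
# CRLF appears within that many bytes the receiver must drop the connection.
MAX_V1_HEADER = 107


class ProxyHeaderError(ValueError):
    """Malformed PROXY v1 header."""


@dataclass
class ProxyInfo:
    family: str                 # "TCP4", "TCP6" or "UNKNOWN"
    src: Optional[IPAddr]       # original client address (None for UNKNOWN)
    dst: Optional[IPAddr]
    src_port: Optional[int]
    dst_port: Optional[int]
    header_len: int             # bytes consumed, including the CRLF


def _port(text: str) -> int:
    if not text.isdigit() or len(text) > 5:
        raise ProxyHeaderError(f"bad port {text!r}")
    port = int(text)
    if port > 65535:
        raise ProxyHeaderError(f"port out of range: {port}")
    return port


def parse_proxy_v1(data: bytes) -> ProxyInfo:
    """Parse a v1 header from the start of `data`; raise on any violation."""
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end < 0:
        raise ProxyHeaderError("no CRLF within 107 bytes")
    try:
        fields = data[:end].decode("ascii").split(" ")
    except UnicodeDecodeError as exc:
        raise ProxyHeaderError("non-ASCII header") from exc
    if len(fields) < 2 or fields[0] != "PROXY":
        raise ProxyHeaderError("missing PROXY signature")
    family = fields[1]
    if family == "UNKNOWN":
        # Sender could not determine the original addresses; the rest of the
        # line is to be ignored by the receiver.
        return ProxyInfo("UNKNOWN", None, None, None, None, end + 2)
    if family not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ProxyHeaderError(f"unsupported header {fields!r}")
    addr_cls = ipaddress.IPv4Address if family == "TCP4" else ipaddress.IPv6Address
    try:
        src, dst = addr_cls(fields[2]), addr_cls(fields[3])
    except ipaddress.AddressValueError as exc:
        raise ProxyHeaderError(f"bad address: {exc}") from exc
    return ProxyInfo(family, src, dst, _port(fields[4]), _port(fields[5]), end + 2)


# Constructed placeholder ranges for the example: only the load balancer
# subnet may speak PROXY protocol to us; only these ranges count as campus.
TRUSTED_PROXY_NETS = [ipaddress.ip_network("10.0.0.0/24")]
CAMPUS_NETS = [ipaddress.ip_network("192.0.2.0/24"),
               ipaddress.ip_network("2001:db8::/32")]


def _in_any(addr: IPAddr, nets) -> bool:
    return any(addr in net for net in nets)


def classify_connection(peer_ip: str, data: bytes) -> Tuple[Optional[str], str, bytes]:
    """Return (effective_client_ip, zone, payload_after_header).

    The PROXY header is honored only when the TCP peer is a trusted load
    balancer. From any other peer the bytes are passed through unchanged (so
    the LDAP decoder will reject a stray "PROXY ..." line as a bad message)
    and the peer address itself is the client address.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not _in_any(peer, TRUSTED_PROXY_NETS):
        zone = "on-campus" if _in_any(peer, CAMPUS_NETS) else "off-campus"
        return str(peer), zone, data
    info = parse_proxy_v1(data)          # raises -> caller closes the connection
    payload = data[info.header_len:]
    if info.family == "UNKNOWN":
        return None, "off-campus", payload   # no address known: least privilege
    zone = "on-campus" if _in_any(info.src, CAMPUS_NETS) else "off-campus"
    return str(info.src), zone, payload


if __name__ == "__main__":
    # Constructed samples: the trailing bytes stand in for the LDAP PDU.
    hdr = b"PROXY TCP4 192.0.2.10 10.0.0.7 51234 389\r\n"
    print(classify_connection("10.0.0.5", hdr + b"0\x0c"))      # from the LB
    print(classify_connection("203.0.113.9", hdr + b"0\x0c"))   # direct peer
```

The zone returned here would be the input to whatever access control the server applies (an ACL keyed on the effective address, or a mapping to a named bind as suggested above); the parser itself only establishes which address can be trusted.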