11:05 p.m.
>> "Dr. Ogg" <ogg(a)sr375.com> schrieb am
18.11.2020 um 17:55 in Nachricht
<DM5PR06MB32906E48D22C0F65570D9BD0F0E10(a)DM5PR06MB3290.namprd06.prod.outlook.com>
http://www.haproxy.org/download/1.8/doc/proxy‑protocol.txt
for reference.
From: Howard Chu <hyc(a)symas.com>
Date: Wednesday, November 18, 2020 at 8:51 AM
To: Paul B. Henson <henson(a)acm.org>, openldap‑technical(a)openldap.org
<openldap‑technical(a)openldap.org>
Subject: Re: HAProxy protocol support?
Paul B. Henson wrote:
> So management is insisting that we migrate our openLDAP systems from on
premise into the cloud <sigh>. Specifically, AWS behind one of their load
balancers.
>
> However, we currently rely upon some level of IP address based access
control to distinguish between on‑campus and off‑campus clients. The Amazon
load balancers
> do client NAT, so the back end servers have no idea who is connecting at
the
TCP/IP level.
>
> They do support the haproxy in band protocol for supplying this information
from the load balancer to the server, but that requires specific
support
from
the
> server to do. I don't see any such support in openldap or any evidence of
past discussion regarding it.
>
> Is this something that would be considered as a possible feature to be
included at some point, or something not desired as part of the code base?
Depends on what that feature actually looks like. Feel free to submit a
proposal
on the ‑devel mailing list, including background info on what HAproxy
protocol
looks like, and what exact behaviors you want it to provide.
I wonder: Would it be possible to use a specific named bind for on-campus
hosts, and use the name used for binding to controll further access?
‑‑
‑‑ Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
11:28 a.m.
On 11/18/2020 11:05 PM, Ulrich Windl wrote:
I wonder: Would it be possible to use a specific named bind for on-campus
hosts, and use the name used for binding to controll further access?
Hmm, I'm not completely sure what you mean here? Do you mean an
authenticated bind? Our current IP address access control allows
anonymous users on campus access to attributes that anonymous users
off-campus cannot get to, and it also limits authenticated binds for
non-service accounts to on campus only.
12:12 a.m.
>> "Paul B. Henson" <henson(a)acm.org> schrieb am
19.11.2020 um 20:28 in Nachricht
<3caa7199-fb23-5cf8-07f5-1bfbac50b8a5(a)acm.org>:
On 11/18/2020 11:05 PM, Ulrich Windl wrote:
>
> I wonder: Would it be possible to use a specific named bind for on-campus
> hosts, and use the name used for binding to controll further access?
Hmm, I'm not completely sure what you mean here? Do you mean an
authenticated bind? Our current IP address access control allows
Yes, authenticated ("named" vs. anonymous) binds.
anonymous users on campus access to attributes that anonymous users
off-campus cannot get to, and it also limits authenticated binds for
non-service accounts to on campus only.
I'm aware that this might require a change like having to use an authenticated bind
for "get more" from LDAP (as opposed to anonymous binds).
Regards,
Ulrich
1044
days inactive
1045
days old
openldap-technical@openldap.org
2 comments
2 participants
participants (2)
-
Paul B. Henson -
Ulrich Windl