From: peter f. <pet...@ya...> - 2000-09-22 12:12:36
At 8:36 AM +0100 9/22/00, Chris Ridd wrote:
>Jim Harle <ha...@us...> wrote:
>
> > Peter, just use $ENV{'REMOTE_ADDR'} to get this. --Jim Harle
>>
>
>Right, but that doesn't do the second part of what Peter wanted - he would
>appear to have access controls based on the client's network address, and
>so wants the web server to proxy the LDAP connection to the server making
>it *appear* that the connection is coming from the machine the user is
>running their web browser on.

Hi.

First of all, thanks to everyone who took the time to write; I really appreciate it.

Chris speculated correctly. I have ACLs that take care of 'direct' LDAP queries. These ACLs are based upon the requester's IP address or DNS name. This works fine except when we open up our LDAP directory to the 'world' through a WWW gateway. Then it appears as if everyone is coming in locally, since the LDAP directory server sees the IP address of the machine that the Perl CGI is running on.

Here is the 'solution' that I came up with; tell me what you think. I changed the LDAP CGI gateway to check the $ENV{'REMOTE_ADDR'} variable. If it is an IP address 'local' to the Yale University domain, then I bind to the LDAP server with one "dn". If the IP address is not 'local' to the Yale University domain, then I bind to the LDAP server with another, different "dn". Then I changed the LDAP server ACLs to account for permissions based upon the "dn" of the requestor.

This seems to work just fine.

Comments?

--
---------------------------------------------------------------------------
Yale University                          Peter Furmonavicius
Information Technology Services          Senior Research Programmer
175 Whitney Avenue                       mailto:pet...@ya...
P.O. Box 208276                          http://pantheon.yale.edu/~peter
New Haven, CT 06520-8276                 phone: 203.432.6691  fax: 203.432.9216
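An added illustration of the address-based DN selection described in the post above; this is example code written for this page, not Peter's Perl CGI, and the network ranges and bind DNs are constructed placeholders, since the post names neither. It does the address test with proper CIDR matching rather than string prefixes, falls back to the less-privileged external DN whenever REMOTE_ADDR is missing or malformed, and deliberately ignores client-supplied forwarding headers.

```python
import ipaddress
import os

# Constructed placeholder ranges standing in for the "local" campus networks;
# the real Yale address blocks are not given in the post.
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]

# Hypothetical DNs for the two gateway identities the post describes.
LOCAL_BIND_DN = "cn=gateway-local,ou=services,dc=example,dc=edu"
EXTERNAL_BIND_DN = "cn=gateway-external,ou=services,dc=example,dc=edu"


def is_local_client(remote_addr):
    """True only if REMOTE_ADDR parses as an address inside a local network.

    Membership is tested with CIDR arithmetic; a string test such as
    startswith("192.0.2") would also accept 192.0.20.x and 192.0.200.x.
    A missing or unparsable value is treated as external (fail closed)."""
    try:
        addr = ipaddress.ip_address((remote_addr or "").strip())
    except ValueError:
        return False
    return any(addr in net for net in LOCAL_NETWORKS)


def choose_bind_dn(environ):
    """Pick the DN the gateway binds with, based solely on REMOTE_ADDR.

    REMOTE_ADDR is set by the web server from the TCP peer address, so it is
    only meaningful when clients reach this server directly. Headers such as
    HTTP_X_FORWARDED_FOR are supplied by the client and are ignored here."""
    if is_local_client(environ.get("REMOTE_ADDR")):
        return LOCAL_BIND_DN
    return EXTERNAL_BIND_DN


if __name__ == "__main__":
    # In a CGI the web server populates os.environ; print the chosen DN.
    print(choose_bind_dn(os.environ))
```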