From: Chris R. <chr...@me...> - 2000-09-22 12:27:54
peter furmonavicius <pet...@ya...> wrote:
> At 8:36 AM +0100 9/22/00, Chris Ridd wrote:
>> Jim Harle <ha...@us...> wrote:
>> > Peter, just use $ENV{'REMOTE_ADDR'} to get this. --Jim Harle
>>
>> Right, but that doesn't do the second part of what Peter wanted - he
>> would appear to have access controls based on the client's network
>> address, and so wants the web server to proxy the LDAP connection to the
>> server making it *appear* that the connection is coming from the machine
>> the user is running their web browser on.
>
> Hi. First of all, thanks to everyone who took the time to write, I
> really appreciate it.
>
> Chris speculated correctly. I have ACLs that take care of 'direct' LDAP
> queries. These ACLs are based upon the requester's IP address or DNS
> names. This works fine except when we open up our LDAP directory to the
> 'world' through a WWW gateway. Then it appears as if everyone is coming
> in locally since the LDAP directory server sees the IP address of the
> machine that the Perl cgi is running on.
>
> Here is the 'solution' that I came up with, tell me what you think. I
> changed the ldap cgi gateway to check the $ENV{'REMOTE_ADDR'} variable.
> If it is an IP address 'local' to the Yale University domain, then I bind
> to the LDAP server with one "dn". If the IP address is not 'local' to
> the Yale University domain, then I bind to the LDAP server with another
> different "dn". Then I changed the LDAP server ACLs to account for
> permissions based upon the "dn" of the requestor. This seems to work
> just fine.
>
> Comments?
> --
> -------------------------------------------------------------------------
> Yale University                        Peter Furmonavicius
> Information Technology Services        Senior Research Programmer
> 175 Whitney Avenue                     mailto:pet...@ya...
> P.O. Box 208276                        http://pantheon.yale.edu/~peter
> New Haven, CT 06520-8276               phone: 203.432.6691  fax: 203.432.9216

Sounds like a reasonable solution to me.

Cheers,

Chris
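The gateway Peter describes, written out as an added example (this is not code from the thread or from the perl-ldap project): a CGI that classifies the client by `$ENV{'REMOTE_ADDR'}` against a list of "local" address ranges, binds with one of two DNs accordingly, and runs the search under that identity. The LDAP host, base DN, gateway DNs, password file paths and the RFC 5737 address ranges are placeholders; `CGI` and `Net::LDAP` are assumed to be installed.

```perl
#!/usr/bin/perl
# Added example, not from the thread. Choose the LDAP bind DN from the
# web client's address so the directory's DN-based ACLs apply to gateway
# users the same way its address-based ACLs apply to direct LDAP clients.
use strict;
use warnings;
use CGI;
use Socket qw(inet_aton);
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

my $LDAP_HOST = 'ldap.example.edu';              # placeholder
my $BASE_DN   = 'ou=People,dc=example,dc=edu';   # placeholder

# Ranges the directory treats as 'local'. RFC 5737 documentation ranges
# stand in for the real campus networks (placeholders).
my @LOCAL_NETS = ('192.0.2.0/24', '198.51.100.0/24');

# One gateway identity per client class. Passwords live in files outside
# the document root and are read at request time, never hard-coded here.
my %IDENTITY = (
    local  => { dn     => 'cn=gateway-local,ou=Gateways,dc=example,dc=edu',
                pwfile => '/etc/ldap-gateway/local.pw' },     # placeholders
    remote => { dn     => 'cn=gateway-remote,ou=Gateways,dc=example,dc=edu',
                pwfile => '/etc/ldap-gateway/remote.pw' },    # placeholders
);

# True if dotted-quad $ip falls inside $cidr ("a.b.c.d/bits"). A proper
# mask comparison avoids the string-prefix mistake (e.g. "10.1" matching
# "10.100.0.1").
sub ip_in_cidr {
    my ($ip, $cidr) = @_;
    my ($net, $bits) = split m{/}, $cidr;
    my $ip_packed  = inet_aton($ip)  or return 0;
    my $net_packed = inet_aton($net) or return 0;
    my $mask = $bits == 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
    return ((unpack('N', $ip_packed) & $mask) == (unpack('N', $net_packed) & $mask)) ? 1 : 0;
}

# Anything that is not provably inside a local range is 'remote'.
sub client_class {
    my ($addr) = @_;
    return 'remote' unless defined $addr;
    for my $net (@LOCAL_NETS) {
        return 'local' if ip_in_cidr($addr, $net);
    }
    return 'remote';
}

sub read_password {
    my ($file) = @_;
    open my $fh, '<', $file or die "cannot read $file: $!";
    chomp(my $pw = <$fh> // '');
    close $fh;
    return $pw;
}

# Bind as the identity for $class and look up people by name.
sub lookup {
    my ($class, $name) = @_;
    my $id   = $IDENTITY{$class};
    my $ldap = Net::LDAP->new($LDAP_HOST) or die "LDAP connect failed: $@";
    my $mesg = $ldap->bind($id->{dn}, password => read_password($id->{pwfile}));
    die 'LDAP bind failed: ' . $mesg->error if $mesg->code;

    # Escape the user-supplied value so it cannot change the filter's shape.
    my $filter = '(cn=*' . escape_filter_value($name) . '*)';
    $mesg = $ldap->search(base   => $BASE_DN, scope => 'sub',
                          filter => $filter,  attrs => ['cn', 'mail']);
    die 'LDAP search failed: ' . $mesg->error if $mesg->code;

    my @rows = map { [ $_->get_value('cn'), $_->get_value('mail') ] } $mesg->entries;
    $ldap->unbind;
    return \@rows;
}

my $q     = CGI->new;
my $class = client_class($ENV{REMOTE_ADDR});
my $name  = $q->param('name') // '';

print $q->header('text/plain');
print "client class: $class\n";
if (length $name) {
    for my $row (@{ lookup($class, $name) }) {
        printf "%s\t%s\n", $row->[0] // '', $row->[1] // '';
    }
}
```

Two points worth checking when deploying something like this: `REMOTE_ADDR` is the address of the TCP peer the web server sees, so if the CGI sits behind a reverse proxy or load balancer every request will classify as whatever that proxy is, and the decision has to be made where the real client address is known. And the "local" DN should be granted no more than the read access the address-based ACLs already give campus machines, so that the gateway never becomes a path to more than a direct local query could see.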