Menu
▾
▴
Re: [Fwd] Net::LDAP question
|
From: Chris R. <chr...@me...> - 2000-09-22 12:27:54
|
peter furmonavicius <pet...@ya...> wrote:
> At 8:36 AM +0100 9/22/00, Chris Ridd wrote:
>> Jim Harle <ha...@us...> wrote:
>> > Peter, just use $ENV{'REMOTE_ADDR'} to get this. --Jim Harle
>>>
>>
>> Right, but that doesn't do the second part of what Peter wanted - he
>> would appear to have access controls based on the client's network
>> address, and so wants the web server to proxy the LDAP connection to the
>> server making it *appear* that the connection is coming from the machine
>> the user is running their web browser on.
>
> Hi. First of all, thanks to everyone who took the time to write, I
> really appreciate it.
>
> Chris speculated correctly. I have ACLs that take care of 'direct' LDAP
> queries. These ACLs are based upon the requesters IP addresss or DNS
> names. This works fine except when we open up our LDAP directory to the
> 'world' through a WWW gateway. Then it appears as if everyone is coming
> in locally since the LDAP directory server sees the IP address of the
> machine that the Perl cgi is running on.
>
> Here is the 'solution' that I came up with, tell me what you think. I
> changed the ldap cgi gateway to check the $ENV{'REMOTE_ADDR'} variable.
> If it is an IP address 'local' to the Yale University domain, then I bind
> to the LDAP server with one "dn". If the IP address is not 'local' to
> the Yale University domain, then I bind to the LDAP server with another
> different "dn". Then I changed the LDAP server ACLs to account for
> permissions based upon the "dn" of the requestor. This seems to work
> just fine.
>
> Comments?
> --
> -------------------------------------------------------------------------
> -- Yale University Peter Furmonavicius
> Information Technology Services Senior Research Programmer
> 175 Whitney Avenue mailto:pet...@ya...
> P.O. Box 208276 http://pantheon.yale.edu/~peter
> New Haven, CT 06520-8276 phone: 203.432.6691 fax: 203.432.9216
Sounds like a reasonable solution to me.
Cheers,
Chris
|