>>> "Dr. Ogg" <[email protected]> wrote on 18.11.2020 at 17:55 in message <dm5pr06mb32906e48d22c0f65570d9bd0f0...@dm5pr06mb3290.namprd06.prod.outlook.com>
> http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
>
> for reference.
>
>
> From: Howard Chu <[email protected]>
> Date: Wednesday, November 18, 2020 at 8:51 AM
> To: Paul B. Henson <[email protected]>, openldap-[email protected] <openldap-[email protected]>
> Subject: Re: HAProxy protocol support?
> Paul B. Henson wrote:
>> So management is insisting that we migrate our openLDAP systems from on premise into the cloud <sigh>. Specifically, AWS behind one of their load balancers.
>>
>> However, we currently rely upon some level of IP address based access control to distinguish between on-campus and off-campus clients. The Amazon load balancers
>> do client NAT, so the back end servers have no idea who is connecting at the TCP/IP level.
>>
>> They do support the haproxy in band protocol for supplying this information from the load balancer to the server, but that requires specific support from the
>> server to do. I don't see any such support in openldap or any evidence of past discussion regarding it.
>>
>> Is this something that would be considered as a possible feature to be included at some point, or something not desired as part of the code base?
>
> Depends on what that feature actually looks like. Feel free to submit a proposal
> on the -devel mailing list, including background info on what HAproxy protocol
> looks like, and what exact behaviors you want it to provide.

I wonder: Would it be possible to use a specific named bind for on-campus hosts, and use the name used for binding to control further access?

>
> --
>   -- Howard Chu
>   CTO, Symas Corp.           http://www.symas.com
>   Director, Highland Sun     http://highlandsun.com/hyc/
>   Chief Architect, OpenLDAP  http://www.openldap.org/project/
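
Background for the thread above, as an added example that is not part of any message here and is not OpenLDAP code: a parser for the human-readable version 1 header from the referenced proxy-protocol.txt, plus the on-campus/off-campus decision it would feed. The function names and both networks (a 10.0.0.0/24 load balancer subnet and 192.0.2.0/24 as the campus range) are assumptions made up for the illustration; the binary version 2 header is not handled.

```python
import ipaddress

MAX_V1_LINE = 107  # longest v1 header allowed by the spec, CRLF included

# Constructed sample networks (assumptions for this example only).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]   # load balancer subnet
CAMPUS_NETS = [ipaddress.ip_network("192.0.2.0/24")]      # "on-campus" range


def parse_proxy_v1(data: bytes):
    """Return (source address or None, bytes after the header).

    Raises ValueError on anything that is not a well-formed v1 header.
    """
    end = data.find(b"\r\n", 0, MAX_V1_LINE)
    if not data.startswith(b"PROXY ") or end == -1:
        raise ValueError("missing, unterminated or oversized PROXY header")
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]
    if fields[1] == "UNKNOWN":          # proxy could not name the client
        return None, rest
    if fields[1] not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ValueError("bad protocol token or field count")
    src = ipaddress.ip_address(fields[2])
    dst = ipaddress.ip_address(fields[3])
    version = 4 if fields[1] == "TCP4" else 6
    if src.version != version or dst.version != version:
        raise ValueError("address family does not match protocol token")
    for port in fields[4:]:
        if not port.isdigit() or int(port) > 65535:
            raise ValueError("bad port")
    return src, rest


def classify(peer_ip: str, first_bytes: bytes) -> str:
    """Decide on-campus/off-campus for one new connection."""
    client = ipaddress.ip_address(peer_ip)
    if any(client in net for net in TRUSTED_PROXIES):
        # Only a known load balancer may speak for someone else.
        client, _ = parse_proxy_v1(first_bytes)
        if client is None:
            return "off-campus"
    # For any other peer the header is never read, so a forged
    # "PROXY ..." line cannot claim a campus address.
    return "on-campus" if any(client in n for n in CAMPUS_NETS) else "off-campus"
```

The address in the header is only as trustworthy as the peer that sent it, which is why the sketch checks the TCP peer against the load balancer subnet before parsing anything.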
