I can only think of one "solution" to this, that's to use two different
sets of credentials, (or at least, two different person objects) - one
with full access to applications (for "home" use), and one with
restricted access ("roaming" use), and use IP address filtering to
prevent the user from logging on with his "home" credentials from other
than a known address.
So, for the "home" user, you'd have a person object with "Links" that
contain the full suite of applications, and connection rules like:
Client          Server   Connection Type
172.16.0.100    *        SSL
*               *        Deny
This user then could only login from a known location using these
credentials. Outside of that location, they'd have to use an
alternate "roaming" Person Object, (possibly mapped to the same uid,
assuming you're using Unix credentials for SGD login, but with some
other unambiguous data, like "CN="), with a more limited suite of
applications. No connection rules are necessary.
Of course, this lacks transparency to the end user, and to the
administrator.
If you front-ended this with a webserver authentication module, so that
the ENS/LDAP lookup phase would be set to the "right" ID based on client
IP address, this would be more transparent. You might have a look at
http://www.troppoavanti.it/software/apache/mod_auth_ip/ - but personally
I haven't tried this. Would seem you could use the AuthenticateIP
directive to set the username to specific username when coming from a
specific IP address - but this approach frightens me in that it
basically allows anyone with that (possibly spoofed) IP address to
bypass authentication (if I understand the mod_auth_ip module correctly.)
Outside of using mod_auth_ip, Apache provides for IP-based access
controls, using the Allow/Deny directives. You can establish more than
one set of access control for a directory using the "Satisfy" directive,
and they can also overlap.
Alternatively, I'm wondering if there may be a way to abuse the
Directory Services Integration facility to do this? But so far, nothing
comes to mind.
There's also a brute-force method - modify the webtop.jsp to not display
certain applications, for certain users and certain IP addresses, but
this doesn't really seem like a very good approach at all, and wouldn't
work with integrated mode.
A reverse-proxy that can do URL rewrites might be an approach as well.
I dunno, most of these latter mechanisms seem convoluted to me, would
have to think more about this. Meanwhile, hope this helps,
Rick
Remold Krol | Everett wrote:
Hiya all,
Does anyone have an idea how to make the following possible:
When a user logs on to SSGD from a known IP-address (for example his
home IP-address) he/she should see all applications within SSGD.
When the same user logs on via an unknown IP-address (for example an
internet cafe) he/she should see only a subset of the applications
within SSGD.
The only solution I can think of is to set up 2 separate SSGD servers,
using a network device (like a level-4 switch) to direct the user to
one or the other SSGD server, so that there is one single URL for both
SSGD servers.
Regards,
Remold | Everett
_______________________________________________
SGD-Users mailing list
[email protected]
http://www.filibeto.org/mailman/listinfo/sgd-users
--
Rick Butland
E-Mail: [EMAIL PROTECTED]
AccessLine: (703) 579-1947 x53261
Direct: (703) 444-9398
Mobile: (703) 328-8130
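Added illustration, not code from either message and not part of SGD: the two-person-object scheme Rick sketches above, modelled in Python so the rule table and the "home" vs "roaming" fallback can be exercised. Assumptions, not taken from SGD documentation: connection rules are evaluated top to bottom and the first matching rule wins; a client pattern may be an exact address, a CIDR prefix, or "*"; a table with no matching rule is treated as Deny. The application suites, the server name sgd.example.com and the sample addresses are constructed. The last function covers the spoofing worry raised about mod_auth_ip and the reverse-proxy idea: an X-Forwarded-For header is only honoured when the TCP peer is a proxy you run, otherwise the peer address itself is used.

```python
"""IP-gated webtop selection, modelled on the two-person-object scheme.

Assumptions (not from SGD documentation): connection rules are matched top
to bottom and the first match wins; a client pattern is an exact address, a
CIDR prefix, or '*'.  Suites, hostnames and addresses are constructed data.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ConnectionRule:
    client: str      # exact IP, CIDR prefix, or '*'
    server: str      # SGD server host pattern, or '*'
    conn_type: str   # e.g. 'SSL', 'Standard', or 'Deny'


def _client_matches(pattern: str, client_ip: str) -> bool:
    if pattern == "*":
        return True
    addr = ipaddress.ip_address(client_ip)
    # A bare address parses as a /32 (or /128) network, so one code path
    # handles both exact addresses and CIDR prefixes.
    return addr in ipaddress.ip_network(pattern, strict=False)


def _server_matches(pattern: str, server: str) -> bool:
    return pattern == "*" or pattern.lower() == server.lower()


def resolve_connection(rules, client_ip: str, server: str) -> str:
    """Return the connection type of the first matching rule.

    Falls back to 'Deny' when nothing matches, so an incomplete table
    fails closed rather than open.
    """
    for rule in rules:
        if _client_matches(rule.client, client_ip) and _server_matches(rule.server, server):
            return rule.conn_type
    return "Deny"


# The "home" person object's connection rules, as in the table above.
HOME_RULES = [
    ConnectionRule("172.16.0.100", "*", "SSL"),
    ConnectionRule("*", "*", "Deny"),
]

# Application suites per person object (constructed sample data).
FULL_SUITE = ("Terminal", "Finance", "HR", "Mail")
ROAMING_SUITE = ("Mail",)


def webtop_for(client_ip: str, server: str = "sgd.example.com") -> tuple[str, tuple[str, ...]]:
    """Pick the person object a login from client_ip may use.

    The 'home' object is usable only where its rules permit a connection;
    elsewhere the user falls back to the 'roaming' object, which has no
    rules (any address) and the smaller suite.
    """
    if resolve_connection(HOME_RULES, client_ip, server) != "Deny":
        return "home", FULL_SUITE
    return "roaming", ROAMING_SUITE


def effective_client_ip(peer_ip: str, forwarded_for: str | None, trusted_proxies: set[str]) -> str:
    """Decide which address the rules are applied to.

    X-Forwarded-For is attacker-controlled unless the TCP peer is a proxy
    we run, so a header from an unknown peer is ignored.  When the peer is
    trusted, use the last hop (the one our proxy appended), never the first.
    """
    if peer_ip in trusted_proxies and forwarded_for:
        hops = [h.strip() for h in forwarded_for.split(",") if h.strip()]
        if hops:
            return hops[-1]
    return peer_ip


if __name__ == "__main__":
    for ip in ("172.16.0.100", "203.0.113.7"):
        print(ip, "->", webtop_for(ip))
```

The fail-closed default in resolve_connection is the part worth keeping even if the rest is thrown away: the table above only works because its last row is an explicit "* * Deny", and a table that forgets that row should still not hand out the full suite to an unknown address.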