a) Create two user accounts and tell the users to use different accounts
b) Create two user accounts and use a login module to log on the user with one of those based on IP-address (mod_auth_ip, allow/deny-rules, etc)
c) Use Directory Services Integration (I don't see an option here either, since the IP-address must be used to differentiate)
d) Brute force, changing the webtop.jsp
e) reverse-proxy
I can think of many problems with these options.
a and b are difficult since my client has an LDAP for authentication where only a single account is available per user
d can be a solution:
- Integration mode must be disabled
- Changes must be made to launcher.jsp as well
- Changing the expect script might be an option (based on TTA_CLIENT_IPADDR)
e will be difficult when firewall-forwarding is enabled, which does not like reverse-proxies
The brute force option is probably the way to go and I will give more thought to that one to see if there are more issues than I already mentioned.
- Remold | Everett
At 20:46 19-7-2007, you wrote:
We have the same request from customers. We think of two solutions:
1) changing in the webtop.jsp Page
2) changing in the login script (unix.exp)
To filter applications, they must be named by Internal-<application>, Extern-<application>.
If more is needed, let me know.
TAB
Rick Butland schrieb:
I can only think of one "solution" to this, that's to use two different sets of credentials, (or at least, two different person objects) - one with full access to applications (for "home" use), and one with restricted access ("roaming" use), and use IP address filtering to prevent the user from logging on with his "home" credentials from other than a known address.
So, for the "home" user, you'd have a person object with "Links" that contain the full suite of applications, and connection rules like:
Client          Server   Connection Type
172.16.0.100    *        SSL
*               *        Deny
This user then could only login from a known location using these credentials. Outside of that location, they'd have to use an alternate "roaming" Person Object, (possibly mapped to the same uid, assuming you're using Unix credentials for SGD login, but with some other unambiguous data, like "CN="), with a more limited suite of applications. No connection rules are necessary.
Of course, this lacks transparency to the end user, and to the administrator.
If you front-ended this with a webserver authentication module, so that the ENS/LDAP lookup phase would be set to the "right" ID based on client IP address, this would be more transparent. You might have a look at http://www.troppoavanti.it/software/apache/mod_auth_ip/ - but personally I haven't tried this. It would seem you could use the AuthenticateIP directive to set the username to a specific username when coming from a specific IP address - but this approach frightens me in that it basically allows anyone with that (possibly spoofed) IP address to bypass authentication (if I understand the mod_auth_ip module correctly.)
Outside of using mod_auth_ip, Apache provides for IP-based access controls, using the Allow/Deny directives. You can establish more than one set of access control for a directory using the "Satisfy" directive, and they can also overlap.
Alternatively, I'm wondering if there may be a way to abuse the Directory Services Integration facility to do this? But so far, nothing comes to mind.
There's also a brute-force method - modify the webtop.jsp to not display certain applications, for certain users and certain IP addresses, but this doesn't really seem like a very good approach at all, and wouldn't work with integrated mode.
A reverse-proxy that can do URL rewrites might be an approach as well.
I dunno, most of these latter mechanisms seem convoluted to me, would have to think more about this. Meanwhile, hope this helps,
Rick
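As an added illustration (not part of Rick's mail or the list), the Apache 2.2 Allow/Deny and Satisfy combination he describes, with the weak setting next to the stronger one; the /sgd locations, the htpasswd path and the Basic auth setup are assumptions, while 172.16.0.100 is the address from the connection rule above.

```apache
# Apache 2.2 syntax (Allow/Deny/Satisfy; 2.4 folded these into Require).
# Assumed: /sgd* are the SGD webtop locations and
# /etc/apache2/sgd.htpasswd holds the users.

# Weak: "Satisfy any" grants access if EITHER the client address matches
# OR a valid login is given. Anyone arriving with (or spoofing) the
# trusted address never has to present credentials at all.
<Location /sgd>
    Order Deny,Allow
    Deny from all
    Allow from 172.16.0.100
    AuthType Basic
    AuthName "SGD"
    AuthUserFile /etc/apache2/sgd.htpasswd
    Require valid-user
    Satisfy any
</Location>

# Stronger: "Satisfy all" requires BOTH the known address AND a valid
# login for the full webtop. A second location serves the restricted
# "roaming" webtop from any address, still behind a login, so the IP
# address only ever narrows access and never replaces authentication.
<Location /sgd-full>
    Order Deny,Allow
    Deny from all
    Allow from 172.16.0.100
    AuthType Basic
    AuthName "SGD full"
    AuthUserFile /etc/apache2/sgd.htpasswd
    Require valid-user
    Satisfy all
</Location>

<Location /sgd-roaming>
    AuthType Basic
    AuthName "SGD roaming"
    AuthUserFile /etc/apache2/sgd.htpasswd
    Require valid-user
</Location>
```

Where a reverse proxy sits in front of Apache, the address Allow sees is the proxy's, so the rule must be evaluated where the real client address is known.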
Remold Krol | Everett wrote:
Hiya all,
Does anyone have an idea to make the following possible:
When a user logs on to SSGD from a known IP-address (for example his home IP-address) he/she should see all applications within SSGD.
When the same user logs on via an unknown IP-address (for example an internet cafe) he/she should see only a subset of the applications within SSGD.
The only solution I can think of is to set up 2 separate SSGD servers. By using a network device (like a level-4 switch) to direct the user to one or the other SSGD server to create one single URL for both SSGD servers.
Regards,
Remold | Everett
_______________________________________________
SGD-Users mailing list
[email protected]
http://www.filibeto.org/mailman/listinfo/sgd-users
--
ToolBox Solution GmbH
CEO/CTO Tillmann A. Basien
Balinger Straße 37A
D-70567 Stuttgart
Fon: +49 (0) 711 71 68 631
Hy : +49 (0) 173 87 38 987
Fax: +49 (0) 711 45 70 899
** Sun Microsystems OEM Partner **
mailto:[EMAIL PROTECTED] / http://www.tbsol.de HRB: 23711
