Dear Devin,
On Wednesday 12 November 2008, Devin Bougie wrote:
> Hi, All. Surely I'm missing something simple, but I have not been
> able to get the firewall-like role definition to work properly with
> remote_host. As a workaround we're using remote_ip instead of
> remote_host, but that would require us to create a rule for each of
> our subnets. For example, none of the following seem to be working:
> allow remote_host /.*.lns.cornell.edu/
> allow remote_host /.*\.lns\.cornell\.edu/
> allow remote_host "lnx100.lns.cornell.edu"
The remote_host information is read directly from the Apache environment. By
default the Apache configuration has HostnameLookups turned off in order to
reduce latency. However, if you set in your Apache configuration files:
| HostnameLookups On
the above FireRole rules will become valid. In any case, in general it might be
better to create rules based on IP address, as you're already doing, since you
can use network mask syntax and your Apache server will avoid a DNS lookup at
every connection.
> While on the topic, is there a simple way to create a rule that would
> match every user who is authenticated using an external authentication
> system (in our case, "external_auth_classe")?
Just create a rule like:
| allow login_method "external_auth_classe"
As a hint, note that you can create rules based on all the keys you'll find if
you log into your installation of Invenio and go to:
<.../youraccount/edit?ln=en&verbose=9>
The "verbose=9" URL attribute will disclose the available information. All the
keys in bold under "Your Settings" are eligible for building a FireRole rule.
Best regards,
Samuele
--
.O.
..O
OOO
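
An added example, not part of the original message and not Invenio's FireRole code: a small stand-in rule check showing why remote_host rules never match while HostnameLookups is Off, and how hostname patterns compare with a network-mask rule. The function name, the search-style regex matching, the anchored pattern and all addresses and the look-alike hostname are assumptions constructed for illustration.

```python
import ipaddress
import re

# Constructed stand-in for a firewall-like rule check (assumption: regex rules
# use search semantics). This is not Invenio's FireRole implementation.
def rule_matches(field, kind, pattern, user_info):
    value = user_info.get(field, "")
    if not value:
        # With HostnameLookups Off, Apache supplies no hostname, so every
        # remote_host rule fails regardless of how the pattern is written.
        return False
    if kind == "regex":
        return re.search(pattern, value) is not None
    if kind == "cidr":
        return ipaddress.ip_address(value) in ipaddress.ip_network(pattern)
    return value == pattern

# The escaped regex from the question, plus an anchored variant (assumption).
ESCAPED = r".*\.lns\.cornell\.edu"
ANCHORED = r"^.*\.lns\.cornell\.edu$"
SUBNET = "192.0.2.0/24"  # constructed documentation range standing in for a subnet

# Constructed requests: lookups off, lookups on, and a look-alike reverse name.
lookups_off = {"remote_ip": "192.0.2.17"}
lookups_on = {"remote_ip": "192.0.2.17", "remote_host": "lnx100.lns.cornell.edu"}
lookalike = {"remote_ip": "198.51.100.9",
             "remote_host": "lnx100.lns.cornell.edu.example.net"}

def evaluate():
    """Return the outcome of each rule against each constructed request."""
    return {
        "host_rule_lookups_off": rule_matches("remote_host", "regex", ESCAPED, lookups_off),
        "host_rule_lookups_on": rule_matches("remote_host", "regex", ESCAPED, lookups_on),
        "ip_rule_lookups_off": rule_matches("remote_ip", "cidr", SUBNET, lookups_off),
        # An unanchored pattern also accepts a name that merely contains the domain.
        "escaped_vs_lookalike": rule_matches("remote_host", "regex", ESCAPED, lookalike),
        "anchored_vs_lookalike": rule_matches("remote_host", "regex", ANCHORED, lookalike),
        "ip_rule_vs_lookalike": rule_matches("remote_ip", "cidr", SUBNET, lookalike),
    }

if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name}: {result}")
```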