We have the same request from customers. We are thinking of two solutions:
1) changing the webtop.jsp page
2) changing the login script (unix.exp)
To filter applications, they must be named Internal-<application> or
Extern-<application>.
If more is needed, let me know.
TAB
Rick Butland wrote:
I can only think of one "solution" to this, that's to use two
different sets of credentials, (or at least, two different person
objects) - one with full access to applications (for "home" use), and
one with restricted access ("roaming" use), and use IP address
filtering to prevent the user from logging on with his "home"
credentials from other than a known address.
So, for the "home" user, you'd have a person object with "Links" that
contain the full suite of applications, and connection rules like:
Client          Server    Connection Type
172.16.0.100    *         SSL
*               *         Deny
This user then could only log in from a known location using these
credentials. Outside of that location, they'd have to use an
alternate "roaming" Person Object, (possibly mapped to the same uid,
assuming you're using Unix credentials for SGD login, but with some
other unambiguous data, like "CN="), with a more limited suite of
applications. No connection rules are necessary.
Of course, this lacks transparency to the end user, and to the
administrator.
If you front-ended this with a webserver authentication module, so
that the ENS/LDAP lookup phase would be set to the "right" ID based on
client IP address, this would be more transparent. You might have a
look at http://www.troppoavanti.it/software/apache/mod_auth_ip/ - but
personally I haven't tried this. Would seem you could use the
AuthenticateIP directive to set the username to specific username when
coming from a specific IP address - but this approach frightens me in
that it basically allows anyone with that (possibly spoofed) IP
address to bypass authentication (if I understand the mod_auth_ip
module correctly.)
Outside of using mod_auth_ip, Apache provides for IP-based access
controls, using the Allow/Deny directives. You can establish more
than one set of access control for a directory using the "Satisfy"
directive, and they can also overlap.
Alternatively, I'm wondering if there may be a way to abuse the
Directory Services Integration facility to do this? But so far,
nothing comes to mind.
There's also a brute-force method - modify the webtop.jsp to not
display certain applications, for certain users and certain IP
addresses, but this doesn't really seem like a very good approach at
all, and wouldn't work with integrated mode.
A reverse-proxy that can do URL rewrites might be an approach as well.
I dunno, most of these latter mechanisms seem convoluted to me, would
have to think more about this. Meanwhile, hope this helps,
Rick
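The two mechanisms discussed above (TAB's naming convention of Internal-/Extern- prefixes, and Rick's per-client connection-rule table with IP filtering) can be sketched as one small policy evaluator. This is an added example, not code from SGD, the webtop.jsp, unix.exp, or anyone on this thread; the home network, the application names, the rule table and the trusted-proxy list are all constructed sample data. It also includes the check Rick's spoofing worry calls for: a forwarded-for header is only honoured when the TCP peer is a known reverse proxy, otherwise the socket address is used.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# --- constructed sample data (assumptions, not from the original thread) ---
# "Known" locations from which a user gets the full application suite.
HOME_NETWORKS = [ipaddress.ip_network("172.16.0.0/24")]

# Applications named with TAB's convention: Internal-<app> / Extern-<app>.
APPLICATIONS = ["Internal-Payroll", "Internal-HR", "Extern-Mail", "Extern-Webtop"]

# Reverse proxies whose X-Forwarded-For header we are willing to trust.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]


@dataclass(frozen=True)
class Rule:
    """One row of a connection-rule table: client pattern, server pattern, type."""
    client: str      # single IP, CIDR block, or "*" for any
    server: str      # "*" for any server
    conn_type: str   # e.g. "SSL", "Standard", or "Deny"


# Rick's example table for the "home" person object, first match wins.
HOME_RULES = [Rule("172.16.0.100", "*", "SSL"), Rule("*", "*", "Deny")]


def _client_matches(pattern: str, ip: ipaddress._BaseAddress) -> bool:
    if pattern == "*":
        return True
    # strict=False lets a bare host address ("172.16.0.100") act as a /32.
    return ip in ipaddress.ip_network(pattern, strict=False)


def connection_type(rules: List[Rule], client_ip: str, server: str = "*") -> str:
    """Return the connection type of the first matching rule; no match means Deny."""
    ip = ipaddress.ip_address(client_ip)
    for rule in rules:
        if _client_matches(rule.client, ip) and rule.server in ("*", server):
            return rule.conn_type
    return "Deny"  # assumption: default deny when the table is silent


def effective_client_ip(remote_addr: str, forwarded_for: Optional[str]) -> str:
    """Only trust X-Forwarded-For when the TCP peer is one of our own proxies.

    A client can send any X-Forwarded-For value it likes; honouring it from an
    arbitrary peer would let a roaming user claim a "home" address.
    """
    peer = ipaddress.ip_address(remote_addr)
    if forwarded_for and any(peer in net for net in TRUSTED_PROXIES):
        # Header may hold a chain "client, proxy1, proxy2"; first hop is the client.
        return forwarded_for.split(",")[0].strip()
    return remote_addr


def is_known_location(client_ip: str) -> bool:
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in HOME_NETWORKS)


def visible_applications(apps: List[str], client_ip: str) -> List[str]:
    """Full suite from a known address, only Extern-* applications elsewhere."""
    if is_known_location(client_ip):
        return list(apps)
    return [app for app in apps if app.startswith("Extern-")]


if __name__ == "__main__":
    for peer, xff in [("172.16.0.100", None), ("203.0.113.7", "172.16.0.100"),
                      ("10.0.0.5", "203.0.113.7")]:
        ip = effective_client_ip(peer, xff)
        print(peer, xff, "->", ip, connection_type(HOME_RULES, ip),
              visible_applications(APPLICATIONS, ip))
```

The second loop case shows the spoofing point: a peer at 203.0.113.7 presenting "X-Forwarded-For: 172.16.0.100" still evaluates as 203.0.113.7, is denied by the home rule table, and sees only the Extern- applications.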
Remold Krol | Everett wrote:
Hiya all,
Does anyone have an idea how to make the following possible:
When a user logs on to SSGD from a known IP address (for example his
home IP address) he/she should see all applications within SSGD.
When the same user logs on via an unknown IP address (for example an
internet cafe) he/she should see only a subset of the applications
within SSGD.
The only solution I can think of is to set up 2 separate SSGD servers,
using a network device (like a level-4 switch) to direct the user
to one or the other SSGD server, so that there is one single URL for both
SSGD servers.
Regards,
Remold | Everett
_______________________________________________
SGD-Users mailing list
[email protected]
http://www.filibeto.org/mailman/listinfo/sgd-users
--
*ToolBox Solution GmbH*
CEO/CTO Tillmann A. Basien
Balinger Straße 37A
D-70567 Stuttgart
Fon: +49 (0) 711 71 68 631
Hy : +49 (0) 173 87 38 987
Fax: +49 (0) 711 45 70 899
*** Sun Microsystems OEM Partner ***
mailto:[EMAIL PROTECTED] / http://www.tbsol.de
HRB: 23711