[Deploying Sakai] means of limiting access (logins) to sakai development instances

David Adams da1 at vt.edu
Fri Apr 19 08:20:28 PDT 2013


Right, I think this is the important part. Any code you add to restrict
user access means you aren't testing the production user authorization code
fully. IP restrictions (at some layer other than your normal application
server and front end) are one tool to consider. I also recommend auditing
the actual logins in some way and comparing them to a whitelist. It would
be pretty simple to create a cron job to look up recent logins by user ID
and alert the appropriate people when a non-whitelisted login occurs, and
then run it as often as you feel necessary.

We have added special logging to the login code that routes to a separate
log file, which then makes it extremely easy to grep out the login IDs and
ensure only people we know are logging into the system. Whether this kind of
post-hoc monitoring is good enough depends on how serious of a problem it
would be for you if someone who happened across the dev server were to poke
around for a few minutes. For us, that's something that we would want to
know about and address, but the possible consequences are minor, and it
hasn't actually ever happened. We still keep an eye out, but don't take
drastic measures.

David Adams
Director, Systems Integration and Support
Virginia Tech Learning Technologies


On Thu, Apr 18, 2013 at 7:37 PM, Steve Swinsburg
<steve.swinsburg at gmail.com> wrote:

> We just used IP restrictions, locking down access to the dev box to the
> applicable subnets. That way the code and config for the LDAP provider
> between dev and prod doesn't need to be any different.
>
>
> On Fri, Apr 19, 2013 at 12:18 AM, Hardy, Henry E. <Henry.Hardy at tufts.edu> wrote:
>
>> We would like to limit access to some of our development sakai instances
>> and we would like to know how you all might have accomplished this, for
>> instance using LDAP or other means.
>>
>> --HH
>>
>> Henry Edward Hardy
>> Senior Systems Administrator
>> Tufts Technology Services (TTS)
>> 169 Holland Street
>> Somerville, MA 02144
>> Tufts University
>> +1-617-627-3068
>> it.tufts.edu
>> _______________________________________________
>> production mailing list
>> production at collab.sakaiproject.org
>> http://collab.sakaiproject.org/mailman/listinfo/production
>>
>> TO UNSUBSCRIBE: send email to
>> production-unsubscribe at collab.sakaiproject.org with a subject of
>> "unsubscribe"
>>
>
>
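
The login audit described in the message above (a cron job that compares recent login IDs against a whitelist and alerts on anything else), as an added example that is not code from this thread or from Sakai. The log line format, the `eid=` field name and the file paths are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed log format (an assumption, not Sakai's real output):
#   2013-04-19T08:01:12 LOGIN eid=jdoe ip=10.1.2.3

# unlisted_logins LOG ALLOWLIST [SKIP]
# Print each distinct login ID found after the first SKIP lines of LOG that
# is not in ALLOWLIST (one ID per line, '#' starts a comment).
unlisted_logins() {
    # Fail closed: an unreadable log or empty allowlist must not look "clean".
    [ -r "$1" ] && [ -s "$2" ] || return 2
    awk -v skip="${3:-0}" '
        FILENAME == ARGV[1] {            # first operand: the allowlist
            sub(/#.*/, ""); gsub(/[ \t\r]/, "")
            if ($0 != "") ok[$0] = 1
            next
        }
        FNR > skip && $2 == "LOGIN" {
            for (i = 3; i <= NF; i++)
                if ($i ~ /^eid=/) {
                    id = substr($i, 5)
                    if (!(id in ok) && !(id in seen)) { seen[id] = 1; print id }
                }
        }
    ' "$2" "$1"
}

# audit_logins LOG ALLOWLIST STATE
# Audit only lines added since the last run (STATE stores the line count).
# Returns 0 if clean, 1 if an unlisted login was found, 2 if it cannot audit.
audit_logins() {
    [ -r "$1" ] || return 2
    total=$(($(wc -l < "$1")))
    seen=$(cat "$3" 2>/dev/null) || seen=0
    [ "$seen" -le "$total" ] 2>/dev/null || seen=0   # rotated log or bad state
    found=$(unlisted_logins "$1" "$2" "$seen") || return 2
    echo "$total" > "$3"
    [ -z "$found" ] && return 0
    echo "Non-allowlisted logins in $1:"
    echo "$found"
    return 1
}

# Run from cron, which mails any output to MAILTO (path is a placeholder):
#   */15 * * * * /usr/local/bin/login-audit.sh LOG ALLOWLIST STATE
if [ $# -eq 3 ]; then
    audit_logins "$@"
    exit $?
fi
```

Because the job prints nothing when every login is on the list, cron only sends mail when there is something to look at, or when the audit itself could not run.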