At this time, anonymous queries are allowed against the EECS LDAP directory, but searches are restricted to no more than 100 results. Unfortunately this configuration still allows an anonymous query to retrieve some details about a specific person, such as their email address, phone number or advisor. To mitigate this, after April 1 only authenticated queries will be allowed when coming from an off-campus IP address. For the purposes of this change, “off-campus” means an IP not in any of the following ranges:
- 128.32.0.0/16
- 169.229.0.0/16
- 136.152.0.0/16
- 172.16.0.0/16
- 10.16.0.0/16
Those who need continued anonymous access to the directory from off-campus can use the [campus VPN](http://ist.berkeley.edu/node/591), which will give their off-campus machine a campus IP address. Those who need to run queries that return unlimited results can bind to the directory using their EECS credentials, or an “application” account can be created if needed.
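The policy described above, expressed as an added slapd.conf-style example (this is illustrative, not the EECS configuration; the base DN `ou=People,dc=eecs,dc=berkeley,dc=edu` is assumed):

```text
# Added example, not the EECS configuration. Base DN is assumed.

# Anonymous searches are capped at 100 entries; authenticated binds are not.
limits anonymous size=100
limits users size=unlimited

# Campus ranges from the announcement. peername.ip takes a dotted mask,
# so /16 is written as %255.255.0.0. The first matching "by" clause wins.
# Caveat: peername.ip is the TCP peer address, so behind haproxy it will
# be the proxy's address, not the client's, and these clauses will not
# distinguish on-campus from off-campus clients.
access to dn.subtree="ou=People,dc=eecs,dc=berkeley,dc=edu"
    by peername.ip=128.32.0.0%255.255.0.0 read
    by peername.ip=169.229.0.0%255.255.0.0 read
    by peername.ip=136.152.0.0%255.255.0.0 read
    by peername.ip=172.16.0.0%255.255.0.0 read
    by peername.ip=10.16.0.0%255.255.0.0 read
    by users read
    by anonymous auth
    by * none
```

Off-campus anonymous clients are left with `auth` only, which is enough to bind with EECS credentials but not to read entries.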
We expect this change will affect a small number of people, but if you have any concerns or questions please contact the IRIS helpdesk at help@eecs.berkeley.edu.
UPDATE
[2014-08-07 15:37:09 | Rob McNicholas]
Our initial plan to restrict LDAP access ran into some problems and has been rescheduled. We hope to revisit this issue in September, 2014.
Our use of haproxy prevents the OpenLDAP nodes from seeing the IP address of the clients, which prevents us from using OpenLDAP-based ACLs. We are upgrading the operating system and haproxy software and deploying new haproxy nodes, which we hope will allow us to work around this limitation.
Resolved as of 2014-08-07 15:31:00