
LIS-OPENATHENSLA Archives


LIS-OPENATHENSLA@JISCMAIL.AC.UK


Subject:

Re: Trouble configuring EZProxy as a service provider

From:

Jackie Skinner <[log in to unmask]>

Reply-To:

OpenAthens LA Users discussion group <[log in to unmask]>

Date:

Thu, 14 Feb 2013 13:02:51 +0000


Hi Ben,



We too would like the proxy to restrict access based on the OALA attributes for the same types of situation you describe. 



We would also like the ability to bypass the proxy when the user is on campus (a facility available in EZproxy but not in OALA). This would enable 'walk-in' use of resources for users who are granted an IT account, e.g. Academic Visitors to Departments. Then if the proxy was using the OALA attributes it would block off-campus access for these users, thus fulfilling our licence conditions.



Best wishes,

 

Jackie



Jackie Skinner

Library Web Manager and Digital Development Co-ordinator

Food and Nutritional Sciences Liaison Librarian

University of Reading Library

Whiteknights

PO Box 223

Reading RG6 6AE

www.reading.ac.uk/library    



-----Original Message-----

From: OpenAthens LA Users discussion group [mailto:[log in to unmask]] On Behalf Of Elwell, Ben

Sent: 14 February 2013 12:24

To: [log in to unmask]

Subject: Re: Trouble configuring EZProxy as a service provider



Hi Andy,



We have a large range of user accounts in AD/LDAP - as well as the full staff and student accounts, we have other types assigned to people who may not be full students (e.g. certain courses delivered by partner institutions etc). Some of these accounts are set to only allow access to some of our IT facilities, but not access to electronic resources (this is set via an LDAP attribute that OALA picks up, and then does not release any attributes for this user).

If OALA does not even release the "member" attribute for a user, they should not get access to any resources via Shib, so we would expect that the proxy would also deny them access.



I think this is the minimum basic requirement.



Beyond that, although we don't use it yet it would be good to use other attributes released to limit the use of certain resources through the proxy - e.g. limit some resources to staff only.

There are other issues with very restrictive licences on some resources (especially legal databases such as Lexis) so access may need to be restricted here too, especially for institutions that set up accounts for walk-in users.



These are just a couple of examples - maybe other people on the list might like to highlight some other situations that I have missed, but being able to restrict access for each resource through the proxy based on the attributes released by OALA would cover most uses that I can think of.



Regards

Ben



-----Original Message-----

From: OpenAthens LA Users discussion group [mailto:[log in to unmask]] On Behalf Of Andy Anderson

Sent: 14 February 2013 11:06

To: [log in to unmask]

Subject: Re: Trouble configuring EZProxy as a service provider



It's a basic proxy and there's no fine grained authorisation on the proxy side. Yet.



To get the basics up there we made what seemed a reasonable compromise that if a user has access to *log in* to systems on-campus and access those resources from there, then the same from off-campus would probably be ok for most purposes. 



So we can understand things better...



What are the scenarios where you're finding you need to restrict access to a proxied resource to certain users? 

What kind of proxying is involved where restrictions are needed (I'd guess it's going to be the ones with shared UN/PW access rather than IP)? 

Why aren't the resources that want or need fine grained access implementing systems that facilitate it? 



Many thanks,



Andy Anderson

Training Manager/Software QA Analyst



Eduserv



[log in to unmask] | +44 (0) 1225 474 303 | www.eduserv.org.uk | http://www.twitter.com/OpenAthensAndy | http://blog.eduserv.org.uk



Eduserv is a company limited by guarantee (registered in England & Wales, company number: 3763109) and a charity (charity number 1079456), whose registered office is at Royal Mead, Railway Place, Bath, BA1 1SR.

> -----Original Message-----

> From: OpenAthens LA Users discussion group [mailto:LIS- 

> [log in to unmask]] On Behalf Of Elwell, Ben

> Sent: 14 February 2013 10:13

> To: [log in to unmask]

> Subject: Re: Trouble configuring EZProxy as a service provider

> 

> Hi Julie,

> 

> We did set up the OALA proxy initially to test it. I don't remember it 

> being too tricky (although I should point out I didn't do most of the 

> work!) - most of the steps are the same as setting up EZProxy. We used 

> a separate runtime and proxy server, so if you can get the runtime server working you can probably get the proxy working too.

> Most of the work was in getting the wildcard certificate correct.

> 

> Being a very new product, I did find that it has fewer features than 

> EZProxy in some areas. Oddly, for a product so integrated into an 

> authentication system, it seemed to be lacking any authentication 

> control. It allowed any valid user account to use the proxy, even if 

> OALA is set to release no attributes at all for that account. This was 

> in 2.2 - I don't know whether this has changed for 2.2.1.

> 

> Regards

> Ben

> 

> -----Original Message-----

> From: OpenAthens LA Users discussion group [mailto:LIS- 

> [log in to unmask]] On Behalf Of Julie Cairney

> Sent: 14 February 2013 09:34

> To: [log in to unmask]

> Subject: Re: Trouble configuring EZProxy as a service provider

> 

> Hi,

> We are just starting the process of moving from OAMD to OALA and don't 

> have ezproxy. As OALA now has an integrated proxy, is it troublesome 

> to configure and get working?

> Thanks,

> Julie
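
The access policy the thread asks for (deny when no attribute is released, per-resource attribute rules, on-campus walk-in use) can be sketched as a fail-closed check. This is an added example, not OALA or EZproxy code or configuration; the resource names, the `affiliation` attribute key, the rule table and the campus address range are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed campus range (documentation network), an assumption for the example.
CAMPUS_NETS = [ipaddress.ip_network("192.0.2.0/24")]

@dataclass(frozen=True)
class ResourceRule:
    required: frozenset    # released affiliation values, any one of which grants access
    walk_in_allowed: bool  # licence permits on-campus use by any valid IT account

# Hypothetical per-resource rules mirroring the cases raised in the thread.
RULES = {
    "journals": ResourceRule(frozenset({"member"}), True),
    "staff-db": ResourceRule(frozenset({"staff"}), False),   # staff only
    "legal-db": ResourceRule(frozenset({"member"}), False),  # restrictive licence
}

def on_campus(client_ip):
    """True only if the address parses and falls inside a campus network."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # an unparseable address is treated as off campus
    return any(addr in net for net in CAMPUS_NETS)

def authorise(resource, client_ip, authenticated, released):
    """Decide a proxy request; returns (allowed, reason). Denies by default."""
    rule = RULES.get(resource)
    if rule is None:
        return (False, "unknown resource")
    if not authenticated:
        return (False, "not authenticated")
    # A valid login alone is not enough: an attribute must have been released.
    affiliations = set(released.get("affiliation", []))
    if affiliations & rule.required:
        return (True, "released attribute matches resource rule")
    # Walk-in use: an account with no released attributes, but only on campus
    # and only where the resource's licence allows it.
    if rule.walk_in_allowed and on_campus(client_ip):
        return (True, "on-campus walk-in")
    return (False, "no released attribute permits this resource")
```

The default branch is the deny, so an account for which nothing is released gets no off-campus access even though its login succeeded.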
