The directory will no longer be world-readable. Instead, ACIs will
limit users' ability to read to only the subtree in which they are
enrolled. LDAP operations will require an authenticated bind.
When updating IPA, schema changes need to be applied to each of the
tenant trees.
API
Each of the RPCs needs to allow an optional "tenant" parameter.
Members of the original domain with an appropriate Permission will
be able to perform operations inside the tenant specified.
Some configuration changes will need to be made around a number of the
Directory Server plug-ins with regard to scope. We will likely need
separate configuration entries to restrict the plug-ins to each tenant
subtree. This includes the following plug-ins (and maybe others as well):
- memberOf
- DNA
- Managed Entries
- Auto-Membership
- Attribute Uniqueness
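As an added illustration (not from this thread or the FreeIPA project), the LDIF below sketches the changes the design describes: refusing anonymous binds, scoping read access to one tenant subtree with an ACI, and confining two of the plug-ins listed above (memberOf and DNA) to that subtree. The tenant DN layout, the tenant name and the ID range are assumptions.

```ldif
# Constructed example, not from the thread or the FreeIPA code base.
# Assumed layout: main domain dc=example,dc=com; each tenant lives in its
# own subtree such as dc=tenant1,cn=tenants,dc=example,dc=com, which
# mirrors the cn=accounts/cn=users layout of the top-level tree.

# 1. Require an authenticated bind: anonymous reads are refused globally.
#    (IPA's default "Enable Anonymous access" ACI on the suffix must also
#    be removed; its exact value is version-specific, so it is omitted.)
dn: cn=config
changetype: modify
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: off

# 2. Scope reads to the tenant. Placed on the tenant root, the ACI applies
#    to that subtree only; only accounts enrolled in tenant1 may read it,
#    and credential attributes stay hidden even from them.
dn: dc=tenant1,cn=tenants,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr != "userPassword || krbPrincipalKey")(version 3.0;
  acl "tenant1 members may read tenant1";
  allow (read, search, compare)
  userdn = "ldap:///uid=*,cn=users,cn=accounts,dc=tenant1,cn=tenants,dc=example,dc=com";)

# 3. memberOf: memberOfEntryScope (multi-valued) confines the plug-in to
#    the listed subtrees, so group membership never crosses tenants.
dn: cn=MemberOf Plugin,cn=plugins,cn=config
changetype: modify
add: memberOfEntryScope
memberOfEntryScope: dc=tenant1,cn=tenants,dc=example,dc=com

# 4. DNA: a separate range entry per tenant, modelled on IPA's
#    "cn=Posix IDs" entry, with dnaScope limited to the tenant subtree so
#    its uidNumber/gidNumber values come from a non-overlapping range.
#    (dnaSharedCfgDN, needed to share the range across replicas, is left out.)
dn: cn=tenant1 Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
changetype: add
objectclass: top
objectclass: extensibleObject
cn: tenant1 Posix IDs
dnaType: uidNumber
dnaType: gidNumber
dnaNextValue: 2000000001
dnaMaxValue: 2000099999
dnaMagicRegen: -1
dnaFilter: (|(objectClass=posixAccount)(objectClass=posixGroup))
dnaScope: dc=tenant1,cn=tenants,dc=example,dc=com
```

Because 389-ds denies anything no ACI allows, dropping the suffix-level anonymous ACI leaves only tenant members and the original domain's permission-holding accounts able to read the tenant tree; each additional tenant gets its own ACI, memberOfEntryScope value and DNA entry.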
Thanks. Created a Wiki page with the document contents, and added your
input here:
http://freeipa.org/page/Multitenancy
http://freeipa.org/page/Multitenancy#Directory_Server_Plugins
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel