Simo Sorce wrote:
On Wed, 2011-09-14 at 15:08 -0400, Simo Sorce wrote:
On Wed, 2011-09-14 at 11:36 -0400, Dmitri Pal wrote:
Can FreeIPA accommodate a multi-tenant environment? i.e. I work for
a managed service provider that currently uses LDAP for authentication
for both our users and our customers' users. But Customer A cannot
see Customer B's data due to access control on our directory. Each
customer has at least one LDAP service account in their container in
the tree that can only view that customer's container and my company
container.

At the moment we do not have the ability to move accounts into sub
containers. It is a feature we may want to implement in future, but we
kept the tree intentionally flat to avoid misuse we've seen as quite
common in products like AD.

Would we have to do something like create realms for each customer?
Then configure trusts from customer realm to ours?

EXAMPLE.COM - our realm
CUSTOMERA.EXAMPLE.COM - customer a realm
... so on

This may work once IPA v3 is out. Building multiple realms (in multiple
servers/VMs) is possible but trust relationship management is not fully
baked in yet.

What about data within the directory?  Currently our DIT is like:

o=MyCompany,dc=example,dc=com
o=CustomerA,dc=example,dc=com

If you create multiple realms you'll have to do it with multiple servers
with current IPA.

Would separating by realms automatically divide that up? Also, would
Customer A be able to see any Customer B users using multiple
realms alone, or would we have to take additional precautions?

In general ACIs can be used to limit who sees what.
It may be possible to use the current flat view on the server and
constrain access to specific users/groups using a bit of custom schema
in order to "label" entries, and custom ACIs.
Of course you would want to turn off anonymous access to the directory
and encrypt all traffic with SSL or GSSAPI at that point.

Replying to myself, custom schema may not be necessary. It may be
possible to use just ACIs and non-posix groups together w/o adding
additional schema, that would make the problem simpler, although ACIs
need to be built carefully not to cripple the admins view.

Simo.


The management framework only supports a single realm as well, even if you could manage to insert the data.

rob
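As an added illustration of the approach Simo sketches (label tenants with a non-POSIX group, constrain visibility with ACIs, and shut off anonymous reads), here is constructed LDIF that is not from the thread or the FreeIPA project; the tenant and group names, the service account, and the assumption that the memberOf plugin keeps memberOf populated on user entries are all assumptions.

```ldif
# Constructed example: the "label" is plain group membership, so no custom
# schema is needed. Assumes FreeIPA's memberOf plugin maintains memberOf on
# user entries (it does by default) and that the directory is reached only
# over LDAPS or GSSAPI-protected connections.

# 1. Refuse anonymous searches; only the rootDSE stays readable so clients
#    can still discover supported SASL mechanisms and controls.
dn: cn=config
changetype: modify
replace: nsslapd-allowanonymousaccess
nsslapd-allowanonymousaccess: rootdse

# 2. Tenant label group, created as a non-POSIX group with the IPA CLI
#    (shown as comments; these are assumed names):
#      ipa group-add --nonposix customera --desc="Tenant label: Customer A"
#      ipa group-add-member customera --users=svc-customera
#    svc-customera is the account Customer A's systems bind as.

# 3. Members of the label group may read only user entries that carry the
#    same label. Password and Kerberos key attributes are excluded from the
#    grant. This is an *allow* rule: it adds no visibility beyond what the
#    tenant group already has, so it only restricts once the stock
#    suffix-wide read ACIs have been removed or narrowed.
dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr != "userPassword || krbPrincipalKey")(targetfilter = "(memberOf=cn=customera,cn=groups,cn=accounts,dc=example,dc=com)")(version 3.0; acl "Customer A sees only Customer A users"; allow (read, search, compare) groupdn = "ldap:///cn=customera,cn=groups,cn=accounts,dc=example,dc=com";)

# 4. The provider's admins keep the full view; this is the rule that guards
#    against "crippling the admin view" when the broad read ACIs go away.
aci: (targetattr = "*")(version 3.0; acl "Provider admins read all users"; allow (read, search, compare) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=example,dc=com";)
```

Apply with `ldapmodify` as Directory Manager, then verify from each side: bind as svc-customera and search `cn=users,cn=accounts,dc=example,dc=com` for `(uid=*)` and confirm only Customer A users come back, and repeat with an admin bind to confirm the full list is still visible.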

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users