Thanks all for your quick replies. My case is a bit of a corner case anyway so I was not expecting to have a perfect solution. Having tested out freeipa a few times in the last couple years it is certainly impressive the progress that has been made.
I think for now I am going to continue using LDAP as we are and re-evaluate adding Kerberos later or at most selectively enable it for our admin users in the short term. :)

Regards,
-Alan

On Wed, Sep 14, 2011 at 3:22 PM, Simo Sorce <s...@redhat.com> wrote:
> On Wed, 2011-09-14 at 15:19 -0400, Rob Crittenden wrote:
>> Simo Sorce wrote:
>> > On Wed, 2011-09-14 at 15:08 -0400, Simo Sorce wrote:
>> >> On Wed, 2011-09-14 at 11:36 -0400, Dmitri Pal wrote:
>> >>> Can Freeipa accommodate a multi-tenant environment? i.e. I work for
>> >>> a managed service provider that currently uses LDAP for authentication
>> >>> for both our users and our customer's users. But Customer A cannot
>> >>> see Customer B's data due to access control on our directory. Each
>> >>> customer has at least one LDAP service account in their container in
>> >>> the tree that can only view that customer's container and my company
>> >>> container.
>> >>
>> >> At the moment we do not have the ability to move accounts into sub
>> >> containers. It is a feature we may want to implement in future, but we
>> >> kept the tree intentionally flat to avoid misuse we've seen as quite
>> >> common in products like AD.
>> >>
>> >>> Would we have to do something like create realms for each customer?
>> >>> Then configure trusts from customer realm to ours?
>> >>>
>> >>> EXAMPLE.COM - our realm
>> >>> CUSTOMERA.EXAMPLE.COM - customer a realm
>> >>> ... so on
>> >>
>> >> This may work once ipa v3 is out. Building multiple realms (in multiple
>> >> servers/VMs) is possible but trust relationship management is not fully
>> >> baked in yet.
>> >>
>> >>> What about data within the directory? Currently our DIT is like:
>> >>>
>> >>> o=MyCompany,dc=example,dc=com
>> >>> o=CustomerA,dc=excample,dc=com
>> >>
>> >> If you create multiple realms you'll have to do it with multiple servers
>> >> with current IPA.
>> >>
>> >>> Would separating by realms automatically divide that up? What about
>> >>> would Customer A be able to see any Customer B users using multiple
>> >>> realms alone or would we have to take additional precautions?
>> >>
>> >> In general ACIs can be used to limit who sees what.
>> >> It may be possible to use the current flat view on the server and
>> >> constrain access to specific users/groups using a bit of custom schema
>> >> in order to "label" entries, and custom ACIs.
>> >> Of course you would want to turn off anonymous access to the directory
>> >> and encrypt all traffic with SSL or GSSAPI at that point.
>> >
>> > Replying to myself, custom schema may not be necessary. It may be
>> > possible to use just ACIs and non-posix groups together w/o adding
>> > additional schema, that would make the problem simpler, although ACIs
>> > need to be built carefully not to cripple the admins view.
>> >
>> > Simo.
>> >
>>
>> The management framework only supports a single realm as well, even if
>> you could manage to insert the data.
>
> The ACIs solution would work with a single-realm model ... except that
> it also means each customer needs to do very careful access control when
> using kerberos for now, as we do not have a way to constrain which users
> can get tickets for which services in the same REALM. This is something
> we want to introduce in v3.0 anyways for various reasons. So going
> forward, segmentation of users should become simpler.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
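As an added illustration of the "ACIs plus non-posix groups" approach Simo sketches in the thread (this is not code from the thread and not FreeIPA's shipped configuration), the LDIF below hardens a 389-DS/FreeIPA directory and labels tenants with groups. The suffix dc=example,dc=com, the group names customera and mycompany, and an enabled memberOf plugin are assumptions.

```ldif
# Step 1: the hardening Simo mentions. Refuse anonymous reads and require
# a minimum security strength factor so cleartext LDAP operations fail.
dn: cn=config
changetype: modify
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: off
-
replace: nsslapd-minssf
nsslapd-minssf: 128

# Step 2 (done with the IPA CLI, not LDIF): label each tenant with a
# non-POSIX group so no UID/GID ranges are consumed, for example
#   ipa group-add --nonposix customera
# The memberOf plugin maintains memberOf on every member entry, and the
# targetfilter clauses below key on that attribute (assumed group DNs).

# Step 3: per-tenant visibility. 389-DS denies anything no ACI allows, so
# these rules only isolate tenants after the suffix-wide "anyone may read"
# ACIs a default install carries have been audited and narrowed; list the
# current ones with: ldapsearch -b dc=example,dc=com -s base aci
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetfilter="(memberOf=cn=customera,cn=groups,cn=accounts,dc=example,dc=com)")(targetattr != "userPassword || krbPrincipalKey || krbMKey")(version 3.0; acl "tenant customera reads only customera entries"; allow (read,search,compare) groupdn="ldap:///cn=customera,cn=groups,cn=accounts,dc=example,dc=com";)
aci: (targetfilter="(memberOf=cn=mycompany,cn=groups,cn=accounts,dc=example,dc=com)")(targetattr != "userPassword || krbPrincipalKey || krbMKey")(version 3.0; acl "every authenticated user reads provider entries"; allow (read,search,compare) userdn="ldap:///all";)
aci: (targetattr="*")(version 3.0; acl "admins keep the full view"; allow (all) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=example,dc=com";)
# The third ACI is the "do not cripple the admins view" point from the
# thread: without it the tenant filters would also hide entries from
# admins. Note that an account placed in two tenant groups sees both
# tenants, so group membership itself must be reviewed as part of access
# control, and, as Simo says, Kerberos ticket issuance is not constrained
# by any of this.
```

Apply as Directory Manager with `ldapmodify -x -D "cn=Directory Manager" -W -f tenants.ldif`, and verify with a bind as a customera service account that a search for a mycompany user succeeds while a search for any other tenant's user returns nothing.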