Hi,

that could be one option as well, not completely ruled out. But in some cases it is a bit too much overhead though. If there are multiple small organizations with only a handful of accounts and servers, setting up a dedicated HA instance for each one doesn't feel very cost-effective as it would mean tens of those. Currently a single installation can't handle multiple realms, am I right?

-Lassi Pölönen

On 30.11.2011 21:01, Steven Jones wrote:
Hi,

I would have thought this was a case/design of separate realms.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Lassi Pölönen [lassi.polo...@iki.fi]
Sent: Thursday, 1 December 2011 12:18 a.m.
To: freeipa-users@redhat.com
Subject: [Freeipa-users] Limiting group/user visibility

Hi,

I'm looking into implementing FreeIPA in an environment where there are
multiple customers in multiple organizations and a single organization
that manages the users, sets the access rights etc.

We don't have a centralized system currently so I will be starting from
scratch in that sense. The first concern I've had so far is that we
don't want different customers to be able to find information about each
other. Currently in my test setup any user can find out every user in a
group if they know the group name and all the groups for each user if
they know the username. In some cases this might reveal information the
customer is not willing to share.

So are there ways to limit that e.g. certain hosts/hostgroups or
users/usergroups see some defined subset of the directory? Or are there
some other suggested approaches? As the current setup relies on local
authentication, users naturally are able to find users/groups only on
servers they are able to log in and that is the level of confidentiality
we are looking for if possible.


-Lassi Pölönen


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
