On 06/07/2012 09:22 PM, Cam McK wrote: > Hello > > > 2). We would also like to use FreeIPA in a trusted network but then > have perhaps a read-only slave sitting in DMZ with the possibility of > not containing the KDC or LDAP password stores on it, is this possible? > (Basically authentication being done by a different PAM module, but > pam_sss.so still allowing HBAC via the PAM 'account' directive.) > Is it possible to have a 'regular' LDAP directory (in the DMZ) just > slurping down the required LDAP info? > I suggest using an LDAP directory that can do proxy operations or proxy authentications. You might consider 389 and sync in some user accounts and groups while using pam passtrough capabilities. I think recent upstream versions of 389 made this configuration possible but you need to check with them. #389 on freenode is your best bet. Openldap has some capabilities that might be of the value here too.
I am not quite sure what you are trying to accomplish here so a bit more details would be helpful. > Many Thanks > Campbell > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users@redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/
_______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users