On 06/08/2012 11:00 AM, Nathan Kinder wrote: > On 06/08/2012 07:26 AM, Dmitri Pal wrote: >> On 06/07/2012 09:22 PM, Cam McK wrote: >>> Hello >>> >>> >>> 2). We would also like to use FreeIPA in a trusted network but then >>> have perhaps a read-only slave sitting in DMZ with the possibility >>> of not containing the KDC or LDAP password stores on it, is this >>> possible? >>> (Basically authentication being done by a different PAM module, but >>> pam_sss.so still allowing HBAC via the PAM 'account' directive.) >>> Is it possible to have a 'regular' LDAP directory (in the DMZ) just >>> slurping down the required LDAP info? >>> >> I suggest using an LDAP directory that can do proxy operations or >> proxy authentications. You might consider 389 and sync in some user >> accounts and groups while using pam passtrough capabilities. I think >> recent upstream versions of 389 made this configuration possible but >> you need to check with them. #389 on freenode is your best bet. >> Openldap has some capabilities that might be of the value here too. > 389 can consult PAM to authenticate a user when performing an LDAP > BIND operation. This would probably take care of the authentication > piece of the puzzle. > > You would also need to use fractional replication to avoid replicating > things like passwords or Kerberos related attributes to the DMZ LDAP > server. Fractional replication can only trim out specific > attributes. It does not allow you to select portions of the tree to > replicate at the entry level. This would mean that all of your user > accounts would need to be replicated out to the DMZ LDAP server, but > you could trim sensitive attributes. >> >> I am not quite sure what you are trying to accomplish here so a bit >> more details would be helpful. > More details would definitely help. I don't think you can easily > accomplish what you want right now. It could be possible with a lot > of manual configuration of 389 on both the IPA and DMZ LDAP server > sides, but I don't think anyone has set things up in this way with IPA > before. >
Yes, but you are definitely welcome to give it a try. We had in mind that such request would emerge one day and would like to hear from you about your progress. > -NGK >> >> >>> Many Thanks >>> Campbell >>> >>> >>> _______________________________________________ >>> Freeipa-users mailing list >>> Freeipa-users@redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-users >> >> >> -- >> Thank you, >> Dmitri Pal >> >> Sr. Engineering Manager IPA project, >> Red Hat Inc. >> >> >> ------------------------------- >> Looking to carve out IT costs? >> www.redhat.com/carveoutcosts/ >> >> >> >> >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users@redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users@redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/
_______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users