Re: [Freeipa-users] multiple ds instances (maybe off-topic)

2016-06-28 Thread Ludwig Krispenz


On 06/28/2016 10:33 AM, Natxo Asenjo wrote:


hi Ludwig,

On Tue, Jun 28, 2016 at 10:03 AM, Ludwig Krispenz wrote:



On 06/28/2016 09:50 AM, Natxo Asenjo wrote:


I'd like to have internally all sorts of ldap access, but
externally only certificate based, for example.

If there is a way to do that now that I am not aware of I'd be
very interested to know it as well ;-). Right now we solve this
problem using vpn connections with third parties, but ideally
one could just open the port to the internet if only that kind of
access was allowed.

maybe you can achieve this with access control, there are all kinds
of rules to allow access based on client's ip address, domain,
security strength, authentication method - and combinations of them.


Do you mean something like explained here: 
http://directory.fedoraproject.org/docs/389ds/design/rootdn-access-control.html 
?

I was thinking of something like this (and the other bind rules):

https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Access_Control-Bind_Rules.html#Bind_Rules-Defining_Access_Based_on_Authentication_Method

the link you sent is about restraining access of directory manager, which
is not subject to normal ACIs


Thanks!
--
Groeten,
natxo




--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric 
Shander

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
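The combination Ludwig points to, written out as an added example (this is not code from the thread or from the FreeIPA project): a single deny ACI on the IPA suffix whose bind rules join the client's IP address with its authentication method. Connections from outside the internal network are denied everything unless they bound with a TLS client certificate, which 389-ds expresses as `authmethod = "ssl"`, while clients inside the network keep every bind method. The suffix dc=example,dc=com, the internal network 10.0.0.* and the ACI name are assumptions made for the example. Deny rules take precedence over allow rules in 389-ds, so this can sit beside the existing IPA ACIs without rewriting them.

```ldif
# Added example, not from the thread. Suffix, internal network and ACI
# name are assumptions; adjust them before use.
# Apply as Directory Manager, e.g.:
#   ldapmodify -x -D "cn=Directory Manager" -W -H ldaps://ipa.example.com -f external-cert-only.ldif
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "*")(version 3.0; acl "external clients must bind with a TLS client certificate"; deny (all) (userdn = "ldap:///anyone") and (ip != "10.0.0.*") and (authmethod != "ssl");)
```

To check it, bind from an address outside 10.0.0.*: a simple bind with a valid password still succeeds, but a search under the suffix returns no entries, while an EXTERNAL bind over ldaps with a client certificate (which needs nsSSLClientAuth set to allowed or required under cn=encryption,cn=config and a certmap.conf mapping to the user's entry) sees whatever that user's normal ACIs grant. Three caveats: an ACI only governs what a bound session may read and write, so it does not stop password guessing against the exposed port; the ip bind rule uses the peer address as the server sees it, so a NAT or reverse proxy in front of the server collapses all external clients onto one address; and, as Ludwig notes, Directory Manager is not subject to ACIs at all, so a deny rule never restricts it.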

Re: [Freeipa-users] multiple ds instances (maybe off-topic)

2016-06-28 Thread Natxo Asenjo
hi Ludwig,

On Tue, Jun 28, 2016 at 10:03 AM, Ludwig Krispenz 
wrote:

>
> On 06/28/2016 09:50 AM, Natxo Asenjo wrote:
>
>
> I'd like to have internally all sorts of ldap access, but externally only
> certificate based, for example.
>
> If there is a way to do that now that I am not aware of I'd be very
> interested to know it as well ;-). Right now we solve this problem using
> vpn connections with third parties, but ideally one could just open the
> port to the internet if only that kind of access was allowed.
>
> maybe you can achieve this with access control, there are all kinds of
> rules to allow access based on client's ip address, domain, security
> strength, authentication method - and combinations of them.
> 
>

Do you mean something like explained here:
http://directory.fedoraproject.org/docs/389ds/design/rootdn-access-control.html
?

Thanks!
--
Groeten,
natxo

Re: [Freeipa-users] multiple ds instances (maybe off-topic)

2016-06-28 Thread Ludwig Krispenz


On 06/28/2016 09:50 AM, Natxo Asenjo wrote:



On Tue, Jun 28, 2016 at 9:07 AM, Alexander Bokovoy wrote:


On Tue, 28 Jun 2016, Natxo Asenjo wrote:

hi,

according to the RHDS documentation (
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.1/html-single/Using_the_Admin_Server/index.html)
one can have multiple directory server instances on the same host

Would it be interesting to offer this functionality in freeipa.org? The
business case would be to allow different kinds of authentication per
instance/port. So one could block standard ldap connections on port 389 to
the internet, for instance, but allow them on another port only if using
external/GSSAPI auth, so no passwords would be involved.

This is not how instances work in 389-ds. Each instance is fully
independent of another one, including database content and structure.
You cannot have instance that shares the same content with another one
unless you enable database chaining (and then there are some
limitations).


ok, thanks for the info.

We used to have CA instance separate from the main IPA instance, for
example, but then merged them together in the same instance using two
different backends.

Standard IPA 389-ds instance already allows its access on the unix domain
socket with EXTERNAL/GSSAPI authentication. It is visible only within
the scope of the IPA master host, of course.

I'm still not sure what exactly you would like to achieve. All ports
that 389-ds listens to do support the same authentication methods except
LDAPI protocol (unix domain sockets) which supports automapping between
POSIX ID and a user object that it maps to.


I'd like to have internally all sorts of ldap access, but externally
only certificate based, for example.


If there is a way to do that now that I am not aware of I'd be very
interested to know it as well ;-). Right now we solve this problem
using vpn connections with third parties, but ideally one could just
open the port to the internet if only that kind of access was allowed.

maybe you can achieve this with access control, there are all kinds of
rules to allow access based on client's ip address, domain, security
strength, authentication method - and combinations of them.



Thanks for your time.

--
regards,
Natxo





--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric 
Shander


Re: [Freeipa-users] multiple ds instances (maybe off-topic)

2016-06-28 Thread Natxo Asenjo
On Tue, Jun 28, 2016 at 9:07 AM, Alexander Bokovoy 
wrote:

> On Tue, 28 Jun 2016, Natxo Asenjo wrote:
>
>> hi,
>>
>> according to the RHDS documentation (
>>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.1/html-single/Using_the_Admin_Server/index.html
>> )
>> one can have multiple directory server instances on the same host
>>
>> Would it be interesting to offer this functionality in freeipa.org? The
>> business case would be to allow different kinds of authentication per
>> instance/port. So one could block standard ldap connections on port 389 to
>> the internet, for instance, but allow them on another port only if using
>> external/GSSAPI auth, so no passwords would be involved.
>>
> This is not how instances work in 389-ds. Each instance is fully
> independent of another one, including database content and structure.
> You cannot have instance that shares the same content with another one
> unless you enable database chaining (and then there are some
> limitations).
>

ok, thanks for the info.


> We used to have CA instance separate from the main IPA instance, for
> example, but then merged them together in the same instance using two
> different backends.
>
> Standard IPA 389-ds instance already allows its access on the unix domain
> socket with EXTERNAL/GSSAPI authentication. It is visible only within
> the scope of the IPA master host, of course.
>
> I'm still not sure what exactly you would like to achieve. All ports
> that 389-ds listens to do support the same authentication methods except
> LDAPI protocol (unix domain sockets) which supports automapping between
> POSIX ID and a user object that it maps to.
>

I'd like to have internally all sorts of ldap access, but externally only
certificate based, for example.

If there is a way to do that now that I am not aware of I'd be very
interested to know it as well ;-). Right now we solve this problem using
vpn connections with third parties, but ideally one could just open the
port to the internet if only that kind of access was allowed.


Thanks for your time.

-- 
regards,
Natxo

Re: [Freeipa-users] multiple ds instances (maybe off-topic)

2016-06-28 Thread Alexander Bokovoy

On Tue, 28 Jun 2016, Natxo Asenjo wrote:

hi,

according to the RHDS documentation (
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.1/html-single/Using_the_Admin_Server/index.html)
one can have multiple directory server instances on the same host

Would it be interesting to offer this functionality in freeipa.org? The
business case would be to allow different kinds of authentication per
instance/port. So one could block standard ldap connections on port 389 to
the internet, for instance, but allow them on another port only if using
external/GSSAPI auth, so no passwords would be involved.

This is not how instances work in 389-ds. Each instance is fully
independent of another one, including database content and structure.
You cannot have instance that shares the same content with another one
unless you enable database chaining (and then there are some
limitations).

We used to have CA instance separate from the main IPA instance, for
example, but then merged them together in the same instance using two
different backends.

Standard IPA 389-ds instance already allows its access on the unix domain
socket with EXTERNAL/GSSAPI authentication. It is visible only within
the scope of the IPA master host, of course.

I'm still not sure what exactly you would like to achieve. All ports
that 389-ds listens to do support the same authentication methods except
LDAPI protocol (unix domain sockets) which supports automapping between
POSIX ID and a user object that it maps to.


--
/ Alexander Bokovoy



[Freeipa-users] multiple ds instances (maybe off-topic)

2016-06-28 Thread Natxo Asenjo
hi,

according to the RHDS documentation (
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.1/html-single/Using_the_Admin_Server/index.html)
one can have multiple directory server instances on the same host

Would it be interesting to offer this functionality in freeipa.org? The
business case would be to allow different kinds of authentication per
instance/port. So one could block standard ldap connections on port 389 to
the internet, for instance, but allow them on another port only if using
external/GSSAPI auth, so no passwords would be involved.

This would be useful for external services not using saml, for instance.

--
Groeten,
natxo