[Freeipa-devel] Multitenancy in FreeIPA
Adam Young
ayoung at redhat.com
Fri Dec 16 00:03:39 UTC 2011
>> The directory will no longer be world readable. Instead, ACIs will
>> limit the user's ability to read only the subtree in which they are
>> enrolled. LDAP operations will require an authenticated bind.
>>
>> When updating IPA, schema changes need to be applied to each of the
>> tenant trees.
>> API
>> Each of the RPCs need to allow an optional parameter tenant.
>> Members of the original domain with an appropriate Permission will
>> be able to perform operations inside the tenant specified.
> Some configuration changes will need to be made around a number of the
> Directory Server plug-ins with regards to scope. We will likely need
> separate configuration entries to restrict the plug-ins to each tenant
> subtree. This includes the following plug-ins (and maybe others as well):
>
> - memberOf
> - DNA
> - Managed Entries
> - Auto-Membership
> - Attribute Uniqueness
Thanks. Created a Wiki page with the document contents, and added your
input here:
http://freeipa.org/page/Multitenancy
http://freeipa.org/page/Multitenancy#Directory_Server_Plugins
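As an added illustration (not from this thread or FreeIPA's own configuration) of the ACI and plug-in scoping described above, here is 389 Directory Server LDIF that turns off anonymous reads and confines one constructed tenant subtree; the suffix, the tenant layout under cn=tenants, the admin group and the memberOfEntryScope attribute (present in newer 389 DS than this thread) are assumptions.

```ldif
# Constructed example: tenant "acme" lives under cn=tenants,dc=example,dc=com.
# The suffix and tenant layout are assumptions, not FreeIPA's real tree.

# 1. Require an authenticated bind: no anonymous reads anywhere in the DIT.
dn: cn=config
changetype: modify
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: off

# 2. Scope read access to the tenant subtree. An ACI on the tenant entry
#    covers that entry and everything below it; since no other ACI grants
#    these users anything, reads outside their subtree are denied by default.
#    Continuation lines keep a literal leading space so the ACI stays parseable.
dn: cn=acme,cn=tenants,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "*")
  (version 3.0; acl "acme users read own tenant subtree";
  allow (read, search, compare)
  userdn = "ldap:///uid=*,cn=users,cn=accounts,cn=acme,cn=tenants,dc=example,dc=com";)
-
add: aci
aci: (targetattr = "*")
  (version 3.0; acl "delegated admins from the original domain manage acme";
  allow (all)
  groupdn = "ldap:///cn=acme-admins,cn=groups,cn=accounts,dc=example,dc=com";)

# 3. Confine the memberOf plug-in to the tenant subtree so group updates in
#    one tenant never touch entries in another. memberOfEntryScope is an
#    assumed attribute of a newer 389 DS; DNA, Managed Entries, Auto-Membership
#    and Attribute Uniqueness need their own per-tenant configuration entries.
dn: cn=MemberOf Plugin,cn=plugins,cn=config
changetype: modify
add: memberOfEntryScope
memberOfEntryScope: cn=acme,cn=tenants,dc=example,dc=com
```

Apply with ldapmodify as Directory Manager, then verify with an ldapsearch bound as a tenant user that a base search outside cn=acme returns nothing and an anonymous search is refused.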