<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#ffffff" text="#000000">
    On 06/08/2012 11:00 AM, Nathan Kinder wrote:
    <blockquote cite="mid:4FD21387.1050402@redhat.com" type="cite">
      On 06/08/2012 07:26 AM, Dmitri Pal wrote:
      <blockquote cite="mid:4FD20BAC.40803@redhat.com" type="cite">
        On 06/07/2012 09:22 PM, Cam McK wrote:
        <blockquote
cite="mid:CA+BVP1p26tM01tTTqs_K-TOG0tqH6BMsr2qCgbvT4Mnei-uZPQ@mail.gmail.com"
          type="cite">Hello<br>
          <br>
          <br>
          2). We would also like to use FreeIPA in a trusted network but
          then have perhaps a read-only slave sitting in DMZ with the
          possibility of not containing the KDC or LDAP password stores
          on it, is this possible?<br>
           (Basically authentication being done by a different PAM
          module, but pam_sss.so still allowing HBAC via the PAM
          'account' directive.)<br>
          Is it possible to have a 'regular' LDAP directory (in the DMZ)
          just slurping down the required LDAP info?<br>
          <br>
        </blockquote>
        I suggest using an LDAP directory that can do proxy operations
        or proxy authentications. You might consider 389 and sync in
        some user accounts and groups while using PAM pass-through
        capabilities. I think recent upstream versions of 389 made this
        configuration possible but you need to check with them. #389 on
        freenode is your best bet.  <br>
        OpenLDAP has some capabilities that might be of value here
        too.<br>
      </blockquote>
      389 can consult PAM to authenticate a user when performing an LDAP
      BIND operation.  This would probably take care of the
      authentication piece of the puzzle.<br>
      <br>
      You would also need to use fractional replication to avoid
      replicating things like passwords or Kerberos related attributes
      to the DMZ LDAP server.  Fractional replication can only trim out
      specific attributes.  It does not allow you to select portions of
      the tree to replicate at the entry level.  This would mean that
      all of your user accounts would need to be replicated out to the
      DMZ LDAP server, but you could trim sensitive attributes.<br>
      <blockquote cite="mid:4FD20BAC.40803@redhat.com" type="cite"> <br>
        I am not quite sure what you are trying to accomplish here so a
        bit more details would be helpful.<br>
      </blockquote>
      More details would definitely help.  I don't think you can easily
      accomplish what you want right now.  It could be possible with a
      lot of manual configuration of 389 on both the IPA and DMZ LDAP
      server sides, but I don't think anyone has set things up in this
      way with IPA before.<br>
      <br>
    </blockquote>
    <br>
    Yes, but you are definitely welcome to give it a try. We had in mind
    that such a request would emerge one day and would like to hear from
    you about your progress.<br>
    <br>
    <blockquote cite="mid:4FD21387.1050402@redhat.com" type="cite"> -NGK<br>
      <blockquote cite="mid:4FD20BAC.40803@redhat.com" type="cite"> <br>
        <br>
        <blockquote
cite="mid:CA+BVP1p26tM01tTTqs_K-TOG0tqH6BMsr2qCgbvT4Mnei-uZPQ@mail.gmail.com"
          type="cite">Many Thanks<br>
          Campbell<br>
          <br>
          <pre wrap=""><fieldset class="mimeAttachmentHeader"></fieldset>
_______________________________________________
Freeipa-users mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
        </blockquote>
        <br>
        <br>
        <pre class="moz-signature" cols="72">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a>


</pre>
        <br>
      </blockquote>
      <br>
      <pre wrap="">
<fieldset class="mimeAttachmentHeader"></fieldset>
_______________________________________________
Freeipa-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
    </blockquote>
    <br>
    <br>
    <pre class="moz-signature" cols="72">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
<a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a>


</pre>
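    <br>
    The two pieces Nathan describes, fractional replication that strips
    credential attributes before they reach the DMZ consumer and the 389
    PAM Pass Through Auth plugin handling BIND on that consumer, sketched
    as 389 Directory Server LDIF. This is an added example written for
    this page, not configuration shipped by FreeIPA or 389 DS, and the
    thread itself says nobody has set this up with IPA yet. The suffix
    dc=example,dc=com, the host dmz-ldap.example.com, the agreement name
    "to-dmz", the bind DN and the PAM service name "ldapserver" are all
    assumed values; the EXCLUDE list names the IPA attributes that hold
    password and Kerberos key material and is the part to review against
    your own schema.<br>
    <br>

```ldif
# --- On the IPA-side 389 DS: one-way agreement to the DMZ consumer. ---
# Hostnames, DNs and the agreement name are assumed values for this example.
dn: cn=to-dmz,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
changetype: add
objectClass: top
objectClass: nsDS5ReplicationAgreement
cn: to-dmz
description: fractional, outbound-only agreement to the DMZ read-only consumer
nsDS5ReplicaRoot: dc=example,dc=com
nsDS5ReplicaHost: dmz-ldap.example.com
nsDS5ReplicaPort: 636
nsDS5ReplicaTransportInfo: SSL
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsDS5ReplicaBindMethod: SIMPLE
nsDS5ReplicaCredentials: REPLACE-WITH-REPLICATION-MANAGER-PASSWORD
# Fractional replication: send every entry (no entry-level filtering is
# possible, as the thread notes) but drop the secret-bearing attributes.
# Incremental updates...
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE userPassword krbPrincipalKey krbExtraData krbMKey ipaNTHash passwordHistory
# ...and the total (re)initialization must be trimmed with the same list,
# otherwise a re-init pushes the excluded attributes across anyway.
nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE userPassword krbPrincipalKey krbExtraData krbMKey ipaNTHash passwordHistory

# --- On the DMZ 389 DS: authenticate BINDs through PAM instead of the
# (absent) userPassword attribute. ---
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
-
# Map the bind DN to a PAM login name by taking the value of uid from the RDN.
replace: pamIDMapMethod
pamIDMapMethod: RDN
-
replace: pamIDAttr
pamIDAttr: uid
-
# No local-password fallback: there is no local password to fall back to,
# and allowing it would silently re-enable any credential that leaks in.
replace: pamFallback
pamFallback: FALSE
-
# Refuse plaintext BINDs; the password only travels over TLS.
replace: pamSecure
pamSecure: TRUE
-
# PAM service file (/etc/pam.d/ldapserver, assumed name) that defines which
# PAM module actually verifies the password.
replace: pamService
pamService: ldapserver
-
# Only user entries go through PAM; anything outside this subtree is an error.
replace: pamIncludeSuffix
pamIncludeSuffix: cn=users,cn=accounts,dc=example,dc=com
-
replace: pamMissingSuffix
pamMissingSuffix: ERROR
```

    <br>
    After the agreement has initialized the consumer, a privileged
    ldapsearch on the DMZ server for a user entry requesting the excluded
    attributes by name (userPassword, krbPrincipalKey, ipaNTHash) should
    return the entry with none of them present; if any appear, the total
    update list was not applied before initialization. The PAM service
    named by pamService still has to be defined on the DMZ host, and the
    thread leaves open which module does the actual password check.<br>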
  </body>
</html>