<div dir="ltr"><br><div class="gmail_extra">hi Ludwig,<br><br></div><div class="gmail_extra"><div class="gmail_quote">On Tue, Jun 28, 2016 at 10:03 AM, Ludwig Krispenz <span dir="ltr"><<a href="mailto:lkrispen@redhat.com" target="_blank">lkrispen@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div bgcolor="#FFFFFF" text="#000000"><div><div class="h5"> <br> <div>On 06/28/2016 09:50 AM, Natxo Asenjo wrote:<br> </div> <blockquote type="cite"> <div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><br><div>I'd like to have internally all sort of ldap access, but externally onlly certificate based, for example.<br> <br> </div> <div>If there is a way to do that know that I am not aware of I'd be very interested to know it as well ;-). Right now we solve this problems using vpn connections with third parties, but ideally one could just open the port to the internet if only that kind of access was allowed.<br> </div> </div> </div> </div> </blockquote></div></div> maybe you can achieve this with access control, there are all kind of rules to allow access based on client's ip address, domain, security strength, authentication method - and combinations of them.<span class=""></span> </div><a href="https://www.redhat.com/mailman/listinfo/freeipa-users" rel="noreferrer" target="_blank"></a><br></blockquote></div><br></div><div class="gmail_extra">Do you mean something like explained here: <a href="http://directory.fedoraproject.org/docs/389ds/design/rootdn-access-control.html">http://directory.fedoraproject.org/docs/389ds/design/rootdn-access-control.html</a> ?<br><br></div><div class="gmail_extra">Thanks!<br></div><div class="gmail_extra"><div class="gmail_signature" data-smartmail="gmail_signature">--<br>Groeten,<br>natxo</div> </div></div>