[Freeipa-devel] FreeIPA and per-machine views

Stephen Gallagher sgallagh at redhat.com
Thu Sep 22 02:07:13 UTC 2011


I've been working on the multiple search base feature in SSSD and I've had some thoughts that might be relevant to the FreeIPA v3 core effort. The idea behind multiple search bases is fairly simple; instead of simply checking one subtree for user or group information, you check several in series, stopping at the first match.

I was looking into this to identify the primary reasons why a deployment might use such an approach and I came up with two important use-cases.

1) This is a fairly simple way to extend a network you don't fully control. A classic example might be a Computer Science department at a university. They would want to use the campus user accounts (probably provided by the university IT department), but also add new groups for sharing or access control on CS department machines. This could be done with multiple search bases by setting the first base to the CS department subtree and the second base to a replicated university subtree.

2) The second important use-case is for dealing with third-party applications with hard-coded groups. For a hypothetical example, let's say that a closed-source database program requires a user to be in the group 'dbadmins' in order to access a shell for editing the database. However, there may be more than one such database deployed in the network, possibly among different teams. Having multiple search bases allows different machines to have different views of this group.

I think it's definitely worth discussing how we might address these same use-cases in FreeIPA v3. My thought was that we might want to implement custom "views" of LDAP based on the hostgroups to which a client belongs. I can see a lot of implementation difficulties with this, however. Alternate ideas are most welcome.
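The first-match lookup described above and the per-machine view of 'dbadmins' from the second use-case, as an added Python illustration that is not SSSD, FreeIPA or the poster's code. The directory entries, hostnames and base orders are constructed for the example, and the `shadowed()` check is an added aid for spotting a local entry that hides a campus one, not an SSSD feature.

```python
# Added illustration, not SSSD or FreeIPA code. Models SSSD's ordered
# search-base lookup: each base is searched in turn, the first hit wins.
# All DNs, entries and hostnames below are constructed for the example.

# Constructed directory: DN -> group attributes (flattened).
DIRECTORY = {
    # Replica of the campus-wide groups maintained by university IT.
    "cn=dbadmins,ou=groups,dc=campus,dc=example": {"cn": "dbadmins", "gidNumber": 5000, "memberUid": ["alice"]},
    "cn=students,ou=groups,dc=campus,dc=example": {"cn": "students", "gidNumber": 5001, "memberUid": ["bob", "carol"]},
    # CS department: its own dbadmins for the CS database server.
    "cn=dbadmins,ou=groups,dc=cs,dc=example": {"cn": "dbadmins", "gidNumber": 6000, "memberUid": ["bob"]},
    # Physics department: a different dbadmins for their database.
    "cn=dbadmins,ou=groups,dc=physics,dc=example": {"cn": "dbadmins", "gidNumber": 7000, "memberUid": ["carol"]},
}

# Per-host search-base order (what each client's group search base list holds).
HOST_BASES = {
    "cs-db.example":      ["ou=groups,dc=cs,dc=example", "ou=groups,dc=campus,dc=example"],
    "physics-db.example": ["ou=groups,dc=physics,dc=example", "ou=groups,dc=campus,dc=example"],
    "lab-pc.example":     ["ou=groups,dc=campus,dc=example"],
}


def entries_under(base):
    """All entries at or below `base` (LDAP subtree scope), in directory order."""
    b = base.lower()
    return [(dn, e) for dn, e in DIRECTORY.items()
            if dn.lower() == b or dn.lower().endswith("," + b)]


def lookup_group(bases, name):
    """Search the bases in series and stop at the first base with a match."""
    for base in bases:
        hits = [(dn, e) for dn, e in entries_under(base) if e["cn"] == name]
        if hits:
            return hits[0]          # later bases are never consulted
    return None


def group_members(host, name):
    """Members of group `name` as resolved from `host`; [] if no base defines it."""
    hit = lookup_group(HOST_BASES[host], name)
    return hit[1]["memberUid"] if hit else []


def shadowed(bases):
    """DNs whose cn is already answered by an earlier base, so this host never sees them."""
    seen, hidden = set(), []
    for base in bases:
        for dn, e in entries_under(base):
            if e["cn"] in seen:
                hidden.append(dn)
            seen.add(e["cn"])
    return hidden
```

Running `shadowed()` over a host's base list is the check an administrator would want before trusting a first-match view: it lists exactly which campus definitions the local subtree overrides on that machine.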
