[Freeipa-users] Multi-tennancy and Freeipa

Adam Young ayoung at redhat.com
Mon Dec 19 16:50:01 UTC 2011


On 12/16/2011 03:41 PM, Dmitri Pal wrote:
> On 12/16/2011 02:37 PM, Alan Evans wrote:
>> Adam,
>>
>> This is great news.  The feedback I have after a quick read through (I
>> will try to put a bit more time on it later) would be to make the
>> 'tenant' separation more flexible and why not use existing ldap
>> schema?
>>
>> Instead of forcing the user into cn={TENANT},cn=tenants,$suffix why
>> not create a 'tenant' aux class that would allow the end user to
>> design a DIT however they would like.
>>
>> We for example use o=<company|organization>,$suffix.  Then any schema
>> maintenance instead of being:
>> For each tenant in (cn=tenants,$suffix)
>> It would be:
>> For each tenant in (ldapsearch (objectclass=tenant))
>>
>> Then the end provider could design a DIT that fit their needs with
>> replication in mind.  Consider the flexibility of:
>>
>> o=<Tenant1>,C=US,$suffix
>> o=<Tenant2>,C=UK,$suffix
>> o=<Tenant3>,OU=North America,$suffix
>> o=<Tenant4>,OU=Europe,$suffix
>>
>> That's my 2¢ at the moment.  I'd be glad to banter back and forth
>> about this with you. :)
>>
>> Regards,
>> -Alan
> This is very flexible but I am not sure IPA would be able to be that
> flexible.
> One of the design goals from the beginning was: static schema and flat
> DIT. The whole project is built around it. Such approach would really
> come as a "system shock". I am not against it, just saying it would be
> harder as it goes even further than Adam's proposal in changing the
> fundamental principles.

Also, it is not just the user table that we need to segregate but the 
entire DIT. Roles, Groups, SUDO, HBAC, and so forth all need to be 
segregated into a separate subtree, not just the user lists. So putting 
users in an aux class doesn't really support sufficient segregation. The 
assumption for us is that the IPA base scheme would be for 
administrative machines, and then each of the tenant subtrees would be 
for a subset of the machines in the system.

But that is really only one view of it, and I think I can see where you 
are coming from: you want to be able to manage, say, customers, but use 
the same rules for them as you do for employees?



>
>> On Fri, Dec 16, 2011 at 5:35 AM, Adam Young<ayoung at redhat.com>  wrote:
>>> I opened a ticket for multitenancy
>>>
>>> https://fedorahosted.org/freeipa/ticket/2201
>>>
>>> Here is a detailed write up of the issues.
>>>
>>> http://freeipa.org/page/Multitenancy
>>>
>>> Please provide any feedback that you have and I will update.
>
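The two enumeration strategies debated above (a fixed cn=tenants container versus an auxiliary 'tenant' object class anywhere in the DIT) and Adam's point that groups, SUDO and HBAC must stay inside the tenant subtree can be modelled without a directory server. The following is an added illustration, not FreeIPA code and not from anyone in the thread: it uses a constructed in-memory stand-in for an LDAP DIT, and the suffix, object class names and entry DNs are all assumptions made for the example. It shows that container-based enumeration misses a free-form tenant layout, how to resolve which tenant an arbitrary entry belongs to by walking up its DN, and a simple isolation check that flags group members referenced across tenant subtrees.

```python
"""Tenant enumeration and subtree isolation over a toy LDAP DIT (added example)."""

SUFFIX = "dc=example,dc=com"  # assumed base suffix for the example

# Constructed sample DIT: DN -> attributes. Tenant 'acme' lives under the
# fixed cn=tenants container; tenant 'globex' uses a free-form o=...,c=UK
# layout and is marked only by the hypothetical 'tenant' auxiliary class.
DIT = {
    "cn=tenants," + SUFFIX: {"objectclass": {"nsContainer"}},
    "cn=acme,cn=tenants," + SUFFIX: {"objectclass": {"nsContainer", "tenant"}},
    "cn=users,cn=acme,cn=tenants," + SUFFIX: {"objectclass": {"nsContainer"}},
    "uid=alice,cn=users,cn=acme,cn=tenants," + SUFFIX: {"objectclass": {"person"}},
    "cn=groups,cn=acme,cn=tenants," + SUFFIX: {"objectclass": {"nsContainer"}},
    "cn=admins,cn=groups,cn=acme,cn=tenants," + SUFFIX: {
        "objectclass": {"groupOfNames"},
        "member": {"uid=alice,cn=users,cn=acme,cn=tenants," + SUFFIX},
    },
    "c=UK," + SUFFIX: {"objectclass": {"country"}},
    "o=globex,c=UK," + SUFFIX: {"objectclass": {"organization", "tenant"}},
    "uid=bob,o=globex,c=UK," + SUFFIX: {"objectclass": {"person"}},
    # A group in globex that (wrongly) references a user from acme.
    "cn=ops,o=globex,c=UK," + SUFFIX: {
        "objectclass": {"groupOfNames"},
        "member": {
            "uid=bob,o=globex,c=UK," + SUFFIX,
            "uid=alice,cn=users,cn=acme,cn=tenants," + SUFFIX,
        },
    },
    # An administrative account in the base tree, outside every tenant.
    "uid=root-admin,cn=users,cn=accounts," + SUFFIX: {"objectclass": {"person"}},
}


def split_dn(dn):
    """Split a DN into its RDN strings, honouring backslash-escaped commas."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return parts


def parent_dn(dn):
    """Return the DN one level up, or '' at the top of the tree."""
    parts = split_dn(dn)
    return ",".join(parts[1:]) if len(parts) > 1 else ""


def tenants_by_container(dit, suffix=SUFFIX):
    """Fixed-layout proposal: tenants are the direct children of cn=tenants."""
    container = ("cn=tenants," + suffix).lower()
    return sorted(dn for dn in dit if parent_dn(dn).lower() == container)


def tenants_by_objectclass(dit):
    """Aux-class proposal: tenants are any entries carrying the 'tenant' class."""
    return sorted(dn for dn, attrs in dit.items() if "tenant" in attrs["objectclass"])


def owning_tenant(dn, tenant_dns):
    """Walk up from dn until it (or an ancestor) is a known tenant; None if none."""
    known = {t.lower() for t in tenant_dns}
    cur = dn
    while cur:
        if cur.lower() in known:
            return cur
        cur = parent_dn(cur)
    return None


def cross_tenant_members(dit, tenant_dns):
    """Isolation check: group members must live in the same tenant subtree as
    the group itself (the segregation of groups/SUDO/HBAC described above)."""
    violations = []
    for dn, attrs in dit.items():
        owner = owning_tenant(dn, tenant_dns)
        for member in attrs.get("member", ()):
            if owning_tenant(member, tenant_dns) != owner:
                violations.append((dn, member))
    return sorted(violations)


if __name__ == "__main__":
    print("by container:  ", tenants_by_container(DIT))
    print("by objectclass:", tenants_by_objectclass(DIT))
    print("violations:    ", cross_tenant_members(DIT, tenants_by_objectclass(DIT)))
```

Running it shows that the container approach finds only acme while the object-class approach also finds globex, and that the isolation check reports the globex group that references alice from acme; with only container-enumerated tenants, every globex entry resolves to no tenant at all, which is exactly the "entire DIT" segregation problem rather than a users-only one.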