[Freeipa-users] Multi-tennancy and Freeipa

Simo Sorce simo at redhat.com
Wed Sep 14 19:17:17 UTC 2011 

On Wed, 2011-09-14 at 15:08 -0400, Simo Sorce wrote:
> On Wed, 2011-09-14 at 11:36 -0400, Dmitri Pal wrote:
> > Can Freeipa accommodate a mufti-tennant environment?  i.e. I work for
> > a managed service provider that currently uses LDAP for authentication
> > for both our users and our customer's users.  But Customer A cannot
> > see Customer B's data due to access control on our directory.  Each
> > customer has at least one LDAP service account in their container in
> > the tree that can only view that customer's container and my company
> > container.
> 
> At the moment we do not have the ability to move accounts into sub
> containers. It is a feature we may want to implement in future, but we
> kept the tree intentionally flat to avoid misuse we've seen as quite
> common in products like AD.
> 
> > Would we have to do something like create realms for each customer?
> > Then configure trusts from customer realm to ours?
> > 
> > EXAMPLE.COM - our realm
> > CUSTOMERA.EXAMPLE.COM - customer a realm
> > ... so on
> 
> This may work onve ipa v3 is out. Building multiple realms (in multiple
> servers/VMs) is possible but trust relationship management is not fully
> backed in yet.
> 
> > What about data within the directory?  Currently our DIT is like:
> > 
> > o=MyCompany,dc=example,dc=com
> > o=CustomerA,dc=excample,dc=com
> 
> If you create multiple realms you'll have to do it with multiple servers
> with current IPA.
> 
> > Would seperating by realms automatically divide that up?  What about
> > would Customer A be able to see any Customer B users using multiple
> > realms alone or would we have to take additional precautions?
> 
> In general ACIs can be used to limit who sees what.
> It may be possible to use the current flat view on the server and
> constrain access to specific users/groups using a bit of custom schema
> in order to "label" entries, and custom ACIs.
> Of course you would want to turn off anonymous access to the directory
> and encrypt all traffic with SSL or GSSAPI at that point.

Replying to myself, custom schema may not be necessary. It may be
possible to use just ACIs and non-posix groups together w/o adding
additional schema, that would make the problem simpler, although ACIs
need to be built carefully not to cripple the admins view.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

More information about the Freeipa-users mailing list