[Freeipa-users] Multi-tenancy and Freeipa

Rob Crittenden rcritten at redhat.com
Wed Sep 14 19:19:51 UTC 2011


Simo Sorce wrote:
> On Wed, 2011-09-14 at 15:08 -0400, Simo Sorce wrote:
>> On Wed, 2011-09-14 at 11:36 -0400, Dmitri Pal wrote:
>>> Can Freeipa accommodate a multi-tenant environment?  i.e. I work for
>>> a managed service provider that currently uses LDAP for authentication
>>> for both our users and our customers' users.  But Customer A cannot
>>> see Customer B's data due to access control on our directory.  Each
>>> customer has at least one LDAP service account in their container in
>>> the tree that can only view that customer's container and my company
>>> container.
>>
>> At the moment we do not have the ability to move accounts into sub
>> containers. It is a feature we may want to implement in future, but we
>> kept the tree intentionally flat to avoid misuse we've seen as quite
>> common in products like AD.
>>
>>> Would we have to do something like create realms for each customer?
>>> Then configure trusts from customer realm to ours?
>>>
>>> EXAMPLE.COM - our realm
>>> CUSTOMERA.EXAMPLE.COM - customer a realm
>>> ... so on
>>
>> This may work once ipa v3 is out. Building multiple realms (in multiple
>> servers/VMs) is possible but trust relationship management is not fully
>> baked in yet.
>>
>>> What about data within the directory?  Currently our DIT is like:
>>>
>>> o=MyCompany,dc=example,dc=com
>>> o=CustomerA,dc=example,dc=com
>>
>> If you create multiple realms you'll have to do it with multiple servers
>> with current IPA.
>>
>>> Would separating by realms automatically divide that up?  Also, would
>>> Customer A be able to see any Customer B users using multiple
>>> realms alone or would we have to take additional precautions?
>>
>> In general ACIs can be used to limit who sees what.
>> It may be possible to use the current flat view on the server and
>> constrain access to specific users/groups using a bit of custom schema
>> in order to "label" entries, and custom ACIs.
>> Of course you would want to turn off anonymous access to the directory
>> and encrypt all traffic with SSL or GSSAPI at that point.
>
> Replying to myself, custom schema may not be necessary. It may be
> possible to use just ACIs and non-posix groups together w/o adding
> additional schema, that would make the problem simpler, although ACIs
> need to be built carefully not to cripple the admins view.
>
> Simo.
>

The management framework only supports a single realm as well, even if 
you could manage to insert the data.

rob
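Simo's sketch (per-customer non-posix groups, ACIs on the customer containers, anonymous access off, encrypted traffic) can be expressed directly as 389 Directory Server LDIF. The script below is an added example and is not code from this thread or from the FreeIPA project. It assumes the DIT the original poster described (o=CustomerA,dc=example,dc=com and so on); the names ou=groups, ou=people, cn=<customer>-readers and uid=svc-<customer> are hypothetical placeholders for each customer's group and service account. The two cn=config attributes are real 389-DS settings. Because 389-DS allows nothing that no ACI grants, an ACI placed on o=CustomerA with no explicit target covers only that subtree, so the same group gets no view of o=CustomerB.

```shell
#!/bin/bash
# Added example, not code from the thread or from the FreeIPA project.
# Generates 389 Directory Server LDIF for the approach Simo outlines:
# per-customer non-POSIX groups plus ACIs on each customer's container,
# with anonymous access turned off and secure binds required.
# Assumptions: the DIT from the thread (o=<Customer>,dc=example,dc=com),
# and hypothetical names ou=groups, ou=people, cn=<customer>-readers
# and uid=svc-<customer> for the group and service account.
set -eu

BASE_DN="dc=example,dc=com"

# cn=config hardening. Both attributes are real 389-DS settings:
# the first refuses anonymous binds (and unauthenticated searches),
# the second refuses simple binds that are not protected by TLS.
hardening_ldif() {
  cat <<'EOF'
dn: cn=config
changetype: modify
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: off
-
replace: nsslapd-require-secure-binds
nsslapd-require-secure-binds: on
EOF
}

# Per-customer LDIF: a groupOfNames holding the customer's service
# account, and an ACI on the customer's container. An ACI without an
# explicit target applies to the entry it sits on and its subtree, so
# this grants read on o=<Customer> only; another customer's tree stays
# invisible because 389-DS denies whatever no ACI allows.
customer_ldif() {
  local customer="$1"
  local lc container group
  lc=$(printf '%s' "$customer" | tr '[:upper:]' '[:lower:]')
  container="o=${customer},${BASE_DN}"
  group="cn=${lc}-readers,ou=groups,${container}"
  cat <<EOF
dn: ${group}
changetype: add
objectClass: top
objectClass: groupOfNames
cn: ${lc}-readers
member: uid=svc-${lc},ou=people,${container}

dn: ${container}
changetype: modify
add: aci
aci: (targetattr = "*")(version 3.0; acl "${customer} readers see ${customer} only"; allow (read, search, compare) groupdn = "ldap:///${group}";)
EOF
}

# Usage (needs a live server and a privileged Kerberos ticket):
#   hardening_ldif          | ldapmodify -Y GSSAPI -H ldaps://ipa.example.com
#   customer_ldif CustomerA | ldapmodify -Y GSSAPI -H ldaps://ipa.example.com
if [ -n "${1:-}" ]; then
  customer_ldif "$1"
fi
```

To check the isolation, bind as uid=svc-customera and search o=CustomerB with a broad filter; the correct result is an empty result set, not an error. Two caveats follow from the replies above. Allow ACIs in 389-DS are cumulative, so if an ACI higher in the tree (for instance one installed by IPA on the suffix) already grants read to all users or to anyone, the per-container ACI does not narrow it and that broader grant has to be tightened too, which is the "do not cripple the admins' view" balance Simo warns about. And, as Rob notes, entries placed in o=CustomerA containers are outside the single flat tree the IPA management framework understands, so they are managed with LDAP tools, not with the ipa command.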