[Freeipa-users] Multi-tenancy and Freeipa

Alan Evans alanwevans at gmail.com
Wed Sep 14 19:26:00 UTC 2011


Thanks all for your quick replies.  My case is a bit of a corner case
anyway so I was not expecting to have a perfect solution.  Having
tested out freeipa a few times in the last couple years it is
certainly impressive the progress that has been made.

I think for now I am going to continue using LDAP as we are and
re-evaluate adding Kerberos later or at most selectively enable it for
our admin users in the short term. :)

Regards,
-Alan

On Wed, Sep 14, 2011 at 3:22 PM, Simo Sorce <simo at redhat.com> wrote:
> On Wed, 2011-09-14 at 15:19 -0400, Rob Crittenden wrote:
>> Simo Sorce wrote:
>> > On Wed, 2011-09-14 at 15:08 -0400, Simo Sorce wrote:
>> >> On Wed, 2011-09-14 at 11:36 -0400, Dmitri Pal wrote:
>> >>> Can Freeipa accommodate a multi-tenant environment?  i.e. I work for
>> >>> a managed service provider that currently uses LDAP for authentication
>> >>> for both our users and our customer's users.  But Customer A cannot
>> >>> see Customer B's data due to access control on our directory.  Each
>> >>> customer has at least one LDAP service account in their container in
>> >>> the tree that can only view that customer's container and my company
>> >>> container.
>> >>
>> >> At the moment we do not have the ability to move accounts into sub
>> >> containers. It is a feature we may want to implement in future, but we
>> >> kept the tree intentionally flat to avoid misuse we've seen as quite
>> >> common in products like AD.
>> >>
>> >>> Would we have to do something like create realms for each customer?
>> >>> Then configure trusts from customer realm to ours?
>> >>>
>> >>> EXAMPLE.COM - our realm
>> >>> CUSTOMERA.EXAMPLE.COM - customer a realm
>> >>> ... so on
>> >>
>> >> This may work once ipa v3 is out. Building multiple realms (in multiple
>> >> servers/VMs) is possible but trust relationship management is not fully
>> >> baked in yet.
>> >>
>> >>> What about data within the directory?  Currently our DIT is like:
>> >>>
>> >>> o=MyCompany,dc=example,dc=com
>> >>> o=CustomerA,dc=example,dc=com
>> >>
>> >> If you create multiple realms you'll have to do it with multiple servers
>> >> with current IPA.
>> >>
>> >>> Would separating by realms automatically divide that up?  What about
>> >>> would Customer A be able to see any Customer B users using multiple
>> >>> realms alone or would we have to take additional precautions?
>> >>
>> >> In general ACIs can be used to limit who sees what.
>> >> It may be possible to use the current flat view on the server and
>> >> constrain access to specific users/groups using a bit of custom schema
>> >> in order to "label" entries, and custom ACIs.
>> >> Of course you would want to turn off anonymous access to the directory
>> >> and encrypt all traffic with SSL or GSSAPI at that point.
>> >
>> > Replying to myself, custom schema may not be necessary. It may be
>> > possible to use just ACIs and non-posix groups together w/o adding
>> > additional schema, that would make the problem simpler, although ACIs
>> > need to be built carefully not to cripple the admins view.
>> >
>> > Simo.
>> >
>>
>> The management framework only supports a single realm as well, even if
>> you could manage to insert the data.
>
> The ACIs solution would work with a single-realm model ... except that
> it also means each customer needs to do very careful access control when
> using kerberos for now, as we do not have a way to constrain which users
> can get tickets for which services in the same REALM. This is something
> we want to introduce in v3.0 anyways for various reasons. So going
> forward, segmentation of users should become simpler.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
>
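As an added illustration (not code from the thread or from the FreeIPA project) of the single-realm approach Simo sketches above, the LDIF below labels Customer A's users with a non-posix group and grants that customer's LDAP service account read access only to entries carrying the label, while turning off anonymous binds and requiring encrypted connections in 389 Directory Server. Every DN, group name and account name (customera-users, svc-customera, uid=alice) is an assumption; the attribute names and ACI syntax are 389-DS's own.

```ldif
# Added example, not from the thread: 389-DS configuration and ACIs for the
# "label entries with a group, constrain with ACIs" approach.
# All DNs and names below (customera-users, svc-customera, alice) are assumed.

# 1. No anonymous directory access, and binds only over SSL/TLS or GSSAPI
#    (minssf 56 rejects cleartext connections; raise it to match your ciphers).
dn: cn=config
changetype: modify
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: off
-
replace: nsslapd-require-secure-binds
nsslapd-require-secure-binds: on
-
replace: nsslapd-minssf
nsslapd-minssf: 56

# 2. Label a user as belonging to Customer A. The group itself is created with
#    "ipa group-add --nonposix customera-users"; adding a member is enough here
#    because the memberOf plugin writes memberOf onto the user entry.
dn: cn=customera-users,cn=groups,cn=accounts,dc=example,dc=com
changetype: modify
add: member
member: uid=alice,cn=users,cn=accounts,dc=example,dc=com

# 3. Customer A's service account may read only entries that carry the label,
#    and only a bounded set of attributes. Admin ACIs are untouched, so the
#    admins' view of the flat tree is not crippled.
dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci: (targetfilter="(memberOf=cn=customera-users,cn=groups,cn=accounts,dc=example,dc=com)")(targetattr="uid || cn || sn || givenName || mail || memberOf")(version 3.0; acl "CustomerA service account reads CustomerA users"; allow (read,search,compare) userdn="ldap:///uid=svc-customera,cn=users,cn=accounts,dc=example,dc=com";)
```

Two caveats a practitioner would want. First, 389-DS allow-ACIs are additive: the grant above only isolates Customer A if the broader default read ACIs on the suffix (those matching `userdn="ldap:///anyone"`, which covers authenticated binds as well as anonymous ones) are narrowed so that the service account is not already allowed to read everything. Verify by binding as svc-customera and searching for a user outside the group; the search should return nothing. Second, as Simo notes above, this constrains only LDAP reads: it does not stop a Customer A principal from obtaining Kerberos service tickets for Customer B's services in the same realm, so that separation has to come from the services themselves until the KDC can enforce it.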