[Freeipa-users] HBAC rule refreshes and read-only slaves
Dmitri Pal
dpal at redhat.com
Fri Jun 8 14:26:52 UTC 2012
On 06/07/2012 09:22 PM, Cam McK wrote:
> Hello
>
>
> 2). We would also like to use FreeIPA in a trusted network but then
> have perhaps a read-only slave sitting in DMZ with the possibility of
> not containing the KDC or LDAP password stores on it, is this possible?
> (Basically authentication being done by a different PAM module, but
> pam_sss.so still allowing HBAC via the PAM 'account' directive.)
> Is it possible to have a 'regular' LDAP directory (in the DMZ) just
> slurping down the required LDAP info?
>
I suggest using an LDAP directory that can do proxy operations or proxy
authentications. You might consider 389 and sync in some user accounts
and groups while using pam passtrough capabilities. I think recent
upstream versions of 389 made this configuration possible but you need
to check with them. #389 on freenode is your best bet.
Openldap has some capabilities that might be of the value here too.
I am not quite sure what you are trying to accomplish here so a bit more
details would be helpful.
> Many Thanks
> Campbell
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project,
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20120608/eb4e35fe/attachment.htm>
More information about the Freeipa-users
mailing list