[Freeipa-users] HBAC rule refreshes and read-only slaves

Dmitri Pal dpal at redhat.com
Fri Jun 8 15:14:57 UTC 2012 

On 06/08/2012 11:00 AM, Nathan Kinder wrote:
> On 06/08/2012 07:26 AM, Dmitri Pal wrote:
>> On 06/07/2012 09:22 PM, Cam McK wrote:
>>> Hello
>>>
>>>
>>> 2). We would also like to use FreeIPA in a trusted network but then
>>> have perhaps a read-only slave sitting in DMZ with the possibility
>>> of not containing the KDC or LDAP password stores on it, is this
>>> possible?
>>>  (Basically authentication being done by a different PAM module, but
>>> pam_sss.so still allowing HBAC via the PAM 'account' directive.)
>>> Is it possible to have a 'regular' LDAP directory (in the DMZ) just
>>> slurping down the required LDAP info?
>>>
>> I suggest using an LDAP directory that can do proxy operations or
>> proxy authentications. You might consider 389 and sync in some user
>> accounts and groups while using pam passtrough capabilities. I think
>> recent upstream versions of 389 made this configuration possible but
>> you need to check with them. #389 on freenode is your best bet. 
>> Openldap has some capabilities that might be of the value here too.
> 389 can consult PAM to authenticate a user when performing an LDAP
> BIND operation.  This would probably take care of the authentication
> piece of the puzzle.
>
> You would also need to use fractional replication to avoid replicating
> things like passwords or Kerberos related attributes to the DMZ LDAP
> server.  Fractional replication can only trim out specific
> attributes.  It does not allow you to select portions of the tree to
> replicate at the entry level.  This would mean that all of your user
> accounts would need to be replicated out to the DMZ LDAP server, but
> you could trim sensitive attributes.
>>
>> I am not quite sure what you are trying to accomplish here so a bit
>> more details would be helpful.
> More details would definitely help.  I don't think you can easily
> accomplish what you want right now.  It could be possible with a lot
> of manual configuration of 389 on both the IPA and DMZ LDAP server
> sides, but I don't think anyone has set things up in this way with IPA
> before.
>

Yes, but you are definitely welcome to give it a try. We had in mind
that such request would emerge one day and would like to hear from you
about your progress.

> -NGK
>>
>>
>>> Many Thanks
>>> Campbell
>>>
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>>
>> -- 
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IPA project,
>> Red Hat Inc.
>>
>>
>> -------------------------------
>> Looking to carve out IT costs?
>> www.redhat.com/carveoutcosts/
>>
>>
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20120608/667fc857/attachment.htm>

More information about the Freeipa-users mailing list