[Freeipa-users] multiple ds instances (maybe off-topic)

Natxo Asenjo natxo.asenjo at gmail.com
Tue Jun 28 07:50:16 UTC 2016


On Tue, Jun 28, 2016 at 9:07 AM, Alexander Bokovoy <abokovoy at redhat.com>
wrote:

> On Tue, 28 Jun 2016, Natxo Asenjo wrote:
>
>> hi,
>>
>> according to the RHDS documentation (
>>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.1/html-single/Using_the_Admin_Server/index.html
>> )
>> one can have multiple directory server instances on the same hosts
>>
>> Would it be interesting to offer this functionality in freeipa.org? The
>> business case would be to allow different kinds of authentication per
>> instance/port. So one could block standard ldap connections on port 389 to
>> the internet, for instance, but allow them on another port only if using
>> external/GSSAPI auth, so no passwords would be involved.
>>
> This is not how instances work in 389-ds. Each instance is fully
> independent of another one, including database content and structure.
> You cannot have an instance that shares the same content with another one
> unless you enable database chaining (and then there are some
> limitations).
>

ok, thanks for the info.


> We used to have CA instance separate from the main IPA instance, for
> example, but then merged them together in the same instance using two
> different backends.
>
> Standard IPA 389-ds instance already allows its access on the unix domain
> socket with EXTERNAL/GSSAPI authentication. It is visible only within
> the scope of the IPA master host, of course.
>
> I'm still not sure what exactly you would like to achieve. All ports
> that 389-ds listens to do support the same authentication methods except
> LDAPI protocol (unix domain sockets) which supports automapping between
> POSIX ID and a user object that it maps to.
>

I'd like to have internally all sorts of ldap access, but externally only
certificate based, for example.

If there is a way to do that now that I am not aware of I'd be very
interested to know it as well ;-). Right now we solve these problems using
vpn connections with third parties, but ideally one could just open the
port to the internet if only that kind of access was allowed.


Thanks for your time.

-- 
regards,
Natxo
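Since 389-ds offers the same bind methods on every TCP port (as Alexander explains above), the policy Natxo describes cannot be enforced per port inside the server; what a defender can do is audit the access log for binds that violate it. The following is an added example, not code from this thread or from the FreeIPA/389-ds projects: it reads 389-ds access-log lines, remembers the source of each connection, and reports every bind from a non-internal source that used anything other than an allowed SASL mechanism (by default only EXTERNAL, i.e. certificate-based). The log lines are constructed for the example and follow the 389-ds access-log layout as I understand it (`connection from <src> to <dst>`, `BIND ... method=128` for simple binds, `method=sasl ... mech=<MECH>` for SASL binds); check the regular expressions against your own server's log before relying on them. The internal networks and the allowed-mechanism set are assumptions you would adjust.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample access-log lines (not real traffic). Assumed layout:
# connection line, then BIND line(s) per connection; LDAPI shows "from local".
SAMPLE_LOG = """\
[28/Jun/2016:09:07:01 +0200] conn=10 fd=64 slot=64 connection from 10.0.0.5 to 10.0.0.1
[28/Jun/2016:09:07:01 +0200] conn=10 op=0 BIND dn="uid=natxo,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[28/Jun/2016:09:07:01 +0200] conn=10 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[28/Jun/2016:09:07:02 +0200] conn=11 fd=65 slot=65 connection from 203.0.113.7 to 10.0.0.1
[28/Jun/2016:09:07:02 +0200] conn=11 op=0 BIND dn="uid=partner,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[28/Jun/2016:09:07:02 +0200] conn=11 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[28/Jun/2016:09:07:03 +0200] conn=12 fd=66 slot=66 connection from 203.0.113.9 to 10.0.0.1
[28/Jun/2016:09:07:03 +0200] conn=12 SSL 256-bit AES; client CN=ldap-client.partner.example
[28/Jun/2016:09:07:03 +0200] conn=12 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
[28/Jun/2016:09:07:04 +0200] conn=13 fd=67 slot=67 connection from local to /var/run/slapd-EXAMPLE-COM.socket
[28/Jun/2016:09:07:04 +0200] conn=13 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
[28/Jun/2016:09:07:05 +0200] conn=14 fd=68 slot=68 connection from 203.0.113.9 to 10.0.0.1
[28/Jun/2016:09:07:05 +0200] conn=14 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
"""

# Assumed patterns for the two line kinds we care about.
CONN_RE = re.compile(r"conn=(\d+) fd=\d+ slot=\d+ connection from (\S+) to ")
BIND_RE = re.compile(
    r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\S+)(?: version=\d+)?(?: mech=(\S+))?'
)

# Assumption: these ranges, plus LDAPI ("local"), count as internal.
INTERNAL_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]


@dataclass
class Finding:
    conn: str      # 389-ds connection id
    source: str    # client address as logged
    bind_dn: str   # DN presented in the bind ("" for SASL / anonymous)
    method: str    # "simple" or the SASL mechanism name


def is_internal(source: str) -> bool:
    """LDAPI connections and addresses inside INTERNAL_NETS are internal."""
    if source == "local":
        return True
    try:
        addr = ip_address(source)
    except ValueError:
        return False          # unparseable source: treat as external
    return any(addr in net for net in INTERNAL_NETS)


def audit_binds(log_text: str, allowed_external=frozenset({"EXTERNAL"})):
    """Return binds from external sources that used a disallowed method.

    Simple binds (method=128, password or anonymous) are labelled "simple";
    SASL binds are labelled with their mechanism. Internal sources may use
    anything; external sources may only use mechanisms in allowed_external.
    """
    sources = {}              # conn id -> logged source address
    findings = []
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m:
            sources[m.group(1)] = m.group(2)
            continue
        m = BIND_RE.search(line)
        if not m:
            continue
        conn, _op, dn, method, mech = m.groups()
        src = sources.get(conn, "unknown")
        if is_internal(src):
            continue
        label = mech if method == "sasl" else "simple"
        if label not in allowed_external:
            findings.append(Finding(conn, src, dn, label))
    return findings


if __name__ == "__main__":
    for f in audit_binds(SAMPLE_LOG):
        print(f"conn={f.conn} from {f.source}: {f.method} bind dn={f.bind_dn!r} violates policy")
```

Run against the constructed log this reports conn=11 (a password bind from 203.0.113.7) and conn=14 (GSSAPI from outside); passing `allowed_external={"EXTERNAL", "GSSAPI"}` matches the looser policy from the first message and leaves only conn=11. The check is detection only: it does not stop the bind, it tells you the external port is being used in a way the policy forbids, which is the signal you need before deciding whether the VPN can be replaced.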