<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<div class="moz-cite-prefix">On 06/28/2016 09:50 AM, Natxo Asenjo
wrote:<br>
</div>
<blockquote
cite="mid:CAHBEJzWbyZOxeGGq9kGt_97yMdFgAtoe8BgRj9ftTw04gsKDCg@mail.gmail.com"
type="cite">
<div dir="ltr"><br>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Tue, Jun 28, 2016 at 9:07 AM,
Alexander Bokovoy <span dir="ltr"><<a
moz-do-not-send="true" href="mailto:abokovoy@redhat.com"
target="_blank">abokovoy@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex"><span
class="">On Tue, 28 Jun 2016, Natxo Asenjo wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
hi,<br>
<br>
according to the RHDS documentation (<br>
<a moz-do-not-send="true"
href="https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.1/html-single/Using_the_Admin_Server/index.html"
rel="noreferrer" target="_blank">https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.1/html-single/Using_the_Admin_Server/index.html</a>)<br>
one can have multiple directory server instances on
the same hosts<br>
<br>
Would it be interesting to offer this functionality in
<a moz-do-not-send="true" href="http://freeipa.org"
rel="noreferrer" target="_blank">freeipa.org</a>?
The<br>
business case would be to allow different kinds of
authentication per<br>
instance/port. So one could block standard ldap
connections on port 389 to<br>
the internet, for instance, but allow them on another
port only if using<br>
external/GSSAPI auth, so no passwords would be
involved.<br>
</blockquote>
</span>
This is not how instances work in 389-ds. Each instance is
fully<br>
independent of another one, including database content and
structure.<br>
You cannot have instance that shares the same content with
another one<br>
unless you enable database chaining (and then there are
some<br>
limitations).<br>
</blockquote>
<div><br>
</div>
<div>ok, thanks for the info.<br>
<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
We used to have CA instance separate from the main IPA
instance, for<br>
example, but then merged them together in the same
instance using two<br>
different backends.<br>
<br>
Standard IPA 389-ds instance already allows its access on
the unix domain<br>
socket with EXTERNAL/GSSAPI authentication. It is visible
only within<br>
the scope of the IPA master host, of course.<br>
<br>
I'm still not sure what exactly you would like to achieve.
All ports<br>
that 389-ds listens to do support the same authentication
methods except<br>
LDAPI protocol (unix domain sockets) which supports
automapping between<br>
POSIX ID and a user object that it maps to.<span
class="HOEnZb"><font color="#888888"><br>
</font></span></blockquote>
<div><br>
</div>
<div>I'd like to have internally all sort of ldap access,
but externally only certificate based, for example.<br>
<br>
</div>
<div>If there is a way to do that now that I am not aware
of, I'd be very interested to know it as well ;-). Right
now we solve these problems using VPN connections with
third parties, but ideally one could just open the port to
the internet if only that kind of access was allowed.<br>
</div>
</div>
</div>
</div>
</blockquote>
Maybe you can achieve this with access control; there are all kinds
of rules to allow access based on the client's IP address, domain,
security strength, authentication method, and combinations of them.<br>
<blockquote
cite="mid:CAHBEJzWbyZOxeGGq9kGt_97yMdFgAtoe8BgRj9ftTw04gsKDCg@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div><br>
</div>
<div><br>
</div>
<div>Thanks for your time.<br>
<br>
-- <br>
</div>
<div>regards,<br>
</div>
<div>Natxo</div>
</div>
<br>
</div>
</div>
<br>
<br>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Red Hat GmbH, <a class="moz-txt-link-freetext" href="http://www.de.redhat.com/">http://www.de.redhat.com/</a>, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander</pre>
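<p>As an added illustration of the access-control approach suggested in the last reply (this is example LDIF, not code from the thread, from FreeIPA or from 389-ds), the two ACIs below combine the 389-ds bind-rule keywords <code>ip</code>, <code>authmethod</code> and <code>ssf</code>: password (<code>simple</code>) and anonymous (<code>none</code>) binds are denied any access unless the client comes from the internal network, and every external connection is additionally denied access unless its security strength factor is at least 128 (TLS or a GSSAPI-wrapped connection). The suffix <code>dc=example,dc=com</code> and the network <code>10.0.0.*</code> are placeholders to be replaced with the real IPA suffix and address range.</p>

```ldif
# Added example, not part of the original thread or of the FreeIPA project.
# Placeholders: suffix dc=example,dc=com, internal network 10.0.0.*
# Continuation lines start with one space (stripped by LDIF) plus one kept space.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "*")
  (version 3.0; acl "Deny anonymous and password binds from outside the internal network";
  deny (all)
  (userdn = "ldap:///anyone")
  and (ip != "10.0.0.*")
  and ((authmethod = "none") or (authmethod = "simple"));)
-
add: aci
aci: (targetattr = "*")
  (version 3.0; acl "Require an encrypted connection (ssf >= 128) for any external access";
  deny (all)
  (userdn = "ldap:///anyone")
  and (ip != "10.0.0.*")
  and (ssf < "128");)
```

<p>Apply it with <code>ldapmodify</code> as Directory Manager and verify with a non-privileged bind from both sides of the boundary before relying on it. Two points to keep in mind: in 389-ds a deny ACI always wins over allow ACIs, so these rules restrict what the IPA tree's existing allow ACIs grant rather than replacing them; and an ACI only governs what a bound connection may read or write, it does not stop the bind operation itself, so the password check on an exposed port still happens. Limiting which ports are reachable from outside remains the companion control to the ACIs.</p>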
</body>
</html>