On Wed, 2011-09-14 at 11:36 -0400, Dmitri Pal wrote:
> Can Freeipa accommodate a mufti-tennant environment?  i.e. I work for
> a managed service provider that currently uses LDAP for authentication
> for both our users and our customer's users.  But Customer A cannot
> see Customer B's data due to access control on our directory.  Each
> customer has at least one LDAP service account in their container in
> the tree that can only view that customer's container and my company
> container.

At the moment we do not have the ability to move accounts into sub
containers. It is a feature we may want to implement in future, but we
kept the tree intentionally flat to avoid misuse we've seen as quite
common in products like AD.

> Would we have to do something like create realms for each customer?
> Then configure trusts from customer realm to ours?
> EXAMPLE.COM - our realm
> CUSTOMERA.EXAMPLE.COM - customer a realm
> ... so on

This may work onve ipa v3 is out. Building multiple realms (in multiple
servers/VMs) is possible but trust relationship management is not fully
backed in yet.

> What about data within the directory?  Currently our DIT is like:
> o=MyCompany,dc=example,dc=com
> o=CustomerA,dc=excample,dc=com

If you create multiple realms you'll have to do it with multiple servers
with current IPA.

> Would seperating by realms automatically divide that up?  What about
> would Customer A be able to see any Customer B users using multiple
> realms alone or would we have to take additional precautions?

In general ACIs can be used to limit who sees what.
It may be possible to use the current flat view on the server and
constrain access to specific users/groups using a bit of custom schema
in order to "label" entries, and custom ACIs.
Of course you would want to turn off anonymous access to the directory
and encrypt all traffic with SSL or GSSAPI at that point.


Simo Sorce * Red Hat, Inc * New York

Freeipa-users mailing list

Reply via email to