On Wed, 2011-09-14 at 11:36 -0400, Dmitri Pal wrote: > Can Freeipa accommodate a mufti-tennant environment? i.e. I work for > a managed service provider that currently uses LDAP for authentication > for both our users and our customer's users. But Customer A cannot > see Customer B's data due to access control on our directory. Each > customer has at least one LDAP service account in their container in > the tree that can only view that customer's container and my company > container.
At the moment we do not have the ability to move accounts into sub containers. It is a feature we may want to implement in future, but we kept the tree intentionally flat to avoid misuse we've seen as quite common in products like AD. > Would we have to do something like create realms for each customer? > Then configure trusts from customer realm to ours? > > EXAMPLE.COM - our realm > CUSTOMERA.EXAMPLE.COM - customer a realm > ... so on This may work onve ipa v3 is out. Building multiple realms (in multiple servers/VMs) is possible but trust relationship management is not fully backed in yet. > What about data within the directory? Currently our DIT is like: > > o=MyCompany,dc=example,dc=com > o=CustomerA,dc=excample,dc=com If you create multiple realms you'll have to do it with multiple servers with current IPA. > Would seperating by realms automatically divide that up? What about > would Customer A be able to see any Customer B users using multiple > realms alone or would we have to take additional precautions? In general ACIs can be used to limit who sees what. It may be possible to use the current flat view on the server and constrain access to specific users/groups using a bit of custom schema in order to "label" entries, and custom ACIs. Of course you would want to turn off anonymous access to the directory and encrypt all traffic with SSL or GSSAPI at that point. Simo. -- Simo Sorce * Red Hat, Inc * New York _______________________________________________ Freeipa-users mailing list Freeipafirstname.lastname@example.org https://www.redhat.com/mailman/listinfo/freeipa-users