On Wed, Nov 30, 2011 at 01:18:46PM +0200, Lassi Pölönen wrote:
> I'm looking for implementing FreeIPA in an environment where there are
> multiple customers in multiple organizations and a single organization
> that manages the users, sets the access rights etc.
> We don't have a centralized system currently so I will be starting from
> scratch in that sense. The first concern I've had so far is that we
> don't want different customers to be able to find information about each
> other. Currently in my test setup any user can find out every user in a
> group if they know the group name and all the groups for each user if
> they know the username. In some cases this might reveal information the
> customer is not willing to share.
> So are there ways to limit that, e.g. certain hosts/hostgroups or
> users/usergroups see some defined subset of the directory? Or are there
> some other suggested approaches? As the current setup relies on local
> authentication, users naturally are able to find users/groups only on
> servers they are able to log in and that is the level of confidentiality
> we are looking for if possible.
> -Lassi Pölönen
If you insist on a single instance for multiple organizations, then I
agree with Stephen Ingram that the correct way would be to set up ACIs.
You could also abuse the ldap_user_search_filter and ldap_group_search_filter
parameters to limit NSS lookups performed by SSSD. However, nothing
would prevent clients from looking at the directory structure with
ldapsearch or using the IPA UI.
Freeipa-users mailing list
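For readers who want to see what the SSSD-side workaround from the reply looks like, here is an added example of an sssd.conf domain section that limits NSS lookups to one customer's users and groups. It is not configuration from the original thread or from the FreeIPA project; the domain, server name, group name and the `customer-a*` naming convention are assumptions, and `ldap_user_search_filter` / `ldap_group_search_filter` are the options the reply names.

```ini
# Added example, not from the original message: restrict what SSSD resolves
# through NSS on a host that serves only the hypothetical customer "customer-a".
# All DNs, hostnames and the realm below are placeholders.
[sssd]
services = nss, pam
config_file_version = 2
domains = example.com

[domain/example.com]
# IPA provider; the ldap_* search options still apply because it is built on
# the LDAP provider.
id_provider = ipa
auth_provider = ipa
ipa_server = ipa.example.com
ipa_domain = example.com
ipa_hostname = host1.customer-a.example.com
ldap_tls_cacert = /etc/ipa/ca.crt
cache_credentials = True

# Only resolve users that are members of this customer's group
# (hypothetical group DN).
ldap_user_search_base = cn=users,cn=accounts,dc=example,dc=com
ldap_user_search_filter = (memberOf=cn=customer-a,cn=groups,cn=accounts,dc=example,dc=com)

# Only resolve groups that follow this customer's naming convention
# (hypothetical convention: group names prefixed with "customer-a").
ldap_group_search_base = cn=groups,cn=accounts,dc=example,dc=com
ldap_group_search_filter = (cn=customer-a*)
```

Two practical notes. First, this only narrows what `getent passwd` / `getent group` and other NSS consumers return on that particular host; it is enforced by the client, so a user who can bind to the directory can still run an unfiltered `ldapsearch` or browse the web UI, exactly as the reply warns. Server-side ACIs are what actually stop the disclosure. Second, check the result with `getent group customer-a-admins` and `getent passwd someuser` from both an in-scope and an out-of-scope account before rolling the filter out, since a wrong `memberOf` DN silently resolves to no users at all and locks everyone out of the host.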