On Tue, 28 Jun 2016, Natxo Asenjo wrote:

according to the RHDS documentation (
one can have multiple directory server instances on the same hosts

Would it be interesting to offer this functionality in freeipa.org? The
business case would be to allow different kinds of authentication per
instance/port. So one could block standard ldap connections on port 389 to
the internet, for instance, but allow them on another port only if using
external/GSSAPI auth, so no passswords would be involved.
This is not how instances work in 389-ds. Each instance is fully
independent of another one, including database content and structure.
You cannot have instance that shares the same content with another one
unless you enable database chaining (and then there are some

We used to have CA instance separate from the main IPA instance, for
example, but then merged them together in the same instance using two
different backends.

Standard IPA 389-ds instance already allows its access on the unix domain
socket with EXTERNAL/GSSAPI authentication. It is visible only within
the scope of the IPA master host, of course.

I'm still not sure what exactly you would like to achieve. All ports
that 389-ds listens to do support the same authentication methods except
LDAPI protocol (unix domain sockets) which supports automapping between
POSIX ID and a user object that it maps to.

/ Alexander Bokovoy

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to