Re: [Freeipa-users] multiple ds instances (maybe off-topic)

Tue, 28 Jun 2016 01:14:09 -0700 


On 06/28/2016 09:50 AM, Natxo Asenjo wrote:




On Tue, Jun 28, 2016 at 9:07 AM, Alexander Bokovoy 
<[email protected] <mailto:[email protected]>> wrote:


    On Tue, 28 Jun 2016, Natxo Asenjo wrote:

        hi,

        according to the RHDS documentation (
        
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.1/html-single/Using_the_Admin_Server/index.html)
        one can have multiple directory server instances on the same hosts

        Would it be interesting to offer this functionality in
        freeipa.org <http://freeipa.org>? The
        business case would be to allow different kinds of
        authentication per
        instance/port. So one could block standard ldap connections on
        port 389 to
        the internet, for instance, but allow them on another port
        only if using
        external/GSSAPI auth, so no passswords would be involved.

    This is not how instances work in 389-ds. Each instance is fully
    independent of another one, including database content and structure.
    You cannot have instance that shares the same content with another one
    unless you enable database chaining (and then there are some
    limitations).


ok, thanks for the info.

    We used to have CA instance separate from the main IPA instance, for
    example, but then merged them together in the same instance using two
    different backends.

    Standard IPA 389-ds instance already allows its access on the unix
    domain
    socket with EXTERNAL/GSSAPI authentication. It is visible only within
    the scope of the IPA master host, of course.

    I'm still not sure what exactly you would like to achieve. All ports
    that 389-ds listens to do support the same authentication methods
    except
    LDAPI protocol (unix domain sockets) which supports automapping
    between
    POSIX ID and a user object that it maps to.



I'd like to have internally all sort of ldap access, but externally 
onlly certificate based, for example.



If there is a way to do that know that I am not aware of I'd be very 
interested to know it as well ;-). Right now we solve this problems 
using vpn connections with third parties, but ideally one could just 
open the port to the internet if only that kind of access was allowed.

maybe you can achieve this with access control, there are all kind of 
rules to allow access based on client's ip address, domain, security 
strength, authentication method - and combinations of them.



Thanks for your time.

--
regards,
Natxo





--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric 
Shander


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project





















					Reply via email to