On 06/28/2016 09:50 AM, Natxo Asenjo wrote:

On Tue, Jun 28, 2016 at 9:07 AM, Alexander Bokovoy <aboko...@redhat.com> wrote:

    On Tue, 28 Jun 2016, Natxo Asenjo wrote:


        according to the RHDS documentation (
        one can have multiple directory server instances on the same hosts

        Would it be interesting to offer this functionality in
        freeipa.org? The business case would be to allow different kinds of
        authentication per instance/port. So one could block standard ldap
        connections on port 389 to the internet, for instance, but allow them
        on another port only if using external/GSSAPI auth, so no passwords
        would be involved.

    This is not how instances work in 389-ds. Each instance is fully
    independent of another one, including database content and structure.
    You cannot have instance that shares the same content with another one
    unless you enable database chaining (and then there are some

ok, thanks for the info.

    We used to have CA instance separate from the main IPA instance, for
    example, but then merged them together in the same instance using two
    different backends.

    Standard IPA 389-ds instance already allows its access on the unix
    socket with EXTERNAL/GSSAPI authentication. It is visible only within
    the scope of the IPA master host, of course.

    I'm still not sure what exactly you would like to achieve. All ports
    that 389-ds listens to do support the same authentication methods
    LDAPI protocol (unix domain sockets) which supports automapping
    POSIX ID and a user object that it maps to.

I'd like to have internally all sorts of ldap access, but externally only certificate based, for example.

If there is a way to do that now that I am not aware of, I'd be very interested to know it as well ;-). Right now we solve these problems using vpn connections with third parties, but ideally one could just open the port to the internet if only that kind of access was allowed.

Maybe you can achieve this with access control, there are all kinds of rules to allow access based on client's ip address, domain, security strength, authentication method - and combinations of them.

Thanks for your time.


Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric 

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

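An added illustration of the access-control approach suggested above (it is not from this thread or from the FreeIPA project): one deny ACI on the IPA suffix that refuses every operation from a non-internal source address unless the session was authenticated with a TLS client certificate (authmethod "ssl", i.e. SASL EXTERNAL over LDAPS) or with Kerberos (authmethod "sasl GSSAPI"). Simple binds and anonymous sessions from outside are denied; internal clients are untouched. The suffix dc=example,dc=com, the internal range 10.*.*.*, and the instance name EXAMPLE-COM used below are assumptions for the example, not values from the thread.

```ldif
# Added example, not from the thread or FreeIPA. Assumed suffix and
# address range; adjust both before loading. Continuation lines start
# with two spaces so that one space survives LDIF line folding.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "*")
  (version 3.0; acl "Deny password and anonymous access from outside";
  deny (all)
  (ip != "10.*.*.*") and
  (not (authmethod = "ssl" or authmethod = "sasl GSSAPI"));)
```

Load it over the local LDAPI socket mentioned above, for example `ldapmodify -H ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket -Y EXTERNAL -f deny-outside.ldif`, then check it from an outside address: a simple bind followed by a search under the suffix should fail with "Insufficient access", while the same search with `-Y EXTERNAL` over ldaps:// (LDAPTLS_CERT and LDAPTLS_KEY pointing at a client certificate that certmap.conf maps to a user entry) or with a Kerberos ticket and `-Y GSSAPI` should succeed. Two caveats a practitioner will want: in 389-ds a deny rule wins over every allow rule, so an overly broad ip pattern can lock out clients you did not intend, including IPA's own components; test it on a replica first. And ACIs do not govern the bind operation itself, so a simple bind with a valid password from outside still succeeds (and the port still accepts password guessing); the rule only stops what that session can do afterwards, which is not the same thing as the password-free listener asked for in this thread. The ip rule also matches the address the server sees, so a NAT or proxy in front of the server collapses everything behind it to one address.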