Re: [Freeipa-users] HBAC rule refreshes and read-only slaves

[Nathan Kinder]

On 06/08/2012 07:26 AM, Dmitri Pal wrote:

On 06/07/2012 09:22 PM, Cam McK wrote:

Hello


2). We would also like to use FreeIPA in a trusted network but then 
have perhaps a read-only slave sitting in DMZ with the possibility of 
not containing the KDC or LDAP password stores on it, is this possible?
 (Basically authentication being done by a different PAM module, but 
pam_sss.so still allowing HBAC via the PAM 'account' directive.)
Is it possible to have a 'regular' LDAP directory (in the DMZ) just 
slurping down the required LDAP info?


I suggest using an LDAP directory that can do proxy operations or 
proxy authentications. You might consider 389 and sync in some user 
accounts and groups while using pam passtrough capabilities. I think 
recent upstream versions of 389 made this configuration possible but 
you need to check with them. #389 on freenode is your best bet.

Openldap has some capabilities that might be of the value here too.
389 can consult PAM to authenticate a user when performing an LDAP BIND 
operation.  This would probably take care of the authentication piece of 
the puzzle.


You would also need to use fractional replication to avoid replicating 
things like passwords or Kerberos related attributes to the DMZ LDAP 
server.  Fractional replication can only trim out specific attributes.  
It does not allow you to select portions of the tree to replicate at the 
entry level.  This would mean that all of your user accounts would need 
to be replicated out to the DMZ LDAP server, but you could trim 
sensitive attributes.


I am not quite sure what you are trying to accomplish here so a bit 
more details would be helpful.
More details would definitely help.  I don't think you can easily 
accomplish what you want right now.  It could be possible with a lot of 
manual configuration of 389 on both the IPA and DMZ LDAP server sides, 
but I don't think anyone has set things up in this way with IPA before.


-NGK




Many Thanks
Campbell


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users



--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/




___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

[Freeipa-users] HBAC rule refreshes and read-only slaves

[Cam McK]

Hello

Thanks for an awesome product! I have two questions that I can't seem to
find answers for...

1). How long is the delay between changing a HBAC rule and it coming into
affect on the host machine?
Currently this information only seems to be updated on the host after an
'service sssd reload/restart' also are the HBAC access rules are stored
within LDAP Directory?

2). We would also like to use FreeIPA in a trusted network but then have
perhaps a read-only slave sitting in DMZ with the possibility of not
containing the KDC or LDAP password stores on it, is this possible?
 (Basically authentication being done by a different PAM module, but
pam_sss.so still allowing HBAC via the PAM 'account' directive.)
Is it possible to have a 'regular' LDAP directory (in the DMZ) just
slurping down the required LDAP info?

Many Thanks
Campbell
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users