[Freeipa-users] Limiting group/user visibility

Lassi Pölönen lassi.polonen at iki.fi
Wed Nov 30 19:46:21 UTC 2011


Hi,

that could be one option as well, not completely ruled out. But in some 
cases it is a bit too much overhead though. If there are multiple small 
organizations with only a handful of accounts and servers, setting up a 
dedicated HA instance for each one doesn't feel very cost effective as 
it would mean tens of those. Currently a single installation can't 
handle multiple realms, am I right?

-Lassi Pölönen

On 30.11.2011 21:01, Steven Jones wrote:
> Hi,
>
> I would have thought this was a case/design of separate realms.
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Lassi Pölönen [lassi.polonen at iki.fi]
> Sent: Thursday, 1 December 2011 12:18 a.m.
> To: freeipa-users at redhat.com
> Subject: [Freeipa-users] Limiting group/user visibility
>
> Hi,
>
> I'm looking to implement FreeIPA in an environment where there are
> multiple customers in multiple organizations and a single organization
> that manages the users, sets the access rights etc.
>
> We don't have a centralized system currently so I will be starting from
> scratch in that sense. The first concern I've had so far is that we
> don't want different customers to be able to find information about each
> other. Currently in my test setup any user can find out every user in a
> group if they know the group name and all the groups for each user if
> they know the username. In some cases this might reveal information the
> customer is not willing to share.
>
> So are there ways to limit that, e.g. certain hosts/hostgroups or
> users/usergroups see some defined subset of the directory? Or are there
> some other suggested approaches? As the current setup relies on local
> authentication, users naturally are able to find users/groups only on
> servers they are able to log in and that is the level of confidentiality
> we are looking for if possible.
>
>
> -Lassi Pölönen
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>



