[Freeipa-users] Multi-tenancy and Freeipa

Simo Sorce simo at redhat.com
Wed Sep 14 19:22:41 UTC 2011


On Wed, 2011-09-14 at 15:19 -0400, Rob Crittenden wrote:
> Simo Sorce wrote:
> > On Wed, 2011-09-14 at 15:08 -0400, Simo Sorce wrote:
> >> On Wed, 2011-09-14 at 11:36 -0400, Dmitri Pal wrote:
> >>> Can Freeipa accommodate a multi-tenant environment?  i.e. I work for
> >>> a managed service provider that currently uses LDAP for authentication
> >>> for both our users and our customer's users.  But Customer A cannot
> >>> see Customer B's data due to access control on our directory.  Each
> >>> customer has at least one LDAP service account in their container in
> >>> the tree that can only view that customer's container and my company
> >>> container.
> >>
> >> At the moment we do not have the ability to move accounts into sub
> >> containers. It is a feature we may want to implement in future, but we
> >> kept the tree intentionally flat to avoid misuse we've seen as quite
> >> common in products like AD.
> >>
> >>> Would we have to do something like create realms for each customer?
> >>> Then configure trusts from customer realm to ours?
> >>>
> >>> EXAMPLE.COM - our realm
> >>> CUSTOMERA.EXAMPLE.COM - customer a realm
> >>> ... so on
> >>
> >> This may work once ipa v3 is out. Building multiple realms (in multiple
> >> servers/VMs) is possible but trust relationship management is not fully
> >> baked in yet.
> >>
> >>> What about data within the directory?  Currently our DIT is like:
> >>>
> >>> o=MyCompany,dc=example,dc=com
> >>> o=CustomerA,dc=excample,dc=com
> >>
> >> If you create multiple realms you'll have to do it with multiple servers
> >> with current IPA.
> >>
> >>> Would separating by realms automatically divide that up?  Would
> >>> Customer A be able to see any Customer B users using multiple
> >>> realms alone or would we have to take additional precautions?
> >>
> >> In general ACIs can be used to limit who sees what.
> >> It may be possible to use the current flat view on the server and
> >> constrain access to specific users/groups using a bit of custom schema
> >> in order to "label" entries, and custom ACIs.
> >> Of course you would want to turn off anonymous access to the directory
> >> and encrypt all traffic with SSL or GSSAPI at that point.
> >
> > Replying to myself, custom schema may not be necessary. It may be
> > possible to use just ACIs and non-posix groups together w/o adding
> > additional schema, that would make the problem simpler, although ACIs
> > need to be built carefully not to cripple the admins view.
> >
> > Simo.
> >
> 
> The management framework only supports a single realm as well, even if 
> you could manage to insert the data.

The ACIs solution would work with a single-realm model ... except that
it also means each customer needs to do very careful access control when
using kerberos for now, as we do not have a way to constrain which users
can get tickets for which services in the same REALM. This is something
we want to introduce in v3.0 anyways for various reasons. So going
forward, segmentation of users should become simpler.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
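As an added illustration of the "ACIs plus non-POSIX groups, no extra schema" approach discussed above (example config written for this page, not code from the thread or from the FreeIPA project), the LDIF below assumes FreeIPA's default cn=accounts layout under dc=example,dc=com, the memberOf plugin that IPA enables, and that the default ACIs granting every authenticated or anonymous user read access to cn=users have already been removed; the group and account names are invented.

```ldif
# Constructed example. Step 1: refuse anonymous binds at the server level,
# so an unauthenticated client cannot enumerate either customer's entries.
dn: cn=config
changetype: modify
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: off

# Step 2 (done with the IPA CLI, shown here as comments): one non-POSIX
# group holding a customer's users and one holding that customer's
# LDAP service accounts. memberOf is then maintained on each entry.
#   ipa group-add --nonposix customera-users
#   ipa group-add --nonposix customera-svc
#   ipa group-add-member customera-users --users=alice
#   ipa group-add-member customera-svc   --users=svc-customera
# (repeat for customerb)

# Step 3: an allow-only ACI per customer on the users container. The
# targetfilter restricts WHICH entries are visible (those whose memberOf
# names the customer's user group); groupdn restricts WHO may read them.
# Because 389 DS ACIs are additive, adding these rules does not take
# anything away from cn=admins, whose own ACIs stay in force; the admin
# view is only at risk if the default read ACIs are removed carelessly.
dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci: (targetfilter = "(memberOf=cn=customera-users,cn=groups,cn=accounts,dc=example,dc=com)")(targetattr = "*")(version 3.0; acl "CustomerA service accounts read CustomerA users"; allow (read,search,compare) groupdn = "ldap:///cn=customera-svc,cn=groups,cn=accounts,dc=example,dc=com";)
-
add: aci
aci: (targetfilter = "(memberOf=cn=customerb-users,cn=groups,cn=accounts,dc=example,dc=com)")(targetattr = "*")(version 3.0; acl "CustomerB service accounts read CustomerB users"; allow (read,search,compare) groupdn = "ldap:///cn=customerb-svc,cn=groups,cn=accounts,dc=example,dc=com";)

# Check: bind as svc-customera over TLS and search the whole container.
# Only entries carrying memberOf=cn=customera-users should be returned;
# if any customerb entry appears, a broader read ACI is still present.
#   ldapsearch -ZZ -x \
#     -D "uid=svc-customera,cn=users,cn=accounts,dc=example,dc=com" -W \
#     -b "cn=users,cn=accounts,dc=example,dc=com" "(uid=*)" uid memberOf
```

This only governs LDAP visibility; as the reply notes, it does not stop a principal in the shared realm from obtaining Kerberos tickets for another customer's services, so each service must still apply its own authorization.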