Hi all,
There's a nice little article on http://www.freeipa.org/page/V3/Multitenancy:
Multi-tenancy is an aspect of Identity Management (IdM) where multiple parties use the same resource without learning any information about each other. The example is two rival companies who both operate servers hosted in a public cloud. Neither company should be aware of the existence of the other users presence in the web using, and they definitely should not be able to enumerate either the users or the hosts of the other company due to information leaks inside the cloud services.
The article is rather old and Multitenancy seems not possible in FreeIPA 4.x.
Is there any progress on this, future plans? Multitenancy for IPA should be a very nice feature!
Kind regards,
Winfried
Hi Winfried,
On Thu, 06 Jul 2017, Winfried de Heiden via FreeIPA-users wrote:
> Hi all,
> There's a nice little article on http://www.freeipa.org/page/V3/Multitenancy:
> Multi-tenancy is an aspect of Identity Management (IdM) where multiple parties use the same resource without learning any information about each other. The example is two rival companies who both operate servers hosted in a public cloud. Neither company should be aware of the existence of the other users presence in the web using, and they definitely should not be able to enumerate either the users or the hosts of the other company due to information leaks inside the cloud services.
> The article is rather old and Multitenancy seems not possible in FreeIPA 4.x.
> Is there any progress on this, future plans? Multitenancy for IPA should be a very nice feature!
While it may sound like a nice feature, it is very hard to implement, as that article tells you that it would go against current FreeIPA LDAP DIT design and assumptions in the code.
We are not planning to work on that feature in the short to mid-term. In fact, we are planning to reduce the amount of new features being added for the next few major releases, to concentrate on making FreeIPA bullet-proof:
- better handling of error conditions
- better support for various installation needs with Ansible
- better diagnosing tools
- etc
We have enough features already for most common use cases that concentrating on day to day operations' predictability becomes important before we move forward.
This does not mean we would stop with new features. Rather, we want to make a solid platform to deliver features as add-ons at some point in the future.
Hi all,
Thanks for the quick response. Too bad, but that's the way it is. I'll come back to this question in a few years....
Winfried
-----Original message-----
Date: Thu, 6 Jul 2017 12:47:29 +0300
Subject: [Freeipa-users] Re: FreeIPA Multitenancy
Cc: Winfried de Heiden wdh@dds.nl, Alexander Bokovoy <abokovoy@redhat.com>
To: FreeIPA users list freeipa-users@lists.fedorahosted.org
Reply-to: FreeIPA users list freeipa-users@lists.fedorahosted.org
From: Alexander Bokovoy via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
Winfried de Heiden via FreeIPA-users wrote:
> There's a nice little article on http://www.freeipa.org/page/V3/Multitenancy:
> /Multi-tenancy is an aspect of Identity Management (IdM) where multiple parties use the same resource without learning any information about each other. The example is two rival companies who both operate servers hosted in a public cloud. Neither company should be aware of the existence of the other users presence in the web using, and they definitely should not be able to enumerate either the users or the hosts of the other company due to information leaks inside the cloud services./
> The article is rather old and Multitenancy seems not possible in FreeIPA 4.x.
> Is there any progress on this, future plans? Multitenancy for IPA should be a very nice feature!
Are you really asking for strict multi-tenancy as described above where the tenants don't even know about the existence of each other? If yes, what's wrong with running multiple FreeIPA instances with their own domain/realm name?
The hard part is to let tenant users/admins cooperate/merge partially. But that's not the definition mentioned above.
Ciao, Michael.