I’d think that if you can remote-enrol hosts as IPA clients, it would be real easy to also enrol them as VPN clients first. Heck, even WireGuard would be good enough, even without a full audit. You’d just add a single route to the route table for that VPN to the IPA server and you’re good to go.

> On 22 May 2019, at 18:05, Stepan Vardanyan via FreeIPA-users <[email protected]> wrote:
>
> But Directory Server is just plain LDAP, without policies (hbac, sudo), isn't it?
> Policies are the reason why we moved from OpenLDAP.
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
