Multidomain

Published: May 28, 2018 - 12:28
by AlbanUCA
Hello,

We are currently testing the Pro version of WAPT on a Debian 9 system.
We are able to connect our machines without any problems.

We have several domains in our architecture. These are clearly visible in the console.
How can we restrict package installation to certain users?
We would like:
- GroupAdmin1 to only be able to install in domain1.domain,
- GroupAdmin2 to only be able to install in domain2.domain,
- etc.

Is it possible to create this restriction from the console or the server?

Thank you for your help.

Alban

Re: Multidomain

Published: May 30, 2018 - 8:00 PM
by sfonteneau
Hello,

In WAPT, you manage permissions in the console using keys.

You need to generate three CAs (Certificates of Authenticity): one for each domain plus one global CA.

You will push CA1 to domain 1 and CA2 to domain 2, and you will push CA3 to both domains (in the wapt\ssl directory).

This way, all keys from CA1 will be able to push actions on domain 1.

All keys from CA2 will have access to domain 2.

All keys from CA3 will be able to push actions on both domains.

Ideally, the keys from CA1 and CA2 should not be code-signing.

Ideally, only keys from CA3 should be able to create packages, as I assume the packages will be common to both sites. (The same applies to groups.)



Regarding the concept of LDAP groups, it's possible, but only by running the installations with waptselfservice.
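
The trust model described in the reply above, reproduced with plain `openssl` as an added example (not part of the original thread and not WAPT's own code). The names CA1 to CA3, admin1/admin2/global and the `*.trust.pem` files are constructed stand-ins for the CA certificates deployed in each domain's wapt\ssl directory; it assumes a machine accepts an action only when the signer's certificate chains to a CA it trusts.

```bash
#!/usr/bin/env bash
# Constructed demo: throwaway CAs and admin certificates; every name is illustrative.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

# Minimal config so the CA certificates carry basicConstraints CA:TRUE
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

make_ca() {   # $1 = CA name: self-signed root certificate
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
    -config "$WORK/ca.cnf" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

issue() {     # $1 = admin name, $2 = issuing CA: admin certificate signed by that CA
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -config "$WORK/ca.cnf" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 30 -out "$WORK/$1.crt" 2>/dev/null
}

can_act() {   # $1 = admin, $2 = domain: true if the cert chains to a CA trusted there
  openssl verify -CAfile "$WORK/$2.trust.pem" "$WORK/$1.crt" >/dev/null 2>&1
}

for ca in CA1 CA2 CA3; do make_ca "$ca"; done
# Per-domain trust store: the domain's own CA plus the global CA3
cat "$WORK/CA1.crt" "$WORK/CA3.crt" > "$WORK/domain1.trust.pem"
cat "$WORK/CA2.crt" "$WORK/CA3.crt" > "$WORK/domain2.trust.pem"
issue admin1 CA1; issue admin2 CA2; issue global CA3

for admin in admin1 admin2 global; do
  for dom in domain1 domain2; do
    if can_act "$admin" "$dom"; then verdict=accepted; else verdict=rejected; fi
    echo "$admin -> $dom: $verdict"
  done
done
```

The restriction comes only from which CA certificates each domain trusts: the admin certificates themselves carry no domain name.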

Re: Multidomain

Published: June 1, 2018 - 08:17
by AlbanUCA
Hello,

Thank you for the explanation, I think I've got it. :)
Now all that's left is to test it.

Thank you very much.

Alban

Re: [RESOLVED] Multidomain

Published: June 5, 2018 - 4:00 PM
by AlbanUCA
Hello again,

I'm reopening this topic because I might not have understood everything... :/ Sorry!
I can't seem to grasp how it all works.
Could you explain this part in more detail?
Either I'm too focused on the details, or I'm missing something. :)

For console authentication, do I need to add all the technicians to the waptadmins group?
To differentiate between domain1 and domain2, I must admit I don't see how WAPT understands who has access to which domain. Should the "Organization" field when creating CAs correspond to the domain name?

We agree that when creating my certificate for domain1, I use my first self-signed certificate as both the key and certificate?

I don't see the connection between the CA and AD authentication.

Thank you for any answers you can provide.

Alban