[Freeipa-devel] service record conundrum

Rob Crittenden rcritten at redhat.com
Thu Dec 3 16:55:53 UTC 2009


Dmitri Pal wrote:
> Rob Crittenden wrote:
>> Here is sort of a tricky problem, need some advice (LONG).
>>
>> When we bootstrap an IPA server we create a number of principals for
>> the server itself. We create a host/, HTTP/ and ldap/ principal using
>> kadmin.local. By using kadmin.local this entry is put into
>> cn=kerberos,dc=example,dc=com.
>>
>> This has the nice side effect of making these records not appear as
>> service entries so they are unmodifiable by anyone, meaning an admin
>> will have a really hard time hosing their server.
>>
>> The downside is that these records do not appear as service entries,
>> so if you search for services on the IPA server you'll get nothing.
>>
> 
> How do we search? What base DN do we use? One of the solutions might be to
> install these principals as is and only later apply ipaService object
> class to them so that the search for services would find them. Would be
> a bit ugly since as far as I understand these services are in a
> different location in the tree but this approach might be less painful
> than LDIF and delete and add.
> I hope that we will get the RDN renames pretty soon so that this would
> not be an issue but it might not be soon enough for v2.
> 

We search in the baseDN of the type of object it is, so cn=services, 
cn=computers, cn=users, etc.

We also filter on the objectclasses that should be in that object.

Searching in 2 places is possible just not something we currently do.

I'm leaning towards moving the entries, more so since I haven't gotten 
any "that is the dumbest idea I've heard all week" responses :-)

We store a list of the IPA masters in the DIT somewhere, I'll have to 
see if I can find a way to maintain protection of the principals using that.

rob
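The search behaviour discussed in this thread, as an added example that is not FreeIPA's own code: a small in-memory DIT with constructed DNs shows that a per-type search under cn=services misses the kadmin.local principals in cn=kerberos, that adding cn=kerberos as a second search base is not enough on its own because those entries lack the ipaService object class, and that stamping ipaService onto them in place (Dmitri's option) makes them show up. The container names come from the thread; the principal names and the attribute layout are assumptions.

```python
# Added example (not FreeIPA code): a toy in-memory DIT that reproduces the
# search problem from the thread. Every DN and attribute value is constructed.
SUFFIX = "dc=example,dc=com"
SERVICES = "cn=services," + SUFFIX
KERBEROS = "cn=kerberos," + SUFFIX


def principal_entry(container, principal, objectclasses):
    """Build one (dn, attributes) pair for a Kerberos principal."""
    dn = "krbprincipalname=%s,%s" % (principal, container)
    return dn, {"objectclass": list(objectclasses),
                "krbprincipalname": [principal]}


# A normal service lives under cn=services with the ipaService class; the
# server's own host/, HTTP/ and ldap/ principals were created by kadmin.local
# and therefore sit under cn=kerberos without it (sample data, not a real DIT).
DIT = [
    principal_entry(SERVICES, "nfs/client.example.com@EXAMPLE.COM",
                    ["krbprincipal", "ipaService"]),
    principal_entry(KERBEROS, "host/ipa.example.com@EXAMPLE.COM", ["krbprincipal"]),
    principal_entry(KERBEROS, "HTTP/ipa.example.com@EXAMPLE.COM", ["krbprincipal"]),
    principal_entry(KERBEROS, "ldap/ipa.example.com@EXAMPLE.COM", ["krbprincipal"]),
]


def under_base(dn, base):
    """True when dn lies below base (case-insensitive suffix match on the DN)."""
    return dn.lower().endswith("," + base.lower())


def has_objectclass(attrs, oc):
    return oc.lower() in [v.lower() for v in attrs.get("objectclass", [])]


def search(dit, bases, objectclass):
    """DNs under any of the bases that carry objectclass. One base is the
    current per-type search; two bases is the 'search in 2 places' option."""
    return [dn for dn, attrs in dit
            if any(under_base(dn, b) for b in bases)
            and has_objectclass(attrs, objectclass)]


def add_objectclass(dit, base, oc):
    """Dmitri's option: add the object class to the kadmin.local entries in
    place, leaving them where they are in the tree."""
    for dn, attrs in dit:
        if under_base(dn, base) and not has_objectclass(attrs, oc):
            attrs["objectclass"].append(oc)


if __name__ == "__main__":
    print(search(DIT, [SERVICES], "ipaService"))            # 1 entry: nfs only
    print(search(DIT, [SERVICES, KERBEROS], "ipaService"))  # still 1 entry
    add_objectclass(DIT, KERBEROS, "ipaService")
    print(search(DIT, [SERVICES, KERBEROS], "ipaService"))  # all 4 entries
```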
