[Freeipa-devel] WIP: ipa trust command
Simo Sorce
simo at redhat.com
Mon Dec 12 19:09:54 UTC 2011
On Mon, 2011-12-12 at 19:49 +0200, Alexander Bokovoy wrote:
> Hi,
>
> I'm working on ticket #1821 to introduce FreeIPA 3.0 AD trusts
> management CLI and GUI. It is quite apparent that most of management
> commands will be similar to all future trust types (AD, IPA, etc),
> thus, it makes sense to develop a generalized `ipa trust' family of
> commands that would apply to all types of trusts.
>
> Let's start with CLI. Below is a first cut at how I see trust
> management command line interface. Comments, corrections, and critique
> are all welcomed.
>
> One of FreeIPA v3.0 major features will be support for cross-realm
> trusts with the emphasis on trusts to Active Directory domains. This
> documents attempts to design a common interface for managing trusts
> with FreeIPA tools (command line and GUI).
>
> `ipa trust'
> ===========
>
> `ipa trust' is a common family of operations on trusts. Trusts can be:
> * created (ipa trust-add)
> * listed (ipa trust-find)
> * viewed (ipa trust-show)
> * removed (ipa trust-del)
>
> 1. Adding a trust
>
> `ipa trust-add' sets up a trust agreement with another realm. The
> command requires to know realm of the trust being added, its
> administrator rights, and type of the trust to establish.
>
> Proposed syntax:
> ipa trust-add <realm> --type ads|ipa|kerberos|etc --realmadmin <Name>
> --password <Value> [type-specific parameters]
>
> Creates a trust between FreeIPA realm and another realm of selected
> type. Only 'ads' type is currently supported.
>
> For 'ads' type running `ipa trust-add' would be equivalent to
> following sequence:
> * ipa-adtrust-install
> * net rpc trust create
I think this is problematic in one regard. It can work only on one
specific server (a general problem of ipa-adtrust-install).
I am not sure how to fix it though. Ideally once you create a trust all
IPA servers in the domain should be able to properly handle it. But at
this moment only servers on which you explicitly run
ipa-adtrust-instalkl can.
Actually even worse, I think ipa-adtrust-install will fail with multiple
servers because the uid=samba user have a random password that cannot be
communicated to other servers ...
> 2. Listing trusts
>
> `ipa trust-find' will show all trusts with other realms corresponding
> certain criteria.
>
> Proposed syntax:
> ipa trust-find [CRITERIA] [options]
>
> where CRITERIA is tested against realms of existing trusts
>
> Options might include:
> * --type ads|ipa|kerberos|etc -- type of the trust
>
>
> 3. Viewing details of trust
>
> `ipa trust-show' exposes details of the established trust agreement
> with a specified realm.
>
> Proposed syntax:
> ipa trust-show <realm> [options]
>
> Details shown will depend on the type of trust with following
> information available for all trusts:
> * realm name
> * trust type
You may want to add trust direction here. I think we may want to support
incoming only trusts with AD in future (ie we trust AD but AD admins do
not want to trust IPA).
> 4. Removal of existing trus
>
> `ipa trust-del' removes existing trust agreement
>
> 5. Access rights
>
> Trust management requires modification of FreeIPA LDAP database
> instance and potentially external resources specific to the trust
> nature. cn=trusts,$SUFFIX is used as a container to store information
> about trusts with containers inside it for different types of trusts.
>
> Currently FreeIPA 3.0 implements cn=ad,cn=trusts,$SUFFIX tree for
> Active Directory-related trusts.
>
> Trust management implies limited access which should be implemented
> with the help of 389-ds ACIs.
>
> In order to give users access to the trust management, group of trust
> administrators would be created, thus ACI would limit exposure to
> cn=trusts,$SUFFIX tree to this group and additional trust
> implementation-specific system users defined at cn=trusts,cn=sysaccounts,cn=etc,$SUFFIX.
>
> Currently AD trusts implement following ACIs per trust:
> 1. Trust information:
> (target = "ldap:///cn=$DOMAIN,cn=ad,cn=trusts,$SUFFIX")
> (targetattr = "ipaNTTrustType || ipaNTTrustAttributes ||
> ipaNTTrustDirection ||
> ipaNTTrustPartner || ipaNTFlatName ||
> ipaNTTrustAuthOutgoing ||
> ipaNTTrustAuthIncoming ||
> ipaNTSecurityIdentifier ||
> ipaNTTrustForestTrustInfo ||
> ipaNTTrustPosixOffset ||
> ipaNTSupportedEncryptionTypes")
> (version 3.0;acl "Allow samba user to create and delete trust accounts";
> allow (write,add,delete) userdn = "ldap:///$SAMBA_USER_DN";)
>
> 2. NT Passwords:
> (targetattr = "ipaNTHash")
> (version 3.0; acl "Samba user can read NT passwords";
> allow (read) userdn="ldap:///$SAMBA_USER_DN";)
>
> where $SAMBA_USER_DN is DN of special user defined at
> uid=samba,cn=sysaccounts,cn=etc,$SUFFIX for the purpose of reading
> ipaNTHash attribute (NT passwords) of existing users and accessing
> trust information from the ipa-sam database plugin for Samba.
>
> Current approach requires creating separate ACIs per each trust and
> using the same system user account for all of them. As a consequence,
> ACIs are added during trust creation and require Directory Manager
> privileges which should be discouraged for 'ipa trust' set of
> commands.
We should just use cn=* in the ACI instead of CN=$DOMAIN and add ACIs
only once.
> Instead, macro ACI could be created that would allow access to the trust information
> based on the part of DN of the system user:
>
> uid=<user name>,cn=<trust type>,cn=trusts,cn=sysaccounts,cn=etc,$SUFFIX
>
> which for AD trusts would be
>
> uid=samba,cn=ad,cn=trusts,cn=sysaccounts,cn=etc,$SUFFIX
>
> and ACI would be modified to have follow allow stanza:
>
> (target = "ldap:///($dn),cn=trusts,$SUFFIX")
> (targetattr = "ipaNTTrustType || ipaNTTrustAttributes ||
> ipaNTTrustDirection ||
> ipaNTTrustPartner || ipaNTFlatName ||
> ipaNTTrustAuthOutgoing ||
> ipaNTTrustAuthIncoming ||
> ipaNTSecurityIdentifier ||
> ipaNTTrustForestTrustInfo ||
> ipaNTTrustPosixOffset ||
> ipaNTSupportedEncryptionTypes")
> (version 3.0;acl "Allow trust system user to create and delete trust accounts";
> allow (write,add,delete) userdn="ldap:///uid=*,($dn),cn=trusts,cn=sysaccounts,cn=etc,$SUFFIX";)
>
> (targetattr = "ipaNTHash")
> (version 3.0; acl "Samba user can read NT passwords";
> allow (read) userdn="ldap:///uid=*,cn=ad,cn=trusts,cn=sysaccounts,cn=etc,$SUFFIX";)
>
> And trust admins ACI:
>
> (target = "ldap:///cn=trusts,$SUFFIX")
> (targetattr = "*")
> (version 3.0; acl "Trust management";
> allow (all) groupdn="ldap:///cn=trust admins,cn=groups,cn=accounts,$SUFFIX";)
Although I think we need 'trust admins' ACIs, I do not think we need the
macro ACI for uid=samba. We do not need multiple users for trusts, only
trusts that involve samba needs a separate user at this moment.
So I'd say ACK for the second part and NACK for the first.
> This approach would allow us to have a single ACI macro for system
> accounts of all types of trusts for all realms and then a single ACI
> per trust type.
We need a single ACI, just not with macros, we can have all we need with
a simpler ACI, and simpler always wins :)
Simo.
--
Simo Sorce * Red Hat, Inc * New York
More information about the Freeipa-devel
mailing list