[Freeipa-devel] More types of replica in FreeIPA

Simo Sorce simo at redhat.com
Tue Mar 6 15:59:22 UTC 2012


On Tue, 2012-03-06 at 10:56 -0500, Dmitri Pal wrote:
> [...]
> >
> > For a read-only KDC we need to investigate what's the better solution.
> > There are many ways we can handle the issue, one of the simplest is
> > probably to allow the RO KDC to use a special LDAP Extended operation
> > against a full R/W server to get the user keys to sign, authenticating
> > with a special R/O KDC principal. We can also investigate how MS does
> > internal forwarding and do something similar as I suspect that's
> > something samba4-RODC will want to implement too, so we could share some
> > of the development burden there.
> >
> > Simo.
> >
> 
> I do not think it is a good idea for the remote RO KDC to go back to
> the main datacenter on every authentication without some sort of
> caching. This is why I think that some kind of SSSD integration might
> be due. If RO KDC would just pass the authentication to SSSD in some
> way and SSSD would do the caching in case the office gets offline. I
> understand that authhub as is will not work as the client sends time
> stamp encrypted with password and SSSD needs plain text password as
> credential. I do not know if there is a way to solve this without
> actually sending the password in the tunnel. IMO it is more important
> to make sure that remote office can have uninterrupted operation than
> to worry about the password being sent inside the encrypted tunnel. It
> is something that deployment should decide and weigh risks against
> convenience.

This is why MS does partial replication, i.e. allows the RODC to have data
about the office users. It's complex and there are many ways to handle
it. We need to look at various options and see how they would work
against use cases we want to support.
Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
