[Freeipa-devel] More types of replica in FreeIPA

Dmitri Pal dpal at redhat.com
Tue Mar 6 16:47:11 UTC 2012


On 03/06/2012 10:59 AM, Simo Sorce wrote:
> On Tue, 2012-03-06 at 10:56 -0500, Dmitri Pal wrote:
>> [...]
>>>
>>> For a read-only KDC we need to investigate what's the better
>>> solution.
>>> There are many ways we can handle the issue, one of the simplest is
>>> probably to allow the RO KDC to use a special LDAP Extended operation
>>> against a full R/W server to get the user keys to sign, authenticating
>>> with a special R/O KDC principal. We can also investigate how MS does
>>> internal forwarding and do something similar as I suspect that's
>>> something samba4-RODC will want to implement too, so we could share some
>>> of the development burden there.
>>>
>>> Simo.
>>>
>> I do not think it is a good idea for the remote RO KDC to go back to
>> the main datacenter on every authentication without some sort of
>> caching. This is why I think that some kind of SSSD integration might
>> be due: if the RO KDC would just pass the authentication to SSSD in some
>> way, SSSD would do the caching in case the office goes offline. I
>> understand that authhub as is will not work, as the client sends a time
>> stamp encrypted with the password and SSSD needs the plain text password
>> as credential. I do not know if there is a way to solve this without
>> actually sending the password in the tunnel. IMO it is more important
>> to make sure that the remote office can have uninterrupted operation than
>> to worry about the password being sent inside the encrypted tunnel. It
>> is something that deployment should decide and weigh risks against
>> convenience.
> This is why MS does partial replication, i.e. allows the RODC to have data
> about the office users. It's complex and there are many ways to handle
> it. We need to look at various options and see how they would work
> against the use cases we want to support.
> Simo.
>
Then maybe Ondrej should start by formulating use cases and
requirements based on this discussion.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
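The trade-off the thread is circling (a read-only KDC that either forwards every pre-authentication to a read/write server, or holds a partial replica of the branch users' keys so the office keeps working when the link is down) can be modelled in a few dozen lines. The model below is an added example for this archive page; it is not FreeIPA, Samba or Active Directory code and does not reflect what the project eventually implemented. The realm, principal names, passwords, epoch time and skew limit are constructed; the timestamp is protected with an HMAC rather than Kerberos encryption, and `string_to_key` is a simplified stand-in for a real enctype's string-to-key. The forwarding call stands in for the "special LDAP extended operation" Simo describes.

```python
"""Toy model of a read-only KDC with partial replication plus forwarding."""
import hashlib
import hmac

REALM = "EXAMPLE.TEST"          # constructed realm name
MAX_SKEW_SECONDS = 300          # Kerberos-style clock skew tolerance (assumed value)


def string_to_key(password: str, principal: str, realm: str = REALM) -> bytes:
    """Derive a long-term key from a password.

    Stand-in for Kerberos string-to-key: like RFC 3962 it uses PBKDF2 with a
    salt built from realm and principal, but the hash, iteration count and
    output length here are illustrative, not a real enctype.
    """
    salt = (realm + principal).encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 4096, dklen=32)


def timestamp_tag(key: bytes, ts: bytes) -> bytes:
    # PA-ENC-TIMESTAMP is modelled as a keyed MAC over the timestamp.  Real
    # Kerberos encrypts the timestamp; the property that matters here is the
    # same: the verifier needs the key itself, a password hash is not enough.
    return hmac.new(key, ts, hashlib.sha256).digest()


def client_preauth(password: str, principal: str, now: int) -> tuple[bytes, bytes]:
    """What the client sends: the timestamp and its tag under the password key."""
    ts = str(now).encode()
    return ts, timestamp_tag(string_to_key(password, principal), ts)


def check_preauth(key: bytes, ts: bytes, tag: bytes, now: int) -> bool:
    """KDC side: verify a pre-auth blob with the principal's key."""
    if abs(int(ts) - now) > MAX_SKEW_SECONDS:
        return False
    return hmac.compare_digest(timestamp_tag(key, ts), tag)


class RWKDC:
    """Full read/write KDC: holds every principal's key."""

    def __init__(self, keys: dict[str, bytes]):
        self.keys = keys

    def verify(self, principal: str, ts: bytes, tag: bytes, now: int) -> bool:
        key = self.keys.get(principal)
        return key is not None and check_preauth(key, ts, tag, now)


class ROKDC:
    """Read-only KDC: partial replication for branch users, forwarding for the rest.

    Keys for principals in `replicated` are copied locally, so those users
    authenticate even when the WAN link is down.  Everyone else is forwarded
    to the R/W KDC and fails while the office is offline.
    """

    def __init__(self, rw: RWKDC, replicated: set[str]):
        self.rw = rw
        self.online = True
        self.keys = {p: rw.keys[p] for p in replicated if p in rw.keys}

    def verify(self, principal: str, ts: bytes, tag: bytes, now: int) -> tuple[str, bool]:
        """Return (path taken, result) so the caller can see which case fired."""
        key = self.keys.get(principal)
        if key is not None:
            return "local", check_preauth(key, ts, tag, now)
        if not self.online:
            return "offline", False
        return "forwarded", self.rw.verify(principal, ts, tag, now)


def demo() -> dict[str, tuple[str, bool]]:
    """Constructed scenario: alice is a branch-office user, bob is not."""
    now = 1331052431                                  # constructed epoch time
    rw = RWKDC({
        "alice": string_to_key("correct horse", "alice"),
        "bob": string_to_key("battery staple", "bob"),
    })
    ro = ROKDC(rw, replicated={"alice"})
    results = {}
    results["alice_online"] = ro.verify("alice", *client_preauth("correct horse", "alice", now), now)
    results["alice_badpw"] = ro.verify("alice", *client_preauth("wrong", "alice", now), now)
    results["bob_online"] = ro.verify("bob", *client_preauth("battery staple", "bob", now), now)
    ts_old, tag_old = client_preauth("battery staple", "bob", now - 3600)
    results["bob_replay"] = ro.verify("bob", ts_old, tag_old, now)   # stale timestamp
    ro.online = False                                                 # WAN link down
    results["alice_offline"] = ro.verify("alice", *client_preauth("correct horse", "alice", now), now)
    results["bob_offline"] = ro.verify("bob", *client_preauth("battery staple", "bob", now), now)
    return results


if __name__ == "__main__":
    for case, (path, ok) in demo().items():
        print(f"{case:14} {path:9} {'OK' if ok else 'REJECT'}")
```

Running `demo()` shows the two sides of the argument in one place: with the link up, the replicated user and the forwarded user both succeed and a stale timestamp is rejected; with the link down, only the user whose key was replicated to the branch still gets in. The model also shows why an SSSD-style cache holding a password hash rather than the Kerberos key cannot take the local path: `check_preauth` needs the key itself, which is the point Dmitri raises about the encrypted timestamp.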





