[Freeipa-devel] [PATCH] 352-354 Add support for AD users to hbactest command
Simo Sorce
simo at redhat.com
Sat Jan 19 18:35:28 UTC 2013
On Fri, 2013-01-18 at 18:24 +0100, Martin Kosek wrote:
> How this works:
> 1. When a trusted domain user is tested, AD GC is searched
> for the user entry Distinguished Name
My head is not clear today but it looks to me you are doing 2 searches.
One to go from samAccountName -> DN and then a second for DN -> SID.
Why are you doing 2 searches? The first one can return you the
ObjectSid already.
Simo.
> 2. The user entry is then read from AD GC and its SID and SIDs
> of all its assigned groups (tokenGroups attribute) are retrieved
> 3. The SIDs are then used to search IPA LDAP database to find
> all external groups which have any of these SIDs as external
> members
> 4. All these groups having these groups as direct or indirect
> members are added to hbactest allowing it to perform the search
>
> LIMITATIONS:
> - user SID in hbactest --user parameter is not supported
> - only Trusted Admins group members can use this function as it
> uses secret for IPA-Trusted domain link
> - List of group SIDs does not contain group memberships outside
> of the trusted domain
>
> https://fedorahosted.org/freeipa/ticket/2997
>
> ------------------------
>
> There are also 2 patches changing current dcerpc.py code to make it usable both
> for group-add-member trusted domain user resolution and also for purposes of
> the trusted domain user hbactest.
>
> Example of the new hbactest ability:
> # ipa hbacrule-show can_login
> Rule name: can_login
> Host category: all
> Source host category: all
> Enabled: TRUE
> User Groups: admins, ad_test_admins
> Services: login, sshd
> # ipa group-show ad_test_admins
> Group name: ad_test_admins
> Description: AD.TEST admins
> GID: 179000011
> Member groups: ext_all_admins
> Member of HBAC rule: can_login
> # ipa group-show ext_all_admins
> Group name: ext_all_admins
> Description: All AD.TEST admins
> Member of groups: ad_test_admins
> Indirect Member of HBAC rule: can_login
> External member: S-1-5-21-3035198329-144811719-1378114514-512
>
> # ipa hbactest --user='AD\Administrator' --host=`hostname` --service=sshd
> --------------------
> Access granted: True
> --------------------
> Matched rules: can_login
>
> There may still be dragons, I am sending what I have now, still need to run
> more tests.
>
> Martin
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
--
Simo Sorce * Red Hat, Inc * New York
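The data handling behind steps 2 to 4 of the quoted description, as an added example that is not code from the FreeIPA patches under discussion: it decodes the binary objectSid and tokenGroups values AD returns into S-1-... strings, builds the IPA-side LDAP filter, walks the external-group and nested-group membership to find every IPA group the user belongs to directly or indirectly, and evaluates the user-group part of an HBAC rule. The domain SID, group names and the can_login rule are the ones shown in the thread; the user RIDs, the objectClass `ipaexternalgroup` and attribute `ipaExternalMember` in the filter, and the in-memory representation of IPA groups are assumptions made for the example, not taken from the page.

```python
"""Added example (not FreeIPA code): AD user SIDs -> IPA external groups -> HBAC
user match, over constructed in-memory data so it runs without AD or IPA."""
import re
import struct

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def decode_sid(blob):
    """Decode the binary SID format AD uses for objectSid and tokenGroups values."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    if len(blob) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match blob length")
    authority = int.from_bytes(blob[2:8], "big")      # 48-bit authority, big-endian
    subs = struct.unpack("<%dI" % count, blob[8:])    # sub-authorities, LE uint32
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def encode_sid(sid):
    """Inverse of decode_sid; used here only to build the constructed AD input."""
    if not SID_RE.match(sid):
        raise ValueError("not a SID: %r" % sid)
    parts = [int(p) for p in sid.split("-")[1:]]
    revision, authority, subs = parts[0], parts[1], parts[2:]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def user_sids(objectsid_blob, tokengroups_blobs):
    """Step 2: the user's own SID plus every SID listed in tokenGroups."""
    return {decode_sid(objectsid_blob)} | {decode_sid(b) for b in tokengroups_blobs}


def ipa_external_group_filter(sids):
    """Step 3: LDAP filter for the IPA search. objectClass/attribute names are
    assumptions about the IPA schema. Values are validated as SIDs before they
    are interpolated so nothing else can reach the filter."""
    for s in sids:
        if not SID_RE.match(s):
            raise ValueError("refusing to put non-SID value into filter: %r" % s)
    return "(&(objectClass=ipaexternalgroup)(|%s))" % "".join(
        "(ipaExternalMember=%s)" % s for s in sorted(sids))


def resolve_groups(sids, groups):
    """Steps 3-4: external groups holding any of the SIDs, plus every group that
    has them as a direct or indirect member. `groups` maps group name ->
    {"member_groups": set, "external_members": set} (assumed layout)."""
    parents = {}
    for name, g in groups.items():
        for child in g["member_groups"]:
            parents.setdefault(child, set()).add(name)
    found = {name for name, g in groups.items() if g["external_members"] & sids}
    todo = list(found)
    while todo:                      # climb the nesting, each group visited once
        child = todo.pop()
        for parent in parents.get(child, ()):
            if parent not in found:
                found.add(parent)
                todo.append(parent)
    return found


def hbac_matched_rules(user_groups, rules):
    """User side of the HBAC check only; host and service matching are omitted."""
    return sorted(name for name, r in rules.items()
                  if r["enabled"] and (r["usercategory"] == "all"
                                       or r["usergroups"] & user_groups))


# Constructed sample data. The domain SID and IPA groups are those shown in the
# thread; the user RIDs (500, 1105) and the Domain Users RID 513 are assumptions.
DOMAIN_SID = "S-1-5-21-3035198329-144811719-1378114514"
ADMIN_OBJECTSID = encode_sid(DOMAIN_SID + "-500")
ADMIN_TOKENGROUPS = [encode_sid(DOMAIN_SID + "-512"), encode_sid(DOMAIN_SID + "-513")]
PLAIN_OBJECTSID = encode_sid(DOMAIN_SID + "-1105")
PLAIN_TOKENGROUPS = [encode_sid(DOMAIN_SID + "-513")]

IPA_GROUPS = {
    "admins":         {"member_groups": set(), "external_members": set()},
    "ad_test_admins": {"member_groups": {"ext_all_admins"}, "external_members": set()},
    "ext_all_admins": {"member_groups": set(),
                       "external_members": {DOMAIN_SID + "-512"}},
}
HBAC_RULES = {
    "can_login": {"enabled": True, "usercategory": None,
                  "usergroups": {"admins", "ad_test_admins"}},
}


def hbactest_user(objectsid_blob, tokengroups_blobs):
    """Run the whole chain for one AD user; returns the matched rule names."""
    sids = user_sids(objectsid_blob, tokengroups_blobs)
    return hbac_matched_rules(resolve_groups(sids, IPA_GROUPS), HBAC_RULES)


if __name__ == "__main__":
    print("Administrator:", hbactest_user(ADMIN_OBJECTSID, ADMIN_TOKENGROUPS))
    print("plain user:   ", hbactest_user(PLAIN_OBJECTSID, PLAIN_TOKENGROUPS))
    print(ipa_external_group_filter(user_sids(ADMIN_OBJECTSID, ADMIN_TOKENGROUPS)))
```

Running it grants the Administrator (member of the -512 group that ext_all_admins carries as external member, which in turn is nested in ad_test_admins) the can_login rule and denies the plain user, matching the hbactest output quoted above. The filter builder validates each value against the SID syntax before interpolating it, which is the check worth keeping whenever values obtained from a remote directory are turned into a second LDAP query.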