[Freeipa-devel] [PATCH] 0108 Add support for compatibility tree for trusted domain users

Jakub Hrozek jhrozek at redhat.com
Tue Jul 16 12:54:47 UTC 2013


On Mon, Jul 15, 2013 at 08:14:52PM +0300, Alexander Bokovoy wrote:
> Hi!
> 
> The attached patch makes it possible to enable serving trusted domain users and groups
> through the Schema Compatibility plugin.
> 
> The patch only does the FreeIPA master configuration settings; the real work
> is done by the changes to the slapi-nis plugin (in a separate email).
> 
> Since ipa-adtrust-install can safely be run multiple times, one can
> re-run it on the IPA master to enable serving old clients, by specifying
> 
> ipa-adtrust-install --enable-compat
> 
> or answering 'yes' to the interactive question.
> 
> I have expanded the man page for ipa-adtrust-install to cover this option.
> 
> Once enabled, the following is possible:
> ---------------------------------------------------------------------------
> # ldapsearch -Y GSSAPI -b cn=compat,dc=vda,dc=li '(&(cn=domain admins at ad.lan)(objectclass=posixgroup))'
> SASL/GSSAPI authentication started
> SASL username: admin at VDA.LI
> SASL SSF: 56
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> # base <cn=compat,dc=vda,dc=li> with scope subtree
> # filter: (&(cn=domain admins at ad.lan)(objectclass=posixgroup))
> # requesting: ALL
> #
> 
> # domain admins at ad.lan, groups, compat, vda.li
> dn: cn=domain admins at ad.lan,cn=groups,cn=compat,dc=vda,dc=li
> objectClass: posixGroup
> objectClass: extensibleObject
> objectClass: top
> gidNumber: 1442800512
> memberUid: uid=administrator at ad.lan,cn=users,cn=compat,dc=vda,dc=li
> schema-compat-origin: sssd
> ipaNTSecurityIdentifier: S-1-5-21-3502988750-125904550-3683905862-512
> cn: domain admins at ad.lan
> 
> # search result
> search: 4
> result: 0 Success
> 
> # numResponses: 2
> # numEntries: 1
> ---------------------------------------------------------------------------
> 
> and for users:
> ---------------------------------------------------------------------------
> # ldapsearch -Y GSSAPI -b cn=compat,dc=vda,dc=li
> # '(uid=administrator at ad.lan)'
> SASL/GSSAPI authentication started
> SASL username: admin at VDA.LI
> SASL SSF: 56
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> # base <cn=compat,dc=vda,dc=li> with scope subtree
> # filter: (uid=administrator at ad.lan)
> # requesting: ALL
> #
> 
> # administrator at ad.lan, users, compat, vda.li
> dn: uid=administrator at ad.lan,cn=users,cn=compat,dc=vda,dc=li
> objectClass: posixAccount
> objectClass: extensibleObject
> objectClass: top
> gecos: Administrator
> cn: Administrator
> uidNumber: 1442800500
> gidNumber: 1442800500
> homeDirectory: /
> schema-compat-origin: sssd
> ipaNTSecurityIdentifier: S-1-5-21-3502988750-125904550-3683905862-500
> uid: administrator at ad.lan
> 
> # search result
> search: 4
> result: 0 Success
> 
> # numResponses: 2
> # numEntries: 1
> ----------------------------------------------------------------------------
> 
> Currently PAM authentication is a bit broken due to a yet-to-be-hunted bug in
> SSSD or my environment (Jakub was unable to reproduce it) where SSSD
> thinks that the AD DC is offline during the authentication step.
> 
> However, if you don't hit the bug, you can check authentication by doing the
> following bind and entering the password for your AD administrator:
> # ldapsearch -D uid=administrator at ad.lan,cn=users,cn=compat,dc=vda,dc=li \
>  -W -x -C -a always  -b dc=vda,dc=li '(uid=admin)'
> 
> The bind operation needs to be performed _after_ user lookup.
> 
> All these commands are only examples; I'm currently working on seeing
> how to configure pam_ldap/nss_ldap to use the compat plugin this way.
> -- 
> / Alexander Bokovoy

Hi,

the patch looks mostly good to me. I only have some small nitpicks:

> +++ b/install/tools/man/ipa-adtrust-install.1
> @@ -106,6 +106,24 @@ The password of the user with administrative privileges for this IPA server. Wil
>  .TP
>  The credentials of the admin user will be used to obtain Kerberos ticket before configuring cross-realm trusts support and afterwards, to ensure that the ticket contains MS-PAC information required to actually add a trust with Active Directory domain via 'ipa trust-add --type=ad' command.
>  .TP
> +\fB\-\-enable\-compat\fR
> +Enables support for trusted domains users for old clients through Schema Compatibility plugin.
> +SSSD supports trusted domains natively starting with version 1.9 platform. For platforms that
                                                                    ^^^^^^^^
                                                          The word "platform"
                                                          looks a little
                                                          extra here to me.
                                                               
> +lack SSSD or run older SSSD version one needs to use this option. When enabled, slapi\-nis package
> +needs to be installed and schema\-compat\-plugin will be configured to provide lookup of
> +users and groups from trusted domains via SSSD on IPA server. These users and groups will be
> +available under \fBcn=users,cn=compat,$SUFFIX\fR and \fBcn=groups,cn=compat,$SUFFIX\fR trees.
> +SSSD will normalize names of users and groups to lower case.
> +.IP
> +In addition to providing these users and groups through the compat tree, this option enables
> +authentication over LDAP for trusted domain users with DN under compat tree, i.e. using bind DN
> +\fBuid=administrator at ad.domain,cn=users,cn=compat,$SUFFIX\fR. This authentication is related
> +to PAM stack using '\fBsystem\-auth\fR' PAM service. If you have disabled HBAC rule 'allow_all', then
> +make sure there is special service called '\fBsystem\-auth\fR' created and HBAC rule to allow
> +access to anyone to this rule on IPA masters is added. Please note that system-auth PAM service
> +is not used directly by any other application, therefore it is safe to create one specifically
> +to support trusted domain users via compatibility path.

The last sentence wasn't really clear to me, were you suggesting to
create a special PAM service?

> +.TP
>  .SH "EXIT STATUS"
>  0 if the installation was successful
>  
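Review bot: The trailing `+.TP` placed directly before `.SH "EXIT STATUS"` is a stray macro: `.TP` opens a tagged paragraph and expects its tag on the next line, so followed immediately by `.SH` it only emits empty vertical space; drop it. In the `\-\-enable\-compat` text, the sentence "make sure there is special service called 'system-auth' created and HBAC rule to allow access to anyone to this rule on IPA masters is added" is hard to act on: it does not say whether the rule is keyed on the service, the hosts, or both, and "anyone" reads as if the rule must be unrestricted. Spelling out the two objects the admin has to create (an HBAC service named system-auth, and an HBAC rule granting that service on the IPA masters to the users who should be able to authenticate through the compat tree) would make the requirement clear and let the admin scope the rule rather than open it to everyone.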
> diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
> index 4eb20d9..9ecc7e9 100644
> --- a/ipaserver/install/adtrustinstance.py
> +++ b/ipaserver/install/adtrustinstance.py
> @@ -664,6 +664,20 @@ class ADTRUSTInstance(service.Service):
>          except Exception, e:
>              root_logger.critical("Checking replicas for cifs principals failed with error '%s'" % e)
>  
> +    def __enable_compat_tree(self):
> +        try:
> +            compat_plugin_dn = DN("cn=Schema Compatibility,cn=plugins,cn=config")
> +            lookup_sssd_name = "schema-compat-lookup-sssd"
> +            for config in (("cn=users", "user"), ("cn=groups", "group")):
> +                entry_dn = DN(config[0], compat_plugin_dn)
> +                current = self.admin_conn.get_entry(entry_dn)
> +                lookup_sssd = current.get(lookup_sssd_name, [])
> +                if not(config[1] in lookup_sssd):
> +                    current[lookup_sssd_name] = [config[1]]
> +                    self.admin_conn.update_entry(entry_dn, current)
> +        except Exception, e:
> +            root_logger.critical("Enabling SSSD support in slapi-nis failed with error '%s'" % e)
> +
>      def __start(self):
>          try:
>              self.start()
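Review bot: `current[lookup_sssd_name] = [config[1]]` overwrites the whole multi-valued `schema-compat-lookup-sssd` attribute with the single new value, so any value that was already set on the `cn=users` or `cn=groups` plugin entry is silently dropped; the guard only checks that the wanted value is absent, not that the list is empty. Use `current[lookup_sssd_name] = lookup_sssd + [config[1]]` instead, and write the test as the idiomatic `if config[1] not in lookup_sssd:`. Also, `except Exception, e:` only logs at critical and lets the installer go on, so if the `cn=Schema Compatibility,cn=plugins,cn=config` subtree is missing (slapi-nis not installed, which the man page text says is required), the run looks successful while the compat tree was never enabled; consider failing the step, or checking for the plugin entries before it runs.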
> @@ -713,7 +727,7 @@ class ADTRUSTInstance(service.Service):
>  
>      def setup(self, fqdn, ip_address, realm_name, domain_name, netbios_name,
>                reset_netbios_name, rid_base, secondary_rid_base,
> -              no_msdcs=False, add_sids=False, smbd_user="samba"):
> +              no_msdcs=False, add_sids=False, smbd_user="samba", enable_compat=False):
>          self.fqdn = fqdn
>          self.ip_address = ip_address
>          self.realm = realm_name
> @@ -724,6 +738,7 @@ class ADTRUSTInstance(service.Service):
>          self.secondary_rid_base = secondary_rid_base
>          self.no_msdcs = no_msdcs
>          self.add_sids = add_sids
> +        self.enable_compat = enable_compat
>          self.smbd_user = smbd_user
>          self.suffix = ipautil.realm_to_suffix(self.realm)
>          self.ldapi_socket = "%%2fvar%%2frun%%2fslapd-%s.socket" % \
> @@ -811,6 +826,11 @@ class ADTRUSTInstance(service.Service):
>          self.step("configuring smbd to start on boot", self.__enable)
>          self.step("adding special DNS service records", \
>                    self.__add_dns_service_records)
> +
> +        if self.enable_compat:
> +            self.step("Enabling trusted domains support for older clients via Schema Compatibility plugin",

                         ^^^^
                Nitpick: all the other steps begin with a lowercase
                letter. Only this one is uppercased, which makes the
                tool output look inconsistent:
 [15/21]: adding special DNS service records
 [16/21]: Enabling trusted domains support for older clients via Schema Compatibility plugin
 [17/21]: restarting Directory Server to take MS PAC and LDAP plugins changes into account

> +                      self.__enable_compat_tree)
> +
>          self.step("restarting Directory Server to take MS PAC and LDAP plugins changes into account", \
>                    self.__restart_dirsrv)
>          self.step("adding fallback group", self.__add_fallback_group)
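Review bot: Besides the capitalization, the step label is long enough to make the `[16/21]:` progress line stand out from its neighbours; something like "enabling trusted domains support for older clients via the compat tree" keeps it consistent and readable. The placement is right: the new step runs before "restarting Directory Server", which is what makes the plugin configuration change take effect. The two blank `+` lines around the `if self.enable_compat:` block are not needed either; the surrounding `self.step(...)` calls are not separated by blank lines.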
> -- 
> 1.8.3.1
> 

Otherwise looks good to me and seems to be working fine.
