[Freeipa-devel] LDAPI + autobind instead of Kerberos (for named)?

Petr Spacek pspacek at redhat.com
Thu Jun 19 15:10:08 UTC 2014


On 19.6.2014 17:06, Martin Kosek wrote:
> On 06/19/2014 04:58 PM, Alexander Bokovoy wrote:
>> On Thu, 19 Jun 2014, Simo Sorce wrote:
>>> On Thu, 2014-06-19 at 17:47 +0300, Alexander Bokovoy wrote:
>>>> On Thu, 19 Jun 2014, Simo Sorce wrote:
>>>>>> I may need to revive my sysaccounts module...
>>>>>
>>>>> There is one more issue though, and this one really concerns me.
>>>>> If you need to put there multiple accounts because different servers
>>>>> have different local accounts, then you open up access to unrelated
>>>>> services. Because all these uids are shared on all systems.
>>>>>
>>>>> I think this kills my own proposal of sticking these entries in
>>>>> cn=sysaccounts.
>>>>>
>>>>> However we could have something in cn=config maybe ?
>>>>> So that each server can:
>>>>> A) use the same name/DN
>>>>> B) have ids that match exactly the local named account no matter how
>>>>> many different variants we have
>>>>> C) no management issues when the server is killed from the
>>>>> infrastructure as cn=config is local to that server and goes away with
>>>>> it.
>>>>>
>>>>> What do you think ?
>>>> This is what Petr proposed too.
>>>>
>>>> 389-ds autobind code searches starting from a base defined in cn=config.
>>>> IPA defines it to be $SUFFIX. If we move these entries to cn=config,
>>>> they will not be found by the code in
>>>> ds/ldap/servers/slapd/daemon.c:slapd_bind_local_user(). If we change a
>>>> search base to something in cn=config, we wouldn't be able to use user
>>>> accounts for autobind -- something which is possible right now.
>>>>
>>>> I'm not really concerned about user accounts' autobind but this is
>>>> actually a behavior change for IPA.
>>>
>>> And I guess we can't list multiple bases for now ?
>>> We do not use autobind for anything now though, and I do not see it as
>>> useful for "normal" users on an IPA server, so I would be ok with the
>>> change, even if it breaks backward compatibility on masters themselves.
>> The only thing we use is root autobind which is handled by a separate
>> mechanism, I think.
>>
>> Thus, it suits me.
>>
>> Petr, can you please make a ticket?
>
> How can you be sure that people do not already use the autobind feature? IMO,
> it is a bad move to just break it because we have no better idea how to handle
> named autobind.
>
> I would rather like to see improved autobind capability in 389-ds-base which
> would allow us to do the autobind configuration in cn=config and do entries like:
>
> uidnumber=25+gidnumber=25,cn=autobind,cn=config
> ...
> binddn: krbprincipalname=DNS/ipa.server.test,cn=computers...
>
> And thus have a per-server configuration without breaking existent functionality.

That is my favorite! (Which is not surprising, I was proposing exactly that 
almost 5 hours ago :-))

Anyway, the ticket is https://fedorahosted.org/freeipa/ticket/4388

-- 
Petr^2 Spacek
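To make Simo's cross-server concern and Martin's per-server alternative concrete, here is an added Python simulation (not FreeIPA or 389-ds code) of the two autobind mapping schemes; the uids, hostnames and the `cn=autobind,cn=config` entry shape are constructed sample data following the sketch in the thread.

```python
# Added example (not FreeIPA or 389-ds code): simulates how LDAPI autobind maps
# the peer's uid/gid to a bind identity under the two schemes discussed;
# all uids, hostnames and entries are constructed sample data.
SUFFIX = "dc=ipa,dc=test"

# Scheme 1: entries under $SUFFIX (cn=sysaccounts), replicated to every master.
# Two entries are needed because "named" has a different uid on each server.
SHARED_SYSACCOUNTS = [
    {"dn": f"uid=named,cn=sysaccounts,cn=etc,{SUFFIX}", "uidNumber": 25, "gidNumber": 25},
    {"dn": f"uid=named2,cn=sysaccounts,cn=etc,{SUFFIX}", "uidNumber": 26, "gidNumber": 26},
]

# Scheme 2: mapping kept in each server's own cn=config (never replicated),
# in the entry shape Martin sketched; binddn is the identity to authenticate as.
PER_SERVER_AUTOBIND = {
    "server-a": [{"uidNumber": 25, "gidNumber": 25,
                  "binddn": f"krbprincipalname=DNS/server-a.ipa.test,cn=computers,cn=accounts,{SUFFIX}"}],
    "server-b": [{"uidNumber": 26, "gidNumber": 26,
                  "binddn": f"krbprincipalname=DNS/server-b.ipa.test,cn=computers,cn=accounts,{SUFFIX}"}],
}

# Local accounts per server, name -> (uid, gid). On server-b, uid 25 belongs to
# an unrelated daemon: the collision Simo describes.
LOCAL_ACCOUNTS = {
    "server-a": {"named": (25, 25)},
    "server-b": {"named": (26, 26), "otherd": (25, 25)},
}

def autobind_shared(uid, gid):
    """Current lookup: search from the configured base ($SUFFIX) for an entry
    whose uidNumber/gidNumber equal the peer's; that entry's DN is bound."""
    for entry in SHARED_SYSACCOUNTS:
        if entry["uidNumber"] == uid and entry["gidNumber"] == gid:
            return entry["dn"]
    return None  # no match: the connection stays anonymous

def autobind_per_server(server, uid, gid):
    """Proposed variant: only this server's local cn=config map is consulted."""
    for entry in PER_SERVER_AUTOBIND.get(server, []):
        if entry["uidNumber"] == uid and entry["gidNumber"] == gid:
            return entry["binddn"]
    return None

def exposure(server, scheme):
    """Return {local account: identity it would obtain} on one server."""
    result = {}
    for name, (uid, gid) in LOCAL_ACCOUNTS[server].items():
        dn = autobind_shared(uid, gid) if scheme == "shared" else autobind_per_server(server, uid, gid)
        if dn is not None:
            result[name] = dn
    return result
```

Run `exposure("server-b", "shared")` against `exposure("server-b", "per-server")`: the replicated entries hand the unrelated uid 25 daemon the named identity, while the local map grants it nothing.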
