[Freeipa-devel] LDAPI + autobind instead of Kerberos (for named)?

Simo Sorce simo at redhat.com
Thu Jun 19 16:47:37 UTC 2014


On Thu, 2014-06-19 at 17:06 +0200, Martin Kosek wrote:
> On 06/19/2014 04:58 PM, Alexander Bokovoy wrote:
> > On Thu, 19 Jun 2014, Simo Sorce wrote:
> >> On Thu, 2014-06-19 at 17:47 +0300, Alexander Bokovoy wrote:
> >>> On Thu, 19 Jun 2014, Simo Sorce wrote:
> >>> >> I may need to revive my sysaccounts module...
> >>> >
> >>> >There is one more issue though, and this one really concerns me.
> >>> >If you need to put there multiple accounts because different servers
> >>> >have different local accounts, then you open up access to unrelated
> >>> >services. Because all these uids are shared on all systems.
> >>> >
> >>> >I think this kills my own proposal of sticking these entries in
> >>> >cn=sysaccounts.
> >>> >
> >>> >However we could have something in cn=config maybe ?
> >>> >So that each server can:
> >>> >A) use the same name/DN
> >>> >B) have ids that match exactly the local named account no matter how
> >>> >many different variants we have
> >>> >C) no management issues when the server is killed from the
> >>> >infrastructure as cn=config is local to that server and goes away with
> >>> >it.
> >>> >
> >>> >What do you think ?
> >>> This is what Petr proposed too.
> >>>
> >>> 389-ds autobind code searches starting from a base defined in cn=config.
> >>> IPA defines it to be $SUFFIX. If we move these entries to cn=config,
> >>> they will not be found by the code in
> >>> ds/ldap/servers/slapd/daemon.c:slapd_bind_local_user(). If we change a
> >>> search base to something in cn=config, we wouldn't be able to use user
> >>> accounts for autobind -- something which is possible right now.
> >>>
> >>> I'm not really concerned about user accounts' autobind but this is
> >>> actually a behavior change for IPA.
> >>
> >> And I guess we can't list multiple bases for now ?
> >> We do not use autobind for anything now though, and I do not see it as
> >> useful for "normal" users on an IPA server, so I would be ok with the
> >> change, even if it breaks backward compatibility on masters themselves.
> > The only thing we use is root autobind which is handled by a separate
> > mechanism, I think.
> > 
> > Thus, it suits me.
> > 
> > Petr, can you please make a ticket?
> 
> How can you be sure that people do not already use the autobind feature?

Regular users should not really log into the master anyway, so unless we
are using this feature in one of the IPA components I would say it is an
"unsupported" usage (and highly unlikely anyway as it is not a well known
feature).

>  IMO,
> it is a bad move to just break it because we have no better idea how to handle
> named autobind.

Oh but we do have a better idea :)

> I would rather like to see improved autobind capability in 389-ds-base which
> would allow us to do the autobind configuration in cn=config and do entries like:
> 
> uidnumber=25+gidnumber=25,cn=autobind,cn=config
> ...
> binddn: krbprincipalname=DNS/ipa.server.test,cn=computers...
> 
> And thus have a per-server configuration without breaking existent functionality.

I do not think it is worth it.
Yes we could maintain the feature, but I would worry about adding code
only if we have someone with a good use case for using regular shared
users and autobind and not being able to migrate to add an entry in
cn=config.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
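The thread above discusses how 389-ds resolves an LDAPI peer's uid/gid to a directory entry starting from the search base configured in cn=config, and why shared sysaccounts entries with several uid variants widen access on every master. The following is an added illustration, not code from 389-ds or FreeIPA: a small in-memory model of that lookup. The cn=config attribute names (nsslapd-ldapiautobind, nsslapd-ldapimaptoentries, nsslapd-ldapimaprootdn, nsslapd-ldapientrysearchbase, nsslapd-ldapiuidnumbertype, nsslapd-ldapigidnumbertype) are the documented 389-ds ones; the directory contents, the suffix dc=ipa,dc=test and the uid values are constructed. The "exactly one match or anonymous" rule is how I understand slapd_bind_local_user() to behave and is an assumption here; the binddn indirection proposed for the cn=autobind entry is not modelled.

```python
"""Toy model of the 389-ds LDAPI autobind lookup (slapd_bind_local_user).

Added example, not 389-ds or FreeIPA code. Config attribute names follow the
389-ds documentation; directory contents and uid numbers are constructed.
"""

SUFFIX = "dc=ipa,dc=test"  # constructed $SUFFIX

# Constructed directory: DN -> attribute lists (only what autobind needs).
DIRECTORY = {
    # Shared entries under $SUFFIX, replicated to every master.
    f"uid=named,cn=sysaccounts,cn=etc,{SUFFIX}": {"uidNumber": ["25"], "gidNumber": ["25"]},
    # A second variant, added because another master's named runs as uid 123.
    f"uid=named2,cn=sysaccounts,cn=etc,{SUFFIX}": {"uidNumber": ["123"], "gidNumber": ["123"]},
    f"uid=alice,cn=users,cn=accounts,{SUFFIX}": {"uidNumber": ["1000"], "gidNumber": ["1000"]},
    # Per-server entry of the kind proposed in the thread; cn=config is local
    # to this server, so it is not replicated.
    "uidNumber=25+gidNumber=25,cn=autobind,cn=config": {"uidNumber": ["25"], "gidNumber": ["25"]},
}

# Constructed cn=config fragment as IPA sets it up: search base is $SUFFIX.
CONFIG_SUFFIX_BASE = {
    "nsslapd-ldapiautobind": "on",
    "nsslapd-ldapimaptoentries": "on",
    "nsslapd-ldapimaprootdn": "cn=Directory Manager",
    "nsslapd-ldapientrysearchbase": SUFFIX,
    "nsslapd-ldapiuidnumbertype": "uidNumber",
    "nsslapd-ldapigidnumbertype": "gidNumber",
}

# Same configuration with the search base moved under cn=config, as discussed.
CONFIG_CONFIG_BASE = dict(
    CONFIG_SUFFIX_BASE, **{"nsslapd-ldapientrysearchbase": "cn=autobind,cn=config"}
)


def _under(dn: str, base: str) -> bool:
    """Subtree test on DN strings (case-folded, no RDN canonicalisation)."""
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


def autobind(config, directory, peer_uid, peer_gid):
    """Return the DN a local peer with (uid, gid) is bound as, or None for anonymous.

    Assumed behaviour: root maps to nsslapd-ldapimaprootdn (the separate
    mechanism mentioned in the thread); any other peer is mapped only when
    exactly one entry under the search base carries matching uidNumber and
    gidNumber. Zero or several matches leave the connection anonymous.
    """
    if config.get("nsslapd-ldapiautobind") != "on":
        return None
    if peer_uid == 0:
        return config["nsslapd-ldapimaprootdn"]
    if config.get("nsslapd-ldapimaptoentries") != "on":
        return None
    base = config["nsslapd-ldapientrysearchbase"]
    uid_attr = config["nsslapd-ldapiuidnumbertype"]
    gid_attr = config["nsslapd-ldapigidnumbertype"]
    matches = [
        dn for dn, attrs in directory.items()
        if _under(dn, base)
        and str(peer_uid) in attrs.get(uid_attr, [])
        and str(peer_gid) in attrs.get(gid_attr, [])
    ]
    return matches[0] if len(matches) == 1 else None


def exposed_identities(config, directory, local_uids):
    """Map each local uid (with gid == uid) to the directory identity it would get.

    This is the concern raised in the thread: with shared sysaccounts entries,
    every uid any master ever used for named becomes bindable on all of them.
    """
    result = {}
    for uid in local_uids:
        dn = autobind(config, directory, uid, uid)
        if dn is not None:
            result[uid] = dn
    return result


if __name__ == "__main__":
    # With the search base at $SUFFIX both named variants and user accounts bind;
    # the cn=config entry is never seen.
    print(exposed_identities(CONFIG_SUFFIX_BASE, DIRECTORY, [0, 25, 123, 1000, 4444]))
    # With the search base under cn=config only this server's entry binds;
    # user-account autobind stops working, which is the behaviour change discussed.
    print(exposed_identities(CONFIG_CONFIG_BASE, DIRECTORY, [0, 25, 123, 1000, 4444]))
```

Running the script prints the two mappings side by side: under the $SUFFIX base, uids 25, 123 and 1000 all resolve to shared entries on this host even though only one named variant is local to it; under the cn=config base, only uid 25 resolves, and alice's uid no longer autobinds.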
