[Freeipa-devel] [RFC] Migrating existing environments to Trust - v2: reverse DNS lookup
Sumit Bose
sbose at redhat.com
Fri May 30 07:04:11 UTC 2014
On Thu, May 29, 2014 at 01:31:04PM -0400, Simo Sorce wrote:
> On Thu, 2014-05-29 at 18:50 +0200, Petr Spacek wrote:
> > On 29.5.2014 13:48, Sumit Bose wrote:
> > > == slapi-nis plugin/compat tree ==
> > > The compat tree offers a simplified LDAP tree with user and group data
> > > for legacy clients. No data for this tree is stored on disk but it is
> > > always created on the fly. It has to be noted that legacy clients might
> > > be one of the major users of the user-views because chances are that
> > > they were attached to the legacy systems with legacy ID management which
> > > should be replaced by IPA.
> > >
> > > In contrast to the extdom plugin it is not possible to determine the
> > > client based on the DN because connection might be anonymous. The
> > > Slapi_PBlock contains the IP address of the client in
> > > SLAPI_CONN_CLIENTNETADDR. Finding the matching client object in the IPA
> > > tree requires a reverse-DNS lookup which might be unreliable. If the
> > > reverse-DNS lookup was successful the slapi-nis plugin can follow the
> > > same steps as the extdom plugin to look up and apply the view.
> >
> > Do we really want to base security decisions on reverse DNS resolution?
>
> No we do not want to play these games.
>
> > That
> > will be insecure. Attacker could tamper with reverse DNS to change UID/GID
> > mapping ... Maybe we can store IP->view mapping in the LDAP database. That
> > should be reliable if we assume that only TCP is used for connection to LDAP
> > database.
>
> It is not just about it being insecure, it is about it being wrong.
> As soon as you have a bunch of clients behind a NAT this plan goes belly
> up.
I do not like this one either. I just wanted to list the options I could
think of because I think supporting user-views on legacy clients is one
of the major use-cases for this feature.
bye,
Sumit
>
> > > As an alternative slapi-nis can provide one tree for each view.
>
> This is the only alternative, if we decide to pursue it.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
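The two objections raised in the thread (a reverse-DNS result an attacker can tamper with, and NAT hiding which client is really connecting), as an added example that is not part of the thread or of slapi-nis: forward-confirming the PTR against the IPA-managed forward zone rejects a forged reverse record, but every client behind one NAT address still resolves to the same host entry, so the view chosen from the connection address is wrong for them. All names, addresses and records below are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data standing in for DNS and the IPA host tree (not real records).
PTR_RECORDS = {                 # reverse zone: address -> claimed host name
    "10.0.0.5": "legacy1.ipa.example",
    "198.51.100.20": "admin1.ipa.example",   # PTR in a reverse zone the attacker controls
    "203.0.113.7": "nat-gw.ipa.example",
}
A_RECORDS = {                   # IPA-managed forward zone: host name -> addresses
    "legacy1.ipa.example": {"10.0.0.5"},
    "admin1.ipa.example": {"10.0.0.9"},
    "nat-gw.ipa.example": {"203.0.113.7"},
}
HOST_VIEW = {                   # host entry -> ID view assigned in the IPA tree
    "legacy1.ipa.example": "legacy-view",
    "admin1.ipa.example": "admin-view",
    "nat-gw.ipa.example": "gateway-view",
    "legacy2.ipa.example": "branch-a-view",
    "legacy3.ipa.example": "branch-b-view",
}
SOURCE_ADDRESS = {              # real client -> source address the LDAP server sees
    "legacy1.ipa.example": "10.0.0.5",
    "legacy2.ipa.example": "203.0.113.7",    # legacy2 and legacy3 sit behind
    "legacy3.ipa.example": "203.0.113.7",    # the same NAT gateway
}


@dataclass
class Decision:
    view: Optional[str]
    reason: str


def select_view(client_addr: str) -> Decision:
    """Choose a view from the connection address: PTR lookup, then forward
    confirmation against the zone IPA controls. Refuses unconfirmed names."""
    name = PTR_RECORDS.get(client_addr)
    if name is None:
        return Decision(None, "no PTR record")
    if client_addr not in A_RECORDS.get(name, set()):
        return Decision(None, f"PTR {name} not confirmed by forward lookup")
    return Decision(HOST_VIEW.get(name), f"matched host entry {name}")


def view_applied_to(real_host: str) -> Optional[str]:
    """View the server would apply to a connection coming from real_host."""
    return select_view(SOURCE_ADDRESS[real_host]).view
```

The forged PTR for 198.51.100.20 is rejected, legacy1 gets its own view, but legacy2 and legacy3 both receive the gateway's view instead of the ones assigned to their host entries.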