On 01/31/2012 06:45 AM, Sumit Bose wrote:
> Hi,
>
> for the IPAv3 trust feature we have to add the objectclass
> ipaNTUserAttrs/ipaNTGroupAttrs to every user/group which should be
> visible on the Windows side of the trust. The only MUST attribute of
> both objectclasses is ipaNTSecurityIdentifier the SID or the user or
> group. We would like to manage the SIDS with the DNA plugin since they
> have to be unique in the IPA domain.
>
> The trust support will typically be added to a running IPA domain,
> because we do not plan to install it by default and we have to consider
> updated v2 environments as well. So the question arises what is the most
> preferred way to add a DNA configuration to an existing Directory Server
> setup with replication.
>
> Nathan suggested to create the configuration with the full range on the
> first master, configure the other master with no available values
> and let the DNA plugin transfer the ranges between the masters.
>
> This will lead to the following steps:
>
> 1. Check if there are already shared configuration entries in
>    cn=sids,cn=dna,cn=ipa,cn=etc,$SUFFIX
>
> 2a. if not we can create the initial configuration on the current
>     master:
>
> dn: cn=SIDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
> changetype: add
> objectclass: top
> objectclass: extensibleObject
> cn: SIDs
> dnaType: ipaNTSecurityIdentifier
> dnaNextValue: 1000
> dnaMaxValue: eval($SIDMAX)    # Maybe 200k ?
> dnaMagicRegen: 999
> dnaFilter: (|(objectclass=ipaNTUserAttrs)(objectClass=ipaNTGroupAttrs))
> dnaScope: $SUFFIX
> dnaThreshold: 500
> dnaSharedCfgDN: cn=sids,cn=dna,cn=ipa,cn=etc,$SUFFIX
>
> 3a. Add ipaNTUserAttrs/ipaNTGroupAttrs to all users/groups with
>     ipaNTSecurityIdentifier=999 on the current master
>
> 4a. Done on the first master
>
> 2b. if there are already entries we can create the configuration for an
>     additional master:
>
> dn: cn=SIDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
> changetype: add
> objectclass: top
> objectclass: extensibleObject
> cn: SIDs
> dnaType: ipaNTSecurityIdentifier
> dnaNextValue: 1101
> dnaMaxValue: 1100
> dnaMagicRegen: 999
> dnaFilter: (|(objectclass=ipaNTUserAttrs)(objectClass=ipaNTGroupAttrs))
> dnaScope: $SUFFIX
> dnaThreshold: 500
> dnaSharedCfgDN: cn=sids,cn=dna,cn=ipa,cn=etc,$SUFFIX
>
> 3b. Done on the additional master, DNA plugin will sort out the rest
>
>
>
> Do these steps make sense?
>
> Is it necessary to add a lock to prevent a race condition btween step 1
> and 2a, i.e. two admins try to prepare IPA for trusts independently at
> the same time?
>
> Do I understand it correctly that if dnaMaxValue is set to e.g. 2^32 on
> the first master, the range on the second master will start at 2^31? So
> the usage of the full range will be quite sparse if dnaMaxValue is set
> too high.
>
> Step 3a on the first master might need some time to finish. Is it
> necessary to set some kind of lock to prevent the configuration of the
> DNA plugin on other masters while this task is running or is it safe to
> add another master at any time?
>
> Are there other ways to introduce the DNA configuration? Nathan
> suggested also that the ranges can be configured manually without
> overlap, but if possible I would prefer the automatic way.
>
> Thank you for your help.
>
> bye,
> Sumit
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
>
>

Couple comments.
1) What is the impact on the replication?
2) How we can prevent the case when in the distributed topology the
change starts from two ends?
3) What is the speed of the propagation of this configuration in a 20
replica architecture?
4) Would it be better to generate the SIDs on every replica? We already
have UID/GID and GUIDs for the entries. If SID is derived from entry
GUID the change can be made locally and does not require replication.
The GUIDs are already replicated so the SID can be generated locally
like we do with the other non replicated attributes. In this case you
just need to install a new plugin on your replicas and change
configuration entry to enable it. As soon as this entry is replicated
the plugin will kick in and would start adding SIDs to users and groups
in the background on every replica. Overall there will be less traffic
and no need to deal with DNA ranges. Is it possible to derive SID from
other attribute in the User or group object?
5) If we go with the way Summit suggested we also need to have a special
handling in the ipa-replica-prepare depending upon whether the SID
support is on or off.   

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to