Alexander Bokovoy wrote:
On Fri, 13 Jul 2012, Alexander Bokovoy wrote:
Hi,

when adding AD trusts support, we need to ensure we have a valid Kerberos
ticket of a user from the 'admins' group, or otherwise appropriate ACIs
will not be granted.

This patch introduces a check for that. We already check if
ipa-adtrust-install is run by root so this complements existing checks.

https://fedorahosted.org/freeipa/ticket/2815
After discussing on IRC with Simo and Rob, we came to the conclusion that it
is possible to switch to LDAPI and the autobind feature of dirsrv for
authentication and remove the requirement for Directory Manager credentials
altogether.

Updated patch makes use of LDAPI + autobind under root privileges to map
automatically to Directory Manager privileges in dirsrv. Additionally it
ensures we have Kerberos credentials to fetch keytab with CIFS service
key.

Service._ldap_mod() is extended to switch to autobind when self.ldapi is
set to True and we are running as root.

For those interested in why ACIError is mapped to 'outdated Kerberos
credentials' error message, this is because we'll get ACIError for 'ipa
user-show <uid>' command when authenticated by the Kerberos credentials
for <uid> in a default ccache only when Kerberos credentials are stale --
either belong to a user that was removed or to a previous IPA install
that was wiped before reinstalling. The latter is how I discovered
this case. :)

I think that this should raise an exception if one tries to use ldapi, doesn't provide the DM password and is not root. Otherwise it won't authenticate at all.

In reality, I think all this service code always runs as root, so it may be a moot point, but this code is kinda convoluted.

rob

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
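The bind-selection logic the two messages above argue about, written out as an added example (this is not FreeIPA's Service._ldap_mod() and not code from either poster). It encodes Alexander's rule (LDAPI + root means autobind, i.e. SASL EXTERNAL over the unix socket, which dirsrv maps to Directory Manager) together with Rob's objection: asking for LDAPI with no Directory Manager password while not running as root must raise instead of silently not authenticating. The socket path, the function and class names, and the euid parameter used to make the decision testable are assumptions for illustration.

```python
import os
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical defaults; the real socket name depends on the dirsrv instance.
DEFAULT_LDAPI_URI = "ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket"
DEFAULT_LDAP_URI = "ldap://localhost:389"
DM_DN = "cn=Directory Manager"


class BindConfigError(Exception):
    """Raised when the requested bind cannot authenticate at all."""


@dataclass
class BindPlan:
    uri: str
    method: str                 # "autobind" (SASL EXTERNAL over LDAPI) or "simple"
    bind_dn: Optional[str]
    password: Optional[str]


def choose_bind(ldapi: bool, dm_password: Optional[str],
                euid: Optional[int] = None,
                ldapi_uri: str = DEFAULT_LDAPI_URI,
                ldap_uri: str = DEFAULT_LDAP_URI) -> BindPlan:
    """Decide how to authenticate to dirsrv.

    ldapi       -- caller wants the LDAPI unix socket
    dm_password -- Directory Manager password, or None if not supplied
    euid        -- effective uid to evaluate (defaults to the real one)
    """
    if euid is None:
        euid = os.geteuid()

    # Alexander's case: root over LDAPI is autobound to Directory Manager,
    # so no password is needed at all.
    if ldapi and euid == 0:
        return BindPlan(ldapi_uri, "autobind", None, None)

    # A password lets us simple-bind as Directory Manager on either transport.
    if dm_password is not None:
        return BindPlan(ldapi_uri if ldapi else ldap_uri, "simple",
                        DM_DN, dm_password)

    # Rob's case: LDAPI requested, no password, not root. Autobind would
    # map to the caller's own uid (if anything), so fail loudly here.
    if ldapi:
        raise BindConfigError(
            "LDAPI requested without a Directory Manager password while not "
            "running as root (euid=%d): autobind only yields Directory "
            "Manager privileges for root" % euid)

    raise BindConfigError("no Directory Manager credentials supplied")


def to_ldapmodify_argv(plan: BindPlan, ldif_path: str) -> List[str]:
    """Render the plan as the equivalent ldapmodify invocation, which is a
    handy way to check by hand what the chosen bind actually does."""
    argv = ["ldapmodify", "-H", plan.uri]
    if plan.method == "autobind":
        argv += ["-Y", "EXTERNAL"]            # SASL EXTERNAL: peer credentials
    else:
        argv += ["-x", "-D", plan.bind_dn, "-w", plan.password]
    argv += ["-f", ldif_path]
    return argv


if __name__ == "__main__":
    for args in ((True, None, 0), (True, "secret", 1000), (True, None, 1000)):
        try:
            print(" ".join(to_ldapmodify_argv(choose_bind(*args), "mod.ldif")))
        except BindConfigError as e:
            print("refused:", e)
```

Running it as root with no password prints the `-Y EXTERNAL` form; running it as an unprivileged user with no password is refused rather than attempted.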
