On Tue, 17 Jul 2012, Rob Crittenden wrote:
Alexander Bokovoy wrote:
On Fri, 13 Jul 2012, Alexander Bokovoy wrote:
Hi,

when adding AD trusts support, we need to ensure we have valid kerberos
ticket of the user from 'admins' group or otherwise appropriate ACIs
will not be granted.

This patch introduces a check for that. We already check if
ipa-adtrust-install is run by root so this complements existing checks.

https://fedorahosted.org/freeipa/ticket/2815
After discussing on IRC with Simo and Rob, we came to conclusion that it
is possible to switch to LDAPI and autobind feature of dirsrv for
authentication and remove requirement for Directory Manager credentials
altogether.

Updated patch makes use of LDAPI + autobind under root privileges to map
automatically to Directory Manager privileges in dirsrv. Additionally it
ensures we have Kerberos credentials to fetch keytab with CIFS service
key.

Service._ldap_mod() is extended to switch to autobind when self.ldapi is
set to True and we are running as root.

For those interested in why ACIError is mapped to 'outdated Kerberos
credentials' error message, this is because we'll get ACIError for 'ipa
user-show <uid>' command when authenticated by the Kerberos credentials
for <uid> in a default ccache only when Kerberos credentials are stale --
either belong to a user that was removed or to a previous IPA install
that was wiped before reinstalling. The latter is how I discovered
this case. :)

I think that this should raise an exception if one tries to use ldapi, doesn't provide the DM password and is not root. Otherwise it won't authenticate at all.
This is not exactly true.

$ id
uid=757000001(abokovoy) gid=757000001(abokovoy) groups=757000001(abokovoy)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

$ ldapsearch -vvv -H ldapi://%2fvar%2frun%2fslapd-IPA-LOCAL.socket '*' 
>/dev/null
ldap_initialize( ldapi://%2Fvar%2Frun%2Fslapd-IPA-LOCAL.socket/??base )
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Inappropriate authentication (48)
        additional info: SASL EXTERNAL bind requires an SSL connection

$ ldapsearch -vvv -Y GSSAPI -H ldapi://%2fvar%2frun%2fslapd-IPA-LOCAL.socket '*' 
>/dev/null
ldap_initialize( ldapi://%2Fvar%2Frun%2Fslapd-IPA-LOCAL.socket/??base )
SASL/GSSAPI authentication started
SASL username: abokovoy@IPA.LOCAL
SASL SSF: 56
SASL data security layer installed.
filter: (objectclass=*)
requesting: *
So GSSAPI auth works with LDAPI access. I can simply enforce -Y GSSAPI
when non-root and no dm_password regardless of self.ldapi, this would
extend previously available logic to following:

- ldapi: use -H ldapi://url instead of -h hostname
- dm_password: add Directory Manager auth
- root without dm_password: use autobind
- non-root without dm_password: use GSSAPI

In reality, I think all this service code always runs as root, so it may be a moot point, but this code is kinda convoluted.
Yep.

--
/ Alexander Bokovoy

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to