Hello, below is a design page for ticket https://fedorahosted.org/freeipa/ticket/3289:
http://www.freeipa.org/page/V3/Configurable_SID_Blacklists

There is one question in the text.

Martin

-----------------------------------------------------------------------------

= Overview =

Related tickets:
* [https://fedorahosted.org/freeipa/ticket/3289 3289: Make SID checks for MS-PAC filter configurable]
* [https://fedorahosted.org/freeipa/ticket/3231 3231: Need to relax MS-PAC checks]

Microsoft Windows 2012 slightly changed what it sends in the MS-PAC: it sends a special SID in the ExtraSids buffer. We used to reject this MS-PAC and raise a validation error, but ticket [https://fedorahosted.org/freeipa/ticket/3231 3231] introduced a static list of SIDs that are filtered out of the MS-PAC to avoid this error.

The target of this RFE is to store this list in LDAP so that the Administrator can change it and add or remove SIDs to filter.

= Use Cases =

A Windows 2012 user from a trusted AD domain tries to authenticate to the IPA domain, but his ticket is refused due to the MS-PAC check. The Administrator may want to extend the default list of SIDs so that the colliding SID is filtered.

= Design =

== Configuration granularity ==

The SID blacklist should be configured per-trust. The Administrator should be able to configure a blacklist for both ''incoming'' MS-PAC (i.e. authentication from a trusted domain to the IPA domain) and ''outgoing'' MS-PAC (i.e. for transitive authentication of a user from an IPA trusted domain trying to authenticate to another domain trusted by IPA, but which is not trusted directly by this domain).
== Schema updates ==

The feature will introduce 2 new ''attributeTypes'', which will be added to the ''MAY'' list of the ''ipaNTTrustedDomain'' object class:

 attributetypes: ( 2.16.840.1.113730.3.8.11.38 NAME 'ipaNTSIDBlacklistIncoming' DESC 'Extra SIDs filtered out from incoming MS-PAC' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'IPA v3' )
 attributetypes: ( 2.16.840.1.113730.3.8.11.39 NAME 'ipaNTSIDBlacklistOutgoing' DESC 'Extra SIDs filtered out from outgoing MS-PAC' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'IPA v3' )

== ipa-kdb Changes ==

Currently, ipa-kdb uses the static <tt>mspac_well_known_sids</tt> list of SIDs to filter SIDs from the MS-PAC. Changes:
* <tt>struct ipadb_mspac</tt> will be changed:
** <tt>well_known_sids</tt> will be renamed to <tt>sid_blacklist_incoming</tt>
** a new <tt>sid_blacklist_outgoing</tt> will be added
* The <tt>ipadb_mspac_fill_well_known_sids</tt> function will be updated to read these new attributes from LDAP; if it finds them, it will fill their values into <tt>mspac->sid_blacklist_incoming</tt> or <tt>mspac->sid_blacklist_outgoing</tt> respectively. If the attributes for the trust are missing, it will use the default value in <tt>mspac_well_known_sids</tt>.
* Note that <tt>mspac->sid_blacklist_outgoing</tt> '''will be unused''' until the transitive trusts functionality is implemented.

These new attributes should not cause high LDAP load, as <tt>ipadb_reinit_mspac</tt> is run at most once per minute.

= Implementation =

N/A

= Feature Management =

=== UI ===

The UI will need to allow updating these new attributes in the ''Settings'' tab of the ''IPA Server'' -> ''Trusts'' section.

=== CLI ===

The CLI should allow editing of these new attributes. They should not be displayed by default in the ''trust-show'' or ''trust-find'' commands, but only with the ''--all'' option, to keep the trust entries in these commands readable.
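The per-trust blacklist selection and ExtraSids filtering described in the ipa-kdb Changes section above, as an added example that is not ipa-kdb's own code: the default list here is a constructed placeholder (the real <tt>mspac_well_known_sids</tt> lives in ipa_kdb_mspac.c), and <tt>effective_blacklist</tt>, <tt>sid_is_blacklisted</tt> and <tt>filter_extra_sids</tt> are hypothetical names. It assumes the trust's LDAP attribute values have already been read into a NULL-terminated array of SID strings, or NULL when the attribute is absent.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Constructed placeholder standing in for mspac_well_known_sids; the real
 * default list in ipa_kdb_mspac.c is not reproduced here. */
static const char *default_blacklist[] = {
    "S-1-5-32-544",
    "S-1-5-18",
    NULL
};

/* Pick the effective blacklist for one trust: the values read from the
 * trust's ipaNTSIDBlacklistIncoming (or ...Outgoing) attribute when the
 * attribute is present, otherwise the built-in default. */
const char **effective_blacklist(const char **ldap_values)
{
    return ldap_values != NULL ? ldap_values : default_blacklist;
}

/* Nonzero if sid appears in the NULL-terminated blacklist. The comparison
 * is case-insensitive, matching the caseIgnoreIA5Match equality rule of
 * the new attributes. */
int sid_is_blacklisted(const char *sid, const char **blacklist)
{
    for (size_t i = 0; blacklist[i] != NULL; i++) {
        if (strcasecmp(sid, blacklist[i]) == 0)
            return 1;
    }
    return 0;
}

/* Copy the ExtraSids that are not blacklisted into out (capacity out_cap)
 * and return how many were kept. Running this before MS-PAC validation is
 * what keeps the colliding SID from triggering the validation error. */
size_t filter_extra_sids(const char **extra, size_t n, const char **blacklist,
                         const char **out, size_t out_cap)
{
    size_t kept = 0;
    for (size_t i = 0; i < n && kept < out_cap; i++) {
        if (!sid_is_blacklisted(extra[i], blacklist))
            out[kept++] = extra[i];
    }
    return kept;
}
```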
= Major configuration options and enablement =

N/A

= Replication =

The new attributes will be replicated.

= Updates and Upgrades =

The 2 new ''attributeTypes'' will be added and the ''ipaNTTrustedDomain'' object class will be updated.

'''QUESTION''': We can either fill ''ipaNTSIDBlacklistIncoming'' and ''ipaNTSIDBlacklistOutgoing'' for all current trusts during updates, or fill them only for re-established and new trusts. The latter would avoid an unnecessary update plugin. The prefilled list should be equal to the <tt>mspac_well_known_sids</tt> list in <tt>ipa_kdb_mspac.c</tt>.

= Dependencies =

N/A

= External Impact =

N/A

_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel
