On Tue, Jul 16, 2013 at 04:22:01PM +0300, Alexander Bokovoy wrote:
> On Tue, 16 Jul 2013, Jakub Hrozek wrote:
> >the patch looks mostly good to me. I only have some small nitpicks:
> >>+++ b/install/tools/man/ipa-adtrust-install.1
> >>@@ -106,6 +106,24 @@ The password of the user with administrative
> >>privileges for this IPA server. Wil
> >> .TP
> >> The credentials of the admin user will be used to obtain Kerberos ticket
> >> before configuring cross-realm trusts support and afterwards, to ensure
> >> that the ticket contains MS-PAC information required to actually add a
> >> trust with Active Directory domain via 'ipa trust-add --type=ad' command.
> >> .TP
> >>+Enables support for trusted domains users for old clients through Schema
> >>Compatibility plugin.
> >>+SSSD supports trusted domains natively starting with version 1.9 platform.
> >>For platforms that
> > ^^^^^^^^
> > The word "platform" looks a little extra here to me.
> Removed. I initially had a statement there to talk about Linux and
> non-Linux platforms; this word slipped in when I edited the platform talk out.
> >>+lack SSSD or run older SSSD version one needs to use this option. When
> >>enabled, slapi\-nis package
> >>+needs to be installed and schema\-compat\-plugin will be configured to
> >>provide lookup of
> >>+users and groups from trusted domains via SSSD on IPA server. These users
> >>and groups will be
> >>+available under \fBcn=users,cn=compat,$SUFFIX\fR and
> >>\fBcn=groups,cn=compat,$SUFFIX\fR trees.
> >>+SSSD will normalize names of users and groups to lower case.
> >>+In addition to providing these users and groups through the compat tree,
> >>this option enables
> >>+authentication over LDAP for trusted domain users with DN under compat
> >>tree, i.e. using bind DN
> >>+\fBuidemail@example.com,cn=users,cn=compat,$SUFFIX\fR. This
> >>authentication is related
> >>+to PAM stack using '\fBsystem\-auth\fR' PAM service. If you have disabled
> >>HBAC rule 'allow_all', then
> >>+make sure there is special service called '\fBsystem\-auth\fR' created and
> >>HBAC rule to allow
> >>+access to anyone to this rule on IPA masters is added. Please note that
> >>system-auth PAM service
> >>+is not used directly by any other application, therefore it is safe to
> >>create one specifically
> >>+to support trusted domain users via compatibility path.
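Review bot: the closing sentences of this hunk ("make sure there is special service called 'system-auth' created ... it is safe to create one") read as an instruction to create a new PAM service, but system-auth already exists as /etc/pam.d/system-auth from the pam package; the text should instead say that an HBAC service entry named 'system-auth' and an HBAC rule granting all users access to it on the IPA masters host group must be added once 'allow_all' is disabled, and explain that no other application runs against that service name, so the rule does not widen access elsewhere. Also check the bind DN example `\fBuidemail@example.com,cn=users,cn=compat,$SUFFIX\fR`: its first RDN lacks the attribute=value form (uid=<user>@<domain>), and "trusted domains users" should read "trusted domain users".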
> >The last sentence wasn't really clear to me, were you suggesting to
> >create a special PAM service?
> I refactored the statement.
> system-auth is a PAM service (/etc/pam.d/system-auth) provided by pam
> RPM package. You don't need to create it as it is created and maintained
> by the system (and authconfig).
> What this sentence talks about is that PAM authentication also means
> verifying HBAC rules. If you have disabled the 'allow_all' HBAC rule, then
> for all PAM services there should be an HBAC rule that allows access to
> them if that is required. As trusted AD users don't exist in LDAP, we
> cannot really refer to them in HBAC rules, so we can only have an HBAC
> rule that allows 'all' to access the 'system-auth' service on the 'ipa
> masters' host group.
> The system-auth PAM service is not used by any other application directly.
> Instead, their own PAM services include system-auth through the PAM stack.
> That's why I selected system-auth -- enabling HBAC rules to access it
> does not compromise any other service because of the way PAM
> stacking works -- access to an app is granted through the PAM service name
> that the application runs against. I.e. ssh runs against /etc/pam.d/ssh, so
> an HBAC rule would need to be created against the 'ssh' service. /etc/pam.d/ssh
> includes system-auth through the PAM stack and system-auth is configured
> to use pam_sss, but 'system-auth' as a service name is never seen or used
> by anyone through the PAM API.
I know how system-auth works and how PAM services work, but it wasn't
clear to me what you were suggesting in the man page :) Now it's much
clearer, thank you.
> >>+ if self.enable_compat:
> >>+ self.step("Enabling trusted domains support for older clients
> >>via Schema Compatibility plugin",
> > ^^^^
> > Nitpick: all the other steps begin with a lowercased
> > letter. Only this one is uppercased, which makes the
> > tool output look inconsistent:
> >[15/21]: adding special DNS service records
> >[16/21]: Enabling trusted domains support for older clients via Schema Compatibility plugin
> >[17/21]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
> Thanks. Lowercased it.
> Updated patch is attached.
Maybe it would be nice if some native English speaker read the man page
change as well. To me it sounds like there are some articles missing. But
the code works correctly and sets up the SSSD compat attributes during
install when told to.
Ack from me, however.
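As an added example that is not part of the original thread or the FreeIPA patch, the following is a simplified model of the allow-only HBAC evaluation Alexander describes above: with 'allow_all' disabled, a rule with user category 'all', scoped to the IPA masters host group and the 'system-auth' service, lets trusted-domain users (who have no LDAP entry an HBAC rule could name) authenticate through the compat tree, while ssh and other hosts stay unaffected. The host group name `ipa-masters`, the rule names and the user name are constructed, and the matching logic is a model, not the real ipa_hbac code.

```python
# Added example: a simplified model of FreeIPA HBAC evaluation (not the real
# ipa_hbac code). HBAC is allow-only: access is granted when any enabled rule matches.
from dataclasses import dataclass

@dataclass
class HbacRule:
    name: str
    enabled: bool = True
    usercat_all: bool = False          # --usercat=all is the only way to cover
    users: frozenset = frozenset()     # trusted AD users, who have no LDAP entry
    hostcat_all: bool = False
    hostgroups: frozenset = frozenset()
    servicecat_all: bool = False
    services: frozenset = frozenset()

def rule_matches(rule, user, host_groups, service):
    """True when the rule covers this user, one of the host's groups, and the PAM service."""
    if not rule.enabled:
        return False
    user_ok = rule.usercat_all or user in rule.users
    host_ok = rule.hostcat_all or bool(host_groups & rule.hostgroups)
    svc_ok = rule.servicecat_all or service in rule.services
    return user_ok and host_ok and svc_ok

def hbac_allows(rules, user, host_groups, service):
    """No deny rules exist: the request is permitted iff some enabled rule matches."""
    return any(rule_matches(r, user, host_groups, service) for r in rules)

# Constructed rule set: 'allow_all' disabled, the rule the man page asks for
# (all users, 'system-auth', IPA masters host group), and an unrelated admin ssh rule.
RULES = [
    HbacRule("allow_all", enabled=False, usercat_all=True,
             hostcat_all=True, servicecat_all=True),
    HbacRule("compat_system_auth", usercat_all=True,
             hostgroups=frozenset({"ipa-masters"}),
             services=frozenset({"system-auth"})),
    HbacRule("admins_ssh", users=frozenset({"admin"}),
             hostcat_all=True, services=frozenset({"ssh"})),
]
TRUSTED_USER = "user@ad.example.test"  # constructed trusted-domain user

def trusted_user_checks():
    """Where the trusted-domain user gets through under the rule set above."""
    u = TRUSTED_USER
    return {
        "compat_bind_on_master": hbac_allows(RULES, u, {"ipa-masters"}, "system-auth"),
        "ssh_on_master": hbac_allows(RULES, u, {"ipa-masters"}, "ssh"),  # ssh runs against its own PAM service name
        "compat_bind_on_client": hbac_allows(RULES, u, {"clients"}, "system-auth"),  # rule is scoped to masters
    }
```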
Freeipa-devel mailing list