On Thu, 2014-05-29 at 18:50 +0200, Petr Spacek wrote:
> On 29.5.2014 13:48, Sumit Bose wrote:
> > == slapi-nis plugin/compat tree ==
> > The compat tree offers a simplified LDAP tree with user and group data
> > for legacy clients. No data for this tree is stored on disk but it is
> > always created on the fly. It has to be noted that legacy clients might
> > be one of the major users of the user-views because chances are that
> > they were attached to the legacy systems with legacy ID management which
> > should be replaced by IPA.
> >
> > In contrast to the extdom plugin it is not possible to determine the
> > client based on the DN because the connection might be anonymous. The
> > Slapi_PBlock contains the IP address of the client in
> > SLAPI_CONN_CLIENTNETADDR. Finding the matching client object in the IPA
> > tree requires a reverse-DNS lookup which might be unreliable. If the
> > reverse-DNS lookup was successful the slapi-nis plugin can follow the
> > same steps as the extdom plugin to look up and apply the view.
>
> Do we really want to base security decisions on reverse DNS resolution?

No we do not want to play these games.

> That will be insecure. An attacker could tamper with reverse DNS to change
> UID/GID mapping ... Maybe we can store IP->view mapping in the LDAP
> database. That should be reliable if we assume that only TCP is used for
> connection to LDAP database.

It is not just about it being insecure, it is about it being wrong. As soon
as you have a bunch of clients behind a NAT this plan goes belly up.

> > As an alternative slapi-nis can provide one tree for each view.

This is the only alternative, if we decide to pursue it.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel
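The thread above weighs two ways for a compat-tree plugin to pick an ID view: deriving it from the client address (via reverse DNS or a stored IP->view table) versus exposing one subtree per view. The following is an added model of both, not FreeIPA or slapi-nis code; the IPs, view names, DNs and the NAT address are constructed, and it shows why the address-based choice collapses for clients behind one NAT while the per-view subtree lets each client name its view in the search base.

```python
from typing import Optional, Set, List, Tuple
import ipaddress

# Constructed IP -> view table, standing in for the proposed LDAP-stored mapping.
IP_VIEW_MAP = {
    "192.0.2.10": "legacy-view",
    "192.0.2.11": "default",
}

# Constructed suffix under which the "one tree per view" alternative would
# publish cn=<view>,cn=compat,... subtrees.
VIEW_SUFFIX = "cn=compat,dc=example,dc=test"


def view_from_client_ip(client_ip: str) -> Optional[str]:
    """Address-based selection: whatever address the server sees is looked up.
    Every host behind one NAT presents the same address, so they all get the
    same answer regardless of which view they were meant to see."""
    try:
        ip = str(ipaddress.ip_address(client_ip))  # normalise, reject garbage
    except ValueError:
        return None
    return IP_VIEW_MAP.get(ip)


def view_from_base_dn(base_dn: str) -> Optional[str]:
    """Per-view-tree selection: the client states the view it wants by
    searching under cn=<view>,cn=compat,...; no client-address lookup at all."""
    rdns = [r.strip().lower() for r in base_dn.split(",")]
    suffix = [r.strip().lower() for r in VIEW_SUFFIX.split(",")]
    if len(rdns) <= len(suffix) or rdns[-len(suffix):] != suffix:
        return None  # not under the compat suffix, or no view RDN present
    attr, _, value = rdns[-len(suffix) - 1].partition("=")
    return value if attr == "cn" and value else None


def simulate_nat(clients: List[Tuple[str, str]]) -> Set[str]:
    """clients: (hostname, view the host should get). All of them arrive from
    one constructed NAT egress address, so the address-based lookup hands
    every host the same view. Returns the hosts that received the wrong one."""
    nat_egress = "192.0.2.10"
    served = view_from_client_ip(nat_egress)
    return {host for host, wanted in clients if wanted != served}
```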
