On Thu, May 29, 2014 at 01:31:04PM -0400, Simo Sorce wrote:
> On Thu, 2014-05-29 at 18:50 +0200, Petr Spacek wrote:
> > On 29.5.2014 13:48, Sumit Bose wrote:
> > > == slapi-nis plugin/compat tree ==
> > > The compat tree offers a simplified LDAP tree with user and group data
> > > for legacy clients. No data for this tree is stored on disk but it is
> > > always created on the fly. It has to be noted that legacy clients might
> > > be one of the major users of the user-views because chances are that
> > > they were attached to the legacy systems with legacy ID management which
> > > should be replaced by IPA.
> > >
> > > In contrast to the extdom plugin it is not possible to determine the
> > > client based on the DN because the connection might be anonymous. The
> > > Slapi_PBlock contains the IP address of the client in
> > > SLAPI_CONN_CLIENTNETADDR. Finding the matching client object in the IPA
> > > tree requires a reverse-DNS lookup which might be unreliable. If the
> > > reverse-DNS lookup was successful the slapi-nis plugin can follow the
> > > same steps as the extdom plugin to look up and apply the view.
> >
> > Do we really want to base security decisions on reverse DNS resolution?
>
> No, we do not want to play these games.
>
> > That
> > will be insecure. An attacker could tamper with reverse DNS to change UID/GID
> > mapping ... Maybe we can store IP->view mapping in the LDAP database. That
> > should be reliable if we assume that only TCP is used for connection to
> > the LDAP database.
>
> It is not just about it being insecure, it is about it being wrong.
> As soon as you have a bunch of clients behind a NAT this plan goes belly
> up.

I do not like this one either. I just wanted to list the options I could
think of because I think supporting user-views on legacy clients is one
of the major use-cases for this feature.

bye,
Sumit

> > > As an alternative slapi-nis can provide one tree for each view.
>
> This is the only alternative, if we decide to pursue it.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
> _______________________________________________
> Freeipa-devel mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/freeipa-devel
