On 03/02/2016 11:13 AM, Alexander Bokovoy wrote:
Hi,

http://www.freeipa.org/page/V4/External_trust_to_AD documents a design
for external trust to AD feature.

The text is included below for easier review.
-----------------------------------------------------------------------
{{Feature|version=TODO|ticket=TODO|author=Ab}}

== Overview ==
Support for external trust to a domain from Active Directory forest

An external trust is a trust relationship between Active Directory
domains that are in different Active Directory forests. While forest
trust always requires to establish trust between root domains of the
Active Directory forests, external trust can be established to any
domain within the forest.

== Use Cases ==

As an Active Directory domain admin, I want to establish trust between
IPA and my domain only. The trust between IPA and an external Active
Directory domain will be non-transitive as no users or groups from other
Active Directory domains will have access to IPA resources.

== Design==

External trust between Active Directory domains is by definition
non-transitive and enforces SID filtering between the domain boundaries.
This means only users and groups with SIDs from the trusted domain can
use the resources and be visible on IPA systems. None of other users and
groups from domains the trusted domain trusts within its own Active
Directory forest or other externally trusted domains will be allowed to
access IPA resources.

== Implementation ==

External trust feature re-uses existing forest trust infrastructure.
There are several specific changes to allow supporting external trust:
* '''Non-transitivity''': since external trust is non-transitive by
* definition, any attempt to set transitivity feature of the trust link
* with LSA SetInformationTrustedDomain() command will fail. Thus, there
* is no need to set transitivity for the external trust.

Sounds very simple :)

Do I get it right that it is possible to do it today? Because now the code just do:
   root_logger.error('unable to set trust to transitive: %s' % (str(e)))
   pass


* '''Trust attributes''': external trust can be detected by looking into
* absense of ipaNTTrustAttributes LDAP attribute of the trusted domain
* object.

== Feature Management ==

=== UI ===
An option 'external trust' needs to be added to Web UI, corresponding to
'--external' flag in 'trust-add' command in CLI.

=== CLI ===
An external trust creation can be requested by passing additional flag
'--external=true' to the 'trust-add' command. The flag defaults to
'false', e.g. no external trust would be created.

{| class="wikitable"
|-
! Command
! Options
|-
| trust-add
| --external=true/false
|}

We should also add 'external' param to output of trust_find and trust_show + corresponding change in Web UI and CLI.

=== Configuration ===
No configuration options needed.

== Upgrade ==
No changes on upgrades. The trust properties are only set up at trust
creation time.

== How to Test ==
In order to test the external trust, attempt to create a trust to
non-root domain in an Active Directory forest. It should fail without
'--external=true' option and should be able to establish the external
trust with '--external=true' option to 'trust-add' command.

A type of the trust can be seen with 'trust-show' command.

== Test Plan ==

-----------------------------------------------------------------------

--
Petr Vobornik

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to