Re: [Freeipa-users] Possible to tell SSSD to talk to virtual directory instead of directly to 389?

2016-05-13 Thread Marc Boorshtein
Thanks Alexander.  I wasn't looking to get anything developed, just
curious if it would work or even if there was something I could try
on my end like a change to a directory setting to see if it would even
work.  Understood that there's more in the connection between the
ipaclient and the DC than just LDAP.

Thanks
Marc Boorshtein
CTO Tremolo Security
marc.boorsht...@tremolosecurity.com
Twitter - @mlbiam / @tremolosecurity


On Fri, May 13, 2016 at 5:46 AM, Alexander Bokovoy  wrote:
> On Wed, 11 May 2016, Marc Boorshtein wrote:
>>
>> I've got a potential use case where I want to authenticate users using
>> their AD credentials, store accounts and permissions in FreeIPA but
>> not have a cross forest trust.  One way to do this is to have SSSD
>> talk LDAP to a virtual directory which would route the bind to AD but
>> all other operations to the 389 backing IPA.  Kerberos wouldn't work,
>> but if you're interested in password or ssh key based auth it should
>> work, right?  Then you'd still get the HBAC benefits?
>
> There is more than just look up in LDAP when talking to AD DCs. Trust
> ensures we have enough correctly set security descriptors on the objects
> we use to represent our identity to access AD DCs. If that part is
> missing, you get all kinds of problems.
>
> Replacing trust by something that is effectively attempting to simulate
> trust but not being a trust scenario is, of course, possible. However, I
> don't see this as something we'd like to put any reasonable time to
> develop because it is a corner case with a disproportional amount of
> development time investment. You may disagree and that's fine, but this
> doesn't change the fact that somebody needs to invest time into it.
> --
> / Alexander Bokovoy

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Possible to tell SSSD to talk to virtual directory instead of directly to 389?

2016-05-13 Thread Alexander Bokovoy

On Wed, 11 May 2016, Marc Boorshtein wrote:

I've got a potential use case where I want to authenticate users using
their AD credentials, store accounts and permissions in FreeIPA but
not have a cross forest trust.  One way to do this is to have SSSD
talk LDAP to a virtual directory which would route the bind to AD but
all other operations to the 389 backing IPA.  Kerberos wouldn't work,
but if you're interested in password or ssh key based auth it should
work, right?  Then you'd still get the HBAC benefits?

There is more than just look up in LDAP when talking to AD DCs. Trust
ensures we have enough correctly set security descriptors on the objects
we use to represent our identity to access AD DCs. If that part is
missing, you get all kinds of problems.

Replacing trust by something that is effectively attempting to simulate
trust but not being a trust scenario is, of course, possible. However, I
don't see this as something we'd like to put any reasonable time to
develop because it is a corner case with a disproportional amount of
development time investment. You may disagree and that's fine, but this
doesn't change the fact that somebody needs to invest time into it.
--
/ Alexander Bokovoy



[Freeipa-users] Possible to tell SSSD to talk to virtual directory instead of directly to 389?

2016-05-11 Thread Marc Boorshtein
I've got a potential use case where I want to authenticate users using
their AD credentials, store accounts and permissions in FreeIPA but
not have a cross forest trust.  One way to do this is to have SSSD
talk LDAP to a virtual directory which would route the bind to AD but
all other operations to the 389 backing IPA.  Kerberos wouldn't work,
but if you're interested in password or ssh key based auth it should
work, right?  Then you'd still get the HBAC benefits?

Thanks


Marc Boorshtein
CTO Tremolo Security
marc.boorsht...@tremolosecurity.com
Twitter - @mlbiam / @tremolosecurity
