Re: [Freeipa-devel] Management of the CS instances.
On Fri, 2011-06-17 at 18:59 -0400, Dmitri Pal wrote:
> Hi,
>
> Before we went too far with implementing the CS decoupling here is a stupid idea I have.
> We can proceed with the plans described in tickets:
> https://fedorahosted.org/freeipa/ticket/1250
> https://fedorahosted.org/freeipa/ticket/1251
> https://fedorahosted.org/freeipa/ticket/1252
>
> However what we can do is store the CS instance DM password encrypted in the main instance. Then the management utility (ticket 1250) would first have to fetch this encrypted attribute from the main instance. We would be able to define ACIs on it and use the kerberos authentication against the main instance instead of prompting user for the DM password.
> It is a little bit more work but much better and consistent user experience and administrative model.
>
> What do you think?

This is something we can try I guess. But in order to do something like that we will have to create a special extended operation or add a special search control in the password-extop plugin so that it can perform access control and decrypt the secret before handing it back.

Although if we are going this route we could also see if we can use some temporary token instead that allows access to the CS instance for a few minutes w/o giving away the actual DM password.

I will think a bit how hard it would be.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] Management of the CS instances.
On Sat, 2011-06-18 at 11:18 -0400, Simo Sorce wrote:
> On Fri, 2011-06-17 at 18:59 -0400, Dmitri Pal wrote:
> > Hi,
> >
> > Before we went too far with implementing the CS decoupling here is a stupid idea I have.
> > We can proceed with the plans described in tickets:
> > https://fedorahosted.org/freeipa/ticket/1250
> > https://fedorahosted.org/freeipa/ticket/1251
> > https://fedorahosted.org/freeipa/ticket/1252
> >
> > However what we can do is store the CS instance DM password encrypted in the main instance. Then the management utility (ticket 1250) would first have to fetch this encrypted attribute from the main instance. We would be able to define ACIs on it and use the kerberos authentication against the main instance instead of prompting user for the DM password.
> > It is a little bit more work but much better and consistent user experience and administrative model.
> >
> > What do you think?
>
> This is something we can try I guess. But in order to do something like that we will have to create a special extended operation or add a special search control in the password-extop plugin so that it can perform access control and decrypt the secret before handing it back.
>
> Although if we are going this route we could also see if we can use some temporary token instead that allows access to the CS instance for a few minutes w/o giving away the actual DM password.
>
> I will think a bit how hard it would be.

I have created ticket https://fedorahosted.org/freeipa/ticket/1353 to capture this task.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] Management of the CS instances.
On 06/17/2011 06:59 PM, Dmitri Pal wrote:
> Hi,
>
> Before we went too far with implementing the CS decoupling here is a stupid idea I have.
> We can proceed with the plans described in tickets:
> https://fedorahosted.org/freeipa/ticket/1250
> https://fedorahosted.org/freeipa/ticket/1251
> https://fedorahosted.org/freeipa/ticket/1252
>
> However what we can do is store the CS instance DM password encrypted in the main instance. Then the management utility (ticket 1250) would first have to fetch this encrypted attribute from the main instance. We would be able to define ACIs on it and use the kerberos authentication against the main instance instead of prompting user for the DM password.
> It is a little bit more work but much better and consistent user experience and administrative model.

Makes sense at a first pass. I haven't worked that deeply with the CS stuff to say for sure, but treating the IPA DS as canonical and thus giving it the keys to the kingdom seems to be the right call. It all depends on which (CS or IPA) you want to treat as the most critical to lock down. I see nothing wrong with keeping IPA in that role.

> What do you think?
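The model the thread converges on has two parts: the CS instance's DM password is held only in encrypted form in the main IPA directory, and a server-side handler (the password-extop plugin in Simo's proposal) applies an ACI-style check on the Kerberos-authenticated caller before decrypting, or hands out a short-lived token instead of the password itself. The following is an added illustration of that flow and is not FreeIPA or 389-ds code; SecretStore, verify_token, the key names and the principals are constructed for this example. The cipher is an HMAC-SHA256 keystream XOR with encrypt-then-MAC so that the block runs on the Python standard library alone; a real plugin would use an authenticated cipher such as AES-GCM from a proper crypto library, and the caller's principal would come from a completed GSSAPI bind rather than a function argument.

```python
"""Toy model of the access-control flow discussed in the thread (added
illustration, not FreeIPA or 389-ds code)."""
import base64
import hashlib
import hmac
import json
import os
import struct
import time

TAG_LEN = 32    # SHA-256 output size
NONCE_LEN = 16


def _keystream(key, nonce, length):
    """Toy stream cipher: HMAC(key, nonce || counter) blocks, stand-in for AES-GCM."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_secret(key, plaintext):
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_secret(key, blob):
    """Verify the tag before using the ciphertext; raise on tampering."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("stored secret failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class SecretStore:
    """Models the main DS entry holding the encrypted CS DM password plus the
    ACI naming which principals may read it (hypothetical class)."""

    def __init__(self, wrap_key, token_key, allowed_principals):
        self.wrap_key = wrap_key        # protects secrets at rest in the main DS
        self.token_key = token_key      # shared with the CS side to verify tokens
        self.allowed = set(allowed_principals)
        self.entries = {}

    def store(self, name, secret):
        self.entries[name] = encrypt_secret(self.wrap_key, secret)

    def permitted(self, principal):
        """The ACI check: only listed principals may read or obtain tokens."""
        return principal in self.allowed

    def fetch_secret(self, principal, name):
        """Decrypt and return the secret only to an authorized principal."""
        if not self.permitted(principal):
            raise PermissionError(f"{principal} may not read secret {name!r}")
        return decrypt_secret(self.wrap_key, self.entries[name])

    def issue_token(self, principal, name, lifetime=300, now=None):
        """Alternative to handing out the password: a signed token that grants
        access to one CS instance for a few minutes."""
        if not self.permitted(principal):
            raise PermissionError(f"{principal} may not access {name!r}")
        now = time.time() if now is None else now
        body = json.dumps({"sub": principal, "scope": name, "exp": now + lifetime}).encode()
        mac = hmac.new(self.token_key, body, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(body + mac).decode()


def verify_token(token_key, token, name, now=None):
    """CS-side check: valid MAC, matching scope, not expired.
    Returns the claims on success or None on any failure."""
    try:
        data = base64.urlsafe_b64decode(token.encode())
    except ValueError:
        return None
    body, mac = data[:-TAG_LEN], data[-TAG_LEN:]
    if not hmac.compare_digest(mac, hmac.new(token_key, body, hashlib.sha256).digest()):
        return None
    claims = json.loads(body)
    now = time.time() if now is None else now
    if claims.get("scope") != name or claims.get("exp", 0) <= now:
        return None
    return claims


if __name__ == "__main__":
    # Constructed sample values: random keys, one allowed principal.
    store = SecretStore(os.urandom(32), os.urandom(32), ["admin@EXAMPLE.TEST"])
    store.store("pki-ca", b"constructed-dm-password")
    print(store.fetch_secret("admin@EXAMPLE.TEST", "pki-ca"))
    tok = store.issue_token("admin@EXAMPLE.TEST", "pki-ca")
    print(verify_token(store.token_key, tok, "pki-ca"))
```

The two checks worth noting are that the ACI decision happens before any decryption, so an unauthorized bind never causes the wrapping key to be used, and that the token is scoped to a single CS instance with an expiry, which is what limits the damage if it leaks compared with the DM password itself.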