Re: [Freeipa-devel] [PATCHES] Implement support for S4U2Proxy delegation in IPA
On Thu, 2011-12-08 at 16:55 -0500, Rob Crittenden wrote:
> Simo Sorce wrote:
> > On Mon, 2011-12-05 at 18:37 -0500, Simo Sorce wrote:
> >> On Fri, 2011-12-02 at 10:10 -0500, Simo Sorce wrote:
> >>> On Fri, 2011-12-02 at 09:27 -0500, Rob Crittenden wrote:
> >>> > Simo Sorce wrote:
> >>> > > Hello all,
> >>> > >
> >>> > > with this set of patches it is possible to allow constrained delegation
> >>> > > of credentials so that a service can impersonate a user when
> >>>
> >>> [..]
> >>>
> >>> > In the third patch in ipadb_get_delegation_acl() you can just fall
> >>> > through to the return.
> >>>
> >>> Removed useless check.
> >>> I also noticed I had added the prototype declaration for the new vtable
> >>> function in the 2nd patch instead of the 3rd where it belongs by
> >>> mistake.
> >>>
> >>> So I fixed that too.
> >>>
> >>> > I think the content of this e-mail should be added as a README to the
> >>> > source tree.
> >>>
> >>> Ok, I dumped and adapted the email content into a README file and added
> >>> it to the third patch.
> >>>
> >>> I also fixed the patch names as per policy.
> >>>
> >>> Simo.
> >>
> >>
> >> We have discovered a few issues w/ MIT 1.9 and s4u2proxy used outside of
> >> the 'artificial' test done by kvno.
> >>
> >> I pushed a patch to handle part of the problem as a new krb5 package in
> >> ipa-devel.
> >>
> >> Soon we will have a patch for mod_auth_kerb that handles an issue there.
> >>
> >> But we still have an unresolved issue when using the adtrust
> >> functionality and our KDC releases PACs.
> >>
> >> The attached patch can be used to deal with that case. As you can see
> >> this is not intended for production, but can be used until we have a
> >> better fix on the KDC side.
> >>
> >> Simo.
> >
> > Rebased patch 468 to apply to current master.
> >
> > Simo.
> >
>
> ACK x3

Pushed to master.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] Implement support for S4U2Proxy delegation in IPA
Simo Sorce wrote:
> On Mon, 2011-12-05 at 18:37 -0500, Simo Sorce wrote:
> > On Fri, 2011-12-02 at 10:10 -0500, Simo Sorce wrote:
> > > On Fri, 2011-12-02 at 09:27 -0500, Rob Crittenden wrote:
> > > > Simo Sorce wrote:
> > > > > Hello all,
> > > > >
> > > > > with this set of patches it is possible to allow constrained delegation
> > > > > of credentials so that a service can impersonate a user when
> > >
> > > [..]
> > >
> > > > In the third patch in ipadb_get_delegation_acl() you can just fall
> > > > through to the return.
> > >
> > > Removed useless check.
> > > I also noticed I had added the prototype declaration for the new vtable
> > > function in the 2nd patch instead of the 3rd where it belongs by
> > > mistake.
> > >
> > > So I fixed that too.
> > >
> > > > I think the content of this e-mail should be added as a README to the
> > > > source tree.
> > >
> > > Ok, I dumped and adapted the email content into a README file and added
> > > it to the third patch.
> > >
> > > I also fixed the patch names as per policy.
> > >
> > > Simo.
> >
> > We have discovered a few issues w/ MIT 1.9 and s4u2proxy used outside of
> > the 'artificial' test done by kvno.
> >
> > I pushed a patch to handle part of the problem as a new krb5 package in
> > ipa-devel.
> >
> > Soon we will have a patch for mod_auth_kerb that handles an issue there.
> >
> > But we still have an unresolved issue when using the adtrust
> > functionality and our KDC releases PACs.
> >
> > The attached patch can be used to deal with that case. As you can see
> > this is not intended for production, but can be used until we have a
> > better fix on the KDC side.
> >
> > Simo.
>
> Rebased patch 468 to apply to current master.
>
> Simo.

ACK x3
Re: [Freeipa-devel] [PATCHES] Implement support for S4U2Proxy delegation in IPA
On Mon, 2011-12-05 at 18:37 -0500, Simo Sorce wrote:
> On Fri, 2011-12-02 at 10:10 -0500, Simo Sorce wrote:
> > On Fri, 2011-12-02 at 09:27 -0500, Rob Crittenden wrote:
> > > Simo Sorce wrote:
> > > > Hello all,
> > > >
> > > > with this set of patches it is possible to allow constrained delegation
> > > > of credentials so that a service can impersonate a user when
> >
> > [..]
> >
> > > In the third patch in ipadb_get_delegation_acl() you can just fall
> > > through to the return.
> >
> > Removed useless check.
> > I also noticed I had added the prototype declaration for the new vtable
> > function in the 2nd patch instead of the 3rd where it belongs by
> > mistake.
> >
> > So I fixed that too.
> >
> > > I think the content of this e-mail should be added as a README to the
> > > source tree.
> >
> > Ok, I dumped and adapted the email content into a README file and added
> > it to the third patch.
> >
> > I also fixed the patch names as per policy.
> >
> > Simo.
>
> We have discovered a few issues w/ MIT 1.9 and s4u2proxy used outside of
> the 'artificial' test done by kvno.
>
> I pushed a patch to handle part of the problem as a new krb5 package in
> ipa-devel.
>
> Soon we will have a patch for mod_auth_kerb that handles an issue there.
>
> But we still have an unresolved issue when using the adtrust
> functionality and our KDC releases PACs.
>
> The attached patch can be used to deal with that case. As you can see
> this is not intended for production, but can be used until we have a
> better fix on the KDC side.
>
> Simo.

Rebased patch 468 to apply to current master.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

>From 1ecdb11ba9a11707278e03fb54cff5693bd626ce Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Sun, 20 Nov 2011 17:04:05 -0500
Subject: [PATCH] ipa-kdb: Delegation ACL schema

---
 install/share/60basev3.ldif |    5 +
 1 files changed, 5 insertions(+), 0 deletions(-)
diff --git a/install/share/60basev3.ldif b/install/share/60basev3.ldif index 0e4303b1e2b247f751fad3aaeb2b418d3ffa16eb..104cffb2b70d97d4b83b9215234171801cf59b64 100644 --- a/install/share/60basev3.ldif +++ b/install/share/60basev3.ldif 
@@ -23,8 +23,13 @@ attributeTypes: ( 2.16.840.1.113730.3.8.11.16 NAME 'ipaNTTrustAuthIncoming' DESC attributeTypes: ( 2.16.840.1.113730.3.8.11.17 NAME 'ipaNTTrustForestTrustInfo' DESC 'Forest trust information for a trusted domain object' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) attributeTypes: ( 2.16.840.1.113730.3.8.11.18 NAME 'ipaNTTrustPosixOffset' DESC 'POSIX offset of a trust' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributeTypes: ( 2.16.840.1.113730.3.8.11.19 NAME 'ipaNTSupportedEncryptionTypes' DESC 'Supported encryption types of a trust' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +attributeTypes: ( 2.16.840.1.113730.3.8.11.20 NAME 'memberPrincipal' DESC 'Principal names member of a groupOfPrincipals group' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA-v3') +attributeTypes: ( 2.16.840.1.113730.3.8.11.21 NAME 'ipaAllowToImpersonate' DESC 'Principals that can be impersonated' SUP distinguishedName X-ORIGIN 'IPA-v3') +attributeTypes: ( 2.16.840.1.113730.3.8.11.22 NAME 'ipaAllowedTarget' DESC 'Target principals alowed to get a ticket for' SUP distinguishedName X-ORIGIN 'IPA-v3') objectClasses: (2.16.840.1.113730.3.8.12.1 NAME 'ipaExternalGroup' SUP top STRUCTURAL MUST ( cn ) MAY ( ipaExternalMember $ memberOf $ description $ owner) X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.2 NAME 'ipaNTUserAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) MAY ( ipaNTHash $ ipaNTLogonScript $ ipaNTProfilePath $ ipaNTHomeDirectory $ ipaNTHomeDirectoryDrive ) X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.3 NAME 'ipaNTGroupAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.4 NAME 'ipaNTDomainAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier $ ipaNTFlatName $ ipaNTDomainGUID ) MAY ( ipaNTFallbackPrimaryGroup ) X-ORIGIN 
'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.5 NAME 'ipaNTTrustedDomain' SUP top STRUCTURAL DESC 'Trusted Domain Object' MUST ( cn ) MAY ( ipaNTTrustType $ ipaNTTrustAttributes $ ipaNTTrustDirection $ ipaNTTrustPartner $ ipaNTFlatName $ ipaNTTrustAuthOutgoing $ ipaNTTrustAuthIncoming $ ipaNTSecurityIdentifier $ ipaNTTrustForestTrustInfo $ ipaNTTrustPosixOffset $ ipaNTSupportedEncryptionTypes) ) +objectClasses: (2.16.840.1.113730.3.8.12.6 NAME 'groupOfPrincipals' SUP top AUXILIARY MUST ( cn ) MAY ( memberPrincipal ) X-ORIGIN 'IPA v3' ) +objectClasses: (2.16.840.1.113730.3.8.12.7 NAME 'ipaKrb5DelegationACL' SUP groupOfPrincipals STRUCTURAL MAY ( ipaAllowToImpersonate $ ipaAllowedTarget ) X-ORIGIN 'IPA v3' ) -- 1.7.7.1 ___ Freeipa-devel mailing list Freei
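Review bot: the three added attributeTypes lines use X-ORIGIN 'IPA-v3' (and no space before the closing parenthesis) while every other definition in 60basev3.ldif, including the two added objectClasses, uses X-ORIGIN 'IPA v3'; pick one spelling so anything that groups schema by origin sees a single value. In the same lines the DESC of ipaAllowedTarget reads 'Target principals alowed to get a ticket for' (typo, "allowed"), and the DESC of ipaAllowToImpersonate should state that the attribute being absent means the proxy may impersonate any principal: the cover letter defines that fail-open default, and a reader of the schema alone will not guess it.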
Re: [Freeipa-devel] [PATCHES] Implement support for S4U2Proxy delegation in IPA
On Fri, 2011-12-02 at 10:10 -0500, Simo Sorce wrote:
> On Fri, 2011-12-02 at 09:27 -0500, Rob Crittenden wrote:
> > Simo Sorce wrote:
> > > Hello all,
> > >
> > > with this set of patches it is possible to allow constrained delegation
> > > of credentials so that a service can impersonate a user when
>
> [..]
>
> > In the third patch in ipadb_get_delegation_acl() you can just fall
> > through to the return.
>
> Removed useless check.
> I also noticed I had added the prototype declaration for the new vtable
> function in the 2nd patch instead of the 3rd where it belongs by
> mistake.
>
> So I fixed that too.
>
> > I think the content of this e-mail should be added as a README to the
> > source tree.
>
> Ok, I dumped and adapted the email content into a README file and added
> it to the third patch.
>
> I also fixed the patch names as per policy.
>
> Simo.

We have discovered a few issues w/ MIT 1.9 and s4u2proxy used outside of
the 'artificial' test done by kvno.

I pushed a patch to handle part of the problem as a new krb5 package in
ipa-devel.

Soon we will have a patch for mod_auth_kerb that handles an issue there.

But we still have an unresolved issue when using the adtrust
functionality and our KDC releases PACs.

The attached patch can be used to deal with that case. As you can see
this is not intended for production, but can be used until we have a
better fix on the KDC side.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

>From 33aebb5702fd77926340d1d0fb6556299a3831c0 Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Mon, 5 Dec 2011 15:46:59 -0500
Subject: [PATCH] ipa-kdb: temporary workaround for s4u2proxy ops

---
 daemons/ipa-kdb/ipa_kdb_mspac.c |    6 +-
 1 files changed, 5 insertions(+), 1 deletions(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 160974ceb9cede21a3709316551fa5e1f1c5d5df..62b11becf2fa94cf88e9edf221ece36def758b6f 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -683,7 +683,11 @@ krb5_error_code ipadb_sign_authdata(krb5_context context, } } -if (!is_as_req) { +if (!is_as_req && +!(flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION)) { +/* FIXME: flags check is temporary, + * remove once KDC code properly passes us keys for s4u2 ops */ +/* WARNING: THIS IS A SECURITY ISSUE, DO NOT SHIP WITH THIS HACK */ kerr = ipadb_verify_pac(context, flags, ks_client_princ, client, server_key, krbtgt_key, -- 1.7.7.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
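Review bot: with the new condition ipadb_verify_pac() is skipped for every request that carries KRB5_KDB_FLAG_CONSTRAINED_DELEGATION, so a PAC arriving in an S4U2Proxy evidence ticket is accepted without its signatures being checked, which the inline WARNING already admits. Given that the thread ends with this patch acked and pushed to master, the flag check should sit behind a compile-time switch that is off by default, or at least the FIXME should name the tracking ticket for the KDC-side fix, so the unverified path cannot linger into a release unnoticed. Minor: both comment blocks are placed inside the if body after the condition they explain; move them above the `if (!is_as_req &&` line so a reader sees the caveat before the check.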
Re: [Freeipa-devel] [PATCHES] Implement support for S4U2Proxy delegation in IPA
On Fri, 2011-12-02 at 09:27 -0500, Rob Crittenden wrote:
> Simo Sorce wrote:
> > Hello all,
> >
> > with this set of patches it is possible to allow constrained delegation
> > of credentials so that a service can impersonate a user when

[..]

> In the third patch in ipadb_get_delegation_acl() you can just fall
> through to the return.

Removed useless check.
I also noticed I had added the prototype declaration for the new vtable
function in the 2nd patch instead of the 3rd where it belongs by
mistake.

So I fixed that too.

> I think the content of this e-mail should be added as a README to the
> source tree.

Ok, I dumped and adapted the email content into a README file and added
it to the third patch.

I also fixed the patch names as per policy.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

>From 6361de2b8a08a2ca8787300bd4672af1c855a857 Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Sun, 20 Nov 2011 17:04:05 -0500
Subject: [PATCH 1/3] ipa-kdb: Delegation ACL schema

---
 install/share/60basev3.ldif |    5 +
 1 files changed, 5 insertions(+), 0 deletions(-)

diff --git a/install/share/60basev3.ldif b/install/share/60basev3.ldif
index f518541586b2df9ed08718098a7f170563aa4e1d..b31a3d4dd77be57adcc0d97d24e23ecf71025756 100644
--- a/install/share/60basev3.ldif
+++ b/install/share/60basev3.ldif
@@ -14,7 +14,12 @@ attributeTypes: (2.16.840.1.113730.3.8.11.7 NAME 'ipaNTProfilePath' DESC 'User P attributeTypes: (2.16.840.1.113730.3.8.11.8 NAME 'ipaNTHomeDirectory' DESC 'User Home Directory Path' EQUALITY caseIgnoreMatch OREDRING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v3' ) attributeTypes: (2.16.840.1.113730.3.8.11.9 NAME 'ipaNTHomeDirectoryDrive' DESC 'User Home Drive Letter' EQUALITY caseIgnoreMatch OREDRING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v3' ) attributeTypes: (2.16.840.1.113730.3.8.11.10 NAME 'ipaNTDomainGUID' DESC 'NT Domain GUID' EQUALITY caseIgnoreIA5Match OREDRING caseIgnoreIA5OrderingMatch SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'IPA v3' ) +attributeTypes: ( 2.16.840.1.113730.3.8.11.20 NAME 'memberPrincipal' DESC 'Principal names member of a groupOfPrincipals group' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA-v3') +attributeTypes: ( 2.16.840.1.113730.3.8.11.21 NAME 'ipaAllowToImpersonate' DESC 'Principals that can be impersonated' SUP distinguishedName X-ORIGIN 'IPA-v3') +attributeTypes: ( 2.16.840.1.113730.3.8.11.22 NAME 'ipaAllowedTarget' DESC 'Target principals alowed to get a ticket for' SUP distinguishedName X-ORIGIN 'IPA-v3') objectClasses: (2.16.840.1.113730.3.8.12.1 NAME 'ipaExternalGroup' SUP top STRUCTURAL MUST ( cn ) MAY ( ipaExternalMember $ memberOf $ description $ owner) X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.2 NAME 'ipaNTUserAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) MAY ( ipaNTHash $ ipaNTLogonScript $ ipaNTProfilePath $ ipaNTHomeDirectory $ ipaNTHomeDirectoryDrive ) X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.3 NAME 'ipaNTGroupAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) X-ORIGIN 
'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.4 NAME 'ipaNTDomainAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier $ ipaNTFlatName $ ipaNTDomainGUID ) MAY ( ipaNTFallbackPrimaryGroup ) X-ORIGIN 'IPA v3' ) +objectClasses: (2.16.840.1.113730.3.8.12.6 NAME 'groupOfPrincipals' SUP top AUXILIARY MUST ( cn ) MAY ( memberPrincipal ) X-ORIGIN 'IPA v3' ) +objectClasses: (2.16.840.1.113730.3.8.12.7 NAME 'ipaKrb5DelegationACL' SUP groupOfPrincipals STRUCTURAL MAY ( ipaAllowToImpersonate $ ipaAllowedTarget ) X-ORIGIN 'IPA v3' ) -- 1.7.7.1 >From 3a15f52a95aae218f66d6aba06dfa1ce874aa855 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Sun, 20 Nov 2011 20:50:27 -0500 Subject: [PATCH 2/3] ipa-kdb: enhance deref searches Allow to deref more than one attribute. The attrs searched are the same for all deref attributes at this time. --- daemons/ipa-kdb/ipa_kdb.h|7 +-- daemons/ipa-kdb/ipa_kdb_common.c | 34 +- daemons/ipa-kdb/ipa_kdb_mspac.c | 11 +-- 3 files changed, 39 insertions(+), 13 deletions(-) diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h index 8c907c448d0f497786f7b66fb4e17e6590d4cc29..33b74a28ab9a283d635b050e93ee3760c1a55ec6 100644 --- a/daemons/ipa-kdb/ipa_kdb.h +++ b/daemons/ipa-kdb/ipa_kdb.h @@ -123,8 +123,11 @@ krb5_error_code ipadb_simple_modify(struct ipadb_context *ipactx, krb5_error_code ipadb_simple_delete_val(struct ipadb_context *ipactx, char *dn, char *attr, char *value); krb5_error_code ipadb_deref_search(struct ipadb_context *ipactx, - char *entry_dn, char **entry_attr
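Review bot: ipaKrb5DelegationACL is declared STRUCTURAL with SUP groupOfPrincipals, but groupOfPrincipals is AUXILIARY; RFC 4512 (section 2.4.2) lets a structural class inherit only from abstract or structural classes, and the test entries in the cover letter already have to list both object classes by hand, which is a symptom of the same thing. Either make groupOfPrincipals ABSTRACT (with a small structural subclass for the plain target groups) or keep the two classes independent, and confirm that 389-ds loads the schema without complaint. Separately, memberPrincipal is a plain string with caseIgnoreMatch while the two reference attributes are DNs, so a comment in the ldif saying that principal names are compared case-insensitively here would save the next reader a trip to the KDC code.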
Re: [Freeipa-devel] [PATCHES] Implement support for S4U2Proxy delegation in IPA
Simo Sorce wrote:
> Hello all,
>
> with this set of patches it is possible to allow constrained delegation
> of credentials so that a service can impersonate a user when
> communicating with another service w/o requiring the user to actually
> forward their TGT. This makes for a much better method of delegating
> credentials as it prevents exposure of the short term secret of the
> user.
>
> Plus, I added a relatively simple access control method that allows
> the KDC to decide exactly which services are allowed to impersonate
> which users against other services. A simple grouping mechanism is
> used so that large environments, clusters and otherwise classes of
> services can be much more easily managed.
>
> The grouping mechanism has been built so that lookup is highly
> optimized and is basically reduced to a single search that uses the
> dereference control. Speed is very important in this case because KDC
> operations time out very quickly and unless we add a caching layer in
> ipa-kdb we must keep the number of searches down to avoid client
> timeouts.
>
> The grouping mechanism is very simple: a groupOfPrincipals object is
> introduced; this Auxiliary class has a single optional attribute called
> memberPrincipal which is a string containing a principal name.
>
> A separate objectclass is also introduced called ipaKrb5DelegationACL,
> it is a subclass of groupOfPrincipals and is a Structural class. It
> has 2 additional optional attributes: ipaAllowedTarget and
> ipaAllowToImpersonate. They are both DNs.
>
> The memberPrincipal attribute in this class contains the list of
> principals that are being considered as 'proxies', that is the
> principals of the services that want to impersonate users against
> other services.
>
> The ipaAllowedToImpersonate must point to a groupOfPrincipal based
> object that contains the list of users that can be impersonated by
> this service. If the attribute is missing then the service is allowed
> to impersonate *any* user.
>
> The ipaAllowedTarget DN must point to a groupOfPrincipal based object
> that contains the list of services that the proxy service is allowed
> to target when impersonating users. A target must be specified in order
> to allow a service to access it impersonating another principal.
>
> At the moment no wildcarding is implemented so services have to be
> explicitly listed in their respective groups. I have some idea of
> adding wildcard support at least for the ipaAllowedToImpersonate group
> in order to separate user principals by REALM. So you can say all
> users of REALM1 can be impersonated by this service but no users of
> REALM2. It is unclear how this wildcarding may be implemented, but it
> must be simple to avoid potentially very expensive computations every
> time a ticket for the target services is requested.
>
> I have briefly tested this patch by manually creating a few objects
> then using the kvno command to test that I could get an ldap ticket
> just using the HTTP credentials (in order to do this I had to allow
> also s4u2self operations for the HTTP service, but this is *not*
> generally required and it is *not* desired in the IPA framework
> implementation).
>
> This patchset does not contain any CLI or UI nor installation changes
> to create ipaKrb5DelegationACL objects. It is indeed yet unclear where
> we want to store them (suggestions are welcome) and how/when we may
> want to expose this mechanism through UI/CLI for general usage.
>
> The initial intended usage is to allow us to move away from using
> forwarded TGTs in the IPA framework and instead use S4U2Proxy in order
> to access the ldap service. In order to do this some changes will need
> to be made in installation scripts and replica management scripts
> later.
>
> How to test:
>
> Create 2 objects like these:
>
> dn: cn=ipa-http-delegation,...
> objectClass: ipaKrb5DelegationACL
> objectClass: groupOfPrincipals
> cn: ipa-http-delegation
> memberPrincipal: HTTP/ipaserver.example@example.com
> ipaAllowedTarget: cn=ipa-ldap-delegation-targets,...
>
> dn: cn=ipa-ldap-delegation-targets,...
> objectClass: groupOfPrincipals
> cn: ipa-ldap-delegation-targets
> memberPrincipal: ldap/ipaserver.example@example.com
>
> In order to test with kvno which pretends to do s4u2self too you will
> need to allow the HTTP service to impersonate arbitrary users. This is
> done with:
>
> kadmin.local
> modprinc +ok_to_auth_as_delegate HTTP/ipaserver.example.com
>
> Then run kvno as follows:
>
> # Init credentials as HTTP
> kinit -kt /etc/httpd/conf/ipa.keytab HTTP/ipaserver.example.com
> # Perform S4U2Self
> kvno -U admin HTTP/ipaserver.example.com
> # Perform S4U2Proxy
> kvno -k /etc/httpd/conf/ipa.keytab -U admin -P HTTP/ipaserver.example.com ldap/ipaserver.example.com
>
> If this works it means you successfully impersonated the admin user
> with the HTTP service against the ldap service.
>
> Simo.

In the third patch in ipadb_get_delegation_acl() you can just fall
through to the return.

I think the content of this e-mail should be added as a README to the
source tree.

rob
[Freeipa-devel] [PATCHES] Implement support for S4U2Proxy delegation in IPA
Hello all,

with this set of patches it is possible to allow constrained delegation
of credentials so that a service can impersonate a user when
communicating with another service w/o requiring the user to actually
forward their TGT. This makes for a much better method of delegating
credentials as it prevents exposure of the short term secret of the
user.

Plus, I added a relatively simple access control method that allows
the KDC to decide exactly which services are allowed to impersonate
which users against other services. A simple grouping mechanism is
used so that large environments, clusters and otherwise classes of
services can be much more easily managed.

The grouping mechanism has been built so that lookup is highly
optimized and is basically reduced to a single search that uses the
dereference control. Speed is very important in this case because KDC
operations time out very quickly and unless we add a caching layer in
ipa-kdb we must keep the number of searches down to avoid client
timeouts.

The grouping mechanism is very simple: a groupOfPrincipals object is
introduced; this Auxiliary class has a single optional attribute called
memberPrincipal which is a string containing a principal name.

A separate objectclass is also introduced called ipaKrb5DelegationACL,
it is a subclass of groupOfPrincipals and is a Structural class. It
has 2 additional optional attributes: ipaAllowedTarget and
ipaAllowToImpersonate. They are both DNs.

The memberPrincipal attribute in this class contains the list of
principals that are being considered as 'proxies', that is the
principals of the services that want to impersonate users against
other services.

The ipaAllowedToImpersonate must point to a groupOfPrincipal based
object that contains the list of users that can be impersonated by
this service. If the attribute is missing then the service is allowed
to impersonate *any* user.

The ipaAllowedTarget DN must point to a groupOfPrincipal based object
that contains the list of services that the proxy service is allowed
to target when impersonating users. A target must be specified in order
to allow a service to access it impersonating another principal.

At the moment no wildcarding is implemented so services have to be
explicitly listed in their respective groups. I have some idea of
adding wildcard support at least for the ipaAllowedToImpersonate group
in order to separate user principals by REALM. So you can say all
users of REALM1 can be impersonated by this service but no users of
REALM2. It is unclear how this wildcarding may be implemented, but it
must be simple to avoid potentially very expensive computations every
time a ticket for the target services is requested.

I have briefly tested this patch by manually creating a few objects
then using the kvno command to test that I could get an ldap ticket
just using the HTTP credentials (in order to do this I had to allow
also s4u2self operations for the HTTP service, but this is *not*
generally required and it is *not* desired in the IPA framework
implementation).

This patchset does not contain any CLI or UI nor installation changes
to create ipaKrb5DelegationACL objects. It is indeed yet unclear where
we want to store them (suggestions are welcome) and how/when we may
want to expose this mechanism through UI/CLI for general usage.

The initial intended usage is to allow us to move away from using
forwarded TGTs in the IPA framework and instead use S4U2Proxy in order
to access the ldap service. In order to do this some changes will need
to be made in installation scripts and replica management scripts
later.

How to test:

Create 2 objects like these:

dn: cn=ipa-http-delegation,...
objectClass: ipaKrb5DelegationACL
objectClass: groupOfPrincipals
cn: ipa-http-delegation
memberPrincipal: HTTP/ipaserver.example@example.com
ipaAllowedTarget: cn=ipa-ldap-delegation-targets,...

dn: cn=ipa-ldap-delegation-targets,...
objectClass: groupOfPrincipals
cn: ipa-ldap-delegation-targets
memberPrincipal: ldap/ipaserver.example@example.com

In order to test with kvno which pretends to do s4u2self too you will
need to allow the HTTP service to impersonate arbitrary users. This is
done with:

kadmin.local
modprinc +ok_to_auth_as_delegate HTTP/ipaserver.example.com

Then run kvno as follows:

# Init credentials as HTTP
kinit -kt /etc/httpd/conf/ipa.keytab HTTP/ipaserver.example.com
# Perform S4U2Self
kvno -U admin HTTP/ipaserver.example.com
# Perform S4U2Proxy
kvno -k /etc/httpd/conf/ipa.keytab -U admin -P HTTP/ipaserver.example.com ldap/ipaserver.example.com

If this works it means you successfully impersonated the admin user
with the HTTP service against the ldap service.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

>From f953d45f87837c41965767a1ff311131f7d37abb Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Sun, 20 Nov 2011 17:04:05 -0500
Subject: [PATCH 1/3] ipa-kdb: Delegation ACL schema

---
 install/share/60basev3.ldif |    5 +
 1 files changed, 5 inser
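The ACL evaluation the cover letter describes, as an added example that is not part of the thread or of the ipa-kdb patches: a Python model of the ipaKrb5DelegationACL rules (proxy listed as memberPrincipal, a missing ipaAllowToImpersonate meaning any user, a mandatory ipaAllowedTarget group) run over constructed LDIF, extended with a second ACL that does restrict the impersonated users. The container DN cn=s4u2proxy,cn=etc,dc=example,dc=com, the EXAMPLE.COM realm and the helpdesk entries are assumptions, and the lookup is a dictionary walk rather than the single deref search ipa-kdb performs.

```python
# Added example, not ipa-kdb code: models the ipaKrb5DelegationACL rules from
# the cover letter over constructed LDIF. Container DN, realm and the helpdesk
# entries are assumptions; ipa-kdb does this with one deref search, not a walk.
SAMPLE_LDIF = """\
dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=example,dc=com
objectClass: ipaKrb5DelegationACL
objectClass: groupOfPrincipals
cn: ipa-http-delegation
memberPrincipal: HTTP/ipaserver.example.com@EXAMPLE.COM
ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=com

dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=com
objectClass: groupOfPrincipals
cn: ipa-ldap-delegation-targets
memberPrincipal: ldap/ipaserver.example.com@EXAMPLE.COM

dn: cn=helpdesk-delegation,cn=s4u2proxy,cn=etc,dc=example,dc=com
objectClass: ipaKrb5DelegationACL
objectClass: groupOfPrincipals
cn: helpdesk-delegation
memberPrincipal: HTTP/helpdesk.example.com@EXAMPLE.COM
ipaAllowToImpersonate: cn=helpdesk-users,cn=s4u2proxy,cn=etc,dc=example,dc=com
ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=com

dn: cn=helpdesk-users,cn=s4u2proxy,cn=etc,dc=example,dc=com
objectClass: groupOfPrincipals
cn: helpdesk-users
memberPrincipal: alice@EXAMPLE.COM
"""


def parse_ldif(text):
    """Minimal LDIF reader returning {dn: {attr_lowercase: [values]}}.
    Enough for the attribute/value records above (no base64, no folding)."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries[attrs.pop("dn")[0]] = attrs
    return entries


def members(entries, dn):
    """memberPrincipal values of a groupOfPrincipals, lower-cased to mirror
    the caseIgnoreMatch equality rule declared in the schema patch.
    A dangling DN yields an empty set, i.e. it grants nothing."""
    return {p.lower() for p in entries.get(dn, {}).get("memberprincipal", [])}


def delegation_allowed(entries, proxy, user, target):
    """Return the DN of the ACL entry that lets `proxy` impersonate `user`
    against `target`, or None. Any one ACL listing the proxy can grant it."""
    proxy, user, target = proxy.lower(), user.lower(), target.lower()
    for dn, attrs in entries.items():
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "ipakrb5delegationacl" not in classes or proxy not in members(entries, dn):
            continue
        # ipaAllowToImpersonate absent: the proxy may impersonate *any* user.
        impersonate = attrs.get("ipaallowtoimpersonate", [])
        if impersonate and not any(user in members(entries, g) for g in impersonate):
            continue
        # A target must be explicitly listed: no ipaAllowedTarget, no grant.
        if any(target in members(entries, g) for g in attrs.get("ipaallowedtarget", [])):
            return dn
    return None


if __name__ == "__main__":
    db = parse_ldif(SAMPLE_LDIF)
    print(delegation_allowed(db, "HTTP/ipaserver.example.com@EXAMPLE.COM",
                             "admin@EXAMPLE.COM",
                             "ldap/ipaserver.example.com@EXAMPLE.COM"))
```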