Re: [Freeipa-devel] Management of the CS instances.

2011-06-18 Thread Simo Sorce
On Fri, 2011-06-17 at 18:59 -0400, Dmitri Pal wrote:
 Hi,
 
 Before we went too far with implementing the CS decoupling here is a
 stupid idea I have.
 
 We can proceed with the plans described in tickets:
 https://fedorahosted.org/freeipa/ticket/1250
 https://fedorahosted.org/freeipa/ticket/1251
 https://fedorahosted.org/freeipa/ticket/1252
 
 However what we can do is store the CS instance DM password encrypted in
 the main instance.
 Then the management utility (ticket 1250) would first have to fetch this
 encrypted attribute from the main instance.
 We would be able to define ACIs on it and use the kerberos
 authentication against the main instance instead of prompting user for
 the DM password.
 It is a little bit more work but much better and consistent user
 experience and administrative model. 
 
 What do you think?

This is something we can try I guess.
But in order to do something like that we will have to create a special
extend operation or add a special search control in the password-extop
plugin so that it can perform access control and decrypt the secret
before handing it back.

Although if we are going this route we could also see if we can use some
temporary token instead that allows access to the CS instance for a few
minutes w/o giving away the actual DM password.

I will think a bit how hard it would be.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] Management of the CS instances.

2011-06-18 Thread Simo Sorce
On Sat, 2011-06-18 at 11:18 -0400, Simo Sorce wrote:
 On Fri, 2011-06-17 at 18:59 -0400, Dmitri Pal wrote:
  Hi,
  
  Before we went too far with implementing the CS decoupling here is a
  stupid idea I have.
  
  We can proceed with the plans described in tickets:
  https://fedorahosted.org/freeipa/ticket/1250
  https://fedorahosted.org/freeipa/ticket/1251
  https://fedorahosted.org/freeipa/ticket/1252
  
  However what we can do is store the CS instance DM password encrypted in
  the main instance.
  Then the management utility (ticket 1250) would first have to fetch this
  encrypted attribute from the main instance.
  We would be able to define ACIs on it and use the kerberos
  authentication against the main instance instead of prompting user for
  the DM password.
  It is a little bit more work but much better and consistent user
  experience and administrative model. 
  
  What do you think?
 
 This is something we can try I guess.
 But in order to do something like that we will have to create a special
 extend operation or add a special search control in the password-extop
 plugin so that it can perform access control and decrypt the secret
 before handing it back.
 
 Although if we are going this route we could also see if we can use some
 temporary token instead that allows access to the CS instance for a few
 minutes w/o giving away the actual DM password.
 
 I will think a bit how hard it would be.

I have created ticket https://fedorahosted.org/freeipa/ticket/1353 to
capture this task.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York


Re: [Freeipa-devel] Management of the CS instances.

2011-06-17 Thread Adam Young

On 06/17/2011 06:59 PM, Dmitri Pal wrote:
 Hi,
 
 Before we went too far with implementing the CS decoupling here is a
 stupid idea I have.
 
 We can proceed with the plans described in tickets:
 https://fedorahosted.org/freeipa/ticket/1250
 https://fedorahosted.org/freeipa/ticket/1251
 https://fedorahosted.org/freeipa/ticket/1252
 
 However what we can do is store the CS instance DM password encrypted in
 the main instance.
 Then the management utility (ticket 1250) would first have to fetch this
 encrypted attribute from the main instance.
 We would be able to define ACIs on it and use the kerberos
 authentication against the main instance instead of prompting user for
 the DM password.
 It is a little bit more work but much better and consistent user
 experience and administrative model.

Makes sense at a first pass.  I haven't worked that deeply with the CS 
stuff to say for sure, but treating the IPA DS as canonical and thus 
giving it the keys to the kingdom seems to be the right call. It all 
depends on which (CS or IPA) you want to treat as the most critical to 
lock down.  I see nothing wrong with keeping IPA in that role.

 What do you think?
