Re: [Freeipa-users] HBAC rule refreshes and read-only slaves
On 06/08/2012 11:00 AM, Nathan Kinder wrote:
> On 06/08/2012 07:26 AM, Dmitri Pal wrote:
>> On 06/07/2012 09:22 PM, Cam McK wrote:
>>> Hello
>>>
>>> 2). We would also like to use FreeIPA in a trusted network but then
>>> have perhaps a read-only slave sitting in DMZ with the possibility
>>> of not containing the KDC or LDAP password stores on it, is this
>>> possible?
>>> (Basically authentication being done by a different PAM module, but
>>> pam_sss.so still allowing HBAC via the PAM 'account' directive.)
>>> Is it possible to have a 'regular' LDAP directory (in the DMZ) just
>>> slurping down the required LDAP info?
>>>
>> I suggest using an LDAP directory that can do proxy operations or
>> proxy authentications. You might consider 389 and sync in some user
>> accounts and groups while using PAM pass-through capabilities. I think
>> recent upstream versions of 389 made this configuration possible but
>> you need to check with them. #389 on freenode is your best bet.
>> OpenLDAP has some capabilities that might be of value here too.
> 389 can consult PAM to authenticate a user when performing an LDAP
> BIND operation. This would probably take care of the authentication
> piece of the puzzle.
>
> You would also need to use fractional replication to avoid replicating
> things like passwords or Kerberos related attributes to the DMZ LDAP
> server. Fractional replication can only trim out specific
> attributes. It does not allow you to select portions of the tree to
> replicate at the entry level. This would mean that all of your user
> accounts would need to be replicated out to the DMZ LDAP server, but
> you could trim sensitive attributes.
>>
>> I am not quite sure what you are trying to accomplish here so a bit
>> more details would be helpful.
> More details would definitely help. I don't think you can easily
> accomplish what you want right now. It could be possible with a lot
> of manual configuration of 389 on both the IPA and DMZ LDAP server
> sides, but I don't think anyone has set things up in this way with IPA
> before.
>
Yes, but you are definitely welcome to give it a try. We had in mind that such a request would emerge one day and would like to hear from you about your progress.

> -NGK
>>
>>> Many Thanks
>>> Campbell
>>>
>>> ___
>>> Freeipa-users mailing list
>>> Freeipa-users@redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] HBAC rule refreshes and read-only slaves
On 06/08/2012 07:26 AM, Dmitri Pal wrote:
> On 06/07/2012 09:22 PM, Cam McK wrote:
>> Hello
>>
>> 2). We would also like to use FreeIPA in a trusted network but then
>> have perhaps a read-only slave sitting in DMZ with the possibility
>> of not containing the KDC or LDAP password stores on it, is this
>> possible?
>> (Basically authentication being done by a different PAM module, but
>> pam_sss.so still allowing HBAC via the PAM 'account' directive.)
>> Is it possible to have a 'regular' LDAP directory (in the DMZ) just
>> slurping down the required LDAP info?
>>
> I suggest using an LDAP directory that can do proxy operations or
> proxy authentications. You might consider 389 and sync in some user
> accounts and groups while using PAM pass-through capabilities. I think
> recent upstream versions of 389 made this configuration possible but
> you need to check with them. #389 on freenode is your best bet.
> OpenLDAP has some capabilities that might be of value here too.

389 can consult PAM to authenticate a user when performing an LDAP BIND operation. This would probably take care of the authentication piece of the puzzle.

You would also need to use fractional replication to avoid replicating things like passwords or Kerberos related attributes to the DMZ LDAP server. Fractional replication can only trim out specific attributes. It does not allow you to select portions of the tree to replicate at the entry level. This would mean that all of your user accounts would need to be replicated out to the DMZ LDAP server, but you could trim sensitive attributes.

> I am not quite sure what you are trying to accomplish here so a bit
> more details would be helpful.

More details would definitely help. I don't think you can easily accomplish what you want right now. It could be possible with a lot of manual configuration of 389 on both the IPA and DMZ LDAP server sides, but I don't think anyone has set things up in this way with IPA before.

-NGK

>> Many Thanks
>> Campbell
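What the fractional replication setup Nathan describes looks like in 389 terms, as an added example that is not from this thread or from the FreeIPA project: a supplier-side agreement that excludes password and Kerberos key attributes, and the matching read-only consumer entry on the DMZ server. The suffix, hostnames, bind DN and the list of excluded attributes are assumptions; the attribute list in particular must be audited against the actual IPA schema before it is relied on.

```ldif
# Supplier side (the IPA 389 instance): agreement pushing the suffix to the
# DMZ consumer. Only attributes are trimmed; every entry under
# nsDS5ReplicaRoot still replicates, which is the limitation Nathan notes.
dn: cn=to-dmz-ldap,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
objectClass: top
objectClass: nsds5replicationagreement
cn: to-dmz-ldap
description: fractional agreement to the DMZ read-only consumer (assumed name)
nsDS5ReplicaRoot: dc=example,dc=com
nsDS5ReplicaHost: ldap-dmz.example.com
nsDS5ReplicaPort: 636
nsDS5ReplicaTransportInfo: SSL
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsDS5ReplicaBindMethod: SIMPLE
nsDS5ReplicaCredentials: REPLACE-WITH-REPLICATION-MANAGER-PASSWORD
# Attributes stripped from incremental updates. This list is an assumption:
# check the schema for every other attribute that carries a secret or key.
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE userPassword krbPrincipalKey krbMKey passwordHistory
# The same list must cover total (initialising) updates, otherwise the first
# online init ships exactly the secrets the incremental list excludes.
nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE userPassword krbPrincipalKey krbMKey passwordHistory

# Consumer side (plain 389 in the DMZ): read-only replica of the suffix,
# no changelog, accepting updates only from the replication manager.
dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
objectClass: top
objectClass: nsds5replica
cn: replica
nsDS5ReplicaRoot: dc=example,dc=com
nsDS5ReplicaType: 2
nsDS5ReplicaFlags: 0
nsDS5ReplicaId: 65535
nsDS5ReplicaBindDN: cn=replication manager,cn=config
```

After the first initialisation, a Directory Manager search on the DMZ server for `(|(userPassword=*)(krbPrincipalKey=*))` should return no entries; if it does, the total-update list was not applied before the init.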
Re: [Freeipa-users] HBAC rule refreshes and read-only slaves
On 06/07/2012 09:22 PM, Cam McK wrote:
> Hello
>
> 2). We would also like to use FreeIPA in a trusted network but then
> have perhaps a read-only slave sitting in DMZ with the possibility of
> not containing the KDC or LDAP password stores on it, is this possible?
> (Basically authentication being done by a different PAM module, but
> pam_sss.so still allowing HBAC via the PAM 'account' directive.)
> Is it possible to have a 'regular' LDAP directory (in the DMZ) just
> slurping down the required LDAP info?
>
I suggest using an LDAP directory that can do proxy operations or proxy authentications. You might consider 389 and sync in some user accounts and groups while using PAM pass-through capabilities. I think recent upstream versions of 389 made this configuration possible but you need to check with them. #389 on freenode is your best bet. OpenLDAP has some capabilities that might be of value here too.

I am not quite sure what you are trying to accomplish here so a bit more details would be helpful.

> Many Thanks
> Campbell

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] HBAC rule refreshes and read-only slaves
On Fri, Jun 08, 2012 at 11:22:59AM +1000, Cam McK wrote:
> Hello
>
> Thanks for an awesome product! I have two questions that I can't seem to
> find answers for...
>
> 1). How long is the delay between changing a HBAC rule and it coming into
> effect on the host machine?
> Currently this information only seems to be updated on the host after a
> 'service sssd reload/restart'; also, are the HBAC access rules stored
> within the LDAP directory?

That shouldn't be the case; in fact, the HBAC rules should be refreshed on each login. Maybe there's a misconfiguration on the client that makes it go online and then the rules are evaluated from the cache.

Can you raise the debug level in the domain section of sssd.conf, restart sssd and check for hbac-related debug messages in /var/log/sssd/sssd_$domain.log?
Re: [Freeipa-users] HBAC rule refreshes and read-only slaves
Hi,

1) HBAC update: I've never seen a delay, so it seems to be a few seconds, so I'm not sure why you need to restart sssd.

2) I also, I think, have asked on that. Not sure what you are aiming to achieve/mean with having no KDC / LDAP stores. I'd like a read-only slave capability for out in the DMZ... and possibly only export certain groups from the read/write out to the slave, but maybe I'm being overly paranoid, but I think AD 2008r2? can do that.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Cam McK [tom...@cam34.endjunk.com]
Sent: Friday, 8 June 2012 1:22 p.m.
To: freeipa-users@redhat.com
Subject: [Freeipa-users] HBAC rule refreshes and read-only slaves

Hello

Thanks for an awesome product! I have two questions that I can't seem to find answers for...

1). How long is the delay between changing a HBAC rule and it coming into effect on the host machine?
Currently this information only seems to be updated on the host after a 'service sssd reload/restart'; also, are the HBAC access rules stored within the LDAP directory?

2). We would also like to use FreeIPA in a trusted network but then have perhaps a read-only slave sitting in DMZ with the possibility of not containing the KDC or LDAP password stores on it, is this possible?
(Basically authentication being done by a different PAM module, but pam_sss.so still allowing HBAC via the PAM 'account' directive.)
Is it possible to have a 'regular' LDAP directory (in the DMZ) just slurping down the required LDAP info?

Many Thanks
Campbell