[Freeipa-devel] service record conundrum

Dmitri Pal dpal at redhat.com
Thu Dec 3 17:07:32 UTC 2009


Rob Crittenden wrote:
> Dmitri Pal wrote:
>> Rob Crittenden wrote:
>>> Here is sort of a tricky problem, need some advice (LONG).
>>>
>>> When we bootstrap an IPA server we create a number of principals for
>>> the server itself. We create a host/, HTTP/ and ldap/ principal using
>>> kadmin.local. By using kadmin.local this entry is put into
>>> cn=kerberos,dc=example,dc=com.
>>>
>>> This has the nice side effect of making these records not appear as
>>> service entries so they are unmodifiable by anyone, meaning an admin
>>> will have a really hard time hosing their server.
>>>
>>> The downside is that these records do not appear as service entries,
>>> so if you search for services on the IPA server you'll get nothing.
>>>
>>
>> How do we search? What base DN we use? One of the solutions might be to
>> install these principals as is and only later apply ipaService object
>> class to them so that the search for services would find them. Would be
>> a bit ugly since as far as I understand these services are in a
>> different location in the tree but this approach might be less painful
>> than LDIF and delete and add.
>> I hope that we will get the RDN renames pretty soon so that this would
>> not be an issue but it might not be soon enough for v2.
>>
>
> We search in the baseDN of the type of object it is, so cn=services,
> cn=computers, cn=users, etc.
>
> We also filter on the objectclasses that should be in that object.
>
> Searching in 2 places is possible just not something we currently do.
>
> I'm leaning towards moving the entries, more so since I haven't gotten
> any "that is the dumbest idea I've heard all week" responses :-)
>
> We store a list of the IPA masters in the DIT somewhere, I'll have to
> see if I can find a way to maintain protection of the principals using
> that.
>

Will it affect expectations of the KDC on where it searches for its entries?
Would we have to also update KDC DAL configuration to search the records
in a different place?

> rob


-- 
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
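The search behaviour the thread is about, as an added illustration that is not FreeIPA's own code: a miniature model of a subtree search scoped to one base DN with an objectclass filter, showing why principals created by kadmin.local under cn=kerberos are invisible to a search under cn=services, and what each option raised above (search two bases, add the ipaService class in place, or delete-and-add under cn=services) does to the result. All DNs, attribute values and class lists are constructed for the example; the real IPA DIT and schema differ in detail.

```python
# Added example (not FreeIPA's code): model a base-DN-scoped, objectclass-
# filtered search over a tiny constructed directory. DNs, object class lists
# and the DIT layout are assumptions for illustration only.

SUFFIX = "dc=example,dc=com"
SERVICES = f"cn=services,{SUFFIX}"
KERBEROS = f"cn=kerberos,{SUFFIX}"
REALM = "EXAMPLE.COM"


def _rdn_list(dn):
    """Split a DN into lower-cased RDNs (values here contain no escaped commas)."""
    return [part.strip().lower() for part in dn.split(",")]


def _principal_dn(principal, parent):
    return f"krbprincipalname={principal}@{REALM},{parent}"


def build_directory():
    """Constructed directory: one ordinary service under cn=services, and the
    server's own host/, HTTP/ and ldap/ principals as kadmin.local would leave
    them under cn=kerberos (Kerberos classes only, no ipaService)."""
    directory = {
        _principal_dn("HTTP/web.example.com", SERVICES): {
            "objectclass": ["krbprincipal", "krbprincipalaux", "ipaservice"],
        },
    }
    for svc in ("host", "HTTP", "ldap"):
        directory[_principal_dn(f"{svc}/ipa.example.com", KERBEROS)] = {
            "objectclass": ["krbprincipal", "krbprincipalaux"],
        }
    return directory


def in_subtree(dn, base):
    """True when `dn` is `base` itself or lies below it (subtree scope)."""
    dn_parts, base_parts = _rdn_list(dn), _rdn_list(base)
    return len(dn_parts) >= len(base_parts) and dn_parts[-len(base_parts):] == base_parts


def search(directory, base, objectclasses):
    """Subtree search under `base`, returning the DNs of entries that carry
    every class in `objectclasses` (the per-type base plus class filter)."""
    wanted = {c.lower() for c in objectclasses}
    return sorted(
        dn for dn, attrs in directory.items()
        if in_subtree(dn, base)
        and wanted <= {c.lower() for c in attrs["objectclass"]}
    )


def search_bases(directory, bases, objectclasses):
    """Option: run the same filtered search in more than one base."""
    hits = set()
    for base in bases:
        hits.update(search(directory, base, objectclasses))
    return sorted(hits)


def add_service_class(directory, dn):
    """Option: leave the entry where it is and add ipaService so the class
    filter matches; the search base must still cover cn=kerberos."""
    classes = directory[dn]["objectclass"]
    if "ipaservice" not in {c.lower() for c in classes}:
        classes.append("ipaservice")


def move_to_services(directory, dn):
    """Option: relocate the entry under cn=services. Without RDN rename
    support this is a delete plus an add of the same RDN under the new
    parent, i.e. the LDIF delete-and-add approach. Returns the new DN."""
    attrs = directory.pop(dn)
    rdn = dn.split(",", 1)[0]
    new_dn = f"{rdn},{SERVICES}"
    directory[new_dn] = attrs
    add_service_class(directory, new_dn)
    return new_dn


if __name__ == "__main__":
    d = build_directory()
    print("services only:", search(d, SERVICES, ["ipaservice"]))
    print("both bases, krbprincipal:", search_bases(d, [SERVICES, KERBEROS], ["krbprincipal"]))
```

Searching under cn=services with the ipaService filter finds only the web service; the three server principals are found only if the search also covers cn=kerberos and filters on a class they actually carry, or after they are given the class or moved.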
