[Freeipa-devel] WIP: ipa trust command

Rob Crittenden rcritten at redhat.com
Mon Dec 12 19:10:08 UTC 2011


Alexander Bokovoy wrote:
> Hi,
>
> I'm working on ticket #1821 to introduce FreeIPA 3.0 AD trusts
> management CLI and GUI. It is quite apparent that most of management
> commands will be similar to all future trust types (AD, IPA, etc),
> thus, it makes sense to develop a generalized `ipa trust' family of
> commands that would apply to all types of trusts.
>
> Let's start with CLI. Below is a first cut at how I see trust
> management command line interface. Comments, corrections, and critique
> are all welcomed.
>
> One of FreeIPA v3.0 major features will be support for cross-realm
> trusts with the emphasis on trusts to Active Directory domains. This
> document attempts to design a common interface for managing trusts
> with FreeIPA tools (command line and GUI).
>
> `ipa trust'
> ===========
>
> `ipa trust' is a common family of operations on trusts. Trusts can be:
>   * created (ipa trust-add)
>   * listed (ipa trust-find)
>   * viewed (ipa trust-show)
>   * removed (ipa trust-del)

modified?

>
> 1. Adding a trust
>
> `ipa trust-add' sets up a trust agreement with another realm. The
> command needs to know the realm of the trust being added, its
> administrator rights, and the type of the trust to establish.
>
> Proposed syntax:
> ipa trust-add <realm> --type ads|ipa|kerberos|etc --realmadmin <Name>
> --password <Value> [type-specific parameters]
>
> Creates a trust between FreeIPA realm and another realm of selected
> type. Only 'ads' type is currently supported.
>
> For the 'ads' type, running `ipa trust-add' would be equivalent to the
> following sequence:
>   * ipa-adtrust-install
>   * net rpc trust create

ipa-adtrust-install runs as root and needs to do things that the IPA 
server can't do.

> 2. Listing trusts
>
> `ipa trust-find' will show all trusts with other realms corresponding
> to certain criteria.
>
> Proposed syntax:
> ipa trust-find [CRITERIA] [options]
>
> where CRITERIA is tested against realms of existing trusts
>
> Options might include:
>   * --type ads|ipa|kerberos|etc -- type of the trust

ok

>
>
> 3. Viewing details of trust
>
> `ipa trust-show' exposes details of the established trust agreement
> with a specified realm.
>
> Proposed syntax:
> ipa trust-show <realm> [options]
>
> Details shown will depend on the type of trust, with the following
> information available for all trusts:
>   * realm name
>   * trust type

ok

>
> 4. Removal of existing trust
>
> `ipa trust-del' removes an existing trust agreement.
>
> 5. Access rights
>
> Trust management requires modification of the FreeIPA LDAP database
> instance and potentially external resources specific to the trust
> nature. cn=trusts,$SUFFIX is used as a container to store information
> about trusts, with containers inside it for different types of trusts.
>
> Currently FreeIPA 3.0 implements cn=ad,cn=trusts,$SUFFIX tree for
> Active Directory-related trusts.
>
> Trust management implies limited access which should be implemented
> with the help of 389-ds ACIs.
>
> In order to give users access to trust management, a group of trust
> administrators would be created; the ACI would then limit exposure of the
> cn=trusts,$SUFFIX tree to this group and to additional trust
> implementation-specific system users defined at cn=trusts,cn=sysaccounts,cn=etc,$SUFFIX.
>
> Currently AD trusts implement the following ACIs per trust:
> 1. Trust information:
>        (target = "ldap:///cn=$DOMAIN,cn=ad,cn=trusts,$SUFFIX")
>        (targetattr = "ipaNTTrustType || ipaNTTrustAttributes ||
>                       ipaNTTrustDirection ||
>                       ipaNTTrustPartner || ipaNTFlatName ||
>                       ipaNTTrustAuthOutgoing ||
>                       ipaNTTrustAuthIncoming ||
>                       ipaNTSecurityIdentifier ||
>                       ipaNTTrustForestTrustInfo ||
>                       ipaNTTrustPosixOffset ||
>                       ipaNTSupportedEncryptionTypes")
>        (version 3.0;acl "Allow samba user to create and delete trust accounts";
>           allow (write,add,delete) userdn = "ldap:///$SAMBA_USER_DN";)
>
> 2. NT Passwords:
>        (targetattr = "ipaNTHash")
>        (version 3.0; acl "Samba user can read NT passwords";
>           allow (read) userdn="ldap:///$SAMBA_USER_DN";)
>
> where $SAMBA_USER_DN is the DN of a special user defined at
> uid=samba,cn=sysaccounts,cn=etc,$SUFFIX for the purpose of reading the
> ipaNTHash attribute (NT passwords) of existing users and accessing
> trust information from the ipa-sam database plugin for Samba.
>
> The current approach requires creating a separate ACI for each trust and
> using the same system user account for all of them. As a consequence,
> ACIs are added during trust creation and require Directory Manager
> privileges, which should be discouraged for the 'ipa trust' set of
> commands.
>
> Instead, a macro ACI could be created that would allow access to the trust information
> based on part of the DN of the system user:
>
> uid=<user name>,cn=<trust type>,cn=trusts,cn=sysaccounts,cn=etc,$SUFFIX
>
> which for AD trusts would be
>
> uid=samba,cn=ad,cn=trusts,cn=sysaccounts,cn=etc,$SUFFIX
>
> and the ACI would be modified to have the following allow stanza:
>
>       (target = "ldap:///($dn),cn=trusts,$SUFFIX")
>       (targetattr = "ipaNTTrustType || ipaNTTrustAttributes ||
>                      ipaNTTrustDirection ||
>                      ipaNTTrustPartner || ipaNTFlatName ||
>                      ipaNTTrustAuthOutgoing ||
>                      ipaNTTrustAuthIncoming ||
>                      ipaNTSecurityIdentifier ||
>                      ipaNTTrustForestTrustInfo ||
>                      ipaNTTrustPosixOffset ||
>                      ipaNTSupportedEncryptionTypes")
>       (version 3.0;acl "Allow trust system user to create and delete trust accounts";
>           allow (write,add,delete) userdn="ldap:///uid=*,($dn),cn=trusts,cn=sysaccounts,cn=etc,$SUFFIX";)
>
>       (targetattr = "ipaNTHash")
>       (version 3.0; acl "Samba user can read NT passwords";
>           allow (read) userdn="ldap:///uid=*,cn=ad,cn=trusts,cn=sysaccounts,cn=etc,$SUFFIX";)
>
> And trust admins ACI:
>
>       (target = "ldap:///cn=trusts,$SUFFIX")
>       (targetattr = "*")
>       (version 3.0; acl "Trust management";
>           allow (all) groupdn="ldap:///cn=trust admins,cn=groups,cn=accounts,$SUFFIX";)
>
>
> This approach would allow us to have a single ACI macro for system
> accounts of all types of trusts for all realms and then a single ACI
> per trust type.
>
> Macro ACIs are explained at
> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Access_Control-Advanced_Access_Control_Using_Macro_ACIs.html
>
>

ack on aci
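The macro ACI proposed above stands or falls on how ($dn) is substituted from the target into the subject. The following is an added example, not code from this thread or from FreeIPA: a small offline evaluator of the documented 389-ds / Red Hat Directory Server macro rules, with ($dn) in the subject replaced by the whole value matched in the target, and the [$dn] form tried with the leftmost RDN dropped each round. It is used here to check the proposed patterns against constructed DNs: the suffix, the per-type system account, a hypothetical ipa-type account, and an AD trust entry are all made up for the illustration, and DNs are compared after lowercasing and trimming whitespace around commas rather than with full RFC 4514 normalisation. The runs show that with exact ($dn) the per-type account at uid=samba,cn=ad,... matches the cn=ad type container but not an entry beneath it, whereas the climbing [$dn] variant covers both, and that an account under a different trust type is still kept out.

```python
# Added example, not code from the thread or from FreeIPA: a small evaluator for
# the ($dn) / [$dn] macro-ACI matching that the proposal relies on, so the
# effect of the proposed target and subject patterns can be checked offline.
# Assumptions: DNs are compared after lowercasing and stripping whitespace
# around commas (no full RFC 4514 normalisation); the sample suffix, trust
# entries and account DNs below are constructed for illustration.
import re

SUFFIX = "dc=example,dc=com"  # constructed sample suffix standing in for $SUFFIX

# Patterns from the proposal (with $SUFFIX filled in) plus the [$dn] variant.
TARGET = "ldap:///($dn),cn=trusts," + SUFFIX
SUBJECT_EXACT = "ldap:///uid=*,($dn),cn=trusts,cn=sysaccounts,cn=etc," + SUFFIX
SUBJECT_CLIMB = "ldap:///uid=*,[$dn],cn=trusts,cn=sysaccounts,cn=etc," + SUFFIX

# Constructed DNs (hypothetical; only the samba account path comes from the proposal).
SAMBA_USER = "uid=samba,cn=ad,cn=trusts,cn=sysaccounts,cn=etc," + SUFFIX
IPA_TRUST_USER = "uid=ipatrust,cn=ipa,cn=trusts,cn=sysaccounts,cn=etc," + SUFFIX
AD_CONTAINER = "cn=ad,cn=trusts," + SUFFIX
AD_TRUST_ENTRY = "cn=ad.example.com,cn=ad,cn=trusts," + SUFFIX


def norm(dn):
    """Lowercase, drop an ldap:/// prefix and whitespace around commas."""
    if dn.startswith("ldap:///"):
        dn = dn[len("ldap:///"):]
    return ",".join(part.strip() for part in dn.lower().split(","))


def match_target(target, entry_dn):
    """Return the part of entry_dn that ($dn) in the target pattern binds to,
    or None when the entry is not covered by the target at all."""
    t, e = norm(target), norm(entry_dn)
    if "($dn)" not in t:
        raise ValueError("target pattern has no ($dn) macro")
    before, after = t.split("($dn)", 1)
    if not e.startswith(before) or not e.endswith(after):
        return None
    matched = e[len(before):len(e) - len(after)]
    # The macro must bind at least one whole RDN.
    return matched or None


def subject_candidates(subject, matched):
    """($dn) in a subject is replaced by the whole matched value.
    [$dn] is tried with the whole value, then with the leftmost RDN dropped
    each time until one RDN is left (documented 389-ds behaviour)."""
    s = norm(subject)
    if "($dn)" in s:
        return [s.replace("($dn)", matched)]
    if "[$dn]" in s:
        parts = matched.split(",")
        return [s.replace("[$dn]", ",".join(parts[i:])) for i in range(len(parts))]
    return [s]


def bind_matches(bind_dn, candidate):
    """Compare a bind DN with an expanded subject; '*' matches one RDN value."""
    pattern = re.escape(candidate).replace(r"\*", "[^,]*")
    return re.fullmatch(pattern, norm(bind_dn)) is not None


def aci_allows(target, subject, entry_dn, bind_dn):
    """True when the macro ACI's target covers entry_dn and its subject,
    after macro substitution, matches bind_dn."""
    matched = match_target(target, entry_dn)
    if matched is None:
        return False
    return any(bind_matches(bind_dn, c) for c in subject_candidates(subject, matched))


if __name__ == "__main__":
    for label, subject, entry, who in [
        ("exact ($dn), type container, samba user", SUBJECT_EXACT, AD_CONTAINER, SAMBA_USER),
        ("exact ($dn), per-trust entry, samba user", SUBJECT_EXACT, AD_TRUST_ENTRY, SAMBA_USER),
        ("climbing [$dn], per-trust entry, samba user", SUBJECT_CLIMB, AD_TRUST_ENTRY, SAMBA_USER),
        ("climbing [$dn], AD entry, ipa-type user", SUBJECT_CLIMB, AD_TRUST_ENTRY, IPA_TRUST_USER),
    ]:
        print(f"{label}: {aci_allows(TARGET, subject, entry, who)}")
```

The practical point for review is the second and third runs: if the per-trust entries are to be written by a system account that lives one level up (per trust type rather than per trust), the subject needs the [$dn] form, or the account must sit under a container whose RDN sequence equals the whole matched value; either way the evaluator makes the choice visible before the ACI is installed.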



