[Freeipa-devel] Adding a new DNA plugin configuration in IPAv3

Sumit Bose sbose at redhat.com
Tue Jan 31 11:45:31 UTC 2012


Hi,

for the IPAv3 trust feature we have to add the objectclass
ipaNTUserAttrs/ipaNTGroupAttrs to every user/group which should be
visible on the Windows side of the trust. The only MUST attribute of
both objectclasses is ipaNTSecurityIdentifier, the SID of the user or
group. We would like to manage the SIDs with the DNA plugin since they
have to be unique in the IPA domain.

The trust support will typically be added to a running IPA domain,
because we do not plan to install it by default and we have to consider
updated v2 environments as well. So the question arises what is the most
preferred way to add a DNA configuration to an existing Directory Server
setup with replication.

Nathan suggested to create the configuration with the full range on the
first master, configure the other masters with no available values
and let the DNA plugin transfer the ranges between the masters.

This will lead to the following steps:

1. Check if there are already shared configuration entries in
   cn=sids,cn=dna,cn=ipa,cn=etc,$SUFFIX

2a. if not, we can create the initial configuration on the current
    master:

dn: cn=SIDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
changetype: add
objectclass: top
objectclass: extensibleObject
cn: SIDs
dnaType: ipaNTSecurityIdentifier
dnaNextValue: 1000
dnaMaxValue: eval($SIDMAX)    # Maybe 200k ?
dnaMagicRegen: 999
dnaFilter: (|(objectclass=ipaNTUserAttrs)(objectClass=ipaNTGroupAttrs))
dnaScope: $SUFFIX
dnaThreshold: 500
dnaSharedCfgDN: cn=sids,cn=dna,cn=ipa,cn=etc,$SUFFIX

3a. Add ipaNTUserAttrs/ipaNTGroupAttrs to all users/groups with
    ipaNTSecurityIdentifier=999 on the current master

4a. Done on the first master

2b. if there are already entries, we can create the configuration for an
    additional master:

dn: cn=SIDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
changetype: add
objectclass: top
objectclass: extensibleObject
cn: SIDs
dnaType: ipaNTSecurityIdentifier
dnaNextValue: 1101
dnaMaxValue: 1100
dnaMagicRegen: 999
dnaFilter: (|(objectclass=ipaNTUserAttrs)(objectClass=ipaNTGroupAttrs))
dnaScope: $SUFFIX
dnaThreshold: 500
dnaSharedCfgDN: cn=sids,cn=dna,cn=ipa,cn=etc,$SUFFIX

3b. Done on the additional master, the DNA plugin will sort out the rest



Do these steps make sense?

Is it necessary to add a lock to prevent a race condition between step 1
and 2a, i.e. two admins try to prepare IPA for trusts independently at
the same time?

Do I understand it correctly that if dnaMaxValue is set to e.g. 2^32 on
the first master, the range on the second master will start at 2^31? So
the usage of the full range will be quite sparse if dnaMaxValue is set
too high.

Step 3a on the first master might need some time to finish. Is it
necessary to set some kind of lock to prevent the configuration of the
DNA plugin on other masters while this task is running or is it safe to
add another master at any time?

Are there other ways to introduce the DNA configuration? Nathan
suggested also that the ranges can be configured manually without
overlap, but if possible I would prefer the automatic way.

Thank you for your help.

bye,
Sumit
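
The procedure from steps 1 to 2b above, written out as an added example that is not part of the post and not FreeIPA or 389 Directory Server code. It does not talk to a directory server: the result of the step 1 search is passed in as a constructed list of DNs, and the function picks the first-master or additional-master LDIF from it. The `split_range` model of a range transfer (donor keeps the lower half of its unused values, requester gets the upper half) is an assumption written down only to show the effect of a large dnaMaxValue that the post asks about; it is not the plugin's exact algorithm. The suffix `dc=example,dc=test` and the hostname in the sample shared-config DN are constructed.

```python
"""Build the DNA plugin configuration LDIF for SID assignment on an IPA
master, choosing the first-master or additional-master variant from the
state of the shared configuration container (steps 1, 2a, 2b of the post).

Added example; not FreeIPA or 389 DS code.  Nothing here contacts LDAP.
"""
from typing import Dict, List, Tuple

# Values taken from the proposal in the post
DNA_CONFIG_DN = "cn=SIDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config"
DNA_TYPE = "ipaNTSecurityIdentifier"
DNA_FILTER = "(|(objectclass=ipaNTUserAttrs)(objectClass=ipaNTGroupAttrs))"
MAGIC_REGEN = 999          # entries are created with this value and get a real SID
THRESHOLD = 500
FIRST_NEXT_VALUE = 1000    # first master starts handing out SIDs here
# Empty range for an additional master: dnaNextValue is one past dnaMaxValue,
# so this master owns no values and has to obtain a range from a peer.
EMPTY_RANGE = (1101, 1100)


def shared_cfg_dn(suffix: str) -> str:
    return f"cn=sids,cn=dna,cn=ipa,cn=etc,{suffix}"


def has_shared_config(entry_dns: List[str], suffix: str) -> bool:
    """Step 1: is there already a shared-config entry below the container?

    entry_dns stands in for the DNs an ldapsearch would return.  The container
    itself does not count, only children below it; matching is
    case-insensitive because DNs are.
    """
    base = "," + shared_cfg_dn(suffix).lower()
    return any(dn.lower().endswith(base) for dn in entry_dns)


def build_dna_config(suffix: str, existing_dns: List[str], sid_max: int) -> str:
    """Steps 2a/2b: emit the LDIF for this master, chosen from the step 1 result."""
    if has_shared_config(existing_dns, suffix):
        next_value, max_value = EMPTY_RANGE                 # 2b: additional master
    else:
        next_value, max_value = FIRST_NEXT_VALUE, sid_max   # 2a: first master
    lines = [
        f"dn: {DNA_CONFIG_DN}",
        "changetype: add",
        "objectclass: top",
        "objectclass: extensibleObject",
        "cn: SIDs",
        f"dnaType: {DNA_TYPE}",
        f"dnaNextValue: {next_value}",
        f"dnaMaxValue: {max_value}",
        f"dnaMagicRegen: {MAGIC_REGEN}",
        f"dnaFilter: {DNA_FILTER}",
        f"dnaScope: {suffix}",
        f"dnaThreshold: {THRESHOLD}",
        f"dnaSharedCfgDN: {shared_cfg_dn(suffix)}",
    ]
    return "\n".join(lines) + "\n"


def parse_ldif_entry(ldif: str) -> Dict[str, List[str]]:
    """Minimal reader for a single LDIF entry (no line folding, no base64)."""
    out: Dict[str, List[str]] = {}
    for line in ldif.splitlines():
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(": ")
        out.setdefault(key, []).append(value)
    return out


def split_range(next_value: int, max_value: int) -> Tuple[int, int, int, int]:
    """Assumed model of a range transfer: the donor keeps the lower half of
    its unused values and hands the upper half to the requester.

    Returns (donor_next, donor_max, peer_next, peer_max).  With dnaMaxValue
    near 2**32 the peer's range starts near 2**31, which is the sparse use of
    the range the post asks about.
    """
    if next_value > max_value:
        raise ValueError("no values left to share")
    remaining = max_value - next_value + 1
    peer_next = next_value + remaining // 2
    return next_value, peer_next - 1, peer_next, max_value


if __name__ == "__main__":
    suffix = "dc=example,dc=test"   # constructed
    print(build_dna_config(suffix, [], 200000))
    peer = [f"dnaHostname=ipa1.example.test+dnaPortNum=389,{shared_cfg_dn(suffix)}"]
    print(build_dna_config(suffix, peer, 200000))
    print(split_range(1000, 2**32))
```

The second master's config deliberately has dnaNextValue greater than dnaMaxValue, which is what makes the plugin ask a peer for values; note that an empty container with no children is treated as "no shared config yet", so the first master would still be configured with the full range in that case.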
