[Freeipa-devel] [RFE] Configurable SID Blacklists

Martin Kosek mkosek at redhat.com
Tue Feb 5 16:25:55 UTC 2013


Hello,

below is a design page for ticket https://fedorahosted.org/freeipa/ticket/3289:

http://www.freeipa.org/page/V3/Configurable_SID_Blacklists

There is one question in the text.

Martin

-----------------------------------------------------------------------------

= Overview =

Related tickets:
* [https://fedorahosted.org/freeipa/ticket/3289 3289: Make SID checks for
MS-PAC filter configurable]
* [https://fedorahosted.org/freeipa/ticket/3231 3231: Need to relax MS-PAC checks]

Microsoft Windows 2012 slightly changed what it sends in the MS-PAC, and it
sends a special SID in the ExtraSids buffer. We used to not accept this MS-PAC
and raised a validation error, but ticket
[https://fedorahosted.org/freeipa/ticket/3231 3231] introduced a static list of
SIDs that are filtered and excluded from the MS-PAC to avoid this error. The
target of this RFE is to store this list in LDAP so that the administrator can
change the list and add or remove SIDs to filter.

= Use Cases =

A Windows 2012 user from a trusted AD domain tries to authenticate to the IPA
domain, but his ticket is refused due to the MS-PAC check. The administrator may
want to extend the default list of SIDs so that the colliding SID is filtered.

= Design =

== Configuration granularity ==
SID blacklist should be configured per-trust. Administrator should be able to
configure a blacklist for both ''incoming'' MS-PAC (i.e. authentication from a
trusted domain to IPA domain) and ''outgoing'' MS-PAC (i.e. for transitive
authentication of a user from IPA trusted domain trying to authenticate to
other domain trusted by IPA, but which is not trusted directly by this domain).

== Schema updates ==
The feature will introduce 2 new ''attributeTypes'' which will be added to the
''MAY'' list of the ''ipaNTTrustedDomain'' object class:

 attributetypes: ( 2.16.840.1.113730.3.8.11.38 NAME 'ipaNTSIDBlacklistIncoming'
  DESC 'Extra SIDs filtered out from incoming MS-PAC'
  EQUALITY caseIgnoreIA5Match
  SUBSTR caseIgnoreIA5SubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'IPA v3' )
 attributetypes: ( 2.16.840.1.113730.3.8.11.39 NAME 'ipaNTSIDBlacklistOutgoing'
  DESC 'Extra SIDs filtered out from outgoing MS-PAC'
  EQUALITY caseIgnoreIA5Match
  SUBSTR caseIgnoreIA5SubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'IPA v3' )

== ipa-kdb Changes ==
Currently, ipa-kdb uses <tt>mspac_well_known_sids</tt> static list of SIDs to
filter SIDs from MS-PAC. Changes:
* <tt>struct ipadb_mspac</tt> will be changed:
** <tt>well_known_sids</tt> will be renamed to <tt>sid_blacklist_incoming</tt>
** new <tt>sid_blacklist_outgoing</tt> will be added
* <tt>ipadb_mspac_fill_well_known_sids</tt> function will be updated to read
these new attributes from LDAP and, if it finds them, it will fill
their values into <tt>mspac->sid_blacklist_incoming</tt> or
<tt>mspac->sid_blacklist_outgoing</tt> respectively. If the attributes for the
trust are missing, it will use the default value in <tt>mspac_well_known_sids</tt>.
* Note that <tt>mspac->sid_blacklist_outgoing</tt> '''will be unused''' until
the transitive trusts functionality is implemented.

These new attributes should not cause high LDAP load, as
<tt>ipadb_reinit_mspac</tt> is run at most once per minute.
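The per-trust lookup with fallback to the built-in list, and the filtering of the ExtraSids buffer against the resolved blacklist, as an added illustration that is not ipa-kdb code: the default list, the per-trust attribute values and the ExtraSids are constructed sample values, not the real <tt>mspac_well_known_sids</tt> contents.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Sample default list standing in for mspac_well_known_sids (constructed
 * for this example; the real list lives in ipa_kdb_mspac.c). */
static const char *default_blacklist[] = { "S-1-1-0", "S-1-5-32-544", NULL };

/* Per-trust values as they would be read from ipaNTSIDBlacklistIncoming
 * (constructed sample). A NULL list means the attribute is absent. */
static const char *trust_blacklist[] = { "S-1-1-0", "S-1-18-1", NULL };

/* Use the per-trust list when the LDAP attribute was present, otherwise the
 * built-in default, mirroring the fallback described for
 * ipadb_mspac_fill_well_known_sids. */
const char **resolve_blacklist(const char **from_ldap)
{
    return from_ldap ? from_ldap : default_blacklist;
}

/* SIDs are compared case-insensitively, matching caseIgnoreIA5Match. */
static int sid_blacklisted(const char *sid, const char **blacklist)
{
    for (size_t i = 0; blacklist[i] != NULL; i++)
        if (strcasecmp(sid, blacklist[i]) == 0) return 1;
    return 0;
}

/* Copy the ExtraSids that survive filtering into out[] (room for n entries)
 * and return how many were kept. */
size_t filter_extra_sids(const char **extra, size_t n,
                         const char **blacklist, const char **out)
{
    size_t kept = 0;
    for (size_t i = 0; i < n; i++)
        if (!sid_blacklisted(extra[i], blacklist)) out[kept++] = extra[i];
    return kept;
}

/* Filter a constructed ExtraSids buffer with the per-trust list (1) or the
 * default fallback (0); returns the number of SIDs kept. */
size_t demo_kept_count(int use_trust_list)
{
    const char *extra[] = { "S-1-18-1", "S-1-5-21-1-2-3-1105", "S-1-1-0" };
    const char *out[3];
    const char **bl = resolve_blacklist(use_trust_list ? trust_blacklist : NULL);
    size_t n = filter_extra_sids(extra, 3, bl, out);
    for (size_t i = 0; i < n; i++) printf("kept %s\n", out[i]);
    return n;
}
```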

= Implementation =

N/A

= Feature Management =

=== UI ===

UI will need to allow updating these new attributes in ''Settings'' tab in
''IPA Server'' -> ''Trusts'' section.

=== CLI ===

CLI should allow editing of these new attributes. They should not be displayed
by default in ''trust-show'' or ''trust-find'' command, but only with ''--all''
option to keep clarity of trust entries in these commands.

= Major configuration options and enablement =

N/A

= Replication =

New attributes will be replicated.

= Updates and Upgrades =

The 2 new ''attributeTypes'' will be added and one ''ipaNTTrustedDomain''
object class will be updated.

'''QUESTION''': We can either fill ''ipaNTSIDBlacklistIncoming'' and
''ipaNTSIDBlacklistOutgoing'' for all current trusts during updates or fill
them only for re-established and new trusts. The latter would avoid an
unnecessary update plugin.

The prefilled list should be equal to <tt>mspac_well_known_sids</tt> list in
<tt>ipa_kdb_mspac.c</tt>.

= Dependencies =

N/A

= External Impact =

N/A
