[Freeipa-devel] More types of replicas in FreeIPA

Ondrej Hamada ondrej at hamada.cz
Fri Feb 15 23:39:46 UTC 2013 

Dne 13.2.2013 20:10, Simo Sorce napsal(a):
> On Wed, 2013-02-13 at 19:34 +0100, Ondrej Hamada wrote:
>> Dne 13.2.2013 14:36, Simo Sorce napsal(a):
>>> On Tue, 2013-02-12 at 19:30 -0500, Dmitri Pal wrote:
>>>
>>>> It looks like thinks are starting to boil down to building a Kerberos proxy.
>>>> Is this something that fits within your thesis agenda Ondra?
>>> I guess that's for Ondrej to say, if it is too much we can simply start
>>> working on the LDAP/replication side with rekeying and what not, and
>>> deal with the KDC part at a later time.
>>>
>>> Simo.
>>>
>> Working on the LDAP/repl side fits the thesis agenda better, so I would
>> like to go that way.
>>
>> Rekeying - do you mean some sort of plugin for transporting the krb keys
>> from masters to consumers?
>>
>> Besides securing transport of keys what else should be done in ldap?
>> I've only partial replication in my mind - I mean replication of entries
>> selected by some kind of ldap filters.
> We would need to re-encrypt keys so that we do not need to hand off to
> remote KDCs the same master key.
> This way a compromise in a branch office replica would not compromise
> the central infrastructure, but only affect the remote branch.
>
> Simo.
>
Just a small summary from IRC chat:
Master servers must posses all RO replicas master keys in order to able 
to re-encrypt the keys. Probably replica long-term key (or any other key 
known only to replica) could be used.

If the hubs are used, then they must also posses the RO replicas keys. 
Under such circumstances the compromised hub is almost the same threat 
as compromised master. Additionally the hub does not bring much 
functionality we can not supply by master server. So it seems as a 
better idea to don't create special hub replicas and use the master 
server instead (just don't expose it to clients).


As a next step I'm going to look at the ipa password plugin for dirsrv - 
do you think it is a good source of inspiration for the rekeying plugin?

More information about the Freeipa-devel mailing list