[Freeipa-devel] LDAPI + autobind instead of Kerberos (for named)?

Alexander Bokovoy abokovoy at redhat.com
Thu Jun 19 09:02:52 UTC 2014


On Thu, 19 Jun 2014, Petr Spacek wrote:
>Hello list,
>
>the thread "named's LDAP connection hangs" on freeipa-users list [1] 
>opened question "Why do we use Kerberos for named<->DS connection? 
>Named connects over LDAPI to local DS instance anyway."
>
>Maybe we can get rid of Kerberos for this particular connection and 
>use autobind instead. It would make it more reliable and effective.
>
>As a side effect, named will be able to start even if KDC is down for 
>some reason. It partially solves chicken-egg problem during IPA 
>start-up.
>
>I wasn't around when bind-dyndb-ldap was designed so I don't know 
>historical reasons.
My primary worry is the fact that any break in named/bind-dyndb-ldap
could be then exploited to have access to all key material. In the case of
GSSAPI you are confined to whatever ACIs allow for dns/ principal.

Samba case goes further -- I specifically added GSSAPI bind to the Samba
LDAP code to allow splitting DCs and file servers while being able
to use the same ipasam module securely, in addition to the usual
ACI limitations.

For named what we could do is to have named+ldapi:// access mapped to
specific DN uidNumber=<named>+gidNumber=<named>,cn=peercred,cn=external,cn=auth
achieving essentially the same thing, if we would use 

   dn: cn=config
   nsslapd-ldapimaptoentries: on
   nsslapd-ldapiuidnumbertype: uidNumber
   nsslapd-ldapigidnumbertype: gidNumber
   nsslapd-ldapientrysearchbase: cn=accounts,$SUFFIX

and

   dn: krbprincipalname=dns/$master@$REALM,cn=services,cn=accounts,$SUFFIX
   uidNumber: <uid for named>
   gidNumber: <gid for named>

and then define ACIs equal to what we have for DNS service now.

There is an issue of uid/gid being different on different platforms,
though, but it is doable.
-- 
/ Alexander Bokovoy
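A check for the LDAPI autobind mapping described above, added here as an example and not code from the thread or from FreeIPA: it binds as the named user over LDAPI with SASL EXTERNAL and classifies the DN the server reports, so you can tell whether nsslapd-ldapimaptoentries actually mapped the peercred identity to the dns/ service entry (and hence whether that entry's ACIs apply). The socket path, search base and the existence of a local `named` user are assumptions to adjust.

```shell
#!/bin/sh
# Added example, not part of the original thread. Assumes OpenLDAP client
# tools (ldapwhoami), util-linux runuser, and the 389-DS LDAPI socket path
# below (instance name is a placeholder; adjust to your deployment).
LDAPI_URL="${LDAPI_URL:-ldapi://%2Fvar%2Frun%2Fslapd-EXAMPLE-COM.socket}"
SEARCH_BASE="${SEARCH_BASE:-cn=accounts,dc=example,dc=com}"

# classify_autobind_dn DN SEARCH_BASE
# Prints one of:
#   anonymous - empty DN: SASL EXTERNAL did not bind at all
#   peercred  - generic uidNumber=..+gidNumber=..,cn=peercred,... identity;
#               nsslapd-ldapimaptoentries is off or no entry under the
#               search base carries the named uid/gid, so no service ACIs
#               apply to this bind
#   entry     - bound as a real entry under SEARCH_BASE (e.g. the dns/
#               service), so the ACIs written for that entry apply
#   other     - anything else (e.g. a root DN mapping); investigate
classify_autobind_dn() {
    dn="$1"
    base="$2"
    case "$dn" in
        "") echo anonymous ;;
        uidNumber=*+gidNumber=*,cn=peercred,cn=external,cn=auth) echo peercred ;;
        *",$base") echo entry ;;
        *) echo other ;;
    esac
}

# named_autobind_dn: bind as the named user over LDAPI and print the DN the
# server reports, stripping the "dn: " prefix ldapwhoami prints.
named_autobind_dn() {
    runuser -u named -- ldapwhoami -Q -Y EXTERNAL -H "$LDAPI_URL" \
        | sed -n 's/^dn: //p'
}

# Live check only when explicitly requested, so the functions above can be
# sourced and exercised without touching a directory server.
if [ "${1:-}" = "--live" ]; then
    dn="$(named_autobind_dn)"
    printf '%s -> %s\n' "${dn:-<anonymous>}" \
        "$(classify_autobind_dn "$dn" "$SEARCH_BASE")"
fi
```

Run it as root with `--live` once before and once after enabling the cn=config attributes; the expected transition is from `peercred` to `entry`.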
