[Freeipa-devel] [PATCH] 0060 Ensure ipa-adtrust-install is run as admin user

Rob Crittenden rcritten at redhat.com
Tue Jul 17 17:38:21 UTC 2012


Alexander Bokovoy wrote:
> On Fri, 13 Jul 2012, Alexander Bokovoy wrote:
>> Hi,
>>
>> when adding AD trusts support, we need to ensure we have a valid Kerberos
>> ticket of a user from the 'admins' group, or otherwise the appropriate ACIs
>> will not be granted.
>>
>> This patch introduces a check for that. We already check if
>> ipa-adtrust-install is run by root so this complements existing checks.
>>
>> https://fedorahosted.org/freeipa/ticket/2815
> After discussing on IRC with Simo and Rob, we came to the conclusion that it
> is possible to switch to LDAPI and the autobind feature of dirsrv for
> authentication and remove the requirement for Directory Manager credentials
> altogether.
>
> Updated patch makes use of LDAPI + autobind under root privileges to map
> automatically to Directory Manager privileges in dirsrv. Additionally it
> ensures we have Kerberos credentials to fetch keytab with CIFS service
> key.
>
> Service._ldap_mod() is extended to switch to autobind when self.ldapi is
> set to True and we are running as root.
>
> For those interested in why ACIError is mapped to 'outdated Kerberos
> credentials' error message, this is because we'll get ACIError for 'ipa
> user-show <uid>' command when authenticated by the Kerberos credentials
> for <uid> in a default ccache only when Kerberos credentials are stale --
> either belong to a user that was removed or to a previous IPA install
> that was wiped before reinstalling. The latter is how I discovered
> this case. :)

I think that this should raise an exception if one tries to use ldapi, 
doesn't provide the DM password and is not root. Otherwise it won't 
authenticate at all.

In reality, I think all this service code always runs as root, so it may 
be a moot point, but this code is kinda convoluted.

rob
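The fail-closed check Rob asks for above, as an added example that is not part of this thread and not FreeIPA's own Service._ldap_mod() code: the function decides how an installer should bind to dirsrv. LDAPI as root selects SASL EXTERNAL (the autobind case, where dirsrv maps uid 0 to Directory Manager); a Directory Manager password file selects a simple bind; anything else raises instead of emitting an ldapmodify command that could not authenticate. The socket path, the `-y` password-file convention and the `ACIError` class are assumptions of this example.

```python
"""Added example (not FreeIPA code): pick a dirsrv bind method, failing closed."""
import os

# Constructed sample values; a real socket path depends on the dirsrv instance name.
LDAPI_SOCKET = "ldapi://%2fvar%2frun%2fslapd-EXAMPLE-TEST.socket"
LDAP_URI = "ldap://localhost:389"
DM_DN = "cn=Directory Manager"


class BindError(Exception):
    """Raised when no usable bind method exists, so nothing runs unauthenticated."""


class ACIError(Exception):
    """Stand-in for the ACI denial the thread describes (assumption, not IPA's class)."""


def choose_bind(ldapi, dm_password_file=None, euid=None):
    """Return (mode, ldapmodify argv) for the given environment.

    mode is "autobind" for LDAPI + root (SASL EXTERNAL; dirsrv autobind maps
    uid 0 to Directory Manager) or "simple" when a DM password file is given.
    The password travels via -y <file>, never on the command line, so it does
    not show up in the process list.
    """
    if euid is None:
        euid = os.geteuid() if hasattr(os, "geteuid") else -1
    if ldapi and euid == 0:
        return "autobind", ["ldapmodify", "-H", LDAPI_SOCKET, "-Y", "EXTERNAL"]
    if dm_password_file:
        uri = LDAPI_SOCKET if ldapi else LDAP_URI
        return "simple", ["ldapmodify", "-H", uri, "-x", "-D", DM_DN, "-y", dm_password_file]
    # Neither root-over-LDAPI nor DM credentials: refuse rather than silently
    # falling through to an anonymous or otherwise unauthenticated bind.
    raise BindError(
        "LDAPI autobind requires root and no Directory Manager password file "
        "was supplied; refusing to run ldapmodify unauthenticated")


def check_admin_identity(probe):
    """Run probe() (e.g. a 'user-show' of the ticket owner) and classify the result.

    An ACI denial on looking up one's own entry means the default ccache holds
    credentials for a principal the directory no longer knows (deleted user or
    a wiped-and-reinstalled IPA), which is the 'outdated Kerberos credentials'
    case from the thread.
    """
    try:
        probe()
    except ACIError:
        return "outdated Kerberos credentials: obtain a fresh ticket as an admin user"
    return "ok"


if __name__ == "__main__":
    print(choose_bind(True, None, euid=0))
    print(choose_bind(False, "/run/ipa/dm.pw", euid=1000))
    print(check_admin_identity(lambda: None))
```

Calling `choose_bind(True, None, euid=1000)` raises `BindError`, which is the behaviour Rob argues for: ldapi requested, no DM password, not root.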
