[Freeipa-devel] [PATCH 0072] Provide ipa-client-advise tool

Martin Kosek mkosek at redhat.com
Thu Jun 20 07:35:50 UTC 2013


On 06/20/2013 09:29 AM, Petr Spacek wrote:
> On 19.6.2013 20:56, Alexander Bokovoy wrote:
>> On Wed, 19 Jun 2013, Rob Crittenden wrote:
>>> Tomas Babej wrote:
>>>> [big snip]
>>>>
>>>> Providing new version which should address mentioned issues:
>>>>   - advice plugins now inherit directly from Plugin, initial approach
>>>> via Method class was abandoned
>>>>   - new Namespace api.Advice collects all the advice plugins
>>>>   - tool renamed to ipa-advise to express a more general use case
>>>>
>>>> Additional improvements:
>>>>   - keywords are now generated out of Advice class's name, where
>>>> underscores are replaced by hyphens
>>>>   - rewritten the example plugin in the docs, and provided more
>>>> information there
>>>>   - instead of --setup option to provide configuration, ipa-advise
>>>> takes one positional argument
>>>>   - renamed to ipa-advise
>>>>
>>>> Concerns:
>>>>   - man page might need more improvements
>>>>
>>>> I'll craft a design page for plugin authors, might be useful, even if
>>>> the info is in the package docs.
>>>>
>>>> -----------------------------------------------
>>>> Here's a little preview:
>>>>
>>>> [tbabej at vm-001 ~]$ sudo ipa-advise fedora-authconfig
>>>> ------------------------------------------------------------------------------------------------
>>>>
>>>>
>>>>
>>>> Authconfig instructions for configuring Fedora 18/19 client with IPA
>>>> server without use of SSSD.
>>>> ------------------------------------------------------------------------------------------------
>>>>
>>>>
>>>>
>>>> /sbin/authconfig --enableldap --ldapserver=vm-001.idm.com
>>>> --enablerfc2307bis --enablekrb5
>>>>
>>>> [tbabej at vm-001 ~]$ sudo ipa-advise fedora-authconfig4
>>>> invalid 'setup': No instructions are available for 'fedora_authconfig4'.
>>>> See the list of available configuration advices using the --list option.
>>>>
>>>> [tbabej at vm-001 ~]$ sudo ipa-advise
>>>> -------------------------
>>>> List of available advices
>>>> -------------------------
>>>>     fedora-authconfig : Authconfig instructions for configuring Fedora
>>>> 18/19 client with IPA server without use of SSSD.
>>>
>>> If it's just providing advise why does it need root access? Or is it
>>> expected to provide advise based on current configuration?
>> Exactly. Getting ranges, configured trusts, etc. Not all of that
>> information may be available under non-privileged account, especially if
>> somebody would decide to plug in advices for backup or CA
>> handling/configuration of advanced features.
> 
> I think that ipa-advise should not require root access *implicitly*. It would
> prevent lower-level admins from using the ipa-advise tool.
> 
> IMHO plugins should try to get required information and print an 'Insufficient
> access rights, try it again as root/admin' error when appropriate.
> 
> As a result, basic 'advices' (like recommended client configuration) will be
> accessible to anybody and special 'advices' (something related to AD trusts etc.)
> will be accessible only to admins.

+1

I think the reason why Tomas did it as root was that he can then autobind to
the DS. But he could easily operate in 2 modes, similarly to ipa-ldap-updater,
and simply just auth with GSSAPI when he is not logged in as root.

Martin
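As an added sketch of the two-mode design Petr and Martin describe above (illustrative code, not FreeIPA's own): root binds via LDAPI autobind, anyone else uses their Kerberos ticket over GSSAPI, advice keywords come from the class name with underscores turned into hyphens, and an advice that cannot read admin-only data reports the "insufficient access rights" error instead of the tool demanding root up front. The directory connection and its entries are a constructed stand-in.

```python
import os

class InsufficientAccess(Exception):
    """Stand-in for an LDAP insufficientAccessRights result."""

class DirectoryConn:
    """Constructed stand-in for the IPA directory: root (LDAPI autobind) and
    admins may read everything, other principals only public entries."""
    PUBLIC = {"cn=ipaconfig": {"ipaserver": "vm-001.idm.com"}}
    ADMIN_ONLY = {"cn=ranges": {"base_id": 1000000, "size": 200000}}

    def __init__(self, mode, principal=None):
        self.privileged = mode == "ldapi-autobind" or principal == "admin"

    def read(self, dn):
        if dn in self.PUBLIC:
            return self.PUBLIC[dn]
        if dn in self.ADMIN_ONLY and self.privileged:
            return self.ADMIN_ONLY[dn]
        raise InsufficientAccess(dn)

def bind_mode(euid=None):
    """root autobinds over LDAPI; anyone else presents a Kerberos ticket."""
    euid = os.geteuid() if euid is None else euid
    return "ldapi-autobind" if euid == 0 else "gssapi"

def keyword(cls):
    """Advice keyword from the class name: lowercase, underscores to hyphens."""
    return cls.__name__.lower().replace("_", "-")

class Fedora_Authconfig:
    def instructions(self, conn):
        srv = conn.read("cn=ipaconfig")["ipaserver"]
        return "/sbin/authconfig --enableldap --ldapserver=%s --enablerfc2307bis --enablekrb5" % srv

class Ad_Trust_Ranges:
    def instructions(self, conn):   # needs data only admins can read
        r = conn.read("cn=ranges")
        return "ID range starts at %d (size %d)" % (r["base_id"], r["size"])

ADVICES = {keyword(c): c for c in (Fedora_Authconfig, Ad_Trust_Ranges)}

def run(setup, euid, principal=None):
    """Return (exit code, text) as the CLI would, without requiring root."""
    if setup not in ADVICES:
        return 1, "invalid 'setup': No instructions are available for '%s'." % setup
    conn = DirectoryConn(bind_mode(euid), principal)
    try:
        return 0, ADVICES[setup]().instructions(conn)
    except InsufficientAccess:
        return 1, "Insufficient access rights, try it again as root/admin"
```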