[Freeipa-devel] [RFC] Serving legacy systems cliens for trusts

Sumit Bose sbose at redhat.com
Wed May 29 10:06:47 UTC 2013

On Tue, May 28, 2013 at 02:50:59PM +0300, Alexander Bokovoy wrote:
> Hi,
> http://www.freeipa.org/page/V3/Serving_legacy_clients_for_trusts
> = Overview =
> Since version 3.0 FreeIPA supports cross-realm trusts with Active
> Directory. In order to allow AD users to utilize services on IPA
> clients, up to date version of SSSD should be configured at the IPA
> client. In case it is not possible to install and configure SSSD > 1.09,
> Active Directory users cannot access services on IPA clients.
> This feature is designed to bridge the gap and provide a minimal
> compatibility level that allows AD users to log in to IPA clients.
> IPA clients will be able to use any reasonable nss_ldap/pam_ldap/sssd
> version.
> = Use Cases =
> Access to IPA client machine resources for AD users in case IPA client
> cannot utilize up to date version of SSSD with native support for IPA
> cross-realm trusts.
> = Design =
> Since IPA client is configured with the use of older SSSD or
> nss_ldap/pam_ldap, all work should be performed at the IPA master.
> Primary design decision is to provide a separate LDAP tree, similar to
> compat tree, that has following features:
> * information about both IPA and AD users can be queried;
> * it is possible to enumerate members of IPA and AD groups;
> * authentication bind to IPA LDAP as AD users should automatically
> * trigger obtaining ticket from AD DC; in case TGT is obtained,
> * authentication bind should be treated as successful.
> From a client perspective, use of the separate LDAP tree is viewed as
> traditional nss_ldap/pam_ldap configuration.
> Proposed base for the LDAP tree:
> '''cn=users,cn=trust-accounts,dc=example,dc=com'''

I guess older SSSD versions, e.g. 1.8, might be the most difficult use
cases because they already support some specific features for IPA users
and groups, e.g. HBAC, netgroups, SELinux and automount maps. Since most
of them depend on DNs one way or the other I think older SSSD versions
must continue to use the main tree for IPA users and groups and local
look at the new tree for trusted accounts. Luckily multiple search bases
were introduced in SSSD 1.7, I wonder if older versions have to be
supported as well? But if multiple search bases are used the IPA users
and groups should not be visible in the new tree for trusted accounts.

Maybe the new plugin can offer different trees like
 - cn=users,cn=trust-accounts,dc=example,dc=com
 - cn=users,cn=trust-accounts-sssd,dc=example,dc=com

where the first contains IPA and AD accounts as mentioned above and the
latter only the AD accounts? Since we are planning to do the lookups on
the fly I think both trees can be handled in the same code path and the
path name is just config option which switches the IPA accounts on and
off respectively.

With yet another tree it might also be possible to support either rfc2307 or
rfc2307bis. I assume that the plan is that the new tree will use
rfc2307bis but I wonder if we have to support clients which only support

> = Implementation =
> # IPA server sets SSSD configuration to 'ipa_server_mode = true' on install or upgrade
> # ipa-adtrust-install configures additional directory server plugin to serve trusted domains tree
> # Directory server plugin uses getpwnam_r(), getgrnam_r() and related calls to obtain information about AD user. For IPA users the information is fetched directly from the LDAP.
> # IPA KDC database driver adds MS-PAC information into ticket granting ticket for host/fqdn at REALM principal of IPA master. This is required to allow SSSD on IPA master to authenticate against AD using host/fqdn at REALM principal.
> For SSSD design see
> https://fedorahosted.org/sssd/wiki/DesignDocs/IPAServerMode
> = Feature Management =
> === UI ===
> The feature is transparent and not exposed in UI
> === CLI ===
> The feature is not directly exposed in CLI.
> IPA idrange management is expanded to specify idrange type (IPA local,
> AD trust, AD with winsync, IPA trust, ..) to affect the way how AD users
> SIDs are mapped to POSIX IDs.
> = Major configuration options and enablement =
> sssd.conf will have 'ipa_server_mode = true' set for IPA master.
> = Replication =
> No effect on replication. Since directory server plugin is only
> configured when ipa-adtrust-install is run, IPA masters may opt out from
> serving AD clients.
> = Updates and Upgrades =
> During upgrade of IPA master, sssd.conf should be updated to set
> 'ipa_server_mode = true'.
> = Dependencies =
> Depends on SSSD implementing IPA server mode (sssd 1.10.x)
> = External Impact =
> https://fedorahosted.org/sssd/wiki/DesignDocs/IPAServerMode
> = Backup and Restore =
> No external configuration files are affected
> = Test Plan =
> Testing the feature will require following:
> # Configure IPA to serve AD trusts
> # Establish trust with AD domain
> # Configure a client to use nss_ldap/pam_ldap against AD-compatible tree
> # Attempt to log-in to the client as AD user
> = RFE Author =
> [[User:Ab|ab]] ([[User talk:Ab|talk]])
> -- 
> / Alexander Bokovoy
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
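To make the on-the-fly tree concrete, here is an added example (not FreeIPA or SSSD code) of how a plugin could turn the results of getpwnam_r()/getgrnam_r() into entries under the proposed cn=trust-accounts base, emitting group membership either rfc2307-style (memberUid) or rfc2307bis-style (member DNs), which is the compatibility question raised above. The dc=example,dc=com suffix and the cn=groups container are assumptions.

```c
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Base of the trust-accounts tree from the RFC (assumed domain). */
#define TRUST_BASE "cn=trust-accounts,dc=example,dc=com"

/* Render a passwd entry as a posixAccount under cn=users of the tree.
 * Returns bytes written, or -1 if the buffer is too small. */
int format_user_entry(const struct passwd *pw, char *out, size_t len) {
    int n = snprintf(out, len,
        "dn: uid=%s,cn=users,%s\n"
        "objectClass: posixAccount\n"
        "uid: %s\nuidNumber: %u\ngidNumber: %u\n"
        "homeDirectory: %s\nloginShell: %s\n",
        pw->pw_name, TRUST_BASE, pw->pw_name,
        (unsigned)pw->pw_uid, (unsigned)pw->pw_gid,
        pw->pw_dir, pw->pw_shell);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* Render a group entry; rfc2307 clients expect memberUid values,
 * rfc2307bis clients expect member DNs that point back into the tree. */
int format_group_entry(const struct group *gr, int rfc2307bis,
                       char *out, size_t len) {
    int n = snprintf(out, len,
        "dn: cn=%s,cn=groups,%s\nobjectClass: posixGroup\n"
        "cn: %s\ngidNumber: %u\n",
        gr->gr_name, TRUST_BASE, gr->gr_name, (unsigned)gr->gr_gid);
    if (n < 0 || (size_t)n >= len) return -1;
    for (char **m = gr->gr_mem; m && *m; m++) {
        int k = rfc2307bis
            ? snprintf(out + n, len - n, "member: uid=%s,cn=users,%s\n",
                       *m, TRUST_BASE)
            : snprintf(out + n, len - n, "memberUid: %s\n", *m);
        if (k < 0 || (size_t)k >= len - n) return -1;
        n += k;
    }
    return n;
}

/* Resolve a name through NSS (the path the RFC's plugin takes for AD
 * users) and render it; -1 if the user is unknown. */
int lookup_user_entry(const char *name, char *out, size_t len) {
    struct passwd pw, *res = NULL;
    char buf[4096];
    if (getpwnam_r(name, &pw, buf, sizeof buf, &res) != 0 || res == NULL)
        return -1;
    return format_user_entry(res, out, len);
}
```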
