[Freeipa-devel] [RFC] Migrating existing environments to Trust - v2: reverse DNS lookup

Petr Spacek pspacek at redhat.com
Thu May 29 16:50:50 UTC 2014


On 29.5.2014 13:48, Sumit Bose wrote:
> == slapi-nis plugin/compat tree ==
> The compat tree offers a simplified LDAP tree with user and group data
> for legacy clients. No data for this tree is stored on disk but it is
> always created on the fly. It has to be noted that legacy clients might
> be one of the major users of the user-views because chances are that
> they were attached to the legacy systems with legacy ID management which
> should be replaced by IPA.
>
> In contrast to the extdom plugin it is not possible to determine the
> client based on the DN because connection might be anonymous. The
> Slapi_PBlock contains the IP address of the client in
> SLAPI_CONN_CLIENTNETADDR. Finding the matching client object in the IPA
> tree requires a reverse-DNS lookup which might be unreliable. If the
> reverse-DNS lookup was successful the slapi-nis plugin can follow the
> same steps as the extdom plugin to look up and apply the view.

Do we really want to base security decisions on reverse DNS resolution? That
will be insecure. An attacker could tamper with reverse DNS to change UID/GID
mapping ... Maybe we can store IP->view mapping in the LDAP database. That
should be reliable if we assume that only TCP is used for connection to LDAP
database.

> As an alternative slapi-nis can provide one tree for each view.
>
> The first approach has the advantage that everything can be managed on
> the server and no change on the legacy clients is needed, even if they
> are assigned to a different view, but requires reverse-DNS and has more
> search overhead. With the second approach every legacy system which
> should get a specific view different from the default view has to be
> pointed to the new tree. Using both in parallel is possible but might
> not be worth the additional effort.

-- 
Petr^2 Spacek
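To make the two options discussed above concrete, here is an added illustration (not FreeIPA or slapi-nis code): a PTR-only lookup that an attacker-controlled reverse zone can steer, the same lookup with a forward-confirmation step, and the exact IP-to-view table Petr proposes. The DNS data, the host names and the view names are constructed sample values; the stub dictionaries stand in for the resolver.

```python
import ipaddress

DEFAULT_VIEW = "default"

# Constructed sample data. IP_VIEW_MAP models the "store IP->view mapping in
# LDAP" alternative; PTR_RECORDS models a reverse zone the server does not
# control; A_RECORDS models the forward zone managed by IPA.
IP_VIEW_MAP = {"192.0.2.10": "legacy-view-a", "192.0.2.11": "legacy-view-b"}
HOST_VIEW_MAP = {"client10.ipa.example.": "legacy-view-a"}
PTR_RECORDS = {
    "192.0.2.10": "client10.ipa.example.",
    "192.0.2.20": "client10.ipa.example.",   # tampered PTR naming a trusted host
}
A_RECORDS = {"client10.ipa.example.": "192.0.2.10"}


def view_by_ptr_only(client_ip, ptr, host_views, default=DEFAULT_VIEW):
    """The weak variant from the thread: trust whatever the PTR record says."""
    return host_views.get(ptr.get(client_ip), default)


def view_by_confirmed_reverse_dns(client_ip, ptr, fwd, host_views,
                                  default=DEFAULT_VIEW):
    """Reverse lookup with forward confirmation: the PTR name must resolve
    back to the connecting address, otherwise fall back to the default view.
    Still depends on DNS integrity; it only defeats a lone forged PTR."""
    name = ptr.get(client_ip)
    if name is None or fwd.get(name) != client_ip:
        return default
    return host_views.get(name, default)


def view_by_ip_mapping(client_ip, ip_views, default=DEFAULT_VIEW):
    """Exact match of the peer address (as SLAPI_CONN_CLIENTNETADDR would
    supply it) against a server-side table; no DNS is consulted."""
    addr = ipaddress.ip_address(client_ip)
    # A dual-stack listener reports IPv4 peers as ::ffff:a.b.c.d; normalise
    # so the table can be keyed by plain IPv4 addresses.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return ip_views.get(str(addr), default)
```

Both hardened variants still rely on the source address being genuine, which is the TCP assumption in the reply above.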