[Freeipa-devel] [RFC] Migrating existing environments to Trust - v2: reverse DNS lookup

Simo Sorce simo at redhat.com
Thu May 29 17:31:04 UTC 2014


On Thu, 2014-05-29 at 18:50 +0200, Petr Spacek wrote:
> On 29.5.2014 13:48, Sumit Bose wrote:
> > == slapi-nis plugin/compat tree ==
> > The compat tree offers a simplified LDAP tree with user and group data
> > for legacy clients. No data for this tree is stored on disk but it is
> > always created on the fly. It has to be noted that legacy clients might
> > be one of the major users of the user-views because chances are that
> > they were attached to the legacy systems with legacy ID management which
> > should be replaced by IPA.
> >
> > In contrast to the extdom plugin it is not possible to determine the
> > client based on the DN because connection might be anonymous. The
> > Slapi_PBlock contains the IP address of the client in
> > SLAPI_CONN_CLIENTNETADDR. Finding the matching client object in the IPA
> > tree requires a reverse-DNS lookup which might be unreliable. If the
> > reverse-DNS lookup was successful the slapi-nis plugin can follow the
> > same steps as the extdom plugin to look up and apply the view.
> 
> Do we really want to base security decisions on reverse DNS resolution?

No we do not want to play these games.

> That 
> will be insecure. Attacker could tamper with reverse DNS to change UID/GID 
> mapping ... Maybe we can store IP->view mapping in the LDAP database. That 
> should be reliable if we assume that only TCP is used for connection to LDAP 
> database.

It is not just about it being insecure, it is about it being wrong.
As soon as you have a bunch of clients behind a NAT this plan goes belly
up.

> > As an alternative slapi-nis can provide one tree for each view.

This is the only alternative, if we decide to pursue it.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
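The two failure modes discussed in this thread, a PTR record that an attacker controls and several clients sharing one source address behind NAT, are easy to reproduce in a small model. The following Python is an added illustration written for this archive page; it is not code from slapi-nis, the extdom plugin or FreeIPA. The PTR zone, A zone, IPA host objects, IP-to-view table and NAT table are all constructed sample data, and `SLAPI_CONN_CLIENTNETADDR` is modelled simply as a string argument. The model goes slightly beyond the thread by adding a forward-confirmation step (checking that the name from the PTR record resolves back to the same address), which catches the tampered record in the sample but, as the NAT case shows, still cannot make the source address identify a client.

```python
import ipaddress

# Constructed reverse (PTR) zone: what a reverse-DNS lookup of the client IP
# returns. 192.0.2.12 carries a tampered PTR that claims an admin workstation.
PTR_TABLE = {
    "192.0.2.10": "legacy1.example.test",
    "192.0.2.11": "legacy2.example.test",
    "192.0.2.12": "admin-ws.example.test",
}

# Constructed forward (A) zone; the real admin workstation lives at .50.
A_TABLE = {
    "legacy1.example.test": "192.0.2.10",
    "legacy2.example.test": "192.0.2.11",
    "admin-ws.example.test": "192.0.2.50",
}

# Constructed stand-in for the host objects in the IPA tree, keyed by FQDN,
# each carrying the user view that should apply to that client.
IPA_HOSTS = {
    "legacy1.example.test": {"view": "legacy-view"},
    "legacy2.example.test": {"view": "legacy-view"},
    "admin-ws.example.test": {"view": "admin-view"},
}

# Constructed IP->view table, modelling the "store the mapping in LDAP"
# alternative raised in the thread.
IP_VIEW_TABLE = {
    ipaddress.ip_network("192.0.2.0/24"): "legacy-view",
    ipaddress.ip_network("198.51.100.0/24"): "branch-office-view",
}

# Constructed NAT table: client FQDN -> source address the LDAP server sees.
# Two different clients leave the same NAT gateway with the same address.
NAT_TABLE = {
    "legacy1.example.test": "203.0.113.1",
    "legacy2.example.test": "203.0.113.1",
    "admin-ws.example.test": "203.0.113.2",
}


def reverse_lookup_view(client_ip, forward_confirm=True):
    """Model the proposed compat-tree flow: client IP -> PTR -> host object -> view.

    Returns the view name, or None when the client cannot be identified.
    With forward_confirm=True the PTR result is only accepted if the name
    resolves back to the same address (forward-confirmed reverse DNS).
    """
    name = PTR_TABLE.get(client_ip)
    if name is None:
        return None
    if forward_confirm and A_TABLE.get(name) != client_ip:
        # PTR names a host whose A record points elsewhere: do not trust it.
        return None
    host = IPA_HOSTS.get(name)
    return host["view"] if host else None


def ip_table_view(client_ip):
    """Longest-prefix-free lookup of the client address in the IP->view table."""
    addr = ipaddress.ip_address(client_ip)
    for net, view in IP_VIEW_TABLE.items():
        if addr in net:
            return view
    return None


def clients_behind(observed_ip):
    """All clients the server would see with this source address.

    More than one entry means the address alone cannot select a view.
    """
    return {fqdn for fqdn, ip in NAT_TABLE.items() if ip == observed_ip}


if __name__ == "__main__":
    # Tampered PTR: accepted without forward confirmation, rejected with it.
    print(reverse_lookup_view("192.0.2.12", forward_confirm=False))  # admin-view
    print(reverse_lookup_view("192.0.2.12"))                         # None
    # NAT: two clients collapse onto one address, so an IP->view table is
    # ambiguous no matter how the address is obtained.
    print(sorted(clients_behind("203.0.113.1")))
```

The point the model makes is the one Simo draws in the reply: forward confirmation removes the trivially tampered PTR, but it does nothing about clients that share an address, so identifying the client from its source address is the wrong building block rather than merely an insecure one.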
