[Freeipa-devel] [RFC] Migrating existing environments to Trust - v2: reverse DNS lookup

Dmitri Pal dpal at redhat.com
Fri May 30 13:13:18 UTC 2014 

On 05/30/2014 03:04 AM, Sumit Bose wrote:
> On Thu, May 29, 2014 at 01:31:04PM -0400, Simo Sorce wrote:
>> On Thu, 2014-05-29 at 18:50 +0200, Petr Spacek wrote:
>>> On 29.5.2014 13:48, Sumit Bose wrote:
>>>> == slapi-nis plugin/compat tree ==
>>>> The compat tree offers a simplified LDAP tree with user and group data
>>>> for legacy clients. No data for this tree is stored on disk but it is
>>>> always created on the fly. It has to be noted that legacy clients might
>>>> be one of the major users of the user-views because chances are that
>>>> they were attached to the legacy systems with legacy ID management which
>>>> should be replaced by IPA.
>>>>
>>>> In contrast to the extdom plugin it is not possible to determine the
>>>> client based on the DN because connection might be anonymous. The
>>>> Slapi_PBlock contains the IP address of the client in
>>>> SLAPI_CONN_CLIENTNETADDR. Finding the matching client object in the IPA
>>>> tree requires a reverse-DNS lookup which might be unreliable. If the
>>>> reverse-DNS lookup was successful the slapi-nos plugin can follow the
>>>> same steps as the extdom plugin to lookup up and apply the view.
>>> Do we really want to base security decisions on reverse DNS resolution?
>> No we do not want to play these games.
>>
>>> That
>>> will be insecure. Attacker could tamper with reverse DNS to change UID/GID
>>> mapping ... Maybe we can store IP->view mapping in the LDAP database. That
>>> should be reliable if we assume that only TCP is used for connection to LDAP
>>> database.
>> It is not just about it being insecure, it is about it being wrong.
>> As soon as you have a bunch of clients behind a NAT this pans goes belly
>> up.
> I do not like this one either. I just wanted to list to options I could
> think of because I think supporting user-views on legacy clients is one
> of the major use-cases for this feature.
>
> bye,
> Sumit
>
>>>> As a alternative slapi-nis can provide one tree for each view.
>> This is the only alternative, if we decide to pursue it.
>>
>> Simo.
>>
>> -- 
>> Simo Sorce * Red Hat, Inc * New York
>>
>> _______________________________________________
>> Freeipa-devel mailing list
>> Freeipa-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-devel
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

Please correct me as I might be confused.
We have the compat tree now for legacy clients. It is also used by 
latest SSSD clients to do special lookups, right?
The data in this tree comes from the SSSD on the server running in 
server mode.
I wonder if we can say: here are replicas A, B, C that have vanilla 
"default view", here are replicas K, L, M where the data is overwritten 
with a special view (i.e. UID/GID fro ma special area) and then we have 
replicas X,Y,Z that have a different overlay view.
It will be assumed that replicas A,B,C, serve clients in one "zone", new 
and legacy, while K, L, M serve another zone and X, Y, Z serve the other 
one.
Would that work?



-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

More information about the Freeipa-devel mailing list