[Freeipa-users] Propose FreeIPA theses: IPA support for sites

Nordgren, Bryce L -FS bnordgren at fs.fed.us
Sat Mar 8 01:19:12 UTC 2014


> You *could* build a system that can work w/o synchronization, if you
> carefully restrict what protocols and applications you use (think about
> distributed filesystems) although you'd still need a local persistent map at
> least. Backups and restore to other machines would need to be done
> carefully though, and so on.

I'm not suggesting that POSIX machines stop using UIDs internally. The local persistent map to a machine-dependent representation will be necessary. It will also be necessary on Windows machines. And on mobile platforms. And within web applications. The shared items (principal names) would be common to all OSes and platforms though.

People trying to create heterogeneous environments are already carefully restricting protocols and applications to those which don't require sharing a UID map. File sharing via: Samba/CIFS, NFSv4, WebDAV, sftp (and sshfs (Linux)/swish (Windows)). Logging into multiple machines has never involved knowing your UID, and ssh key pairs make it more or less effortless to execute commands on another machine whether or not your username is the same, much less your UID. Kerberos SSO is more or less the same, but ensures that a common set of identities are recognized.

Ideally, if realm admins delegate authorization to the individual machines, the machines (regardless of OS) should be capable of functioning with only Kerberos authentication and without any centralized directory services. Minimal directory services could add group definitions via LDAP. A full AD/IPA solution would be needed to centralize authorization and/or enforce policy. Yet I still am not seeing the requirement for new deployments of cross-platform environments to manage internal user representations for a single OS.

> However there are also issues with operations like 'renames', what happens
> when you change a user name or a group name? You do not want to lose
> access to files when that happens, so you still need a unique identifier that is
> not the everyday name (or forbid renames).

Presumably, you also would not want your Windows users to lose access to files after a rename, and Windows doesn't use UIDs. You also would not want to lose access to web apps, which do not use UIDs. You also don't want stale usernames to be sitting in access control lists (filesystem based or web app based). Retaining UIDs does nothing to make renaming more acceptable, because principal names are a realm-wide platform independent property, and UIDs are not.

> This is not an exhaustive list of course, and every problem can be probably
> worked around one way or another, however at the moment it is still "easier"
> to synchronize IDs than not ...

As I see it, for a cross-platform environment, every problem must be worked around regardless of whether you have to synchronize UIDs. Managing UIDs is just more work at the end, and it might be busywork. Determining whether it's busywork or not may make a good thesis topic. :)

It makes a good thesis topic because the central question is paradigm shifting: Draw a line between realm-wide properties and local machine representations of those properties, and ask "Can each machine be made responsible for performing its own localizations for internal bookkeeping purposes?" This would seem to be of particular interest to the type of crowd which would download and use a FreeIPA/sssd solution, but it may not be something they have the time to pursue.

:)
Bryce
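The "local persistent map to a machine-dependent representation" described in the post, and the rename case raised in the quoted reply, can be made concrete with a small sketch. The following is an added example written for this thread, not code from FreeIPA, SSSD or the poster: one machine owns a JSON-backed map from realm-wide Kerberos principal names to UIDs drawn from a locally chosen range (the range, the file name and the `user@REALM` principals are constructed for the example). A rename rebinds the existing UID to the new principal name, so files owned by that UID remain reachable while the old name disappears from the map.

```python
"""Per-machine persistent map: principal name -> local UID (illustrative)."""
import json
import os
import re
import tempfile

# Constructed range for this example; a real host would choose a range that
# cannot collide with local accounts or with other ID-mapping ranges.
DEFAULT_UID_MIN = 200000
DEFAULT_UID_MAX = 299999

PRINCIPAL_RE = re.compile(r"^[^@/\s]+@[A-Z0-9.-]+$")


class LocalIdMap:
    """Persistent principal-name -> UID map owned by one machine."""

    def __init__(self, path, uid_min=DEFAULT_UID_MIN, uid_max=DEFAULT_UID_MAX):
        self.path = path
        self.uid_min = uid_min
        self.uid_max = uid_max
        self._by_principal = {}
        self._by_uid = {}
        self._load()

    def _load(self):
        if not os.path.exists(self.path):
            return
        with open(self.path, encoding="utf-8") as fh:
            stored = json.load(fh)
        for principal, uid in stored.items():
            self._bind(principal, int(uid))

    def _save(self):
        # Write-then-rename so a crash never leaves a half-written map behind.
        tmp = self.path + ".tmp"
        with open(tmp, "w", encoding="utf-8") as fh:
            json.dump(self._by_principal, fh, indent=2, sort_keys=True)
        os.replace(tmp, self.path)

    def _bind(self, principal, uid):
        if uid in self._by_uid or principal in self._by_principal:
            raise ValueError(f"conflicting binding for {principal!r}/{uid}")
        self._by_principal[principal] = uid
        self._by_uid[uid] = principal

    @staticmethod
    def _check(principal):
        if not PRINCIPAL_RE.match(principal):
            raise ValueError(f"not a user@REALM principal: {principal!r}")

    def uid_for(self, principal):
        """Return the UID bound to this principal, allocating one if unknown."""
        self._check(principal)
        if principal in self._by_principal:
            return self._by_principal[principal]
        for uid in range(self.uid_min, self.uid_max + 1):
            if uid not in self._by_uid:
                self._bind(principal, uid)
                self._save()
                return uid
        raise RuntimeError("local UID range exhausted")

    def principal_for(self, uid):
        """Reverse lookup for display (ls -l, ps); None if unmapped."""
        return self._by_uid.get(uid)

    def rename(self, old, new):
        """Move the existing UID to a new principal name; the UID is unchanged."""
        self._check(new)
        if old not in self._by_principal:
            raise KeyError(old)
        if new in self._by_principal:
            raise ValueError(f"{new!r} already mapped")
        uid = self._by_principal.pop(old)
        del self._by_uid[uid]
        self._bind(new, uid)
        self._save()
        return uid


def demo():
    """Exercise the map across a simulated restart and a rename."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "idmap.json")
        first = LocalIdMap(path)
        alice = first.uid_for("alice@EXAMPLE.COM")  # constructed principals
        bob = first.uid_for("bob@EXAMPLE.COM")
        # A fresh instance reading the same file must hand out the same UIDs.
        second = LocalIdMap(path)
        alice_again = second.uid_for("alice@EXAMPLE.COM")
        renamed_uid = second.rename("alice@EXAMPLE.COM", "alicia@EXAMPLE.COM")
        return {
            "alice": alice,
            "bob": bob,
            "stable_after_reload": alice_again == alice,
            "rename_keeps_uid": renamed_uid == alice,
            "old_name_gone": "alice@EXAMPLE.COM" not in second._by_principal,
            "owner_of_alice_uid": second.principal_for(alice),
        }


if __name__ == "__main__":
    print(demo())
```

The map file is the only state the machine has to protect: the same principal names are recognized everywhere in the realm, but the UIDs they resolve to are private to this host, which is exactly the division the post argues for. Restoring that file onto another machine would carry its UID assignments along, which is the backup-and-restore caveat from the quoted reply.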