[Freeipa-users] HBAC

Martin Kosek mkosek at redhat.com
Wed Sep 30 12:12:00 UTC 2015


On 09/30/2015 07:50 AM, Alexander Bokovoy wrote:
> On Tue, 29 Sep 2015, TomK wrote:
>> Hey Guys,
>>
>> (Sending this again as I didn't have this email included in the freeipa-users
>> mailing list so not sure if the other message will get posted.)
>>
>> Before I post a ticket to RH Support for an RFE, I'll post the request here
>> to get some feedback on options and what ideas folks have.  I've a situation
>> as follows.  I have the following setup in WS 2012 AD DC:
>>
>> TomK (user)
>> TomK Groups:
>>                unixg
>>                windowsg
>>
>> unixg has the 'host' attribute defined 'lab01,lab02,lab03,lab04'
>> windowsg has the 'host' attribute defined 'lab06,lab07,lab08,lab09'
>>
>> TomK(user) also has the 'host' attribute defined as per the proper RFC for
>> LDAP.  With SSSD rules I can define the rules to read the user 'host'
>> attribute but not the group 'host' attribute:
>>
>>
>> access_provider = ldap
>> ldap_access_order = host
>> ldap_user_authorized_host = host
>>
>>
>> Essentially TomK is to be given access to hosts listed in the 'host' attribute
>> but denied entry into lab05 for example (not listed in any group 'host'
>> attribute above) to the server.   If I have a new user that has joined that
>> particular team at our organization, I can simply add her/him to the above
>> groups and this user would get access only to the listed servers in 'host'
>> attribute by default. I don't need to specify new groups in customized
>> sssd.conf or ldap.conf files or in sshd config files.  Hence less to update
>> with Salt or any other CM suite.  I've managed to set up SUDO rules and with
>> the openssh-ldap.diff schema SSH public keys could be stored in AD as well
>> and be read by OpenSSH.  So aside from the HBAC capability on groups,
>> virtually all our needs are handled by the WS2012 AD DC as it has to follow
>> the OpenLDAP standard anyway.  Now to get this we considered and are still
>> considering FreeIPA.  However this idea poses a set of challenges:
>>
>> 1) In large organizations where the AD support department are only trained in
>> Windows AD setup and configuration (only Windows guys) this would require a
>> minimum of 3 bodies to support that know LDAP/Linux.  This is a large cost.
>>
>> 2) The additional server requires the same hardening as the Windows AD DC
>> servers meaning a new procedure has to be carved out for the 2+ FreeIPA
>> servers to be supported, hardened and maintained (upgraded).
>>
>> Now I probably sound somewhat anti-FreeIPA, however the challenges of
>> implementing it in large organizations surface after some deliberation, so
>> probably better to list them as it may help direct development of the product
>> to contend with the challenges (Like having a document fully dedicated to
>> hardening a FreeIPA server with selinux and other technologies in easy to
>> maintain configuration).   I could be mistaken but some folks mention that
>> it's 'better' to implement this sort of HBAC through other means (?? iptables
>> ??) but never tried the alternatives yet.
>>
>> So, cutting to the end, would it be possible to add an attribute like:
>>
>> ldap_user_authorized_host
>>
>> but perhaps called 'ldap_group_authorized_host' to the SSSD code to enable
>> reading the 'host' attribute on AD/LDAP defined groups?
> In FreeIPA we support HBAC rules for AD users and groups. What exactly
> is wrong with that?
> 
> See 'ipa help trust' for details on how to map AD groups to IPA groups and
> then 'ipa help hbacrule' for how to limit access of those groups to
> specific hosts and services on them.
> 
> This is all covered well in the guide:
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html

More reading on External groups used for AD access control:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/active-directory-trust.html#trust-win-groups

I would also suggest a video with HBAC and Trust in action:

https://www.youtube.com/watch?v=sQnNFJOzwa8

HTH,
Martin
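
The group-to-host mapping asked for in the question, expressed with the external-group and HBAC commands the replies point to. This is an added example, not part of the original messages; the domains ad.example.com and ipa.example.com, the group and rule names, and the sshd service are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): AD group -> IPA external group ->
# POSIX group -> HBAC rule limited to a host list.
# Assumed/constructed names: AD domain ad.example.com, IPA domain
# ipa.example.com, the *_external / *_ipa / allow_* naming, service sshd.
# DRY_RUN=1 (default) prints the ipa commands; DRY_RUN=0 executes them on an
# IPA-enrolled host with an admin Kerberos ticket and an established trust.
DRY_RUN="${DRY_RUN:-1}"
AD_DOMAIN="${AD_DOMAIN:-ad.example.com}"
IPA_DOMAIN="${IPA_DOMAIN:-ipa.example.com}"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Usage: hbac_for_ad_group AD_GROUP SERVICE HOST...
hbac_for_ad_group() {
    if [ "$#" -lt 3 ]; then
        echo "usage: hbac_for_ad_group AD_GROUP SERVICE HOST..." >&2
        return 2
    fi
    adgrp=$1; svc=$2; shift 2
    ext="${adgrp}_external"   # non-POSIX group that references the AD group
    posix="${adgrp}_ipa"      # POSIX group that the HBAC rule refers to
    rule="allow_${adgrp}"

    run ipa group-add "$ext" --external
    run ipa group-add "$posix"
    # Run interactively, this asks for [member user]/[member group]: leave empty.
    run ipa group-add-member "$ext" --external "${adgrp}@${AD_DOMAIN}"
    run ipa group-add-member "$posix" --groups "$ext"
    run ipa hbacrule-add "$rule"
    run ipa hbacrule-add-user "$rule" --groups "$posix"
    run ipa hbacrule-add-service "$rule" --hbacsvcs "$svc"
    for h in "$@"; do
        run ipa hbacrule-add-host "$rule" --hosts "${h}.${IPA_DOMAIN}"
    done
}

# Group and hosts as listed in the question above.
hbac_for_ad_group unixg sshd lab01 lab02 lab03 lab04
# Evaluate only the new rule for a host that is not listed (lab05).
run ipa hbactest --user "TomK@${AD_DOMAIN}" --host "lab05.${IPA_DOMAIN}" \
    --service sshd --rules allow_unixg
# The default allow_all rule still grants access everywhere. Once rules cover
# everyone who needs to log in, disable it: ipa hbacrule-disable allow_all
```

New team members added to the AD group pick up the rule through the external group, so nothing changes on the clients.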



