freeipa/doc/designs/ldapi-autobind-services.md

136 lines
5.2 KiB
Markdown
Raw Normal View History

# LDAPI autobind authentication for services
## Overview
This design proposed to use LDAPI autobind for some internal FreeIPA
services, so they can be started and used before KRB5 KDC service is
operational. The proposal makes use of 389 DS' existing [LDAPI autobind](
https://www.port389.org/docs/389ds/FAQ/ldapi-and-autobind.html)
implementation and new [LDAPI autobind DN rewriter](
https://www.port389.org/docs/389ds/design/ldapi-auto-auth-dn-design.html)
feature, which will be available in early 2021.
LDAPI autobind is a form of authentication that uses the effective
UID and GID of a process as credentials. It uses ``SO_PEERCRED`` feature
of [unix socket](https://man7.org/linux/man-pages/man7/unix.7.html)
connection and SASL EXTERNAL mechanism. Autobind enables secure and
fast authentication for local services without using KRB5 KDC.
## Technical background
### Benefits
LDAPI autobind does not depend on Kerberos/GSSAPI. This fact permits
services to authenticate and operate before KRB5 KDC is up and running.
For example DNS services can be started before KDC, so a time sync
daemon can synchronize clocks before KDC starts.
It's faster than GSSAPI. On a test system ``ldapwhoami`` command
with ``-Y EXTERNAL`` takes around 12ms real time. On the same system
``-Y GSSAPI`` over LDAPI with a cached service ticket takes between
20ms to 500ms real time.
### Drawbacks
On Fedora and RHEL-based systems, FreeIPA's keytabs are not only
protected by DAC permissions (discrete access control, also known as
Unix file permissions) but also by SELinux's mandatory access control.
For example ``named.keytab`` is only readable by user ``named`` or
group members of group ``named`` and processes that are
allowed to open files with SELinux type ``etc_t``. ``SO_PEERCRED``-based
authentication no longer verifies the SELinux context of a process.
It is possible to retrieve the security context of a peer process
with ``SO_PEERSEC``, but 389-DS does not implement the feature.
The risk is negligible for BIND named. Most process are allowed to
read files with ``etc_t`` any way.
### Containers
``SO_PEERCRED`` based authentication works across containers if and
only if the 389-DS server process and LDAP client process can share a
mount point and a common user namespace. The mount point is required
to share the Unix socket file of the 389-DS process. The user namespace
must be shared, because the Kernel translates UID and GID numbers
between namespaces. Disjunct namespaces result in UID/GID ``-1``.
## Candidates
* BIND named service, so ``named`` and ``chronyd`` can be started
before KDC.
* krb5kdc and kadmin service (after dropping root privileges)
* ipa-custodia (after dropping root privileges)
## Implementation
The implementation makes use of the new DN rewriter feature for
autobind. The feature enables FreeIPA to store the UID/GID mapping in
the local, non-replicated ``cn=config`` backend and then map succesful
binds to a DN in the replicated domain database. The approach has two
benefits:
1) FreeIPA does not depend on reserved and uniform UID/GID allocation
across all servers. Each server can map its local UID/GID assignment
to a principal.
2) FreeIPA can map UID/GID combination to a host-specific service
principal. For example server ``srv1`` can map UID ``25`` / GID
``25`` to ``DNS/srv1.ipa.example@IPA.EXAMPLE``. ``srv2`` can map the
same UID and GID to its principal
``DNS/srv2.ipa.example@IPA.EXAMPLE``.
### global settings
LDAPI mappings, search base for UID/GID, and mapping base for
``nsslapd-authenticateAsDN`` must be configured in ``cn=config``.
```raw
dn: cn=config
nsslapd-ldapimaptoentries: on
nsslapd-ldapientrysearchbase: cn=auto_bind,cn=config
nsslapd-ldapidnmappingbase: cn=auto_bind,cn=config
```
### service-specific settings
LDAPI DN rewriter feature comes with a new object class for mapping
UID/GID to another DN. For example a mapping for BIND named would look
like this:
```raw
dn: cn=named,cn=auto_bind,cn=config
objectClass: top
objectClass: nsLDAPIFixedAuthMap
cn: named
uidNumber: $NAMED_UID
gidNumber: $NAMED_GID
nsslapd-authenticateAsDN: krbprincipalname=DNS/$FQDN@$REALM,cn=services,cn=accounts,$SUFFIX
```
**NOTE** 389-DS does not enforce referential integrity in ``cn=config``.
``nsslapd-authenticateAsDN`` can reference DNs that do not exist yet. A
missing target results into authenticate error.
### reload LDAPI mappings
389-DS has an internal cache for LDAPI mappings. The cache must be
refreshed after mapping are added, removed, or changed. A refresh can
be accomplished by either restarting the server process or running the
`reload ldapi mappings` task. The implementation detail will be
handled automatically by new API and ``ipa-ldap-updater`` framework.
### backup / restore
It is possible that UID or GID can change, when a server is reinstalled
and restored from a backup. ``ipa-restore`` will refresh all mappings
on restore.
## References
* [389-DS LDAPI autobind](
https://www.port389.org/docs/389ds/FAQ/ldapi-and-autobind.html)
* [LDAPI autobind DN rewriter](
https://www.port389.org/docs/389ds/design/ldapi-auto-auth-dn-design.html)
* 389-DS feature request [GH-4381](https://github.com/389ds/389-ds-base/issues/4381)
* FreeIPA bug report [pagure-8544](https://pagure.io/freeipa/issue/8544)
for replication issue due to clock mismatch.