mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-02-25 18:55:28 -06:00
Add design for LDAPI autobind
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
parent 16e1cbdc5e
commit 5b8f37f88f
@ -18,3 +18,4 @@ FreeIPA design documentation
membermanager.md
hidden-replicas.md
disable-stale-users.md
ldapi-autobind-services.md
doc/designs/ldapi-autobind-services.md (Normal file, 135 lines)
@ -0,0 +1,135 @@
# LDAPI autobind authentication for services
## Overview
This design proposed to use LDAPI autobind for some internal FreeIPA
services, so they can be started and used before KRB5 KDC service is
operational. The proposal makes use of 389 DS' existing [LDAPI autobind](
https://www.port389.org/docs/389ds/FAQ/ldapi-and-autobind.html)
implementation and new [LDAPI autobind DN rewriter](
https://www.port389.org/docs/389ds/design/ldapi-auto-auth-dn-design.html)
feature, which will be available in early 2021.
LDAPI autobind is a form of authentication that uses the effective
UID and GID of a process as credentials. It uses ``SO_PEERCRED`` feature
of [unix socket](https://man7.org/linux/man-pages/man7/unix.7.html)
connection and SASL EXTERNAL mechanism. Autobind enables secure and
fast authentication for local services without using KRB5 KDC.
## Technical background
### Benefits
LDAPI autobind does not depend on Kerberos/GSSAPI. This fact permits
services to authenticate and operate before KRB5 KDC is up and running.
For example DNS services can be started before KDC, so a time sync
daemon can synchronize clocks before KDC starts.
It's faster than GSSAPI. On a test system ``ldapwhoami`` command
with ``-Y EXTERNAL`` takes around 12ms real time. On the same system
``-Y GSSAPI`` over LDAPI with a cached service ticket takes between
20ms to 500ms real time.
### Drawbacks
On Fedora and RHEL-based systems, FreeIPA's keytabs are not only
protected by DAC permissions (discrete access control, also known as
Unix file permissions) but also by SELinux's mandatory access control.
For example ``named.keytab`` is only readable by user ``named`` or
group members of group ``named`` and processes that are
allowed to open files with SELinux type ``etc_t``. ``SO_PEERCRED``-based
authentication no longer verifies the SELinux context of a process.
It is possible to retrieve the security context of a peer process
with ``SO_PEERSEC``, but 389-DS does not implement the feature.
The risk is negligible for BIND named. Most process are allowed to
read files with ``etc_t`` any way.
### Containers
``SO_PEERCRED`` based authentication works across containers if and
only if the 389-DS server process and LDAP client process can share a
mount point and a common user namespace. The mount point is required
to share the Unix socket file of the 389-DS process. The user namespace
must be shared, because the Kernel translates UID and GID numbers
between namespaces. Disjunct namespaces result in UID/GID ``-1``.
## Candidates
* BIND named service, so ``named`` and ``chronyd`` can be started
before KDC.
* krb5kdc and kadmin service (after dropping root privileges)
* ipa-custodia (after dropping root privileges)
## Implementation
The implementation makes use of the new DN rewriter feature for
autobind. The feature enables FreeIPA to store the UID/GID mapping in
the local, non-replicated ``cn=config`` backend and then map succesful
binds to a DN in the replicated domain database. The approach has two
benefits:
1) FreeIPA does not depend on reserved and uniform UID/GID allocation
across all servers. Each server can map its local UID/GID assignment
to a principal.
2) FreeIPA can map UID/GID combination to a host-specific service
principal. For example server ``srv1`` can map UID ``25`` / GID
``25`` to ``DNS/srv1.ipa.example@IPA.EXAMPLE``. ``srv2`` can map the
same UID and GID to its principal
``DNS/srv2.ipa.example@IPA.EXAMPLE``.
### global settings
LDAPI mappings, search base for UID/GID, and mapping base for
``nsslapd-authenticateAsDN`` must be configured in ``cn=config``.
```raw
dn: cn=config
nsslapd-ldapimaptoentries: on
nsslapd-ldapientrysearchbase: cn=auto_bind,cn=config
nsslapd-ldapidnmappingbase: cn=auto_bind,cn=config
```
### service-specific settings
LDAPI DN rewriter feature comes with a new object class for mapping
UID/GID to another DN. For example a mapping for BIND named would look
like this:
```raw
dn: cn=named,cn=auto_bind,cn=config
objectClass: top
objectClass: nsLDAPIFixedAuthMap
cn: named
uidNumber: $NAMED_UID
gidNumber: $NAMED_GID
nsslapd-authenticateAsDN: krbprincipalname=DNS/$FQDN@$REALM,cn=services,cn=accounts,$SUFFIX
```
**NOTE** 389-DS does not enforce referential integrity in ``cn=config``.
``nsslapd-authenticateAsDN`` can reference DNs that do not exist yet. A
missing target results into authenticate error.
### reload LDAPI mappings
389-DS has an internal cache for LDAPI mappings. The cache must be
refreshed after mapping are added, removed, or changed. A refresh can
be accomplished by either restarting the server process or running the
`reload ldapi mappings` task. The implementation detail will be
handled automatically by new API and ``ipa-ldap-updater`` framework.
### backup / restore
It is possible that UID or GID can change, when a server is reinstalled
and restored from a backup. ``ipa-restore`` will refresh all mappings
on restore.
## References
* [389-DS LDAPI autobind](
https://www.port389.org/docs/389ds/FAQ/ldapi-and-autobind.html)
* [LDAPI autobind DN rewriter](
https://www.port389.org/docs/389ds/design/ldapi-auto-auth-dn-design.html)
* 389-DS feature request [GH-4381](https://github.com/389ds/389-ds-base/issues/4381)
* FreeIPA bug report [pagure-8544](https://pagure.io/freeipa/issue/8544)
for replication issue due to clock mismatch.
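Review bot: The "Drawbacks" section assesses the loss of SELinux context checking only for BIND named ("The risk is negligible for BIND named"), but the "Candidates" section also proposes krb5kdc, kadmin and ipa-custodia; since an ``SO_PEERCRED``-based bind authenticates any local process running under the mapped UID/GID as the mapped service principal regardless of its SELinux domain, the design should record the same assessment for each of those candidates rather than leave it implied. In the "Implementation" section, the mapping entries under ``cn=auto_bind,cn=config`` decide which UID/GID becomes which principal, so the document should also state who may write those entries and that the new API and ``ipa-ldap-updater`` path keeps that restricted to the existing ``cn=config`` administrators. Wording: "discrete access control" should read "discretionary access control" (that is what DAC stands for); "This design proposed" should be "proposes"; "succesful" should be "successful"; "Most process are allowed ... any way" should be "Most processes are allowed ... anyway"; "after mapping are added" should be "after mappings are added"; "A missing target results into authenticate error" should be "A missing target results in an authentication error" (worth adding that this is the desired fail-closed behaviour); and "It is possible that UID or GID can change, when a server is reinstalled" reads better as "A UID or GID may change when a server is reinstalled".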