global catalog service implementation in freeipa
play

GLOBAL CATALOG SERVICE IMPLEMENTATION IN FREEIPA Alexander Bokovoy - PowerPoint PPT Presentation

Jul 13, 2023 •366 likes •669 views

GLOBAL CATALOG SERVICE IMPLEMENTATION IN FREEIPA Alexander Bokovoy Red Hat Inc. May 4th, 2017 ABOUT:ME Sr. Principal Software Engineer at Red Hat Samba Team member since 2003 Core FreeIPA developer since 2011 2 WHAT IS THIS TALK

  1. GLOBAL CATALOG SERVICE IMPLEMENTATION IN FREEIPA Alexander Bokovoy Red Hat Inc. May 4th, 2017

  2. ABOUT:ME Sr. Principal Software Engineer at Red Hat • Samba Team member since 2003 • Core FreeIPA developer since 2011 2

  3. WHAT IS THIS TALK ABOUT?

  4. WHAT IS THIS ABOUT? FreeIPA is a directory service for Linux and POSIX clients: • 389-ds - The LDAP directory server (and a lot of plugins) • Samba - as a traditional (NT4-style) domain controller with a twist ( smbd and winbindd ) • MIT Kerberos - Kerberos KDC • MS-KKDCP proxy • Dogtag Certifjcate Authority • Custodia (secrets management) • SSSD - client side identity (nss, PAM, D-Bus, ...) • FreeIPA management framework written in Python and running under Apache 4

  5. WHAT IS THIS ABOUT? FreeIPA supports forest trust to Active Directory: • Active Directory sees FreeIPA as a ”native Active Directory” deployment • Since Samba 4.5 it is possible to establish a trust between Samba AD and FreeIPA • Active Directory users can access resources on FreeIPA clients • FreeIPA users cannot natively access resources in Active Directory 5

  6. WHAT IS THIS ABOUT? FreeIPA users cannot access resources in Active Directory: • Access control in Active Directory uses SIDs of users/groups in ACLs • ”Security” tab in UI deals with user and group names • Windows performs user or group SID lookup • FreeIPA does not provide interfaces expected by Active Directory to perform name to SID lookups 6

  7. ANATOMY OF A NAME RESOLUTION

  8. FOUR STYLES OF CONVERSATION Active Directory has four ways of discovering SIDs of users/groups: • Domain controller LDAP ping allows user name validation ([MS-ADTS] 6.3.3.2 Domain Controller Response to an LDAP Ping) but doesn’t allow to discover SIDs • DsCrackNames is part of DRSU API, Directory Replication Service of Active Directory. It is not implemented in smbd , only in Samba AD • LsaLookupNames and SamLogon families of RPC calls • LDAP queries to Global Catalog 8

  9. DOMAIN CONTROLLER LOCATOR REQUEST LDAP ping is used by all Windows clients to discover closest domain controller. As part of it clients may request a user name validation to avoid hitting domain controllers that don’t have that user replicated 9

  10. DOMAIN CONTROLLER LOCATOR REQUEST Windows UI seems to trigger CLDAP ping requests with random user names instead of the one you entered: 10

  11. DOMAIN CONTROLLER LOCATOR REQUEST Windows UI seems to trigger CLDAP ping requests with random user names instead of the one you entered: 11

  12. DOMAIN CONTROLLER LOCATOR REQUEST Windows UI seems to trigger CLDAP ping requests with random user names instead of the one you entered: 12

  13. WHO IS ALICE?

  14. DOMAIN CONTROLLER LOCATOR REQUEST Alice is a fjne random name, along with Marvin, Heather, Student, User2, Test, and many others seen on the wire The state of user inquiries in Windows is ... interesting 14

  15. GLOBAL CATALOG SERVICE If Global Catalog service is available, Windows will attempt to connect to it: 15

  16. GLOBAL CATALOG SERVICE SEARCH RESULTS If search in a Global Catalog returns no results, Windows falls back to netr_LogonSamLogonWithFlags RPC call: 16

  17. NETLOGON RESULTS But the name passed to netr_LogonSamLogonWithFlags is totally different from what is entered in Windows UI 17

  18. NAME RESOLUTION ORDER

  19. NAME RESOLUTION ORDER • CLDAP ping is an important operation but actual name resolution is done by querying Global Catalog • If Global Catalog available, Windows will try to use that • If search in Global Catalog does return no results, Windows will fall back to RPC calls • FreeIPA does not provide a Global Catalog service • As result, Windows does not even try to fall back to RPC calls 19

  20. FREEIPA CHALLENGES

  21. https://github.com/cyrusimap/cyrus-sasl/commit/ 67ca66685e11acc0f69d5ff8013107d4b172e67f SASL GSS-SPNEGO Samba implements own SASL code, FreeIPA components rely on Cyrus-SASL • Cyrus-SASL GSS-SPNEGO implementation is compatible with itself, not Windows • GSS-SPNEGO negotiates SSF based on GSSAPI fmags, not separately • This was fjxed by Simo Sorce in February 2017: • No Cyrus-SASL release with the fjx yet but Fedora 26 has it backported 21

  22. ldap/host.example.com/example.com@EXAMPLE.COM ipa service-add-principal ldap/host.example.com@EXAMPLE.COM KERBEROS TARGET PRINCIPALS Windows TGS-REQ requests use three-component principal names: • ldap/host.example.com/example.com@EXAMPLE.COM • Real service name is ldap/host.example.com@EXAMPLE.COM • FreeIPA 4.4+ added support for Kerberos principal aliases: 22

  23. LDAP SASL BIND MAPPING Windows always uses SASL GSS-SPNEGO for LDAP bind authentication • Successful authentication means LDAP server needs to map authenticated identity to existing LDAP object • There are no users or machines accounts from a trusted Active Directory in FreeIPA LDAP store • Luckily, Global Catalog access for out-of-domain accounts is read-only • We can map all authenticated but unknown identities to a single LDAP object with read-only rights 23

  24. LDAP SCHEMA • FreeIPA has its own LDAP schema and LDAP tree strucutre • Active Directory LDAP schema is not compatible with FreeIPA LDAP schema • Attributes and objects can be re-mapped but direct access is useless 24

  25. 389-DS LIMITATIONS • 389-ds LDAP server only allows to listen on a single port per protocol • TCP/389 for LDAP, TCP/636 for LDAPS • Global Catalog is always TCP/3268 for LDAP access 25

  26. FREEIPA GLOBAL CATALOG SERVICE

  27. GLOBAL CATALOG SERVICE • Runs as a separate 389-ds instance to serve port TCP/3268 • Transforms user and group data from primary FreeIPA LDAP instance to AD schema • Access is read-only with SASL GSS-SPNEGO authentication 27

  28. DATA TRANSFORMATION • LDAP SYNCREPL is used to pick up changes from the primary FreeIPA LDAP instance running on the same IPA master • Schema Compatibility plugin code is used to transform the changes to AD-compatible schema and DIT • https://pagure.io/slapi-nis/ 28

  29. https://www.freeipa.org/page/V4/Global_Catalog_Support CURRENT STATE • Design documents are available at • SYNCREPL plugin almost ready • Schema Compatibility plugin refactoring has started • We plan to have working prototype ready for Redmond IOLab in June 2017 29

  30. https://samba.org/ https://freeipa.org/ Questions & Answers THANK YOU

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

FREEIPA INSTALLATION USING ANSIBLE-FREEIPA FOSDEM - 2018-02-03 Thomas Wrner Senior Software

FREEIPA INSTALLATION USING ANSIBLE-FREEIPA FOSDEM - 2018-02-03 Thomas Wrner Senior Software

FREEIPA INSTALLATION USING ANSIBLE-FREEIPA FOSDEM - 2018-02-03 Thomas Wrner Senior Software Engineer, Red Hat Inc. https://github.com/freeipa/ansible-freeipa/ AGENDA Project goals IPA installers vs. ansible-freeipa IPA client installation

406 views • 16 slides
FreeIPA www.freeipa.org Identity Management in the FOSS World Simo Sorce Principal Software

FreeIPA www.freeipa.org Identity Management in the FOSS World Simo Sorce Principal Software

FreeIPA www.freeipa.org Identity Management in the FOSS World Simo Sorce Principal Software Engineer Red Hat, Inc. What is FreeIPA ? Acronym: Free Identity, Policy, Audit Purpose: Make it simpler to manage a complex problem

729 views • 28 slides
The IMS catalog: a real life implementation November 2018 Brahm Lambrechts 1 IMS Catalog: a

The IMS catalog: a real life implementation November 2018 Brahm Lambrechts 1 IMS Catalog: a

The IMS catalog: a real life implementation November 2018 Brahm Lambrechts 1 IMS Catalog: a real life implementation Agenda Introduction 1. Present situation at our client 2. Future situation at our client 3. Basic steps to enable the

215 views • 19 slides
Identity and Directories with FreeIPA Simo Sorce Sr. Principal Sw. Eng., Red Hat 2015/01/21 1

Identity and Directories with FreeIPA Simo Sorce Sr. Principal Sw. Eng., Red Hat 2015/01/21 1

Identity and Directories with FreeIPA Simo Sorce Sr. Principal Sw. Eng., Red Hat 2015/01/21 1 Simo Sorce What is FreeIPA ? FreeIPA is a Directory and Authentication Server aka a Domain Controller Primarily targets at Linux servers.

487 views • 31 slides
Handling POSIX attributes for trusted Active Directory users and groups in FreeIPA Alexander

Handling POSIX attributes for trusted Active Directory users and groups in FreeIPA Alexander

Handling POSIX attributes for trusted Active Directory users and groups in FreeIPA Alexander Bokovoy <ab@samba.org> May 21th, 2015 Samba Team / Red Hat 0 A crisis of identity (solved?) FreeIPA What is FreeIPA? Cross Forest Trusts

298 views • 29 slides
Enhancements to FreeIPA Replication Topology Management Jan Pazdziora Sr. Principal Software

Enhancements to FreeIPA Replication Topology Management Jan Pazdziora Sr. Principal Software

Enhancements to FreeIPA Replication Topology Management Jan Pazdziora Sr. Principal Software Engineer Identity Management Special Projects, Red Hat 6 th October 2015 FreeIPA Integration of multiple identity-management tools. directory

352 views • 17 slides
TDX at UCA Client Portal Incident Form Service Catalog Knowledge Base Other Features Email

TDX at UCA Client Portal Incident Form Service Catalog Knowledge Base Other Features Email

TDX at UCA Client Portal Incident Form Service Catalog Knowledge Base Other Features Email notifications with ticket updates Clear chain-of-custody with tickets Historical records of IT fixes and service requests Future:

169 views • 6 slides
Enterprise desktop at home with FreeIPA and GNOME Alexander Bokovoy ( abokovoy@redhat.com )

Enterprise desktop at home with FreeIPA and GNOME Alexander Bokovoy ( abokovoy@redhat.com )

January 30th, 2016 FOSDEM16 Enterprise desktop at home with FreeIPA and GNOME Alexander Bokovoy ( abokovoy@redhat.com ) Enterprise desktop at home with FreeIPA and GNOME 2 Enterprise? Enterprise desktop at home with FreeIPA and GNOME 3 *

978 views • 71 slides
Visiting The Catalog A Stroll Through The PostgreSQL Catalog Charles Clavadetscher Swiss

Visiting The Catalog A Stroll Through The PostgreSQL Catalog Charles Clavadetscher Swiss

Introduction Exploring The Catalog The Information Schema Some usages Wrap Up Visiting The Catalog A Stroll Through The PostgreSQL Catalog Charles Clavadetscher Swiss PostgreSQL Users Group Nordic PGDay 2019, 19.03.2019, Copenhagen, Denmark

627 views • 51 slides
FOSDEM 2019 Distributions devroom FreeIPA and cross-distribution packaging experience Alexander

FOSDEM 2019 Distributions devroom FreeIPA and cross-distribution packaging experience Alexander

FOSDEM 2019 Distributions devroom FreeIPA and cross-distribution packaging experience Alexander Bokovoy FreeIPA and cross-distribution packaging experience about:me Red Hat Sr. Principal software engineer at Red Hat Identity

792 views • 31 slides
Enterprise desktop: improving client side in the age of Samba AD and FreeIPA Alexander Bokovoy

Enterprise desktop: improving client side in the age of Samba AD and FreeIPA Alexander Bokovoy

Principal Software Engineer, Red Hat // Samba Team SambaXP16 Enterprise desktop: improving client side in the age of Samba AD and FreeIPA Alexander Bokovoy Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 2

1.33k views • 106 slides
CATALOG 1 6 About Roidmi Pruducts & Solutions 2 7 Our Mission Achievements 3 8 Our

CATALOG 1 6 About Roidmi Pruducts & Solutions 2 7 Our Mission Achievements 3 8 Our

CATALOG 1 6 About Roidmi Pruducts & Solutions 2 7 Our Mission Achievements 3 8 Our Team Media 4 Our Strength 5 Global Strategy & Partner About Roidmi To be MI Chain Make driving more Enterprise comfortable,more fun.

544 views • 22 slides
POLITICAL Everything youll need to do to graduate is listed in your catalog SCIENCE

POLITICAL Everything youll need to do to graduate is listed in your catalog SCIENCE

SDSU 2020 THE CATALOG POLITICAL Everything youll need to do to graduate is listed in your catalog SCIENCE https://curriculum.sdsu.edu/curriculum-services/general- catalog Use this, and your degree evaluation, throughout

308 views • 6 slides
The SXS Catalog of Simulations The SXS Catalog of Simulations Mike Boyle Mike Boyle Outline

The SXS Catalog of Simulations The SXS Catalog of Simulations Mike Boyle Mike Boyle Outline

The SXS Catalog of Simulations The SXS Catalog of Simulations Mike Boyle Mike Boyle Outline Outline Simulations SpEC The numbers Post-processing The data What's included How to get it Formats Problems Solutions Software Backwards

382 views • 27 slides
CATALOG & POP CREATIVE ROUND 1: 08/02/2017 CATALOG 160 STEPS. 1 KNIFE. Every Case knife

CATALOG & POP CREATIVE ROUND 1: 08/02/2017 CATALOG 160 STEPS. 1 KNIFE. Every Case knife

CATALOG & POP CREATIVE ROUND 1: 08/02/2017 CATALOG 160 STEPS. 1 KNIFE. Every Case knife requires 160 steps to complete. These arent simply boxes to be checked. They are time-tested techniques. Each is essential to making a Case knife

639 views • 26 slides
2020 Service Implementation Plan Resolution No. R2019-27 11/7/2019 Why we are here 2020

2020 Service Implementation Plan Resolution No. R2019-27 11/7/2019 Why we are here 2020

2020 Service Implementation Plan Resolution No. R2019-27 11/7/2019 Why we are here 2020 Service Implementation Plan Review public input received on proposed major service changes introduced at September REO Present refinements to

376 views • 14 slides
LCD Displays 6. Reflective surface to send light back to with a light source.) viewer. (In a

LCD Displays 6. Reflective surface to send light back to with a light source.) viewer. (In a

11/8/10 LCD displays The linked image cannot be displayed. The file may have been moved, renamed, or deleted. Verify that the link points to the correct file and location. LCD Displays 6. Reflective surface to send light back to with a light

456 views • 12 slides
Counterfactual Donkeys Dont Get High Mike Deigan Yale University SuB22, Potsdam New Data

Counterfactual Donkeys Dont Get High Mike Deigan Yale University SuB22, Potsdam New Data

Counterfactual Donkeys Dont Get High Mike Deigan Yale University SuB22, Potsdam New Data 1 / 40 New Data Suppose Allie and Bert think Mary the potter probably didnt make anything yesterday. 1 / 40 New Data Suppose Allie and Bert

1.95k views • 178 slides
Aerospace & Defense Forum Ducommun "Creating Competitive Advantage through your Supply

Aerospace & Defense Forum Ducommun "Creating Competitive Advantage through your Supply

Aerospace & Defense Forum Ducommun "Creating Competitive Advantage through your Supply Chain Sept. 10, 2015 Ducommun The Aerospace & Defense Forum Sept 10, 2015 Agenda Introduction Joel Benkie Company Overview

364 views • 33 slides
QUAD production Fred Hartjes NIKHEF Nikhef/Bonn LepCol meeting November 19, 2018 Simplified

QUAD production Fred Hartjes NIKHEF Nikhef/Bonn LepCol meeting November 19, 2018 Simplified

QUAD production Fred Hartjes NIKHEF Nikhef/Bonn LepCol meeting November 19, 2018 Simplified overview production QUAD started Mech. Wire DAQ/HV Ready Remarks assy bonded test 10 X X X - DEMO, not electrically working 11 X X X

282 views • 5 slides
Designing a Global Name Service written by Butler W. Lampson, presented by Thomas Knauth

Designing a Global Name Service written by Butler W. Lampson, presented by Thomas Knauth

Faculty of Computer Science Institute for System Architecture, Operating Systems Group Designing a Global Name Service written by Butler W. Lampson, presented by Thomas Knauth pizza-reading-group, summer term 2007 Introduction What is a

345 views • 11 slides
CS519: Computer Networks Lecture 6: Apr 5, 2004 Naming and DNS CS519 Any problem in

CS519: Computer Networks Lecture 6: Apr 5, 2004 Naming and DNS CS519 Any problem in

CS519: Computer Networks Lecture 6: Apr 5, 2004 Naming and DNS CS519 Any problem in computer science can be solved with another layer of indirection David Wheeler Naming is a layer of indirection CS519 What problems does it

722 views • 46 slides
Global Heat Health Information Network Global Heat Health Information Network Joy

Global Heat Health Information Network Global Heat Health Information Network Joy

Global Heat Health Information Network Global Heat Health Information Network Joy Shumake-Guillemot , WHO/WMO Joint Climate and Health Office, Geneva, Switzerland Juli Trtanj, Hunter Jones , NOAA Washington DC July 2020 GHHIN - A

258 views • 15 slides
CS 683 - Security and Privacy Spring 2018 Instructor: Karim Eldefrawy University of San

CS 683 - Security and Privacy Spring 2018 Instructor: Karim Eldefrawy University of San

CS 683 - Security and Privacy Spring 2018 Instructor: Karim Eldefrawy University of San Francisco http://www.cs.usfca.edu/~keldefrawy/teaching /spring2018/cs683/cs683_main.htm (https://goo.gl/t396Fw) 1 Lecture 11 Public Key Distribution

650 views • 31 slides

More recommend