handling posix attributes for trusted active directory
play

Handling POSIX attributes for trusted Active Directory users and - PowerPoint PPT Presentation

Dec 31, 2022 •8 likes •298 views

Handling POSIX attributes for trusted Active Directory users and groups in FreeIPA Alexander Bokovoy <ab@samba.org> May 21th, 2015 Samba Team / Red Hat 0 A crisis of identity (solved?) FreeIPA What is FreeIPA? Cross Forest Trusts

  1. Handling POSIX attributes for trusted Active Directory users and groups in FreeIPA Alexander Bokovoy <ab@samba.org> May 21th, 2015 Samba Team / Red Hat 0

  2. A crisis of identity (solved?) FreeIPA What is FreeIPA? Cross Forest Trusts Original FreeIPA assumptions Identity Views Demo 1

  3. FreeIPA

  4. POSIX attributes for Active Directory users and groups in FreeIPA FreeIPA What is FreeIPA? Cross Forest Trusts Original FreeIPA assumptions Identity Views Demo 3

  5. FreeIPA: http://www.freeipa.org ฀ I: Identity ฀ LDAP-based store for common objects (users, groups, hosts, services, ...) ฀ 389-ds as an LDAP server with FreeIPA server-side plugins ฀ MIT Kerberos KDC with FreeIPA driver ฀ Integrated certificate management with Dogtag Certificate Authority ฀ Python-based command line and Web management tools ฀ P: Policy ฀ Delegation and separation of access ฀ Flexible delegation of editing controls ฀ Host-based access controls to services: ฀ Everything is denied by default, define rules to allow ฀ < user or group[, source host] > → < host, service > ฀ Rules enforced at client side with SSSD project ฀ A: Audit Coming ... 4

  6. FreeIPA: http://www.freeipa.org 5

  7. POSIX attributes for Active Directory users and groups in FreeIPA FreeIPA What is FreeIPA? Cross Forest Trusts Original FreeIPA assumptions Identity Views Demo 6

  8. FreeIPA supports Active Directory native cross-forest trusts ฀ FreeIPA acts as ‘Active Directory forest root domain’ that can only establish trust but can’t join Windows machines ฀ technically: KDC + CLDAP + LSA RPCs ฀ FreeIPA provides KDC and LDAP, Samba provides LSA RPC ฀ no Global Catalog yet ฀ Works well for Active Directory users accessing FreeIPA resources 7

  9. FreeIPA v3 architecture Full overview is available at http://freeipa.org/page/IPAv3_Architecture 8

  10. Identity management with cross-forest trust ฀ Identities of Active Directory users and groups resolved with the help of SSSD ฀ SSSD on IPA master talks to AD DCs and Global Catalog ฀ Kerberos credentials of host / ipa . master @ IPA . REALM are used to authenticate against AD DCs ฀ Two-way trust is needed to allow issuing cross-realm TGTs ฀ Other IPA clients’ SSSDs talk to IPA master to resolve AD users and groups 9

  11. POSIX attributes for Active Directory users and groups in FreeIPA FreeIPA What is FreeIPA? Cross Forest Trusts Original FreeIPA assumptions Identity Views Demo 10

  12. Original FreeIPA assumptions ฀ Linux users are in FreeIPA, single LDAP entry defines POSIX attributes ฀ SUDO rules are in FreeIPA as LDAP objects ฀ HBAC rules are in FreeIPA as LDAP objects ฀ Public SSH keys for users and hosts are in FreeIPA as well ฀ Two-factor authentication tokens are in FreeIPA as LDAP objects ฀ ... or referenced to external RADIUS servers defined as LDAP objects in FreeIPA 11

  13. Consequences ฀ Linux machines have uniform view of the information above ฀ No per-machine shell or home directory for a user ฀ No per-machine public SSH keys for users ฀ No Active Directory users or groups in LDAP 12

  14. FreeIPA is a progress ... ... in ID management on Linux but there are anomalies too: ฀ Migration from other solutions often imposes requirements: ฀ File servers might need to keep old user and group IDs for some time locally ฀ Users might want to use different shells or home directories per machine ฀ Public SSH keys access into a common account (think Gitlab or Github-like deployments) might differ per server ฀ Old application might rely on specific values of GECOS field for users 13

  15. FreeIPA is a progress ... ... in ID management on Linux but there are anomalies too: ฀ When Active Directory forest is trusted by FreeIPA: ฀ AD users and groups have templated POSIX attributes, no way to individualize them ฀ AD users cannot have associated public SSH keys ฀ When existing environment with AD synchronization is being migrated to AD Trusts ฀ AD users synchronized to IPA use UID/GID from IPA range ฀ AD users used via AD Trusts will use UID/GID generated from their SID or specific POSIX UID/GID 14

  16. We don’t like to see another Progress spin, don’t we? 15

  17. POSIX attributes for Active Directory users and groups in FreeIPA FreeIPA What is FreeIPA? Cross Forest Trusts Original FreeIPA assumptions Identity Views Demo 16

  18. Identity Views ฀ FreeIPA 4.1 introduced a way to redefine POSIX attributes for a group of machines ฀ ID View ฀ A container of ’corrected’ POSIX attributes for users or groups ฀ Can be applied to a host or a group of hosts, or to all hosts ฀ Each entry in the view is an override of the original attributes ฀ Defaults ฀ For FreeIPA users and groups the default values are in their primary entry ฀ For Active Directory users and groups there is a ’Default Trust View’ ฀ Overrides from the default trust view apply to all FreeIPA clients 17

  19. ID View overrides ฀ Each override applies to a single user or group User Group ฀ Description ฀ Description ฀ User login ฀ Group name ฀ User ID (uid) ฀ Group ID (gid) ฀ User GECOS field ฀ User group ID (gid) ฀ User home directory ฀ User shell ฀ User public SSH key 18

  20. How ID override looks like in LDAP? 19

  21. Application of ID views ฀ ID Views are applied on the IPA master and IPA client sides by SSSD ฀ Host-specific views applied on the IPA client directly ฀ Default trusted view applied by the IPA master ฀ It is not possible to use host-specific view on IPA master ฀ Key logic is performed by SSSD 1.12.2 or later ฀ Available in Fedora 21+, RHEL 6.7 beta, RHEL 7.1, CentOS 7.1 ฀ Legacy clients supported through the compat tree 20

  22. Application of ID views: IPA master ฀ Default Trust View overrides are always applied to Active Directory users and groups ฀ IPA clients always use IPA masters to resolve AD users and groups ฀ POSIX attributes from Default Trust View will be returned to all SSSD clients (Fedora, RHEL 6.x, RHEL 7.0, RHEL 7.1) ฀ Public SSH keys from Default Trust View will be returned to new SSSD clients (Fedora 21+, RHEL 7.1, RHEL 6.7) 21

  23. Application of ID views: IPA client ฀ IPA client’s SSSD applies host-specific ID view ฀ All attributes from the assigned ID View are applied ฀ ID overrides are applied per attribute per user ฀ Host-specific view is always applied last ฀ If no ID override exist for the attribute of the user in all views, original value is used 22

  24. Application of ID views: Legacy clients ฀ Legacy clients are those without SSSD supporting AD trusts ฀ RHEL 5.x, RHEL 6.x, AIX, Solaris, FreeBSD, other Linux machines without SSSD 1.12+ ฀ Legacy clients use compat tree for all requests ฀ Base DN: cn=compat,$SUFFIX ฀ RFC2307 schema, no public SSH keys ฀ Default Trust View is applied by IPA server automatically, no need to change anything on the legacy client ฀ To use host-specific view on top of that, change base DN on the client to cn=viewname,cn=views,cn=compat,$SUFFIX 23

  25. Caveats ฀ OTP tokens cannot be attached to Active Directory users in FreeIPA 4.1 yet ฀ RADIUS server authentication cannot be used for Active Directory users in FreeIPA 4.1 yet ฀ With SSSD before 1.12.2 ID overrides only be actual for groups at the user’s login time, not before ฀ Removing host-specific ID view from the host requires clean up of the SSSD cache and restart of SSSD on that host 24

  26. Resources ฀ Upstream design page ฀ http://www.freeipa.org/page/V4/Migrating_ existing_environments_to_Trust ฀ Red Hat Enterprise Linux Windows Integration Guide ฀ https://access.redhat.com/documentation/en-US/ Red_Hat_Enterprise_Linux/7/html/Windows_ Integration_Guide/ 25

  27. Demo

  28. Demo videos will be published on Youtube after Red Hat Summit in June 2015 27

  29. Questions & Answers ฀ Slides http://www.samba.org/~ab/sambaxp/2015/ 28

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Integration with Active Directory Jeremy Allison Samba Team Benefits of using Active Directory

Integration with Active Directory Jeremy Allison Samba Team Benefits of using Active Directory

Integration with Active Directory Jeremy Allison Samba Team Benefits of using Active Directory Unlike the earlier Microsoft Windows NT 4.x Domain directory service which used proprietary DCE/RPC calls, Active Directory is based on standard

557 views • 27 slides
Directory Services A service that stores collections of bindings between names and attributes, and

Directory Services A service that stores collections of bindings between names and attributes, and

Directory Services A service that stores collections of bindings between names and attributes, and looks up entries that match attribute-based specifications (e.g., Microsoft's Active Directory Service, X.500 and LDAP) Case Study - X.500

515 views • 12 slides
Active Directory By: Kishor Datar 10/25/2007 What is a directory service? Directory

Active Directory By: Kishor Datar 10/25/2007 What is a directory service? Directory

Active Directory By: Kishor Datar 10/25/2007 What is a directory service? Directory Collection of related objects Files, Printers, Fax servers etc. Directory Service Information needed to use and manage the objects. Source

438 views • 27 slides
Trusted Domain Support as Active Directory Domain Controller Stefan Metzmacher

Trusted Domain Support as Active Directory Domain Controller Stefan Metzmacher

Trusted Domain Support as Active Directory Domain Controller Stefan Metzmacher &lt;metze@samba.org&gt; Samba Team / SerNet 2018-06-07 https://samba.org/~metze/presentations/2018/SambaXP/ Talks at SambaXP/SDC 2017 Last year I gave talks

388 views • 27 slides
Restore von Active Directory mit einer von HP entwickelten Lsung (Recovering from Active

Restore von Active Directory mit einer von HP entwickelten Lsung (Recovering from Active

Restore von Active Directory mit einer von HP entwickelten Lsung (Recovering from Active Directory Disasters) Guido Grillenmeier Senior Consultant Technology Solutions Group Hewlett-Packard Agenda What is a Disaster? Authoritative

363 views • 19 slides
Active Directory as a powerful LDAP server: the unknown tips Alban Meunier SmartWave SA 45 min

Active Directory as a powerful LDAP server: the unknown tips Alban Meunier SmartWave SA 45 min

Active Directory as a powerful LDAP server: the unknown tips Alban Meunier SmartWave SA 45 min Introduction Active Directory context NT inheritance SAM (Security Account Manager, Samba V3) Active Directory (2000 2003)

429 views • 27 slides
Azure Active Directory Provider The Azure Provider can be used to congure infrastructure in

Azure Active Directory Provider The Azure Provider can be used to congure infrastructure in

Azure Active Directory Provider The Azure Provider can be used to congure infrastructure in Azure Active Directory (https://azure.microsoft.com/en- us/services/active-directory/) using the Azure Resource Manager API's. Documentation regarding

925 views • 46 slides
Directories and directory implementation Introduction to directory implementation and the art of

Directories and directory implementation Introduction to directory implementation and the art of

Directories and directory implementation Introduction to directory implementation and the art of attributes Miroslav Milinovic, University Computing Centre, University of Zagreb Jasmina Hodzic, Center for Information Technology Services,

1.65k views • 20 slides
Statewide Provider Directory Project Overview Mar 2017 1 Provider Directory Highlights

Statewide Provider Directory Project Overview Mar 2017 1 Provider Directory Highlights

Statewide Provider Directory Project Overview Mar 2017 1 Provider Directory Highlights Directory of accurate, trusted provider data available to vetted healthcare entities (Not consumer-facing) Authoritative data sources that feed the

529 views • 11 slides
POSIX IPC: Overview primitive POSIX function description message queues create or access

POSIX IPC: Overview primitive POSIX function description message queues create or access

CPSC-313: Introduction to Computer Systems POSIX IPC POSIX Inter-Process Communication (IPC) Message Queues Shared Memory Semaphores Reading: R&amp;R, Ch 15 POSIX IPC: Overview primitive POSIX function description message

392 views • 6 slides
Windows.NET Windows.NET Beta 3 Beta 3 Active Directory New Features Directory New Features

Windows.NET Windows.NET Beta 3 Beta 3 Active Directory New Features Directory New Features

25. DECUS Symposium 16.04.2002 Windows.NET Beta 3 Windows.NET Windows.NET Beta 3 Beta 3 Active Directory New Features Directory New Features Active Active Directory New Features Wolfgang Werner Wolfgang Werner Compaq Compaq Decus Bonn

588 views • 31 slides
Active Directory Security: The Journey Sean Metcalf (@Pyrotek3) s e a n [@] TrimarcSecurity.com

Active Directory Security: The Journey Sean Metcalf (@Pyrotek3) s e a n [@] TrimarcSecurity.com

Active Directory Security: The Journey Sean Metcalf (@Pyrotek3) s e a n [@] TrimarcSecurity.com www.ADSecurity.org TrimarcSecurity.com ABOUT Founder Trimarc, a security company. Microsoft Certified Master (MCM) Directory Services

1.35k views • 100 slides
Xamarin and Azure AD Authenticating and Authorizing Your Mobile Apps Basic Active Directory

Xamarin and Azure AD Authenticating and Authorizing Your Mobile Apps Basic Active Directory

Xamarin and Azure AD Authenticating and Authorizing Your Mobile Apps Basic Active Directory Terms Domain: A directory of users, groups, roles, etc... User: An individual accounts Group: A collection of other users and groups Role: Something that

492 views • 22 slides
XACML-Grid and XACML-NRP Attributes and Policy Profiles and Policy Obligations Handling

XACML-Grid and XACML-NRP Attributes and Policy Profiles and Policy Obligations Handling

XACML-Grid and XACML-NRP Attributes and Policy Profiles and Policy Obligations Handling Overview by Yuri Demchenko On behalf of OSG/EGEE AuthZ Interoperability WG and Phosphorus project SNE Group, University of Amsterdam TF-EMC2 Meeting 3

633 views • 50 slides
www.pdl.cmu.edu/posix/ December 14, 2005 APIs for HPC IO POSIX IO APIs (open, close, read,

www.pdl.cmu.edu/posix/ December 14, 2005 APIs for HPC IO POSIX IO APIs (open, close, read,

POSIX I/O High Performance Computing Extensions Brent Welch (Speaker) Panasas www.pdl.cmu.edu/posix/ December 14, 2005 APIs for HPC IO POSIX IO APIs (open, close, read, write, stat) have semantics that can make it hard to achieve high

674 views • 24 slides
Creating Organizational Units, Accounts, and Groups Tom Brett Active Directory Users and Computers

Creating Organizational Units, Accounts, and Groups Tom Brett Active Directory Users and Computers

21/05/2013 Creating Organizational Units, Accounts, and Groups Tom Brett Active Directory Users and Computers (ADUC) Active Directory Users and Computers (ADUC) After installing AD DS, the next task is to create your Organizational Units,

535 views • 41 slides
L ECTURE 12 Deleveraging and Balance Sheet Effects November 16, 2011 I . I NTRODUCTION What Do

L ECTURE 12 Deleveraging and Balance Sheet Effects November 16, 2011 I . I NTRODUCTION What Do

Economics 210c/236a Christina Romer Fall 2011 David

854 views • 53 slides
Seamless In-App Ad Blocking on Stock Android Michael Backes, Sven Bugiel, Philipp von

Seamless In-App Ad Blocking on Stock Android Michael Backes, Sven Bugiel, Philipp von

Seamless In-App Ad Blocking on Stock Android Michael Backes, Sven Bugiel, Philipp von Styp-Rekowsky, and Marvin Wifeld CISPA, Saarland University Mobile Security T echnologies (MoST) Workshop San Jose, California, M ay 25, 2017 Motivation

434 views • 28 slides
What Mobile Ads Know About Mobile Users Sooel Son joint work with Daehyeok Kim and Vitaly

What Mobile Ads Know About Mobile Users Sooel Son joint work with Daehyeok Kim and Vitaly

What Mobile Ads Know About Mobile Users Sooel Son joint work with Daehyeok Kim and Vitaly Shma&lt;kov 1 Overview Background Mobile adver&lt;sing library ACack model: malicious adver&lt;ser Informa&lt;on available to the aCacker

940 views • 31 slides
CS 744: DATAFLOW Shivaram Venkataraman Fall 2020 ADMINISTRIVIA - Assignment 2

CS 744: DATAFLOW Shivaram Venkataraman Fall 2020 ADMINISTRIVIA - Assignment 2

! welcome CS 744: DATAFLOW Shivaram Venkataraman Fall 2020 ADMINISTRIVIA - Assignment 2 grades are up! Canvas - Midterm grading in progress - Course project proposal comments week tis Thursday feedback Peer feedback

342 views • 22 slides
Annoyed Users: Ads and Ad-Block Usage in the Wild Enric Pujol Oliver Hohlfeld Anja Feldmann TU

Annoyed Users: Ads and Ad-Block Usage in the Wild Enric Pujol Oliver Hohlfeld Anja Feldmann TU

Annoyed Users: Ads and Ad-Block Usage in the Wild Enric Pujol Oliver Hohlfeld Anja Feldmann TU Berlin RWTH Aachen TU Berlin IMC15 Tokyo, Japan 2 http://www.journalism.org/2015/04/29/digital-news-revenue-fact-sheet Page Fair and Adobe

832 views • 32 slides
1 2 + Why are we at this workshop? + What are we hoping to get from it? + What are we hoping to

1 2 + Why are we at this workshop? + What are we hoping to get from it? + What are we hoping to

1 2 + Why are we at this workshop? + What are we hoping to get from it? + What are we hoping to contribute to it? 3 Most important reason (with homage/apologies to Vanilla Ice) + Vendor - SemWeb expertise in applications in enterprise

342 views • 18 slides
CARES Act Grants: Submission and Review May 14, 2020 Chat Feature Select the Chat icon to make

CARES Act Grants: Submission and Review May 14, 2020 Chat Feature Select the Chat icon to make

CARES Act Grants: Submission and Review May 14, 2020 Chat Feature Select the Chat icon to make a comment or ask a question . Be certain the To field is set to All Participants An orange dot on the Chat icon indicates that you have unread

825 views • 33 slides
Secure Computation without Coordination Amos Beimel (BGU) Yuval Ishai (Technion, UCLA) Eyal

Secure Computation without Coordination Amos Beimel (BGU) Yuval Ishai (Technion, UCLA) Eyal

Ad Hoc PSM Protocols: Secure Computation without Coordination Amos Beimel (BGU) Yuval Ishai (Technion, UCLA) Eyal Kushilevitz (Technion) Eurocrypt 2017 Ad Hoc MPC [BGIK16] The (basic) problem: Universe of n (honest but curious) parties.

419 views • 14 slides

More recommend