path: root/doc/ipa/sch-ipa.txt
blob: b5a585b2670ac1a53191bd98bce3881e2dc4937f (plain)
= The Schema Compatibility Plugin in IPA =

RFC 2307 defines object classes and attributes suitable for representing
various POSIX-related information in a directory.  The "posixGroup"
object class, for example, models a group of accounts, including the
POSIX group's ID (as the value of the "gidNumber" attribute) and the
names of each of the members of the group (as values of the "memberUid"
attribute).

This representation is supported by the native LDAP client software
supplied with a number of Unix and Unix-like operating systems.

The draft revision of RFC 2307, known as "rfc2307bis", modifies the
contents of a group so that it no longer contains the names of its
members in the "memberUid" attribute, but rather uses the "member"
attribute to list the distinguished names of the entries which represent
the individual members.  A client is typically expected to search the
named entries to determine the names of the group's member users.

It is this representation of groups which FreeIPA and RHEIPA use.

This representation is not as well-supported by the native LDAP client
software supplied with Unix and Unix-like operating systems.

When configured to consult a server which stores information this way, a
client which does not support reading group membership from the "member"
attribute will still be able to look up a group and read its name and ID,
but will be unable to "see" the members of the group.

For these clients, an IPA server can be configured to use the Schema
Compatibility Plugin to resolve the group membership at the server.  The
plugin will examine the group entries stored in the server and, as
configured, read the distinguished names of the members of those groups.
It will examine the named entries and read from them the names of the
members of the group.  It will then use that data to create an in-memory
entry, elsewhere in the directory tree, which contains the group
membership information in a form which the client is able to process.

As configured, an IPA server provides this information, for groups whose
entries are beneath "cn=groups, cn=accounts, $SUFFIX", in an area
beneath "cn=groups, cn=compat, $SUFFIX".

= The Schema Compatibility Plugin support for trusted domains in IPA =

When used with FreeIPA 3.3 and SSSD 1.11 or later, the Schema Compatibility
Plugin can also expose users and groups from trusted domains.  These users
and groups are available in the compatibility trees, where clients can
query their attributes and authenticate against them.

Additionally, authentication against IPA users is also supported, provided
that the Schema Compatibility Plugin is given an ordering preference in
the Directory Server configuration.  By default, all Directory Server plugins
are assigned a plugin precedence of 50 (on a 1..99 scale, where 99 is the
lowest priority).  The plugin precedence is controlled with the
nsslapd-pluginPrecedence attribute in the plugin entry.  More details on
nsslapd-pluginPrecedence are available in the Red Hat Directory Server
Administration Guide, chapter "1.8 Using Directory Server Plug-ins".

== Configuration of the Schema Compatibility Plugin for trusted domains ==

The user and group areas are configured separately.  For each area, the
following parameters can be added to the tree configuration:

schema-compat-lookup-nsswitch: <user|group>

specifies whether the area is responsible for user or for group lookups.

schema-compat-nsswitch-min-id: <value>

specifies the minimum numeric id of a user or group served from the area;
entries whose id is below this value are not exposed.  Defaults to 1000.

When FreeIPA 3.3 is in use, the ipa-adtrust-install utility automatically
configures the Schema Compatibility Plugin to serve users and groups from
trusted domains.  No additional configuration is needed.  ipa-adtrust-install,
however, does not set the minimum numeric id for users or groups.
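The two mechanisms described above, flattening "member" DNs into RFC 2307
"memberUid" values under cn=groups,cn=compat and dropping entries below
schema-compat-nsswitch-min-id, are shown together in the following example.
It is an added illustration, not slapi-nis code: the directory contents, the
suffix dc=example,dc=test and the helper names are constructed for the
example, the min-id check is applied to gidNumber only, and recursing into
nested groups (with cycle protection) and skipping dangling member DNs are
assumptions about how a flattening step should behave rather than a
description of the plugin's configured deref rules.

```python
"""Flatten rfc2307bis group membership into RFC 2307 memberUid values.

Constructed example (not slapi-nis code).  Models the in-memory compat
entries the Schema Compatibility Plugin builds for groups stored beneath
cn=groups,cn=accounts,$SUFFIX, served beneath cn=groups,cn=compat,$SUFFIX.
"""
from typing import Dict, List, Optional, Set

SUFFIX = "dc=example,dc=test"  # constructed suffix
GROUPS_BASE = f"cn=groups,cn=accounts,{SUFFIX}"
COMPAT_BASE = f"cn=groups,cn=compat,{SUFFIX}"

Entry = Dict[str, List[str]]  # LDAP attributes are multi-valued

# Constructed directory snapshot: DN -> attributes.
DIRECTORY: Dict[str, Entry] = {
    f"uid=alice,cn=users,cn=accounts,{SUFFIX}": {
        "objectClass": ["posixAccount"], "uid": ["alice"], "uidNumber": ["1200"]},
    f"uid=bob,cn=users,cn=accounts,{SUFFIX}": {
        "objectClass": ["posixAccount"], "uid": ["bob"], "uidNumber": ["1201"]},
    f"cn=devs,{GROUPS_BASE}": {
        "objectClass": ["posixGroup", "groupOfNames"], "cn": ["devs"],
        "gidNumber": ["1300"],
        "member": [f"uid=alice,cn=users,cn=accounts,{SUFFIX}",
                   f"uid=bob,cn=users,cn=accounts,{SUFFIX}",
                   f"cn=ops,{GROUPS_BASE}"]},          # nested group (assumption)
    f"cn=ops,{GROUPS_BASE}": {
        "objectClass": ["posixGroup", "groupOfNames"], "cn": ["ops"],
        "gidNumber": ["1301"],
        "member": [f"uid=bob,cn=users,cn=accounts,{SUFFIX}",
                   f"uid=ghost,cn=users,cn=accounts,{SUFFIX}"]},  # dangling DN
    f"cn=sys,{GROUPS_BASE}": {
        "objectClass": ["posixGroup"], "cn": ["sys"], "gidNumber": ["42"],
        "member": [f"uid=alice,cn=users,cn=accounts,{SUFFIX}"]},  # below min-id
}


def resolve_member_uids(group_dn: str, directory: Dict[str, Entry],
                        seen: Optional[Set[str]] = None) -> List[str]:
    """Read each "member" DN, look up that entry and collect its "uid" values.

    Nested groups are followed; a DN is visited at most once so member cycles
    terminate, and DNs with no entry in the directory are ignored.
    """
    seen = set() if seen is None else seen
    uids: Set[str] = set()
    for member_dn in directory.get(group_dn, {}).get("member", []):
        if member_dn in seen:
            continue
        seen.add(member_dn)
        entry = directory.get(member_dn)
        if entry is None:
            continue                      # dangling reference: nothing to read
        if "uid" in entry:
            uids.update(entry["uid"])     # a user: take its name
        elif "member" in entry:
            uids.update(resolve_member_uids(member_dn, directory, seen))
    return sorted(uids)


def build_compat_group(group_dn: str, directory: Dict[str, Entry],
                       min_id: int = 1000) -> Optional[Entry]:
    """Build the compat entry for one group, or None if gidNumber < min_id.

    min_id mirrors schema-compat-nsswitch-min-id (default 1000 per the doc).
    """
    entry = directory[group_dn]
    gid = int(entry["gidNumber"][0])
    if gid < min_id:
        return None
    cn = entry["cn"][0]
    return {
        "dn": [f"cn={cn},{COMPAT_BASE}"],
        "objectClass": ["posixGroup"],
        "cn": [cn],
        "gidNumber": [str(gid)],
        "memberUid": resolve_member_uids(group_dn, directory),
    }


def build_compat_tree(directory: Dict[str, Entry],
                      min_id: int = 1000) -> Dict[str, Entry]:
    """Compat entries for every posixGroup beneath GROUPS_BASE, keyed by DN."""
    tree: Dict[str, Entry] = {}
    for dn, entry in directory.items():
        if dn.endswith("," + GROUPS_BASE) and "posixGroup" in entry.get("objectClass", []):
            compat = build_compat_group(dn, directory, min_id)
            if compat is not None:
                tree[compat["dn"][0]] = compat
    return tree


if __name__ == "__main__":
    for dn, entry in build_compat_tree(DIRECTORY).items():
        print(dn, "memberUid:", ", ".join(entry["memberUid"]))
```

Running the module lists the served compat groups: "devs" and "ops" appear
with flattened memberUid values, while "sys" (gidNumber 42) is withheld by
the default minimum id of 1000 and the dangling "ghost" DN contributes no
name.  Passing min_id=1 to build_compat_tree serves "sys" as well.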

== Authentication of the trusted domains' users ==

When the Schema Compatibility Plugin is configured to expose users from trusted
domains, their authentication is handled via the PAM 'system-auth' service.  This
service exists by default on Linux systems and is provided by the pam package as
/etc/pam.d/system-auth.  If your FreeIPA install does not have the default HBAC
rule 'allow_all' enabled, then make sure to define in IPA a special HBAC service
called 'system-auth' and create an HBAC rule that allows anyone access to that
service on the IPA masters.

As the 'system-auth' PAM service is not used directly by any other application,
it is safe to use it for trusted domain users via the compatibility path.