Cloned Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=767723
Based on the result of #1618 the creation of trust should be integrated into the IPA utilities by using the samba utility 'net trust create'.
Since a trust can always be created with the samba utility directly, this is not an urgent task.
At least the GUI part can be definitely deferred.
Current draft is published to freeipa-devel@: https://www.redhat.com/archives/freeipa-devel/2011-December/msg00224.html
I'm copying it here as well: One of FreeIPA v3.0 major features will be support for cross-realm trusts with the emphasis on trusts to Active Directory domains. This documents attempts to design a common interface for managing trusts with FreeIPA tools (command line and GUI).
`ipa trust' is a common family of operations on trusts. Trusts can be:
- created (ipa trust-add)
- listed (ipa trust-find)
- viewed (ipa trust-show)
- removed (ipa trust-del)
`ipa trust-add' sets up a trust agreement with another realm. The command requires knowing the realm of the trust being added, its administrator rights, and the type of trust to establish.
Proposed syntax: ipa trust-add <realm> --type ads|ipa|kerberos|etc --realmadmin <Name> --password <Value> [type-specific parameters]
Creates a trust between FreeIPA realm and another realm of selected type. Only 'ads' type is currently supported.
For the 'ads' type, running `ipa trust-add' would be equivalent to the following sequence:
- ipa-adtrust-install
- net rpc trust create
`ipa trust-find' will show all trusts with other realms matching certain criteria.
Proposed syntax: ipa trust-find [CRITERIA] [options]
where CRITERIA is tested against realms of existing trusts
Options might include:
- --type ads|ipa|kerberos|etc -- type of the trust
`ipa trust-show' exposes details of the established trust agreement with a specified realm.
Proposed syntax: ipa trust-show <realm> [options]
Details shown will depend on the type of trust, with the following information available for all trusts:
- realm name
- trust type
`ipa trust-del' removes an existing trust agreement.
Trust management requires modification of FreeIPA LDAP database instance and potentially external resources specific to the trust nature. cn=trusts,$SUFFIX is used as a container to store information about trusts with containers inside it for different types of trusts.
Currently FreeIPA 3.0 implements cn=ad,cn=trusts,$SUFFIX tree for Active Directory-related trusts.
Trust management implies limited access which should be implemented with the help of 389-ds ACIs.
In order to give users access to trust management, a group of trust administrators would be created, and an ACI would limit exposure of the cn=trusts,$SUFFIX tree to this group and to additional trust implementation-specific system users defined at cn=trusts,cn=sysaccounts,cn=etc,$SUFFIX.
Currently AD trusts implement the following ACIs per trust:
1. Trust information:
(target = "ldap:///cn=$DOMAIN,cn=ad,cn=trusts,$SUFFIX";) (targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes") (version 3.0;acl "Allow samba user to create and delete trust accounts"; allow (write,add,delete) userdn = "ldap:///$SAMBA_USER_DN";;)
(targetattr = "ipaNTHash") (version 3.0; acl "Samba user can read NT passwords"; allow (read) userdn="ldap:///$SAMBA_USER_DN";;)
where $SAMBA_USER_DN is the DN of a special user defined at uid=samba,cn=sysaccounts,cn=etc,$SUFFIX for the purpose of reading the ipaNTHash attribute (NT passwords) of existing users and accessing trust information from the ipa-sam database plugin for Samba.
The current approach requires creating separate ACIs for each trust and using the same system user account for all of them. As a consequence, ACIs are added during trust creation and require Directory Manager privileges, which should be discouraged for the 'ipa trust' set of commands.
Instead, a macro ACI could be created that would allow access to the trust information based on the part of the DN of the system user:
uid=<user name>,cn=<trust type>,cn=trusts,cn=sysaccounts,cn=etc,$SUFFIX
which for AD trusts would be
uid=samba,cn=ad,cn=trusts,cn=sysaccounts,cn=etc,$SUFFIX
and the ACI would be modified to have the following allow stanza:
(target = "ldap:///($dn),cn=trusts,$SUFFIX") (targetattr = "ipaNTTrustType || ipaNTTrustAttributes || ipaNTTrustDirection || ipaNTTrustPartner || ipaNTFlatName || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming || ipaNTSecurityIdentifier || ipaNTTrustForestTrustInfo || ipaNTTrustPosixOffset || ipaNTSupportedEncryptionTypes") (version 3.0;acl "Allow trust system user to create and delete trust accounts"; allow (write,add,delete) userdn="ldap:///uid=*,($dn),cn=trusts,cn=sysaccounts,cn=etc,$SUFFIX";) (targetattr = "ipaNTHash") (version 3.0; acl "Samba user can read NT passwords"; allow (read) userdn="ldap:///uid=*,cn=ad,cn=trusts,cn=sysaccounts,cn=etc,$SUFFIX";;)
And trust admins ACI:
(target = "ldap:///cn=trusts,$SUFFIX";) (targetattr = "*") (version 3.0; acl "Trust management"; allow (all) groupdn="ldap:///cn=trust admins,cn=groups,cn=accounts,$SUFFIX";)
This approach would allow us to have a single ACI macro for system accounts of all types of trusts for all realms and then a single ACI per trust type.
Macro ACIs are explained at http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Access_Control-Advanced_Access_Control_Using_Macro_ACIs.html
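The privilege split the draft's ACIs are meant to express (a per-trust-type system account limited to its own trust container, the Samba account reading ipaNTHash, and a trust admins group with full access to cn=trusts) can be checked against sample DNs with the following model. This is an added illustration, not FreeIPA code and not the 389-ds ACI evaluator; the base DN, group membership and user DNs are constructed, and DN handling is simplified (comma-separated RDNs, no escaping).

```python
# Added illustration of the access split described in the draft above.
# Not FreeIPA code and not the 389-ds evaluator: constructed names, simplified DNs.
SUFFIX = "dc=example,dc=com"                      # constructed base DN
TRUST_ADMINS = f"cn=trust admins,cn=groups,cn=accounts,{SUFFIX}"
SYSACCT_BASE = f"cn=trusts,cn=sysaccounts,cn=etc,{SUFFIX}"
TRUSTS_BASE = f"cn=trusts,{SUFFIX}"
# attributes listed in the draft's trust-information ACI
TRUST_ATTRS = {"ipaNTTrustType", "ipaNTTrustAttributes", "ipaNTTrustDirection",
               "ipaNTTrustPartner", "ipaNTFlatName", "ipaNTTrustAuthOutgoing",
               "ipaNTTrustAuthIncoming", "ipaNTSecurityIdentifier",
               "ipaNTTrustForestTrustInfo", "ipaNTTrustPosixOffset",
               "ipaNTSupportedEncryptionTypes"}
# constructed group membership, standing in for the groupdn lookup
MEMBERS = {TRUST_ADMINS: {f"uid=admin,cn=users,cn=accounts,{SUFFIX}"}}

def rdns(dn):
    """Split a DN into normalized RDN strings (simplified: no escaping)."""
    return [r.strip().lower() for r in dn.split(",")]

def trust_type_under(dn, base):
    """Return the cn=<trust type> RDN directly below base if dn lies beneath it
    (e.g. 'cn=ad' for cn=example.com,cn=ad,<base>), else None."""
    parts, base_parts = rdns(dn), rdns(base)
    if len(parts) <= len(base_parts) or parts[-len(base_parts):] != base_parts:
        return None
    return parts[-len(base_parts) - 1]

def allowed(bind_dn, entry_dn, op, attr):
    """op is read/write/add/delete; attr is the attribute being touched."""
    # Trust admins ACI: allow (all) anywhere inside the cn=trusts subtree.
    if bind_dn in MEMBERS[TRUST_ADMINS] and trust_type_under(entry_dn, TRUSTS_BASE):
        return True
    # Trust system account must be exactly uid=<name>,cn=<type>,<SYSACCT_BASE>.
    bind_parts = rdns(bind_dn)
    sys_type = trust_type_under(bind_dn, SYSACCT_BASE)
    if sys_type is None or len(bind_parts) != len(rdns(SYSACCT_BASE)) + 2 \
            or not bind_parts[0].startswith("uid="):
        return False
    # Macro ACI: a type-X system account manages trust attributes only under cn=X.
    if op in ("write", "add", "delete") and attr in TRUST_ATTRS:
        return trust_type_under(entry_dn, TRUSTS_BASE) == sys_type
    # The AD (Samba) system account may read NT password hashes of existing users.
    return op == "read" and attr == "ipaNTHash" and sys_type == "cn=ad"
```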
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=767723
https://www.redhat.com/archives/freeipa-devel/2012-April/msg00019.html
CLI part still under review with other related patches.
Done.
master: a7420c1
Metadata Update from @sbose:
- Issue assigned to abbra
- Issue set to the milestone: FreeIPA 3.0 Trust Effort - 2012/05