#2904 [RFE] It should be possible to use uid/gid defined in AD instead of SIDs
Closed: Fixed None Opened 9 years ago by dpal.

The first implementation of the trusts solution takes SID of the user entry and uses a special algorithm to create unique UID for the user. The similar approach is used for GID. This works fine for the deployments that do not have POSIX attributes defined in AD. In the cases when POSIX attributes are defined in AD there are usually already clients that leverage these attributes so switching to the SID->UIS/GID model is not acceptable. Instead IPA and SSSD should be able to respect the POSIX attributes defined in the AD.

SSSD ticket https://fedorahosted.org/sssd/ticket/1408

On the server side this might be realized with the help of a second type of id-range for trusted domains. The current one will be used for algorithmic mappings and the new one will tell the mapping plugin to search the local tree first for a mapping.

The local tree can either be populated once, e.g. with the help of an ldif file, or continuously, e.g. with winsync solution.

Bumping priority, this is one of the target features of 3.3.

Rename "trusts" component to "Trusts" to achieve correct sorting.

Moving to next month bucket.

Moving open tickets to next month bucket.

Assigning. This looks abandoned when it's really not.

All relevant subtickets for this feature are implemented, tested and pushed. Closing as fixed.

For reference:

Extend idrange commands to support new range origin types

Following values of ipaRangeType attribute are supported
and translated accordingly in the idrange commands:

 'ipa-local': 'local domain range'[[BR]]
 'ipa-ad-winsync': 'Active Directory winsync range'[[BR]]
 'ipa-ad-trust': 'Active Directory domain range'[[BR]]
 'ipa-ad-trust-posix': 'Active Directory trust range with POSIX attributes'[[BR]]
 'ipa-ipa-trust': 'IPA trust range'[[BR]]

Add update plugin to fill in ipaRangeType attribute

Previously, we deduced the range type from the range objectclass
and filled in virtual attribute in post_callback phase.

Having a ipaRangeType attributeType in schema, we need to fill
the attribute values to ranges created in previous IPA versions.

The plugin follows the same approach, setting ipa-local or
ipa-ad-trust value to the ipaRangeType attribute according
to the objectclass of the range.

Part of https://fedorahosted.org/freeipa/ticket/3647

Add ipaRangeType attribute to LDAP Schema

This adds a new LDAP attribute ipaRangeType with
OID 2.16.840.1.113730. to the LDAP Schema.

ObjectClass ipaIDrange has been altered to require
ipaRangeType attribute.

Part of https://fedorahosted.org/freeipa/ticket/3647

Add --range-type option that forces range type of the trusted domain (e4437a3)

Adds --range-type option to ipa trust-add command. It takes two
allowed values: 'ipa-ad-trust-posix' and 'ipa-ad-trust'.

When --range-type option is not specified, the range type should be
determined by ID range discovery.


ipa-kdb: reinit mspac on HTTP TGT acquisition to aid trust-add case (84b2269)

When trust is established, we also create idrange for the trusted domain.
With FreeIPA 3.3 these ranges can have different types, and in order to
detect which one is to create, we need to do lookup at AD LDAP server.

Such lookup requires authenticated bind. We cannot bind as user because
IPA framework operates under constrained delegation using the user's
credentials and allowing HTTP/ipa.server@REALM to impersonate the user
against trusted domain's services would require two major things:

- first, as we don't really know exact AD LDAP server names (any AD DC
    can be used), constrained delegation would have to be defined against
    a wild-card

- second, constrained delegation requires that target principal exists
    in IPA LDAP as DN.

These two together limit use of user's ticket for the purpose of IPA
framework looking up AD LDAP.

Additionally, immediately after trust is established, issuing TGT with
MS-PAC to HTTP/ipa.server@REALM may fail due to the fact that KDB driver
did not yet refreshed its list of trusted domains -- we have limited
refresh rate of 60 seconds by default.

This patch makes possible to force re-initialization of trusted domains'
view in KDB driver if we are asked for TGT for HTTP/ipa.server@REALM.

We will need to improve refresh of trusted domains' view in KDB driver
in future to notice changes in cn=etc,$SUFFIX tree automatically.

This improvement is tracked in https://fedorahosted.org/freeipa/ticket/1302 and

Part of https://fedorahosted.org/freeipa/ticket/3649

Use AD LDAP probing to create trusted domain ID range

When creating a trusted domain ID range, probe AD DC to get
information about ID space leveraged by POSIX users already
defined in AD, and create an ID range with according parameters.

For more details:

Metadata Update from @dpal:
- Issue assigned to tbabej
- Issue set to the milestone: FreeIPA 3.3 - 2013/07

4 years ago

Login to comment on this ticket.