#6621 Zero config for client API on unenrolled hosts
Opened 2 years ago by cheimes. Modified 9 months ago

With recent improvements in MIT KRB5 and planned move from NSS to OpenSSL on the client side, it became feasible to remove the need for /etc/krb5.conf and /etc/ipa/nssdb. It should even be possible to remove all IPA related configuration completely in order to make unenrolled clients truly zero config (sans CA).

Kerberos

  • In the absence of default_realm, MIT KRB5 1.15 uses the domain name to get the realm (e.g. kinit user on host.ipa.example -> DNS TXT lookup on _kerberos.ipa.example -> kinit user@IPA.EXAMPLE).
  • In the absence of a realm definition in /etc/krb5.conf, MIT KRB5 1.15 performs a DNS URI lookup on _kerberos (e.g. _kerberos.ipa.example).
  • For MS-KKDCP and PKINIT, it defaults to the system trust store.
  • When /etc/krb5.conf is absent or libdefaults stanzas for DNS lookup are not present, DNS lookup for realm and KDC is enabled by default.

IPA

ipaclient.ipadiscovery.IPADiscovery can auto-discover server, KDC, LDAP etc. The KDC auto-discovery feature uses the old SRV lookup on _kerberos._udp 88, though. It needs to be enhanced to perform URI lookup.

TODO

  • Introduce a zero config mode that does not load any config file at all. api.confdir, api.conf_default and related should be None.
  • Unless told otherwise, API initialization should perform auto-discovery of services ASAP. In case auto-discovery fails, it should fail with an easily understandable error message. Auto-discovery must not require any credentials (see #6408).
  • Auto-discovery must fill common fields in api.env with the discovered values (basedn, realm, domain, server, host, xmlrpc_uri, ldap_uri etc.)
  • Add an option to trust the system root CA to eliminate the need for a /etc/ipa/ca.crt.

Example

from ipalib import api
api.bootstrap(autodiscover=True)
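The two lookup chains the ticket describes (realm from _kerberos TXT with a domain-name fallback, KDCs from _kerberos URI records with the older _kerberos._udp/_tcp SRV records as fallback) are worked through below. This is an added illustration, not code from ipaclient.ipadiscovery or MIT krb5; the zone contents, the host/realm names and the `zone_lookup` stand-in for a resolver are constructed so it runs offline, and the upper-cased-domain fallback is an assumption about how dns_fallback behaves rather than something the ticket states.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Sequence, Tuple

Records = Sequence[tuple]
Lookup = Callable[[str, str], Records]

# Constructed sample zone (not real DNS data). Keys are (rrtype, owner name).
# TXT values are strings; URI tuples are (priority, weight, target);
# SRV tuples are (priority, weight, port, target), mirroring the wire fields.
ZONE = {
    ("TXT", "_kerberos.ipa.example"): ["IPA.EXAMPLE"],
    ("URI", "_kerberos.ipa.example"): [
        (20, 1, "krb5srv::tcp:kdc1.ipa.example:88"),
        (10, 1, "krb5srv:m:kkdcp:https://ipa.ipa.example/KdcProxy"),
        (20, 3, "krb5srv::udp:kdc2.ipa.example"),
        (30, 1, "https://not-a-kerberos-record.example"),  # junk, must be skipped
    ],
    ("SRV", "_kerberos._udp.legacy.example"): [
        (0, 100, 88, "kdc.legacy.example"),
    ],
}


def zone_lookup(rrtype: str, name: str) -> Records:
    """Offline stand-in for a DNS query; owner names compare case-insensitively."""
    return ZONE.get((rrtype, name.lower()), [])


@dataclass(frozen=True)
class Endpoint:
    transport: str       # "udp", "tcp" or "kkdcp"
    target: str          # host name, or the KDC proxy URL for kkdcp
    port: Optional[int]  # None for kkdcp (the URL carries the port)
    master: bool         # URI "m" flag: record points at a master KDC


def discover_realm(hostname: str, lookup: Lookup = zone_lookup) -> str:
    """Realm for a host with no default_realm: try _kerberos TXT at the host
    name and each parent domain; with no TXT record, fall back to the
    upper-cased parent domain (assumed dns_fallback behaviour)."""
    labels = hostname.rstrip(".").split(".")
    for i in range(len(labels)):
        txt = lookup("TXT", "_kerberos." + ".".join(labels[i:]))
        if txt:
            return txt[0].strip().strip('"')
    if len(labels) < 2:
        raise LookupError("cannot derive a realm for %r" % hostname)
    return ".".join(labels[1:]).upper()


def _parse_uri(target: str) -> Optional[Tuple[str, str, Optional[int], bool]]:
    """Parse a 'krb5srv:<flags>:<transport>:<residual>' URI target as used in
    _kerberos URI records. Returns None for anything malformed so that
    unrelated or broken records are ignored instead of becoming a KDC."""
    parts = target.split(":", 3)
    if len(parts) != 4 or parts[0] != "krb5srv":
        return None
    _, flags, transport, residual = parts
    master = "m" in flags
    if transport == "kkdcp":
        if not residual.startswith(("https://", "http://")):
            return None
        return transport, residual, None, master
    if transport not in ("udp", "tcp"):
        return None
    host, sep, port = residual.rpartition(":")
    if sep and port.isdigit():
        return transport, host, int(port), master
    return transport, residual, 88, master  # no explicit port: Kerberos default


def discover_kdcs(realm: str, lookup: Lookup = zone_lookup) -> List[Endpoint]:
    """KDCs for a realm with no [realms] stanza: prefer _kerberos URI records,
    fall back to _kerberos._udp / _kerberos._tcp SRV records. Ordered by
    priority, then weight; a real client randomises within a priority tier
    using the weights (RFC 2782), which is left out here for determinism."""
    found = []
    for prio, weight, target in lookup("URI", "_kerberos." + realm):
        parsed = _parse_uri(target)
        if parsed:
            found.append((prio, -weight, Endpoint(*parsed)))
    if not found:
        for transport in ("udp", "tcp"):
            name = "_kerberos._%s.%s" % (transport, realm)
            for prio, weight, port, target in lookup("SRV", name):
                ep = Endpoint(transport, target.rstrip("."), port, False)
                found.append((prio, -weight, ep))
    return [ep for _, _, ep in sorted(found, key=lambda t: t[:2])]


if __name__ == "__main__":
    realm = discover_realm("host.ipa.example")
    for ep in discover_kdcs(realm):
        print(realm, ep)
```

Note that for a host whose realm is only reachable via the SRV fallback, the result still carries the transport and port explicitly, which is what an IPADiscovery-style caller would need to fill xmlrpc_uri and ldap_uri-style fields without reading any config file.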

Metadata Update from @cheimes:
- Issue assigned to someone
- Issue set to the milestone: Future Releases

2 years ago

Metadata Update from @cheimes:
- Custom field affects_doc reset
- Custom field component reset
- Custom field rhbz reset
- Custom field type reset
- Issue close_status updated to: None
- Issue set to the milestone: None (was: Future Releases)
- Issue tagged with: integration

2 years ago

Metadata Update from @pvoborni:
- Custom field affects_doc reset
- Custom field tester adjusted to wanted
- Issue set to the milestone: FreeIPA 4.7

2 years ago

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.7.1 (was: FreeIPA 4.7)

a year ago

FreeIPA 4.7 has been released, moving to FreeIPA 4.7.1 milestone
