"Fossies" - the Fresh Open Source Software Archive
Member "freeipa-4.8.8/daemons/ipa-kdb/README.s4u2proxy.txt" (15 Jun 2020, 5766 Bytes) of package /linux/misc/freeipa-4.8.8.tar.gz:
As a special service "Fossies" has tried to format the requested text file into HTML format (style: standard
) with prefixed line numbers.
Alternatively you can here view
the uninterpreted source code file.
1 It is now possible to allow constrained delegation of credentials so
2 that a service can impersonate a user when communicating with another
3 service w/o requiring the user to actually forward their TGT.
4 This makes for a much better method of delegating credentials as it
5 prevents exposure of the short term secret of the user.
7 I added a relatively simple access control method that allow the KDC to
8 decide exactly which services are allowed to impersonate which users
9 against other services. A simple grouping mechanism is used so that in
10 large environments, clusters and otherwise classes of services can be
11 much more easily managed.
13 The grouping mechanism has been built so that lookup is highly optimized
14 and is basically reduced to a single search that uses the derefernce
15 control. Speed is very important in this case because KDC operations
16 time out very quickly and unless we add a caching layer in ipa-kdb we
17 must keep the number of searches down to avoid client timeouts.
19 The grouping mechanism is very simple a groupOfPrincipals object is
20 introduced, this Auxiliary class have a single optional attribute called
21 memberPrincipal which is a string containing a principal name.
23 A separate objectclass is also introduced called ipaKrb5DelegationACL,
24 it is a subclass of groupOfPrincipals and is a Structural class.
26 It has 2 additional optional attributes: ipaAllowedTarget and
27 ipaAllowToImpersonate. They are both DNs.
29 The memberPrincipal attribute in this class contains the list of
30 principals that are being considered proxies. That is: the
31 principals of the services that want to impersonate client principals
32 against other services.
34 The ipaAllowToImpersonate must point to a groupOfPrincipal based
35 object that contains the list of client principals (normally these are
36 user principals) that can be impersonated by this service.
37 If the attribute is missing than the service is allowed to impersonate
38 *any* user.
40 The ipaAllowedTarget DN must point to a groupOfPrincipal based object
41 that contains the list of service principals that the proxy service is
42 allowed target when impersonating users. A target must be specified in
43 order to allow a service to access it impersonating another principal.
46 At the moment no wildcarding is implemented so services have to be
47 explicitly listed in their respective groups.
48 I have some idea of adding wildcard support at least for the
49 ipaAllowToImpersonate group in order to separate user principals by
50 REALM. So you can say all users of REALM1 can be impersonated by this
51 service but no users of REALM2.
53 It is unclear how this wildcarding may be implemented, but it must be
54 simple to avoid potentially very expensive computations every time a
55 ticket for the target services is requested.
57 I have briefly tested this patch by manually creating a few objects then
58 using the kvno command to test that I could get a ldap ticket just using
59 the HTTP credentials (in order to do this I had to allow also s4u2self
60 operations for the HTTP service, but this is *not* generally required
61 and it is *not* desired in the IPA framework implementation).
63 This patchset does not contain any CLI or UI nor installation changes to
64 create ipaKrb5DelegationACL obujects. It is indeed yet unclear where we
65 want to store them (suggestions are welcome) and how/when we may want to
66 expose this mechanism through UI/CLI for general usage.
68 The initial intended usage is to allow us to move away from using
69 forwarded TGTs in the IPA framework and instead use S4U2Proxy in order
70 to access the ldap service. In order to do this some changes will need
71 to be made in installation scripts and replica management scripts later.
73 How to test:
75 Create 2 objects like these:
77 dn: cn=ipa-http-delegation,...
78 objectClass: ipaKrb5DelegationACL
79 objectClass: groupOfPrincipals
80 cn: ipa-http-delegation
81 memberPrincipal: HTTP/ipaserver.example.com@EXAMPLE.COM
82 ipaAllowedTarget: cn=ipa-ldap-delegation-targets,...
84 dn: cn=ipa-ldap-delegation-targets,...
85 objectClass: groupOfPrincipals
86 cn: ipa-ldap-delegation-targets
87 memberPrincipal: ldap/ipaserver.example.com@EXAMPLE.COM
90 In order to test with kvno which pretend to do s4u2self too you will
91 need to allow the HTTP service to impersonate arbitrary users.
93 This is done with:
95 modprinc +ok_to_auth_as_delegate HTTP/ipaserver.example.com
97 NOTE: Do not grant +ok_to_auth_as_delegate in production without
98 carefully considering the outcome. This flags grants a service the
99 ability to impersonate any user to itself, which, combined with the
100 permission to proxy, means it will be allowed to impersonate any user
101 to the target service w/o any explicit user permission/delegation.
102 This flag is *NOT* necessary to permit proxying, it is used in this
103 example only because the kvno utility is hardwired to test both s4u2self
104 and s4u2proxy at the same time and would fail to operate without it.
106 Then run kvno as follows:
108 # Init credntials as HTTP
109 kinit -kt /etc/httpd/conf/ipa.keytab HTTP/ipaserver.example.com
111 # Perform S4U2Self
112 kvno -U admin HTTP/ipaserver.example.com
114 # Perform S4U2Proxy
115 kvno -k /etc/httpd/conf/ipa.keytab -U admin -P HTTP/ipaserver.example.com
119 If this works it means you successfully impersonated the admin user with
120 the HTTP service against the ldap service.
122 Cleanup by removing the self-impersonation flag:
123 modprinc -ok_to_auth_as_delegate HTTP/ipaserver.example.com
129 Note that here I use the term proxy in a different way than it is used in
130 the krb interfaces. It may seem a bit confusing but I think people will
131 understand it better this way.
133 In this document 'client' connects to 'proxy' which impersonates 'client'
134 against 'service'.
135 In the Code/API the 'client' connects to 'server' which impersonates
136 'client' against 'proxy'.