SlideShare une entreprise Scribd logo

SambaXP 2014: Trusting Active Directory with FreeIPA: a story beyond Samba

Alexander Bokovoy
Alexander Bokovoy

My talk from SambaXP 2014 about FreeIPA cross-realm trusts to Active Directory.

Présentations et discours publicsTechnologie
1  sur  25
Télécharger pour lire hors ligne
Trusting Active Directory with FreeIPA: a story beyond Samba Alexander Bokovoy <ab@samba.org> Red Hat May 15th, 2014
Trusting Active Directory with FreeIPA 1 FreeIPA What is FreeIPA? Cross Forest Trusts Using trust to access FreeIPA Using trust to access legacy clients Compatibility with Active Directory 2 Demo
Trusting Active Directory with FreeIPA A story beyond Samba 1 FreeIPA What is FreeIPA? Cross Forest Trusts Using trust to access FreeIPA Using trust to access legacy clients Compatibility with Active Directory 2 Demo
FreeIPA: http://www.freeipa.org I: Identity LDAP-based store for common objects (users, groups, hosts, services, ...) 389-ds as an LDAP server with FreeIPA server-side plugins MIT Kerberos KDC with FreeIPA driver Integrated certificate management with Dogtag Certificate Authority Python-based command line and Web management tools P: Policy Delegation and separation of access Flexible delegation of editing controls Host-based access controls to services: Everything is denied by default, define rules to allow <user or group[, source host]>→<host, service> Rules enforced at client side with SSSD project A: Audit Coming...
FreeIPA: http://www.freeipa.org
Trusting Active Directory with FreeIPA A story beyond Samba 1 FreeIPA What is FreeIPA? Cross Forest Trusts Using trust to access FreeIPA Using trust to access legacy clients Compatibility with Active Directory 2 Demo
Kerberos cross-forest trusts FreeIPA deployment is a fully managed Kerberos realm Can be integrated with Windows as RFC4120-compliant Kerberos realm Traditional Kerberos trust management applies: on GNU/Linux side ~/.k5login should be defined to impersonate users with identities Does not scale well for thousands of users and hosts: a foreign realm principal impersonates our realm’s user requires additional management of special users to impersonate doubling the management effort mapping has to happen on every single machine. Manually?
Active Directory native cross forest trusts Require two Active Directory domains AD domain establishes trust with another AD domain via LSA RPC AD uses LSA RPC to map incoming principals to SIDs technically: KDC + CLDAP + LSA RPC FreeIPA provides KDC and LDAP, Samba provides LSA RPC
FreeIPA v3 architecture Full overview is available at http://freeipa.org/page/IPAv3_Architecture
FreeIPA passdb backend Expansion of traditional LDAP passdb backend New schema objects and attributes to support trusted domain information Support for uid/gid ranges for multi-master replicas Kerberos principal creation for foreign domain account
FreeIPA KDC backend Generates MS PAC information out of LDAP info and add to the ticket Allows to accept principals and tickets from a trusted cross forest realm Filters out SIDs for both incoming and outgoing trust paths Verifies and signs MS PAC coming from a trusted cross forest realm Checks authentication paths for non-hierarchical cross-realm
FreeIPA configuration tools FreeIPA has command line (CLI) and Web user interfaces ipa trust-add creates new cross-forest trust CLI operates with Kerberos authentication Request is sent to FreeIPA server via XML-RPC over HTTPS with Kerberos auth FreeIPA uses S4U2Proxy Kerberos feature to allow constrained delegation Samba 4 Python bindings are used to establish trust Code runs under non-privileged account (apache) Uses Kerberos ticket obtained via XML-RPC with the help of mod kerb auth Issues Kerberos-authenticated LSA RPC requests to a local smbd Uses AD credentials or shared secret passed via XML-RPC request to talk to AD DC
Trusting Active Directory with FreeIPA A story beyond Samba 1 FreeIPA What is FreeIPA? Cross Forest Trusts Using trust to access FreeIPA Using trust to access legacy clients Compatibility with Active Directory 2 Demo
Using FreeIPA services with AD credentials Use of FreeIPA client system with AD cross forest credentials: Client system is provisioned with ipa-client-install SSSD is configured during provisioning to talk to FreeIPA LDAP krb5.conf is configured to perform mapping of cross forest trusted realm principal to user name 1:1 without removing the realm, e.g. Administrator@AD.SAMBAXP becomes user ’Administrator@ad.sambaxp’ Manual auth to local rules in krb5.conf will not be needed with MIT Kerberos 1.12 once SSSD will provide a plugin to fetch these rules from the FreeIPA server
Using FreeIPA services with AD credentials
Using FreeIPA services with AD credentials On the IPA client, an SSH log-in causes following activity: SSH checks if user exists on the system SSSD handles the request and sees the user is not local. From IPA client SSSD sends LDAP extended operation to FreeIPA LDAP server. Extended operation on LDAP server results in calls to SSSD on the server to perform external domain user/group mapping in FreeIPA 3.0 SSSD uses Winbind on IPA server to resolve the mapping in FreeIPA 3.3 SSSD on IPA server performs the mapping natively against AD DCs UID/GID are returned to SSH, GSSAPI is used to log-in that ’local’ user SSSD uses MS PAC from the Kerberos ticket to fill up groups information, converting SIDs to groups using FreeIPA LDAP extended operation
Trusting Active Directory with FreeIPA A story beyond Samba 1 FreeIPA What is FreeIPA? Cross Forest Trusts Using trust to access FreeIPA Using trust to access legacy clients Compatibility with Active Directory 2 Demo
Using FreeIPA services with AD credentials SSSD plays crucial role: it forwards ID resolution of AD users to IPA server and performs MS-PAC analysis Support for FreeIPA LDAP extended operation was added in SSSD 1.9 Older versions or machines without SSSD can’t use the feature, are we lost?
Supporting ‘legacy clients’ FreeIPA provides a compatibility LDAP tree, cn=compat,cn=ipa,cn=sambaxp Compatibility tree re-exports IPA users for systems that cannot be configured against the primary tree When cross-forest trust is enabled, the compatibility tree shows AD users ipa-advise tool can be used to get configuration recipes for legacy clients
Supporting ‘legacy clients’ A request comes from nss ldap, nslcd, or old version of SSSD over compatibility tree: Internally, search is performed over the primary tree If search does not succeed, FreeIPA decodes the request (uid=username ) is recognized as a user search by name (uidNumber=number ) is recognized as a user search by ID (&(cn=groupname )(objectClass=posixGroup)) is recognized as a group search by name (gidNumber=number ) is recognized as a group search by ID (memberuid=username ) is recognized as a group search by a member name Request is sent to SSSD for lookup, result is inserted into the compatibility tree LDAP bind operation is translated into PAM authentication request
Supporting ‘legacy clients’ Compatibility tree works fine with any Linux or UNIX-like systems that supports PAM and NSS API However, there are caveats: AD user name is fully qualified: Administrator@AD.SAMBAXP = 24 characters FreeBSD systems have by default limit for user names of 16 letters even in FreeBSD 9+ The limit is kernel compile-time, http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/133926 Other *BSD systems have similar issues Kerberos authentication might not be possible unless krb5.conf is explicitly configured on the client to recognize AD realms All authentication for legacy logons with AD credentials happens on IPA server
Trusting Active Directory with FreeIPA A story beyond Samba 1 FreeIPA What is FreeIPA? Cross Forest Trusts Using trust to access FreeIPA Using trust to access legacy clients Compatibility with Active Directory 2 Demo
Compatibility with Active Directory FreeIPA 3.3 was tested by a Microsoft team in summer 2013 against Windows Server 2012 build 9200. FreeIPA as a trusted realm to AD, passed 106/117 tests Failed only Claims or Compound Identity tests which Samba doesn’t support yet FreeIPA as a local realm to a Windows client, passed 69/117 tests Main issues: FreeIPA cannot return the correct error code (8 cases) FreeIPA does not contain attributes in AD (11 cases) FreeIPA does not support Claims or Compound Identity (11 cases) FreeIPA KDCOption and Flags Issue (7 cases) FreeIPA missing PA-DATA (1 case) FreeIPA configuration issue (2 cases) FreeIPA KDC is case sensitive (1 case) We plan to make a new test run with FreeIPA 4.0 in autumn 2014
DEMO
Questions & Answers Slides http://www.samba.org/~ab/sambaxp/2014/

Recommandé

Bridging the gap: Adding missing client (security) features using OpenLDAP pr...
Bridging the gap: Adding missing client (security) features using OpenLDAP pr...Bridging the gap: Adding missing client (security) features using OpenLDAP pr...
Bridging the gap: Adding missing client (security) features using OpenLDAP pr...LDAPCon
 
Building Open Source Identity Management with FreeIPA
Building Open Source Identity Management with FreeIPABuilding Open Source Identity Management with FreeIPA
Building Open Source Identity Management with FreeIPALDAPCon
 
Securing Your Deployment with MongoDB and Red Hat's Identity Management in Re...
Securing Your Deployment with MongoDB and Red Hat's Identity Management in Re...Securing Your Deployment with MongoDB and Red Hat's Identity Management in Re...
Securing Your Deployment with MongoDB and Red Hat's Identity Management in Re...MongoDB
 
Fortress Open Source IAM on LDAPv3
Fortress Open Source IAM on LDAPv3Fortress Open Source IAM on LDAPv3
Fortress Open Source IAM on LDAPv3LDAPCon
 
Do The Right Thing! How LDAP servers should help LDAP clients
Do The Right Thing! How LDAP servers should help LDAP clientsDo The Right Thing! How LDAP servers should help LDAP clients
Do The Right Thing! How LDAP servers should help LDAP clientsLDAPCon
 
Build your LDAP Web Interface with LinID Directory Manager
Build your LDAP Web Interface with LinID Directory ManagerBuild your LDAP Web Interface with LinID Directory Manager
Build your LDAP Web Interface with LinID Directory ManagerLDAPCon
 
Kerberos, Token and Hadoop
Kerberos, Token and HadoopKerberos, Token and Hadoop
Kerberos, Token and HadoopKai Zheng
 
A Backend to tie them all?
A Backend to tie them all?A Backend to tie them all?
A Backend to tie them all?LDAPCon
 

Recommandé

Bridging the gap: Adding missing client (security) features using OpenLDAP pr...
Bridging the gap: Adding missing client (security) features using OpenLDAP pr...Bridging the gap: Adding missing client (security) features using OpenLDAP pr...
Bridging the gap: Adding missing client (security) features using OpenLDAP pr...LDAPCon
 
Building Open Source Identity Management with FreeIPA
Building Open Source Identity Management with FreeIPABuilding Open Source Identity Management with FreeIPA
Building Open Source Identity Management with FreeIPALDAPCon
 
Securing Your Deployment with MongoDB and Red Hat's Identity Management in Re...
Securing Your Deployment with MongoDB and Red Hat's Identity Management in Re...Securing Your Deployment with MongoDB and Red Hat's Identity Management in Re...
Securing Your Deployment with MongoDB and Red Hat's Identity Management in Re...MongoDB
 
Fortress Open Source IAM on LDAPv3
Fortress Open Source IAM on LDAPv3Fortress Open Source IAM on LDAPv3
Fortress Open Source IAM on LDAPv3LDAPCon
 
Do The Right Thing! How LDAP servers should help LDAP clients
Do The Right Thing! How LDAP servers should help LDAP clientsDo The Right Thing! How LDAP servers should help LDAP clients
Do The Right Thing! How LDAP servers should help LDAP clientsLDAPCon
 
Build your LDAP Web Interface with LinID Directory Manager
Build your LDAP Web Interface with LinID Directory ManagerBuild your LDAP Web Interface with LinID Directory Manager
Build your LDAP Web Interface with LinID Directory ManagerLDAPCon
 
Kerberos, Token and Hadoop
Kerberos, Token and HadoopKerberos, Token and Hadoop
Kerberos, Token and HadoopKai Zheng
 
A Backend to tie them all?
A Backend to tie them all?A Backend to tie them all?
A Backend to tie them all?LDAPCon
 
Securing Kafka
Securing Kafka Securing Kafka
Securing Kafka confluent
 
Kafka Security
Kafka SecurityKafka Security
Kafka SecuritySriharsha Chintalapani
 
Kafka Security 101 and Real-World Tips
Kafka Security 101 and Real-World Tips Kafka Security 101 and Real-World Tips
Kafka Security 101 and Real-World Tips confluent
 
Ram
RamRam
RamRami reddy
 
LDAP Development Using Spring LDAP
LDAP Development Using Spring LDAPLDAP Development Using Spring LDAP
LDAP Development Using Spring LDAPLDAPCon
 
Building a Messaging Solutions for OVHcloud with Apache Pulsar_Pierre Zemb
Building a Messaging Solutions for OVHcloud with Apache Pulsar_Pierre ZembBuilding a Messaging Solutions for OVHcloud with Apache Pulsar_Pierre Zemb
Building a Messaging Solutions for OVHcloud with Apache Pulsar_Pierre ZembStreamNative
 
Fluentd Overview, Now and Then
Fluentd Overview, Now and ThenFluentd Overview, Now and Then
Fluentd Overview, Now and ThenSATOSHI TAGOMORI
 
Nginx
NginxNginx
NginxDhrubaji Mandal ♛
 
The Easiest Way to Configure Security for Clients AND Servers (Dani Traphagen...
The Easiest Way to Configure Security for Clients AND Servers (Dani Traphagen...The Easiest Way to Configure Security for Clients AND Servers (Dani Traphagen...
The Easiest Way to Configure Security for Clients AND Servers (Dani Traphagen...confluent
 
Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...
Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...
Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...Big Data Spain
 
(Re)Indexing Large Repositories in Alfresco
(Re)Indexing Large Repositories in Alfresco(Re)Indexing Large Repositories in Alfresco
(Re)Indexing Large Repositories in AlfrescoAngel Borroy López
 
Consul: Microservice Enabling Microservices and Reactive Programming
Consul: Microservice Enabling Microservices and Reactive ProgrammingConsul: Microservice Enabling Microservices and Reactive Programming
Consul: Microservice Enabling Microservices and Reactive ProgrammingRick Hightower
 
2014 sept 4_hadoop_security
2014 sept 4_hadoop_security2014 sept 4_hadoop_security
2014 sept 4_hadoop_securityAdam Muise
 
Securing your Pulsar Cluster with Vault_Chris Kellogg
Securing your Pulsar Cluster with Vault_Chris KelloggSecuring your Pulsar Cluster with Vault_Chris Kellogg
Securing your Pulsar Cluster with Vault_Chris KelloggStreamNative
 
Webinar: MongoDB 2.6 New Security Features
Webinar: MongoDB 2.6 New Security FeaturesWebinar: MongoDB 2.6 New Security Features
Webinar: MongoDB 2.6 New Security FeaturesMongoDB
 
Oracle Enterprise Manager - EM12c R5 Hybrid Cloud Management
Oracle Enterprise Manager - EM12c R5 Hybrid Cloud ManagementOracle Enterprise Manager - EM12c R5 Hybrid Cloud Management
Oracle Enterprise Manager - EM12c R5 Hybrid Cloud ManagementMarketingArrowECS_CZ
 
VPC Fundamentals & Connectivity - Pop-up Loft Tel Aviv
VPC Fundamentals & Connectivity - Pop-up Loft Tel AvivVPC Fundamentals & Connectivity - Pop-up Loft Tel Aviv
VPC Fundamentals & Connectivity - Pop-up Loft Tel AvivAmazon Web Services
 
Introduction to NGINX web server
Introduction to NGINX web serverIntroduction to NGINX web server
Introduction to NGINX web serverMd Waresul Islam
 
Introduction to service discovery and self-organizing cluster orchestration. ...
Introduction to service discovery and self-organizing cluster orchestration. ...Introduction to service discovery and self-organizing cluster orchestration. ...
Introduction to service discovery and self-organizing cluster orchestration. ...Pivorak MeetUp
 
Consul: Service-oriented at Scale
Consul: Service-oriented at ScaleConsul: Service-oriented at Scale
Consul: Service-oriented at ScaleC4Media
 
Enhancing The Role Of A Large Us Federal Agency As An Intermediary In The Fed...
Enhancing The Role Of A Large Us Federal Agency As An Intermediary In The Fed...Enhancing The Role Of A Large Us Federal Agency As An Intermediary In The Fed...
Enhancing The Role Of A Large Us Federal Agency As An Intermediary In The Fed...Wen Zhu
 
Puppet Camp Boston 2014: Securely Managing Secrets with FreeIPA and Puppet (I...
Puppet Camp Boston 2014: Securely Managing Secrets with FreeIPA and Puppet (I...Puppet Camp Boston 2014: Securely Managing Secrets with FreeIPA and Puppet (I...
Puppet Camp Boston 2014: Securely Managing Secrets with FreeIPA and Puppet (I...Puppet
 

Contenu connexe

Tendances

Securing Kafka
Securing Kafka Securing Kafka
Securing Kafka confluent
 
Kafka Security 101 and Real-World Tips
Kafka Security 101 and Real-World Tips Kafka Security 101 and Real-World Tips
Kafka Security 101 and Real-World Tips confluent
 
LDAP Development Using Spring LDAP
LDAP Development Using Spring LDAPLDAP Development Using Spring LDAP
LDAP Development Using Spring LDAPLDAPCon
 
Building a Messaging Solutions for OVHcloud with Apache Pulsar_Pierre Zemb
Building a Messaging Solutions for OVHcloud with Apache Pulsar_Pierre ZembBuilding a Messaging Solutions for OVHcloud with Apache Pulsar_Pierre Zemb
Building a Messaging Solutions for OVHcloud with Apache Pulsar_Pierre ZembStreamNative
 
Fluentd Overview, Now and Then
Fluentd Overview, Now and ThenFluentd Overview, Now and Then
Fluentd Overview, Now and ThenSATOSHI TAGOMORI
 
The Easiest Way to Configure Security for Clients AND Servers (Dani Traphagen...
The Easiest Way to Configure Security for Clients AND Servers (Dani Traphagen...The Easiest Way to Configure Security for Clients AND Servers (Dani Traphagen...
The Easiest Way to Configure Security for Clients AND Servers (Dani Traphagen...confluent
 
Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...
Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...
Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...Big Data Spain
 
(Re)Indexing Large Repositories in Alfresco
(Re)Indexing Large Repositories in Alfresco(Re)Indexing Large Repositories in Alfresco
(Re)Indexing Large Repositories in AlfrescoAngel Borroy López
 
Consul: Microservice Enabling Microservices and Reactive Programming
Consul: Microservice Enabling Microservices and Reactive ProgrammingConsul: Microservice Enabling Microservices and Reactive Programming
Consul: Microservice Enabling Microservices and Reactive ProgrammingRick Hightower
 
2014 sept 4_hadoop_security
2014 sept 4_hadoop_security2014 sept 4_hadoop_security
2014 sept 4_hadoop_securityAdam Muise
 
Securing your Pulsar Cluster with Vault_Chris Kellogg
Securing your Pulsar Cluster with Vault_Chris KelloggSecuring your Pulsar Cluster with Vault_Chris Kellogg
Securing your Pulsar Cluster with Vault_Chris KelloggStreamNative
 
Webinar: MongoDB 2.6 New Security Features
Webinar: MongoDB 2.6 New Security FeaturesWebinar: MongoDB 2.6 New Security Features
Webinar: MongoDB 2.6 New Security FeaturesMongoDB
 
Oracle Enterprise Manager - EM12c R5 Hybrid Cloud Management
Oracle Enterprise Manager - EM12c R5 Hybrid Cloud ManagementOracle Enterprise Manager - EM12c R5 Hybrid Cloud Management
Oracle Enterprise Manager - EM12c R5 Hybrid Cloud ManagementMarketingArrowECS_CZ
 
VPC Fundamentals & Connectivity - Pop-up Loft Tel Aviv
VPC Fundamentals & Connectivity - Pop-up Loft Tel AvivVPC Fundamentals & Connectivity - Pop-up Loft Tel Aviv
VPC Fundamentals & Connectivity - Pop-up Loft Tel AvivAmazon Web Services
 
Introduction to NGINX web server
Introduction to NGINX web serverIntroduction to NGINX web server
Introduction to NGINX web serverMd Waresul Islam
 
Introduction to service discovery and self-organizing cluster orchestration. ...
Introduction to service discovery and self-organizing cluster orchestration. ...Introduction to service discovery and self-organizing cluster orchestration. ...
Introduction to service discovery and self-organizing cluster orchestration. ...Pivorak MeetUp
 
Consul: Service-oriented at Scale
Consul: Service-oriented at ScaleConsul: Service-oriented at Scale
Consul: Service-oriented at ScaleC4Media
 

Tendances (20)

Securing Kafka
Securing Kafka Securing Kafka
Securing Kafka
 
Kafka Security
Kafka SecurityKafka Security
Kafka Security
 
Kafka Security 101 and Real-World Tips
Kafka Security 101 and Real-World Tips Kafka Security 101 and Real-World Tips
Kafka Security 101 and Real-World Tips
 
Ram
RamRam
Ram
 
LDAP Development Using Spring LDAP
LDAP Development Using Spring LDAPLDAP Development Using Spring LDAP
LDAP Development Using Spring LDAP
 
Building a Messaging Solutions for OVHcloud with Apache Pulsar_Pierre Zemb
Building a Messaging Solutions for OVHcloud with Apache Pulsar_Pierre ZembBuilding a Messaging Solutions for OVHcloud with Apache Pulsar_Pierre Zemb
Building a Messaging Solutions for OVHcloud with Apache Pulsar_Pierre Zemb
 
Fluentd Overview, Now and Then
Fluentd Overview, Now and ThenFluentd Overview, Now and Then
Fluentd Overview, Now and Then
 
Nginx
NginxNginx
Nginx
 
The Easiest Way to Configure Security for Clients AND Servers (Dani Traphagen...
The Easiest Way to Configure Security for Clients AND Servers (Dani Traphagen...The Easiest Way to Configure Security for Clients AND Servers (Dani Traphagen...
The Easiest Way to Configure Security for Clients AND Servers (Dani Traphagen...
 
Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...
Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...
Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...
 
(Re)Indexing Large Repositories in Alfresco
(Re)Indexing Large Repositories in Alfresco(Re)Indexing Large Repositories in Alfresco
(Re)Indexing Large Repositories in Alfresco
 
Consul: Microservice Enabling Microservices and Reactive Programming
Consul: Microservice Enabling Microservices and Reactive ProgrammingConsul: Microservice Enabling Microservices and Reactive Programming
Consul: Microservice Enabling Microservices and Reactive Programming
 
2014 sept 4_hadoop_security
2014 sept 4_hadoop_security2014 sept 4_hadoop_security
2014 sept 4_hadoop_security
 
Securing your Pulsar Cluster with Vault_Chris Kellogg
Securing your Pulsar Cluster with Vault_Chris KelloggSecuring your Pulsar Cluster with Vault_Chris Kellogg
Securing your Pulsar Cluster with Vault_Chris Kellogg
 
Webinar: MongoDB 2.6 New Security Features
Webinar: MongoDB 2.6 New Security FeaturesWebinar: MongoDB 2.6 New Security Features
Webinar: MongoDB 2.6 New Security Features
 
Oracle Enterprise Manager - EM12c R5 Hybrid Cloud Management
Oracle Enterprise Manager - EM12c R5 Hybrid Cloud ManagementOracle Enterprise Manager - EM12c R5 Hybrid Cloud Management
Oracle Enterprise Manager - EM12c R5 Hybrid Cloud Management
 
VPC Fundamentals & Connectivity - Pop-up Loft Tel Aviv
VPC Fundamentals & Connectivity - Pop-up Loft Tel AvivVPC Fundamentals & Connectivity - Pop-up Loft Tel Aviv
VPC Fundamentals & Connectivity - Pop-up Loft Tel Aviv
 
Introduction to NGINX web server
Introduction to NGINX web serverIntroduction to NGINX web server
Introduction to NGINX web server
 
Introduction to service discovery and self-organizing cluster orchestration. ...
Introduction to service discovery and self-organizing cluster orchestration. ...Introduction to service discovery and self-organizing cluster orchestration. ...
Introduction to service discovery and self-organizing cluster orchestration. ...
 
Consul: Service-oriented at Scale
Consul: Service-oriented at ScaleConsul: Service-oriented at Scale
Consul: Service-oriented at Scale
 

En vedette

Enhancing The Role Of A Large Us Federal Agency As An Intermediary In The Fed...
Enhancing The Role Of A Large Us Federal Agency As An Intermediary In The Fed...Enhancing The Role Of A Large Us Federal Agency As An Intermediary In The Fed...
Enhancing The Role Of A Large Us Federal Agency As An Intermediary In The Fed...Wen Zhu
 
Puppet Camp Boston 2014: Securely Managing Secrets with FreeIPA and Puppet (I...
Puppet Camp Boston 2014: Securely Managing Secrets with FreeIPA and Puppet (I...Puppet Camp Boston 2014: Securely Managing Secrets with FreeIPA and Puppet (I...
Puppet Camp Boston 2014: Securely Managing Secrets with FreeIPA and Puppet (I...Puppet
 
Advanced Microservices - Greach 2015
Advanced Microservices - Greach 2015Advanced Microservices - Greach 2015
Advanced Microservices - Greach 2015Steve Pember
 
The OSGi Service Platform in Integrated Management Environments - Cristina Di...
The OSGi Service Platform in Integrated Management Environments - Cristina Di...The OSGi Service Platform in Integrated Management Environments - Cristina Di...
The OSGi Service Platform in Integrated Management Environments - Cristina Di...mfrancis
 
Apache Camel Introduction & What's in the box
Apache Camel Introduction & What's in the boxApache Camel Introduction & What's in the box
Apache Camel Introduction & What's in the boxClaus Ibsen
 
NTNU Tech Talks : Smartening up a Pi Zero Security Camera with Amazon Web Ser...
NTNU Tech Talks : Smartening up a Pi Zero Security Camera with Amazon Web Ser...NTNU Tech Talks : Smartening up a Pi Zero Security Camera with Amazon Web Ser...
NTNU Tech Talks : Smartening up a Pi Zero Security Camera with Amazon Web Ser...Mark West
 
Apache ActiveMQ, Camel, CXF and ServiceMix Overview
Apache ActiveMQ, Camel, CXF and ServiceMix OverviewApache ActiveMQ, Camel, CXF and ServiceMix Overview
Apache ActiveMQ, Camel, CXF and ServiceMix OverviewMarcelo Jabali
 
Creating Real-Time Data Mashups with Node.JS and Adobe CQ
Creating Real-Time Data Mashups with Node.JS and Adobe CQCreating Real-Time Data Mashups with Node.JS and Adobe CQ
Creating Real-Time Data Mashups with Node.JS and Adobe CQiCiDIGITAL
 
Microservices OSGi-running-with-apache-karaf
Microservices OSGi-running-with-apache-karafMicroservices OSGi-running-with-apache-karaf
Microservices OSGi-running-with-apache-karafAchim Nierbeck
 
Cloud Foundry Deployment Tools: BOSH vs Juju Charms
Cloud Foundry Deployment Tools: BOSH vs Juju CharmsCloud Foundry Deployment Tools: BOSH vs Juju Charms
Cloud Foundry Deployment Tools: BOSH vs Juju CharmsAltoros
 
Deployment Automation on OpenStack with TOSCA and Cloudify
Deployment Automation on OpenStack with TOSCA and CloudifyDeployment Automation on OpenStack with TOSCA and Cloudify
Deployment Automation on OpenStack with TOSCA and CloudifyCloudify Community
 
Authentication - Alberto Bellotti - ManageIQ Design Summit 2016
Authentication - Alberto Bellotti - ManageIQ Design Summit 2016Authentication - Alberto Bellotti - ManageIQ Design Summit 2016
Authentication - Alberto Bellotti - ManageIQ Design Summit 2016ManageIQ
 
CAPS: What's best for deploying and managing OpenStack? Chef vs. Ansible vs. ...
CAPS: What's best for deploying and managing OpenStack? Chef vs. Ansible vs. ...CAPS: What's best for deploying and managing OpenStack? Chef vs. Ansible vs. ...
CAPS: What's best for deploying and managing OpenStack? Chef vs. Ansible vs. ...Daniel Krook
 
Cloud foundry Docker Openstack - Leading Open Source Triumvirate
Cloud foundry Docker Openstack - Leading Open Source TriumvirateCloud foundry Docker Openstack - Leading Open Source Triumvirate
Cloud foundry Docker Openstack - Leading Open Source TriumvirateAnimesh Singh
 
Microservices, Containers, Docker and a Cloud-Native Architecture in the Midd...
Microservices, Containers, Docker and a Cloud-Native Architecture in the Midd...Microservices, Containers, Docker and a Cloud-Native Architecture in the Midd...
Microservices, Containers, Docker and a Cloud-Native Architecture in the Midd...Kai Wähner
 
Template Languages for OpenStack - Heat and TOSCA
Template Languages for OpenStack - Heat and TOSCATemplate Languages for OpenStack - Heat and TOSCA
Template Languages for OpenStack - Heat and TOSCACloud Native Day Tel Aviv
 

En vedette (17)

Enhancing The Role Of A Large Us Federal Agency As An Intermediary In The Fed...
Enhancing The Role Of A Large Us Federal Agency As An Intermediary In The Fed...Enhancing The Role Of A Large Us Federal Agency As An Intermediary In The Fed...
Enhancing The Role Of A Large Us Federal Agency As An Intermediary In The Fed...
 
Puppet Camp Boston 2014: Securely Managing Secrets with FreeIPA and Puppet (I...
Puppet Camp Boston 2014: Securely Managing Secrets with FreeIPA and Puppet (I...Puppet Camp Boston 2014: Securely Managing Secrets with FreeIPA and Puppet (I...
Puppet Camp Boston 2014: Securely Managing Secrets with FreeIPA and Puppet (I...
 
Advanced Microservices - Greach 2015
Advanced Microservices - Greach 2015Advanced Microservices - Greach 2015
Advanced Microservices - Greach 2015
 
The OSGi Service Platform in Integrated Management Environments - Cristina Di...
The OSGi Service Platform in Integrated Management Environments - Cristina Di...The OSGi Service Platform in Integrated Management Environments - Cristina Di...
The OSGi Service Platform in Integrated Management Environments - Cristina Di...
 
Apache Camel Introduction & What's in the box
Apache Camel Introduction & What's in the boxApache Camel Introduction & What's in the box
Apache Camel Introduction & What's in the box
 
Cloud Foundry Roadmap in 2016
Cloud Foundry Roadmap in 2016Cloud Foundry Roadmap in 2016
Cloud Foundry Roadmap in 2016
 
NTNU Tech Talks : Smartening up a Pi Zero Security Camera with Amazon Web Ser...
NTNU Tech Talks : Smartening up a Pi Zero Security Camera with Amazon Web Ser...NTNU Tech Talks : Smartening up a Pi Zero Security Camera with Amazon Web Ser...
NTNU Tech Talks : Smartening up a Pi Zero Security Camera with Amazon Web Ser...
 
Apache ActiveMQ, Camel, CXF and ServiceMix Overview
Apache ActiveMQ, Camel, CXF and ServiceMix OverviewApache ActiveMQ, Camel, CXF and ServiceMix Overview
Apache ActiveMQ, Camel, CXF and ServiceMix Overview
 
Creating Real-Time Data Mashups with Node.JS and Adobe CQ
Creating Real-Time Data Mashups with Node.JS and Adobe CQCreating Real-Time Data Mashups with Node.JS and Adobe CQ
Creating Real-Time Data Mashups with Node.JS and Adobe CQ
 
Microservices OSGi-running-with-apache-karaf
Microservices OSGi-running-with-apache-karafMicroservices OSGi-running-with-apache-karaf
Microservices OSGi-running-with-apache-karaf
 
Cloud Foundry Deployment Tools: BOSH vs Juju Charms
Cloud Foundry Deployment Tools: BOSH vs Juju CharmsCloud Foundry Deployment Tools: BOSH vs Juju Charms
Cloud Foundry Deployment Tools: BOSH vs Juju Charms
 
Deployment Automation on OpenStack with TOSCA and Cloudify
Deployment Automation on OpenStack with TOSCA and CloudifyDeployment Automation on OpenStack with TOSCA and Cloudify
Deployment Automation on OpenStack with TOSCA and Cloudify
 
Authentication - Alberto Bellotti - ManageIQ Design Summit 2016
Authentication - Alberto Bellotti - ManageIQ Design Summit 2016Authentication - Alberto Bellotti - ManageIQ Design Summit 2016
Authentication - Alberto Bellotti - ManageIQ Design Summit 2016
 
CAPS: What's best for deploying and managing OpenStack? Chef vs. Ansible vs. ...
CAPS: What's best for deploying and managing OpenStack? Chef vs. Ansible vs. ...CAPS: What's best for deploying and managing OpenStack? Chef vs. Ansible vs. ...
CAPS: What's best for deploying and managing OpenStack? Chef vs. Ansible vs. ...
 
Cloud foundry Docker Openstack - Leading Open Source Triumvirate
Cloud foundry Docker Openstack - Leading Open Source TriumvirateCloud foundry Docker Openstack - Leading Open Source Triumvirate
Cloud foundry Docker Openstack - Leading Open Source Triumvirate
 
Microservices, Containers, Docker and a Cloud-Native Architecture in the Midd...
Microservices, Containers, Docker and a Cloud-Native Architecture in the Midd...Microservices, Containers, Docker and a Cloud-Native Architecture in the Midd...
Microservices, Containers, Docker and a Cloud-Native Architecture in the Midd...
 
Template Languages for OpenStack - Heat and TOSCA
Template Languages for OpenStack - Heat and TOSCATemplate Languages for OpenStack - Heat and TOSCA
Template Languages for OpenStack - Heat and TOSCA
 

Similaire à SambaXP 2014: Trusting Active Directory with FreeIPA: a story beyond Samba

Ldap2010
Ldap2010Ldap2010
Ldap2010CYJ
 
MongoDB.local Dallas 2019: MongoDB Atlas for Your Enterprise
MongoDB.local Dallas 2019: MongoDB Atlas for Your EnterpriseMongoDB.local Dallas 2019: MongoDB Atlas for Your Enterprise
MongoDB.local Dallas 2019: MongoDB Atlas for Your EnterpriseMongoDB
 
MongoDB.local Seattle 2019: Introduction to MongoDB Atlas for Your Enterprise
MongoDB.local Seattle 2019: Introduction to MongoDB Atlas for Your EnterpriseMongoDB.local Seattle 2019: Introduction to MongoDB Atlas for Your Enterprise
MongoDB.local Seattle 2019: Introduction to MongoDB Atlas for Your EnterpriseMongoDB
 
Optimizing the Data Tier for Serverless Web Applications - March 2017 Online ...
Optimizing the Data Tier for Serverless Web Applications - March 2017 Online ...Optimizing the Data Tier for Serverless Web Applications - March 2017 Online ...
Optimizing the Data Tier for Serverless Web Applications - March 2017 Online ...Amazon Web Services
 
Confluent kafka meetupseattle jan2017
Confluent kafka meetupseattle jan2017Confluent kafka meetupseattle jan2017
Confluent kafka meetupseattle jan2017Nitin Kumar
 
Webinar | Better Together: Apache Cassandra and Apache Kafka
Webinar | Better Together: Apache Cassandra and Apache KafkaWebinar | Better Together: Apache Cassandra and Apache Kafka
Webinar | Better Together: Apache Cassandra and Apache KafkaDataStax
 
MongoDB.local Sydney: MongoDB Atlas for Your Enterprise
MongoDB.local Sydney: MongoDB Atlas for Your EnterpriseMongoDB.local Sydney: MongoDB Atlas for Your Enterprise
MongoDB.local Sydney: MongoDB Atlas for Your EnterpriseMongoDB
 
Secure Redis Cluster At Box: Vova Galchenko, Ravitej Sistla
Secure Redis Cluster At Box: Vova Galchenko, Ravitej SistlaSecure Redis Cluster At Box: Vova Galchenko, Ravitej Sistla
Secure Redis Cluster At Box: Vova Galchenko, Ravitej SistlaRedis Labs
 
Cloudera Sandbox Event Guidelines For Workflow
Cloudera Sandbox Event Guidelines For WorkflowCloudera Sandbox Event Guidelines For Workflow
Cloudera Sandbox Event Guidelines For WorkflowTimothy Spann
 
batbern43 Self Service on a Big Data Platform
batbern43 Self Service on a Big Data Platformbatbern43 Self Service on a Big Data Platform
batbern43 Self Service on a Big Data PlatformBATbern
 
MongoDB.local Austin 2018: MongoDB Atlas for Your Enterprise
MongoDB.local Austin 2018: MongoDB Atlas for Your EnterpriseMongoDB.local Austin 2018: MongoDB Atlas for Your Enterprise
MongoDB.local Austin 2018: MongoDB Atlas for Your EnterpriseMongoDB
 
Configuring Domino To Be An Ldap Directory And To Use An Ldap Directory
Configuring Domino To Be An Ldap Directory And To Use An Ldap DirectoryConfiguring Domino To Be An Ldap Directory And To Use An Ldap Directory
Configuring Domino To Be An Ldap Directory And To Use An Ldap DirectoryEdson Oliveira
 
How to Manage Scale-Out Environments with MariaDB MaxScale
How to Manage Scale-Out Environments with MariaDB MaxScaleHow to Manage Scale-Out Environments with MariaDB MaxScale
How to Manage Scale-Out Environments with MariaDB MaxScaleMariaDB plc
 
Open Ldap Integration and Configuration with Lifray 6.2
Open Ldap Integration and Configuration with Lifray 6.2Open Ldap Integration and Configuration with Lifray 6.2
Open Ldap Integration and Configuration with Lifray 6.2Vinaykumar Hebballi
 
Securing Hadoop in an Enterprise Context (v2)
Securing Hadoop in an Enterprise Context (v2)Securing Hadoop in an Enterprise Context (v2)
Securing Hadoop in an Enterprise Context (v2)Hellmar Becker
 

Similaire à SambaXP 2014: Trusting Active Directory with FreeIPA: a story beyond Samba (20)

Ldap2010
Ldap2010Ldap2010
Ldap2010
 
MongoDB.local Dallas 2019: MongoDB Atlas for Your Enterprise
MongoDB.local Dallas 2019: MongoDB Atlas for Your EnterpriseMongoDB.local Dallas 2019: MongoDB Atlas for Your Enterprise
MongoDB.local Dallas 2019: MongoDB Atlas for Your Enterprise
 
MongoDB.local Seattle 2019: Introduction to MongoDB Atlas for Your Enterprise
MongoDB.local Seattle 2019: Introduction to MongoDB Atlas for Your EnterpriseMongoDB.local Seattle 2019: Introduction to MongoDB Atlas for Your Enterprise
MongoDB.local Seattle 2019: Introduction to MongoDB Atlas for Your Enterprise
 
Hadoop security
Hadoop securityHadoop security
Hadoop security
 
Optimizing the Data Tier for Serverless Web Applications - March 2017 Online ...
Optimizing the Data Tier for Serverless Web Applications - March 2017 Online ...Optimizing the Data Tier for Serverless Web Applications - March 2017 Online ...
Optimizing the Data Tier for Serverless Web Applications - March 2017 Online ...
 
Securing Spark Applications
Securing Spark ApplicationsSecuring Spark Applications
Securing Spark Applications
 
Confluent kafka meetupseattle jan2017
Confluent kafka meetupseattle jan2017Confluent kafka meetupseattle jan2017
Confluent kafka meetupseattle jan2017
 
Webinar | Better Together: Apache Cassandra and Apache Kafka
Webinar | Better Together: Apache Cassandra and Apache KafkaWebinar | Better Together: Apache Cassandra and Apache Kafka
Webinar | Better Together: Apache Cassandra and Apache Kafka
 
MongoDB.local Sydney: MongoDB Atlas for Your Enterprise
MongoDB.local Sydney: MongoDB Atlas for Your EnterpriseMongoDB.local Sydney: MongoDB Atlas for Your Enterprise
MongoDB.local Sydney: MongoDB Atlas for Your Enterprise
 
Secure Redis Cluster At Box: Vova Galchenko, Ravitej Sistla
Secure Redis Cluster At Box: Vova Galchenko, Ravitej SistlaSecure Redis Cluster At Box: Vova Galchenko, Ravitej Sistla
Secure Redis Cluster At Box: Vova Galchenko, Ravitej Sistla
 
Cloudera Sandbox Event Guidelines For Workflow
Cloudera Sandbox Event Guidelines For WorkflowCloudera Sandbox Event Guidelines For Workflow
Cloudera Sandbox Event Guidelines For Workflow
 
batbern43 Self Service on a Big Data Platform
batbern43 Self Service on a Big Data Platformbatbern43 Self Service on a Big Data Platform
batbern43 Self Service on a Big Data Platform
 
SSO with kerberos
SSO with kerberosSSO with kerberos
SSO with kerberos
 
MongoDB.local Austin 2018: MongoDB Atlas for Your Enterprise
MongoDB.local Austin 2018: MongoDB Atlas for Your EnterpriseMongoDB.local Austin 2018: MongoDB Atlas for Your Enterprise
MongoDB.local Austin 2018: MongoDB Atlas for Your Enterprise
 
Configuring Domino To Be An Ldap Directory And To Use An Ldap Directory
Configuring Domino To Be An Ldap Directory And To Use An Ldap DirectoryConfiguring Domino To Be An Ldap Directory And To Use An Ldap Directory
Configuring Domino To Be An Ldap Directory And To Use An Ldap Directory
 
Technical tips for secure Apache Hadoop cluster #ApacheConAsia #ApacheCon
Technical tips for secure Apache Hadoop cluster #ApacheConAsia #ApacheConTechnical tips for secure Apache Hadoop cluster #ApacheConAsia #ApacheCon
Technical tips for secure Apache Hadoop cluster #ApacheConAsia #ApacheCon
 
How to Manage Scale-Out Environments with MariaDB MaxScale
How to Manage Scale-Out Environments with MariaDB MaxScaleHow to Manage Scale-Out Environments with MariaDB MaxScale
How to Manage Scale-Out Environments with MariaDB MaxScale
 
Open Ldap Integration and Configuration with Lifray 6.2
Open Ldap Integration and Configuration with Lifray 6.2Open Ldap Integration and Configuration with Lifray 6.2
Open Ldap Integration and Configuration with Lifray 6.2
 
Securing Hadoop in an Enterprise Context (v2)
Securing Hadoop in an Enterprise Context (v2)Securing Hadoop in an Enterprise Context (v2)
Securing Hadoop in an Enterprise Context (v2)
 
Securing Hadoop in an Enterprise Context
Securing Hadoop in an Enterprise ContextSecuring Hadoop in an Enterprise Context
Securing Hadoop in an Enterprise Context
 

Dernier

A Guide to Choosing the Ideal Air Cooler
A Guide to Choosing the Ideal Air CoolerA Guide to Choosing the Ideal Air Cooler
A Guide to Choosing the Ideal Air Coolerenquirieskenstar
 
THE COUNTRY WHO SOLVED THE WORLD_HOW CHINA LAUNCHED THE CIVILIZATION REVOLUTI...
THE COUNTRY WHO SOLVED THE WORLD_HOW CHINA LAUNCHED THE CIVILIZATION REVOLUTI...THE COUNTRY WHO SOLVED THE WORLD_HOW CHINA LAUNCHED THE CIVILIZATION REVOLUTI...
THE COUNTRY WHO SOLVED THE WORLD_HOW CHINA LAUNCHED THE CIVILIZATION REVOLUTI...漢銘 謝
 
Chizaram's Women Tech Makers Deck. .pptx
Chizaram's Women Tech Makers Deck. .pptxChizaram's Women Tech Makers Deck. .pptx
Chizaram's Women Tech Makers Deck. .pptxogubuikealex
 
General Elections Final Press Noteas per M
General Elections Final Press Noteas per MGeneral Elections Final Press Noteas per M
General Elections Final Press Noteas per MVidyaAdsule1
 
05.02 MMC - Assignment 4 - Image Attribution Lovepreet.pptx
05.02 MMC - Assignment 4 - Image Attribution Lovepreet.pptx05.02 MMC - Assignment 4 - Image Attribution Lovepreet.pptx
05.02 MMC - Assignment 4 - Image Attribution Lovepreet.pptxerickamwana1
 
Application of GIS in Landslide Disaster Response.pptx
Application of GIS in Landslide Disaster Response.pptxApplication of GIS in Landslide Disaster Response.pptx
Application of GIS in Landslide Disaster Response.pptxRoquia Salam
 
Testing and Development Challenges for Complex Cyber-Physical Systems: Insigh...
Testing and Development Challenges for Complex Cyber-Physical Systems: Insigh...Testing and Development Challenges for Complex Cyber-Physical Systems: Insigh...
Testing and Development Challenges for Complex Cyber-Physical Systems: Insigh...Sebastiano Panichella
 
RACHEL-ANN M. TENIBRO PRODUCT RESEARCH PRESENTATION
RACHEL-ANN M. TENIBRO PRODUCT RESEARCH PRESENTATIONRACHEL-ANN M. TENIBRO PRODUCT RESEARCH PRESENTATION
RACHEL-ANN M. TENIBRO PRODUCT RESEARCH PRESENTATIONRachelAnnTenibroAmaz
 
Testing with Fewer Resources: Toward Adaptive Approaches for Cost-effective ...
Testing with Fewer Resources: Toward Adaptive Approaches for Cost-effective ...Testing with Fewer Resources: Toward Adaptive Approaches for Cost-effective ...
Testing with Fewer Resources: Toward Adaptive Approaches for Cost-effective ...Sebastiano Panichella
 
cse-csp batch4 review-1.1.pptx cyber security
cse-csp batch4 review-1.1.pptx cyber securitycse-csp batch4 review-1.1.pptx cyber security
cse-csp batch4 review-1.1.pptx cyber securitysandeepnani2260
 
Don't Miss Out: Strategies for Making the Most of the Ethena DigitalOpportunity
Don't Miss Out: Strategies for Making the Most of the Ethena DigitalOpportunityDon't Miss Out: Strategies for Making the Most of the Ethena DigitalOpportunity
Don't Miss Out: Strategies for Making the Most of the Ethena DigitalOpportunityApp Ethena
 
GESCO SE Press and Analyst Conference on Financial Results 2024
GESCO SE Press and Analyst Conference on Financial Results 2024GESCO SE Press and Analyst Conference on Financial Results 2024
GESCO SE Press and Analyst Conference on Financial Results 2024GESCO SE
 
Engaging Eid Ul Fitr Presentation for Kindergartners.pptx
Engaging Eid Ul Fitr Presentation for Kindergartners.pptxEngaging Eid Ul Fitr Presentation for Kindergartners.pptx
Engaging Eid Ul Fitr Presentation for Kindergartners.pptxAsifArshad8
 
proposal kumeneger edited.docx A kumeeger
proposal kumeneger edited.docx A kumeegerproposal kumeneger edited.docx A kumeeger
proposal kumeneger edited.docx A kumeegerkumenegertelayegrama
 
Internship Presentation | PPT | CSE | SE
Internship Presentation | PPT | CSE | SEInternship Presentation | PPT | CSE | SE
Internship Presentation | PPT | CSE | SESaleh Ibne Omar
 
INDIAN GCP GUIDELINE. for Regulatory affair 1st sem CRR
INDIAN GCP GUIDELINE. for Regulatory affair 1st sem CRRINDIAN GCP GUIDELINE. for Regulatory affair 1st sem CRR
INDIAN GCP GUIDELINE. for Regulatory affair 1st sem CRRsarwankumar4524
 
Quality by design.. ppt for RA (1ST SEM
Quality by design.. ppt for RA (1ST SEMQuality by design.. ppt for RA (1ST SEM
Quality by design.. ppt for RA (1ST SEMCharmi13
 

Dernier (17)

A Guide to Choosing the Ideal Air Cooler
A Guide to Choosing the Ideal Air CoolerA Guide to Choosing the Ideal Air Cooler
A Guide to Choosing the Ideal Air Cooler
 
THE COUNTRY WHO SOLVED THE WORLD_HOW CHINA LAUNCHED THE CIVILIZATION REVOLUTI...
THE COUNTRY WHO SOLVED THE WORLD_HOW CHINA LAUNCHED THE CIVILIZATION REVOLUTI...THE COUNTRY WHO SOLVED THE WORLD_HOW CHINA LAUNCHED THE CIVILIZATION REVOLUTI...
THE COUNTRY WHO SOLVED THE WORLD_HOW CHINA LAUNCHED THE CIVILIZATION REVOLUTI...
 
Chizaram's Women Tech Makers Deck. .pptx
Chizaram's Women Tech Makers Deck. .pptxChizaram's Women Tech Makers Deck. .pptx
Chizaram's Women Tech Makers Deck. .pptx
 
General Elections Final Press Noteas per M
General Elections Final Press Noteas per MGeneral Elections Final Press Noteas per M
General Elections Final Press Noteas per M
 
05.02 MMC - Assignment 4 - Image Attribution Lovepreet.pptx
05.02 MMC - Assignment 4 - Image Attribution Lovepreet.pptx05.02 MMC - Assignment 4 - Image Attribution Lovepreet.pptx
05.02 MMC - Assignment 4 - Image Attribution Lovepreet.pptx
 
Application of GIS in Landslide Disaster Response.pptx
Application of GIS in Landslide Disaster Response.pptxApplication of GIS in Landslide Disaster Response.pptx
Application of GIS in Landslide Disaster Response.pptx
 
Testing and Development Challenges for Complex Cyber-Physical Systems: Insigh...
Testing and Development Challenges for Complex Cyber-Physical Systems: Insigh...Testing and Development Challenges for Complex Cyber-Physical Systems: Insigh...
Testing and Development Challenges for Complex Cyber-Physical Systems: Insigh...
 
RACHEL-ANN M. TENIBRO PRODUCT RESEARCH PRESENTATION
RACHEL-ANN M. TENIBRO PRODUCT RESEARCH PRESENTATIONRACHEL-ANN M. TENIBRO PRODUCT RESEARCH PRESENTATION
RACHEL-ANN M. TENIBRO PRODUCT RESEARCH PRESENTATION
 
Testing with Fewer Resources: Toward Adaptive Approaches for Cost-effective ...
Testing with Fewer Resources: Toward Adaptive Approaches for Cost-effective ...Testing with Fewer Resources: Toward Adaptive Approaches for Cost-effective ...
Testing with Fewer Resources: Toward Adaptive Approaches for Cost-effective ...
 
cse-csp batch4 review-1.1.pptx cyber security
cse-csp batch4 review-1.1.pptx cyber securitycse-csp batch4 review-1.1.pptx cyber security
cse-csp batch4 review-1.1.pptx cyber security
 
Don't Miss Out: Strategies for Making the Most of the Ethena DigitalOpportunity
Don't Miss Out: Strategies for Making the Most of the Ethena DigitalOpportunityDon't Miss Out: Strategies for Making the Most of the Ethena DigitalOpportunity
Don't Miss Out: Strategies for Making the Most of the Ethena DigitalOpportunity
 
GESCO SE Press and Analyst Conference on Financial Results 2024
GESCO SE Press and Analyst Conference on Financial Results 2024GESCO SE Press and Analyst Conference on Financial Results 2024
GESCO SE Press and Analyst Conference on Financial Results 2024
 
Engaging Eid Ul Fitr Presentation for Kindergartners.pptx
Engaging Eid Ul Fitr Presentation for Kindergartners.pptxEngaging Eid Ul Fitr Presentation for Kindergartners.pptx
Engaging Eid Ul Fitr Presentation for Kindergartners.pptx
 
proposal kumeneger edited.docx A kumeeger
proposal kumeneger edited.docx A kumeegerproposal kumeneger edited.docx A kumeeger
proposal kumeneger edited.docx A kumeeger
 
Internship Presentation | PPT | CSE | SE
Internship Presentation | PPT | CSE | SEInternship Presentation | PPT | CSE | SE
Internship Presentation | PPT | CSE | SE
 
INDIAN GCP GUIDELINE. for Regulatory affair 1st sem CRR
INDIAN GCP GUIDELINE. for Regulatory affair 1st sem CRRINDIAN GCP GUIDELINE. for Regulatory affair 1st sem CRR
INDIAN GCP GUIDELINE. for Regulatory affair 1st sem CRR
 
Quality by design.. ppt for RA (1ST SEM
Quality by design.. ppt for RA (1ST SEMQuality by design.. ppt for RA (1ST SEM
Quality by design.. ppt for RA (1ST SEM
 

SambaXP 2014: Trusting Active Directory with FreeIPA: a story beyond Samba

  • 1. Trusting Active Directory with FreeIPA: a story beyond Samba Alexander Bokovoy <ab@samba.org> Red Hat May 15th, 2014
  • 2. Trusting Active Directory with FreeIPA 1 FreeIPA What is FreeIPA? Cross Forest Trusts Using trust to access FreeIPA Using trust to access legacy clients Compatibility with Active Directory 2 Demo
  • 3. Trusting Active Directory with FreeIPA A story beyond Samba 1 FreeIPA What is FreeIPA? Cross Forest Trusts Using trust to access FreeIPA Using trust to access legacy clients Compatibility with Active Directory 2 Demo
  • 4. FreeIPA: http://www.freeipa.org I: Identity LDAP-based store for common objects (users, groups, hosts, services, ...) 389-ds as an LDAP server with FreeIPA server-side plugins MIT Kerberos KDC with FreeIPA driver Integrated certificate management with Dogtag Certificate Authority Python-based command line and Web management tools P: Policy Delegation and separation of access Flexible delegation of editing controls Host-based access controls to services: Everything is denied by default, define rules to allow <user or group[, source host]>→<host, service> Rules enforced at client side with SSSD project A: Audit Coming...
  • 6. Trusting Active Directory with FreeIPA A story beyond Samba 1 FreeIPA What is FreeIPA? Cross Forest Trusts Using trust to access FreeIPA Using trust to access legacy clients Compatibility with Active Directory 2 Demo
  • 7. Kerberos cross-forest trusts FreeIPA deployment is a fully managed Kerberos realm Can be integrated with Windows as RFC4120-compliant Kerberos realm Traditional Kerberos trust management applies: on GNU/Linux side ~/.k5login should be defined to impersonate users with identities Does not scale well for thousands of users and hosts: a foreign realm principal impersonates our realm’s user requires additional management of special users to impersonate doubling the management effort mapping has to happen on every single machine. Manually?
  • 8. Active Directory native cross forest trusts Require two Active Directory domains AD domain establishes trust with another AD domain via LSA RPC AD uses LSA RPC to map incoming principals to SIDs technically: KDC + CLDAP + LSA RPC FreeIPA provides KDC and LDAP, Samba provides LSA RPC
  • 9. FreeIPA v3 architecture Full overview is available at http://freeipa.org/page/IPAv3_Architecture
  • 10. FreeIPA passdb backend Expansion of traditional LDAP passdb backend New schema objects and attributes to support trusted domain information Support for uid/gid ranges for multi-master replicas Kerberos principal creation for foreign domain account
  • 11. FreeIPA KDC backend Generates MS PAC information out of LDAP info and add to the ticket Allows to accept principals and tickets from a trusted cross forest realm Filters out SIDs for both incoming and outgoing trust paths Verifies and signs MS PAC coming from a trusted cross forest realm Checks authentication paths for non-hierarchical cross-realm
  • 12. FreeIPA configuration tools FreeIPA has command line (CLI) and Web user interfaces ipa trust-add creates new cross-forest trust CLI operates with Kerberos authentication Request is sent to FreeIPA server via XML-RPC over HTTPS with Kerberos auth FreeIPA uses S4U2Proxy Kerberos feature to allow constrained delegation Samba 4 Python bindings are used to establish trust Code runs under non-privileged account (apache) Uses Kerberos ticket obtained via XML-RPC with the help of mod kerb auth Issues Kerberos-authenticated LSA RPC requests to a local smbd Uses AD credentials or shared secret passed via XML-RPC request to talk to AD DC
  • 13. Trusting Active Directory with FreeIPA A story beyond Samba 1 FreeIPA What is FreeIPA? Cross Forest Trusts Using trust to access FreeIPA Using trust to access legacy clients Compatibility with Active Directory 2 Demo
  • 14. Using FreeIPA services with AD credentials Use of FreeIPA client system with AD cross forest credentials: Client system is provisioned with ipa-client-install SSSD is configured during provisioning to talk to FreeIPA LDAP krb5.conf is configured to perform mapping of cross forest trusted realm principal to user name 1:1 without removing the realm, e.g. Administrator@AD.SAMBAXP becomes user ’Administrator@ad.sambaxp’ Manual auth to local rules in krb5.conf will not be needed with MIT Kerberos 1.12 once SSSD will provide a plugin to fetch these rules from the FreeIPA server
  • 15. Using FreeIPA services with AD credentials
  • 16. Using FreeIPA services with AD credentials On the IPA client, an SSH log-in causes following activity: SSH checks if user exists on the system SSSD handles the request and sees the user is not local. From IPA client SSSD sends LDAP extended operation to FreeIPA LDAP server. Extended operation on LDAP server results in calls to SSSD on the server to perform external domain user/group mapping in FreeIPA 3.0 SSSD uses Winbind on IPA server to resolve the mapping in FreeIPA 3.3 SSSD on IPA server performs the mapping natively against AD DCs UID/GID are returned to SSH, GSSAPI is used to log-in that ’local’ user SSSD uses MS PAC from the Kerberos ticket to fill up groups information, converting SIDs to groups using FreeIPA LDAP extended operation
  • 17. Trusting Active Directory with FreeIPA A story beyond Samba 1 FreeIPA What is FreeIPA? Cross Forest Trusts Using trust to access FreeIPA Using trust to access legacy clients Compatibility with Active Directory 2 Demo
  • 18. Using FreeIPA services with AD credentials SSSD plays crucial role: it forwards ID resolution of AD users to IPA server and performs MS-PAC analysis Support for FreeIPA LDAP extended operation was added in SSSD 1.9 Older versions or machines without SSSD can’t use the feature, are we lost?
  • 19. Supporting ‘legacy clients’ FreeIPA provides a compatibility LDAP tree, cn=compat,cn=ipa,cn=sambaxp Compatibility tree re-exports IPA users for systems that cannot be configured against the primary tree When cross-forest trust is enabled, the compatibility tree shows AD users ipa-advise tool can be used to get configuration recipes for legacy clients
  • 20. Supporting ‘legacy clients’ A request comes from nss ldap, nslcd, or old version of SSSD over compatibility tree: Internally, search is performed over the primary tree If search does not succeed, FreeIPA decodes the request (uid=username ) is recognized as a user search by name (uidNumber=number ) is recognized as a user search by ID (&(cn=groupname )(objectClass=posixGroup)) is recognized as a group search by name (gidNumber=number ) is recognized as a group search by ID (memberuid=username ) is recognized as a group search by a member name Request is sent to SSSD for lookup, result is inserted into the compatibility tree LDAP bind operation is translated into PAM authentication request
  • 21. Supporting ‘legacy clients’ Compatibility tree works fine with any Linux or UNIX-like systems that supports PAM and NSS API However, there are caveats: AD user name is fully qualified: Administrator@AD.SAMBAXP = 24 characters FreeBSD systems have by default limit for user names of 16 letters even in FreeBSD 9+ The limit is kernel compile-time, http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/133926 Other *BSD systems have similar issues Kerberos authentication might not be possible unless krb5.conf is explicitly configured on the client to recognize AD realms All authentication for legacy logons with AD credentials happens on IPA server
  • 22. Trusting Active Directory with FreeIPA A story beyond Samba 1 FreeIPA What is FreeIPA? Cross Forest Trusts Using trust to access FreeIPA Using trust to access legacy clients Compatibility with Active Directory 2 Demo
  • 23. Compatibility with Active Directory FreeIPA 3.3 was tested by a Microsoft team in summer 2013 against Windows Server 2012 build 9200. FreeIPA as a trusted realm to AD, passed 106/117 tests Failed only Claims or Compound Identity tests which Samba doesn’t support yet FreeIPA as a local realm to a Windows client, passed 69/117 tests Main issues: FreeIPA cannot return the correct error code (8 cases) FreeIPA does not contain attributes in AD (11 cases) FreeIPA does not support Claims or Compound Identity (11 cases) FreeIPA KDCOption and Flags Issue (7 cases) FreeIPA missing PA-DATA (1 case) FreeIPA configuration issue (2 cases) FreeIPA KDC is case sensitive (1 case) We plan to make a new test run with FreeIPA 4.0 in autumn 2014
  • 24. DEMO
  • 25. Questions & Answers Slides http://www.samba.org/~ab/sambaxp/2014/