Re: [ldapext] RFC2307, netgroups, DBIS
Mark R Bannister <dbis@proseconsulting.co.uk> Wed, 11 February 2015 11:56 UTC
Return-Path: <dbis@proseconsulting.co.uk>
X-Original-To: ldapext@ietfa.amsl.com
Delivered-To: ldapext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B716C1A885E for <ldapext@ietfa.amsl.com>; Wed, 11 Feb 2015 03:56:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.1
X-Spam-Level: *
X-Spam-Status: No, score=1.1 tagged_above=-999 required=5 tests=[BAYES_50=0.8, MIME_8BIT_HEADER=0.3] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FUkPzJf8TtqR for <ldapext@ietfa.amsl.com>; Wed, 11 Feb 2015 03:56:50 -0800 (PST)
Received: from mailex.mailcore.me (mailex.mailcore.me [94.136.40.64]) by ietfa.amsl.com (Postfix) with ESMTP id 1E4D31A00EF for <ldapext@ietf.org>; Wed, 11 Feb 2015 03:56:50 -0800 (PST)
Received: from host86-178-119-74.range86-178.btcentralplus.com ([86.178.119.74] helo=[192.168.1.67]) by mail5.atlas.pipex.net with esmtpa (Exim 4.71) (envelope-from <dbis@proseconsulting.co.uk>) id 1YLVuS-0004NN-EV; Wed, 11 Feb 2015 11:56:48 +0000
Message-ID: <54DB437C.4050501@proseconsulting.co.uk>
Date: Wed, 11 Feb 2015 11:56:44 +0000
From: Mark R Bannister <dbis@proseconsulting.co.uk>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.4.0
MIME-Version: 1.0
To: Michael Ströder <michael@stroeder.com>, ldapext@ietf.org
References: <etPan.54c553b0.19e21bb2.1f2@lpm.local> <54C77E7A.6010506@proseconsulting.co.uk> <54C7B32A.7050709@stroeder.com> <54C7FA23.7000101@proseconsulting.co.uk> <54C80DB9.10901@stroeder.com> <54C81EBD.3020804@proseconsulting.co.uk> <54C921AB.1090309@stroeder.com> <54CEADBC.5070902@proseconsulting.co.uk> <54CF4F66.5000001@stroeder.com> <54D291ED.1080803@proseconsulting.co.uk> <54D2A608.6050907@stroeder.com>
In-Reply-To: <54D2A608.6050907@stroeder.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Mailcore-Auth: 12040446
X-Mailcore-Domain: 1286164
Archived-At: <http://mailarchive.ietf.org/arch/msg/ldapext/_5dvtYudwgcyYXH8lFX_YBdFV0o>
Subject: Re: [ldapext] RFC2307, netgroups, DBIS
X-BeenThere: ldapext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: LDAP Extension Working Group <ldapext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ldapext>, <mailto:ldapext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ldapext/>
List-Post: <mailto:ldapext@ietf.org>
List-Help: <mailto:ldapext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ldapext>, <mailto:ldapext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Feb 2015 11:56:53 -0000
On 04/02/2015 23:06, Michael Ströder wrote: > Mark R Bannister wrote: >> michael@stroeder.com wrote: >>> Mark R Bannister wrote: >>>> Agreed, great for access control. But I don't see how that will work for the >>>> other netgroup use-cases. >>> Which particular netgroup use-cases do you see? >>> One example is sufficient. >> Generically, application roles. A specific example: sudo, where sudo rules >> are enabled for users based on netgroup membership. The LDAP server does not >> know the user requesting sudo access, only the client system knows that, so >> server-side ACLs are not going to help. > The server only sees 'sudoRole' entries assigned as visible for its particular > server/host/service group(s). Which particular command a user can execute is > indeed subject to fine-grained control by sudo on the client (based on > attribute 'sudoUser' which with my approach is restricted to only referencing > user groups). So you've come up with a point solution for 'sudo' that would replace the need for sudo to use netgroups, because you don't like netgroups. Great for sudo, perhaps, but netgroups are of generic use to multiple applications, whereas 'sudoRole' and 'sudoUser' are specific to sudo only. I don't think it's a great idea to replace a solution of generic applicability with one that addresses the need of one specific use-case only. >> I do need to give a second example, because the first is specific to users. >> Here is one specific to hosts: NFS, where an NFS server might grant read-only >> access to every host on the network except for those that are members of a >> specific netgroup, which get read-write access. The NFS server needs to know >> when a client request comes in whether this host is a member of the netgroup >> that grants read-write access or not, and this cannot be implemented by >> server-side ACLs, because only the NFS server knows the identity of the client >> requesting access to the fileshare. > In my model such a NFS client host would be also simply an authenticated > (system) user and member of user groups. The NFS server only sees user groups > assigned as visible for its particular server/host/service group. And > furthermore it only sees the members of those user groups (NFS clients in this > example). I'm not the world's biggest fan of "service accounts", as users should be users in my mind, not systems, but they're prevalent everywhere and I'm not going to solve that one. However, replacing another example of where netgroups fit nicely with one that requires every NFS client to have its own authenticated user account is not practical in an enterprise environment with 80,000 user accounts already and 60,000 hosts. NFSv4 has already solved the NFS authentication problem, and that requires nothing more than the user who attempts to access the files having a valid Kerberos ticket. > >> In the deployments I see, typically every user can login to every host, and >> any application could run anywhere, therefore any compromised machine will of >> course yield all NSS data. > Yes. But not with my approach. Why not? If everyone can login everywhere, your approach solves nothing? It just adds an extra layer of complexity and an extra hurdle to those attempting to troubleshoot issues. > >> However, the NSS data isn't particularly sensitive anyway, > I disagree. If everyone can login everywhere, what NSS data is sensitive? > >> and quite often the LDAP directories are open for anyone with a network >> device to query over port 389 anyway, > Yes in general, but not with my approach. ;-} Yes but I'm trying to see how your approach can be made applicable for all, I don't see how it could be put out for general use, and therefore I don't see how it can be compared with DBIS or RFC2307, both of which are designed for wide adoption. > >> so I haven't worked in an organisation yet where applying server-side ACLs >> to NSS maps would actually be of any practical use. > Well, this system is in production use. :-) So is a lot of software, good and bad. > >> What was the use-case you saw for it? > Role separation with separate credentials (especially passwords for sudo > access), and paranoid protection of information I consider sensitive because > it could be used to plan next steps (e.g. social engineering). So what if I login one of your hosts and type 'getent passwd'. What will I see? Enough data to do some social engineering? > And furthermore you can keep the client configuration and map evaluation very > simple because the visibility of users and user groups is constrained by > access control based on server/host/service group membership of the NSS client. At the cost of added complexity, a false sense of security unless you are very careful how you design who can login to which hosts, and at best you've just shifted the target point for hackers to the LDAP servers instead. Best regards, Mark.
- Re: [ldapext] LDAP work at IETF... Michael Ströder
- [ldapext] LDAP work at IETF... Ludovic Poitou
- Re: [ldapext] LDAP work at IETF... Gavin Henry
- Re: [ldapext] LDAP work at IETF... Michael Ströder
- Re: [ldapext] LDAP work at IETF... Clément OUDOT
- Re: [ldapext] LDAP work at IETF... Michael Ströder
- Re: [ldapext] LDAP work at IETF... Andrew Findlay
- Re: [ldapext] LDAP work at IETF... Michael Ströder
- Re: [ldapext] LDAP work at IETF... Mark R Bannister
- Re: [ldapext] LDAP work at IETF... Michael Ströder
- Re: [ldapext] LDAP work at IETF... Mark R Bannister
- Re: [ldapext] LDAP work at IETF... Michael Ströder
- Re: [ldapext] LDAP work at IETF... Mark R Bannister
- Re: [ldapext] LDAP work at IETF... Michael Ströder
- Re: [ldapext] LDAP work at IETF... Mark R Bannister
- Re: [ldapext] LDAP work at IETF... Mark R Bannister
- [ldapext] RFC2307, netgroups, DBIS (was: LDAP wor… michael-catchall@mail.stroeder.local (POP3)
- [ldapext] RFC2307, netgroups, DBIS (was: LDAP wor… michael-catchall@mail.stroeder.local (POP3)
- Re: [ldapext] RFC2307, netgroups, DBIS Mark R Bannister
- Re: [ldapext] RFC2307, netgroups, DBIS Mark R Bannister
- Re: [ldapext] RFC2307, netgroups, DBIS Michael Ströder
- Re: [ldapext] RFC2307, netgroups, DBIS Michael Ströder
- Re: [ldapext] LDAP work at IETF... Clément OUDOT
- Re: [ldapext] LDAP work at IETF... Ludovic Poitou
- Re: [ldapext] RFC2307, netgroups, DBIS Mark R Bannister
- Re: [ldapext] RFC2307, netgroups, DBIS Mark R Bannister
- Re: [ldapext] RFC2307, netgroups, DBIS Michael Ströder
- Re: [ldapext] RFC2307, netgroups, DBIS Michael Ströder
- Re: [ldapext] LDAP work at IETF... Barry Leiba
- Re: [ldapext] LDAP work at IETF... Barry Leiba
- Re: [ldapext] LDAP work at IETF... Michael Ströder
- Re: [ldapext] LDAP work at IETF... Ludovic Poitou