FACULTY OF INFORMATICS
freeipa-manager
BACHELOR'S THESIS
Kristián Leško
Acknowledgement
Abstract
Keywords
FreeIPA, identity management, LDAP, RBAC, access control
Contents
Introduction 1
3 FreeIPA 9
3.1 Features 9
3.2 Entity representation 11
3.3 Usage at GoodData 12
4 GoodData requirements 15
4.1 Entity structure management 15
4.2 Backup and restore capabilities 16
4.3 Inter-team cooperation 17
4.4 Audit 18
5 freeipa-manager implementation 19
5.1 Brief history 19
5.2 Design decisions 20
5.3 Features 22
Conclusion 27
Bibliography 29
Introduction
1 Identity management (IdM)
1.1 Motivation
1.2 Concepts
A vast majority of enterprises adhere to a handful of security principles to ensure adequate protection of their resources from possible damages caused by users, either by negligence or malicious behavior. The principle of least privilege states that each user should only be granted access to systems they necessarily require to carry out their assigned work. The goal is to stop users from damaging the company systems by not granting them extra powers they might abuse [2]. Additionally, the application of this principle may prevent situations where a user might accidentally access and break a system they do not use as part of their work.

The related concept of segregation of duties is the idea that no single user should possess so much power that abusing it would be detrimental to the company [3]. This implies defining processes such as code review, where each change to the produced software made by one user needs to be verified by another one, or distribution of access to critically important systems to different groups of users.
2 IdM technologies overview
1. https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/bb727030(v=technet.10)
2. https://directory.fedoraproject.org/
3. https://directory.apache.org/
2.2 LDAP
Lightweight Directory Access Protocol (LDAP) is the chief protocol currently used for access to directory servers. Based on the older family of X.500 protocols, LDAP was originally created as their lightweight alternative allowing TCP/IP usage but has since evolved to a standalone format [5].

LDAP stores resources in a hierarchical structure identified by their distinguished names (DN), constructed from a pre-defined attribute of an entry and its path inside the directory tree. The entries have an attribute-value format:
dn: cn=user1,cn=users,dc=domain,dc=com
cn: user1
name: Firstname
sn: Lastname
phone: +123 456 789
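As an added illustration of the DN hierarchy just described (this is my own example, not code from the thesis or from freeipa-manager), the following Python script parses a constructed set of LDIF-style entries, splits each DN into its relative components, derives the parent entry, and checks that the leading RDN is actually backed by the entry's own attribute. The last check is the consistency property a directory server enforces when an entry is added: the DN is not free text but is built from an attribute the entry carries.

```python
"""Added example (not from the thesis): parse LDIF-style attribute-value
entries and derive the directory hierarchy from their distinguished names."""
import re

# Constructed sample directory in LDIF-style text; not taken from any real server.
# The last entry deliberately has a cn that does not match its DN.
SAMPLE_LDIF = """\
dn: dc=domain,dc=com
objectClass: domain
dc: domain

dn: cn=users,dc=domain,dc=com
objectClass: container
cn: users

dn: cn=user1,cn=users,dc=domain,dc=com
cn: user1
name: Firstname
sn: Lastname
phone: +123 456 789

dn: cn=user2,cn=users,dc=domain,dc=com
cn: someone-else
sn: Mismatch
"""


def parse_ldif(text):
    """Return a list of entries; each entry is a dict attr -> list of values.
    Only the plain attribute-value subset shown in the thesis is handled
    (no base64 values, no line continuations)."""
    entries = []
    current = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def split_dn(dn):
    """Split a DN into (attribute, value) RDN pairs, most specific first.
    A comma escaped as \\, inside a value does not split the DN."""
    pairs = []
    for rdn in re.split(r'(?<!\\),', dn):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def parent_dn(dn):
    """The DN of the containing entry, or '' for a single-component DN."""
    return ",".join(f"{a}={v}" for a, v in split_dn(dn)[1:])


def rdn_consistent(entry):
    """True if the leading RDN of the entry's DN is backed by the matching
    attribute of the entry (e.g. dn 'cn=user1,...' requires cn: user1)."""
    attr, value = split_dn(entry["dn"][0])[0]
    return value in entry.get(attr, [])


def build_tree(entries):
    """Map each DN to the list of its child DNs, making the hierarchy explicit."""
    children = {e["dn"][0]: [] for e in entries}
    for e in entries:
        parent = parent_dn(e["dn"][0])
        if parent in children:
            children[parent].append(e["dn"][0])
    return children


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    for e in parsed:
        status = "consistent" if rdn_consistent(e) else "RDN/attribute mismatch"
        print(e["dn"][0], status)
    for dn, kids in build_tree(parsed).items():
        print(dn, "->", kids)
```

Running the script reports the third entry as consistent and the fourth as a mismatch, and prints each container together with the entries beneath it; the same parent-DN derivation is what lets a tool reason about where an entry sits in the tree without consulting the server.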
2.3.1 OpenLDAP
4. http://www.openldap.org/doc/admin24/
5. https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis
6. https://jumpcloud.com/product/
3 FreeIPA
3.1 Features
1. https://directory.fedoraproject.org/
2. https://www.freeipa.org/page/Directory_Server
3. https://www.freeipa.org/page/DNS
rolled to the directory can then obtain certificates from the server and use them for SSL verification purposes (such as when deploying a web server on a host). The server supports granting, renewal and revocation of certificates.

The certificate server may either function as a certificate authority (CA) with a self-signed certificate, or it can be provided a certificate from an external authority. A FreeIPA domain may also be configured in a CA-less mode where no certificate management occurs.
4. https://www.freeipa.org/page/Kerberos
5. https://www.freeipa.org/page/PKI
Users and hosts (or servers) form the most basic level of entities, with access to hosts being the ultimate objective of the provided access control services and users being the receivers of this access.

Both user and host entities generally need to be created by a system administrator; an initial password is generated during the creation process. Users can then perform a self-service change of this credential via the web UI, while the ipa-client-install utility is used on hosts, which switches the host to Kerberos authentication for any future operations. A host can additionally be defined to be managed by another host, which grants the latter host the power to represent the former one for some applications.
3.2.2 Services
3.2.3 Groups
There are two types of groups supported by FreeIPA: user groups
(called simply groups in FreeIPA terminology) and host groups (called
hostgroups). Groups represent an arbitrary logical grouping of entities
of a given type, and can also be nested to represent more complicated
relationships between entities. Host groups are purely internal to
FreeIPA and serve only for the purpose of defining access control
rules, while user groups can also be configured to receive a POSIX
group ID and exist as regular user groups on client machines.
3.2.4 Rules
4 GoodData requirements
On the other hand, once we keep the entity state in a place separate from the FreeIPA installation itself, such as a version control repository, we can proclaim this repository to be the authoritative source of entity configuration. Implementing an interface to store entities from FreeIPA to this repository, as well as pushing them back to the server, enables us to handle the aforementioned use cases more efficiently.

It is important to note that freeipa-manager does not make all purposes of FreeIPA's built-in backup functionality obsolete. The main reason is that the tool only works with the representation of entities, while ignoring other components of FreeIPA, such as certificates or DNS records. Therefore, it still makes sense to maintain regular backups of a FreeIPA installation even where this tool is employed for entity pulling.
4.4 Audit
5 freeipa-manager implementation
1. https://github.com/gooddata/freeipa-manager/commit/8e84e70
2. https://github.com/gooddata/freeipa-manager/commit/3a6d5f9
3. https://github.com/gooddata/freeipa-manager/commit/c231000
4. https://github.com/gooddata/freeipa-manager/commit/3f8196b
5. https://github.com/gooddata/freeipa-manager/commit/4a68432
6. https://github.com/gooddata/freeipa-manager/commit/5ea4f74
However, this did not prove viable due to the high level of differences in the nature of the particular entity types. It therefore followed that each entity type we wished to represent in the tool would have to be implemented separately, which meant that a compromise was needed between investing resources into implementation and the practicality of being able to manage each particular entity type using the tooling.

For the initial deployment of the tool, a set of five entity types - users, user groups, host groups, HBAC rules and sudo rules - was selected for implementation. It might intuitively be expected that hosts would be a logical addition to this entity type set; however, due to the dynamic nature of our hosts' lifecycle, we decided early on that we did not wish to represent them in the freeipa-manager config; we merely chose to use separate measures to ensure that hosts are assigned to the correct host groups when deployed, and to manage the access to them on the host group level only.

The support for other entity types, such as services and roles, was implemented later in the development process.⁷ Since the purpose of
The decision regarding the mode of the tool's operation was a major turning point in its design. As described earlier, there were four different groups of FreeIPA users in our company at the time of implementation. Varying use cases and difficulties in their adaptation to process changes required us to find compromises in the way we planned to deploy and use freeipa-manager, even causing us to implement two separate manners of the tool's operation - the push and pull modes.

The ideal goal behind the tool's conception was to proclaim its configuration files as the source of truth about FreeIPA entities, and to utilize it to fully manage those entities in the given FreeIPA instal-
7. https://github.com/gooddata/freeipa-manager/commit/4a68432
5.3 Features
groups/
group_one.yaml
group_two.yaml
domain2/
user.one:
  firstName: User
  lastName: One
  email: user.one@example.com
  memberOf:
    group:
      - group-one
      - group-two
      - group-three
The names of the attributes generally follow the relevant LDAP schemas utilized by FreeIPA for the definition of each entity type. However, some of the more obscure namings have been replaced by more readable ones (e.g., LDAP's sn attribute, standing for surname, has been replaced by lastName) and are automatically mapped to the correct LDAP keys.

A vast majority of the possible attributes are optional, mirroring the requirements of FreeIPA; namely, only the first and last name must be specified while all other entity types' attributes may be omitted.

The definition of the config schema for each entity type can be found in the ipamanager.schemas module of the implemented tool.⁹
8. https://yaml.org
9. https://github.com/gooddata/freeipa-manager/blob/0d40e64/
ipamanager/schemas.py
user.one:
  memberOf:
    group:
      - group-one
      - group-two
      - group-three
HBAC and sudo rules, on the other hand, require memberHost and memberUser attributes to be specified, such as the following:
rule.one:
  memberHost: hostgroup1
  memberUser: usergroup2
For historical reasons arising from our deployment's specific needs when developing the tooling, the membership possibilities offered are stricter than allowed by FreeIPA:
• users are only allowed to be members of user groups, and not of other entity types like HBAC and sudo rules;
• HBAC and sudo rules can only have exactly one host group and one user group as members (as opposed to any number allowed by FreeIPA).
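The schema rules from the previous section (first and last name are the only mandatory user attributes; readable keys such as lastName are mapped back to LDAP keys such as sn) and the two membership restrictions listed above are the kind of invariants a config checker enforces before anything is pushed to the server. The following is my own added example of such a checker in Python; it is not the tool's ipamanager.schemas or integrity_checker code and makes no claim about their interfaces. The config is given as Python dictionaries shaped like the parsed YAML files shown in this chapter, and is constructed for the example. The sn/lastName pair comes from the thesis; mapping firstName to givenName and email to mail is my assumption. The check that every referenced group or host group is actually defined in the config goes beyond the two restrictions the thesis lists, and is included because a rule pointing at a nonexistent group would otherwise only fail at push time.

```python
"""Added example (not freeipa-manager's own code): validate an entity config
shaped like the tool's YAML against the rules described in the thesis."""

# Readable config attribute -> LDAP attribute. sn for lastName is from the
# thesis; givenName and mail are my assumptions about the other two keys.
LDAP_ATTRIBUTE_MAP = {"firstName": "givenName", "lastName": "sn", "email": "mail"}

# Constructed config representing already-parsed YAML. user.two, rule.two and
# sudo.one each violate one of the documented constraints on purpose.
CONFIG = {
    "users": {
        "user.one": {"firstName": "User", "lastName": "One",
                     "email": "user.one@example.com",
                     "memberOf": {"group": ["group-one", "group-two"]}},
        "user.two": {"firstName": "User",
                     "memberOf": {"hbacrule": ["rule.one"]}},
    },
    "groups": {"group-one": {}, "group-two": {}},
    "hostgroups": {"hostgroup1": {}},
    "hbacrules": {
        "rule.one": {"memberHost": "hostgroup1", "memberUser": "group-one"},
        "rule.two": {"memberHost": ["hostgroup1", "hostgroup2"],
                     "memberUser": "group-one"},
    },
    "sudorules": {"sudo.one": {"memberHost": "hostgroup1"}},
}


def to_ldap_attributes(user):
    """Rename readable keys to their LDAP keys; membership is not an attribute."""
    return {LDAP_ATTRIBUTE_MAP.get(k, k): v
            for k, v in user.items() if k != "memberOf"}


def check_user(name, user, config):
    """Mandatory names, group-only membership, and referenced groups must exist."""
    errors = []
    for required in ("firstName", "lastName"):
        if required not in user:
            errors.append(f"user {name}: missing required attribute {required}")
    for kind, targets in user.get("memberOf", {}).items():
        if kind != "group":
            errors.append(f"user {name}: may only be a member of user groups, not {kind}")
            continue
        for group in targets:
            if group not in config.get("groups", {}):
                errors.append(f"user {name}: member of undefined group {group}")
    return errors


def check_rule(kind, name, rule, config):
    """HBAC and sudo rules: exactly one host group and exactly one user group."""
    errors = []
    for attr, section, label in (("memberHost", "hostgroups", "host group"),
                                 ("memberUser", "groups", "user group")):
        value = rule.get(attr)
        if not isinstance(value, str):
            # A missing value or a list both violate the "exactly one" rule.
            errors.append(f"{kind} {name}: {attr} must name exactly one {label}")
        elif value not in config.get(section, {}):
            errors.append(f"{kind} {name}: {attr} refers to undefined {label} {value}")
    return errors


def check_config(config):
    """Return every violation found; an empty list means the config is consistent."""
    errors = []
    for name, user in config.get("users", {}).items():
        errors.extend(check_user(name, user, config))
    for kind in ("hbacrules", "sudorules"):
        for name, rule in config.get(kind, {}).items():
            errors.extend(check_rule(kind, name, rule, config))
    return errors


if __name__ == "__main__":
    for problem in check_config(CONFIG):
        print(problem)
    print(to_ldap_attributes(CONFIG["users"]["user.one"]))
```

Run against the constructed config, the checker reports four problems: user.two lacks lastName and claims membership in an HBAC rule, rule.two lists two host groups, and sudo.one has no memberUser at all; user.one and rule.one pass. Returning the full list rather than stopping at the first violation is deliberate, so a reviewer of a pull request against the config repository sees everything that needs fixing in one pass.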
10. https://github.com/gooddata/freeipa-manager/blob/0d40e64/
ipamanager/integrity_checker.py
11. https://github.com/gooddata/freeipa-manager/blob/0d40e64/
ipamanager/tools/query_tool.py
gins that collect the logging messages and forward them to another service.

Currently, the only implemented plugin allows dispatching the tool's runtime status and logs to a server using the NSCA protocol.¹³
12. https://github.com/gooddata/freeipa-manager/tree/0d40e64/
ipamanager/alerting
13. https://github.com/NagiosEnterprises/nsca
Conclusion
Bibliography
1. ELISA BERTINO AND KENJI TAKAHASHI. Identity Management: Concepts, Technologies, and Systems. Boston, MA: Artech House, Inc., 2010. ISBN 978-1-60807-039-8.
2. TIAN PUYANG, QINGNI SHEN, YANG LUO, WU LUO AND ZHONGHAI WU. Making least privilege the low-hanging fruit in clouds. 2017 IEEE International Conference on Communications (ICC). 2017. ISBN 978-1-4673-8999-0. ISSN 1938-1883.
3. NICK SZABO. Patterns of Integrity - Separation of Duties [online]. 1994 [visited on 2019-05-19]. Available from: http://www.fon.hum.uva.nl/rob/Courses/InformationInSpeech/CDROM/Literature/LOTwinterschool2006/szabo.best.vwh.net/separationofduties.html.
4. DAVID FERRAIOLO, D. RICHARD KUHN AND RAMASWAMY CHANDRAMOULI. Role-based Access Control. 2nd ed. Boston, MA: Artech House, Inc., 2007. ISBN 9781596931138.
5. BRIAN ARKILLS. LDAP directories explained: an introduction and analysis. Boston, MA: Addison-Wesley, 2003. ISBN 0-201-78792-X.
6. NEIL WILSON. Understanding LDAP Schema [online] [visited on 2019-10-24]. Available from: https://ldap.com/understanding-ldap-schema/.
7. REDDIT. openLDAP, freeIPA, AD, whats the difference? [online] [visited on 2019-10-23]. Available from: https://www.reddit.com/r/linuxadmin/comments/5yelvt/openldap_freeipa_ad_whats_the_difference/.
8. RED HAT, INC. Ways to Integrate Active Directory and Linux Environments [online] [visited on 2019-10-23]. Available from: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/introduction.
9. MIT. Kerberos: The Network Authentication Protocol [online] [visited on 2019-10-23]. Available from: https://web.mit.edu/kerberos/.