[Backport][ipa-4-6] Index certmap attributes #3408

Closed
wants to merge 4 commits into from

Conversation

abbra (Contributor) commented Jul 17, 2019

This PR was opened automatically because PR #3110 was pushed to master and backport to ipa-4-6 is required.

Active Directory schema includes altSecurityIdentities attribute
which presents alternative security identities for a bindable object in
Active Directory.

FreeIPA doesn't currently use this attribute. However, SSSD certmap
library may generate searches referencing the attribute if it is
specified in the certificate mapping rule. Such a search might be
considered unindexed in 389-ds.

Define altSecurityIdentities attribute to allow specifying indexing
rules for it.

Fixes: https://pagure.io/freeipa/issue/7932
Related: https://pagure.io/freeipa/issue/7933
During an investigation into filter optimisation in 389DS it was
discovered that two attributes of the certmap query are unindexed.
Due to the nature of LDAP filters, if any member of an OR query is
unindexed, the entire OR becomes unindexed.

This is then basically a full-table scan, which applies the filter test
to the contained members.

Fixes: https://pagure.io/freeipa/issue/7932
Fixes: https://pagure.io/freeipa/issue/7933
…domains

IPA LDAP has no altSecurityIdentities in use; it should only apply to
identities in trusted Active Directory domains.

Add checks to enforce proper certmap rule attribution for specific
Active Directory domains.

Related: https://pagure.io/freeipa/issue/7932
Try to create a certmap rule that mentions altSecurityIdentities in its
mapping rule but uses the IPA domain to apply to. It should fail with
ValidationError.

Related: https://pagure.io/freeipa/issue/7932
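As an added example (Python, not FreeIPA's own code), the two points the commits above make in working form: an attribute-extraction helper that flags a filter as unindexed when any member of an OR lacks an index, and a certmap-rule validator that rejects a mapping rule referencing altSecurityIdentities when the rule would apply to the IPA domain itself. The IPA domain name, the indexed-attribute set and the sample rules are constructed assumptions, and the filter parser handles only simple LDAP filters.

```python
import re
from dataclasses import dataclass, field

# Constructed values for this example: a made-up IPA domain and the set of
# attributes assumed to have an equality index in 389-ds.
IPA_DOMAIN = "ipa.example.test"
INDEXED_ATTRS = {"uid", "cn", "userCertificate", "ipaCertMapData", "altSecurityIdentities"}
# Attributes that only carry meaning for objects in trusted AD domains.
AD_ONLY_ATTRS = {"altsecurityidentities"}

# Matches "(attr=" / "(attr~=" / "(attr>=" / "(attr<=" inside a filter; the
# "(|", "(&" and "(!" operators start with a non-letter and are skipped.
_ATTR_RE = re.compile(r"\(([A-Za-z][\w;.-]*)\s*(?:~=|>=|<=|=)")


class ValidationError(ValueError):
    """Raised when a certmap rule references an AD-only attribute for the IPA domain."""


@dataclass
class CertmapRule:
    name: str
    mapping_rule: str            # LDAP filter template, as in an SSSD certmap rule
    domains: list = field(default_factory=list)   # empty list: applies to the IPA domain


def filter_attributes(ldap_filter):
    """Attribute names referenced by a simple LDAP filter, in order of appearance."""
    return _ATTR_RE.findall(ldap_filter)


def unindexed_attributes(ldap_filter, indexed=INDEXED_ATTRS):
    """Attributes in the filter that have no index (case-insensitive, as LDAP names are)."""
    indexed_lc = {a.lower() for a in indexed}
    return sorted({a for a in filter_attributes(ldap_filter) if a.lower() not in indexed_lc})


def filter_is_indexed(ldap_filter, indexed=INDEXED_ATTRS):
    """True only if every attribute in the filter is indexed. One unindexed
    member of an OR makes the whole OR unindexed (a full scan with the filter
    applied to every candidate), so this is the question to ask for any
    filter shape, not just for the one attribute that was just added."""
    return not unindexed_attributes(ldap_filter, indexed)


def certmap_rule_problems(rule, ipa_domain=IPA_DOMAIN):
    """List of problems with the rule (empty when the rule is acceptable)."""
    attrs = {a.lower() for a in filter_attributes(rule.mapping_rule)}
    ad_only = attrs & AD_ONLY_ATTRS
    if not ad_only:
        return []
    # A rule without an explicit domain list applies to the IPA domain.
    targets = {d.lower() for d in rule.domains} or {ipa_domain.lower()}
    if ipa_domain.lower() in targets:
        return [f"rule {rule.name!r}: {', '.join(sorted(ad_only))} may only be used "
                f"for trusted Active Directory domains, not for {ipa_domain}"]
    return []


def validate_certmap_rule(rule, ipa_domain=IPA_DOMAIN):
    """Raise ValidationError on the first problem; return the rule otherwise."""
    problems = certmap_rule_problems(rule, ipa_domain)
    if problems:
        raise ValidationError(problems[0])
    return rule


if __name__ == "__main__":
    # Constructed sample rules, written in the style of SSSD certmap mapping rules.
    ad_rule = CertmapRule("ad-users",
                          "(altSecurityIdentities=X509:<I>{issuer_dn!ad_x500}<S>{subject_dn!ad_x500})",
                          domains=["ad.example.test"])
    ipa_rule = CertmapRule("ipa-users",
                           "(|(ipaCertMapData={cert!base64})(altSecurityIdentities={subject_dn}))")
    print(validate_certmap_rule(ad_rule).name, "accepted")
    print(certmap_rule_problems(ipa_rule))
    print(filter_is_indexed(ipa_rule.mapping_rule, indexed={"uid", "ipaCertMapData"}))
```

The indexing check is deliberately run over the whole filter rather than the one attribute being added, because the OR in the certmap search is only as fast as its slowest member; dropping a single attribute from the index set is enough to turn the query back into a full scan.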
@abbra abbra added the ack Pull Request approved, can be merged label Jul 17, 2019
abbra (Contributor, Author) commented Jul 17, 2019

PR was ACKed automatically because this is a backport of PR #3110. Wait for CI to finish before pushing. In case of questions or problems contact @abbra, who is the author of the original PR.

@abbra abbra added the pushed Pull Request has already been pushed label Jul 18, 2019
abbra (Contributor, Author) commented Jul 18, 2019

ipa-4-6:

  • f8fccd5 Add altSecurityIdentities attribute from MS-WSPP schema definition
  • dc81689 Create indexes for altSecurityIdentities and ipaCertmapData attributes
  • 219fb1f certmap rules: altSecurityIdentities should only be used for trusted domains
  • 0cc8ce2 certmaprule: add negative test for altSecurityIdentities

@abbra abbra closed this Jul 18, 2019