Pushing users into the pit of success: War stories from the Samba 4.0 upgrade
Presented by Andrew Bartlett of Catalyst // 2015-01
Please ask questions during the talk
About me
● Andrew Bartlett
● Samba Team member since 2001
● Working on the AD DC since 2006
● These views are my own, but I do wish to thank:
– My employer: Catalyst
– My fellow Samba Team members
Samba's AD DC
● A truly great success for the Samba project
● Windows desktops are still a reality
– At least outside this room
– And they need AD for management and authentication
● Samba's AD DC provides many complex services
– Yet in a simple, seamless way
● Samba's first 'product' style feature
Samba AD DC Features
● LDAP
● Kerberos
● Windows Domain Controller
● Centralised Identity Management Server
– Authentication
– Authorisation
● SMB / SMB2 / CIFS
● Windows machines join AD natively
I think Samba's AD DC is a success
● Pushing users into the pit of success means:
– Even if the software is complex
– Even if the protocols are complex
– Even if the needs of every site are different
– That the initial install is a success
What is success: just working
● The initial install should just work
– Answer some questions, and then add your first user
● Have all the details in the meantime taken care of
– Generating any required configuration files
– Scripting all the steps, leave no steps manual
What is success: security
● The initial install should be 'secure'
● Password policy should be on by default
– Passwords should expire
– Passwords should be complex
● The administrator shouldn't choose the machine keys (passwords)
– These should be random gibberish
● Replication should be secure, encrypted
What is success: complexity
● Not shying away from complex protocols like Kerberos
● Hiding the details by making things 'just work'
● Making complex software simple to operate
– Particularly when starting
● Not expecting the administrator to be an expert
– Even if they are
This should not be revolutionary
● But too often, we assume the administrator:
– Is an Identity and Security expert, and will add the security later
– How many security bugs can you find below?

add: olcSyncRepl
olcSyncRepl: rid=0 provider=ldap://ldap01.example.com bindmethod=simple binddn="cn=admin,dc=example,dc=com" credentials=secret searchbase="dc=example,dc=com" logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" schemachecking=on type=refreshAndPersist retry="60 +" syncdata=accesslog
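The bugs the slide is asking about are all visible in the olcSyncRepl value itself: a plain ldap:// provider with no StartTLS, a simple bind that sends the password over that cleartext channel, a static cleartext password in the config, and a consumer that binds as the directory administrator. The following script is an added example, not part of the talk or of Samba or OpenLDAP; it parses a syncrepl value and reports those four weaknesses, and it also checks a constructed hardened value (ldaps:// plus SASL/GSSAPI, no stored password, no admin DN). The administrator DN used to spot the over-privileged bind is an assumption taken from the slide's sample.

```python
"""Audit an OpenLDAP olcSyncRepl value for the weaknesses shown on the slide.

Added example: syncrepl parameters are documented in slapd-config(5); this
checker only looks at provider, starttls, bindmethod, credentials and binddn.
"""
import shlex

# Constructed sample: the syncrepl value from the slide, copied for a local check.
WEAK_SYNCREPL = (
    'rid=0 provider=ldap://ldap01.example.com bindmethod=simple '
    'binddn="cn=admin,dc=example,dc=com" credentials=secret '
    'searchbase="dc=example,dc=com" logbase="cn=accesslog" '
    'logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" '
    'schemachecking=on type=refreshAndPersist retry="60 +" syncdata=accesslog'
)

# Constructed hardened sample: TLS transport, Kerberos (GSSAPI) bind from the
# consumer's own keytab, so no password and no binddn live in the config.
HARDENED_SYNCREPL = (
    'rid=0 provider=ldaps://ldap01.example.com bindmethod=sasl saslmech=GSSAPI '
    'searchbase="dc=example,dc=com" logbase="cn=accesslog" '
    'logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" '
    'schemachecking=on type=refreshAndPersist retry="60 +" syncdata=accesslog'
)

# Assumption: the directory's rootdn/administrator, as used on the slide.
ADMIN_DN = "cn=admin,dc=example,dc=com"


def parse_syncrepl(value):
    """Split a syncrepl value into a dict. shlex handles the quoted parameters
    (retry="60 +", the search filter); keys are lower-cased for lookup."""
    params = {}
    for token in shlex.split(value):
        key, sep, val = token.partition("=")
        if sep:
            params[key.lower()] = val
    return params


def audit_syncrepl(value, admin_dn=ADMIN_DN):
    """Return a list of human-readable findings; an empty list means clean."""
    p = parse_syncrepl(value)
    findings = []

    # 1. Transport: either ldaps:// or starttls=critical, otherwise cleartext.
    provider = p.get("provider", "")
    starttls = p.get("starttls", "no").lower()
    if not provider.startswith("ldaps://") and starttls != "critical":
        findings.append("cleartext transport: provider is not ldaps:// "
                        "and starttls=critical is not set")

    # 2. Authentication: syncrepl's default bindmethod is simple (a password).
    if p.get("bindmethod", "simple").lower() == "simple":
        findings.append("simple bind: replication password is sent to the "
                        "provider instead of a SASL (e.g. GSSAPI) bind")

    # 3. Secret at rest: a credentials= parameter is a cleartext password in cn=config.
    if "credentials" in p:
        findings.append("static credentials: replication password stored "
                        "in cleartext in the configuration")

    # 4. Privilege: the consumer only needs to read; binding as the admin is excessive.
    if p.get("binddn", "").lower() == admin_dn.lower():
        findings.append("over-privileged bind: consumer binds as the "
                        "directory administrator rather than a read-only replication account")

    return findings


if __name__ == "__main__":
    for name, value in (("weak", WEAK_SYNCREPL), ("hardened", HARDENED_SYNCREPL)):
        print(f"{name}: {len(audit_syncrepl(value))} finding(s)")
        for f in audit_syncrepl(value):
            print("  -", f)
```

Run it directly and it reports four findings for the slide's value and none for the hardened one; point `parse_syncrepl` at the `olcSyncRepl:` attribute of your own cn=config export to check a live configuration.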
Are these not just motherhood statements?
● Because the alternatives are superficially easier
– Yet dangerously simpler
– With many guides leaving security as an afterthought
● Because asking the administrator to manually configure what we can script is a waste of everyone's time.
Impressive because of where we have come from
● I'll rag on the OpenLDAP / Samba pattern quite a bit
● A bit like arguing that PostgreSQL is wrong for not including the 'right' database schema
● OpenLDAP is not an Identity Management solution
– But no commonly accepted IDM solution exists
– And OpenLDAP / Samba looks like an IDM solution
● Many of the things I complain about can be done
– But only by configuration of non-default modules
This may sound like a sales pitch
● I think Samba's AD DC has solved some of these problems very well
● This is at the expense of other things
– Specifically performance
– Also some flexibility
● I also have high praise for FreeIPA
– Many of the same great patterns are there also
– Very different products, but close communities
What have we done
● We changed Samba's DC mode:
– From a choose your own wiki adventure
– Into a consistent reproducible pattern
● We changed the constraints:
– From allowing almost anything
– To sensible and strictly defined constraints
What else we did
● We changed security:
– From being optional and after the fact
– To being on by default
● We changed replication from being
– Hard to configure and easy to leave insecure
– To being simple to configure
– Sadly also really, really complex
● OpenLDAP replication is much simpler under the hood
Samba 3.x and OpenLDAP
● A very common pattern
– Samba stores users and groups in LDAP records
– Essentially an NT4 Domain to LDAP translator
Samba 3.x / OpenLDAP Advantages
● LDAP backend provides replication 'for free'
● Solves key needs in heterogeneous networks
– Windows workstations talk to Samba
– Linux workstations and services talk to LDAP
● But only a loose pattern
– Not a tool or script
– No document of best practices
– May not even provide a single password!
Integration
● Somebody Else's Problem?
● OpenLDAP is 'just' a data store
● Samba uses an externally managed LDAP store
● Lots of tools and modules you can use
– But none installed or running by default
● Is the random wiki really in charge?
● Can we do better?
How bad is it really?
● Can't smart administrators
– Collect the software
– Follow internet guides
– Customise for their own organisation?
● Succeed to:
– Create a secure, reliable and fully featured IDM
– Without great stress and inconvenience?
● Sadly NO
The missing Constraints
● Samba's AD DC enforces constraints
● In Samba / OpenLDAP constraints were typically 'somebody else's problem'
More than just constraints missing
● The typical wiki OpenLDAP Samba also misses:
– Securing the LDAP directory
● Default ACL is "to * by self write"
● This allows you to update your own UID or SID!
● Some guides often forget to secure the passwords!
– Two-way password sync
● Ensuring LDAP password changes change the Samba password too!
– Password policy
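The "to * by self write" problem is easy to state and easy to miss in a real olcAccess list, because what matters is which clause matches first for a given attribute and requester. The script below is an added example, not part of the talk, Samba or OpenLDAP: it implements the first-match semantics of slapd.access(5) for the simple `to *`, `to attrs=...`, `by self`, `by anonymous`, `by users`, `by dn.exact=...` and `by *` forms, then asks two questions of a constructed ACL: can a user write their own uidNumber, gidNumber or sambaSID, and can any authenticated user read the password hashes? It checks the slide's weak default beside a constructed hardened list; the attribute names and the admin DN are assumptions taken from the slide's examples.

```python
"""Evaluate OpenLDAP olcAccess rules for the two mistakes named on the slide.

Added example. Semantics implemented (subset of slapd.access(5)): the first
"to" clause whose <what> matches the attribute is used; within it the first
matching "by" clause decides; with no matching "by" (or no matching "to" at
all, once any rule exists) access is none.
"""
import re

# Access levels in increasing order of privilege.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Assumption: the directory administrator used on the earlier slide.
ADMIN_DN = 'dn.exact="cn=admin,dc=example,dc=com"'

# Constructed weak ACL in the style of the common wiki default.
WEAK_ACL = ['{0}to * by self write by anonymous auth by * read']

# Constructed hardened ACL: secrets hidden, identity attributes admin-only.
HARDENED_ACL = [
    '{0}to attrs=userPassword,sambaNTPassword,sambaLMPassword '
    'by self write by anonymous auth by * none',
    '{1}to attrs=uidNumber,gidNumber,sambaSID by ' + ADMIN_DN + ' write by * read',
    '{2}to * by self write by * read',
]

IDENTITY_ATTRS = ("uidNumber", "gidNumber", "sambaSID")
SECRET_ATTRS = ("userPassword", "sambaNTPassword", "sambaLMPassword")


def parse_acl(lines):
    """Turn olcAccess values into [(what, [(who, level), ...]), ...]."""
    rules = []
    for line in lines:
        line = re.sub(r"^\{\d+\}", "", line.strip())  # drop the {n} ordering prefix
        m = re.match(r"to\s+(\S+)\s+(.*)$", line)
        if not m:
            raise ValueError(f"unsupported access rule: {line}")
        what, rest = m.group(1), m.group(2)
        bys = re.findall(r"by\s+(\S+)\s+(\S+)", rest)
        rules.append((what, bys))
    return rules


def _what_matches(what, attr):
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr in what[len("attrs="):].split(",")
    return False  # dn.* selectors are not modelled in this example


def access_level(rules, attr, requester):
    """requester is the set of 'who' words that describe the caller, e.g.
    {"self", "users"} for a bound user acting on their own entry,
    {"users"} for any other bound user, {"anonymous"} for an unbound client,
    plus a dn.exact="..." string for a specific identity."""
    for what, bys in rules:
        if _what_matches(what, attr):
            for who, level in bys:
                if who == "*" or who in requester:
                    return level
            return "none"  # matching "to", no matching "by": denied
    return "none"  # rules exist but none match: implied "to * by * none"


def at_least(level, needed):
    return LEVELS.index(level) >= LEVELS.index(needed)


def audit_acl(lines):
    """Return the findings the slide warns about, as a dict of attribute lists."""
    rules = parse_acl(lines)
    me = {"self", "users"}
    other_user = {"users"}
    return {
        "self_writable_identity": [a for a in IDENTITY_ATTRS
                                   if at_least(access_level(rules, a, me), "write")],
        "secrets_readable_by_users": [a for a in SECRET_ATTRS
                                      if at_least(access_level(rules, a, other_user), "read")],
    }


if __name__ == "__main__":
    for name, acl in (("weak", WEAK_ACL), ("hardened", HARDENED_ACL)):
        print(name, audit_acl(acl))
```

With the weak list a user can rewrite their own uidNumber and sambaSID and any bound user can read the NT hashes; with the hardened list both lists come back empty while the user keeps write access to their own userPassword. Note the ordering dependency the example makes visible: the attribute-specific clauses must come before the catch-all `to *`, or the catch-all wins.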
Upgrading Samba 3 -> Samba 4
● Installing Samba 4.x is really easy
– Install Samba
– samba-tool domain provision
– Start Samba
● Upgrading Samba turns out to be much more difficult
– It should have been 'samba-tool domain classicupgrade'
– But our earlier flexibility came back to bite us
Given Infinite flexibility
● Our administrators used it all
● We had:
– Duplicate SIDs
– Mixed domains or Incorrect SIDs
– Duplicate user names
– Users with the same name as groups
– Invalid account flags
– Entries created by multiple, independent tools