Simo Sorce wrote:
On Thu, 2015-08-20 at 10:09 -0400, Stephen Gallagher wrote:
> On Thu, 2015-08-20 at 00:54 +0200, Michael Ströder wrote:
>> Dmitri Pal wrote:
>>> On 08/19/2015 03:53 PM, Jakub Hrozek wrote:
>>>> On Wed, Aug 19, 2015 at 09:49:22PM +0530, Rajnesh Kumar Siwal wrote:
>>>>> Any suggested workaround .
>>>> You can use nss-pam-ldapd just for the hosts database and sssd for the
>>>> rest, you can use different views or different servers altogether for
>>>> public/private views.
>>>>
>>>> btw this is the first time I've heard a request for hosts support in
>>>> sssd, so I don't think it's something that can be expected, unless
>>>> someone steps in and implements the maps.
>>>
>>> People usually use DNS for that and it is the recommended way of doing
>>> things.
>>> BTW if you want LDAP managed host entries you can use FreeIPA and
>>> it comes with DNS to solve this issue.
>>
>> But DNS is not subject to access control. Yes, I also already thought
>> about making host entries visible only to specific hosts.
>
> Hmm, access-control is the first good argument I've heard for
> supporting hosts in LDAP as opposed to DNS[SEC]. Historically, we've
> ignored the hosts map in SSSD because we reasoned that dnsmasq was a
> better caching solution for hosts than LDAP. However, being able to
> restrict what machines have access to the hosts is actually an
> interesting use-case.
>
> If you have a RHEL subscription, I'd encourage you to contact your
> support representative to make a formal request for inclusion of the
> hosts map in SSSD. If you do not, please file an RFE at
> https://fedorahosted.org/sssd with this justification and upstream will
> consider it for inclusion in a future release.
Although a case can be made, it sounds an awful lot like security through
obscurity ...
I'm not trying to push this as *the* solution.
But it can be another line of defense.
It may be better to use DNS and ACLs in bind to restrict who (as in IP
addresses) can see a zone.
YMMV. But imagine a deployment where each host has to strongly authenticate
anyway and is authorized to see only specific users, groups, sudoers entries.
In such a scenario it's not such a big deal to add some OpenLDAP ACLs for
hosts visibility.
In contrast to that, implementing bind ACLs is an additional data structure and
authentication can only be done IP-based. OK, you can sync data to bind of course.
Ciao, Michael.
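To make the contrast in the last message concrete, here is an added illustration that is not part of the original thread and not taken from any of the projects mentioned. All DNs, host names, group names, zone names, addresses and file paths are made up. The OpenLDAP part keys visibility on the authenticated identity of the querying host (a host group), the nslcd part shows how a client would bind as itself for the hosts map only, and the BIND part shows the same split expressed as a view, which can only key on the source address of the query.

```text
# --- OpenLDAP slapd.conf access directives (assumed layout) ---------------
# Hosts live under ou=hosts; the "backend" subtree must only be visible to
# machines that are members of a host group. Each machine authenticates
# (e.g. SASL/GSSAPI) and is mapped to its own DN, which is what the
# group/... clause below is evaluated against. First matching rule wins,
# so the restrictive subtree rule must precede the general one.
access to dn.subtree="ou=backend,ou=hosts,dc=example,dc=com"
        attrs=entry,objectClass,cn,ipHostNumber
    by group/groupOfNames/member.exact="cn=backend-tier,ou=hostgroups,dc=example,dc=com" read
    by * none

# Everything else under ou=hosts is readable by any authenticated identity;
# anonymous clients see nothing, so the hosts map cannot be enumerated
# without a credential.
access to dn.subtree="ou=hosts,dc=example,dc=com"
        attrs=entry,objectClass,cn,ipHostNumber
    by users read
    by * none

# --- /etc/nslcd.conf on each client (assumed) ------------------------------
# nss-pam-ldapd serves only the hosts database here (sssd keeps the rest),
# binding with the host's own Kerberos credentials so that the ACL above
# sees the machine's DN rather than an anonymous connection.
uri ldaps://ldap.example.com
base hosts ou=hosts,dc=example,dc=com
sasl_mech GSSAPI
krb5_ccname /var/run/nslcd/host.tkt

# --- BIND named.conf equivalent (assumed addresses) ------------------------
# The only way to express "who" is an address-match list. The backend zone
# is served from a view reachable solely by the listed networks; other
# clients fall through to the public view and never learn the zone exists.
acl "backend-tier" { 10.0.20.0/24; 10.0.21.7; };

view "backend" {
    match-clients { backend-tier; };
    zone "backend.example.com" {
        type master;
        file "/var/named/backend.example.com.zone";
    };
    zone "example.com" {
        type master;
        file "/var/named/example.com.zone";
    };
};

view "public" {
    match-clients { any; };
    zone "example.com" {
        type master;
        file "/var/named/example.com.zone";
    };
};
```

Two caveats when comparing the halves. In the LDAP variant the authorization decision is bound to the host's credential, so a spoofed or reused IP address buys nothing; the price is that the group membership (or whatever attribute the ACL keys on) becomes one more piece of data to keep accurate. In the BIND variant an address-match list may also name a TSIG `key`, but ordinary stub resolvers do not sign their queries, so in practice the match is on source address and any host that can originate packets from the permitted range sees the zone.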