LDAPI autobind authentication for services
******************************************


Overview
========

This design proposed to use LDAPI autobind for some internal FreeIPA
services, so they can be started and used before KRB5 KDC service is
operational. The proposal makes use of 389 DS’ existing LDAPI autobind
implementation and new LDAPI autobind DN rewriter feature, which will
be available in early 2021.

LDAPI autobind is a form of authentication that uses the effective UID
and GID of a process as credentials. It uses "SO_PEERCRED" feature of
unix socket connection and SASL EXTERNAL mechanism. Autobind enables
secure and fast authentication for local services without using KRB5
KDC.


Technical background
====================


Benefits
--------

LDAPI autobind does not depend on Kerberos/GSSAPI. This fact permits
services to authenticate and operate before KRB5 KDC is up and
running. For example DNS services can be started before KDC, so a time
sync daemon can synchronize clocks before KDC starts.

It’s faster than GSSAPI. On a test system "ldapwhoami" command with
"-Y EXTERNAL" takes around 12ms real time. On the same system "-Y
GSSAPI" over LDAPI with a cached service ticket takes between 20ms to
500ms real time.


Drawbacks
---------

On Fedora and RHEL-based systems, FreeIPA’s keytabs are not only
protected by DAC permissions (discrete access control, also known as
Unix file permissions) but also by SELinux’s mandatory access control.
For example "named.keytab" is only readable by user "named" or group
members of group "named" and processes that are allowed to open files
with SELinux type "etc_t". "SO_PEERCRED"-based authentication no
longer verifies the SELinux context of a process. It is possible to
retrieve the security context of a peer process with "SO_PEERSEC", but
389-DS does not implement the feature.

The risk is negligible for BIND named. Most process are allowed to
read files with "etc_t" any way.


Containers
----------

"SO_PEERCRED" based authentication works across containers if and only
if the 389-DS server process and LDAP client process can share a mount
point and a common user namespace. The mount point is required to
share the Unix socket file of the 389-DS process. The user namespace
must be shared, because the Kernel translates UID and GID numbers
between namespaces. Disjunct namespaces result in UID/GID "-1".


Candidates
==========

* BIND named service, so "named" and "chronyd" can be started before
  KDC.

* krb5kdc and kadmin service (after dropping root privileges)

* ipa-custodia (after dropping root privileges)


Implementation
==============

The implementation makes use of the new DN rewriter feature for
autobind. The feature enables FreeIPA to store the UID/GID mapping in
the local, non-replicated "cn=config" backend and then map succesful
binds to a DN in the replicated domain database. The approach has two
benefits:

1. FreeIPA does not depend on reserved and uniform UID/GID allocation
   across all servers. Each server can map its local UID/GID
   assignment to a principal.

2. FreeIPA can map UID/GID combination to a host-specific service
   principal. For example server "srv1" can map UID "25" / GID "25" to
   "DNS/srv1.ipa.example@IPA.EXAMPLE". "srv2" can map the same UID and
   GID to its principal "DNS/srv2.ipa.example@IPA.EXAMPLE".


global settings
---------------

LDAPI mappings, search base for UID/GID, and mapping base for
"nsslapd-authenticateAsDN" must be configured in "cn=config".

   dn: cn=config
   nsslapd-ldapimaptoentries: on
   nsslapd-ldapientrysearchbase: cn=auto_bind,cn=config
   nsslapd-ldapidnmappingbase: cn=auto_bind,cn=config


service-specific settings
-------------------------

LDAPI DN rewriter feature comes with a new object class for mapping
UID/GID to another DN. For example a mapping for BIND named would look
like this:

   dn: cn=named,cn=auto_bind,cn=config
   objectClass: top
   objectClass: nsLDAPIFixedAuthMap
   cn: named
   uidNumber: $NAMED_UID
   gidNumber: $NAMED_GID
   nsslapd-authenticateAsDN: krbprincipalname=DNS/$FQDN@$REALM,cn=services,cn=accounts,$SUFFIX

**NOTE** 389-DS does not enforce referential integrity in "cn=config".
"nsslapd-authenticateAsDN" can reference DNs that do not exist yet. A
missing target results into authenticate error.


reload LDAPI mappings
---------------------

389-DS has an internal cache for LDAPI mappings. The cache must be
refreshed after mapping are added, removed, or changed. A refresh can
be accomplished by either restarting the server process or running the
"reload ldapi mappings" task. The implementation detail will be
handled automatically by new API and "ipa-ldap-updater" framework.


backup / restore
----------------

It is possible that UID or GID can change, when a server is
reinstalled and restored from a backup. "ipa-restore" will refresh all
mappings on restore.


References
==========

* 389-DS LDAPI autobind

* LDAPI autobind DN rewriter

* 389-DS feature request GH-4381

* FreeIPA bug report pagure-8544 for replication issue due to clock
  mismatch.
