Howto/FreeIPA with integrated BIND inside chroot
IPA with integrated BIND inside chroot
This how-to was created on RHEL 6.4 with IPA 3.0.
Please see this note about chroots.
- Install IPA as usual and add package bind-chroot:
- yum install ipa-server bind bind-chroot bind-dyndb-ldap -y
- ipa-server-install --setup-dns
- Add required libraries to chroot environment (use do copy or link, whatever you prefer)
- Following script should copy all necessary files to "$CHROOT":
CP="cp -Lpcvr" ARCH="64" # empty string should work for x86_32 architecture CHROOT="/var/named/chroot" LIB="$CHROOT/lib$ARCH/" USRLIB="$CHROOT/usr/lib$ARCH/" BINDLIB="$CHROOT/usr/lib$ARCH/bind/" ETC="$CHROOT/etc/" # urandom is required by Kerberos libraries $CP /dev/urandom "$CHROOT/dev/" # add libraries mkdir -p "$LIB" $CP /lib$ARCH/libldap-2.4.so.2 "$LIB" $CP /lib$ARCH/liblber-2.4.so.2 "$LIB" $CP /lib$ARCH/libplds4.so "$LIB" $CP /lib$ARCH/libplc4.so "$LIB" $CP /lib$ARCH/libnspr4.so "$LIB" $CP /lib$ARCH/libcrypt.so.1 "$LIB" $CP /lib$ARCH/libfreebl3.so "$LIB" mkdir -p "$USRLIB" $CP /usr/lib$ARCH/libssl3.so "$USRLIB" $CP /usr/lib$ARCH/libsmime3.so "$USRLIB" $CP /usr/lib$ARCH/libnss3.so "$USRLIB" $CP /usr/lib$ARCH/libnssutil3.so "$USRLIB" $CP /usr/lib$ARCH/libsasl2.so.2 "$USRLIB" $CP /usr/lib$ARCH/krb5 "$USRLIB" $CP /usr/lib$ARCH/sasl2 "$USRLIB" # add bind-dyndb-ldap library $CP /usr/lib$ARCH/bind/ldap.so "$BINDLIB" # add BIND and Kerberos configuration $CP /etc/named.* "$ETC" $CP /etc/rndc.* "$ETC" # add Kerberos configuration $CP /etc/krb5.conf "$ETC" mkdir -p /etc/ipa $CP /etc/ipa/ca.crt "$ETC/ipa" # Kerberos needs also name->IP mapping for KDC $CP /etc/hosts "$ETC"
- In (chrooted) /etc/named.conf and replace LDAPI socket with localhost:
arg "uri ldap://127.0.0.1:389
- In (chrooted) /etc/krb5.conf comment out includedir line.
- Krb5 library initialization will fail if include directory is not accesible. TODO: Find some nicer way how to handle this problem.
- BIND should be able to start now.
This article is enhanced version of Dale's post on freeipa-users list.
NOTE: Chroot should not be considered a security feature
A chroot jail is often described as being a security feature. In reality a chrooted environment is no more secure than a non-chrooted environment. The root user is able to "break out" of a chroot jail, which is not unexpected behavior of the super user. Non root users are not able to escape from a chroot jail, but due to the nature of security, one has to assume that an attacker who is sophisticated enough to gain local access to a chrooted environment is also sophisticated enough to gain root privileges. A chrooted environment is ideal for running a process in a minimal environement, it should not be considered more secure than a non chrooted environment. Proper Discretionary Access Control (DAC) permissions provide the same basic level of security as a chrooted environment.