V4/Trust GC support
Global Catalog service support for AD trusts
Primary ticket: https://fedorahosted.org/freeipa/ticket/3125
- Active Directory administrators want to share resources with IPA users
- Setting up access rights in Security tab of a properties dialog on Windows machine
- Log-on to Windows Machines using IPA user credentials
Global Catalog service is a read-only view of the users and groups in an Active Directory implementation. It is exposed as an LDAP server on a separate non-standard port 3268 and contains full information about the domain the controller manages and partial read-only information of the other domains from the same forest. The information includes schema and user/group information for the respective domains.
Details on how Global Catalog service works in Microsoft's Active Directory implementation can be found here: http://technet.microsoft.com/en-us/library/how-global-catalog-servers-work%28v=ws.10%29.aspx
We differentiate below Global Catalog service as implemented in Microsoft's Active Directory and Global Catalog service in FreeIPA by talking about *GC service intance* in the latter case.
FreeIPA implementation of GC service will use following approach:
- a separate Directory Server instance will be created to contain read-only memory-only copy of the data about IPA's domain
- Directory Server cannot listen on multiple ports for the same protocol (389 vs 3268)
- GC service instance will use a different schema than original FreeIPA schema since GC schema is incompatible with IPA schema.
- GC service instance will use modified slapi-nis plugin to search an original IPA directory server instance for entries instead of an internal search
- Updates from the original IPA directory server instance will be tracked with the help of SYNCREPL protocol
- slapi-nis plugin will be configured to present entries from the original IPA directory server instance as GC service instance entries
- additional plugins will be created to handle schema correctness enforcement as multiple inheritance (auxiliary classes) and tree structure cannot be expressed through 389-ds schema syntax
GC schema mapping
Global Catalog instance schema is derived from a schema published by Microsoft through WSPP programme as MS-ADSC document, http://msdn.microsoft.com/en-us/library/cc221630.aspx. Schema files are available in LDIF format from http://go.microsoft.com/fwlink/?LinkId=212555 and processed with the help of a converting script. The script to convert schema to 389-ds format is based on a similar script from Samba (ms_schema.py) which only supports non-validating output for LDB database. FreeIPA's version has to generate valid schema in 389-ds format and thus adds mapping between schema attribute definitions existing in 389-ds and MS-ADSC. In particular, attribute types, their ordering and matching functions mapped to those of 389-ds.
|Original syntax||Mapped syntax|
|Original syntax||Mapped syntax|
Active Directory schema supports multiple inheritance through use of auxiliaryClass and systemAuxiliaryClass attributes. 389-ds does not support mechanism to specify multiple superior classes in the schema. In result, we need to explicitly add these classes to the objects of a specific objectClass type on creation.
Tree structure correctness
Active Directory schema describes types of objects that may contain the object of a type through systemPossSuperiors and possSuperiors attributes. 389-ds does not support this type enforcement. In result, we need to explicitly check these requirements on object creation.
How the feature will be manged via the UI
Overview of the CLI commands
Major configuration options and enablement
Any configuration options? Any commands to enable/disable the feature or turn on/off its parts?
Any impact on replication?
Updates and Upgrades
Any impact on updates and upgrades?
Any new package and library dependencies.
Impact on other development teams and components
Backup and Restore
Any files or configuration that needs to be taken care of in backup or restore procedure.
Test scenarios that will be transformed to test cases for FreeIPA Continuous Integration during implementation or review phase.