Playing with FreeIPA ipa-ldap-updater
FreeIPA has a number of well-hidden utilities used to simplify administrative tasks when setting up or upgrading the master servers. Out of these utilities, ipa-ldap-updater is one that is helpful for some common tasks which would otherwise require use of ldapadd/ldapmodify.
One strength of ipa-ldap-updater is the template language it provides to abstract out deployment details. Each FreeIPA server has several constants like the LDAP tree suffix, the FreeIPA realm, and a few more. These constants can be referred to in a generic form without explicitly spelling out their values. This approach makes ipa-ldap-updater a valuable tool for expressing commonly performed actions.
ipa-ldap-updater operates on so-called "update" files. If no "update" file is specified, all files from /usr/share/ipa/update/ will be processed in the order defined by their name structure: dd-name.update, where dd is a two-digit number from 01 to 90.
Let’s consider several examples where using ipa-ldap-updater is handy.
Rebuilding automember membership
For example, the following 45-task-rebuild-hostgroup.update file would insert a task causing the automember plugin to re-create membership of hosts according to automember rules.
dn: cn=$TIME-$FQDN-$LIBARCH,cn=automember rebuild membership,cn=tasks,cn=config
add:objectclass:top,extensibleObject
add:cn:$TIME-$FQDN-$LIBARCH
add:basedn:"cn=computers,cn=accounts,$SUFFIX"
add:filter:(fqdn=*)
add:scope:sub
add:ttl:3600
The template above uses several constants:
- $TIME — number of seconds since 1970 when the template is processed
- $FQDN — fully-qualified domain name of the FreeIPA master where ipa-ldap-updater is run
- $LIBARCH — number (32 or 64) reflecting the architecture of the FreeIPA master where ipa-ldap-updater is run
- $SUFFIX — LDAP suffix of the FreeIPA deployment, e.g. dc=f21,dc=test in the example below.
There are more constants available; the syntax of the update file is described in the manual page for the ipa-ldap-updater utility.
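To make the template mechanics concrete, here is an added Python example (not ipa-ldap-updater's own code) that expands the constants in an update file of the shape above and renders the dn:/add: subset into LDIF that ldapadd accepts. It handles only the directives shown on this page, and the constant values passed in are constructed.

```python
import re

# Constructed update file, the same shape as 45-task-rebuild-hostgroup.update above.
SAMPLE_UPDATE = """\
dn: cn=$TIME-$FQDN-$LIBARCH,cn=automember rebuild membership,cn=tasks,cn=config
add:objectclass:top,extensibleObject
add:cn:$TIME-$FQDN-$LIBARCH
add:basedn:"cn=computers,cn=accounts,$SUFFIX"
add:filter:(fqdn=*)
add:scope:sub
add:ttl:3600
"""

def substitute(text: str, consts: dict[str, str]) -> str:
    """Expand $NAME tokens; an unknown constant is an error, not a literal '$NAME'."""
    def repl(match):
        name = match.group(1)
        if name not in consts:
            raise KeyError(f"unknown template constant ${name}")
        return consts[name]
    return re.sub(r"\$([A-Z_]+)", repl, text)

def split_values(raw: str) -> list[str]:
    """Split a comma-separated value list; a double-quoted value is kept whole
    (that is why basedn above is quoted: the DN itself contains commas)."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return [raw[1:-1]]
    return [v.strip() for v in raw.split(",") if v.strip()]

def render_ldif(update: str, consts: dict[str, str]) -> str:
    """Render the 'dn:' / 'add:attr:values' subset into LDIF text."""
    out: list[str] = []
    for line in substitute(update, consts).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # blank lines and comments
        if line.startswith("dn:"):
            out.append("dn: " + line[3:].strip())
        elif line.startswith("add:"):
            attr, _, values = line[4:].partition(":")
            out.extend(f"{attr.strip()}: {v}" for v in split_values(values))
        else:
            raise ValueError(f"unsupported update directive: {line}")
    return "\n".join(out) + "\n"
```

Calling render_ldif(SAMPLE_UPDATE, {"TIME": "1417023146", "FQDN": "master.f21.test", "LIBARCH": "64", "SUFFIX": "dc=f21,dc=test"}) yields the same DN that ipa-ldap-updater reports in the run below.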
When running it against a single update file, ipa-ldap-updater should be called like this:
# ipa-ldap-updater ./45-task-rebuild-hostgroup.update
Directory Manager password:
Parsing update file './45-task-rebuild-hostgroup.update'
New entry: cn=1417023146-master.f21.test-64,cn=automember rebuild membership,cn=tasks,cn=config
The ipa-ldap-updater command was successful
ipa-ldap-updater told us that a new entry was inserted into the LDAP server and displayed its DN. As this entry is in the namespace of periodically executed tasks, we can check the task status by reading the entry:
[root@master ~]# ldapsearch -Dcn=directory\ manager -W -b 'cn=1417023146-master.f21.test-64,cn=automember rebuild membership,cn=tasks,cn=config'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=1417023146-master.f21.test-64,cn=automember rebuild membership,cn=tasks,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# 1417023146-master.f21.test-64, automember rebuild membership, tasks, config
dn: cn=1417023146-master.f21.test-64,cn=automember rebuild membership,cn=tasks
,cn=config
cn: 1417023146-master.f21.test-64
objectClass: top
objectClass: extensibleObject
basedn: cn=computers,cn=accounts,dc=f21,dc=test
filter: (fqdn=*)
ttl: 3600
scope: sub
nstaskcurrentitem: 1
nstasktotalitems: 1
nstasklog::
QXV0b21lbWJlciByZWJ1aWxkIHRhc2sgc3RhcnRpbmcgKGJhc2UgZG46IChjbj1jb2
1wdXRlcnMsY249YWNjb3VudHMsZGM9ZjIxLGRjPXRlc3QpIGZpbHRlciAoKGZxZG49KikpLi4uCgp
BdXRvbWVtYmVyIHJlYnVpbGQgdGFzayBmaW5pc2hlZC4gUHJvY2Vzc2VkICgxKSBlbnRyaWVzLg==
nstaskstatus: Automember rebuild task finished. Processed (1) entries.
nstaskexitcode: 0
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
We used 'ipa-ldap-updater' to insert a task into LDAP, then queried the entry reported by 'ipa-ldap-updater' to see how the task did the rebuild of the host membership. If the task’s nstaskstatus attribute says the task is finished, we are fine.
All tasks have a similar structure and report their output as a base64-encoded value of the nstasklog attribute. We can also see that the task finished successfully (the nstaskexitcode value is 0).
# cat <<END|base64 -d
QXV0b21lbWJlciByZWJ1aWxkIHRhc2sgc3RhcnRpbmcgKGJhc2UgZG46IChjbj1jb2
1wdXRlcnMsY249YWNjb3VudHMsZGM9ZjIxLGRjPXRlc3QpIGZpbHRlciAoKGZxZG49KikpLi4uCgp
BdXRvbWVtYmVyIHJlYnVpbGQgdGFzayBmaW5pc2hlZC4gUHJvY2Vzc2VkICgxKSBlbnRyaWVzLg==
END
Automember rebuild task starting (base dn:
(cn=computers,cn=accounts,dc=f21,dc=test) filter ((fqdn=*))...
Automember rebuild task finished. Processed (1) entries.
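As an added example (not from the original post), the following Python performs the check we just did by hand: it unfolds the LDIF that ldapsearch prints, decodes the base64 nstasklog value and reports whether nstaskstatus and nstaskexitcode indicate success. The embedded ldapsearch output is constructed from the task entry above.

```python
import base64

# Constructed ldapsearch output in the shape shown above (folded lines continue with a leading space, '::' marks base64).
SAMPLE_LDIF = """\
# extended LDIF
dn: cn=1417023146-master.f21.test-64,cn=automember rebuild membership,cn=tasks
 ,cn=config
cn: 1417023146-master.f21.test-64
objectClass: top
objectClass: extensibleObject
nstasklog:: QXV0b21lbWJlciByZWJ1aWxkIHRhc2sgc3RhcnRpbmcgKGJhc2UgZG46IChjbj1jb2
 1wdXRlcnMsY249YWNjb3VudHMsZGM9ZjIxLGRjPXRlc3QpIGZpbHRlciAoKGZxZG49KikpLi4uCgp
 BdXRvbWVtYmVyIHJlYnVpbGQgdGFzayBmaW5pc2hlZC4gUHJvY2Vzc2VkICgxKSBlbnRyaWVzLg==
nstaskstatus: Automember rebuild task finished. Processed (1) entries.
nstaskexitcode: 0

# search result
search: 2
result: 0 Success
"""

def parse_ldif_entry(text: str) -> dict[str, list[str]]:
    """Unfold folded lines, skip comments, decode '::' values; stop at the blank line ending the first entry."""
    unfolded: list[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]      # LDIF folding rule: a leading space joins the previous line
        else:
            unfolded.append(line)
    attrs: dict[str, list[str]] = {}
    for line in unfolded:
        if line == "" and attrs:
            break                         # trailer ("search: 2", "result: 0 Success") is not part of the entry
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        attrs.setdefault(name.lower(), []).append(value)
    return attrs

def task_outcome(attrs: dict[str, list[str]]) -> tuple[bool, int, str]:
    """Return (finished successfully, nstaskexitcode, decoded nstasklog) for a task entry."""
    status = attrs.get("nstaskstatus", [""])[0].lower()
    code = int(attrs.get("nstaskexitcode", ["-1"])[0])
    log = attrs.get("nstasklog", [""])[0]
    return ("finished" in status and code == 0), code, log
```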
Enabling weak encryption types in FreeIPA
Another useful example for ipa-ldap-updater is modifying LDAP objects which have no direct IPA commands to work on them. One typical case is enabling support for weak encryption types. While the FreeIPA development team attempts to provide reasonable security defaults that favor stronger encryption standards, in some cases interoperability with older systems would require you to set security standards to a lower bar; otherwise these legacy systems would not work with FreeIPA at all.
In order to enable support for weak encryption types in FreeIPA, one has to allow the Kerberos infrastructure to deal with these older encryption types. FreeIPA provides its own database driver for the Kerberos KDC, and this driver looks up the settings from the LDAP database rather than using the configuration in kdc.conf only. This makes it easy to replicate the configuration across FreeIPA masters without getting into the file distribution dilemma.
The Kerberos database driver’s configuration is stored in the cn=$REALM,cn=kerberos,$SUFFIX subtree. An update file 20-weak-enctypes.update could look like this:
# 20-weak-enctypes.update
dn: cn=$REALM,cn=kerberos,$SUFFIX
add:krbSupportedEncSaltTypes:des-cbc-crc:v4
This update file adds a new value to the krbSupportedEncSaltTypes attribute, allowing use of the old and insecure DES-CBC-CRC:V4 encryption type:
[root master ~]# ipa-ldap-updater ./20-weak-enctypes.update
Directory Manager password:
Parsing update file './20-weak-enctypes.update'
Updating existing entry: cn=F21.TEST,cn=kerberos,dc=f21,dc=test
Done
The ipa-ldap-updater command was successful
Once the LDAP entry is modified, one needs to modify krb5.conf (on all IPA clients, including IPA masters) and kdc.conf (on all IPA masters) to actually allow the Kerberos code to use weak encryption types in its operations.
# /etc/krb5.conf
...
[libdefaults]
allow_weak_crypto = true
...
# /var/kerberos/krb5kdc/kdc.conf
[realms]
F21.TEST = {
supported_enctypes = DEFAULT +des-cbc-crc:v4
}
I’d recommend using the DEFAULT macro for supported_enctypes in kdc.conf because it helps avoid typos and other errors when specifying encryption types. The syntax is described in the manual page for the kdc.conf configuration file.
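To keep an interoperability exception like this from lingering unnoticed, here is an added Python example (not part of the original post) that audits krb5.conf and kdc.conf fragments for allow_weak_crypto and for weak entries in supported_enctypes. The list of enctypes treated as weak and the simple one-setting-per-line parsing are my assumptions; the config fragments are constructed copies of the ones shown above.

```python
import re

# Assumed list of enctypes that MIT Kerberos only enables under allow_weak_crypto;
# adjust it to your own policy.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-cbc-raw",
                 "des3-cbc-raw", "des-hmac-sha1", "arcfour-hmac-exp"}

# Constructed fragments matching the krb5.conf and kdc.conf edits shown above.
KRB5_CONF_WEAK = """\
[libdefaults]
 default_realm = F21.TEST
 allow_weak_crypto = true
"""
KDC_CONF_WEAK = """\
[realms]
 F21.TEST = {
  supported_enctypes = DEFAULT +des-cbc-crc:v4
 }
"""
KRB5_CONF_DEFAULT = "[libdefaults]\n default_realm = F21.TEST\n"
KDC_CONF_DEFAULT = "[realms]\n F21.TEST = {\n  supported_enctypes = DEFAULT\n }\n"

def weak_keysalts(values: list[str]) -> list[str]:
    """Filter enctype[:salt] tokens (as in supported_enctypes or krbSupportedEncSaltTypes)
    down to the weak ones; DEFAULT and '-removed' tokens never add an enctype."""
    weak = []
    for token in values:
        if token.upper() == "DEFAULT" or token.startswith("-"):
            continue
        enctype = token.lstrip("+").split(":", 1)[0].lower()
        if enctype in WEAK_ENCTYPES:
            weak.append(token.lstrip("+"))
    return weak

def audit_weak_crypto(krb5_conf: str, kdc_conf: str) -> dict:
    """Report whether this pair of files enables weak Kerberos encryption types."""
    m = re.search(r"^\s*allow_weak_crypto\s*=\s*(\S+)", krb5_conf, re.MULTILINE)
    allow_weak = bool(m) and m.group(1).lower() in {"true", "yes", "on", "1", "t", "y"}
    weak = []
    for line in re.findall(r"^\s*supported_enctypes\s*=\s*(.+)$", kdc_conf, re.MULTILINE):
        weak += weak_keysalts(line.split())
    return {"allow_weak_crypto": allow_weak, "weak_supported_enctypes": weak}
```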