#1227 The IPA provider should check expiration policies in addition to HBAC rules
Closed: Fixed None Opened 7 years ago by msauton.

Issue related to Red Hat bugzilla 797300 and Salesforce case number 00546988 with an LDAP provider.

Using an IPA provider, trying to configure SSSD to not allow disabled IPA account to do SSH key auth:

have

UsePAM yes

in /etc/ssh/sshd_config

and tried SSH key auth on disabled IPA account without (default) and with the last 3 lines added to
/etc/sssd/sssd.conf under my [domain/example.com]

...
id_provider = ipa
auth_provider = ipa
access_provider = ipa
...
# added for test
ldap_account_expire_policy = ipa
ldap_access_order=expire

ssh login was granted, but may be I was missing some SSSD configuration statements.

tested with:

Red Hat Enterprise Linux Server release 6.2 (Santiago)
Linux ipaclient1.example.com 2.6.32-220.el6.x86_64 #1 SMP Wed Nov 9 08:03:13 EST 2011 x86_64 x86_64 x86_64 GNU/Linux
ipa-python-2.1.3-9.el6.x86_64
libipa_hbac-python-1.8.0-2.el6.beta2.x86_64
sssd-debuginfo-1.8.0-2.el6.beta2.x86_64
libipa_hbac-devel-1.8.0-2.el6.beta2.x86_64
sssd-client-1.8.0-2.el6.beta2.x86_64
sssd-tools-1.8.0-2.el6.beta2.x86_64
ipa-client-2.1.3-9.el6.x86_64
ipa-admintools-2.1.3-9.el6.x86_64
libipa_hbac-1.8.0-2.el6.beta2.x86_64
sssd-1.8.0-2.el6.beta2.x86_64

adding Stephen G. comments:

Please open a bug. This is actually something we don't have implemented
yet for the IPA provider. Right now you have an either-or choice. You
can either use access_provider = ipa and get HBAC support for
access-control, OR you can use access_provicder = ldap and use the two
options you specified above.

We really need an RFE to allow using both. Probably we should just make
access_provider = ldap honor ldap_access_order in addition to HBAC
rules.


Fields changed

description: Issue related to Red Hat bugzilla 797300 and Salesforce case number 00546988 with an LDAP provider.

Using an IPA provider, trying to configure SSSD to not allow disabled IPA account to do SSH key auth:

have
UsePAM yes
in /etc/ssh/sshd_config

and tried SSH key auth on disabled IPA account without (default) and with the last 3 lines added to
/etc/sssd/sssd.conf under my [domain/example.com]
...
id_provider = ipa
auth_provider = ipa
access_provider = ipa
...

added for test

ldap_account_expire_policy = ipa
ldap_access_order=expire

ssh login was granted, but may be I was missing some SSSD configuration statements.

tested with:

Red Hat Enterprise Linux Server release 6.2 (Santiago)
Linux ipaclient1.example.com 2.6.32-220.el6.x86_64 #1 SMP Wed Nov 9 08:03:13 EST 2011 x86_64 x86_64 x86_64 GNU/Linux
ipa-python-2.1.3-9.el6.x86_64
libipa_hbac-python-1.8.0-2.el6.beta2.x86_64
sssd-debuginfo-1.8.0-2.el6.beta2.x86_64
libipa_hbac-devel-1.8.0-2.el6.beta2.x86_64
sssd-client-1.8.0-2.el6.beta2.x86_64
sssd-tools-1.8.0-2.el6.beta2.x86_64
ipa-client-2.1.3-9.el6.x86_64
ipa-admintools-2.1.3-9.el6.x86_64
libipa_hbac-1.8.0-2.el6.beta2.x86_64
sssd-1.8.0-2.el6.beta2.x86_64

adding Stephen G. comments:
"
Please open a bug. This is actually something we don't have implemented
yet for the IPA provider. Right now you have an either-or choice. You
can either use access_provider = ipa and get HBAC support for
access-control, OR you can use access_provicder = ldap and use the two
options you specified above.

We really need an RFE to allow using both. Probably we should just make
access_provider = ldap honor ldap_access_order in addition to HBAC
rules.
" => Issue related to Red Hat bugzilla 797300 and Salesforce case number 00546988 with an LDAP provider.

Using an IPA provider, trying to configure SSSD to not allow disabled IPA account to do SSH key auth:

have
{{{
UsePAM yes
}}}
in /etc/ssh/sshd_config

and tried SSH key auth on disabled IPA account without (default) and with the last 3 lines added to
/etc/sssd/sssd.conf under my [domain/example.com]
{{{
...
id_provider = ipa
auth_provider = ipa
access_provider = ipa
...

added for test

ldap_account_expire_policy = ipa
ldap_access_order=expire
}}}

ssh login was granted, but may be I was missing some SSSD configuration statements.

tested with:
{{{
Red Hat Enterprise Linux Server release 6.2 (Santiago)
Linux ipaclient1.example.com 2.6.32-220.el6.x86_64 #1 SMP Wed Nov 9 08:03:13 EST 2011 x86_64 x86_64 x86_64 GNU/Linux
ipa-python-2.1.3-9.el6.x86_64
libipa_hbac-python-1.8.0-2.el6.beta2.x86_64
sssd-debuginfo-1.8.0-2.el6.beta2.x86_64
libipa_hbac-devel-1.8.0-2.el6.beta2.x86_64
sssd-client-1.8.0-2.el6.beta2.x86_64
sssd-tools-1.8.0-2.el6.beta2.x86_64
ipa-client-2.1.3-9.el6.x86_64
ipa-admintools-2.1.3-9.el6.x86_64
libipa_hbac-1.8.0-2.el6.beta2.x86_64
sssd-1.8.0-2.el6.beta2.x86_64
}}}

adding Stephen G. comments:

Please open a bug. This is actually something we don't have implemented
yet for the IPA provider. Right now you have an either-or choice. You
can either use access_provider = ipa and get HBAC support for
access-control, OR you can use access_provicder = ldap and use the two
options you specified above.

We really need an RFE to allow using both. Probably we should just make
access_provider = ldap honor ldap_access_order in addition to HBAC
rules.

Fields changed

component: SSSD => IPA Provider
summary: rfe auth_provider ipa, ldap_account_expire_policy ipa, ldap_access_order expire, for disabled account and ssh key auth => The IPA provider should check expiration policies in addition to HBAC rules

Fields changed

priority: major => critical

Fields changed

type: defect => enhancement

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.8.1 (LTM)
type: enhancement => defect

Fields changed

owner: somebody => sgallagh
status: new => assigned

Fields changed

patch: 0 => 1

Fixed by:
- master
- 8372129
- d10350e
- sssd-1-8
- 559ce4c
- 2424e15

resolution: => fixed
status: assigned => closed

Metadata Update from @msauton:
- Issue assigned to sgallagh
- Issue set to the milestone: SSSD 1.8.1 (LTM)

2 years ago

Login to comment on this ticket.

Metadata