Learn more about these different git repos.
Other Git URLs
Description of problem:
A flaw in the SSSD's access-provider logic causes the result of the HBAC rule
processing to be ignored in the event that the access-provider is also handling
the setup of the user's SELinux user context.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Set up a FreeIPA server
2. Enroll a client with ipa-client-install
3. Configure FreeIPA with HBAC rules denying access to a user
3. Configure the FreeIPA server to provide an SELinux user context rule for the
4. Configure SSSD with session_provider = ipa
5. Log in as the above user
User is granted access and has the assigned SELinux user context.
User should be denied by the HBAC rules.
Upstream has a patch ready for this issue.
milestone: NEEDS_TRIAGE => SSSD 1.9.0 RC1
tests: => 0
testsupdated: => 0
upgrade: => 0
owner: somebody => jhrozek
resolution: => fixed
status: new => closed
Metadata Update from @jhrozek:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.9.0 beta 7
SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here:
If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.
to comment on this ticket.