Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1166727
Description of problem:
SSSD should allow only the users listed in pam_trusted_users to authenticate
when pam_public_domains = none. This way other users from the same domain
become untrusted users who should not be allowed to authenticate. However,
untrusted users from the same domain are also allowed to authenticate.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Set up an OpenLDAP server and add two users, user1 and user2.
2. Configure sssd as given below:
[sssd]
config_file_version = 2
domains = LDAP
services = nss, pam
sbus_timeout = 30
debug_level = 0xFFF0

[pam]
pam_trusted_users = user1
pam_public_domains = none

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
debug_level = 5
cache_credentials = FALSE
ldap_uri = ldaps://seaspray.lab.eng.pnq.redhat.com
ldap_tls_cacert = /etc/openldap/certs/server.pem
ldap_search_base = dc=example,dc=com
3. Set up the auth section of /etc/pam.d/password-auth-ac as given below:
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so use_first_pass domains=LDAP
auth required pam_deny.so
4. Execute authentication for both users, user1 and user2.
Actual results:
1. Authentication succeeds for both users.
Expected results:
1. Authentication should succeed for user1.
2. Authentication should fail for user2.
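The access decision the ticket expects from the two [pam] options, as an added illustration that is not SSSD's own code: a requesting user listed in pam_trusted_users (by name or numeric UID) may authenticate against any domain, everyone else only against domains listed in pam_public_domains. The sssd.conf fragment, the section placement and the UIDs are constructed for the example.

```python
import configparser

# Constructed sssd.conf fragment mirroring the ticket's settings; the section
# headers are assumed, the ticket shows the options without them.
SAMPLE_CONF = """
[sssd]
domains = LDAP
services = nss, pam

[pam]
pam_trusted_users = user1
pam_public_domains = none

[domain/LDAP]
id_provider = ldap
"""


def parse_pam_policy(conf_text):
    """Return (trusted_users, public_domains) as sets of strings.

    Defaults follow the documented behaviour: every user is trusted unless
    pam_trusted_users is set, and no domain is public unless
    pam_public_domains is set.
    """
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    trusted = cp.get("pam", "pam_trusted_users", fallback="all")
    public = cp.get("pam", "pam_public_domains", fallback="none")
    split = lambda v: {x.strip() for x in v.split(",") if x.strip()}
    return split(trusted), split(public)


def is_auth_permitted(user, uid, domain, policy):
    """Decide whether a PAM request by `user` (or its UID) for `domain` is allowed."""
    trusted, public = policy
    if "all" in trusted or user in trusted or str(uid) in trusted:
        return True                      # trusted users reach every domain
    if "all" in public:
        return True                      # every domain is public
    if "none" in public:
        return False                     # untrusted user, no public domain
    return domain in public              # untrusted user, explicit public list


def reproduce_ticket():
    """Run the ticket's two users against the LDAP domain; constructed UIDs."""
    policy = parse_pam_policy(SAMPLE_CONF)
    return {name: is_auth_permitted(name, uid, "LDAP", policy)
            for name, uid in (("user1", 10001), ("user2", 10002))}
```

With the ticket's configuration the model yields user1 permitted and user2 denied, which is the expected result the report contrasts with the observed behaviour.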
design_review: => 0
mark: no => 0
owner: somebody => jhrozek
priority: major => critical
review: True => 0
testsupdated: => 0
Downstream needs this fix.
milestone: NEEDS_TRIAGE => SSSD 1.12.3
patch: 0 => 1
resolution: => fixed
status: new => closed
Metadata Update from @jhrozek:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.12.3