Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1166727
Description of problem:
SSSD should allow only the users listed in pam_trusted_users to authenticate,
when pam_public_domains = none. This way other users from the same domain
become untrusted users who shouldn't be allowed to auth. However, untrusted
users from the same domain are also allowed to authenticate.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Set up an openldap server and add two users, user1 & user2.
2. Configure sssd as given below:
config_file_version = 2
domains = LDAP
services = nss, pam
sbus_timeout = 30
debug_level = 0xFFF0
pam_trusted_users = user1
pam_public_domains = none
id_provider = ldap
auth_provider = ldap
debug_level = 5
cache_credentials = FALSE
ldap_uri = ldaps://seaspray.lab.eng.pnq.redhat.com
ldap_tls_cacert = /etc/openldap/certs/server.pem
ldap_search_base = dc=example,dc=com
3. Set up the auth section of /etc/pam.d/password-auth-ac as given below:
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so use_first_pass domains=LDAP
auth required pam_deny.so
4. Execute authentication for both users, user1 and user2.
Actual results:
1. Auth succeeds for both the users.
Expected results:
1. Authentication should succeed for user1.
2. Authentication should fail for user2.
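The expected results above can be written down as a test oracle for a regression check. The following Python code is an added example, not part of the ticket or of SSSD's own code: it parses an sssd.conf and returns the outcome the reporter expects for each user and domain. The section headers in the constructed sample are an assumption (the ticket text shows none), and trusted users are matched by name only.

```python
import configparser

# Constructed sample: option values come from the ticket; the section
# headers are an assumption, since the ticket text shows none.
SAMPLE_CONF = """
[sssd]
domains = LDAP
services = nss, pam

[pam]
pam_trusted_users = user1
pam_public_domains = none

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
"""

def _csv(value):
    return [item.strip() for item in value.split(",") if item.strip()]

def load_policy(conf_text):
    """Return (trusted users or None, public domains, configured domains)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    pam = cp["pam"] if cp.has_section("pam") else {}
    domains = _csv(cp.get("sssd", "domains", fallback=""))
    # Option absent: every user is treated as trusted (None means "no list").
    trusted = set(_csv(pam["pam_trusted_users"])) if "pam_trusted_users" in pam else None
    public_raw = pam.get("pam_public_domains", "none").strip()
    if public_raw.lower() == "all":
        public = set(domains)
    elif public_raw.lower() == "none":
        public = set()
    else:
        public = set(_csv(public_raw))
    return trusted, public, domains

def expected_auth(conf_text, user, domain):
    """True if the ticket's expected behaviour lets `user` authenticate."""
    trusted, public, domains = load_policy(conf_text)
    if domain not in domains:
        return False
    if trusted is None or user in trusted:
        return True
    return domain in public  # untrusted users reach public domains only

def expected_matrix(conf_text, users):
    _, _, domains = load_policy(conf_text)
    return {(u, d): expected_auth(conf_text, u, d) for u in users for d in domains}
```

Comparing `expected_matrix()` with the results of real authentication attempts against a test host shows whether an installed SSSD build still lets untrusted users through.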
design_review: => 0
mark: no => 0
owner: somebody => jhrozek
priority: major => critical
review: True => 0
testsupdated: => 0
Downstream needs this fix.
milestone: NEEDS_TRIAGE => SSSD 1.12.3
patch: 0 => 1
resolution: => fixed
status: new => closed
Metadata Update from @jhrozek:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.12.3
SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here:
If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.