#2603 Make SSSD's HBAC validation more permissive if deny rules are not used
Closed: Fixed None Opened 5 years ago by jhrozek.

ldb's documentation on ldb_dn_explode() which is called by ldb_dn_validate explicitly states:

 282   explode a DN string into a ldb_dn structure
 283   based on RFC4514 except that we don't support multiple valued RDNs
 285   TODO: according to MS-ADTS: Naming Constraints
 286   DN must be compliant with RFC2253
 287 */
 288 static bool ldb_dn_explode(struct ldb_dn *dn)

This breaks if IPA runs into replication errors, which uses mutli-valued RDNs internally.

Ignoring malformed DNs would OK as long as the ipa_hbac_treat_deny_as option is set to DENY_ALL (which is the default). Otherwise, we can't ignore any malformed DN because we can't be sure if it should deny access. This would be OK for 99.99% of deployments as DENY rules are not supported on the server side since ipa-2.1.

So I propose we:
1) Add a new error code that signals that the DN is malformed. Either it failed validation or it doesn't contain the expected fields.
2) If the ipa_hbac_treat_deny_as option is set to DENY_ALL, then skip malformed DNs, but log them
3) Optionally, after dereference, only store objects of the type we're interested in.
4) In master (1.13), deprecate the ipa_hbac_treat_deny_as option and only allow DENY_ALL.

Fields changed

owner: somebody => jhrozek
status: new => assigned

Fields changed

patch: 0 => 1

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.13 alpha

resolution: => fixed
status: assigned => closed

Metadata Update from @jhrozek:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.13 alpha

3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/3644

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Login to comment on this ticket.