#2603 Make SSSD's HBAC validation more permissive if deny rules are not used
Closed: Fixed. Opened 3 years ago by jhrozek.

ldb's documentation on ldb_dn_explode() which is called by ldb_dn_validate explicitly states:

   explode a DN string into a ldb_dn structure
   based on RFC4514 except that we don't support multiple valued RDNs

   TODO: according to MS-ADTS:3.1.1.5.2 Naming Constraints
   DN must be compliant with RFC2253
 */
 static bool ldb_dn_explode(struct ldb_dn *dn)

This breaks if IPA runs into replication errors, which use multi-valued RDNs internally.

Ignoring malformed DNs would be OK as long as the ipa_hbac_treat_deny_as option is set to DENY_ALL (which is the default). Otherwise, we can't ignore any malformed DN because we can't be sure if it should deny access. This would be OK for 99.99% of deployments as DENY rules are not supported on the server side since ipa-2.1.

So I propose we:
1) Add a new error code that signals that the DN is malformed. Either it failed validation or it doesn't contain the expected fields.
2) If the ipa_hbac_treat_deny_as option is set to DENY_ALL, then skip malformed DNs, but log them
3) Optionally, after dereference, only store objects of the type we're interested in.
4) In master (1.13), deprecate the ipa_hbac_treat_deny_as option and only allow DENY_ALL.
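The gate described in points 1 to 3 above, as an added illustration that is not SSSD's code and not part of the ticket. SSSD's real HBAC code calls ldb_dn_validate(); here a small stand-in checker (dn_check) rejects DNs with a multi-valued RDN (the `+` form ldb_dn_explode does not support) and DNs whose leading RDN attribute is not the one we expect for the object type. The error and mode names, the expected attribute "ipaUniqueID" and the sample DNs are assumptions made for the example. The hypothetical ipa_hbac_treat_deny_as values are modelled by enum deny_mode.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical error codes for this example (the ticket asks for one new
 * "malformed DN" code covering both failed validation and missing fields). */
enum dn_err { DN_OK = 0, DN_MALFORMED, DN_UNEXPECTED_OBJECT };
/* Models ipa_hbac_treat_deny_as: DENY_ALL is the default on the page. */
enum deny_mode { HBAC_DENY_ALL, HBAC_OTHER };

/* Simplified RFC4514-style check: each RDN is attr=value, backslash escapes
 * are honoured, and a '+' (multi-valued RDN) is treated as malformed, as
 * ldb_dn_explode would. If expected_attr is set, the first RDN's attribute
 * must match it (case-insensitive); otherwise DN_UNEXPECTED_OBJECT. */
static enum dn_err dn_check(const char *dn, const char *expected_attr)
{
    const char *p = dn, *first_attr = dn;
    size_t first_attr_len = 0;
    bool first_rdn = true;

    if (dn == NULL || *dn == '\0')
        return DN_MALFORMED;

    for (;;) {
        const char *attr = p;
        bool seen_eq = false;

        for (; *p != '\0' && *p != ','; p++) {
            if (*p == '\\') {               /* escaped character */
                if (p[1] == '\0')
                    return DN_MALFORMED;    /* trailing backslash */
                p++;
                continue;
            }
            if (*p == '+')
                return DN_MALFORMED;        /* multi-valued RDN */
            if (*p == '=' && !seen_eq) {
                if (p == attr)
                    return DN_MALFORMED;    /* empty attribute name */
                seen_eq = true;
                if (first_rdn) {
                    first_attr = attr;
                    first_attr_len = (size_t)(p - attr);
                }
            }
        }
        if (!seen_eq)
            return DN_MALFORMED;            /* RDN without '=' */
        first_rdn = false;

        if (*p == '\0') {
            if (expected_attr != NULL &&
                (strlen(expected_attr) != first_attr_len ||
                 strncasecmp(first_attr, expected_attr, first_attr_len) != 0))
                return DN_UNEXPECTED_OBJECT;
            return DN_OK;
        }
        p++;                                /* skip ',' to the next RDN */
    }
}

/* Apply the proposal to member DNs obtained by dereferencing a rule.
 * Good DNs are copied to 'kept'. A bad DN is skipped (and logged) only
 * when deny rules are treated as DENY_ALL; in any other mode it is a hard
 * error, because the dropped DN might have been one that should deny access.
 * Returns the number kept, or -1 on a hard error. */
static int hbac_filter_dns(const char *const *dns, size_t ndns,
                           enum deny_mode mode, const char *expected_attr,
                           const char **kept)
{
    int nkept = 0;

    for (size_t i = 0; i < ndns; i++) {
        if (dn_check(dns[i], expected_attr) == DN_OK) {
            kept[nkept++] = dns[i];
            continue;
        }
        if (mode != HBAC_DENY_ALL) {
            fprintf(stderr, "Malformed DN [%s] and deny rules are not "
                    "DENY_ALL; refusing to evaluate\n", dns[i]);
            return -1;
        }
        fprintf(stderr, "Skipping malformed DN [%s]\n", dns[i]);
    }
    return nkept;
}

int main(void)
{
    /* Constructed sample input: the middle DN has the multi-valued RDN
     * shape that a replication conflict can produce. */
    const char *const dns[] = {
        "ipaUniqueID=1,cn=hbac,dc=example,dc=com",
        "ipaUniqueID=2+nsuniqueid=3,cn=hbac,dc=example,dc=com",
        "ipaUniqueID=4,cn=hbac,dc=example,dc=com",
    };
    const char *kept[3];

    printf("DENY_ALL: kept %d of 3\n",
           hbac_filter_dns(dns, 3, HBAC_DENY_ALL, "ipaUniqueID", kept));
    printf("other mode: %d (refused)\n",
           hbac_filter_dns(dns, 3, HBAC_OTHER, "ipaUniqueID", kept));
    return 0;
}
```

The practitioner's takeaway is the gate in hbac_filter_dns: the decision to drop a DN must depend on the deny mode, not only on whether the DN parsed, or a missing deny rule silently turns into an allow.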


Fields changed

owner: somebody => jhrozek
status: new => assigned

Fields changed

patch: 0 => 1

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.13 alpha

resolution: => fixed
status: assigned => closed

Metadata Update from @jhrozek:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.13 alpha

2 years ago
