#3904 ad_access_filter not working anymore in sssd 1.16.0
Closed: wontfix a year ago by pbrezina. Opened 2 years ago by automatedzombies.

Hello everyone,

I have a running sssd integration on REL/OEL 6/7 that is running sssd 1.15.2 and using the following ad_access_filter, and everything works as expected:

ad_access_filter = DOM:testad.local:(memberOf:1.2.840.113556.1.4.1941:=CN=some,OU=ACL,OU=Services,OU=Company,DC=testad,DC=local)

In Amazon Linux 2 running sssd 1.16.0 the same filter is not allowing access via SSH to the hosts.

The id lookup, sudo and everything else works as expected.
Using the simple access_provider and the same group works.

Any ideas?

No good ideas in the absence of logs.

Keep in mind the user access filter is applied atop the user entry itself. The only thing I can think of is if the sssd was contacting the GC instead of the LDAP port, maybe the search filter then doesn't work because it is hitting some domain-local groups in the middle of the group membership tree? Disabling the GC temporarily for a test (ad_enable_gc=false) might be a good thing to at least try.

In general, for restricting group memberships, especially given nested groups, the simple access provider is a better choice. There is one problem though -- in case you bypass the PAM stack during authentication (e.g. if you authenticate with an ssh key) then the simple access provider does not check account expiration, the LDAP/AD access providers do.
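
The two setups discussed in this thread, written out as an sssd.conf fragment. This is an added example, not part of the thread and not taken from the reporter's system; the section name and the `simple_allow_groups` value are assumptions derived from the filter quoted above.

```ini
# Constructed example. Section name assumed from the DOM: prefix in the filter.
[domain/testad.local]
id_provider = ad
# Debug level used for the logs attached to this issue.
debug_level = 9

# Variant A: AD access provider with the nested-group filter from the report.
access_provider = ad
ad_access_filter = DOM:testad.local:(memberOf:1.2.840.113556.1.4.1941:=CN=some,OU=ACL,OU=Services,OU=Company,DC=testad,DC=local)
# Test suggested in the thread: evaluate the filter over LDAP, not the Global Catalog.
ad_enable_gc = false

# Variant B: simple access provider (use instead of Variant A, not together).
# Group name "some" is assumed from the CN in the filter above.
# Per the thread, account expiration is not checked by this provider when
# PAM authentication is bypassed (e.g. SSH key login).
#access_provider = simple
#simple_allow_groups = some
```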

Hi Jakub,

I've disabled GC and got the same result: not able to log in.

I've attached all the logs with lvl 9 enabled. Please take a look over them when you have the time/energy.

I need the AD provider to work as it worked in the 1.15.2.
The simple provider is very tempting but until the account expiration is supported I cannot use it.

Thank you!


Metadata Update from @pbrezina:
- Issue tagged with: Canditate to close

a year ago

Thank you for taking time to submit this request for SSSD. Unfortunately this issue was not given priority and the team lacks the capacity to work on it at this time.

Given that we are unable to fulfill this request I am closing the issue as wontfix.

If the issue still persists on recent SSSD you can request re-consideration of this decision by reopening this issue. Please provide additional technical details about its importance to you.

Thank you for understanding.

Metadata Update from @pbrezina:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

a year ago

SSSD is moving from Pagure to GitHub. This means that new issues and pull requests
will be accepted only in SSSD's GitHub repository.

This issue has been cloned to GitHub and is available here:
- https://github.com/SSSD/sssd/issues/4889

If you want to receive further updates on the issue, please navigate to the GitHub issue
and click on the subscribe button.

Thank you for understanding. We apologize for all inconvenience.
