c14e385 Prevent adding IPA objects as external members of external groups

Authored and Committed by abbra 4 years ago
    Prevent adding IPA objects as external members of external groups
    
    The purpose of external groups in FreeIPA is to be able to reference
    objects only existing in trusted domains. These members get resolved
    through SSSD interfaces but there is nothing that prevents SSSD from
    resolving any IPA user or group if they have security identifiers
    associated.
    
    Enforce a check that a SID returned by SSSD does not belong to the IPA
    domain and raise a validation error if this is the case. This would
    prevent adding IPA users or groups as external members of an external
    group.
    
    RN: Command 'ipa group-add-member' allowed to specify any user or group
    RN: for the '--external' option. A stricter check is added to verify that
    RN: a group or user to be added as an external member does not come
    RN: from the IPA domain.
    
    Fixes: https://pagure.io/freeipa/issue/8236
    Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
    Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
    
file modified
+6 -1
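The rule the commit message describes, written out as an added Python illustration; this is not FreeIPA's own code (the commit's diff itself is not shown on this page). The IPA domain SID, the SSSD-style resolver results, the function names and the `ValidationError` class are all constructed for the example. A SID of the form `S-1-5-21-A-B-C-RID` is split into its domain part (everything before the final RID) and compared with the domain SID of the local IPA domain; a match means the object is an IPA user or group and must be rejected as an external member.

```python
"""Added example (not FreeIPA's own code): reject candidates whose SID
belongs to the IPA domain when adding '--external' members to a group.
"""
import re

# Constructed placeholder. A real deployment would read its own domain SID
# from the IPA domain configuration; this value is made up for the demo.
IPA_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

# 'S-1-<authority>-<subauth>[-<subauth>...]' with at least one sub-authority.
_SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


class ValidationError(ValueError):
    """Stand-in for the validation error the command would raise."""


def parse_sid(sid):
    """Validate a SID string and split it into (domain_sid, rid).

    The domain part is everything except the last sub-authority, which is
    the relative identifier (RID) of the object inside that domain.
    """
    sid = sid.strip().upper()
    if not _SID_RE.match(sid):
        raise ValidationError("not a valid SID: %r" % sid)
    parts = sid.split("-")
    return "-".join(parts[:-1]), int(parts[-1])


def sid_belongs_to_ipa_domain(sid, ipa_domain_sid=IPA_DOMAIN_SID):
    """True when the SID's domain part equals the local IPA domain SID."""
    domain_sid, _rid = parse_sid(sid)
    return domain_sid == ipa_domain_sid.upper()


def check_external_member(name, resolved_sid, ipa_domain_sid=IPA_DOMAIN_SID):
    """Apply the commit's rule: an object that SSSD resolved to a SID from
    the IPA domain is not a trusted-domain object and is refused."""
    if sid_belongs_to_ipa_domain(resolved_sid, ipa_domain_sid):
        raise ValidationError(
            "%s (%s) is an IPA domain object and cannot be added as an "
            "external member" % (name, resolved_sid))
    return resolved_sid


# Constructed resolver results standing in for what SSSD would return:
# one IPA user (same domain SID as above) and one trusted-domain user.
SAMPLE_RESOLVED = {
    "ipauser": "S-1-5-21-1111111111-2222222222-3333333333-1001",
    "AD\\aduser": "S-1-5-21-4444444444-5555555555-6666666666-1105",
}


def filter_external_members(names, resolved=SAMPLE_RESOLVED,
                            ipa_domain_sid=IPA_DOMAIN_SID):
    """Return (accepted_sids, rejected) for a list of candidate members;
    rejected maps each refused name to the validation message."""
    accepted, rejected = [], {}
    for name in names:
        try:
            accepted.append(
                check_external_member(name, resolved[name], ipa_domain_sid))
        except ValidationError as exc:
            rejected[name] = str(exc)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = filter_external_members(list(SAMPLE_RESOLVED))
    print("accepted:", ok)
    print("rejected:", bad)
```

With the constructed inputs, `ipauser` is refused because its domain part equals the IPA domain SID, while `AD\aduser` is accepted. Comparing the full domain prefix rather than only the `S-1-5-21` authority is what distinguishes the local domain from any trusted domain, since every domain SID shares that authority.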