For smart card authentication and login to the Web UI using certificates, the IPA framework has to be able to issue calls to the SSSD InfoPipe. This means the ipaapi user has to be in the list of allowed UIDs in the [ifp] section of the SSSD configuration.
Additionally, FreeIPA has to pull in libsss_simpleifp subpackage.
```ini
[ifp]
allowed_uids = 0, ipaapi
```
This configuration snippet can be added to /etc/sssd/conf.d/*
Metadata Update from @abbra: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1639910
Original IFP integration was done via ticket https://pagure.io/freeipa/issue/6225
I'd rather not add a code snippet to /etc/sssd/conf.d but update sssd.conf. Allowed UIDs don't add up. SSSD's config loader is implemented as winner takes all: if multiple config files define an option, then the last config file overrides all other settings.
Ok, whatever works. The snippet approach was suggested by @jhrozek originally.
Yes, I just thought that dropping a snippet is easier for the IPA installer. But I agree that modifying the main config file is safer from the point of view of modifying the file later.
Related to the issue: the installer code contains some extra checks to deal with unrecognized services:

```python
def sssd_enable_service(sssdconfig, service):
    try:
        sssdconfig.new_service(service)
    except SSSDConfig.ServiceAlreadyExists:
        pass
    except SSSDConfig.ServiceNotRecognizedError:
        logger.error(
            "Unable to activate the %s service in SSSD config.", service)
        logger.info(
            "Please make sure you have SSSD built with %s support "
            "installed.", service)
        logger.info(
            "Configure %s support manually in /etc/sssd/sssd.conf.", service)
    # still reached after ServiceNotRecognizedError was logged
    sssdconfig.activate_service(service)
```
However the check has a bug and fails to handle unrecognized services:
```pycon
>>> from SSSDConfig import SSSDConfig
>>> from ipaclient.install.client import sssd_enable_service
>>> sssdconfig = SSSDConfig()
>>> sssdconfig.import_config()
>>> sssd_enable_service(sssdconfig, 'unsupported')
Unable to activate the unsupported service in SSSD config.
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3.7/site-packages/ipaclient/install/client.py", line 1035, in sssd_enable_service
    sssdconfig.activate_service(service)
  File "/usr/lib/python3.7/site-packages/SSSDConfig/__init__.py", line 1693, in activate_service
    raise NoServiceError
SSSDConfig.NoServiceError
```
The server upgrade code has a more severe bug. It uses SSSDConfig to enable the ifp service, however it never writes the modified config to disk.
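A corrected version of the helper, written here as an added example and not the code from the linked pull request: it returns early when SSSD does not recognize the service instead of falling through to activate_service(), and the caller persists the change with write() so the upgrade does not silently lose it. The SSSDConfig stand-in class is a constructed stub that is only used when the real python-sssdconfig module is not importable.

```python
import logging

logger = logging.getLogger(__name__)

try:
    # Real module from the sssd package; the stub below is used only if it is absent.
    from SSSDConfig import (SSSDConfig, ServiceAlreadyExists,
                            ServiceNotRecognizedError, NoServiceError)
except ImportError:  # constructed stand-in mirroring the subset of the API used here
    class ServiceAlreadyExists(Exception):
        pass

    class ServiceNotRecognizedError(Exception):
        pass

    class NoServiceError(Exception):
        pass

    class SSSDConfig:
        KNOWN = ("nss", "pam", "sudo", "ssh", "ifp")   # assumed built-in services

        def __init__(self):
            self.services = {}   # name -> active flag
            self.written = False

        def new_service(self, name):
            if name not in self.KNOWN:
                raise ServiceNotRecognizedError(name)
            if name in self.services:
                raise ServiceAlreadyExists(name)
            self.services[name] = False

        def activate_service(self, name):
            if name not in self.services:
                raise NoServiceError(name)   # same failure the traceback shows
            self.services[name] = True

        def write(self, outputfile=None):
            self.written = True


def sssd_enable_service(sssdconfig, service):
    """Return True if the service is active afterwards, False if SSSD lacks it."""
    try:
        sssdconfig.new_service(service)
    except ServiceAlreadyExists:
        pass
    except ServiceNotRecognizedError:
        logger.error("Unable to activate the %s service in SSSD config.", service)
        logger.info("Configure %s support manually in /etc/sssd/sssd.conf.", service)
        return False   # do not call activate_service(): it would raise NoServiceError
    sssdconfig.activate_service(service)
    return True


def enable_ifp(sssdconfig):
    """Enable ifp and persist it; without write() the in-memory edit is lost."""
    if not sssd_enable_service(sssdconfig, "ifp"):
        return False
    sssdconfig.write()
    return True
```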
The ifp service shouldn't be required to be enabled automatically. It's a D-Bus service and D-Bus should be capable of activating it on its own.
On the other hand, if it's required often on the server, then there's little harm in making sure it's on all the time, and it might actually be safer and more performant (no startup delays, no races on idle timeout..).
Metadata Update from @cheimes: - Issue assigned to cheimes
Metadata Update from @cheimes: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/2515
master:
ipa-4-7:
ipa-4-6:
Metadata Update from @cheimes: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)