#7751 add ipaapi user to the list of allowed uids in [ifp] section in sssd configuration
Closed: fixed 2 years ago Opened 2 years ago by abbra.

For smart card authentication and login to the Web UI using certificates, the IPA framework has to be able to issue calls to the SSSD infopipe. This means the ipaapi user has to be in the list of allowed UIDs in the [ifp] section of the SSSD configuration.

Additionally, FreeIPA has to pull in libsss_simpleifp subpackage.

[ifp]
allowed_uids = 0, ipaapi

This configuration snippet can be added to /etc/sssd/conf.d/*


Metadata Update from @abbra:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1639910

2 years ago

Original IFP integration was done via ticket https://pagure.io/freeipa/issue/6225

I'd rather not add a config snippet to /etc/sssd/conf.d but update sssd.conf instead. Allowed UIDs don't add up: SSSD's config loader is implemented as winner takes all. If multiple config files define an option, the last config file overrides all other settings.
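
The override behaviour described above, as an added example that is not part of the thread or of FreeIPA's own code: it emulates SSSD's load order (sssd.conf first, then conf.d/*.conf alphabetically, later values replacing earlier ones) with configparser and shows that a snippet setting `allowed_uids = 0, ipaapi` replaces, rather than extends, a list already present in the main file. The file contents and the `conf.d/ipa-ifp.conf` name are constructed for the demo.

```python
import configparser
import glob
import os
import tempfile


def load_effective_sssd_config(main_conf, conf_d_dir):
    """Emulate SSSD's load order: sssd.conf first, then conf.d/*.conf in
    alphabetical order. A value set in a later file replaces (does not
    extend) the same option from an earlier file. Assumption: this mirrors
    the merge rule described in the thread; it is not SSSD's own loader."""
    files = [main_conf]
    if os.path.isdir(conf_d_dir):
        files += sorted(glob.glob(os.path.join(conf_d_dir, "*.conf")))
    # interpolation=None: sssd.conf values may legitimately contain '%'
    parser = configparser.ConfigParser(interpolation=None)
    parser.read(files)
    return parser


def ifp_allowed_uids(parser):
    """Return the effective [ifp] allowed_uids as a list of tokens."""
    raw = parser.get("ifp", "allowed_uids", fallback="")
    return [tok.strip() for tok in raw.split(",") if tok.strip()]


def build_demo_tree(root):
    """Write a constructed sssd.conf plus a conf.d snippet under root."""
    conf_d = os.path.join(root, "conf.d")
    os.makedirs(conf_d, exist_ok=True)
    main_conf = os.path.join(root, "sssd.conf")
    with open(main_conf, "w") as fh:
        fh.write("[sssd]\nservices = nss, pam, ifp\n\n"
                 "[ifp]\nallowed_uids = 0, apache\n")
    with open(os.path.join(conf_d, "ipa-ifp.conf"), "w") as fh:
        fh.write("[ifp]\nallowed_uids = 0, ipaapi\n")
    return main_conf, conf_d


def demo(root=None):
    """Build the demo tree and return the effective [ifp] allowed_uids."""
    root = root or tempfile.mkdtemp(prefix="sssd-demo-")
    main_conf, conf_d = build_demo_tree(root)
    return ifp_allowed_uids(load_effective_sssd_config(main_conf, conf_d))


if __name__ == "__main__":
    uids = demo()
    print("effective [ifp] allowed_uids:", uids)
    # apache disappears: the snippet replaced the list, it did not add to it
    print("ipaapi allowed:", "ipaapi" in uids, "| apache:", "apache" in uids)
```

Run the same loader against the real /etc/sssd tree (as root) to confirm what the ifp responder will actually enforce after an edit.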

Ok, whatever works. The snippet approach was suggested by @jhrozek originally.

Yes, I just thought that dropping a snippet is easier for the IPA installer. But I agree that modifying the main config file is safer from the point of view of modifying the file later.

Related to the issue: the installer code contains some extra checks to deal with unrecognized services:

def sssd_enable_service(sssdconfig, service):
    try:
        sssdconfig.new_service(service)
    except SSSDConfig.ServiceAlreadyExists:
        pass
    except SSSDConfig.ServiceNotRecognizedError:
        logger.error(
            "Unable to activate the %s service in SSSD config.", service)
        logger.info(
            "Please make sure you have SSSD built with %s support "
            "installed.", service)
        logger.info(
            "Configure %s support manually in /etc/sssd/sssd.conf.", service)

    sssdconfig.activate_service(service)

However the check has a bug and fails to handle unrecognized services:

>>> from SSSDConfig import SSSDConfig
>>> from ipaclient.install.client import sssd_enable_service
>>> sssdconfig = SSSDConfig()
>>> sssdconfig.import_config()
>>> sssd_enable_service(sssdconfig, 'unsupported')
Unable to activate the unsupported service in SSSD config.
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3.7/site-packages/ipaclient/install/client.py", line 1035, in sssd_enable_service
    sssdconfig.activate_service(service)
  File "/usr/lib/python3.7/site-packages/SSSDConfig/__init__.py", line 1693, in activate_service
    raise NoServiceError
SSSDConfig.NoServiceError

The server upgrade code has a more severe bug. It uses SSSDConfig to enable the ifp service, however it never writes the modified config to disk.

The ifp service shouldn't be required to be enabled automatically. It's a D-Bus service and D-Bus should be capable of activating it on its own.

On the other hand, if it's required often on the server, then there's little harm in making sure it's on all the time, and it might actually be safer and more performant (no startup delays, no races on idle timeout...).

Metadata Update from @cheimes:
- Issue assigned to cheimes

2 years ago

Metadata Update from @cheimes:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/2515

2 years ago

master:

  • 8b0f359 Allow ipaapi user to access SSSD's info pipe

ipa-4-7:

  • 785c496 Allow ipaapi user to access SSSD's info pipe

ipa-4-6:

  • 43bb1d2 Allow ipaapi user to access SSSD's info pipe

Metadata Update from @cheimes:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

2 years ago

master:

  • 8a835da certupdate: add commentary about certmonger behaviour

ipa-4-7:

  • 683af82 certupdate: add commentary about certmonger behaviour

ipa-4-6:

  • 35e9f64 certupdate: add commentary about certmonger behaviour

master:

  • d6fd2ad Remove dead code
  • 917d81b Allow HTTPd user to access SSSD IFP
  • 0a2222e Smart card auth advise: Allow Apache user
  • a86abd3 Log stderr in run_command
  • f0e11da Test smart card advise scripts
  • f330c59 Add install/remove package helpers to advise

ipa-4-7:

  • eb0136e Remove dead code
  • 415295a Allow HTTPd user to access SSSD IFP
  • d7d17ec Smart card auth advise: Allow Apache user
  • b56db8d Log stderr in run_command
  • 97776d2 Test smart card advise scripts
  • 6ed90a2 Add install/remove package helpers to advise
  • e05ce4a Python 2 compatibility

master:

  • caffe2e Fix test_advise in nightly runs
