#8236 Enforce a check to prevent adding objects from IPA as external members of external groups
Closed: fixed 2 years ago by abbra. Opened 2 years ago by abbra.

The purpose of external groups in FreeIPA is to be able to reference objects only existing in trusted domains. These members get resolved through SSSD interfaces but there is nothing that prevents SSSD from resolving any IPA user or group if they have security identifiers associated.

Enforce a check that a SID returned by SSSD does not belong to the IPA domain and raise a validation error if this is the case. This would prevent adding IPA users or groups as external members of an external group.
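The check requested above, sketched as an added example; it is not part of the ticket and is not FreeIPA's code. All function names, the `ValidationError` class and the SIDs are constructed for illustration, and the SSSD lookup is assumed to have already returned the string SID.

```python
# Added illustration; not FreeIPA code. Names and SIDs are constructed.
import re

SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$", re.IGNORECASE)

class ValidationError(ValueError):
    """Raised when a candidate external member must be rejected."""

def parse_sid(sid):
    """Return (identifier_authority, [sub_authorities]) for a string SID."""
    m = SID_RE.match(sid.strip())
    if m is None:
        raise ValidationError(f"malformed SID: {sid!r}")
    return int(m.group(1)), [int(x) for x in m.group(2).lstrip("-").split("-")]

def sid_in_domain(object_sid, domain_sid):
    """True if object_sid is domain_sid plus exactly one trailing RID."""
    obj_auth, obj_sub = parse_sid(object_sid)
    dom_auth, dom_sub = parse_sid(domain_sid)
    # Compare whole components, never string prefixes:
    # a domain ending in "-333333333" must not match "-3333333330-1105".
    return obj_auth == dom_auth and obj_sub[:-1] == dom_sub

def validate_external_member(name, resolved_sid, ipa_domain_sid):
    """Reject a resolved member whose SID lies in the local IPA domain."""
    if sid_in_domain(resolved_sid, ipa_domain_sid):
        raise ValidationError(
            f"{name}: SID {resolved_sid} belongs to the IPA domain; "
            "only objects from trusted domains can be external members")
    return resolved_sid

IPA_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-333333333"  # constructed
CANDIDATES = {  # constructed: name -> SID as a resolver might return it
    "admin@ipa.test": "S-1-5-21-1111111111-2222222222-333333333-500",
    "AD\\alice": "S-1-5-21-444444444-555555555-666666666-1104",
    "AD2\\bob": "S-1-5-21-1111111111-2222222222-3333333330-1105",
}

def check_all():
    """Validate every constructed candidate and report the outcome."""
    results = {}
    for name, sid in CANDIDATES.items():
        try:
            validate_external_member(name, sid, IPA_DOMAIN_SID)
            results[name] = "accepted"
        except ValidationError:
            results[name] = "rejected"
    return results
```

The third candidate shares a string prefix with the IPA domain SID but belongs to a different domain, which is why the comparison is done on parsed sub-authorities.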


Metadata Update from @abbra:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1809835

2 years ago

master:

  • 2997a74 Prevent adding IPA objects as external members of external groups

ipa-4-8:

  • 127b8d9 Prevent adding IPA objects as external members of external groups

ipa-4-7:

  • 5a2f27f Prevent adding IPA objects as external members of external groups

ipa-4-6:

  • c14e385 Prevent adding IPA objects as external members of external groups

Metadata Update from @abbra:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

2 years ago

master:

  • c1c45df ipatests: always skip additional input for group-add-member --external

ipa-4-7:

  • 935c356 ipatests: always skip additional input for group-add-member --external

ipa-4-8:

  • 74f36e7 ipatests: always skip additional input for group-add-member --external

ipa-4-6:

  • bce5097 ipatests: fix KeyError in test_sssd
  • 7b9cdfb ipatests: fix group-add-member in test_sssd
