Bug 1008000
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | [RFE] Add a new option ad_access_filter | | |
| Product | Red Hat Enterprise Linux 7 | Reporter | Dmitri Pal <dpal> |
| Component | sssd | Assignee | Jakub Hrozek <jhrozek> |
| Status | CLOSED CURRENTRELEASE | QA Contact | Kaushik Banerjee <kbanerje> |
| Severity | unspecified | Docs Contact | |
| Priority | unspecified | | |
| Version | 7.0 | CC | grajaiya, jgalipea, lslebodn, mkosek, pbrezina |
| Target Milestone | rc | Keywords | FutureFeature |
| Target Release | --- | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | sssd-1.11.2-1.el7 | Doc Type | Enhancement |
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | 2014-06-13 10:41:59 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |

Doc Text:

Feature: A new option, ad_access_filter, was added to the AD provider of SSSD.

Reason: Previously, only ldap_access_filter could be used by the administrator. Setting that option with an AD provider required setting several low-level LDAP connection details. Moreover, ldap_access_filter could only be set globally; the new ad_access_filter can also be set per AD domain.

Result (if any): If the ad_access_filter option is set in sssd.conf, only users who match the filter are allowed access to the machine.
Description
Dmitri Pal
2013-09-13 18:08:26 UTC
Design was created and reviewed upstream -> ASSIGNED

Fixed upstream.

sssd-1-11:
5e9833aa7b1a89cbb2c0cf667a99cb0bc4ad7963
2cbf205f3fe25087666ff108c2ad380fd3cbfe46
9dd62f094fb4c1bfb04128de1c3ec20933603046
e37cbdd9be139b9949024c94ae21c12b36a6c180
88ee068181e2b35730f6bc2c71a63c21c476cdd7
0b23970978de5c1088a5dbdd6012800b4db94572

master:
1ce58f139699dd26b8888f4131c996263b6a80a5
67b1fc914190e12ab014c0616b7f0a642fbe6356
efe6b4a9d374339cac2528cdeb43720957c6b7c9
8a05fd320a44636d120a18eb7e9956c7b35b3138
dd2f33603228005a44675f1484c294ea647dbce3
443eb8217741df57d9f58f2098487b91e3404e71

Verified in version 1.11.2-1.el7

Bugs logged against this feature: 1031562, 1032983, 1033133

Output from beaker automation run:

```
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ad_access_control_01: access_provider defaults to ad
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ PASS ] :: Running 'su_wrong_password user1_dom1 Secret123' (Expected 0, got 0)
:: [ PASS ] :: Running 'su_wrong_password user1_dom2 Secret123' (Expected 0, got 0)
:: [ PASS ] :: Running 'su_wrong_password user1_dom3.com Secret123' (Expected 0, got 0)
:: [ LOG ] :: Duration: 14s
:: [ LOG ] :: Assertions: 3 good, 0 bad
:: [ PASS ] :: RESULT: ad_access_control_01: access_provider defaults to ad
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ad_access_control_02: access_provider=ad without any other options denies expired users
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ PASS ] :: Running 'su_wrong_password user1_dom1 Secret123' (Expected 0, got 0)
:: [ PASS ] :: File '/var/log/secure' should contain 'User account has expired'
:: [ PASS ] :: Running 'su_wrong_password user1_dom2 Secret123' (Expected 0, got 0)
:: [ PASS ] :: File '/var/log/secure' should contain 'User account has expired'
:: [ PASS ] :: Running 'su_wrong_password user1_dom3.com Secret123' (Expected 0, got 0)
:: [ PASS ] :: File '/var/log/secure' should contain 'User account has expired'
:: [ LOG ] :: Duration: 14s
:: [ LOG ] :: Assertions: 6 good, 0 bad
:: [ PASS ] :: RESULT: ad_access_control_02: access_provider=ad without any other options denies expired users
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ad_access_control_03: An expired user, even though he matches the filter, is denied access
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ PASS ] :: Running 'su_wrong_password user1_dom1 Secret123' (Expected 0, got 0)
:: [ PASS ] :: File '/var/log/secure' should contain 'User account has expired'
:: [ PASS ] :: Running 'su_wrong_password user1_dom2 Secret123' (Expected 0, got 0)
:: [ PASS ] :: File '/var/log/secure' should contain 'User account has expired'
:: [ PASS ] :: Running 'su_wrong_password user1_dom3.com Secret123' (Expected 0, got 0)
:: [ PASS ] :: File '/var/log/secure' should contain 'User account has expired'
:: [ LOG ] :: Duration: 16s
:: [ LOG ] :: Assertions: 6 good, 0 bad
:: [ PASS ] :: RESULT: ad_access_control_03: An expired user, even though he matches the filter, is denied access
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ad_access_control_04: access_provider=ad without any other options allows non-expired users
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ PASS ] :: Running 'su_success user1_dom1 Secret123' (Expected 0, got 0)
:: [ PASS ] :: Running 'su_success user1_dom2 Secret123' (Expected 0, got 0)
:: [ PASS ] :: Running 'su_success user1_dom3.com Secret123' (Expected 0, got 0)
:: [ LOG ] :: Duration: 8s
:: [ LOG ] :: Assertions: 3 good, 0 bad
:: [ PASS ] :: RESULT: ad_access_control_04: access_provider=ad without any other options allows non-expired users
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ad_access_control_05: ad_access_filter=memberOf=cn=admins,ou=groups,dc=example,dc=com
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ PASS ] :: Running 'su_success user1_dom1 Secret123' (Expected 0, got 0)
:: [ PASS ] :: Running 'su_permission_denied user2_dom1 Secret123' (Expected 0, got 0)
:: [ PASS ] :: File '/var/log/secure' should contain 'Access denied for user user2_dom1'
:: [ PASS ] :: Running 'su_permission_denied user1_dom2 Secret123' (Expected 0, got 0)
:: [ PASS ] :: Running 'su_permission_denied user1_dom3.com Secret123' (Expected 0, got 0)
:: [ LOG ] :: Duration: 11s
:: [ LOG ] :: Assertions: 5 good, 0 bad
:: [ PASS ] :: RESULT: ad_access_control_05: ad_access_filter=memberOf=cn=admins,ou=groups,dc=example,dc=com
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ad_access_control_06: ad_access_filter=(cn=user)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ PASS ] :: Running 'su_success user1_dom1 Secret123' (Expected 0, got 0)
:: [ PASS ] :: Running 'su_permission_denied user2_dom1 Secret123' (Expected 0, got 0)
:: [ PASS ] :: Running 'su_permission_denied user1_dom2 Secret123' (Expected 0, got 0)
:: [ PASS ] :: Running 'su_permission_denied user1_dom3.com Secret123' (Expected 0, got 0)
:: [ PASS ] :: File '/var/log/secure' should contain 'Access denied for user user2_dom1'
:: [ PASS ] :: File '/var/log/secure' should contain 'Access denied for user user1_dom2'
:: [ PASS ] :: File '/var/log/secure' should contain 'Access denied for user user1_dom3.com'
:: [ LOG ] :: Duration: 12s
:: [ LOG ] :: Assertions: 7 good, 0 bad
:: [ PASS ] :: RESULT: ad_access_control_06: ad_access_filter=(cn=user)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ad_access_control_07: ad_access_filter=dom1:(memberOf=cn=admins,ou=groups,dc=example,dc=com)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ PASS ] :: Running 'su_success user1_dom1 Secret123' (Expected 0, got 0)
:: [ PASS ] :: Running 'su_permission_denied user2_dom1 Secret123' (Expected 0, got 0)
:: [ PASS ] :: File '/var/log/secure' should contain 'Access denied for user user2_dom1'
:: [ PASS ] :: Running 'su_permission_denied user1_dom2 Secret123' (Expected 0, got 0)
:: [ PASS ] :: Running 'su_permission_denied user1_dom3.com Secret123' (Expected 0, got 0)
:: [ LOG ] :: Duration: 11s
:: [ LOG ] :: Assertions: 5 good, 0 bad
:: [ PASS ] :: RESULT: ad_access_control_07: ad_access_filter=dom1:(memberOf=cn=admins,ou=groups,dc=example,dc=com)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ad_access_control_08: ad_access_filter=DOM:dom2:(memberOf=cn=admins,ou=groups,dc=example,dc=com)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ PASS ] :: Running 'su_permission_denied user1_dom1 Secret123' (Expected 0, got 0)
:: [ PASS ] :: Running 'su_permission_denied user1_dom2 Secret123' (Expected 0, got 0)
:: [ PASS ] :: Running 'su_success user1_dom3.com Secret123' (Expected 0, got 0)
:: [ PASS ] :: Running 'su_permission_denied user2_dom3.com Secret123' (Expected 0, got 0)
:: [ PASS ] :: File '/var/log/secure' should contain 'Access denied for user user2_dom3.com'
:: [ LOG ] :: Duration: 11s
:: [ LOG ] :: Assertions: 5 good, 0 bad
:: [ PASS ] :: RESULT: ad_access_control_08: ad_access_filter=DOM:dom2:(memberOf=cn=admins,ou=groups,dc=example,dc=com)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ad_access_control_09: ad_access_filter=FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ FAIL ] :: Running 'su_success user1_dom1 Secret123' (Expected 0, got 1)
:: [ FAIL ] :: Running 'su_permission_denied user1_dom2 Secret123' (Expected 0, got 1)
:: [ FAIL ] :: Running 'su_permission_denied user1_dom3.com Secret123' (Expected 0, got 1)
:: [ LOG ] :: Duration: 1m 7s
:: [ LOG ] :: Assertions: 0 good, 3 bad
:: [ FAIL ] :: RESULT: ad_access_control_09: ad_access_filter=FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)
```

This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.
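The test run above exercises the five shapes an ad_access_filter value can take (a bare filter, a parenthesised filter, `domain:(filter)`, `DOM:domain:(filter)` and `FOREST:forest:(filter)`). The Python below is an added example, not SSSD's code and not part of this bug: it reimplements the option syntax as the sssd-ad(5) man page documents it (an optional `DOM:` or `FOREST:` keyword, a name, a filter; several entries joined with `?`; the most specific entry wins, DOM over FOREST over global, first listed on ties) so the per-domain selection can be reasoned about offline. The names `AccessRule`, `parse_rule`, `parse_ad_access_filter` and `select_filter` are mine. Two things are assumptions: a bare `attr=value` filter (test 05) is wrapped in parentheses, and domain and forest names compare case-insensitively. What SSSD does when no entry covers a user's domain is not modelled; the selector just returns None.

```python
"""Parse SSSD's ad_access_filter value and pick the filter for a domain.

Added example, not SSSD's own code. It follows the syntax documented in
sssd-ad(5): "[KEYWORD:]NAME:FILTER" with KEYWORD = DOM | FOREST, or a
bare FILTER that applies to every domain; entries are joined with '?',
and the most specific entry (DOM over FOREST over global) wins.
"""
from dataclasses import dataclass
from typing import List, Optional

KEYWORDS = ("DOM", "FOREST")  # upper-case, as written in the man page


@dataclass(frozen=True)
class AccessRule:
    scope: str            # "GLOBAL", "DOM" or "FOREST"
    name: Optional[str]   # domain or forest name (lower-cased); None for GLOBAL
    ldap_filter: str      # the LDAP filter, always parenthesised


def _wrap(flt: str) -> str:
    # Assumption: a bare 'attr=value' (as in test 05) is wrapped in
    # parentheses, the way ldap_access_filter treats such values.
    flt = flt.strip()
    if not flt:
        raise ValueError("empty filter")
    return flt if flt.startswith("(") else "(" + flt + ")"


def parse_rule(text: str) -> AccessRule:
    """Parse one '[KEYWORD:]NAME:FILTER' or bare 'FILTER' entry."""
    text = text.strip()
    # A parenthesised filter, or one with no ':' at all, is global. Testing
    # for '(' first keeps an OID such as memberOf:1.2.840.113556.1.4.1941:
    # inside a parenthesised global filter from being read as a prefix.
    if text.startswith("(") or ":" not in text:
        return AccessRule("GLOBAL", None, _wrap(text))
    head, rest = text.split(":", 1)
    if head in KEYWORDS:
        if ":" not in rest:
            raise ValueError(f"{head}: prefix without a name in {text!r}")
        name, flt = rest.split(":", 1)
        return AccessRule(head, name.lower(), _wrap(flt))
    # No keyword: the first field is a domain name, so DOM is implied.
    # A bare, unparenthesised filter containing an OID would land here and
    # be misread; that is why the man page requires the full DOM: form for
    # nested-group (OID) filters.
    return AccessRule("DOM", head.lower(), _wrap(rest))


def parse_ad_access_filter(value: str) -> List[AccessRule]:
    """Split the option value on '?' (the separator search bases also use)."""
    return [parse_rule(part) for part in value.split("?") if part.strip()]


def select_filter(rules: List[AccessRule], domain: str, forest: str) -> Optional[str]:
    """Return the filter that applies to a user from `domain` in `forest`.

    Most specific wins: a DOM entry for the domain, then a FOREST entry for
    its forest, then a global entry; ties go to the first entry listed.
    None means no entry covers the domain (SSSD's behaviour in that case is
    not modelled here). Name comparison is case-insensitive (assumption).
    """
    domain, forest = domain.lower(), forest.lower()
    for scope, wanted in (("DOM", domain), ("FOREST", forest), ("GLOBAL", None)):
        for rule in rules:
            if rule.scope == scope and rule.name == wanted:
                return rule.ldap_filter
    return None


if __name__ == "__main__":
    # The five values from tests 05-09 above, applied to the three test
    # domains. Putting all three domains in forest example.com is assumed.
    admins = "(memberOf=cn=admins,ou=groups,dc=example,dc=com)"
    for value in ("memberOf=cn=admins,ou=groups,dc=example,dc=com",
                  "(cn=user)",
                  "dom1:" + admins,
                  "DOM:dom2:" + admins,
                  "FOREST:EXAMPLE.COM:" + admins):
        rules = parse_ad_access_filter(value)
        for dom in ("dom1", "dom2", "dom3.com"):
            print(f"{value!r:72} {dom:9} -> {select_filter(rules, dom, 'example.com')}")
```

Running the script shows why test 07 (`dom1:(...)`) and test 08 (`DOM:dom2:(...)`) restrict only the named domain while tests 05 and 06 constrain every domain: the keyword-less `dom1:` form is parsed exactly like `DOM:dom1:`, and a parenthesised filter with no prefix is global.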