| Summary: | [RFE] Add a new option ad_access_filter | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Dmitri Pal <dpal> |
| Component: | sssd | Assignee: | Jakub Hrozek <jhrozek> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Kaushik Banerjee <kbanerje> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.0 | CC: | grajaiya, jgalipea, lslebodn, mkosek, pbrezina |
| Target Milestone: | rc | Keywords: | FutureFeature |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | sssd-1.11.2-1.el7 | Doc Type: | Enhancement |
| Doc Text: | Feature: A new option, ad_access_filter, was added to the AD provider of SSSD.<br>Reason: Previously, only ldap_access_filter could be used by the administrator. Setting that option with an AD provider required setting several low-level LDAP connection details. Moreover, ldap_access_filter could only be used globally; the new ad_access_filter can also be set per AD domain.<br>Result (if any): If the ad_access_filter option is set in the sssd.conf file, only users who match the filter are allowed access to the machine. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2014-06-13 10:41:59 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
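The following sssd.conf fragment is an added illustration of the option described in the Doc Text above; it is not taken from the bug report or from the SSSD project's own documentation. The domain name `example.com`, the section layout and the `cn=admins,ou=groups,dc=example,dc=com` group DN are constructed for the example; the filter value and the `DOM:`/`FOREST:` prefixed forms are the ones exercised by the beaker test names recorded further down on this page.

```ini
# Added example (not from the bug report): /etc/sssd/sssd.conf fragment for an
# AD-joined RHEL 7 host. Domain name and group DN are constructed placeholders.
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ad
# Test ad_access_control_01 on this page checks that access_provider defaults
# to ad; with no further options the AD provider denies expired accounts
# (tests 02-04).
access_provider = ad

# Before this RFE: the generic LDAP access filter. Per the Doc Text, using it
# with an AD provider meant spelling out low-level LDAP connection details by
# hand, and it could only be set globally.
# ldap_access_filter = (memberOf=cn=admins,ou=groups,dc=example,dc=com)

# With this RFE: the AD-provider option. Only users matching the filter are
# allowed in; an expired account that matches is still denied (test 03).
ad_access_filter = (memberOf=cn=admins,ou=groups,dc=example,dc=com)

# Per-domain and per-forest forms, as they appear in tests 08 and 09 on this
# page. The FOREST-prefixed case is the one recorded as FAIL in this run.
# ad_access_filter = DOM:example.com:(memberOf=cn=admins,ou=groups,dc=example,dc=com)
# ad_access_filter = FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)
```

Test 05 in the recorded run sets the filter without the surrounding parentheses and test 06 with them; both pass. For verifying the outcome on a host, the tests grep `/var/log/secure` for `Access denied for user <name>` (filter did not match) and `User account has expired` (account expiry, enforced regardless of the filter), which are the lines to look for when confirming that the access control is actually taking effect.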
Description
Dmitri Pal
2013-09-13 18:08:26 UTC
Design was created and reviewed upstream -> ASSIGNED
Fixed upstream.
sssd-1-11:
5e9833aa7b1a89cbb2c0cf667a99cb0bc4ad7963
2cbf205f3fe25087666ff108c2ad380fd3cbfe46
9dd62f094fb4c1bfb04128de1c3ec20933603046
e37cbdd9be139b9949024c94ae21c12b36a6c180
88ee068181e2b35730f6bc2c71a63c21c476cdd7
0b23970978de5c1088a5dbdd6012800b4db94572
master:
1ce58f139699dd26b8888f4131c996263b6a80a5
67b1fc914190e12ab014c0616b7f0a642fbe6356
efe6b4a9d374339cac2528cdeb43720957c6b7c9
8a05fd320a44636d120a18eb7e9956c7b35b3138
dd2f33603228005a44675f1484c294ea647dbce3
443eb8217741df57d9f58f2098487b91e3404e71
Verified in version 1.11.2-1.el7

Bugs logged against this feature: 1031562, 1032983, 1033133

Output from beaker automation run:

```
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ad_access_control_01: access_provider defaults to ad
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ PASS ] :: Running 'su_wrong_password user1_dom1 Secret123' (Expected 0, got 0)
:: [ PASS ] :: Running 'su_wrong_password user1_dom2 Secret123' (Expected 0, got 0)
:: [ PASS ] :: Running 'su_wrong_password user1_dom3.com Secret123' (Expected 0, got 0)
:: [ LOG ] :: Duration: 14s
:: [ LOG ] :: Assertions: 3 good, 0 bad
:: [ PASS ] :: RESULT: ad_access_control_01: access_provider defaults to ad
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ad_access_control_02: access_provider=ad without any other options denies expired users
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ PASS ] :: Running 'su_wrong_password user1_dom1 Secret123' (Expected 0, got 0)
:: [ PASS ] :: File '/var/log/secure' should contain 'User account has expired'
:: [ PASS ] :: Running 'su_wrong_password user1_dom2 Secret123' (Expected 0, got 0)
:: [ PASS ] :: File '/var/log/secure' should contain 'User account has expired'
:: [ PASS ] :: Running 'su_wrong_password user1_dom3.com Secret123' (Expected 0, got 0)
:: [ PASS ] :: File '/var/log/secure' should contain 'User account has expired'
:: [ LOG ] :: Duration: 14s
:: [ LOG ] :: Assertions: 6 good, 0 bad
:: [ PASS ] :: RESULT: ad_access_control_02: access_provider=ad without any other options denies expired users
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ad_access_control_03: An expired user, even though he matches the filter, is denied access
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ PASS ] :: Running 'su_wrong_password user1_dom1 Secret123' (Expected 0, got 0)
:: [ PASS ] :: File '/var/log/secure' should contain 'User account has expired'
:: [ PASS ] :: Running 'su_wrong_password user1_dom2 Secret123' (Expected 0, got 0)
:: [ PASS ] :: File '/var/log/secure' should contain 'User account has expired'
:: [ PASS ] :: Running 'su_wrong_password user1_dom3.com Secret123' (Expected 0, got 0)
:: [ PASS ] :: File '/var/log/secure' should contain 'User account has expired'
:: [ LOG ] :: Duration: 16s
:: [ LOG ] :: Assertions: 6 good, 0 bad
:: [ PASS ] :: RESULT: ad_access_control_03: An expired user, even though he matches the filter, is denied access
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ad_access_control_04: access_provider=ad without any other options allows non-expired users
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ PASS ] :: Running 'su_success user1_dom1 Secret123' (Expected 0, got 0)
:: [ PASS ] :: Running 'su_success user1_dom2 Secret123' (Expected 0, got 0)
:: [ PASS ] :: Running 'su_success user1_dom3.com Secret123' (Expected 0, got 0)
:: [ LOG ] :: Duration: 8s
:: [ LOG ] :: Assertions: 3 good, 0 bad
:: [ PASS ] :: RESULT: ad_access_control_04: access_provider=ad without any other options allows non-expired users
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ad_access_control_05: ad_access_filter=memberOf=cn=admins,ou=groups,dc=example,dc=com
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ PASS ] :: Running 'su_success user1_dom1 Secret123' (Expected 0, got 0)
:: [ PASS ] :: Running 'su_permission_denied user2_dom1 Secret123' (Expected 0, got 0)
:: [ PASS ] :: File '/var/log/secure' should contain 'Access denied for user user2_dom1'
:: [ PASS ] :: Running 'su_permission_denied user1_dom2 Secret123' (Expected 0, got 0)
:: [ PASS ] :: Running 'su_permission_denied user1_dom3.com Secret123' (Expected 0, got 0)
:: [ LOG ] :: Duration: 11s
:: [ LOG ] :: Assertions: 5 good, 0 bad
:: [ PASS ] :: RESULT: ad_access_control_05: ad_access_filter=memberOf=cn=admins,ou=groups,dc=example,dc=com
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ad_access_control_06: ad_access_filter=(cn=user)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ PASS ] :: Running 'su_success user1_dom1 Secret123' (Expected 0, got 0)
:: [ PASS ] :: Running 'su_permission_denied user2_dom1 Secret123' (Expected 0, got 0)
:: [ PASS ] :: Running 'su_permission_denied user1_dom2 Secret123' (Expected 0, got 0)
:: [ PASS ] :: Running 'su_permission_denied user1_dom3.com Secret123' (Expected 0, got 0)
:: [ PASS ] :: File '/var/log/secure' should contain 'Access denied for user user2_dom1'
:: [ PASS ] :: File '/var/log/secure' should contain 'Access denied for user user1_dom2'
:: [ PASS ] :: File '/var/log/secure' should contain 'Access denied for user user1_dom3.com'
:: [ LOG ] :: Duration: 12s
:: [ LOG ] :: Assertions: 7 good, 0 bad
:: [ PASS ] :: RESULT: ad_access_control_06: ad_access_filter=(cn=user)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ad_access_control_07: ad_access_filter=dom1:(memberOf=cn=admins,ou=groups,dc=example,dc=com)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ PASS ] :: Running 'su_success user1_dom1 Secret123' (Expected 0, got 0)
:: [ PASS ] :: Running 'su_permission_denied user2_dom1 Secret123' (Expected 0, got 0)
:: [ PASS ] :: File '/var/log/secure' should contain 'Access denied for user user2_dom1'
:: [ PASS ] :: Running 'su_permission_denied user1_dom2 Secret123' (Expected 0, got 0)
:: [ PASS ] :: Running 'su_permission_denied user1_dom3.com Secret123' (Expected 0, got 0)
:: [ LOG ] :: Duration: 11s
:: [ LOG ] :: Assertions: 5 good, 0 bad
:: [ PASS ] :: RESULT: ad_access_control_07: ad_access_filter=dom1:(memberOf=cn=admins,ou=groups,dc=example,dc=com)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ad_access_control_08: ad_access_filter=DOM:dom2:(memberOf=cn=admins,ou=groups,dc=example,dc=com)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ PASS ] :: Running 'su_permission_denied user1_dom1 Secret123' (Expected 0, got 0)
:: [ PASS ] :: Running 'su_permission_denied user1_dom2 Secret123' (Expected 0, got 0)
:: [ PASS ] :: Running 'su_success user1_dom3.com Secret123' (Expected 0, got 0)
:: [ PASS ] :: Running 'su_permission_denied user2_dom3.com Secret123' (Expected 0, got 0)
:: [ PASS ] :: File '/var/log/secure' should contain 'Access denied for user user2_dom3.com'
:: [ LOG ] :: Duration: 11s
:: [ LOG ] :: Assertions: 5 good, 0 bad
:: [ PASS ] :: RESULT: ad_access_control_08: ad_access_filter=DOM:dom2:(memberOf=cn=admins,ou=groups,dc=example,dc=com)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ad_access_control_09: ad_access_filter=FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ FAIL ] :: Running 'su_success user1_dom1 Secret123' (Expected 0, got 1)
:: [ FAIL ] :: Running 'su_permission_denied user1_dom2 Secret123' (Expected 0, got 1)
:: [ FAIL ] :: Running 'su_permission_denied user1_dom3.com Secret123' (Expected 0, got 1)
:: [ LOG ] :: Duration: 1m 7s
:: [ LOG ] :: Assertions: 0 good, 3 bad
:: [ FAIL ] :: RESULT: ad_access_control_09: ad_access_filter=FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)
```

This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.