Bug 1342058
Summary: | In IPA-AD trust environment access is granted to AD user even if the user is disabled on AD. | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Marcel Kolaja <mkolaja> |
Component: | sssd | Assignee: | SSSD Maintainers <sssd-maint> |
Status: | CLOSED ERRATA | QA Contact: | Steeve Goveas <sgoveas> |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | 6.7 | CC: | enewland, grajaiya, jhrozek, ksiddiqu, lslebodn, mkosek, mzidek, pbrezina, sssd-maint, tscherf |
Target Milestone: | rc | Keywords: | ZStream |
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | sssd-1.13.3-22.el6_8.3 | Doc Type: | Bug Fix |
Doc Text: | If an Active Directory (AD) user with a disabled user account attempts to log in, Identity Management (IdM) is expected to deny access. Previously, the login attempt succeeded when the user used a login method other than the standard password login, such as an SSH key. To fix this problem, IdM no longer checks only the IdM-specific account lockout attributes, but also the AD lockout attributes. As a result, an AD user with a disabled user account is no longer permitted to log in with an SSH key. | | |
Story Points: | --- | | |
Clone Of: | 1335400 | Environment: | |
Last Closed: | 2016-07-12 18:36:11 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 1335400 | | |
Bug Blocks: | | | |
Description

Marcel Kolaja, 2016-06-02 11:07:49 UTC

Verified.

```
[root@dhcp207-58 ~]# rpm -q sssd
sssd-1.13.3-22.el6_8.4.x86_64
[root@dhcp207-58 ~]#
```

Snip from console output.

```
=========================
[root@dhcp207-58 ~]# ssh -i /home/ipaad2012r2.test/aduser1/.ssh/id_rsa aduser1@dhcp207-62.testrelm.test
Connection closed by UNKNOWN
[root@dhcp207-58 ~]# ldapsearch -x -h x.x.x.x -D "Administrator" -W -b "cn=Aduser1 user,cn=users,dc=ipaad2012r2,dc=test" -s sub "userAccountControl"
Enter LDAP Password:
....
.....
# Aduser1 user, Users, ipaad2012r2.test
dn: CN=Aduser1 user,CN=Users,DC=ipaad2012r2,DC=test
userAccountControl: 66050

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[root@dhcp207-58 ~]#
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1407
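The following is an added example, not SSSD or IdM code and not part of this bug record. It decodes the `userAccountControl` value returned by the `ldapsearch` above (66050) into its documented Microsoft flag names, showing that the `ACCOUNTDISABLE` bit is set, and models in simplified form the access decision the Doc Text describes: the pre-fix check that consulted only the IdM-side lock attribute, and the fixed check that also honours the AD flag. The `access_allowed` function, the `idm_locked` parameter and the LDIF fragment are constructed for illustration; the flag constants are the standard `userAccountControl` bit values.

```python
# Added example (not SSSD/IdM code): decode the AD userAccountControl bitmask
# and model the "IdM-only" versus "IdM + AD" disabled-account check.
import re

# Documented userAccountControl bit values (Microsoft constants).
UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0100: "TEMP_DUPLICATE_ACCOUNT",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x20000: "MNS_LOGON_ACCOUNT",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x4000000: "PARTIAL_SECRETS_ACCOUNT",
}


def decode_uac(value):
    """Return the set of flag names whose bit is set in a userAccountControl integer."""
    return {name for bit, name in UAC_FLAGS.items() if value & bit}


def uac_from_ldif(ldif_text):
    """Extract the integer userAccountControl attribute from an ldapsearch (LDIF) entry."""
    m = re.search(r"^userAccountControl:\s*(\d+)\s*$", ldif_text, re.MULTILINE)
    if m is None:
        raise ValueError("no userAccountControl attribute in entry")
    return int(m.group(1))


def access_allowed(idm_locked, ad_uac, check_ad_flags):
    """Simplified model of the access decision (hypothetical, not SSSD's logic).

    idm_locked:     the IdM-side lock state of the user (constructed boolean)
    ad_uac:         the user's userAccountControl value from AD
    check_ad_flags: False models the pre-fix behaviour (IdM attributes only),
                    True models the fix (IdM attributes plus AD lockout flags)
    """
    if idm_locked:
        return False
    if check_ad_flags and "ACCOUNTDISABLE" in decode_uac(ad_uac):
        return False
    return True


# Constructed LDIF fragment mirroring the entry shown in the verification output.
SAMPLE_ENTRY = """\
# Aduser1 user, Users, ipaad2012r2.test
dn: CN=Aduser1 user,CN=Users,DC=ipaad2012r2,DC=test
userAccountControl: 66050
"""

if __name__ == "__main__":
    uac = uac_from_ldif(SAMPLE_ENTRY)
    print(uac, sorted(decode_uac(uac)))
    for fixed in (False, True):
        print("check AD flags:", fixed, "-> access allowed:",
              access_allowed(False, uac, fixed))
```

With the value from the bug (66050 = 0x10202) the decoder reports `ACCOUNTDISABLE`, `NORMAL_ACCOUNT` and `DONT_EXPIRE_PASSWORD`; the pre-fix model allows the login because the IdM-side lock is not set, while the fixed model denies it on the AD flag, which is the behaviour the verification above confirms for the SSH-key login.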