Bug 1455254

Summary: Make domain available as user attribute
Product: Red Hat Enterprise Linux 7 Reporter: Jan Pazdziora (Red Hat) <jpazdziora>
Component: sssdAssignee: Pavel Březina <pbrezina>
Status: CLOSED ERRATA QA Contact: Kaleem <ksiddiqu>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.4CC: dpal, grajaiya, jhrozek, jpazdziora, ksiddiqu, lmiksik, lslebodn, mkosek, mzidek, pbrezina, sgoveas, spoore, tscherf
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: sssd-1.15.2-47.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-08-01 09:06:23 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jan Pazdziora (Red Hat) 2017-05-24 14:47:27 UTC 
Description of problem:

When integrating with Web applications that run for example PAM authentication, SSSD will find the user in one of the domains but we don't have a way to get the domain information during PAM authentication and thus to normalize the identity of the user (what was entered by the user in the logon form -> what SSSD actually authenticated). The issue is tracked in

   https://pagure.io/SSSD/sssd/issue/2476
   https://pagure.io/SSSD/sssd/issue/2589

To provide some mechanism for addressing the issue, and to also support non-authentication use cases, here's a new requirement to make the domain name of the user identity available and retrievable as an attribute over the ifp D-Bus call GetUserAttr.

That would allow us to just configure mod_lookup_identity to return the domain name among other attributes, and let the Web application do the normalization.

Please note that one of the use cases is to support migration of existing application databases with user identities retrieved from AD LDAPs (by application) to setups with SSSD and machine being joined to AD domain.

At the same time, non-POSIX identities also have to be supported.

Version-Release number of selected component (if applicable):

sssd-1.15.2-35.el7

How reproducible:

Deterministic.

Steps to Reproduce:
1. Have Web application configured with mod_authnz_pam and mod_lookup_identity, with SSSD configured against two domains "domain1.com" and "domain2.com", with two LDAP servers where each server will have user "bob".
2. Authenticate as "bob" via PAM.
3. Try to figure out SSSD and Apache configuration which will allow the application to decide if the user that logged in is "bob" or "bob".

Actual results:

It's currently not possible.

Expected results:

It should be possible.

Additional info:
Comment 3 Jan Pazdziora (Red Hat) 2017-05-24 14:53:49 UTC 
Alternatively the attribute might be the canonical name of the user, something like "bob", not just the domain.
Comment 27 Jakub Hrozek 2017-06-13 08:13:15 UTC 
Upstream ticket:
https://pagure.io/SSSD/sssd/issue/2714
Comment 28 Jakub Hrozek 2017-06-13 08:16:17 UTC 
* master: 37d2194cc9ea4d0254c88a3419e2376572562bab
Comment 31 Kaleem 2017-06-19 09:37:14 UTC 
Verified.


sssd version:
=============

[root@dhcp207-177 ~]# rpm -q sssd
sssd-1.15.2-47.el7.x86_64
[root@dhcp207-177 ~]#

Verification Steps :
====================

[root@dhcp207-177 ~]# dbus-send --system --print-reply  --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.FindByName string:"admin"
method return sender=:1.101 -> dest=:1.130 reply_serial=2
   object path "/org/freedesktop/sssd/infopipe/Users/testrelm_2etest/779400000"
[root@dhcp207-177 ~]# 

[root@dhcp207-177 ~]# dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users/testrelm_2etest/779400000 org.freedesktop.DBus.Properties.Get string:"org.freedesktop.sssd.infopipe.Users.User" string:"domain"
method return sender=:1.101 -> dest=:1.131 reply_serial=2
   variant       object path "/org/freedesktop/sssd/infopipe/Domains/testrelm_2etest"
[root@dhcp207-177 ~]# 


[root@dhcp207-177 ~]# dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users/testrelm_2etest/779400000 org.freedesktop.DBus.Properties.Get string:"org.freedesktop.sssd.infopipe.Users.User" string:"domainname"
method return sender=:1.101 -> dest=:1.132 reply_serial=2
   variant       string "testrelm.test"
[root@dhcp207-177 ~]#


[root@dhcp207-177 ~]# dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe org.freedesktop.sssd.infopipe.GetUserAttr string:"admin" array:string:domainname
method return sender=:1.101 -> dest=:1.133 reply_serial=2
   array [
      dict entry(
         string "domainname"
         variant             array [
               string "testrelm.test"
            ]
      )
   ]
[root@dhcp207-177 ~]#
Comment 32 errata-xmlrpc 2017-08-01 09:06:23 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:2294