Bug 1573509

Summary: Auth MIQLDAP to SSSD - After conversion binds happen with admin creds in SSSD.conf file
Product: Red Hat CloudForms Management Engine
Reporter: Matt Pusateri <mpusater>
Component: Appliance
Assignee: Joe Vlcek <jvlcek>
Status: CLOSED NOTABUG
QA Contact: Matt Pusateri <mpusater>
Severity: high
Priority: unspecified
Version: 5.9.0
CC: abellott, cpelland, obarenbo, yrudman
Target Milestone: GA
Target Release: 5.9.3
Hardware: Unspecified
OS: Unspecified
Whiteboard: auth:miqldap:externalauth:security
Last Closed: 2018-05-02 21:27:48 UTC
Type: Bug

Description Matt Pusateri 2018-05-01 14:50:14 UTC
Description of problem:
Auth MIQLDAP to SSSD - After conversion, binds happen with admin creds in the SSSD.conf file. Binding to the LDAP server as Admin should not be required, as conventional security protocols dictate you bind with the user creds. This way the application is only reading what the user has access to in the LDAP tree.

Version-Release number of selected component (if applicable):
5.9.2.3

How reproducible:


Steps to Reproduce:
1. Configure MIQLDAP
2. Run miqldap_to_sssd conversion script
3. Admin creds are stored in /etc/sssd/sssd.conf, as admin creds are used to bind to LDAP according to the Dev team.

Actual results:
LDAP Admin user is used for all binds

Expected results:
Application should use user creds to bind as they are most restrictive.

Additional info:

Comment 2 Matt Pusateri 2018-05-01 15:22:28 UTC
See also: https://bugzilla.redhat.com/show_bug.cgi?id=1573511

Comment 3 Joe Vlcek 2018-05-02 21:27:48 UTC
Matt, 

Sorry, I seem to have created some confusion when we spoke about this the
other day.

I reviewed this with Gregg T and Alberto and we all agree this is working as expected.

SSSD does do the bind with the user's credentials when authenticating the user.
SSSD binds with the admin credentials when searching the directory.
SSSD needs to search the directory for things like group membership and finding
the user object. The user may not necessarily have privileges to do this.
Closing NOTABUG
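As an added example (not part of the bug report, and not code from the SSSD project or the miqldap_to_sssd script): a small POSIX sh audit of the search-bind settings that the conversion leaves in /etc/sssd/sssd.conf. Comment 3 describes the split that matters here: SSSD binds as the user to authenticate, but binds with the configured default credential to search for the user object and group membership. The option names ldap_default_bind_dn, ldap_default_authtok and ldap_default_authtok_type are SSSD's documented ldap provider options; the two sample configs, their DNs, URIs and secrets are constructed, and the obfuscated token is a placeholder for real sss_obfuscate output.

```shell
#!/bin/sh
# Added example, not code from the bug report or from the SSSD project.
# Audits the search-bind settings a miqldap_to_sssd conversion leaves in
# sssd.conf: SSSD binds as the user for authentication, but uses
# ldap_default_bind_dn / ldap_default_authtok (documented SSSD ldap
# provider options) for directory searches, so that credential and the
# file holding it deserve a check.

# Constructed sample: the weak shape, a directory admin with a plaintext
# password (hostnames, DNs and the password are made up).
SAMPLE_WEAK='[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_default_bind_dn = cn=admin,dc=example,dc=com
ldap_default_authtok = Sup3rS3cret'

# Constructed sample: a dedicated read-only search account, with the
# password stored as sss_obfuscate output (placeholder value here).
SAMPLE_BETTER='[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_default_bind_dn = cn=sssd-search,ou=service,dc=example,dc=com
ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = <placeholder-output-of-sss_obfuscate>'

# Print one finding per line for every [domain/...] section in the given
# sssd.conf text. Prints nothing when the section looks acceptable.
audit_sssd_bind() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }        # comments and blanks
        /^\[/ { section = $0; next }                # section header
        index($0, "=") > 0 {
            i = index($0, "=")
            key = substr($0, 1, i - 1); val = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            cfg[section, key] = val
            if (section ~ /^\[domain\//) domains[section] = 1
        }
        END {
            for (s in domains) {
                dn  = tolower(cfg[s, "ldap_default_bind_dn"])
                tok = cfg[s, "ldap_default_authtok"]
                typ = cfg[s, "ldap_default_authtok_type"]
                if (tok != "" && typ != "obfuscated_password")
                    print s ": ldap_default_authtok is plaintext; store sss_obfuscate output instead"
                # Common administrative account names (constructed list); the
                # search account should be a read-only service identity instead.
                if ((dn ",") ~ /^cn=(admin|administrator|manager|directory manager),/)
                    print s ": search bind DN is a directory administrator; use a read-only service account"
                if (tok != "" && dn == "")
                    print s ": ldap_default_authtok set without ldap_default_bind_dn"
            }
        }'
}

# Succeeds (status 0) when the file is readable by group or others.
# SSSD expects sssd.conf to be root-owned with mode 0600.
conf_too_open() {
    [ -n "$(find "$1" -prune \( -perm -g+r -o -perm -o+r \) 2>/dev/null)" ]
}

# Stand-alone run: show findings for both samples.
echo "== weak config =="
audit_sssd_bind "$SAMPLE_WEAK"
echo "== better config =="
audit_sssd_bind "$SAMPLE_BETTER"
```

The three checks correspond to the risk the reporter raises: the search credential is stored on the appliance, so it should belong to a least-privilege read-only account rather than a directory administrator, it should be stored as sss_obfuscate output rather than plaintext (obfuscation only keeps the secret out of casual view; anyone who can read the file as root can still recover it), and the file itself should stay root-only 0600. The audit reports two findings for the weak sample and none for the better one.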