Bug 1638295
| Summary: | sssctl user-checks does not show custom IFP user_attributes | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Ondrej <ondrej.valousek> |
| Component: | sssd | Assignee: | Tomas Halman <thalman> |
| Status: | CLOSED ERRATA | QA Contact: | sssd-qe <sssd-qe> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 8.0 | CC: | dbula, dlavu, grajaiya, jhrozek, lslebodn, mupadhye, mzidek, pbrezina, sgoveas, tscherf |
| Target Milestone: | pre-dev-freeze | | |
| Target Release: | 8.1 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | sync-to-jira | | |
| Fixed In Version: | sssd-2.1.0-1.el8 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-11-05 22:33:53 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1682305 | | |
| Bug Blocks: | | | |
Description
Ondrej
2018-10-11 09:42:01 UTC
Initial triage notes:

- the IFP interface seems to publish the list of the extra attributes, so the sssctl tool might read them this way and display the attributes. This should be doable for both 1.16 and 2.0
- using non-root is a separate issue though. While we /should/ make it possible for every user to display info about 'self', this would probably mean we need to finish the polkit integration. It is also not very likely that this work will be backportable to 1.16 as only the D-Bus changes Pavel did in 2.0 allow us for the right level of granularity.

Upstream ticket: https://pagure.io/SSSD/sssd/issue/3866

* master: ee9fdb08f73571683b272f06b6ea25630a2dbe01

Verified with:

```
# rpm -qa sssd
sssd-2.2.0-18.el8.x86_64
```

Verification steps:

1) Setup sssd client
2) Update sssd.conf

```
# cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam
domains = example1

[domain/example1]
debug_level = 9
use_fully_qualified_names = True
ldap_user_home_directory = /home/%u
ldap_uri = ldaps://ipaqavmh.idmqe.lab.eng.bos.redhat.com
ldap_search_base = dc=example,dc=test
id_provider = ldap
auth_provider = ldap
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem

[ifp]
debug_level = 9
allowed_uids = root, foo1@example1
user_attributes = +mail, +telephoneNumber, +givenname, +sn
```

Case 1: Test with allowed_uids = root and foo1@example1

```
[ifp]
debug_level = 9
allowed_uids = root, madhuri
user_attributes = +mail, +telephoneNumber, +givenname, +sn
```

```
[root@vm-idm-018 ~]# sssctl user-checks foo1@example1
user: foo1@example1
action: acct
service: system-auth

SSSD nss user lookup result:
 - user name: foo1@example1
 - user id: 14583101
 - group id: 14564100
 - gecos: foo1 User
 - home directory:
 - shell: /bin/bash

SSSD InfoPipe user lookup result:
 - name: foo1@example1
 - uidNumber: 14583101
 - gidNumber: 14564100
 - gecos: foo1 User
 - homeDirectory: not set
 - loginShell: /bin/bash
 - mail: foo1

testing pam_acct_mgmt
pam_acct_mgmt: Success

PAM Environment:
 - no env -
```

Case 2: Test with allowed_uids = 0 and ldapuser's uid

```
[ifp]
debug_level = 9
allowed_uids = 0, 14583101
user_attributes = +mail, +telephoneNumber, +givenname, +sn
```

```
# sssctl user-checks foo1@example1
user: foo1@example1
action: acct
service: system-auth

SSSD nss user lookup result:
 - user name: foo1@example1
 - user id: 14583101
 - group id: 14564100
 - gecos: foo1 User
 - home directory:
 - shell: /bin/bash

SSSD InfoPipe user lookup result:
 - name: foo1@example1
 - uidNumber: 14583101
 - gidNumber: 14564100
 - gecos: foo1 User
 - homeDirectory: not set
 - loginShell: /bin/bash
 - mail: foo1

testing pam_acct_mgmt
pam_acct_mgmt: Success

PAM Environment:
 - no env -
```

Case 3: Test with allowed_uids = root and localuser

```
[ifp]
debug_level = 9
allowed_uids = root, madhuri
user_attributes = +mail, +telephoneNumber, +givenname, +sn
```

```
[root@vm-idm-018 ~]# sssctl user-checks madhuri
user: madhuri
action: acct
service: system-auth

SSSD nss user lookup result:
 - user name: madhuri
 - user id: 1001
 - group id: 1001
 - gecos:
 - home directory: /home/madhuri
 - shell: /bin/bash

SSSD InfoPipe user lookup result:
 - name: madhuri
 - uidNumber: 1001
 - gidNumber: 1001
 - gecos: not set
 - homeDirectory: /home/madhuri
 - loginShell: /bin/bash

testing pam_acct_mgmt
pam_acct_mgmt: Success

PAM Environment:
 - no env -
```

Case 4: Test with allowed_uids = 0 and localuser's uid

```
[ifp]
debug_level = 9
allowed_uids = 0, 1001
user_attributes = +mail, +telephoneNumber, +givenname, +sn
```

```
[root@vm-idm-018 ~]# sssctl user-checks madhuri
user: madhuri
action: acct
service: system-auth

SSSD nss user lookup result:
 - user name: madhuri
 - user id: 1001
 - group id: 1001
 - gecos:
 - home directory: /home/madhuri
 - shell: /bin/bash

SSSD InfoPipe user lookup result:
 - name: madhuri
 - uidNumber: 1001
 - gidNumber: 1001
 - gecos: not set
 - homeDirectory: /home/madhuri
 - loginShell: /bin/bash

testing pam_acct_mgmt
pam_acct_mgmt: Success

PAM Environment:
 - no env -
```

By mistake I copied the wrong sssd.conf. Here is the correct sssd.conf:

```
[root@vm-idm-018 ~]# cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam, ifp
domains = example1

[domain/example1]
debug_level = 9
use_fully_qualified_names = True
ldap_user_home_directory = /home/%u
ldap_uri = ldaps://ipaqavmh.idmqe.lab.eng.bos.redhat.com
ldap_search_base = dc=example,dc=test
id_provider = ldap
auth_provider = ldap
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem

[ifp]
debug_level = 9
allowed_uids = 0, 1001
user_attributes = +mail, +telephoneNumber, +givenname, +sn
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:3651
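As an added example (not code from the bug report, from SSSD, or from anyone in this thread), a small Python check of the kind the verification above does by hand: it reads the `user_attributes` and `allowed_uids` options from the `[ifp]` section, parses the InfoPipe block of `sssctl user-checks` output, and reports which configured custom attributes the tool did not show. The config and the command output are constructed samples modelled on the verification comment, with the nss and PAM parts shortened.

```python
import configparser
import re

# Constructed sample modelled on the [ifp] section in the verification comment.
SSSD_CONF = """\
[ifp]
allowed_uids = 0, 1001
user_attributes = +mail, +telephoneNumber, +givenname, +sn
"""

# Constructed sample modelled on the `sssctl user-checks foo1@example1` output.
USER_CHECKS_OUTPUT = """\
 - user name: foo1@example1
SSSD InfoPipe user lookup result:
 - name: foo1@example1
 - uidNumber: 14583101
 - loginShell: /bin/bash
 - mail: foo1
testing pam_acct_mgmt
"""

def ifp_list(conf_text, key):
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    return [v.strip() for v in cp.get("ifp", key, fallback="").split(",") if v.strip()]

def custom_ifp_attributes(conf_text):
    """Extra attributes InfoPipe publishes; a '+' prefix adds to the default set."""
    return [a.lstrip("+") for a in ifp_list(conf_text, "user_attributes")]

def ifp_allows(conf_text, uid, name):
    """allowed_uids takes numeric ids or names; the bug's cases test both forms."""
    allowed = ifp_list(conf_text, "allowed_uids")
    return str(uid) in allowed or name in allowed

def infopipe_attributes(output):
    """Parse the 'SSSD InfoPipe user lookup result' block of sssctl output."""
    attrs, in_block = {}, False
    for line in output.splitlines():
        if line.startswith("SSSD InfoPipe user lookup result"):
            in_block = True
        elif in_block and (m := re.match(r"\s*-\s*([^:]+):\s*(.*)$", line)):
            attrs[m.group(1).strip()] = m.group(2).strip()
        elif in_block:
            break  # any other line ends the block
    return attrs

def missing_custom_attributes(conf_text, output):
    """Configured custom attributes absent from the InfoPipe result."""
    shown = infopipe_attributes(output)
    return [a for a in custom_ifp_attributes(conf_text) if a not in shown]
```

With the sample output only `mail` is shown, so the check lists `telephoneNumber`, `givenname` and `sn` as missing, which is what a verifier would then confirm against the LDAP entry (unset attributes are simply not printed).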