Bug 1784620
Summary: | Force LDAPS over 636 with AD Access Provider | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Gaurav Swami <gswami> |
Component: | sssd | Assignee: | SSSD Maintainers <sssd-maint> |
Status: | CLOSED ERRATA | QA Contact: | sssd-qe <sssd-qe> |
Severity: | medium | Docs Contact: | |
Priority: | unspecified | | |
Version: | 7.8 | CC: | afox, apeddire, asakure, cobrown, ddas, grajaiya, imran, jhrozek, lslebodn, mark.crossland, mkosek, mzidek, pbrezina, pdwyer, sbose, sgadekar, sgoveas, sssd-maint, tborcin, tscherf |
Target Milestone: | rc | | |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | sync-to-jira | | |
Fixed In Version: | sssd-1.16.4-36 | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2020-03-31 19:44:37 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Comment 3
Sumit Bose
2019-12-18 07:29:19 UTC
* `master`
  * 24387e19f065e6a585b1120d5568cb4df271d102 - ad: set min and max ssf for ldaps
  * 78649907b81b4bdaf8fc6a6e6ae55ed3cd5419f5 - ldap: add new option ldap_sasl_maxssf
  * 341ba49b0deb42e17d535744824786c2499656b7 - ad: add ad_use_ldaps
  * 090cf77a0fd5f300a753667658af3ed763a88e83 - ad: allow booleans for ad_inherit_opts_if_needed()
* `sssd-1-16`
  * 9b875b87fda7dab1c92022b5c2e3b11cd5fffa4f - ad: set min and max ssf for ldaps
  * 07d19249a88d90135dce21e3d112caf70629ef02 - ldap: add new option ldap_sasl_maxssf
  * b2aca1f7d7aa4a11f86d977ad00481aeb1f9a436 - ad: add ad_use_ldaps
  * 44e76055d4413e56a33a90185161b6cfa4062d03 - ad: allow booleans for ad_inherit_opts_if_needed()

Tested with the following data:

```
[root@ci-vm-10-0-139-117 tmp.Xo3HlLskm0]# rpm -q sssd
sssd-1.16.4-37.el7.x86_64

----------------- Before using certificates and without ad_use_ldaps option -----------------

[root@ci-vm-10-0-139-117 tmp.Xo3HlLskm0]# cat /etc/sssd/sssd.conf
[sssd]
domains = ad.baseos.qe
config_file_version = 2
services = nss, pam

[domain/ad.baseos.qe]
ad_domain = ad.baseos.qe
krb5_realm = AD.BASEOS.QE
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_sasl_authid = CI-VM-10-0-139-$
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
access_provider = ad
#ad_use_ldaps = True
#ldap_tls_cacert = /etc/openldap/certs/ad_cert.pem
[root@ci-vm-10-0-139-117 tmp.Xo3HlLskm0]# systemctl stop sssd ; rm -rf /var/lib/sss/db/* ; rm -rf /var/log/sssd/* ; systemctl start sssd
[root@ci-vm-10-0-139-117 tmp.Xo3HlLskm0]# id administrator.qe
uid=1366200500(administrator) gid=1366200513(domain users) groups=1366200513(domain users),1366200512(domain admins),1366200519(enterprise admins),1366200520(group policy creator owners),1366200572(denied rodc password replication group),1366200518(schema admins)
[root@ci-vm-10-0-139-117 tmp.Xo3HlLskm0]# systemctl stop sssd ; rm -rf /var/lib/sss/db/* ; rm -rf /var/log/sssd/* ; systemctl start sssd
[root@ci-vm-10-0-139-117 tmp.Xo3HlLskm0]# id administrator.qe
uid=1366200500(administrator) gid=1366200513(domain users) groups=1366200513(domain users),1366200512(domain admins),1366200519(enterprise admins),1366200520(group policy creator owners),1366200572(denied rodc password replication group),1366200518(schema admins)
[root@ci-vm-10-0-139-117 tmp.Xo3HlLskm0]# egrep sdap_print_server /var/log/sssd/sssd_ad.baseos.qe.log
(Tue Jan 28 06:01:10 2020) [sssd[be[ad.baseos.qe]]] [sdap_print_server] (0x2000): Searching 10.37.152.14:389
(Tue Jan 28 06:01:10 2020) [sssd[be[ad.baseos.qe]]] [sdap_print_server] (0x2000): Searching 10.37.152.14:389
(Tue Jan 28 06:01:12 2020) [sssd[be[ad.baseos.qe]]] [sdap_print_server] (0x2000): Searching 10.37.152.14:389
(Tue Jan 28 06:01:12 2020) [sssd[be[ad.baseos.qe]]] [sdap_print_server] (0x2000): Searching 10.37.152.14:389
(Tue Jan 28 06:01:12 2020) [sssd[be[ad.baseos.qe]]] [sdap_print_server] (0x2000): Searching 10.37.152.14:389
(Tue Jan 28 06:01:12 2020) [sssd[be[ad.baseos.qe]]] [sdap_print_server] (0x2000): Searching 10.37.152.14:389
(Tue Jan 28 06:01:12 2020) [sssd[be[ad.baseos.qe]]] [sdap_print_server] (0x2000): Searching 10.37.152.14:389
(Tue Jan 28 06:01:12 2020) [sssd[be[ad.baseos.qe]]] [sdap_print_server] (0x2000): Searching 10.37.152.14:389
(Tue Jan 28 06:01:12 2020) [sssd[be[ad.baseos.qe]]] [sdap_print_server] (0x2000): Searching 10.37.152.14:389
(Tue Jan 28 06:01:12 2020) [sssd[be[ad.baseos.qe]]] [sdap_print_server] (0x2000): Searching 10.37.152.14:389
(Tue Jan 28 06:01:13 2020) [sssd[be[ad.baseos.qe]]] [sdap_print_server] (0x2000): Searching 10.37.152.14:389
(Tue Jan 28 06:01:13 2020) [sssd[be[ad.baseos.qe]]] [sdap_print_server] (0x2000): Searching 10.37.152.14:3268
(Tue Jan 28 06:01:14 2020) [sssd[be[ad.baseos.qe]]] [sdap_print_server] (0x2000): Searching 10.37.152.14:389
(Tue Jan 28 06:01:14 2020) [sssd[be[ad.baseos.qe]]] [sdap_print_server] (0x2000): Searching 10.37.152.14:389
(Tue Jan 28 06:01:14 2020) [sssd[be[ad.baseos.qe]]] [sdap_print_server] (0x2000): Searching 10.37.152.14:389

----------------- Blocking port 389 with firewall rule -----------------

[root@ci-vm-10-0-139-117 tmp.Xo3HlLskm0]# iptables -A OUTPUT -p tcp --destination-port 389 -j DROP
[root@ci-vm-10-0-139-117 tmp.Xo3HlLskm0]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere             tcp dpt:ldap
[root@ci-vm-10-0-139-117 tmp.Xo3HlLskm0]# systemctl stop sssd ; rm -rf /var/lib/sss/db/* ; rm -rf /var/log/sssd/* ; systemctl start sssd
[root@ci-vm-10-0-139-117 tmp.Xo3HlLskm0]# id administrator.qe
id: administrator.qe: no such user

----------------- After configuring certificates and enabling ad_use_ldaps option -----------------

[root@ci-vm-10-0-139-117 tmp.Xo3HlLskm0]# vim /etc/sssd/sssd.conf
[root@ci-vm-10-0-139-117 tmp.Xo3HlLskm0]# systemctl stop sssd ; rm -rf /var/lib/sss/db/* ; rm -rf /var/log/sssd/* ; systemctl start sssd
[root@ci-vm-10-0-139-117 tmp.Xo3HlLskm0]# cat /etc/sssd/sssd.conf
[sssd]
domains = ad.baseos.qe
config_file_version = 2
services = nss, pam

[domain/ad.baseos.qe]
ad_domain = ad.baseos.qe
krb5_realm = AD.BASEOS.QE
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_sasl_authid = CI-VM-10-0-139-$
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
access_provider = ad
ad_use_ldaps = True
ldap_tls_cacert = /etc/openldap/certs/ad_cert.pem
[root@ci-vm-10-0-139-117 tmp.Xo3HlLskm0]# sleep 10
[root@ci-vm-10-0-139-117 tmp.Xo3HlLskm0]# id administrator.qe
uid=1366200500(administrator) gid=1366200513(domain users) groups=1366200513(domain users),1366200512(domain admins),1366200519(enterprise admins),1366200520(group policy creator owners),1366200572(denied rodc password replication group),1366200518(schema admins)
[root@ci-vm-10-0-139-117 tmp.Xo3HlLskm0]# systemctl stop sssd ; rm -rf /var/lib/sss/db/* ; rm -rf /var/log/sssd/* ; systemctl start sssd
[root@ci-vm-10-0-139-117 tmp.Xo3HlLskm0]# egrep sdap_print_server /var/log/sssd/sssd_ad.baseos.qe.log
(Tue Jan 28 05:57:56 2020) [sssd[be[ad.baseos.qe]]] [sdap_print_server] (0x2000): Searching 10.37.152.14:636
(Tue Jan 28 05:57:57 2020) [sssd[be[ad.baseos.qe]]] [sdap_print_server] (0x2000): Searching 10.37.152.14:636
(Tue Jan 28 05:57:58 2020) [sssd[be[ad.baseos.qe]]] [sdap_print_server] (0x2000): Searching 10.37.152.14:636
(Tue Jan 28 05:57:58 2020) [sssd[be[ad.baseos.qe]]] [sdap_print_server] (0x2000): Searching 10.37.152.14:636
(Tue Jan 28 05:57:58 2020) [sssd[be[ad.baseos.qe]]] [sdap_print_server] (0x2000): Searching 10.37.152.14:636
(Tue Jan 28 05:57:58 2020) [sssd[be[ad.baseos.qe]]] [sdap_print_server] (0x2000): Searching 10.37.152.14:636
(Tue Jan 28 05:57:58 2020) [sssd[be[ad.baseos.qe]]] [sdap_print_server] (0x2000): Searching 10.37.152.14:636
(Tue Jan 28 05:57:58 2020) [sssd[be[ad.baseos.qe]]] [sdap_print_server] (0x2000): Searching 10.37.152.14:636
(Tue Jan 28 05:57:58 2020) [sssd[be[ad.baseos.qe]]] [sdap_print_server] (0x2000): Searching 10.37.152.14:636
(Tue Jan 28 05:57:59 2020) [sssd[be[ad.baseos.qe]]] [sdap_print_server] (0x2000): Searching 10.37.152.14:636
(Tue Jan 28 05:57:59 2020) [sssd[be[ad.baseos.qe]]] [sdap_print_server] (0x2000): Searching 10.37.152.14:636
[root@ci-vm-10-0-139-117 tmp.Xo3HlLskm0]# systemctl stop sssd ; rm -rf /var/lib/sss/db/* ; rm -rf /var/log/sssd/* ; systemctl start sssd
```

Marking bz verified.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1053
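The verification above was done by eye, grepping `sdap_print_server` lines and reading the port. The script below is an added helper (not part of the bug report or of SSSD) that automates that check: it extracts every `host:port` SSSD searched from the domain log and fails if anything other than 636 appears or if no search lines are present at all. It assumes the log path and a `debug_level` high enough for the 0x2000 `sdap_print_server` lines to be written; the two sample logs are constructed to mirror the before/after runs in the report.

```shell
#!/bin/sh
# Added verification helper (not from the bug report or from SSSD): confirm from the
# SSSD domain log that every LDAP search went to port 636 (LDAPS) and that nothing
# fell back to plain LDAP (389) or the global catalog (3268). Assumes debug_level is
# high enough for the 0x2000 sdap_print_server lines to be logged.

# Print the host:port of every server SSSD searched, one per line.
# $1 = path to the domain log, e.g. /var/log/sssd/sssd_ad.baseos.qe.log
sdap_servers() {
    grep 'sdap_print_server' "$1" | sed -n 's/.*Searching \([^ ]*\).*/\1/p'
}

# Return 0 when every search used port 636, 1 otherwise (offending host:port on stdout).
# A log with no search lines also fails, so an empty or wrong log path cannot pass silently.
ldaps_only() {
    servers=$(sdap_servers "$1")
    if [ -z "$servers" ]; then
        echo "no sdap_print_server lines found in $1"
        return 1
    fi
    bad=$(printf '%s\n' "$servers" | grep -v ':636$' | sort -u)
    if [ -n "$bad" ]; then
        printf 'non-LDAPS ports in use:\n%s\n' "$bad"
        return 1
    fi
    return 0
}

# Constructed sample logs modelled on the two runs in the report (before and after ad_use_ldaps).
before_log=$(mktemp) ; after_log=$(mktemp)
trap 'rm -f "$before_log" "$after_log"' EXIT
cat >"$before_log" <<'EOF'
(Tue Jan 28 06:01:10 2020) [sssd[be[ad.baseos.qe]]] [sdap_print_server] (0x2000): Searching 10.37.152.14:389
(Tue Jan 28 06:01:13 2020) [sssd[be[ad.baseos.qe]]] [sdap_print_server] (0x2000): Searching 10.37.152.14:3268
EOF
cat >"$after_log" <<'EOF'
(Tue Jan 28 05:57:56 2020) [sssd[be[ad.baseos.qe]]] [sdap_print_server] (0x2000): Searching 10.37.152.14:636
(Tue Jan 28 05:57:57 2020) [sssd[be[ad.baseos.qe]]] [sdap_print_server] (0x2000): Searching 10.37.152.14:636
EOF

ldaps_only "$before_log" && echo "before: LDAPS only" || echo "before: NOT LDAPS only"
ldaps_only "$after_log"  && echo "after: LDAPS only"  || echo "after: NOT LDAPS only"
```

Run it against the real domain log after the iptables rule from the report is in place: a passing check plus a successful `id` lookup is stronger evidence than either alone, since the firewall rule only proves 389 is unreachable, not that 636 was actually used.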