Bug 818642
Summary: | Auth fails for user with non-default attribute names | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Kaushik Banerjee <kbanerje> |
Component: | sssd | Assignee: | Stephen Gallagher <sgallagh> |
Status: | CLOSED ERRATA | QA Contact: | IDM QE LIST <seceng-idm-qe-list> |
Severity: | unspecified | Docs Contact: | |
Priority: | urgent | ||
Version: | 6.3 | CC: | grajaiya, jgalipea, prc |
Target Milestone: | rc | Keywords: | Regression |
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | sssd-1.8.0-26.el6 | Doc Type: | Bug Fix |
Doc Text: |
Cause: When reading data about a user for use in authentication, in several places we were expecting the default attribute name to be used.
Consequence: If a user's data was specified in non-standard LDAP attributes, they would fail authentication.
Fix: The code was updated to properly use the configured attributes instead of the default values.
Result: Authentication of users now works when they are configured with non-standard attributes.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2012-06-20 11:56:52 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Kaushik Banerjee
2012-05-03 15:47:30 UTC
Upstream ticket: https://fedorahosted.org/sssd/ticket/1320 Verified in version sssd-1.8.0-27 Output of automation run: :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ LOG ] :: non-default-attribute_001: enumerate user and group and auth :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: adding new entry "uid=nd_user1,dc=example,dc=com" adding new entry "cn=nd_user1_grp1,dc=example,dc=com" :: [ PASS ] :: Running 'ldapadd -x -H ldap://dell-pesc1425-01.rhts.eng.bos.redhat.com -D "cn=Manager,dc=example,dc=com" -w Secret123 -f /tmp/non-default-user1.ldif' 12321 :: [ PASS ] :: Running 'getent -s sss passwd nd_user1 | awk -F: '{print $3}' | grep 12321' 12321 :: [ PASS ] :: Running 'getent -s sss passwd nd_user1 | awk -F: '{print $4}' | grep 12321' NONDEFAULT USER1 :: [ PASS ] :: Running 'getent -s sss passwd nd_user1 | awk -F: '{print $5}' | grep "NONDEFAULT USER1"' /home/nd_user1 :: [ PASS ] :: Running 'getent -s sss passwd nd_user1 | awk -F: '{print $6}' | grep /home/nd_user1' /bin/bash :: [ PASS ] :: Running 'getent -s sss passwd nd_user1 | awk -F: '{print $7}' | grep /bin/bash' nd_user1_grp1:*:12321:nd_user1 :: [ PASS ] :: Running 'getent -s sss group nd_user1_grp1' nd_user1_grp1 :: [ PASS ] :: Running 'id -gn nd_user1 | grep nd_user1_grp1' spawn ssh -q -l nd_user1 localhost echo 'login successful' nd_user1@localhost's password: Could not chdir to home directory /home/nd_user1: No such file or directory login successful :: [ PASS ] :: Authentication successful, as expected :: [ PASS ] :: Running 'auth_success nd_user1 Secret123' '37fb6325-4085-4d9d-9c48-8e7b9031cdce' non-default-attribute-001 result: PASS Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: Cause: When reading data about a user for use in authentication, in several places we were expecting the default attribute name to be used. Consequence: If a user's data was specified in non-standard LDAP attributes, they would fail authentication. Fix: The code was updated to properly use the configured attributes instead of the default values. Result: Authentication of users now works when they are configured with non-standard attributes. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0747.html |