Bug 1008000 - [RFE] Add a new option ad_access_filter
[RFE] Add a new option ad_access_filter
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd (Show other bugs)
7.0
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: Jakub Hrozek
Kaushik Banerjee
: FutureFeature
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-09-13 14:08 EDT by Dmitri Pal
Modified: 2014-06-18 00:02 EDT (History)
5 users (show)

See Also:
Fixed In Version: sssd-1.11.2-1.el7
Doc Type: Enhancement
Doc Text:
Feature: A new option, ad_access_filter was added to the AD provider of SSSD. Reason: Previously, only the ldap_access_filter could be used by the administrator. Setting this option with an AD provider required setting several low-level LDAP connection details. Moreover, the ldap_access_filter could only be used globally, the new ad_access_filter can be set per AD domain as well. Result (if any): If the ad_access_filter option is set in sssd.conf file, only users who match the filter are allowed access to the machine.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-06-13 06:41:59 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Dmitri Pal 2013-09-13 14:08:26 EDT
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/2082

Currently the default access provider for the AD identity provider is "permit", while the AD access provider checks if the account is expired. But many users would like the option to check the access based on a filter. Currently the only way is to configure the LDAP access provider, which is error-prone and clumsy.

We should add one more configuration option "ad_access_filter" that, if set, would augment the AD access provider so that it first checks if the account is expired and if it's not, then proceed to check if the account matches the filter without having to configure the LDAP provider.

See also ticket #1977 and #1975.
Comment 1 Jakub Hrozek 2013-09-26 05:14:51 EDT
Design was created and reviewed upstream -> ASSIGNED
Comment 2 Jakub Hrozek 2013-10-25 16:09:27 EDT
Fixed upstream.

    sssd-1-11:
        5e9833aa7b1a89cbb2c0cf667a99cb0bc4ad7963
        2cbf205f3fe25087666ff108c2ad380fd3cbfe46
        9dd62f094fb4c1bfb04128de1c3ec20933603046
        e37cbdd9be139b9949024c94ae21c12b36a6c180
        88ee068181e2b35730f6bc2c71a63c21c476cdd7
        0b23970978de5c1088a5dbdd6012800b4db94572 
    master:
        1ce58f139699dd26b8888f4131c996263b6a80a5
        67b1fc914190e12ab014c0616b7f0a642fbe6356
        efe6b4a9d374339cac2528cdeb43720957c6b7c9
        8a05fd320a44636d120a18eb7e9956c7b35b3138
        dd2f33603228005a44675f1484c294ea647dbce3
        443eb8217741df57d9f58f2098487b91e3404e71
Comment 4 Kaushik Banerjee 2013-11-23 11:34:14 EST
Verified in version 1.11.2-1.el7

Bugs logged against this feature: 1031562, 1032983, 1033133

Output from beaker automation run:
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ad_access_control_01: access_provider defaults to ad
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Running 'su_wrong_password user1_dom1@sssdad.com Secret123' (Expected 0, got 0)
:: [   PASS   ] :: Running 'su_wrong_password user1_dom2@sssdad_tree.com Secret123' (Expected 0, got 0)
:: [   PASS   ] :: Running 'su_wrong_password user1_dom3@child1.sssdad.com Secret123' (Expected 0, got 0)
:: [   LOG    ] :: Duration: 14s
:: [   LOG    ] :: Assertions: 3 good, 0 bad
:: [   PASS   ] :: RESULT: ad_access_control_01: access_provider defaults to ad

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ad_access_control_02: access_provider=ad without any other options denies expired users
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Running 'su_wrong_password user1_dom1@sssdad.com Secret123' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/log/secure' should contain 'User account has expired' 
:: [   PASS   ] :: Running 'su_wrong_password user1_dom2@sssdad_tree.com Secret123' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/log/secure' should contain 'User account has expired' 
:: [   PASS   ] :: Running 'su_wrong_password user1_dom3@child1.sssdad.com Secret123' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/log/secure' should contain 'User account has expired' 
:: [   LOG    ] :: Duration: 14s
:: [   LOG    ] :: Assertions: 6 good, 0 bad
:: [   PASS   ] :: RESULT: ad_access_control_02: access_provider=ad without any other options denies expired users

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ad_access_control_03: An expired user, even though he matches the filter, is denied access
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Running 'su_wrong_password user1_dom1@sssdad.com Secret123' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/log/secure' should contain 'User account has expired' 
:: [   PASS   ] :: Running 'su_wrong_password user1_dom2@sssdad_tree.com Secret123' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/log/secure' should contain 'User account has expired' 
:: [   PASS   ] :: Running 'su_wrong_password user1_dom3@child1.sssdad.com Secret123' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/log/secure' should contain 'User account has expired' 
:: [   LOG    ] :: Duration: 16s
:: [   LOG    ] :: Assertions: 6 good, 0 bad
:: [   PASS   ] :: RESULT: ad_access_control_03: An expired user, even though he matches the filter, is denied access

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ad_access_control_04: access_provider=ad without any other options allows non-expired users
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Running 'su_success user1_dom1@sssdad.com Secret123' (Expected 0, got 0)
:: [   PASS   ] :: Running 'su_success user1_dom2@sssdad_tree.com Secret123' (Expected 0, got 0)
:: [   PASS   ] :: Running 'su_success user1_dom3@child1.sssdad.com Secret123' (Expected 0, got 0)
:: [   LOG    ] :: Duration: 8s
:: [   LOG    ] :: Assertions: 3 good, 0 bad
:: [   PASS   ] :: RESULT: ad_access_control_04: access_provider=ad without any other options allows non-expired users

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ad_access_control_05: ad_access_filter=memberOf=cn=admins,ou=groups,dc=example,dc=com
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Running 'su_success user1_dom1@sssdad.com Secret123' (Expected 0, got 0)
:: [   PASS   ] :: Running 'su_permission_denied user2_dom1@sssdad.com Secret123' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/log/secure' should contain 'Access denied for user user2_dom1@sssdad.com' 
:: [   PASS   ] :: Running 'su_permission_denied user1_dom2@sssdad_tree.com Secret123' (Expected 0, got 0)
:: [   PASS   ] :: Running 'su_permission_denied user1_dom3@child1.sssdad.com Secret123' (Expected 0, got 0)
:: [   LOG    ] :: Duration: 11s
:: [   LOG    ] :: Assertions: 5 good, 0 bad
:: [   PASS   ] :: RESULT: ad_access_control_05: ad_access_filter=memberOf=cn=admins,ou=groups,dc=example,dc=com

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ad_access_control_06: ad_access_filter=(cn=user)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Running 'su_success user1_dom1@sssdad.com Secret123' (Expected 0, got 0)
:: [   PASS   ] :: Running 'su_permission_denied user2_dom1@sssdad.com Secret123' (Expected 0, got 0)
:: [   PASS   ] :: Running 'su_permission_denied user1_dom2@sssdad_tree.com Secret123' (Expected 0, got 0)
:: [   PASS   ] :: Running 'su_permission_denied user1_dom3@child1.sssdad.com Secret123' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/log/secure' should contain 'Access denied for user user2_dom1@sssdad.com' 
:: [   PASS   ] :: File '/var/log/secure' should contain 'Access denied for user user1_dom2@sssdad_tree.com' 
:: [   PASS   ] :: File '/var/log/secure' should contain 'Access denied for user user1_dom3@child1.sssdad.com' 
:: [   LOG    ] :: Duration: 12s
:: [   LOG    ] :: Assertions: 7 good, 0 bad
:: [   PASS   ] :: RESULT: ad_access_control_06: ad_access_filter=(cn=user)

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ad_access_control_07: ad_access_filter=dom1:(memberOf=cn=admins,ou=groups,dc=example,dc=com)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Running 'su_success user1_dom1@sssdad.com Secret123' (Expected 0, got 0)
:: [   PASS   ] :: Running 'su_permission_denied user2_dom1@sssdad.com Secret123' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/log/secure' should contain 'Access denied for user user2_dom1@sssdad.com' 
:: [   PASS   ] :: Running 'su_permission_denied user1_dom2@sssdad_tree.com Secret123' (Expected 0, got 0)
:: [   PASS   ] :: Running 'su_permission_denied user1_dom3@child1.sssdad.com Secret123' (Expected 0, got 0)
:: [   LOG    ] :: Duration: 11s
:: [   LOG    ] :: Assertions: 5 good, 0 bad
:: [   PASS   ] :: RESULT: ad_access_control_07: ad_access_filter=dom1:(memberOf=cn=admins,ou=groups,dc=example,dc=com)

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ad_access_control_08: ad_access_filter=DOM:dom2:(memberOf=cn=admins,ou=groups,dc=example,dc=com)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Running 'su_permission_denied user1_dom1@sssdad.com Secret123' (Expected 0, got 0)
:: [   PASS   ] :: Running 'su_permission_denied user1_dom2@sssdad_tree.com Secret123' (Expected 0, got 0)
:: [   PASS   ] :: Running 'su_success user1_dom3@child1.sssdad.com Secret123' (Expected 0, got 0)
:: [   PASS   ] :: Running 'su_permission_denied user2_dom3@child1.sssdad.com Secret123' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/log/secure' should contain 'Access denied for user user2_dom3@child1.sssdad.com' 
:: [   LOG    ] :: Duration: 11s
:: [   LOG    ] :: Assertions: 5 good, 0 bad
:: [   PASS   ] :: RESULT: ad_access_control_08: ad_access_filter=DOM:dom2:(memberOf=cn=admins,ou=groups,dc=example,dc=com)

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ad_access_control_09: ad_access_filter=FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   FAIL   ] :: Running 'su_success user1_dom1@sssdad.com Secret123' (Expected 0, got 1)
:: [   FAIL   ] :: Running 'su_permission_denied user1_dom2@sssdad_tree.com Secret123' (Expected 0, got 1)
:: [   FAIL   ] :: Running 'su_permission_denied user1_dom3@child1.sssdad.com Secret123' (Expected 0, got 1)
:: [   LOG    ] :: Duration: 1m 7s
:: [   LOG    ] :: Assertions: 0 good, 3 bad
:: [   FAIL   ] :: RESULT: ad_access_control_09: ad_access_filter=FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)
Comment 5 Ludek Smid 2014-06-13 06:41:59 EDT
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

Note You need to log in before you can comment on or make changes to this bug.