Bug 1008000 - [RFE] Add a new option ad_access_filter
Summary: [RFE] Add a new option ad_access_filter
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Jakub Hrozek
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-09-13 18:08 UTC by Dmitri Pal
Modified: 2020-05-02 17:28 UTC
CC List: 5 users

Fixed In Version: sssd-1.11.2-1.el7
Doc Type: Enhancement
Doc Text:
Feature: A new option, ad_access_filter was added to the AD provider of SSSD. Reason: Previously, only the ldap_access_filter could be used by the administrator. Setting this option with an AD provider required setting several low-level LDAP connection details. Moreover, the ldap_access_filter could only be used globally, the new ad_access_filter can be set per AD domain as well. Result (if any): If the ad_access_filter option is set in sssd.conf file, only users who match the filter are allowed access to the machine.
Clone Of:
Environment:
Last Closed: 2014-06-13 10:41:59 UTC
Target Upstream Version:
Embargoed:


Links
System: Github SSSD sssd issues 3124 | Private: 0 | Priority: None | Status: None | Summary: None | Last Updated: 2020-05-02 17:28:23 UTC

Description Dmitri Pal 2013-09-13 18:08:26 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/2082

Currently the default access provider for the AD identity provider is "permit", while the AD access provider checks if the account is expired. But many users would like the option to check the access based on a filter. Currently the only way is to configure the LDAP access provider, which is error-prone and clumsy.

We should add one more configuration option "ad_access_filter" that, if set, would augment the AD access provider so that it first checks if the account is expired and, if it's not, then proceeds to check if the account matches the filter, without having to configure the LDAP provider.

See also tickets #1977 and #1975.
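The configuration the request describes, as an added illustration (this sssd.conf fragment is not part of the bug report or of the SSSD project's documentation): the AD provider handles identity and access for one domain, and ad_access_filter restricts logins to members of an AD group. The domain name example.com, the group DN and the file layout are assumed; the filter syntaxes shown (bare filter, DOM:domain:filter, FOREST:forest:filter) are the ones exercised in the verification run on this bug. With access_provider = ad the expiry check still runs first, so an expired account is denied even when it matches the filter.

```ini
# /etc/sssd/sssd.conf (assumed path and domain name; illustrative only)
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ad
# Keep the AD access provider: expired accounts are rejected before the
# filter is consulted, so the filter only narrows access further.
access_provider = ad

# Only members of the admins group may log in. Any LDAP filter AD can
# evaluate works here; a group-membership filter is the common case.
ad_access_filter = (memberOf=cn=admins,ou=groups,dc=example,dc=com)

# Per-domain forms seen in the test run, for environments with trusted
# subdomains (choose one style; the prefix names the domain or forest
# the filter applies to):
#   ad_access_filter = DOM:dom2.example.com:(memberOf=cn=admins,ou=groups,dc=dom2,dc=example,dc=com)
#   ad_access_filter = FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)
```

When testing a filter, the authorization outcome shows up in the PAM log rather than the identity lookup: a denied login leaves "Access denied for user <name>" in /var/log/secure, while an expired account leaves "User account has expired", so the two causes can be told apart without raising sssd debug levels.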

Comment 1 Jakub Hrozek 2013-09-26 09:14:51 UTC
Design was created and reviewed upstream -> ASSIGNED

Comment 2 Jakub Hrozek 2013-10-25 20:09:27 UTC
Fixed upstream.

    sssd-1-11:
        5e9833aa7b1a89cbb2c0cf667a99cb0bc4ad7963
        2cbf205f3fe25087666ff108c2ad380fd3cbfe46
        9dd62f094fb4c1bfb04128de1c3ec20933603046
        e37cbdd9be139b9949024c94ae21c12b36a6c180
        88ee068181e2b35730f6bc2c71a63c21c476cdd7
        0b23970978de5c1088a5dbdd6012800b4db94572 
    master:
        1ce58f139699dd26b8888f4131c996263b6a80a5
        67b1fc914190e12ab014c0616b7f0a642fbe6356
        efe6b4a9d374339cac2528cdeb43720957c6b7c9
        8a05fd320a44636d120a18eb7e9956c7b35b3138
        dd2f33603228005a44675f1484c294ea647dbce3
        443eb8217741df57d9f58f2098487b91e3404e71

Comment 4 Kaushik Banerjee 2013-11-23 16:34:14 UTC
Verified in version 1.11.2-1.el7

Bugs logged against this feature: 1031562, 1032983, 1033133

Output from beaker automation run:
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ad_access_control_01: access_provider defaults to ad
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Running 'su_wrong_password user1_dom1 Secret123' (Expected 0, got 0)
:: [   PASS   ] :: Running 'su_wrong_password user1_dom2 Secret123' (Expected 0, got 0)
:: [   PASS   ] :: Running 'su_wrong_password user1_dom3.com Secret123' (Expected 0, got 0)
:: [   LOG    ] :: Duration: 14s
:: [   LOG    ] :: Assertions: 3 good, 0 bad
:: [   PASS   ] :: RESULT: ad_access_control_01: access_provider defaults to ad

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ad_access_control_02: access_provider=ad without any other options denies expired users
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Running 'su_wrong_password user1_dom1 Secret123' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/log/secure' should contain 'User account has expired' 
:: [   PASS   ] :: Running 'su_wrong_password user1_dom2 Secret123' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/log/secure' should contain 'User account has expired' 
:: [   PASS   ] :: Running 'su_wrong_password user1_dom3.com Secret123' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/log/secure' should contain 'User account has expired' 
:: [   LOG    ] :: Duration: 14s
:: [   LOG    ] :: Assertions: 6 good, 0 bad
:: [   PASS   ] :: RESULT: ad_access_control_02: access_provider=ad without any other options denies expired users

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ad_access_control_03: An expired user, even though he matches the filter, is denied access
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Running 'su_wrong_password user1_dom1 Secret123' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/log/secure' should contain 'User account has expired' 
:: [   PASS   ] :: Running 'su_wrong_password user1_dom2 Secret123' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/log/secure' should contain 'User account has expired' 
:: [   PASS   ] :: Running 'su_wrong_password user1_dom3.com Secret123' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/log/secure' should contain 'User account has expired' 
:: [   LOG    ] :: Duration: 16s
:: [   LOG    ] :: Assertions: 6 good, 0 bad
:: [   PASS   ] :: RESULT: ad_access_control_03: An expired user, even though he matches the filter, is denied access

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ad_access_control_04: access_provider=ad without any other options allows non-expired users
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Running 'su_success user1_dom1 Secret123' (Expected 0, got 0)
:: [   PASS   ] :: Running 'su_success user1_dom2 Secret123' (Expected 0, got 0)
:: [   PASS   ] :: Running 'su_success user1_dom3.com Secret123' (Expected 0, got 0)
:: [   LOG    ] :: Duration: 8s
:: [   LOG    ] :: Assertions: 3 good, 0 bad
:: [   PASS   ] :: RESULT: ad_access_control_04: access_provider=ad without any other options allows non-expired users

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ad_access_control_05: ad_access_filter=memberOf=cn=admins,ou=groups,dc=example,dc=com
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Running 'su_success user1_dom1 Secret123' (Expected 0, got 0)
:: [   PASS   ] :: Running 'su_permission_denied user2_dom1 Secret123' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/log/secure' should contain 'Access denied for user user2_dom1' 
:: [   PASS   ] :: Running 'su_permission_denied user1_dom2 Secret123' (Expected 0, got 0)
:: [   PASS   ] :: Running 'su_permission_denied user1_dom3.com Secret123' (Expected 0, got 0)
:: [   LOG    ] :: Duration: 11s
:: [   LOG    ] :: Assertions: 5 good, 0 bad
:: [   PASS   ] :: RESULT: ad_access_control_05: ad_access_filter=memberOf=cn=admins,ou=groups,dc=example,dc=com

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ad_access_control_06: ad_access_filter=(cn=user)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Running 'su_success user1_dom1 Secret123' (Expected 0, got 0)
:: [   PASS   ] :: Running 'su_permission_denied user2_dom1 Secret123' (Expected 0, got 0)
:: [   PASS   ] :: Running 'su_permission_denied user1_dom2 Secret123' (Expected 0, got 0)
:: [   PASS   ] :: Running 'su_permission_denied user1_dom3.com Secret123' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/log/secure' should contain 'Access denied for user user2_dom1' 
:: [   PASS   ] :: File '/var/log/secure' should contain 'Access denied for user user1_dom2' 
:: [   PASS   ] :: File '/var/log/secure' should contain 'Access denied for user user1_dom3.com' 
:: [   LOG    ] :: Duration: 12s
:: [   LOG    ] :: Assertions: 7 good, 0 bad
:: [   PASS   ] :: RESULT: ad_access_control_06: ad_access_filter=(cn=user)

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ad_access_control_07: ad_access_filter=dom1:(memberOf=cn=admins,ou=groups,dc=example,dc=com)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Running 'su_success user1_dom1 Secret123' (Expected 0, got 0)
:: [   PASS   ] :: Running 'su_permission_denied user2_dom1 Secret123' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/log/secure' should contain 'Access denied for user user2_dom1' 
:: [   PASS   ] :: Running 'su_permission_denied user1_dom2 Secret123' (Expected 0, got 0)
:: [   PASS   ] :: Running 'su_permission_denied user1_dom3.com Secret123' (Expected 0, got 0)
:: [   LOG    ] :: Duration: 11s
:: [   LOG    ] :: Assertions: 5 good, 0 bad
:: [   PASS   ] :: RESULT: ad_access_control_07: ad_access_filter=dom1:(memberOf=cn=admins,ou=groups,dc=example,dc=com)

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ad_access_control_08: ad_access_filter=DOM:dom2:(memberOf=cn=admins,ou=groups,dc=example,dc=com)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Running 'su_permission_denied user1_dom1 Secret123' (Expected 0, got 0)
:: [   PASS   ] :: Running 'su_permission_denied user1_dom2 Secret123' (Expected 0, got 0)
:: [   PASS   ] :: Running 'su_success user1_dom3.com Secret123' (Expected 0, got 0)
:: [   PASS   ] :: Running 'su_permission_denied user2_dom3.com Secret123' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/log/secure' should contain 'Access denied for user user2_dom3.com' 
:: [   LOG    ] :: Duration: 11s
:: [   LOG    ] :: Assertions: 5 good, 0 bad
:: [   PASS   ] :: RESULT: ad_access_control_08: ad_access_filter=DOM:dom2:(memberOf=cn=admins,ou=groups,dc=example,dc=com)

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ad_access_control_09: ad_access_filter=FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   FAIL   ] :: Running 'su_success user1_dom1 Secret123' (Expected 0, got 1)
:: [   FAIL   ] :: Running 'su_permission_denied user1_dom2 Secret123' (Expected 0, got 1)
:: [   FAIL   ] :: Running 'su_permission_denied user1_dom3.com Secret123' (Expected 0, got 1)
:: [   LOG    ] :: Duration: 1m 7s
:: [   LOG    ] :: Assertions: 0 good, 3 bad
:: [   FAIL   ] :: RESULT: ad_access_control_09: ad_access_filter=FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)

Comment 5 Ludek Smid 2014-06-13 10:41:59 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

