Note: This bug is displayed in read-only format because
the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
DescriptionJan Pazdziora (Red Hat)
2017-05-24 14:47:27 UTC
Description of problem:
When integrating with Web applications that run for example PAM authentication, SSSD will find the user in one of the domains but we don't have a way to get the domain information during PAM authentication and thus to normalize the identity of the user (what was entered by the user in the logon form -> what SSSD actually authenticated). The issue is tracked in
https://pagure.io/SSSD/sssd/issue/2476https://pagure.io/SSSD/sssd/issue/2589
To provide some mechanism for addressing the issue, and to also support non-authentication use cases, here's a new requirement to make the domain name of the user identity available and retrievable as an attribute over the ifp D-Bus call GetUserAttr.
That would allow us to just configure mod_lookup_identity to return the domain name among other attributes, and let the Web application do the normalization.
Please note that one of the use cases is to support migration of existing application databases with user identities retrieved from AD LDAPs (by application) to setups with SSSD and machine being joined to AD domain.
At the same time, non-POSIX identities also have to be supported.
Version-Release number of selected component (if applicable):
sssd-1.15.2-35.el7
How reproducible:
Deterministic.
Steps to Reproduce:
1. Have Web application configured with mod_authnz_pam and mod_lookup_identity, with SSSD configured against two domains "domain1.com" and "domain2.com", with two LDAP servers where each server will have user "bob".
2. Authenticate as "bob" via PAM.
3. Try to figure out SSSD and Apache configuration which will allow the application to decide if the user that logged in is "bob" or "bob".
Actual results:
It's currently not possible.
Expected results:
It should be possible.
Additional info:
Comment 3Jan Pazdziora (Red Hat)
2017-05-24 14:53:49 UTC
Alternatively the attribute might be the canonical name of the user, something like "bob", not just the domain.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHEA-2017:2294