Bug 1573509 - Auth MIQLDAP to SSSD - After conversion binds happen with admin creds in SSSD.conf file
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: Appliance
Version: 5.9.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: GA
: 5.9.3
Assignee: Joe Vlcek
QA Contact: Matt Pusateri
Whiteboard: auth:miqldap:externalauth:security
Depends On:
Reported: 2018-05-01 14:50 UTC by Matt Pusateri
Modified: 2018-05-03 13:58 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2018-05-02 21:27:48 UTC
Category: ---
Cloudforms Team: ---
Target Upstream Version:


Description Matt Pusateri 2018-05-01 14:50:14 UTC
Description of problem:
Auth MIQLDAP to SSSD - After conversion binds happen with admin creds in SSSD.conf file. Binding to the LDAP server as Admin should not be required, as conventional security protocols dictate you bind with the user creds. This way the application is only reading what the user has access to in the LDAP tree.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Configure MIQLDAP
2. Run miqldap_to_sssd conversion script
3. Admin creds are stored in /etc/sssd/sssd.conf, as admin creds are used to bind to LDAP according to the Dev team.

Actual results:
LDAP Admin user is used for all binds

Expected results:
Application should use user creds to bind as they are most restrictive.

Additional info:

Comment 2 Matt Pusateri 2018-05-01 15:22:28 UTC
See also: https://bugzilla.redhat.com/show_bug.cgi?id=1573511

Comment 3 Joe Vlcek 2018-05-02 21:27:48 UTC

Sorry, I seem to have created some confusion when we spoke about this the
other day.

I reviewed this with Gregg T and Alberto and we all agree this is working as expected.

SSSD does do the bind with the user's credentials when authenticating the user.
SSSD binds with the admin credentials when searching the directory.
SSSD needs to search the directory for things like group membership and finding
the user object. The user may not necessarily have privileges to do this.
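To make the distinction drawn in the comment above concrete from the defender's side, here is an added example (not part of the bug report, of CloudForms or of SSSD): a small audit that reports which sssd.conf domains carry a stored search-bind secret (the one SSSD uses for lookups, as opposed to the per-user authentication bind) and whether the file mode keeps that secret owner-only. The configuration text is constructed; the option names are SSSD's documented ldap_default_* keys, and DNs and secrets are placeholders.

```python
"""Audit sssd.conf for stored LDAP service-account (search) bind credentials."""
import configparser
import stat

# Constructed sssd.conf resembling what a MIQLDAP-to-SSSD conversion could
# leave behind; DNs and secrets are placeholders, not values from the bug.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = corp.example, lab.example

[domain/corp.example]
id_provider = ldap
ldap_default_bind_dn = cn=cfme-svc,ou=service,dc=corp,dc=example
ldap_default_authtok_type = password
ldap_default_authtok = PLACEHOLDER-SECRET

[domain/lab.example]
id_provider = ldap
ldap_default_bind_dn = cn=cfme-svc,ou=service,dc=lab,dc=example
ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = PLACEHOLDER-OBFUSCATED
"""

def audit_sssd_domains(text):
    """Report, per [domain/...] section, how the search-bind secret is held.
    User authentication binds as the user; only the directory searches (user
    object, group membership) bind as ldap_default_bind_dn with a stored secret."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        sec = cp[section]
        authtok = sec.get("ldap_default_authtok")
        tok_type = sec.get("ldap_default_authtok_type", "password")  # SSSD default
        findings[section[len("domain/"):]] = {
            "service_bind_dn": sec.get("ldap_default_bind_dn"),
            "secret_stored": authtok is not None,
            # 'obfuscated_password' (written by sss_obfuscate) only obscures
            # the secret; file permissions are still what protects it.
            "plaintext_secret": authtok is not None and tok_type == "password",
        }
    return findings

def mode_is_owner_only(st_mode):
    """True when no group/other bits are set (0600); pass os.stat(path).st_mode."""
    return (stat.S_IMODE(st_mode) & (stat.S_IRWXG | stat.S_IRWXO)) == 0
```

Run it against the live file with `audit_sssd_domains(open("/etc/sssd/sssd.conf").read())` and `mode_is_owner_only(os.stat("/etc/sssd/sssd.conf").st_mode)` to see which domains hold a search-bind secret and whether the file mode protects it.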

