Issue related to Red Hat bugzilla 797300 and Salesforce case number 00546988 with an LDAP provider.
Using an IPA provider, trying to configure SSSD to not allow a disabled IPA account to do SSH key auth:
have
{{{
UsePAM yes
}}}
in /etc/ssh/sshd_config
and tried SSH key auth on a disabled IPA account without (default) and with the last 3 lines added to /etc/sssd/sssd.conf under my [domain/example.com]
{{{
...
id_provider = ipa
auth_provider = ipa
access_provider = ipa
...
# added for test
ldap_account_expire_policy = ipa
ldap_access_order=expire
}}}
ssh login was granted, but maybe I was missing some SSSD configuration statements.
tested with:
{{{
Red Hat Enterprise Linux Server release 6.2 (Santiago)
Linux ipaclient1.example.com 2.6.32-220.el6.x86_64 #1 SMP Wed Nov 9 08:03:13 EST 2011 x86_64 x86_64 x86_64 GNU/Linux
ipa-python-2.1.3-9.el6.x86_64
libipa_hbac-python-1.8.0-2.el6.beta2.x86_64
sssd-debuginfo-1.8.0-2.el6.beta2.x86_64
libipa_hbac-devel-1.8.0-2.el6.beta2.x86_64
sssd-client-1.8.0-2.el6.beta2.x86_64
sssd-tools-1.8.0-2.el6.beta2.x86_64
ipa-client-2.1.3-9.el6.x86_64
ipa-admintools-2.1.3-9.el6.x86_64
libipa_hbac-1.8.0-2.el6.beta2.x86_64
sssd-1.8.0-2.el6.beta2.x86_64
}}}
adding Stephen G.'s comments:
"Please open a bug. This is actually something we don't have implemented yet for the IPA provider. Right now you have an either-or choice. You can either use access_provider = ipa and get HBAC support for access-control, OR you can use access_provider = ldap and use the two options you specified above.
We really need an RFE to allow using both. Probably we should just make access_provider = ldap honor ldap_access_order in addition to HBAC rules."
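Added example, not part of the ticket and not SSSD's own code: a small Python check that reads an sssd.conf fragment and reports, per domain, which access-control path the configuration actually ends up on, encoding the either-or Stephen describes. With the version tested in the ticket, access_provider = ipa evaluates HBAC rules only, so ldap_account_expire_policy and ldap_access_order placed under it are silently ignored; access_provider = ldap honours those two options but does not evaluate HBAC rules. The sample config is constructed to mirror the fragment in the ticket (it is not a real deployment), and the function names are my own. The "permit" default for access_provider is taken from sssd.conf(5).

```python
import configparser

# Constructed sample sssd.conf, modelled on the fragment posted in the ticket.
# Only the keys that matter for the access-control decision are included.
SAMPLE_SSSD_CONF = """
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
# added for test
ldap_account_expire_policy = ipa
ldap_access_order=expire
"""

# Finding strings (hypothetical wording, chosen for this example).
IGNORED = "ldap_access_order/ldap_account_expire_policy are ignored with access_provider = ipa (HBAC only)"
LDAP_EXPIRE = "expiration enforced by the ldap access provider; HBAC rules are not evaluated"
LDAP_NO_EXPIRE = "access_provider = ldap without an 'expire' check: disabled accounts are not rejected"
PERMIT = "access_provider = permit (default): no access control at all"


def parse_sssd_conf(text):
    """Parse sssd.conf text (INI syntax, '#' comments) into a RawConfigParser."""
    cp = configparser.RawConfigParser()
    cp.read_string(text)
    return cp


def check_access_control(text):
    """Return a list of (domain, finding) tuples for every [domain/...] section.

    The logic mirrors the either-or from the ticket: 'ipa' means HBAC only
    (the ldap_* access options are not consulted), 'ldap' means the
    ldap_access_order list is consulted but HBAC rules are not.
    """
    cp = parse_sssd_conf(text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        domain = section[len("domain/"):]
        opts = dict(cp.items(section))

        # sssd.conf(5): access_provider defaults to 'permit' when unset.
        access = opts.get("access_provider", "permit").strip()
        order = [o.strip() for o in opts.get("ldap_access_order", "").split(",") if o.strip()]
        expire_policy = opts.get("ldap_account_expire_policy", "").strip()
        ldap_access_opts_present = bool(order) or bool(expire_policy)

        if access == "ipa":
            if ldap_access_opts_present:
                findings.append((domain, IGNORED))
        elif access == "ldap":
            # Both options are needed for the 'expire' check to mean anything
            # against IPA's disabled-account attribute.
            if "expire" in order and expire_policy == "ipa":
                findings.append((domain, LDAP_EXPIRE))
            else:
                findings.append((domain, LDAP_NO_EXPIRE))
        elif access == "permit":
            findings.append((domain, PERMIT))
    return findings


if __name__ == "__main__":
    # Point this at /etc/sssd/sssd.conf on a real client instead.
    for domain, finding in check_access_control(SAMPLE_SSSD_CONF):
        print(f"[domain/{domain}] {finding}")
```

Against the ticket's own configuration this reports that the two ldap_* options are ignored, which matches the observed behaviour (key auth granted for the disabled account). The IGNORED finding describes the SSSD version tested in the ticket; the fix tracked here (SSSD 1.8.1) makes the IPA provider check expiration in addition to HBAC, so on fixed versions that finding is only a hint that the options are redundant, not that the account check is missing.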
Fields changed
component: SSSD => IPA Provider
summary: rfe auth_provider ipa, ldap_account_expire_policy ipa, ldap_access_order expire, for disabled account and ssh key auth => The IPA provider should check expiration policies in addition to HBAC rules
priority: major => critical
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=797300 (Red Hat Enterprise Linux 5)
rhbz: => [https://bugzilla.redhat.com/show_bug.cgi?id=797300 797300]
type: defect => enhancement
milestone: NEEDS_TRIAGE => SSSD 1.8.1 (LTM)
type: enhancement => defect
RHEL 6.3 Bugzilla :: https://bugzilla.redhat.com/show_bug.cgi?id=801451
owner: somebody => sgallagh
status: new => assigned
patch: 0 => 1
Fixed by:
- master
  - 8372129
  - d10350e
- sssd-1-8
  - 559ce4c
  - 2424e15
resolution: => fixed
status: assigned => closed
Metadata Update from @msauton:
- Issue assigned to sgallagh
- Issue set to the milestone: SSSD 1.8.1 (LTM)
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/2269
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.