Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1166727
Description of problem:
SSSD should allow only the users listed in pam_trusted_users to authenticate when pam_public_domains = none. This way, other users from the same domain become untrusted users who shouldn't be allowed to auth. However, untrusted users from the same domain are also allowed to authenticate.

Version-Release number of selected component (if applicable):
sssd-1.12.2-12.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Set up openldap server and add two users, user1 & user2.
2. Configure sssd as given below:

    [sssd]
    config_file_version = 2
    domains = LDAP
    services = nss, pam
    sbus_timeout = 30

    [pam]
    debug_level = 0xFFF0
    pam_trusted_users = user1
    pam_public_domains = none

    [domain/LDAP]
    id_provider = ldap
    auth_provider = ldap
    debug_level = 5
    cache_credentials = FALSE
    ldap_uri = ldaps://seaspray.lab.eng.pnq.redhat.com
    ldap_tls_cacert = /etc/openldap/certs/server.pem
    ldap_search_base = dc=example,dc=com

3. Set up the auth section of /etc/pam.d/password-auth-ac as given below:

    auth required pam_env.so
    auth sufficient pam_unix.so nullok try_first_pass
    auth requisite pam_succeed_if.so uid >= 1000 quiet_success
    auth sufficient pam_sss.so use_first_pass domains=LDAP
    auth required pam_deny.so

4. Execute authentication for both users, user1 and user2.

Actual results:
1. Auth succeeds for both the users.

Expected results:
1. Authentication should succeed for user1.
2. Authentication should fail for user2.

Additional info:
Fields changed
blockedby: =>
blocking: =>
changelog: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
mark: no => 0
owner: somebody => jhrozek
priority: major => critical
review: True => 0
selected: =>
testsupdated: => 0
Downstream needs this fix.
milestone: NEEDS_TRIAGE => SSSD 1.12.3
patch: 0 => 1
resolution: => fixed
status: new => closed
Metadata Update from @jhrozek: - Issue assigned to jhrozek - Issue set to the milestone: SSSD 1.12.3
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/3543
If you want to receive further updates on the issue, please navigate to the github issue and click on the subscribe button.
Thank you for understanding. We apologize for all inconvenience.