#3133 RFE to add option of check user access in SSSD.
Closed: duplicate 6 years ago Opened 7 years ago by jhrozek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1366340

Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.

Description of problem:
RFE to add option of check user access in SSSD.

SSSD should have an option to check user access from the ID/Auth provider.
It should be similar to the ipa hbactest option.

# sssctl accesstest --user=test1 --host=machine1.example.com --service=sshd

Apart from adding a new command to sssctl, the tool would more or less just call (pseudocode):

pam_start()
pam_acct_mgmt()
pam_end()

And provide a nice textual representation of the result. What might be tricky, though, is that the stack normally also contains modules other than pam_sss.so, so if the access was denied by pam_unix or any other module, the user couldn't tell which module denied access.

blockedby: =>
blocking: =>
changelog: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
keywords: => easyfix
mark: no => 0
review: True => 0
selected: =>
testsupdated: => 0

But this should be fine if the expectation that it validates only the SSSD part is clearly spelled out.
This actually gives a hint, if the SSSD test passes but the user can't log in, that another module is to blame.
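
The caveat discussed above, as an added example that is not part of the ticket or of SSSD's code: a small Python parser that lists which account-phase modules other than pam_sss.so sit in a service's PAM stack, so a passing SSSD-only check can be read against what else decides the login. The service files are constructed samples, the function names are hypothetical, and the effect labels simplify PAM's control-flag semantics.

```python
import re

# Constructed sample PAM service files, keyed by name under /etc/pam.d.
SAMPLE = {
    "sshd": (
        "#%PAM-1.0\n"
        "auth       substack  password-auth\n"
        "account    required  pam_nologin.so\n"
        "account    include   password-auth\n"
        "session    include   password-auth\n"
    ),
    "password-auth": (
        "auth      sufficient pam_sss.so forward_pass\n"
        "account   required   pam_unix.so\n"
        "account   sufficient pam_localuser.so\n"
        "account   [default=bad success=ok user_unknown=ignore] pam_sss.so\n"
        "-account  optional   pam_systemd_home.so\n"
        "account   required   pam_permit.so\n"
    ),
}

# [-]type  control-or-[bracketed control]  module-or-included-service
LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def account_stack(service, files, _path=()):
    """Return [(control, module)] for the account phase, following includes."""
    if service in _path:                       # include loop: stop descending
        return []
    text = files.get(service, "").replace("\\\n", " ")  # join continuations
    stack = []
    for raw in text.splitlines():
        m = LINE.match(raw.split("#", 1)[0].strip())
        if not m or m.group(1) != "account":
            continue
        control, target = m.group(2), m.group(3)
        if control in ("include", "substack"):
            stack += account_stack(target, files, _path + (service,))
        else:
            stack.append((control, target.rsplit("/", 1)[-1]))
    return stack

def other_modules(service, files):
    """Account modules other than pam_sss.so and how each affects the verdict."""
    effect = {"required": "failure denies", "requisite": "failure denies",
              "sufficient": "success can end the stack early"}
    return [(mod, effect.get(ctl, "depends on bracketed control"))
            for ctl, mod in account_stack(service, files)
            if mod != "pam_sss.so" and ctl != "optional"]
```

On the sample, `other_modules("sshd", SAMPLE)` reports pam_nologin.so and pam_unix.so ahead of pam_sss.so, and shows that pam_localuser.so can end the account stack before pam_sss.so is consulted at all.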

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.16 beta

Fields changed

milestone: SSSD Future releases (no date set yet) => SSSD 1.15.2

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 1.15.2

7 years ago

Metadata Update from @jhrozek:
- Custom field design_review reset
- Custom field mark reset
- Custom field patch reset
- Custom field review reset
- Custom field sensitive reset
- Custom field testsupdated reset
- Issue close_status updated to: None
- Issue set to the milestone: SSSD 1.15.3 (was: SSSD 1.15.2)

7 years ago

This might be a duplicate of #3292 (general troubleshooting tool). With sss_pam_test_client from https://github.com/SSSD/sssd/pull/200 a call like

sss_pam_test_client username acct

would check if the user is allowed to access the local system via the 'system-auth' PAM server. If a different PAM service should be checked, the name can be given as the third option.

Metadata Update from @sbose:
- Custom field design_review reset
- Custom field mark reset
- Custom field patch reset
- Custom field review reset
- Custom field sensitive reset
- Custom field testsupdated reset

7 years ago

Metadata Update from @jhrozek:
- Custom field design_review reset (from false)
- Custom field mark reset (from false)
- Custom field patch reset (from false)
- Custom field review reset (from false)
- Custom field sensitive reset (from false)
- Custom field testsupdated reset (from false)
- Issue assigned to sbose

7 years ago

Metadata Update from @jhrozek:
- Custom field design_review reset (from false)
- Custom field mark reset (from false)
- Custom field patch adjusted to on (was: false)
- Custom field review reset (from false)
- Custom field sensitive reset (from false)
- Custom field testsupdated reset (from false)

7 years ago

Metadata Update from @jhrozek:
- Custom field design_review reset (from false)
- Custom field mark reset (from false)
- Custom field review reset (from false)
- Custom field sensitive reset (from false)
- Custom field testsupdated reset (from false)
- Issue close_status updated to: duplicate
- Issue status updated to: Closed (was: Open)

6 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4166

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
