SSSD pam configuration causes ldap_access_filter to be ignored

Bug #2064171 reported by Carmen Rata
Affects: StarlingX | Status: Fix Released | Importance: Medium | Assigned to: Carmen Rata

Bug Description

Brief Description
-----------------

The SSSD "ldap_access_filter" configuration for a WAD domain does not perform as expected: instead of allowing access only to members of the configured group, it allows unrestricted access to any user.

Severity
--------

Major

Steps to Reproduce
------------------

Configure the ldap_access_filter parameter of a WAD domain in /etc/sssd/sssd.conf with a group, so that access is restricted to the users of that group.
Try to log in to the wrcp platform with a user in that group; access is allowed.
Try to log in with a user from outside the group; access should be denied, but the user is able to log in.

Expected Behavior
------------------

The users that are not members of the allowed access group should be denied access.

Actual Behavior
----------------

Users that are not in the allowed access group are allowed to login.

Reproducibility
---------------

100% reproducible

System Configuration
--------------------
AIO-SX

Workaround
----------
Update /etc/pam.d/common-account by replacing the line:

account [default=ignore success=ok user_unknown=ignore new_authtok_reqd=bad] pam_sss.so

with the following 2 lines:

account sufficient pam_localuser.so
account [default=bad success=ok user_unknown=ignore new_authtok_reqd=bad] pam_sss.so

This workaround must be applied on every node that runs sssd.
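The following is an added example (not part of this bug report or of the StarlingX config-files project) that models how Linux-PAM evaluates an account stack, so the effect of the two pam_sss.so control strings can be checked offline. The Debian-style head of common-account (pam_unix, pam_deny, pam_permit) and the user scenarios are constructed, and the per-module return codes (pam_sss.so returning PAM_PERM_DENIED when ldap_access_filter rejects the user, PAM_USER_UNKNOWN for local users, and PAM_AUTHINFO_UNAVAIL when SSSD is unreachable) are assumptions for the model. It also evaluates a third stack, `default=bad` without `pam_localuser.so`, to show why the fix needs both lines.

```python
"""Model of Linux-PAM 'account' stack dispatch (added example, not StarlingX code).

Shows why `default=ignore` on the pam_sss.so line lets an ldap_access_filter
denial fall through to pam_permit, and why the fix pairs `default=bad` with
`account sufficient pam_localuser.so` so local users still log in when SSSD is down.
"""
from dataclasses import dataclass

# PAM return codes used by the modelled modules (names follow Linux-PAM).
SUCCESS, PERM_DENIED, USER_UNKNOWN = "success", "perm_denied", "user_unknown"
NEW_AUTHTOK_REQD, AUTHINFO_UNAVAIL = "new_authtok_reqd", "authinfo_unavail"

# Keyword controls expanded to bracket form, as pam(5) documents them.
KEYWORDS = {
    "required":   "success=ok new_authtok_reqd=ok ignore=ignore default=bad",
    "requisite":  "success=ok new_authtok_reqd=ok ignore=ignore default=die",
    "sufficient": "success=done new_authtok_reqd=done default=ignore",
    "optional":   "success=ok new_authtok_reqd=ok default=ignore",
}


@dataclass
class Scenario:
    local: bool             # user has an /etc/passwd entry
    in_allowed_group: bool  # user matches the configured ldap_access_filter
    sssd_up: bool = True
    password_expired: bool = False


def pam_sss(s):
    """Assumed pam_sss.so account-phase behaviour for the model."""
    if not s.sssd_up:
        return AUTHINFO_UNAVAIL        # cannot reach the SSSD responder
    if s.local:
        return USER_UNKNOWN            # local users belong to no SSSD domain
    if not s.in_allowed_group:
        return PERM_DENIED             # rejected by ldap_access_filter
    return NEW_AUTHTOK_REQD if s.password_expired else SUCCESS


# Module behaviour in the account phase (simplified, assumed for the model).
MODULES = {
    "pam_unix.so": lambda s: SUCCESS if s.local or s.sssd_up else USER_UNKNOWN,
    "pam_deny.so": lambda s: PERM_DENIED,
    "pam_permit.so": lambda s: SUCCESS,
    "pam_localuser.so": lambda s: SUCCESS if s.local else PERM_DENIED,
    "pam_sss.so": pam_sss,
}


def parse_line(line):
    """'account <control> <module>' -> ({return_code: action}, module)."""
    _, rest = line.split(None, 1)
    if rest.startswith("["):
        control, module = rest[1:].split("]", 1)
    else:
        keyword, module = rest.split(None, 1)
        control = KEYWORDS[keyword]
    actions = dict(pair.split("=") for pair in control.split())
    return actions, module.strip()


def run_account_stack(lines, scenario):
    """Mirror Linux-PAM dispatch: keep an impression (undef/pos/neg) and a status,
    applying each module's configured action for the code it returned."""
    stack = [parse_line(line) for line in lines]
    impression, status = None, PERM_DENIED   # _PAM_UNDEF / PAM_MUST_FAIL_CODE
    i = 0
    while i < len(stack):
        actions, module = stack[i]
        ret = MODULES[module](scenario)
        action = actions.get(ret, actions.get("default", "bad"))  # unlisted -> bad (assumed)
        if action.isdigit():                     # success=N style jump: counts as ok, skips N
            if impression is None or (impression == "pos" and status == SUCCESS):
                impression, status = "pos", ret
            i += int(action)
        elif action in ("ok", "done"):
            if impression is None or (impression == "pos" and status == SUCCESS):
                impression, status = "pos", ret
            if action == "done" and impression == "pos":
                break                            # stack terminates with a positive result
        elif action in ("bad", "die"):
            if impression != "neg":
                impression, status = "neg", ret  # first failure fixes the result
            if action == "die":
                break
        elif action == "reset":
            impression, status = None, PERM_DENIED
        # "ignore": this module contributes nothing to the result
        i += 1
    return status if impression is not None else PERM_DENIED


# Constructed Debian-style head of /etc/pam.d/common-account (not StarlingX's actual file).
HEAD = [
    "account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so",
    "account requisite pam_deny.so",
    "account required pam_permit.so",
]
ORIGINAL = HEAD + ["account [default=ignore success=ok user_unknown=ignore new_authtok_reqd=bad] pam_sss.so"]
BAD_ONLY = HEAD + ["account [default=bad success=ok user_unknown=ignore new_authtok_reqd=bad] pam_sss.so"]
FIXED = HEAD + ["account sufficient pam_localuser.so",
                "account [default=bad success=ok user_unknown=ignore new_authtok_reqd=bad] pam_sss.so"]

SCENARIOS = {
    "ldap member": Scenario(local=False, in_allowed_group=True),
    "ldap outsider": Scenario(local=False, in_allowed_group=False),
    "ldap member, expired pw": Scenario(local=False, in_allowed_group=True, password_expired=True),
    "sysadmin, sssd up": Scenario(local=True, in_allowed_group=False),
    "sysadmin, sssd down": Scenario(local=True, in_allowed_group=False, sssd_up=False),
}


def evaluate(lines):
    """Result of pam_acct_mgmt for every scenario against one stack."""
    return {name: run_account_stack(lines, s) for name, s in SCENARIOS.items()}


if __name__ == "__main__":
    for label, lines in (("original", ORIGINAL), ("default=bad only", BAD_ONLY), ("fixed", FIXED)):
        print(label, evaluate(lines))
```

With the original line, the outsider's PAM_PERM_DENIED from pam_sss.so is mapped to `ignore`, so the PAM_SUCCESS already recorded by pam_permit.so stands and the stack grants access. Changing only `default=ignore` to `default=bad` closes that hole but turns PAM_AUTHINFO_UNAVAIL into a denial for sysadmin whenever SSSD is down; `account sufficient pam_localuser.so` placed before it terminates the stack with success for local users, so they never depend on SSSD. An expired LDAP password still surfaces as PAM_NEW_AUTHTOK_REQD to the application in both configurations.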

Carmen Rata (crata)
Changed in starlingx:
assignee: nobody → Carmen Rata (crata)
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to config-files (master)
Ghada Khalil (gkhalil)
Changed in starlingx:
importance: Undecided → Medium
tags: added: stx.10.0 stx.config stx.security
OpenStack Infra (hudson-openstack) wrote : Fix merged to config-files (master)

Reviewed: https://review.opendev.org/c/starlingx/config-files/+/917513
Committed: https://opendev.org/starlingx/config-files/commit/5b7c2e704b2ac1e134418b51932f76075535cba6
Submitter: "Zuul (22348)"
Branch: master

commit 5b7c2e704b2ac1e134418b51932f76075535cba6
Author: Carmen Rata <email address hidden>
Date: Tue Apr 30 03:15:06 2024 +0000

    Fix SSSD ldap_access_filter

    The SSSD "ldap_access_filter" configuration for WAD domain,
    does not perform as expected. Instead of allowing access only
    for the members of the configured group, as part of the
    "ldap_access_filter" parameter setting, it allows access with
    no restrictions to any ldap user in the domain. So basically,
    the "ldap_access_filter" configuration is ignored.
    The fix is setting the proper pam configuration in file
    "/etc/pam.d/common-account" to enforce "ldap_access_filter"
    access control and at the same time to allow local users to
    login when SSSD is failing to connect.

    Test Plan:
    PASS: Verify the "/etc/pam.d/common-account" has been updated on
    a deployed AIO-SX system configuration and SSSD service is running.
    PASS: Create a WAD group and add 2 ldap users as members of the
    group. Set the "ldap_access_filter" to allow access to the only 2
    users in the group. Login with an ldap user that is a member
    of the allowed group and the user should login.
    PASS: Login with a user that is not a member of the
    allowed group configured in the previous test and the user should
    fail authentication.
    PASS: Stop SSSD service and test that a local user, e.g. sysadmin,
    can login when SSSD is not running. Also test that sudo works for
    sysadmin user.
    PASS: Restart SSSD service and test that a new local ldap user gets
    prompted to change password at first login.
    PASS: Tested successfully on a DC system, both on system controller
    and on the subcloud all the above tests performed on an AIO-SX
    system configuration.

    Closes-Bug: 2064171

    Signed-off-by: Carmen Rata <email address hidden>
    Change-Id: Ia6ae3e0d825c358992b92784b4e10fbfb688de2d

Changed in starlingx:
status: In Progress → Fix Released