SSSD pam configuration causes ldap_access_filter to be ignored
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
StarlingX | Fix Released | Medium | Carmen Rata |
Bug Description
Brief Description
-----------------
The SSSD "ldap_access_
Severity
--------
Major
Steps to Reproduce
------------------
Configure the ldap_access_filter parameter of a WAD domain in /etc/sssd/sssd.conf with a group, to restrict access to only the users of that group.
Try to log in to the wrcp platform with a user in that group: access is allowed.
Try to log in with a user from outside the group: access should be denied, but the user is able to log in.
Expected Behavior
------------------
The users that are not members of the allowed access group should be denied access.
Actual Behavior
----------------
Users that are not in the allowed access group are allowed to log in.
Reproducibility
---------------
100% reproducible
System Configuration
--------------------
AIO-SX
Workaround
----------
Update /etc/pam.
account [default=ignore success=ok user_unknown=ignore new_authtok_
with the following 2 lines:
account sufficient pam_localuser.so
account [default=bad success=ok user_unknown=ignore new_authtok_
This WA needs to be applied on all nodes that run sssd.
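Why the workaround changes `default=ignore` to `default=bad` and adds `pam_localuser.so`: in a PAM account stack the bracketed control field maps each module return value to an action, and `ignore` throws the module's result away. The following added model of libpam's control-value semantics (example code, not StarlingX's or SSSD's own) evaluates two constructed account stacks whose `pam_sss.so` lines mirror the before/after lines above; the `pam_permit.so` entry, the `new_authtok_reqd=done` token and the module return values used in the scenarios are assumptions, not taken from the platform's real /etc/pam.d files.

```python
import re

# Added model of libpam account-stack evaluation (not StarlingX code).
_LINE = re.compile(r"^account\s+(\[[^\]]*\]|\S+)\s+(\S+)")
_KEYWORDS = {"required": "[success=ok new_authtok_reqd=ok default=bad]",
             "requisite": "[success=ok new_authtok_reqd=ok default=die]",
             "sufficient": "[success=done new_authtok_reqd=done default=ignore]"}
_GOOD = {"success", "new_authtok_reqd"}

def parse_stack(config):
    """'account <control> <module>' lines -> [(value->action dict, module)]."""
    stack = []
    for line in config.strip().splitlines():
        control, module = _LINE.match(line).groups()
        pairs = _KEYWORDS.get(control, control).strip("[]").split()
        stack.append((dict(p.split("=", 1) for p in pairs), module))
    return stack

def run_account_stack(config, module_results):
    """module_results: module -> value it returns for this user (unlisted ->
    user_unknown). Returns the stack's verdict; 'success' means login allowed."""
    stack, status, i = parse_stack(config), None, 0
    while i < len(stack):
        control, module = stack[i]
        value = module_results.get(module, "user_unknown")
        action = control.get(value, control["default"])
        i += 1
        if action == "ignore":            # the module's result does not count
            continue
        if action.isdigit():              # "N" acts like ok, then skips N modules
            i, action = i + int(action), "ok"
        if status is None or status in _GOOD:
            status = value                # first recorded failure is sticky
        if action == "die" or (action == "done" and status in _GOOD):
            break
    return status or "perm_denied"        # assumption: no verdict at all = deny

# Constructed stacks (not the platform's /etc/pam.d files); pam_permit stands
# in for whatever earlier module left the stack in a positive state.
BROKEN = """account required pam_permit.so
account [default=ignore success=ok user_unknown=ignore new_authtok_reqd=done] pam_sss.so"""
FIXED = """account required pam_permit.so
account sufficient pam_localuser.so
account [default=bad success=ok user_unknown=ignore new_authtok_reqd=done] pam_sss.so"""

def login_allowed(config, sss_result, local_user=False):
    # sss_result is what pam_sss returns; perm_denied = rejected by ldap_access_filter
    results = {"pam_permit.so": "success", "pam_sss.so": sss_result,
               "pam_localuser.so": "success" if local_user else "perm_denied"}
    return run_account_stack(config, results) == "success"
```

With `BROKEN`, a user rejected by the filter (`pam_sss` returns `perm_denied`) is still allowed because the denial is ignored and the earlier positive result stands; with `FIXED` the denial becomes the stack's verdict, while the `sufficient pam_localuser.so` line lets local accounts short-circuit before sssd is consulted at all.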
Changed in starlingx:
assignee: nobody → Carmen Rata (crata)
status: New → In Progress
Changed in starlingx:
importance: Undecided → Medium
tags: added: stx.10.0 stx.config stx.security
Fix proposed to branch: master https://review.opendev.org/c/starlingx/config-files/+/917513
Review: https:/