Comment 2 for bug 2064171

OpenStack Infra (hudson-openstack) wrote: Fix merged to config-files (master)

Reviewed: https://review.opendev.org/c/starlingx/config-files/+/917513
Committed: https://opendev.org/starlingx/config-files/commit/5b7c2e704b2ac1e134418b51932f76075535cba6
Submitter: "Zuul (22348)"
Branch: master

commit 5b7c2e704b2ac1e134418b51932f76075535cba6
Author: Carmen Rata <email address hidden>
Date: Tue Apr 30 03:15:06 2024 +0000

    Fix SSSD ldap_access_filter

    The SSSD "ldap_access_filter" configuration for the WAD domain
    does not perform as expected. Instead of allowing access only
    for the members of the configured group, as part of the
    "ldap_access_filter" parameter setting, it allows access with
    no restrictions to any ldap user in the domain. So basically,
    the "ldap_access_filter" configuration is ignored.
    The fix is setting the proper pam configuration in file
    "/etc/pam.d/common-account" to enforce "ldap_access_filter"
    access control and at the same time to allow local users to
    login when SSSD is failing to connect.

    Test Plan:
    PASS: Verify the "/etc/pam.d/common-account" has been updated on
    a deployed AIO-SX system configuration and SSSD service is running.
    PASS: Create a WAD group and add 2 ldap users as members of the
    group. Set the "ldap_access_filter" to allow access to only the 2
    users in the group. Login with an ldap user that is a member
    of the allowed group and the user should login.
    PASS: Login with a user that is not a member of the
    allowed group configured in the previous test and the user should
    fail authentication.
    PASS: Stop SSSD service and test that a local user, e.g. sysadmin,
    can login when SSSD is not running. Also test that sudo works for
    sysadmin user.
    PASS: Restart SSSD service and test that a new local ldap user gets
    prompted to change password at first login.
    PASS: Tested successfully on a DC system, both on the system controller
    and on the subcloud; all the above tests were performed on an AIO-SX
    system configuration.

    Closes-Bug: 2064171

    Signed-off-by: Carmen Rata <email address hidden>
    Change-Id: Ia6ae3e0d825c358992b92784b4e10fbfb688de2d
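The commit message describes the effect of the fix (an SSSD account verdict that is enforced for domain users while local users still get in when SSSD is down) but the page does not show the resulting "/etc/pam.d/common-account". The script below is an added illustration, not the merged change or any StarlingX file: both PAM stacks in it are constructed, and the pam_localuser.so / bracket-control layout of the "enforced" stack is an assumption about how such a stack is commonly written. The two check functions read an account stack and report whether a pam_sss.so deny (which is how an ldap_access_filter mismatch surfaces) is fatal, and whether local users are accepted before pam_sss.so is ever consulted.

```shell
#!/bin/sh
# Added example (not the page's own code): constructed PAM account stacks and
# two checks over them. Nothing here touches the real /etc/pam.d.

# Constructed "weak" stack: pam_sss.so is consulted, but "optional" discards its
# verdict, so a deny produced by ldap_access_filter never blocks a login.
WEAK_STACK='account required pam_unix.so
account optional pam_sss.so'

# Constructed "enforced" stack (an assumption, not the merged file): local
# accounts are accepted by pam_localuser.so before pam_sss.so runs, so they can
# still log in when SSSD cannot reach the domain. For everyone else the
# pam_sss.so result is binding: default=bad makes a deny fatal, and only an
# unknown user falls through to the rest of the stack.
ENFORCED_STACK='account required pam_unix.so
account sufficient pam_localuser.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so'

# Exit 0 when the stack enforces the pam_sss.so account verdict, 1 otherwise.
# Enforced means: control is "required"/"requisite", or a bracket control whose
# default= action is bad or die. "optional", "sufficient" and default=ignore all
# let a deny through.
sss_enforced() {
    stack="$1"
    printf '%s\n' "$stack" | awk '
        $1 == "account" && $0 ~ /pam_sss\.so/ {
            ctl = $2
            if (ctl == "required" || ctl == "requisite") { found = 1 }
            else if (ctl ~ /^\[/) {
                # a bracket control spans several fields; keep text up to "]"
                line = $0
                sub(/^account[ \t]+/, "", line)
                sub(/\].*$/, "]", line)
                if (line ~ /default=(bad|die)/) { found = 1 }
            }
        }
        END { exit found ? 0 : 1 }'
}

# Exit 0 when local users bypass SSSD: pam_localuser.so must be "sufficient"
# and must appear before pam_sss.so in the account stack.
local_fallback() {
    stack="$1"
    printf '%s\n' "$stack" | awk '
        $1 == "account" && $2 == "sufficient" && $3 ~ /pam_localuser\.so/ && !seen_sss { fb = 1 }
        $1 == "account" && $0 ~ /pam_sss\.so/ { seen_sss = 1 }
        END { exit fb ? 0 : 1 }'
}

# Stand-alone demonstration over the two constructed stacks.
for name in WEAK_STACK ENFORCED_STACK; do
    eval "stack=\$$name"
    if sss_enforced "$stack"; then e="enforced"; else e="IGNORED"; fi
    if local_fallback "$stack"; then f="yes"; else f="no"; fi
    echo "$name: ldap_access_filter deny is $e, local users bypass SSSD: $f"
done
```

To apply the same check to a live system, pass the contents of /etc/pam.d/common-account (for example `sss_enforced "$(cat /etc/pam.d/common-account)"`); a stack that reports IGNORED matches the symptom in the bug, where every domain user is admitted regardless of the configured group.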