commit 5b7c2e704b2ac1e134418b51932f76075535cba6
Author: Carmen Rata <email address hidden>
Date: Tue Apr 30 03:15:06 2024 +0000
Fix SSSD ldap_access_filter
The SSSD "ldap_access_filter" configuration for the WAD domain
does not perform as expected. Instead of allowing access only
to the members of the group configured in the
"ldap_access_filter" parameter, it allows access with
no restrictions to any LDAP user in the domain. So basically,
the "ldap_access_filter" configuration is ignored.
The fix is setting the proper PAM configuration in file
"/etc/pam.d/common-account" to enforce "ldap_access_filter"
access control and at the same time to allow local users to
log in when SSSD is failing to connect.
Test Plan:
PASS: Verify the "/etc/pam.d/common-account" has been updated on
a deployed AIO-SX system configuration and the SSSD service is running.
PASS: Create a WAD group and add 2 LDAP users as members of the
group. Set the "ldap_access_filter" to allow access only to the 2
users in the group. Log in with an LDAP user that is a member
of the allowed group and the user should log in.
PASS: Log in with a user that is not a member of the
allowed group configured in the previous test and the user should
fail authentication.
PASS: Stop the SSSD service and test that a local user, e.g. sysadmin,
can log in when SSSD is not running. Also test that sudo works for
the sysadmin user.
PASS: Restart the SSSD service and test that a new local LDAP user gets
prompted to change password at first login.
PASS: Tested successfully on a DC system; all the above tests were
performed on both the system controller and the subcloud, on an AIO-SX
system configuration.
Closes-Bug: 2064171
Signed-off-by: Carmen Rata <email address hidden>
Change-Id: Ia6ae3e0d825c358992b92784b4e10fbfb688de2d
Reviewed: https://review.opendev.org/c/starlingx/config-files/+/917513
Committed: https://opendev.org/starlingx/config-files/commit/5b7c2e704b2ac1e134418b51932f76075535cba6
Submitter: "Zuul (22348)"
Branch: master
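The commit message describes the fix only in outline: pam_sss has to be consulted in the account phase, where SSSD evaluates ldap_access_filter, while local users must still be admitted when SSSD is unreachable. The fragment below is an added illustration of such a configuration, not the content of the config-files patch itself. The module ordering is modelled on the layout Debian's pam-auth-update produces for SSSD; the domain name, base DN and group DN are placeholders.

```conf
# /etc/sssd/sssd.conf (excerpt; assumed domain name and placeholder DNs)
[domain/wad.example.com]
id_provider = ldap
auth_provider = ldap
# ldap_access_filter is only consulted when access_provider = ldap.
# With access_provider = permit (or unset) every resolvable user is allowed,
# regardless of the filter.
access_provider = ldap
ldap_access_order = filter
ldap_access_filter = (memberOf=cn=wad-allowed,ou=groups,dc=example,dc=com)

# /etc/pam.d/common-account (assumed layout, modelled on Debian's
# pam-auth-update output for SSSD)
#
# 1. pam_unix checks password ageing for the account as resolved through
#    NSS (local users and, via nss_sss, LDAP users). Success skips the
#    pam_deny line; any other result hits pam_deny and the login is refused.
account [success=1 new_authtok_reqd=done default=ignore]   pam_unix.so
account requisite                                          pam_deny.so
account required                                           pam_permit.so
# 2. Users present in /etc/passwd (e.g. sysadmin) are accepted here, so the
#    stack ends before pam_sss and they can still log in when SSSD is down.
account sufficient                                         pam_localuser.so
# 3. Everyone else must pass SSSD's access check, which is where
#    ldap_access_filter is evaluated. If this line is missing, the filter is
#    never enforced and any LDAP user is admitted, which is the bug above.
account [default=bad success=ok user_unknown=ignore]       pam_sss.so
```

Two checks worth running after such a change: `sssctl user-checks -a acct -s login <user>` reports the result SSSD returns for the account phase of the named PAM service, so an LDAP user outside the group should come back denied while a member is allowed; and the fallback path in the commit's test plan (stop SSSD, log in as sysadmin) confirms pam_localuser is reached before pam_sss. Note that ldap_access_filter applies to the ldap access provider only; a domain configured with the ad provider uses ad_access_filter instead.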