[Freeipa-devel] [PATCH] 352-354 Add support for AD users to hbactest command
Martin Kosek
mkosek at redhat.com
Fri Jan 18 17:24:49 UTC 2013
How this works:
1. When a trusted domain user is tested, the AD GC is searched for the user entry's Distinguished Name
2. The user entry is then read from the AD GC and its SID and the SIDs of all its assigned groups (tokenGroups attribute) are retrieved
3. The SIDs are then used to search the IPA LDAP database to find all external groups which have any of these SIDs as external members
4. All groups having these groups as direct or indirect members are then added to hbactest, allowing it to perform the search

LIMITATIONS:
- a user SID in the hbactest --user parameter is not supported
- only Trusted Admins group members can use this function, as it uses the secret for the IPA-trusted domain link
- the list of group SIDs does not contain group memberships outside of the trusted domain
https://fedorahosted.org/freeipa/ticket/2997
------------------------
There are also 2 patches changing the current dcerpc.py code to make it usable both for group-add-member trusted domain user resolution and for the trusted domain user hbactest.
Example of the new hbactest ability:
# ipa hbacrule-show can_login
Rule name: can_login
Host category: all
Source host category: all
Enabled: TRUE
User Groups: admins, ad_test_admins
Services: login, sshd
# ipa group-show ad_test_admins
Group name: ad_test_admins
Description: AD.TEST admins
GID: 179000011
Member groups: ext_all_admins
Member of HBAC rule: can_login
# ipa group-show ext_all_admins
Group name: ext_all_admins
Description: All AD.TEST admins
Member of groups: ad_test_admins
Indirect Member of HBAC rule: can_login
External member: S-1-5-21-3035198329-144811719-1378114514-512
# ipa hbactest --user='AD\Administrator' --host=`hostname` --service=sshd
--------------------
Access granted: True
--------------------
Matched rules: can_login
There may still be dragons, I am sending what I have now, still need to run
more tests.
Martin
Attachments (non-text attachments scrubbed by the list archive; type text/x-patch):
- freeipa-mkosek-352-generalize-ad-gc-search.patch (10514 bytes): http://listman.redhat.com/archives/freeipa-devel/attachments/20130118/092c40c0/attachment.bin
- freeipa-mkosek-353-do-not-hide-sid-resolver-error-in-group-add-member.patch (1378 bytes): http://listman.redhat.com/archives/freeipa-devel/attachments/20130118/092c40c0/attachment-0001.bin
- freeipa-mkosek-354-add-support-for-ad-users-to-hbactest-command.patch (8041 bytes): http://listman.redhat.com/archives/freeipa-devel/attachments/20130118/092c40c0/attachment-0002.bin
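Added illustration of steps 2 to 4 of the flow described in the mail, as a stand-alone Python model. This is not code from the 352-354 patches or from FreeIPA: the AD GC user entry and the IPA LDAP group tree are constructed in-memory dicts, no AD or IPA server is contacted, and the dict keys "objectSid", "tokenGroups", "ipaexternalmember" and "memberof" are assumptions standing in for the LDAP attributes. It goes slightly beyond the mail's single example by decoding the binary SID format that tokenGroups actually returns, and by running a second, non-admin user through the same resolution so the deny path is visible too.

```python
"""Model of hbactest's trusted-domain user resolution (added example,
not the patches' code).  All data below is constructed for the example."""
import struct


def sid_to_bytes(sid: str) -> bytes:
    """Encode an S-1-... string in the binary layout AD stores a SID in:
    revision(1) | sub-authority count(1) | identifier authority(6, big-endian)
    | sub-authorities(4 bytes each, little-endian).  Used here only to build
    constructed objectSid/tokenGroups values."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def sid_from_bytes(raw: bytes) -> str:
    """Decode a binary SID (objectSid / tokenGroups value) into text."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its fixed 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{count}I", raw[8:])
    return f"S-{revision}-{authority}" + "".join(f"-{s}" for s in subs)


DOMAIN = "S-1-5-21-3035198329-144811719-1378114514"  # domain SID from the mail's example

# Constructed stand-in for what step 2 reads back from the AD Global Catalog:
# the user's own SID plus the binary tokenGroups values (well-known RIDs:
# 500 Administrator, 512 Domain Admins, 513 Domain Users).
AD_ADMINISTRATOR = {
    "objectSid": sid_to_bytes(f"{DOMAIN}-500"),
    "tokenGroups": [sid_to_bytes(f"{DOMAIN}-512"), sid_to_bytes(f"{DOMAIN}-513")],
}
AD_PLAIN_USER = {
    "objectSid": sid_to_bytes(f"{DOMAIN}-1105"),
    "tokenGroups": [sid_to_bytes(f"{DOMAIN}-513")],
}

# Constructed stand-in for the IPA LDAP group tree, keyed by cn.  Mirrors the
# ad_test_admins / ext_all_admins pair from the mail plus a "users" branch.
IPA_GROUPS = {
    "ext_all_admins": {"ipaexternalmember": [f"{DOMAIN}-512"], "memberof": ["ad_test_admins"]},
    "ad_test_admins": {"ipaexternalmember": [], "memberof": []},
    "ext_all_users":  {"ipaexternalmember": [f"{DOMAIN}-513"], "memberof": ["ad_test_users"]},
    "ad_test_users":  {"ipaexternalmember": [], "memberof": ["everyone"]},
    "everyone":       {"ipaexternalmember": [], "memberof": []},
    "admins":         {"ipaexternalmember": [], "memberof": []},
}


def external_groups_for_sids(groups, sids):
    """Step 3: external IPA groups listing any of the SIDs as external member."""
    wanted = set(sids)
    return sorted(cn for cn, g in groups.items() if wanted & set(g["ipaexternalmember"]))


def expand_memberof(groups, start):
    """Step 4: every group that has one of `start` as a direct or indirect
    member (transitive closure over memberOf; `seen` makes it cycle-safe)."""
    seen, todo = set(), list(start)
    while todo:
        cn = todo.pop()
        if cn in seen:
            continue
        seen.add(cn)
        todo.extend(groups.get(cn, {}).get("memberof", []))
    return seen


def resolve_ad_user_groups(user_entry, groups=IPA_GROUPS):
    """Steps 2-4 together: binary SIDs -> text -> external groups -> closure."""
    sids = [sid_from_bytes(user_entry["objectSid"])]
    sids += [sid_from_bytes(b) for b in user_entry["tokenGroups"]]
    return sorted(expand_memberof(groups, external_groups_for_sids(groups, sids)))


# Constructed rules.  Simplified matching: only service and user-group are
# checked, i.e. host and source-host category "all" as in the mail's rule.
HBAC_RULES = [
    {"cn": "can_login", "usergroups": {"admins", "ad_test_admins"}, "services": {"login", "sshd"}},
    {"cn": "ftp_for_all", "usergroups": {"everyone"}, "services": {"ftp"}},
]


def hbactest(user_groups, service, rules=HBAC_RULES):
    """Returns (access granted?, matched rule names), as hbactest reports them."""
    matched = [r["cn"] for r in rules
               if service in r["services"] and r["usergroups"] & set(user_groups)]
    return bool(matched), matched


if __name__ == "__main__":
    for name, entry in (("AD\\Administrator", AD_ADMINISTRATOR), ("AD\\jdoe", AD_PLAIN_USER)):
        groups = resolve_ad_user_groups(entry)
        granted, rules = hbactest(groups, "sshd")
        print(f"{name}: groups={groups} sshd granted={granted} matched={rules}")
```

The closure in expand_memberof is the piece that turns the mail's "Indirect Member of HBAC rule" into a match: ext_all_admins carries the Domain Admins SID, but it is ad_test_admins, reached through memberOf, that the rule names. The second user shows the third limitation from another angle: whatever is not in tokenGroups (or not mapped by an external group) simply never reaches the rule evaluation.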