diff options
author | Stephen Gallagher <sgallagh@redhat.com> | 2011-07-01 16:12:58 -0400 |
---|---|---|
committer | Stephen Gallagher <sgallagh@redhat.com> | 2011-07-08 15:12:24 -0400 |
commit | 98fc4cbc838615a88b9725a13ab7491e89cbac32 (patch) | |
tree | 9bbaafbb6cd19405549979a682c1fb6331e491e1 /src | |
parent | 1360b4f4d6e948023daeda8787f575e7f8117444 (diff) | |
download | sssd-98fc4cbc838615a88b9725a13ab7491e89cbac32.tar.gz sssd-98fc4cbc838615a88b9725a13ab7491e89cbac32.tar.xz sssd-98fc4cbc838615a88b9725a13ab7491e89cbac32.zip |
Add ipa_hbac_treat_deny_as option
By default, we will treat the presence of any DENY rule as denying
all users. This option will allow the admin to explicitly ignore
DENY rules during a transitional period.
Diffstat (limited to 'src')
-rw-r--r-- | src/config/SSSDConfig.py | 1 | ||||
-rw-r--r-- | src/config/etc/sssd.api.d/sssd-ipa.conf | 1 | ||||
-rw-r--r-- | src/man/sssd-ipa.5.xml | 27 | ||||
-rw-r--r-- | src/providers/ipa/ipa_access.c | 11 | ||||
-rw-r--r-- | src/providers/ipa/ipa_common.c | 3 | ||||
-rw-r--r-- | src/providers/ipa/ipa_common.h | 1 |
6 files changed, 42 insertions, 2 deletions
diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py index 21a4d16c..2af4892b 100644 --- a/src/config/SSSDConfig.py +++ b/src/config/SSSDConfig.py @@ -98,6 +98,7 @@ option_strings = { 'ipa_dyndns_iface' : _("The interface whose IP should be used for dynamic DNS updates"), 'ipa_hbac_search_base' : _("Search base for HBAC related objects"), 'ipa_hbac_refresh' : _("The amount of time between lookups of the HBAC rules against the IPA server"), + 'ipa_hbac_treat_deny_as' : _("If DENY rules are present, either DENY_ALL or IGNORE"), # [provider/krb5] 'krb5_kdcip' : _('Kerberos server address'), diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf index b1ca5027..b366b6bc 100644 --- a/src/config/etc/sssd.api.d/sssd-ipa.conf +++ b/src/config/etc/sssd.api.d/sssd-ipa.conf @@ -103,6 +103,7 @@ krb5_use_fast = str, None, false [provider/ipa/access] ipa_hbac_refresh = int, None, false +ipa_hbac_treat_deny_as = str, None, false [provider/ipa/chpass] diff --git a/src/man/sssd-ipa.5.xml b/src/man/sssd-ipa.5.xml index f728e9cc..8d2ba681 100644 --- a/src/man/sssd-ipa.5.xml +++ b/src/man/sssd-ipa.5.xml @@ -190,6 +190,33 @@ </para> </listitem> </varlistentry> + <varlistentry> + <term>ipa_hbac_treat_deny_as (string)</term> + <listitem> + <para> + This option specifies how to treat the deprecated + DENY-type HBAC rules. As of FreeIPA v2.1, DENY + rules are no longer supported on the server. All + users of FreeIPA will need to migrate their rules + to use only the ALLOW rules. The client will + support two modes of operation during this + transition period: + </para> + <para> + <emphasis>DENY_ALL</emphasis>: If any HBAC DENY + rules are detected, all users will be denied + access. + </para> + <para> + <emphasis>IGNORE</emphasis>: SSSD will ignore any + DENY rules. Be very careful with this option, as + it may result in opening unintended access. + </para> + <para> + Default: DENY_ALL + </para> + </listitem> + </varlistentry> </variablelist> </para> diff --git a/src/providers/ipa/ipa_access.c b/src/providers/ipa/ipa_access.c index 2a6588eb..d88673f1 100644 --- a/src/providers/ipa/ipa_access.c +++ b/src/providers/ipa/ipa_access.c @@ -97,6 +97,7 @@ void ipa_access_handler(struct be_req *be_req) { struct pam_data *pd; struct hbac_ctx *hbac_ctx; + const char *deny_method; int pam_status = PAM_SYSTEM_ERR; struct ipa_access_ctx *ipa_access_ctx; int ret; @@ -108,7 +109,7 @@ void ipa_access_handler(struct be_req *be_req) DEBUG(1, ("talloc failed.\n")); goto fail; } - hbac_ctx->get_deny_rules = true; /* make this a config option */ + hbac_ctx->be_req = be_req; hbac_ctx->pd = pd; ipa_access_ctx = talloc_get_type( @@ -125,6 +126,14 @@ void ipa_access_handler(struct be_req *be_req) goto fail; } + deny_method = dp_opt_get_string(hbac_ctx->ipa_options, + IPA_HBAC_DENY_METHOD); + if (strcasecmp(deny_method, "IGNORE") == 0) { + hbac_ctx->get_deny_rules = false; + } else { + hbac_ctx->get_deny_rules = true; + } + ret = hbac_retry(hbac_ctx); if (ret != EOK) { goto fail; diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c index 0995e0f1..55a19724 100644 --- a/src/providers/ipa/ipa_common.c +++ b/src/providers/ipa/ipa_common.c @@ -38,7 +38,8 @@ struct dp_option ipa_basic_opts[] = { { "ipa_dyndns_iface", DP_OPT_STRING, NULL_STRING, NULL_STRING}, { "ipa_hbac_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING}, { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING}, - { "ipa_hbac_refresh", DP_OPT_NUMBER, { .number = 5 }, NULL_NUMBER } + { "ipa_hbac_refresh", DP_OPT_NUMBER, { .number = 5 }, NULL_NUMBER }, + { "ipa_hbac_treat_deny_as", DP_OPT_STRING, { "DENY_ALL" }, NULL_STRING } }; struct dp_option ipa_def_ldap_opts[] = { diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h index 1c1f7221..7fba7330 100644 --- a/src/providers/ipa/ipa_common.h +++ b/src/providers/ipa/ipa_common.h @@ -51,6 +51,7 @@ enum ipa_basic_opt { IPA_HBAC_SEARCH_BASE, IPA_KRB5_REALM, IPA_HBAC_REFRESH, + IPA_HBAC_DENY_METHOD, IPA_OPTS_BASIC /* opts counter */ }; |