summaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorStephen Gallagher <sgallagh@redhat.com>2011-07-01 16:12:58 -0400
committerStephen Gallagher <sgallagh@redhat.com>2011-07-08 15:12:24 -0400
commit98fc4cbc838615a88b9725a13ab7491e89cbac32 (patch)
tree9bbaafbb6cd19405549979a682c1fb6331e491e1 /src
parent1360b4f4d6e948023daeda8787f575e7f8117444 (diff)
downloadsssd-98fc4cbc838615a88b9725a13ab7491e89cbac32.tar.gz
sssd-98fc4cbc838615a88b9725a13ab7491e89cbac32.tar.xz
sssd-98fc4cbc838615a88b9725a13ab7491e89cbac32.zip
Add ipa_hbac_treat_deny_as option
By default, we will treat the presence of any DENY rule as denying all users. This option will allow the admin to explicitly ignore DENY rules during a transitional period.
Diffstat (limited to 'src')
-rw-r--r--src/config/SSSDConfig.py1
-rw-r--r--src/config/etc/sssd.api.d/sssd-ipa.conf1
-rw-r--r--src/man/sssd-ipa.5.xml27
-rw-r--r--src/providers/ipa/ipa_access.c11
-rw-r--r--src/providers/ipa/ipa_common.c3
-rw-r--r--src/providers/ipa/ipa_common.h1
6 files changed, 42 insertions, 2 deletions
diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py
index 21a4d16c..2af4892b 100644
--- a/src/config/SSSDConfig.py
+++ b/src/config/SSSDConfig.py
@@ -98,6 +98,7 @@ option_strings = {
'ipa_dyndns_iface' : _("The interface whose IP should be used for dynamic DNS updates"),
'ipa_hbac_search_base' : _("Search base for HBAC related objects"),
'ipa_hbac_refresh' : _("The amount of time between lookups of the HBAC rules against the IPA server"),
+ 'ipa_hbac_treat_deny_as' : _("If DENY rules are present, either DENY_ALL or IGNORE"),
# [provider/krb5]
'krb5_kdcip' : _('Kerberos server address'),
diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf
index b1ca5027..b366b6bc 100644
--- a/src/config/etc/sssd.api.d/sssd-ipa.conf
+++ b/src/config/etc/sssd.api.d/sssd-ipa.conf
@@ -103,6 +103,7 @@ krb5_use_fast = str, None, false
[provider/ipa/access]
ipa_hbac_refresh = int, None, false
+ipa_hbac_treat_deny_as = str, None, false
[provider/ipa/chpass]
diff --git a/src/man/sssd-ipa.5.xml b/src/man/sssd-ipa.5.xml
index f728e9cc..8d2ba681 100644
--- a/src/man/sssd-ipa.5.xml
+++ b/src/man/sssd-ipa.5.xml
@@ -190,6 +190,33 @@
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>ipa_hbac_treat_deny_as (string)</term>
+ <listitem>
+ <para>
+ This option specifies how to treat the deprecated
+ DENY-type HBAC rules. As of FreeIPA v2.1, DENY
+ rules are no longer supported on the server. All
+ users of FreeIPA will need to migrate their rules
+ to use only the ALLOW rules. The client will
+ support two modes of operation during this
+ transition period:
+ </para>
+ <para>
+ <emphasis>DENY_ALL</emphasis>: If any HBAC DENY
+ rules are detected, all users will be denied
+ access.
+ </para>
+ <para>
+ <emphasis>IGNORE</emphasis>: SSSD will ignore any
+ DENY rules. Be very careful with this option, as
+ it may result in opening unintended access.
+ </para>
+ <para>
+ Default: DENY_ALL
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</para>
diff --git a/src/providers/ipa/ipa_access.c b/src/providers/ipa/ipa_access.c
index 2a6588eb..d88673f1 100644
--- a/src/providers/ipa/ipa_access.c
+++ b/src/providers/ipa/ipa_access.c
@@ -97,6 +97,7 @@ void ipa_access_handler(struct be_req *be_req)
{
struct pam_data *pd;
struct hbac_ctx *hbac_ctx;
+ const char *deny_method;
int pam_status = PAM_SYSTEM_ERR;
struct ipa_access_ctx *ipa_access_ctx;
int ret;
@@ -108,7 +109,7 @@ void ipa_access_handler(struct be_req *be_req)
DEBUG(1, ("talloc failed.\n"));
goto fail;
}
- hbac_ctx->get_deny_rules = true; /* make this a config option */
+
hbac_ctx->be_req = be_req;
hbac_ctx->pd = pd;
ipa_access_ctx = talloc_get_type(
@@ -125,6 +126,14 @@ void ipa_access_handler(struct be_req *be_req)
goto fail;
}
+ deny_method = dp_opt_get_string(hbac_ctx->ipa_options,
+ IPA_HBAC_DENY_METHOD);
+ if (strcasecmp(deny_method, "IGNORE") == 0) {
+ hbac_ctx->get_deny_rules = false;
+ } else {
+ hbac_ctx->get_deny_rules = true;
+ }
+
ret = hbac_retry(hbac_ctx);
if (ret != EOK) {
goto fail;
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index 0995e0f1..55a19724 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -38,7 +38,8 @@ struct dp_option ipa_basic_opts[] = {
{ "ipa_dyndns_iface", DP_OPT_STRING, NULL_STRING, NULL_STRING},
{ "ipa_hbac_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING},
{ "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING},
- { "ipa_hbac_refresh", DP_OPT_NUMBER, { .number = 5 }, NULL_NUMBER }
+ { "ipa_hbac_refresh", DP_OPT_NUMBER, { .number = 5 }, NULL_NUMBER },
+ { "ipa_hbac_treat_deny_as", DP_OPT_STRING, { "DENY_ALL" }, NULL_STRING }
};
struct dp_option ipa_def_ldap_opts[] = {
diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
index 1c1f7221..7fba7330 100644
--- a/src/providers/ipa/ipa_common.h
+++ b/src/providers/ipa/ipa_common.h
@@ -51,6 +51,7 @@ enum ipa_basic_opt {
IPA_HBAC_SEARCH_BASE,
IPA_KRB5_REALM,
IPA_HBAC_REFRESH,
+ IPA_HBAC_DENY_METHOD,
IPA_OPTS_BASIC /* opts counter */
};