Re: [Freeipa-users] sssd shows deleted users as well
Thanks Jan. I will give that a try.

On Fri, Jul 29, 2016 at 7:05 PM, Jan Pazdziora wrote:
> On Fri, Jul 22, 2016 at 06:17:32PM +0530, Rakesh Rajasekharan wrote:
> > My specific requirement for having "enumerate=TRUE" was, we have a build
> > server with the Jenkins set up.
> > And for authentication Jenkins tries to get the localusers on the system.
> >
> > I should be able to get through that by configuring Jenkins to use LDAP
> > instead of the local users.
>
> Alternatively you could use Apache HTTP frontend for authentication per
>
> https://wiki.jenkins-ci.org/display/JENKINS/Apache+frontend+for+security
>
> and use for example mod_authnz_pam configured with PAM service
> that pam_sss.so / SSSD will handle.
>
> --
> Jan Pazdziora
> Senior Principal Software Engineer, Identity Management Engineering, Red Hat

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] sssd shows deleted users as well
On Fri, Jul 22, 2016 at 06:17:32PM +0530, Rakesh Rajasekharan wrote:
> My specific requirement for having "enumerate=TRUE" was, we have a build
> server with the Jenkins set up.
> And for authentication Jenkins tries to get the localusers on the system.
>
> I should be able to get through that by configuring Jenkins to use LDAP
> instead of the local users.

Alternatively you could use Apache HTTP frontend for authentication per

https://wiki.jenkins-ci.org/display/JENKINS/Apache+frontend+for+security

and use for example mod_authnz_pam configured with PAM service
that pam_sss.so / SSSD will handle.

--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
Re: [Freeipa-users] sssd shows deleted users as well
Under the "Configure Global Security" part of Jenkins, we can specify how
Jenkins will fetch users for authentication. One option is "Unix user/group
database", wherein it will do a getent passwd and fetch users from there.
The other is to specify LDAP. There are a few other ways as well but I
haven't explored them yet.

Thanks
Rakesh

On Fri, Jul 22, 2016 at 6:54 PM, Jakub Hrozek wrote:
> On Fri, Jul 22, 2016 at 06:17:32PM +0530, Rakesh Rajasekharan wrote:
> > My specific requirement for having "enumerate=TRUE" was, we have a build
> > server with the Jenkins set up.
> > And for authentication Jenkins tries to get the localusers on the system.
>
> I'm not sure what you mean by localusers, but does Jenkins really use
> some sort of interface that lists all users through the system
> interface? IIRC Jenkins is written in Java, so I would expect some
> native Java connector instead.
>
> >
> > I should be able to get through that by configuring Jenkins to use LDAP
> > instead of the local users.
> >
> > But are there any other reasons for recommending against "enumerate=TRUE",
> > I recall reading somewhere as well not to use this specific setting.
>
> - performance
> - in general (because it's not the default and few people use
>   enumeration), less tested than the default
> - idviews don't work
> - trusted AD users can't be enumerated at all
Re: [Freeipa-users] sssd shows deleted users as well
On Fri, Jul 22, 2016 at 06:17:32PM +0530, Rakesh Rajasekharan wrote:
> My specific requirement for having "enumerate=TRUE" was, we have a build
> server with the Jenkins set up.
> And for authentication Jenkins tries to get the localusers on the system.

I'm not sure what you mean by localusers, but does Jenkins really use
some sort of interface that lists all users through the system
interface? IIRC Jenkins is written in Java, so I would expect some
native Java connector instead.

>
> I should be able to get through that by configuring Jenkins to use LDAP
> instead of the local users.
>
> But are there any other reasons for recommending against "enumerate=TRUE",
> I recall reading somewhere as well not to use this specific setting.

- performance
- in general (because it's not the default and few people use
  enumeration), less tested than the default
- idviews don't work
- trusted AD users can't be enumerated at all
Re: [Freeipa-users] sssd shows deleted users as well
My specific requirement for having "enumerate=TRUE" was, we have a build
server with the Jenkins set up.
And for authentication Jenkins tries to get the localusers on the system.

I should be able to get through that by configuring Jenkins to use LDAP
instead of the local users.

But are there any other reasons for recommending against "enumerate=TRUE",
I recall reading somewhere as well not to use this specific setting.

Thanks,
Rakesh

On Fri, Jul 22, 2016 at 2:11 PM, Jakub Hrozek wrote:
> On Fri, Jul 22, 2016 at 10:28:30AM +0200, Lukas Slebodnik wrote:
> > On (22/07/16 13:25), Rakesh Rajasekharan wrote:
> > > Hi,
> > >
> > > I am running freeipa version 4.2.0 and sssd version 1.13.0
> > >
> > > I have set "enumerate=True" to show IPA users as well in getent passwd.
> > >
> > > However, the getent passwd continues to show users that have got deleted as
> > > well.
> > >
> > > Here's my sssd config file
> > > [domain/xyz.com]
> > > enumerate = TRUE
> > > krb5_auth_timeout = 30
> > >
> > > cache_credentials = True
> > > krb5_store_password_if_offline = True
> > > ipa_domain = xyz.com
> > > id_provider = ipa
> > > auth_provider = ipa
> > > access_provider = ipa
> > > ldap_tls_cacert = /etc/ipa/ca.crt
> > > ipa_hostname = 10.16.11.134
> > > chpass_provider = ipa
> > > ipa_server = _srv_, ipa-master-int.xyz.com
> > > dns_discovery_domain = xyz.com
> > > [sssd]
> > > services = nss, sudo, pam, ssh
> > > config_file_version = 2
> > >
> > > domains = xyz.com
> > > [nss]
> > > homedir_substring = /home
> > >
> > > [pam]
> > >
> > > [sudo]
> > >
> > > [autofs]
> > >
> > > [ssh]
> > >
> > > [pac]
> > >
> > > [ifp]
> > >
> > > Is this an expected behaviour or am I missing something in my config
> > >
> > When user is removed from IPA then it is not automatically removed from sssd.
> > SSSD has a few levels of caches which are indirectly used by "getent passwd".
> > The user or group will be removed after next look-up in IPA which
> > is usually after expiration of entry in sssd cache.
>
> Deleted users are only detected when they are looked up directly or when
> a cleanup task is run, because in order to avoid fetching the whole
> directory all the time, enumeration tries to only download entries with
> higher lastUSN than seen last time. So as Lukas said, it can be expected
> that entries show up.
>
> I think the most important lesson here should be don't use
> "enumerate=true" :-)
>
> > Another way how to force removing entries from sssd cache is
> > to authenticate with user. SSSD fetches latest data from LDAP/IPA
> > with each authentication for security reasons.
> >
> > You can also invalidate user in sssd cache "sss_cache -u someuser"
> > and SSSD will detect removed user in IPA after attempt to refresh data
> > in sssd cache.
> >
> > LS
Re: [Freeipa-users] sssd shows deleted users as well
On Fri, Jul 22, 2016 at 10:28:30AM +0200, Lukas Slebodnik wrote:
> On (22/07/16 13:25), Rakesh Rajasekharan wrote:
> > Hi,
> >
> > I am running freeipa version 4.2.0 and sssd version 1.13.0
> >
> > I have set "enumerate=True" to show IPA users as well in getent passwd.
> >
> > However, the getent passwd continues to show users that have got deleted as
> > well.
> >
> > Here's my sssd config file
> > [domain/xyz.com]
> > enumerate = TRUE
> > krb5_auth_timeout = 30
> >
> > cache_credentials = True
> > krb5_store_password_if_offline = True
> > ipa_domain = xyz.com
> > id_provider = ipa
> > auth_provider = ipa
> > access_provider = ipa
> > ldap_tls_cacert = /etc/ipa/ca.crt
> > ipa_hostname = 10.16.11.134
> > chpass_provider = ipa
> > ipa_server = _srv_, ipa-master-int.xyz.com
> > dns_discovery_domain = xyz.com
> > [sssd]
> > services = nss, sudo, pam, ssh
> > config_file_version = 2
> >
> > domains = xyz.com
> > [nss]
> > homedir_substring = /home
> >
> > [pam]
> >
> > [sudo]
> >
> > [autofs]
> >
> > [ssh]
> >
> > [pac]
> >
> > [ifp]
> >
> > Is this an expected behaviour or am I missing something in my config
> >
> When user is removed from IPA then it is not automatically removed from sssd.
> SSSD has a few levels of caches which are indirectly used by "getent passwd".
> The user or group will be removed after next look-up in IPA which
> is usually after expiration of entry in sssd cache.

Deleted users are only detected when they are looked up directly or when
a cleanup task is run, because in order to avoid fetching the whole
directory all the time, enumeration tries to only download entries with
higher lastUSN than seen last time. So as Lukas said, it can be expected
that entries show up.

I think the most important lesson here should be don't use
"enumerate=true" :-)

> Another way how to force removing entries from sssd cache is
> to authenticate with user. SSSD fetches latest data from LDAP/IPA
> with each authentication for security reasons.
>
> You can also invalidate user in sssd cache "sss_cache -u someuser"
> and SSSD will detect removed user in IPA after attempt to refresh data
> in sssd cache.
>
> LS
Re: [Freeipa-users] sssd shows deleted users as well
On (22/07/16 13:25), Rakesh Rajasekharan wrote:
> Hi,
>
> I am running freeipa version 4.2.0 and sssd version 1.13.0
>
> I have set "enumerate=True" to show IPA users as well in getent passwd.
>
> However, the getent passwd continues to show users that have got deleted as
> well.
>
> Here's my sssd config file
> [domain/xyz.com]
> enumerate = TRUE
> krb5_auth_timeout = 30
>
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = xyz.com
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ldap_tls_cacert = /etc/ipa/ca.crt
> ipa_hostname = 10.16.11.134
> chpass_provider = ipa
> ipa_server = _srv_, ipa-master-int.xyz.com
> dns_discovery_domain = xyz.com
> [sssd]
> services = nss, sudo, pam, ssh
> config_file_version = 2
>
> domains = xyz.com
> [nss]
> homedir_substring = /home
>
> [pam]
>
> [sudo]
>
> [autofs]
>
> [ssh]
>
> [pac]
>
> [ifp]
>
> Is this an expected behaviour or am I missing something in my config
>
When user is removed from IPA then it is not automatically removed from sssd.
SSSD has a few levels of caches which are indirectly used by "getent passwd".
The user or group will be removed after next look-up in IPA which
is usually after expiration of entry in sssd cache.

Another way how to force removing entries from sssd cache is
to authenticate with user. SSSD fetches latest data from LDAP/IPA
with each authentication for security reasons.

You can also invalidate user in sssd cache "sss_cache -u someuser"
and SSSD will detect removed user in IPA after attempt to refresh data
in sssd cache.

LS
[Freeipa-users] sssd shows deleted users as well
Hi,

I am running freeipa version 4.2.0 and sssd version 1.13.0

I have set "enumerate=True" to show IPA users as well in getent passwd.

However, the getent passwd continues to show users that have got deleted as
well.

Here's my sssd config file
[domain/xyz.com]
enumerate = TRUE
krb5_auth_timeout = 30

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = xyz.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = 10.16.11.134
chpass_provider = ipa
ipa_server = _srv_, ipa-master-int.xyz.com
dns_discovery_domain = xyz.com
[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2

domains = xyz.com
[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

Is this an expected behaviour or am I missing something in my config

Thanks,
Rakesh