URL: https://github.com/SSSD/sssd/pull/275
Author: akamensky
Title: #275: Implement access verification by rhost using ldap_access_order
rhost option
Action: synchronized
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/275/head:pr275
git checkout pr275
From dfad3dddc0ea9a14faf7cc66527f9c875937792d Mon Sep 17 00:00:00 2001
From: Alexey Kamenskiy <alexey.kamens...@chinanetcloud.com>
Date: Fri, 22 Sep 2017 16:42:41 +0800
Subject: [PATCH] Patch for issue #3458
This patch implements verification of pam_rhost against
rules stored in LDAP entry of a user.
2017-09-22: Fixed potential issue with pam_rhost being NULL
and when pam_rhost is empty (local access)
---
src/config/SSSDConfig/__init__.py.in | 1 +
src/config/cfg_rules.ini | 1 +
src/config/etc/sssd.api.d/sssd-ldap.conf | 1 +
src/db/sysdb.h | 1 +
src/man/sssd-ldap.5.xml | 32 +++++++++++++++
src/providers/ad/ad_opts.c | 1 +
src/providers/ipa/ipa_opts.c | 1 +
src/providers/ldap/ldap_init.c | 2 +
src/providers/ldap/ldap_opts.c | 3 ++
src/providers/ldap/sdap.h | 1 +
src/providers/ldap/sdap_access.c | 68 ++++++++++++++++++++++++++++++++
src/providers/ldap/sdap_access.h | 2 +
12 files changed, 114 insertions(+)
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index cd844ce2b..72e554549 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -343,6 +343,7 @@ option_strings = {
'ldap_user_shadow_flag' : _('shadowFlag attribute'),
'ldap_user_authorized_service' : _('Attribute listing authorized PAM services'),
'ldap_user_authorized_host' : _('Attribute listing authorized server hosts'),
+ 'ldap_user_authorized_rhost' : _('Attribute listing authorized server rhosts'),
'ldap_user_krb_last_pwd_change' : _('krbLastPwdChange attribute'),
'ldap_user_krb_password_expiration' : _('krbPasswordExpiration attribute'),
'ldap_pwd_attribute' : _('Attribute indicating that server side password policies are active'),
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index 464346771..19e8c6678 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -658,6 +658,7 @@ option = ldap_uri
option = ldap_user_ad_account_expires
option = ldap_user_ad_user_account_control
option = ldap_user_authorized_host
+option = ldap_user_authorized_rhost
option = ldap_user_authorized_service
option = ldap_user_auth_type
option = ldap_user_certificate
diff --git a/src/config/etc/sssd.api.d/sssd-ldap.conf b/src/config/etc/sssd.api.d/sssd-ldap.conf
index c2ad3463d..65b6407f6 100644
--- a/src/config/etc/sssd.api.d/sssd-ldap.conf
+++ b/src/config/etc/sssd.api.d/sssd-ldap.conf
@@ -76,6 +76,7 @@ ldap_user_krb_last_pwd_change = str, None, false
ldap_user_krb_password_expiration = str, None, false
ldap_user_authorized_service = str, None, false
ldap_user_authorized_host = str, None, false
+ldap_user_authorized_rhost = str, None, false
ldap_pwd_attribute = str, None, false
ldap_user_ad_account_expires = str, None, false
ldap_user_ad_user_account_control = str, None, false
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
index 21d6cf4fc..aa6146423 100644
--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
@@ -102,6 +102,7 @@
#define SYSDB_AUTHORIZED_SERVICE "authorizedService"
#define SYSDB_AUTHORIZED_HOST "authorizedHost"
+#define SYSDB_AUTHORIZED_RHOST "authorizedRHost"
#define SYSDB_NETGROUP_TRIPLE "netgroupTriple"
#define SYSDB_ORIG_NETGROUP_MEMBER "originalMemberNisNetgroup"
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index 739ae15c3..8f6f90895 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -830,6 +830,34 @@
</varlistentry>
<varlistentry>
+ <term>ldap_user_authorized_rhost (string)</term>
+ <listitem>
+ <para>
+ If access_provider=ldap and
+ ldap_access_order=rhost, SSSD will use the presence
+ of the rhost attribute in the user's LDAP entry to
+ determine access privilege. Similarly to host
+ verification process.
+ </para>
+ <para>
+ An explicit deny (!rhost) is resolved first. Second,
+ SSSD searches for explicit allow (rhost) and finally
+ for allow_all (*).
+ </para>
+ <para>
+ Please note that the ldap_access_order
+ configuration option <emphasis>must</emphasis>
+ include <quote>rhost</quote> in order for the
+ ldap_user_authorized_rhost option
+ to work.
+ </para>
+ <para>
+ Default: rhost
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>ldap_user_certificate (string)</term>
<listitem>
<para>
@@ -2089,6 +2117,10 @@ ldap_access_filter = (employeeType=admin)
to determine access
</para>
<para>
+ <emphasis>rhost</emphasis>: use the rhost attribute
+ to determine whether remote host can access
+ </para>
+ <para>
Default: filter
</para>
<para>
diff --git a/src/providers/ad/ad_opts.c b/src/providers/ad/ad_opts.c
index fc1dc6733..ac7163d56 100644
--- a/src/providers/ad/ad_opts.c
+++ b/src/providers/ad/ad_opts.c
@@ -213,6 +213,7 @@ struct sdap_attr_map ad_2008r2_user_map[] = {
{ "ldap_user_ad_user_account_control", "userAccountControl", SYSDB_AD_USER_ACCOUNT_CONTROL, NULL},
{ "ldap_ns_account_lock", NULL, SYSDB_NS_ACCOUNT_LOCK, NULL},
{ "ldap_user_authorized_host", NULL, SYSDB_AUTHORIZED_HOST, NULL },
+ { "ldap_user_authorized_rhost", NULL, SYSDB_AUTHORIZED_RHOST, NULL },
{ "ldap_user_nds_login_disabled", NULL, SYSDB_NDS_LOGIN_DISABLED, NULL },
{ "ldap_user_nds_login_expiration_time", NULL, SYSDB_NDS_LOGIN_EXPIRATION_TIME, NULL },
{ "ldap_user_nds_login_allowed_time_map", NULL, SYSDB_NDS_LOGIN_ALLOWED_TIME_MAP, NULL },
diff --git a/src/providers/ipa/ipa_opts.c b/src/providers/ipa/ipa_opts.c
index f9f3a2a69..43f4a85a8 100644
--- a/src/providers/ipa/ipa_opts.c
+++ b/src/providers/ipa/ipa_opts.c
@@ -198,6 +198,7 @@ struct sdap_attr_map ipa_user_map[] = {
{ "ldap_user_ad_user_account_control", "userAccountControl", SYSDB_AD_USER_ACCOUNT_CONTROL, NULL},
{ "ldap_ns_account_lock", "nsAccountLock", SYSDB_NS_ACCOUNT_LOCK, NULL},
{ "ldap_user_authorized_host", "host", SYSDB_AUTHORIZED_HOST, NULL },
+ { "ldap_user_authorized_rhost", NULL, SYSDB_AUTHORIZED_RHOST, NULL },
{ "ldap_user_nds_login_disabled", "loginDisabled", SYSDB_NDS_LOGIN_DISABLED, NULL },
{ "ldap_user_nds_login_expiration_time", "loginExpirationTime", SYSDB_NDS_LOGIN_EXPIRATION_TIME, NULL },
{ "ldap_user_nds_login_allowed_time_map", "loginAllowedTimeMap", SYSDB_NDS_LOGIN_ALLOWED_TIME_MAP, NULL },
diff --git a/src/providers/ldap/ldap_init.c b/src/providers/ldap/ldap_init.c
index b7102adb8..43d905893 100644
--- a/src/providers/ldap/ldap_init.c
+++ b/src/providers/ldap/ldap_init.c
@@ -286,6 +286,8 @@ static errno_t set_access_rules(TALLOC_CTX *mem_ctx,
access_ctx->access_rule[c] = LDAP_ACCESS_SERVICE;
} else if (strcasecmp(order_list[c], LDAP_ACCESS_HOST_NAME) == 0) {
access_ctx->access_rule[c] = LDAP_ACCESS_HOST;
+ } else if (strcasecmp(order_list[c], LDAP_ACCESS_RHOST_NAME) == 0) {
+ access_ctx->access_rule[c] = LDAP_ACCESS_RHOST;
} else if (strcasecmp(order_list[c], LDAP_ACCESS_LOCK_NAME) == 0) {
access_ctx->access_rule[c] = LDAP_ACCESS_LOCKOUT;
} else if (strcasecmp(order_list[c],
diff --git a/src/providers/ldap/ldap_opts.c b/src/providers/ldap/ldap_opts.c
index c6efe332f..2236f2005 100644
--- a/src/providers/ldap/ldap_opts.c
+++ b/src/providers/ldap/ldap_opts.c
@@ -174,6 +174,7 @@ struct sdap_attr_map rfc2307_user_map[] = {
{ "ldap_user_ad_user_account_control", "userAccountControl", SYSDB_AD_USER_ACCOUNT_CONTROL, NULL},
{ "ldap_ns_account_lock", "nsAccountLock", SYSDB_NS_ACCOUNT_LOCK, NULL},
{ "ldap_user_authorized_host", "host", SYSDB_AUTHORIZED_HOST, NULL },
+ { "ldap_user_authorized_rhost", "rhost", SYSDB_AUTHORIZED_RHOST, NULL },
{ "ldap_user_nds_login_disabled", "loginDisabled", SYSDB_NDS_LOGIN_DISABLED, NULL },
{ "ldap_user_nds_login_expiration_time", "loginExpirationTime", SYSDB_NDS_LOGIN_EXPIRATION_TIME, NULL },
{ "ldap_user_nds_login_allowed_time_map", "loginAllowedTimeMap", SYSDB_NDS_LOGIN_ALLOWED_TIME_MAP, NULL },
@@ -232,6 +233,7 @@ struct sdap_attr_map rfc2307bis_user_map[] = {
{ "ldap_user_ad_user_account_control", "userAccountControl", SYSDB_AD_USER_ACCOUNT_CONTROL, NULL},
{ "ldap_ns_account_lock", "nsAccountLock", SYSDB_NS_ACCOUNT_LOCK, NULL},
{ "ldap_user_authorized_host", "host", SYSDB_AUTHORIZED_HOST, NULL },
+ { "ldap_user_authorized_rhost", "rhost", SYSDB_AUTHORIZED_RHOST, NULL },
{ "ldap_user_nds_login_disabled", "loginDisabled", SYSDB_NDS_LOGIN_DISABLED, NULL },
{ "ldap_user_nds_login_expiration_time", "loginExpirationTime", SYSDB_NDS_LOGIN_EXPIRATION_TIME, NULL },
{ "ldap_user_nds_login_allowed_time_map", "loginAllowedTimeMap", SYSDB_NDS_LOGIN_ALLOWED_TIME_MAP, NULL },
@@ -290,6 +292,7 @@ struct sdap_attr_map gen_ad2008r2_user_map[] = {
{ "ldap_user_ad_user_account_control", "userAccountControl", SYSDB_AD_USER_ACCOUNT_CONTROL, NULL},
{ "ldap_ns_account_lock", NULL, SYSDB_NS_ACCOUNT_LOCK, NULL},
{ "ldap_user_authorized_host", NULL, SYSDB_AUTHORIZED_HOST, NULL },
+ { "ldap_user_authorized_rhost", NULL, SYSDB_AUTHORIZED_RHOST, NULL },
{ "ldap_user_nds_login_disabled", NULL, SYSDB_NDS_LOGIN_DISABLED, NULL },
{ "ldap_user_nds_login_expiration_time", NULL, SYSDB_NDS_LOGIN_EXPIRATION_TIME, NULL },
{ "ldap_user_nds_login_allowed_time_map", NULL, SYSDB_NDS_LOGIN_ALLOWED_TIME_MAP, NULL },
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index afdc01948..3a5505311 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -279,6 +279,7 @@ enum sdap_user_attrs {
SDAP_AT_AD_USER_ACCOUNT_CONTROL,
SDAP_AT_NS_ACCOUNT_LOCK,
SDAP_AT_AUTHORIZED_HOST,
+ SDAP_AT_AUTHORIZED_RHOST,
SDAP_AT_NDS_LOGIN_DISABLED,
SDAP_AT_NDS_LOGIN_EXPIRATION_TIME,
SDAP_AT_NDS_LOGIN_ALLOWED_TIME_MAP,
diff --git a/src/providers/ldap/sdap_access.c b/src/providers/ldap/sdap_access.c
index 4f3357a79..24d3f8742 100644
--- a/src/providers/ldap/sdap_access.c
+++ b/src/providers/ldap/sdap_access.c
@@ -97,6 +97,8 @@ static errno_t sdap_access_service(struct pam_data *pd,
static errno_t sdap_access_host(struct ldb_message *user_entry);
+static errno_t sdap_access_rhost(struct ldb_message *user_entry, char *rhost);
+
enum sdap_access_control_type {
SDAP_ACCESS_CONTROL_FILTER,
SDAP_ACCESS_CONTROL_PPOLICY_LOCK,
@@ -309,6 +311,10 @@ static errno_t sdap_access_check_next_rule(struct sdap_access_req_ctx *state,
ret = sdap_access_host(state->user_entry);
break;
+ case LDAP_ACCESS_RHOST:
+ ret = sdap_access_rhost(state->user_entry, state->pd->rhost);
+ break;
+
default:
DEBUG(SSSDBG_CRIT_FAILURE,
"Unexpected access rule type. Access denied.\n");
@@ -1298,6 +1304,68 @@ static errno_t sdap_access_host(struct ldb_message *user_entry)
return ret;
}
+static errno_t sdap_access_rhost(struct ldb_message *user_entry, char *pam_rhost)
+{
+ errno_t ret;
+ struct ldb_message_element *el;
+ char *be_rhost_rule;
+ unsigned int i;
+
+ /* If pam_rhost is NULL do not perform any checks */
+ if (pam_rhost == NULL) {
+ DEBUG(SSSDBG_CONF_SETTINGS, "pam_rhost is NULL, no rhost check is possible\n");
+ return EOK;
+ }
+
+ /* When the access is local we get empty string as pam_rhost
+ in which case we should not evaluate rhost access rules */
+ /* FIXME: I think ideally should have LDAP to define what to do in this case */
+ if (pam_rhost[0] == '\0') {
+ DEBUG(SSSDBG_CONF_SETTINGS, "pam_rhost is empty, possible local access, no rhost check possible\n");
+ return EOK;
+ }
+
+ /* If rhost validation is enabled and entry has no relevant attribute - deny access */
+ el = ldb_msg_find_element(user_entry, SYSDB_AUTHORIZED_RHOST);
+ if (!el || el->num_values == 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Missing rhost entries. Access denied\n");
+ return ERR_ACCESS_DENIED;
+ }
+
+ ret = ENOENT;
+
+ for (i = 0; i < el->num_values; i++) {
+ be_rhost_rule = (char *)el->values[i].data;
+ if (be_rhost_rule[0] == '!' && strcasecmp(pam_rhost, be_rhost_rule+1) == 0) {
+ /* This rhost is explicitly denied */
+ DEBUG(SSSDBG_CONF_SETTINGS, "Access from [%s] denied by [%s]\n", pam_rhost, be_rhost_rule);
+ /* A denial trumps all. Break here */
+ return ERR_ACCESS_DENIED;
+ } else if (strcasecmp(pam_rhost, be_rhost_rule) == 0) {
+ /* This rhost is explicitly allowed */
+ DEBUG(SSSDBG_CONF_SETTINGS, "Access from [%s] granted by [%s]\n", pam_rhost, be_rhost_rule);
+ /* We still need to loop through to make sure
+ * that it's not also explicitly denied
+ */
+ ret = EOK;
+ } else if (strcmp("*", be_rhost_rule) == 0) {
+ /* This user has access from anywhere */
+ DEBUG(SSSDBG_CONF_SETTINGS, "Access from [%s] granted by [*]\n", pam_rhost);
+ /* We still need to loop through to make sure
+ * that it's not also explicitly denied
+ */
+ ret = EOK;
+ }
+ }
+
+ if (ret == ENOENT) {
+ DEBUG(SSSDBG_CONF_SETTINGS, "No matching rhost rules found\n");
+ ret = ERR_ACCESS_DENIED;
+ }
+
+ return ret;
+}
+
static void sdap_access_ppolicy_get_lockout_done(struct tevent_req *subreq);
static int sdap_access_ppolicy_retry(struct tevent_req *req);
static errno_t sdap_access_ppolicy_step(struct tevent_req *req);
diff --git a/src/providers/ldap/sdap_access.h b/src/providers/ldap/sdap_access.h
index 049daced6..86969d442 100644
--- a/src/providers/ldap/sdap_access.h
+++ b/src/providers/ldap/sdap_access.h
@@ -45,6 +45,7 @@
#define LDAP_ACCESS_EXPIRE_POLICY_RENEW_NAME "pwd_expire_policy_renew"
#define LDAP_ACCESS_SERVICE_NAME "authorized_service"
#define LDAP_ACCESS_HOST_NAME "host"
+#define LDAP_ACCESS_RHOST_NAME "rhost"
#define LDAP_ACCESS_LOCK_NAME "lockout"
#define LDAP_ACCESS_PPOLICY_NAME "ppolicy"
@@ -61,6 +62,7 @@ enum ldap_access_rule {
LDAP_ACCESS_EXPIRE,
LDAP_ACCESS_SERVICE,
LDAP_ACCESS_HOST,
+ LDAP_ACCESS_RHOST,
LDAP_ACCESS_LOCKOUT,
LDAP_ACCESS_EXPIRE_POLICY_REJECT,
LDAP_ACCESS_EXPIRE_POLICY_WARN,
_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
