[sssd PR#700][opened] LDAP: Only authenticate the auth connection if we need to look up user information
by jhrozek
URL: https://github.com/SSSD/sssd/pull/700
Author: jhrozek
Title: #700: LDAP: Only authenticate the auth connection if we need to look up user information
Action: opened
PR body:
"""
Related: https://pagure.io/SSSD/sssd/issue/3451
Commit add72860c7a7a2c418f4d8b6790b5caeaf7dfb7b initially addressed #3451
by using the full sdap_cli_connect() request during LDAP authentication.
This was a good idea as it addressed the case where the authentication
connection must also look up some user information (typically with
id_provider=proxy where you don't know the DN to bind as during
authentication), but this approach also broke the use-case of
id_provider=ldap and auth_provider=ldap with ldap_sasl_auth=gssapi.
This is because (for a reason I don't know) AD doesn't like it if you use both
GSSAPI and startTLS on the same connection. But the code would force TLS
during the authentication as a general measure to not transmit passwords in
the clear, and then the connection would also see that
ldap_sasl_auth=gssapi is set and also bind with GSSAPI.
This patch checks if the user DN is already known and, if so, doesn't
authenticate the connection, as the connection will then only be used for
the user simple bind.
"""
To pull the PR as a Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/700/head:pr700
git checkout pr700
[sssd PR#644][opened] When multiple UIDs exist, use the username provided by the user as the first lookup
by joeFischetti
URL: https://github.com/SSSD/sssd/pull/644
Author: joeFischetti
Title: #644: When multiple UIDs exist, use the username provided by the user as the first lookup
Action: opened
PR body:
"""
The current state of the code has no way of determining the "correct" UID to use when there are multiple values. If there are multiple values, and the RDN doesn't match, this update checks the UIDs returned against the username that was provided by the user at the prompt. If that matches, it's used. If that doesn't match, it falls back to the existing code.
Example:
My ldap record includes multiple uid values, ["genericemployee1", "itstaff1"]
I need access to machines as "itstaff1". "genericemployee1" is used as an identifier in other systems/services.
If I log in with "itstaff1" at the prompt, and my ldap lookup with filter (uid=itstaff1) is successful, the array of UIDs is checked against "itstaff1" and that's what *_primary is set to.
With the current code, if I try to log in with "itstaff1" at the prompt, I'm actually logged into the system as "genericemployee1". Based on the order that the values are returned... some other staff are logged into their "genericemployee" or the "itstaff" accounts.
"""
To pull the PR as a Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/644/head:pr644
git checkout pr644
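The selection order PR#644 describes (RDN value first, then the name typed at the prompt, then the first value the server returned), as an added Python example that is not SSSD's code. The DNs and uid values are constructed, and the case-insensitive comparison is an assumption made here to mirror the uid attribute's usual caseIgnoreMatch rule.

```python
# Added example, not SSSD's implementation. Sample DNs and uid lists are constructed.

def rdn_value(dn, attr="uid"):
    """Return the value of the first RDN of `dn` when its attribute is `attr`.

    Simple splitter on the first comma; it does not handle escaped commas or
    multi-valued RDNs, which is enough for the constructed sample data.
    """
    first = dn.split(",", 1)[0]
    name, sep, value = first.partition("=")
    if sep and name.strip().lower() == attr:
        return value.strip()
    return None


def choose_primary_name(dn, uid_values, requested=None):
    """Pick the primary username for an entry that carries several uid values.

    requested=None reproduces the behaviour before the PR: RDN match, else the
    first value returned.  Passing the name the user typed at the prompt adds
    the PR's extra step: that name wins, but only if the directory actually
    lists it on this entry, so a user cannot claim a uid that is not theirs.
    """
    rdn = rdn_value(dn)
    if rdn is not None:
        for value in uid_values:
            if value.lower() == rdn.lower():
                return value  # RDN still takes precedence over the typed name
    if requested is not None:
        for value in uid_values:
            if value.lower() == requested.lower():
                return value  # the PR's new step
    return uid_values[0]  # existing fallback: server order decides


if __name__ == "__main__":
    entry_dn = "cn=Some Person,ou=people,dc=example,dc=com"  # RDN is cn, so no uid match
    uids = ["genericemployee1", "itstaff1"]
    print("before:", choose_primary_name(entry_dn, uids))             # genericemployee1
    print("after: ", choose_primary_name(entry_dn, uids, "itstaff1"))  # itstaff1
```

Note that a login as "itstaff1" against an entry whose RDN is uid=genericemployee1 still maps to "genericemployee1", because the PR only changes the case where the RDN does not match.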