Date: Tue, 3 Dec 2013 07:41:48 GMT
From: Andrey <akuz84@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ports/184464: security/sssd host auth doesn't work correctly
Message-ID: <201312030741.rB37fmbb078211@oldred.freebsd.org>
Resent-Message-ID: <201312030750.rB37o0us031338@freefall.freebsd.org>
>Number:         184464
>Category:       ports
>Synopsis:       security/sssd host auth doesn't work correctly
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Dec 03 07:50:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator:     Andrey
>Release:        9.2-RELEASE
>Organization:
>Environment:
FreeBSD 9.2-RELEASE FreeBSD 9.2-RELEASE #0 r255898: Thu Sep 26 22:50:31 UTC 2013 root@bake.isc.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64
>Description:
Users are stored in LDAP, for example:

uid=user,ou=accounts,dc=domain,dc=com
cn: John Smith
givenName: John
sn: Smith
uid: jsmith
uid: testuser
homeDirectory: /home/testuser
mail: jsmith@dev.local
loginShell: /bin/bash
userPassword: skipped
tal@amnesiac.net
sshPublicKey: skipped
gidNumber: 20000
uidNumber: 20000
objectClass: hostObject
objectClass: inetOrgPerson
objectClass: ldapPublicKey
objectClass: organizationalPerson
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
host: server3.test.com

I use sssd-1.9.6 from ports; in sssd.conf I have:

access_provider = ldap
ldap_access_order = host
ldap_user_authorized_host = host

Hostname of the server: server6.test.com. I expect that the user will not be able to log in via ssh to server server6.test.com (that scheme works on RHEL 6.x), but despite ldap_user_authorized_host = host, the user with the record host: server3.test.com is able to log in to server server6.test.com.
>How-To-Repeat:
Install and configure sssd and openldap, create a user in LDAP, and add to sssd.conf:

access_provider = ldap
ldap_access_order = host
ldap_user_authorized_host = host

Try to log in to a server that is not registered in the user's LDAP record.
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
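The access decision the report expects from `ldap_access_order = host`, written out as an added example (not code from the report or from sssd): the user's `host` attribute values are matched against the local hostname, with the `*` wildcard and `!hostname` deny semantics assumed here, and the report's record (`host: server3.test.com`) evaluated against `server6.test.com`.

```python
from typing import Iterable

# Constructed from the LDAP record in the report: the user's host attribute.
REPORTED_USER_HOSTS = ["server3.test.com"]


def host_access_allowed(host_values: Iterable[str], hostname: str) -> bool:
    """Return True if a user with these host values may log in on hostname.

    Assumed semantics (a model of the host access filter, not sssd's code):
      - "*"          grants access on any host
      - "name"       grants access on that host (case-insensitive match)
      - "!name"      explicitly denies that host and overrides any grant
      - no matching value, or an empty attribute, denies
    """
    hostname = hostname.strip().lower()
    allowed = False
    for raw in host_values:
        value = raw.strip().lower()
        if not value:
            continue
        if value.startswith("!"):
            if value[1:] == hostname:
                return False  # explicit deny wins over any grant
        elif value == "*" or value == hostname:
            allowed = True
    return allowed


def evaluate_report() -> dict:
    """Expected outcome for the scenario in the report on both servers."""
    return {
        "server6.test.com": host_access_allowed(REPORTED_USER_HOSTS, "server6.test.com"),
        "server3.test.com": host_access_allowed(REPORTED_USER_HOSTS, "server3.test.com"),
    }


if __name__ == "__main__":
    for host, ok in evaluate_report().items():
        print(f"{host}: {'allow' if ok else 'deny'}")
```

A login on server6.test.com should be denied here, which is the behaviour the report says did not occur on FreeBSD.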