Allow HTTPd user to access SSSD IFP
For smart card and certificate authentication, Apache's mod_lookup_identity module must be able to access SSSD IFP. The module accesses IFP as Apache user, not as ipaapi user. Apache is not allowed to use IFP by default. The update code uses the service's ok-to-auth-as-delegate flag to detect smart card / cert auth. See: https://pagure.io/freeipa/issue/7751 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This commit is contained in:
parent
d6fd2ad4f2
commit
917d81b832
@ -45,6 +45,7 @@ from ipalib.util import (
|
||||
verify_host_resolvable,
|
||||
)
|
||||
from ipaplatform import services
|
||||
from ipaplatform.constants import constants
|
||||
from ipaplatform.paths import paths
|
||||
from ipaplatform.tasks import tasks
|
||||
from ipapython import certdb, kernel_keyring, ipaldap, ipautil
|
||||
@ -1036,8 +1037,13 @@ def sssd_enable_service(sssdconfig, name):
|
||||
return sssdconfig.get_service(name)
|
||||
|
||||
|
||||
def sssd_enable_ifp(sssdconfig):
|
||||
def sssd_enable_ifp(sssdconfig, allow_httpd=False):
|
||||
"""Enable and configure libsss_simpleifp plugin
|
||||
|
||||
Allow the ``ipaapi`` user to access IFP. In case allow_httpd is true,
|
||||
the Apache HTTPd user is also allowed to access IFP. For smart card
|
||||
authentication, mod_lookup_identity must be allowed to access user
|
||||
information.
|
||||
"""
|
||||
service = sssd_enable_service(sssdconfig, 'ifp')
|
||||
if service is None:
|
||||
@ -1056,6 +1062,8 @@ def sssd_enable_ifp(sssdconfig):
|
||||
uids.add('root')
|
||||
# allow IPA API to access IFP
|
||||
uids.add(IPAAPI_USER)
|
||||
if allow_httpd:
|
||||
uids.add(constants.HTTPD_USER)
|
||||
service.set_option('allowed_uids', ', '.join(sorted(uids)))
|
||||
sssdconfig.save_service(service)
|
||||
|
||||
|
@ -1407,8 +1407,17 @@ def sssd_update():
|
||||
domain.set_option('ipa_server_mode', 'True')
|
||||
domain.set_option('ipa_server', api.env.host)
|
||||
sssdconfig.save_domain(domain)
|
||||
# check if service has ok_to_auth_as_delegate
|
||||
service = 'HTTP/{}'.format(api.env.host)
|
||||
result = api.Command.service_show(service, all=True)
|
||||
flag = result['result'].get('ipakrboktoauthasdelegate', False)
|
||||
if flag:
|
||||
logger.debug(
|
||||
"%s has ok_to_auth_as_delegate, allow Apache to access IFP",
|
||||
services
|
||||
)
|
||||
# enable and configure IFP plugin
|
||||
sssd_enable_ifp(sssdconfig)
|
||||
sssd_enable_ifp(sssdconfig, allow_httpd=flag)
|
||||
# write config and restart service
|
||||
sssdconfig.write(paths.SSSD_CONF)
|
||||
sssd = services.service('sssd', api)
|
||||
|
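Review bot: The debug call in the sssd_update hunk passes the `services` module as the `%s` argument instead of the `service` string built two lines earlier, so the message will print the module object rather than the `HTTP/<host>` principal it is about; change `services` to `service` in the `logger.debug(...)` call. Since `flag` is what decides whether Apache's uid is added to the IFP `allowed_uids`, this log line is the only record of why that access was widened, so the principal it names should be correct. It also looks like `api.Command.service_show(service, all=True)` raises rather than returns when the HTTP service entry is absent, which would abort the upgrade; if that case can occur it should be caught and treated as `flag = False` — please confirm against how the rest of sssd_update handles lookups. sssd_update's body starts and ends outside the hunk.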