From 917d81b83259ef8f4f21fda7dfeb4d32eac61f5f Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Fri, 16 Nov 2018 14:51:23 +0100
Subject: [PATCH] Allow HTTPd user to access SSSD IFP
For smart card and certificate authentication, Apache's mod_lookup_identity module must be able to acess SSSD IFP. The module accesses IFP as Apache user, not as ipaapi user. Apache is not allowed to use IFP by default. The update code uses the service's ok-to-auth-as-delegate flag to detect smart card / cert auth.
See: https://pagure.io/freeipa/issue/7751
Signed-off-by: Christian Heimes
Reviewed-By: Alexander Bokovoy
---
 ipaclient/install/client.py | 10 +++++++++-
 ipaserver/install/server/upgrade.py | 11 ++++++++++-
 2 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index fe3f0bb2b..28f23ecc5 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -45,6 +45,7 @@ from ipalib.util import (
 verify_host_resolvable,
 )
 from ipaplatform import services
+from ipaplatform.constants import constants
 from ipaplatform.paths import paths
 from ipaplatform.tasks import tasks
 from ipapython import certdb, kernel_keyring, ipaldap, ipautil
@@ -1036,8 +1037,13 @@ def sssd_enable_service(sssdconfig, name):
 return sssdconfig.get_service(name)
-def sssd_enable_ifp(sssdconfig):
+def sssd_enable_ifp(sssdconfig, allow_httpd=False):
 """Enable and configure libsss_simpleifp plugin
+
+ Allow the ``ipaapi`` user to access IFP. In case allow_httpd is true,
+ the Apache HTTPd user is also allowed to access IFP. For smart card
+ authentication, mod_lookup_identity must be allowed to access user
+ information.
 """
 service = sssd_enable_service(sssdconfig, 'ifp')
 if service is None: 
@@ -1056,6 +1062,8 @@ def sssd_enable_ifp(sssdconfig):
 uids.add('root')
 # allow IPA API to access IFP
 uids.add(IPAAPI_USER)
+ if allow_httpd:
+ uids.add(constants.HTTPD_USER)
 service.set_option('allowed_uids', ', '.join(sorted(uids)))
 sssdconfig.save_service(service)
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 71bdd3670..4de7fd974 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1407,8 +1407,17 @@ def sssd_update():
 domain.set_option('ipa_server_mode', 'True')
 domain.set_option('ipa_server', api.env.host)
 sssdconfig.save_domain(domain)
+ # check if service has ok_to_auth_as_delegate
+ service = 'HTTP/{}'.format(api.env.host)
+ result = api.Command.service_show(service, all=True)
+ flag = result['result'].get('ipakrboktoauthasdelegate', False)
+ if flag:
+ logger.debug(
+ "%s has ok_to_auth_as_delegate, allow Apache to access IFP",
+ services
+ )
 # enable and configure IFP plugin
- sssd_enable_ifp(sssdconfig)
+ sssd_enable_ifp(sssdconfig, allow_httpd=flag)
 # write config and restart service
 sssdconfig.write(paths.SSSD_CONF)
 sssd = services.service('sssd', api)
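Review bot: The two added lines widen `allowed_uids` to a second system user but carry no comment, while the sibling `uids.add(IPAAPI_USER)` line directly above explains itself with `# allow IPA API to access IFP`; add `# allow Apache (mod_lookup_identity) to access IFP for smart card auth` above `if allow_httpd:` so the extra grant is traceable when someone later audits the generated sssd.conf. sssd_enable_ifp's body begins before this hunk.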
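Review bot: The `%s` in the added `logger.debug` call is fed `services`, the `ipaplatform.services` module that the last context line also uses, instead of the `service` principal string built three lines earlier, so the message logs a module repr rather than the HTTP principal; change the argument line to `service`. The `flag` taken from `result['result'].get('ipakrboktoauthasdelegate', False)` is passed to `sssd_enable_ifp` unchanged; if the API ever returns that attribute in a non-bool shape, `allow_httpd=bool(flag)` keeps the parameter's documented true/false contract. sssd_update's body begins before this hunk.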