Allow HTTPd user to access SSSD IFP

For smart card and certificate authentication, Apache's mod_lookup_identity module must be able to acess SSSD IFP. The module accesses IFP as Apache user, not as ipaapi user. Apache is not allowed to use IFP by default. The update code uses the service's ok-to-auth-as-delegate flag to detect smart card / cert auth. See: https://pagure.io/freeipa/issue/7751 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2025-02-25 18:55:28 -06:00 · 2018-11-16 14:51:23 +01:00
parent d6fd2ad4f2
commit 917d81b832
2 changed files with 19 additions and 2 deletions
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -45,6 +45,7 @@ from ipalib.util import (
    verify_host_resolvable,
 )
 from ipaplatform import services
+from ipaplatform.constants import constants
 from ipaplatform.paths import paths
 from ipaplatform.tasks import tasks
 from ipapython import certdb, kernel_keyring, ipaldap, ipautil
@@ -1036,8 +1037,13 @@ def sssd_enable_service(sssdconfig, name):
    return sssdconfig.get_service(name)


-def sssd_enable_ifp(sssdconfig):
+def sssd_enable_ifp(sssdconfig, allow_httpd=False):
    """Enable and configure libsss_simpleifp plugin
+
+    Allow the ``ipaapi`` user to access IFP. In case allow_httpd is true,
+    the Apache HTTPd user is also allowed to access IFP. For smart card
+    authentication, mod_lookup_identity must be allowed to access user
+    information.
    """
    service = sssd_enable_service(sssdconfig, 'ifp')
    if service is None:
@@ -1056,6 +1062,8 @@ def sssd_enable_ifp(sssdconfig):
        uids.add('root')
    # allow IPA API to access IFP
    uids.add(IPAAPI_USER)
+    if allow_httpd:
+        uids.add(constants.HTTPD_USER)
    service.set_option('allowed_uids', ', '.join(sorted(uids)))
    sssdconfig.save_service(service)