Allow HTTPd user to access SSSD IFP

For smart card and certificate authentication, Apache's
mod_lookup_identity module must be able to access SSSD IFP. The module
accesses IFP as Apache user, not as ipaapi user.

Apache is not allowed to use IFP by default. The update code uses the
service's ok-to-auth-as-delegate flag to detect smart card / cert auth.

See: https://pagure.io/freeipa/issue/7751
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Christian Heimes 2018-11-16 14:51:23 +01:00
parent d6fd2ad4f2
commit 917d81b832
2 changed files with 19 additions and 2 deletions


@ -45,6 +45,7 @@ from ipalib.util import (
verify_host_resolvable,
)
from ipaplatform import services
from ipaplatform.constants import constants
from ipaplatform.paths import paths
from ipaplatform.tasks import tasks
from ipapython import certdb, kernel_keyring, ipaldap, ipautil
@ -1036,8 +1037,13 @@ def sssd_enable_service(sssdconfig, name):
return sssdconfig.get_service(name)
def sssd_enable_ifp(sssdconfig):
def sssd_enable_ifp(sssdconfig, allow_httpd=False):
"""Enable and configure libsss_simpleifp plugin
Allow the ``ipaapi`` user to access IFP. In case allow_httpd is true,
the Apache HTTPd user is also allowed to access IFP. For smart card
authentication, mod_lookup_identity must be allowed to access user
information.
"""
service = sssd_enable_service(sssdconfig, 'ifp')
if service is None:
@ -1056,6 +1062,8 @@ def sssd_enable_ifp(sssdconfig):
uids.add('root')
# allow IPA API to access IFP
uids.add(IPAAPI_USER)
if allow_httpd:
uids.add(constants.HTTPD_USER)
service.set_option('allowed_uids', ', '.join(sorted(uids)))
sssdconfig.save_service(service)
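Review bot: The new `uids.add(constants.HTTPD_USER)` branch has no why-comment, unlike the sibling `uids.add(IPAAPI_USER)` line directly above it, and because it widens the set of local uids permitted to query identity data over IFP the reason should sit next to the code: `# allow Apache (mod_lookup_identity) to access IFP for smart card / cert auth`. The new parameter is a boolean switch and the only caller in this commit passes it by keyword, so `def sssd_enable_ifp(sssdconfig, *, allow_httpd=False):` in the earlier hunk would keep positional misuse out. The enclosing function starts before this hunk; whether `save_service` is its last statement is not visible here.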


@ -1407,8 +1407,17 @@ def sssd_update():
domain.set_option('ipa_server_mode', 'True')
domain.set_option('ipa_server', api.env.host)
sssdconfig.save_domain(domain)
# check if service has ok_to_auth_as_delegate
service = 'HTTP/{}'.format(api.env.host)
result = api.Command.service_show(service, all=True)
flag = result['result'].get('ipakrboktoauthasdelegate', False)
if flag:
logger.debug(
"%s has ok_to_auth_as_delegate, allow Apache to access IFP",
services
)
# enable and configure IFP plugin
sssd_enable_ifp(sssdconfig)
sssd_enable_ifp(sssdconfig, allow_httpd=flag)
# write config and restart service
sssdconfig.write(paths.SSSD_CONF)
sssd = services.service('sssd', api)
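Review bot: The `logger.debug` call interpolates `services`, which in this file is the `ipaplatform.services` module (it is used as such two lines below, `services.service('sssd', api)`), where the `service` principal string built just above is clearly intended, so the log line would show the module's repr instead of `HTTP/<host>`; change the argument to `service`. `api.Command.service_show(service, all=True)` will raise `errors.NotFound` if the HTTP principal does not exist, which would abort the whole `sssd_update` step rather than just skipping the IFP grant; if that situation can occur during an upgrade, catching it and treating `flag` as False seems the safer default (inferred, not visible here). The value read via `.get('ipakrboktoauthasdelegate', False)` is passed straight through as `allow_httpd`, which is documented as a bool in the callee; if `service_show` returns the attribute as a list or tuple the truth test still works, but normalising with `bool(...)` would make the debug branch and the callee agree. The body of `sssd_update` continues past the end of this hunk.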