ldap: make sure realm is set #7690
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
@sumit-bose, I think this can be moved out of draft? |
madhuriupadhye
force-pushed
the
ldap_realm_fix
branch
2 times, most recently
from
ec5f63f to
444db02
Compare
In general the canonical principal will be only set in the cache after a successful authentication because in general it is not know what the canonical principal might be. For Active Directory it is known that the canonical principal is build with the sAMAccountName attribute and the Kerberos realm which is used in the patch "AD: Construct UPN from the sAMAccountName" (7a27e53). If 'id_provider = ldap' is used to access Active Directory the realm might not be set in the internal domain data and as a result a wrong principal might be created. This patch makes sure the realm is set before creating the canonical principal.
sumit-bose
force-pushed
the
ldap_realm_fix
branch
from
444db02 to
bc93bf8
Compare
danlavu
requested changes
Nov 19, 2024
madhuriupadhye
force-pushed
the
ldap_realm_fix
branch
from
bc93bf8 to
aa55a38
Compare
alexey-tikhonov
approved these changes
Nov 28, 2024
Hi, please note, tests were written by Madhuri. bye, |
src/tests/system/tests/test_ad.py
Outdated
| assert client.auth.parametrize(method).password("user1", "Secret123"), "User user1 failed login!" | ||
|
|
||
| log_str = client.fs.read("/var/log/sssd/krb5_child.log") | ||
| assert hasattr(provider.host, "domain"), "Host does not have 'domain' attribute!" |
There was a problem hiding this comment.
Why this? This is not a step/result.
There was a problem hiding this comment.
It's for the following error,
tests/test_ad.py:70: error: "BaseHost" has no attribute "domain" [attr-defined]
Found 1 error in 1 file (checked 1 source file)
But added a comment at end of line,
assert f"UPN [user1@{provider.host.domain}]" in log_str, f"'UPN [user1@{provider.host.domain}]' not in logs!" # type: ignore
jakub-vavra-cz
requested changes
Dec 6, 2024
src/tests/system/tests/test_ad.py
Outdated
| client.sssd.nss["override_homedir"] = "/home/%u" | ||
|
|
||
| if isinstance(provider, AD): | ||
| dns_parameter = "ad.test" |
There was a problem hiding this comment.
This does not seem handle dynamic domain/AD in idmci it can be ad-tb2f.test.
madhuriupadhye
force-pushed
the
ldap_realm_fix
branch
from
aa55a38 to
40ec63c
Compare
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
With AD/Samba check the authentication of user by replacing id_provider = ldap Signed-off-by: Madhuri Upadhye <[email protected]>
madhuriupadhye
force-pushed
the
ldap_realm_fix
branch
from
40ec63c to
0a2054d
Compare
jakub-vavra-cz
approved these changes
Dec 10, 2024
jakub-vavra-cz
added
Accepted
Ready to push
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.