
GPO access control might fail if ldap_user_name is set #7590

Closed
sumit-bose opened this issue Sep 13, 2024 · 3 comments
Assignees
Labels
Bugzilla Closed: Fixed Issue was closed as fixed.

Comments

@sumit-bose
Contributor

To determine the group memberships of a host for GPO evaluation, the code to look up the group memberships of a user is used. If the ldap_user_name option is set and points to an LDAP attribute other than sAMAccountName, the GPO access control might fail if this other attribute is not present for the host object or does not contain the NetBIOS hostname with a $ at the end.
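A small model of the failure mode described in this issue (an added example, not SSSD code): the host lookup reuses the user attribute map, so an overridden ldap_user_name is applied to the computer object, which either lacks that attribute or carries a value without the trailing $. The attribute map is a simplified two-entry subset and the LDAP entry is constructed; `fixed=True` models the post-fix behaviour of always using the default AD map.

```python
"""Model of the attribute-map problem from SSSD issue #7590 (added example, not SSSD code).

Hypothetical simplification: only the 'name' and 'member_of' mapping entries are
modelled, and HOST_ENTRY is a constructed AD computer object, not real directory data."""

# Subset of SSSD's default AD user attribute map; ldap_user_name overrides "name".
DEFAULT_AD_USER_MAP = {"name": "sAMAccountName", "member_of": "memberOf"}

# Constructed computer object: it has no 'uid', and 'cn' lacks the trailing '$'.
HOST_ENTRY = {
    "cn": ["CLIENT01"],
    "sAMAccountName": ["CLIENT01$"],
    "memberOf": ["CN=Linux-Hosts,OU=Groups,DC=example,DC=test"],
}


def user_map(ldap_user_name=None):
    """Build the effective user map, applying an ldap_user_name override if one is set."""
    attr_map = dict(DEFAULT_AD_USER_MAP)
    if ldap_user_name:
        attr_map["name"] = ldap_user_name
    return attr_map


def host_groups(entry, netbios_host, attr_map):
    """Resolve the host's groups the way a user lookup would: the mapped name
    attribute must hold NETBIOS$. Returns None when the lookup fails."""
    expected = netbios_host.upper() + "$"
    names = [v.upper() for v in entry.get(attr_map["name"], [])]
    if expected not in names:
        return None
    return list(entry.get(attr_map["member_of"], []))


def gpo_host_groups(entry, netbios_host, ldap_user_name=None, fixed=True):
    """fixed=False: pre-fix path, the host lookup reuses the overridden user map.
    fixed=True: post-fix path, the host lookup always uses the default AD map."""
    attr_map = user_map(None if fixed else ldap_user_name)
    return host_groups(entry, netbios_host, attr_map)


def diagnose(entry, netbios_host, ldap_user_name):
    """Explain why a given ldap_user_name would break the pre-fix host lookup."""
    values = entry.get(ldap_user_name)
    if not values:
        return f"host object has no '{ldap_user_name}' attribute"
    if (netbios_host.upper() + "$") not in [v.upper() for v in values]:
        return f"'{ldap_user_name}' = {values} does not equal {netbios_host.upper()}$"
    return "ok"
```

With the override in place, only the post-fix path still resolves the host's groups; `diagnose` reports which of the two conditions from the description applies.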

@sumit-bose sumit-bose self-assigned this Sep 13, 2024
sumit-bose added a commit to sumit-bose/sssd that referenced this issue Sep 13, 2024
To allow looking up group memberships of other objects similar to user
objects but with different attribute mappings, e.g. host objects in AD,
a new option to provide an alternative attribute map is added.

Resolves: SSSD#7590
sumit-bose added a commit to sumit-bose/sssd that referenced this issue Sep 13, 2024
Use the default AD user attribute map to look up the group membership of
the AD host object. This should help to avoid issues if user attributes
are overwritten in the user attribute map.

Resolves: SSSD#7590
@alexey-tikhonov
Member

sumit-bose added a commit to sumit-bose/sssd that referenced this issue Sep 18, 2024
To allow looking up group memberships of other objects similar to user
objects but with different attribute mappings, e.g. host objects in AD,
a new option to provide an alternative attribute map is added.

Resolves: SSSD#7590
sumit-bose added a commit to sumit-bose/sssd that referenced this issue Sep 18, 2024
Use the default AD user attribute map to look up the group membership of
the AD host object. This should help to avoid issues if user attributes
are overwritten in the user attribute map.

Resolves: SSSD#7590
alexey-tikhonov pushed a commit that referenced this issue Sep 24, 2024
Use the default AD user attribute map to look up the group membership of
the AD host object. This should help to avoid issues if user attributes
are overwritten in the user attribute map.

Resolves: #7590

Reviewed-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
alexey-tikhonov pushed a commit that referenced this issue Sep 24, 2024
To allow looking up group memberships of other objects similar to user
objects but with different attribute mappings, e.g. host objects in AD,
a new option to provide an alternative attribute map is added.

Resolves: #7590

Reviewed-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit 69f63f1)
alexey-tikhonov pushed a commit that referenced this issue Sep 24, 2024
Use the default AD user attribute map to look up the group membership of
the AD host object. This should help to avoid issues if user attributes
are overwritten in the user attribute map.

Resolves: #7590

Reviewed-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit 5f5077a)
@alexey-tikhonov
Member

Pushed PR: #7591

  • master
    • 5f5077a - ad: use default user_map when looking up host groups for GPO
    • 69f63f1 - sdap: allow providing user_map when looking up group memberships
  • sssd-2-9
    • 2c23363 - ad: use default user_map when looking up host groups for GPO
    • 321ca19 - sdap: allow providing user_map when looking up group memberships

@alexey-tikhonov alexey-tikhonov added the Closed: Fixed Issue was closed as fixed. label Sep 24, 2024
alexey-tikhonov pushed a commit to alexey-tikhonov/sssd that referenced this issue Nov 19, 2024
To allow looking up group memberships of other objects similar to user
objects but with different attribute mappings, e.g. host objects in AD,
a new option to provide an alternative attribute map is added.

Resolves: SSSD#7590

Reviewed-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit 69f63f1)
(cherry picked from commit 321ca19)
alexey-tikhonov pushed a commit to alexey-tikhonov/sssd that referenced this issue Nov 19, 2024
Use the default AD user attribute map to look up the group membership of
the AD host object. This should help to avoid issues if user attributes
are overwritten in the user attribute map.

Resolves: SSSD#7590

Reviewed-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit 5f5077a)
(cherry picked from commit 2c23363)
alexey-tikhonov pushed a commit that referenced this issue Nov 21, 2024
To allow looking up group memberships of other objects similar to user
objects but with different attribute mappings, e.g. host objects in AD,
a new option to provide an alternative attribute map is added.

Resolves: #7590

Reviewed-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit 69f63f1)
(cherry picked from commit 321ca19)

Reviewed-by: Justin Stephenson <jstephen@redhat.com>
alexey-tikhonov pushed a commit that referenced this issue Nov 21, 2024
Use the default AD user attribute map to look up the group membership of
the AD host object. This should help to avoid issues if user attributes
are overwritten in the user attribute map.

Resolves: #7590

Reviewed-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit 5f5077a)
(cherry picked from commit 2c23363)

Reviewed-by: Justin Stephenson <jstephen@redhat.com>
@alexey-tikhonov
Member

Pushed PR: #7706

  • sssd-2-9-4
    • aa81ab0 - DEBUG: reduce log level in case a responder asks for unknown domain
    • acd5da5 - ldap: add 'exop_force' value for ldap_pwmodify_mode
    • 0e86f1a - sysdb: do not fail to add non-posix user to MPG domain
    • 9ff2e55 - ad: use default user_map when looking up host groups for GPO
    • ebbde00 - sdap: allow providing user_map when looking up group memberships
