SSSD Idmapping with upn mapping #131

Merged
merged 10 commits into from
May 16, 2024

dmulder
Collaborator

@dmulder dmulder commented May 16, 2024

Fixes #71. Fixes #124.

This replaces the default idmapping. Previously idmapping was based on object id (uuid), but it is now based on user upn by default. The default idmap range has also changed. To return to the previous default (in order to keep idmapping consistent with version 0.3.x), set the following configuration variables:

[global]
id_attr_map = uuid
idmap_range = 1000000-6999999

Be aware that reverting to uuid idmapping prevents users from accessing the host via SSH (on systems which use OpenSSH Server).

Checklist

  • This pr contains no AI generated code
  • cargo fmt has been run
  • cargo clippy has been run
  • A functionality test has been added
  • make test has been run and passes

@dmulder dmulder force-pushed the dmulder/sssd_idmap branch from 1f61a1e to 70deb57 Compare May 16, 2024 17:19
@dmulder dmulder changed the title WIP: SSSD Idmapping with upn mapping SSSD Idmapping with upn mapping May 16, 2024
@dmulder dmulder force-pushed the dmulder/sssd_idmap branch 6 times, most recently from 794064e to 76aa717 Compare May 16, 2024 19:42
dmulder added 9 commits May 16, 2024 13:50
This builds Sumit's experimental idmapping code
for EntraID.

Signed-off-by: David Mulder <[email protected]>
This has been an issue for a while, but we always
picked the first one in the list, so it didn't
matter, it seems. Now it is relevant, because
the duplicate provider is causing the SSSD
idmapping to error due to overlapping ranges.

Signed-off-by: David Mulder <[email protected]>
Signed-off-by: David Mulder <[email protected]>
This fixes some issues with PAM prompts, as well
as resolving some clippy warnings.

Signed-off-by: David Mulder <[email protected]>
These warnings are often found in Kanidm code,
which I don't directly control. Best if these
warnings don't block an MR.

Signed-off-by: David Mulder <[email protected]>
Rather than providing a hacky fake uid to satisfy
OpenSSH, eliminate this and just use upn
idmapping here. If Uuid id mapping is enabled,
then just bail out. We can set a stipulation that
SSH only works with upn/name id mapping.

Signed-off-by: David Mulder <[email protected]>
@dmulder dmulder force-pushed the dmulder/sssd_idmap branch from 76aa717 to 47549c5 Compare May 16, 2024 19:50
@dmulder dmulder merged commit f0a79fc into main May 16, 2024
4 checks passed
@dmulder dmulder deleted the dmulder/sssd_idmap branch May 16, 2024 19:53

Successfully merging this pull request may close these issues.

  • Initial auth fails via SSH
  • Use SSSD idmapping