From e356cbbefb36371111ba1accdaaf77d0ec5722d7 Mon Sep 17 00:00:00 2001 From: Carmen Rata Date: Tue, 16 May 2023 14:51:55 +0000 Subject: [PATCH] Set Linux IDs for WAD users/groups created with SSSD WAD groups discovered by SSSD and imported in the stx platform need to have Linux IDs so that WAD users in these groups can perform privileged operations according to the group permissions. An example would be the "sys_protected" group. In order to be able to allow the WAD "sys_protected" user to execute privileged operations with the stx platform applications, the same way as a native stx platform user would do, the "sys_protected" group needs to be assigned the GID number "345" when discovered with SSSD. This commit is configuring SSSD to achieve that because by default the WAD users/groups are mapped to Linux users/groups on stx platform using Windows Security Identifiers (SIDs). On the WAD server, the "sys_protected" WAD group's Posix schema attribute "gidNumber" would have been populated already as "345", before the SSSD connects to WAD server. Similarly, the WAD user's "uidNumber" attribute needs to be populated in the WAD server. This commit also optimizes the SSSD sudo rules search. Test Plan: PASS: Successful install in AIO-SX system configuration. PASS: The Linux uid and gid configuration for users and groups respectively is configured correctly in sssd.conf. PASS: SSSD service is successfully started. PASS: Verify SSSD caches WAD users and groups and they have the Linux IDs set correctly. PASS: Verify remote ssh connection for discovered WAD ldap users. PASS: Verify WAD users in "sys_protected" WAD group can perform privileged operations like "source /etc/platform/openrc". PASS: SSSD sudo rules search works as expected and the sudo rules are discovered. Story: 2010589 Task: 48010
Signed-off-by: Carmen Rata
Change-Id: I452b1097c607cd270bd56f03f7eba0d1f21f325c
---
 sysinv/sysinv/sysinv/sysinv/puppet/sssd.py | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/sysinv/sysinv/sysinv/sysinv/puppet/sssd.py b/sysinv/sysinv/sysinv/sysinv/puppet/sssd.py
index a22a07ff57..487550cede 100644
--- a/sysinv/sysinv/sysinv/sysinv/puppet/sssd.py
+++ b/sysinv/sysinv/sysinv/sysinv/puppet/sssd.py
@@ -236,7 +236,7 @@ class SssdPuppet(base.BasePuppet):
 'debug_level': '0x0270',
 'id_provider': 'ldap',
 'access_provider': 'ldap',
- 'ldap_id_mapping': 'true',
+ 'ldap_id_mapping': 'false',
 'ldap_schema': 'rfc2307bis',
 'ldap_user_object_class': 'user',
 'ldap_group_member': 'member',
@@ -245,8 +245,6 @@ class SssdPuppet(base.BasePuppet):
 'ldap_user_principal': 'userPrincipalName',
 'ldap_user_name': 'sAMAccountName',
 'ldap_group_name': 'sAMAccountName',
- 'ldap_user_objectsid': 'objectSid',
- 'ldap_group_objectsid': 'objectSid',
 'ldap_user_primary_group': 'primaryGroupID',
 'case_sensitive': 'false',
 'default_shell': '/bin/bash',
@@ -279,7 +277,7 @@ class SssdPuppet(base.BasePuppet):
 domain_parameters['ldap_uri'] = uri
 domain_parameters['ldap_access_filter'] = access_filter
 domain_parameters['ldap_search_base'] = search_base
- sudo_search_base = "OU=sudoers" + search_base[search_base.find(','):]
+ sudo_search_base = "OU=sudoers" + search_base[search_base.find('DC='):]
 domain_parameters['ldap_sudo_search_base'] = sudo_search_base
 domain_parameters['ldap_default_bind_dn'] = default_bind_dn
 domain_parameters['ldap_default_authtok'] = default_authtok
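Review bot: Setting `'ldap_id_mapping': 'false'` makes SSSD take Linux UIDs and GIDs verbatim from the directory's `uidNumber`/`gidNumber` attributes, so whoever can edit those attributes in WAD now decides which local identity a WAD account maps to, and nothing in this hunk bounds the accepted range; as far as I know entries that lack the attributes are simply not resolved any more. Consider adding `'min_id'`/`'max_id'` next to it so a directory-supplied ID cannot collide with local system accounts, and a comment such as `# id mapping off: WAD users/groups must carry uidNumber/gidNumber (e.g. sys_protected -> 345)` recording the server-side prerequisite the commit message relies on. The dictionary literal this hunk edits starts and ends outside the hunk.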
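Review bot: The new `sudo_search_base` drops the DN separator: the slice now begins at the `D` of `DC=`, so for an illustrative base `OU=Users,DC=example,DC=com` the result is `OU=sudoersDC=example,DC=com` instead of `OU=sudoers,DC=example,DC=com`, whereas the removed line kept the comma because its slice began at the `,`. The literal should become `sudo_search_base = "OU=sudoers," + search_base[search_base.find('DC='):]`. Both the old and new forms also fall through to `search_base[-1:]` when the marker is absent, since `find` returns -1, and `'DC='` is matched case-sensitively although DN attribute types are not, so a lowercase `dc=` base silently yields a bogus sudo search base and no sudo rules; checking the `find` result and raising or logging on -1 would surface the misconfiguration. The enclosing method starts and ends outside the hunk.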