SSSD / sssd

A daemon to manage identity, authentication and authorization for centrally-managed systems.
https://sssd.io
GNU General Public License v3.0

Debian 12 sssd (2.8.2) doesn't support host regexp when enabling access_provider=ldap and ldap_access_order=host #7263

Open guiguithub opened 5 months ago

guiguithub commented 5 months ago

I'm working on Debian 12 servers and I need to filter users by hosts. Enabling comparison also with regexp could be useful instead of having a static list of servers in host attributes on my LDAP server.

It seems the file to be modified is src/providers/ldap/sdap_access.c, in the function sdap_access_host_comp (line 1251), which could look something like this:

```c
#include <regex.h>   /* regcomp/regexec/regfree, added to sdap_access.c's includes */

static errno_t sdap_access_host_comp(struct ldb_message_element *el,
                                     char *hostname)
{
    errno_t ret = ENOENT;
    unsigned int i;
    char *host;
    char *pattern;
    size_t len;
    regex_t regex;
    int rc;

    for (i = 0; i < el->num_values; i++) {
        host = (char *)el->values[i].data;
        len = strlen(host);

        /* A value written as "/pattern/" is an extended regular expression.
         * len >= 2 guards against an empty value and a lone "/". */
        if (len >= 2 && host[0] == '/' && host[len - 1] == '/') {
            /* Compile only the text between the slashes */
            pattern = talloc_strndup(NULL, host + 1, len - 2);
            if (pattern == NULL) {
                return ENOMEM;
            }
            rc = regcomp(&regex, pattern, REG_EXTENDED | REG_NOSUB);
            talloc_free(pattern);
            if (rc != 0) {
                /* An invalid pattern never grants access; skip it */
                DEBUG(SSSDBG_CONF_SETTINGS,
                      "Error: Invalid regular expression: %s\n", host);
                continue;
            }

            /* The match is unanchored unless the pattern itself uses ^ and $ */
            rc = regexec(&regex, hostname, 0, NULL, 0);
            regfree(&regex);
            if (rc == 0) {
                /* Granted, but keep looping: a later "!host" value must
                 * still be able to deny, exactly as for "*" below */
                DEBUG(SSSDBG_CONF_SETTINGS,
                      "Access granted for [%s] (regex)\n", host);
                ret = EOK;
            }
        } else if (host[0] == '!' && strcasecmp(hostname, host + 1) == 0) {
            /* This host is explicitly denied */
            DEBUG(SSSDBG_CONF_SETTINGS, "Access denied by [%s]\n", host);
            return ERR_ACCESS_DENIED;
        } else if (strcasecmp(hostname, host) == 0 || strcmp("*", host) == 0) {
            /* This host is explicitly allowed or '*' is specified */
            DEBUG(SSSDBG_CONF_SETTINGS, "Access granted for [%s]\n", host);
            ret = EOK;
        }
    }

    return ret;
}
```

I tried to rebuild on my own but didn't see much documentation on how to do it on Debian distros.

Thanks in advance for your help
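As an added stand-alone example (not sssd code and not from the issue author), the program below models how an ordered list of `host` attribute values would be combined under this proposal: `*`, an exact name or a matching `/regex/` records a tentative allow, scanning continues, and a later `!name` still denies. The function names, the `host_decision` enum and the sample hostnames are constructed for illustration; compiling each `/regex/` case-insensitively to mirror the `strcasecmp` exact match is an assumption.

```c
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

enum host_decision { HOST_NO_MATCH, HOST_ALLOW, HOST_DENY }; /* stand-ins for ENOENT/EOK/ERR_ACCESS_DENIED */

/* Treat "/pattern/" as an ERE: 0 = match, 1 = no match, -1 = not a regex value or invalid pattern */
static int regex_value_matches(const char *value, const char *hostname)
{
    size_t len = strlen(value);
    if (len < 2 || value[0] != '/' || value[len - 1] != '/') return -1;
    char *pattern = malloc(len - 1);              /* text between the slashes */
    if (pattern == NULL) return -1;
    snprintf(pattern, len - 1, "%s", value + 1);  /* truncates before the last '/' */
    regex_t re;
    int rc = regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB | REG_ICASE);
    free(pattern);
    if (rc != 0) return -1;                       /* invalid pattern never grants */
    rc = regexec(&re, hostname, 0, NULL, 0);
    regfree(&re);
    return rc == 0 ? 0 : 1;
}

/* Walk the ordered values as sdap_access_host_comp does: allows are tentative and
 * scanning continues, "!name" denies immediately, so a deny after a broad regex wins. */
enum host_decision evaluate_host_values(const char *const *values, size_t n,
                                        const char *hostname)
{
    enum host_decision decision = HOST_NO_MATCH;
    for (size_t i = 0; i < n; i++) {
        const char *v = values[i];
        if (v[0] == '!' && strcasecmp(hostname, v + 1) == 0) return HOST_DENY;
        if (strcmp("*", v) == 0 || strcasecmp(hostname, v) == 0 ||
            regex_value_matches(v, hostname) == 0)
            decision = HOST_ALLOW;
    }
    return decision;
}

int main(void)
{
    /* Constructed sample attribute values and hostnames; not from any real directory */
    const char *const values[] = { "/^web[0-9]+\\.example\\.com$/", "!web3.example.com" };
    const char *hosts[] = { "web1.example.com", "web3.example.com", "db1.example.com" };
    for (size_t i = 0; i < 3; i++)
        printf("%-18s -> %d\n", hosts[i], evaluate_host_values(values, 2, hosts[i]));
    return 0;
}
```

Note that an unanchored value such as `/web/` also matches `notwebhost.example.com`, so patterns stored in the directory should carry `^` and `$`.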

alexey-tikhonov commented 5 months ago

> I tried to rebuild on my own but didn't see much documentation on how to do it on Debian distros

It should be pretty much distribution agnostic:

```sh
autoreconf -if
./configure ...
sudo make install
```

The catch is proper args for ./configure. You can take a look at how the Debian package is built here: https://salsa.debian.org/sssd-team/sssd/-/blob/master/debian/rules?ref_type=heads#L30

https://github.com/SSSD/sssd/blob/master/contrib/ci/deps.sh#L103 lists Debian build dependencies.

sandinak commented 1 month ago

+1 on this idea, or perhaps allowing definition of a groupname in sssd.conf on endpoints that could be matched explicitly. Something like `ldap_sudo_hostgroup_name`... and then a check in the code similar to:

```c
        /* hostgroup_name: the value of a proposed sssd.conf option (e.g. ldap_sudo_hostgroup_name) */
        } else if (strcasecmp(hostname, hostgroup_name) == 0) {
            /* This host is explicitly allowed */
            DEBUG(SSSDBG_CONF_SETTINGS,
                  "Access granted for hostgroup %s for [%s]\n",
                  hostgroup_name, host);
            /* We still need to loop through to make sure
             * that it's not also explicitly denied
             */
            ret = EOK;
        }
```