WAD users can't authenticate with oidc-auth

When Windows Active Directory users are configured in the system
and they are logged in through SSH, their username has two parts,
the username and the WAD domain which the user belongs to; check the
environment variables USER and HOME.

USER: wadusername@ad.wad.domain.com
HOME: /home/ad.wad.domain.com/wadusername

When oidc-auth-apps is configured to authenticate through WAD backend
we provide through dex overrides, all the required WAD information
including the WAD domain. However, the oidc-auth script used the
username wrongly ( WAD username + @ + WAD domain ) to perform the
authentication with dex.

Dex requires only the username portion since we already provided the
WAD domain during the configuration.

In other words, when a WAD user is logged into the system and needs
to authenticate through oidc-auth to receive kubernetes privileges,
the oidc-auth script needs to inform only the 'wadusername' portion,
not 'wadusername@ad.wad.domain.com' including the @domain.

How to know if the oidc-auth script is used by a WAD user?

The current SSSD configuration defines the home directory for wad users
as follows:

/etc/sssd/sssd.conf
fallback_homedir = /home/%d/%u

Where:
%d: represents the WAD (Windows Active Directory) domain.
%u: represents the username that belongs to the WAD server.

Normal users, not WAD, follow the pattern:
/home/%u

That way the oidc-auth script knows which kind of user is using it.

When the WAD user runs the oidc-auth script without giving any
options, the script will show a WARNING message giving the
guidelines to the correct usage of the script:

wadusername@ad.wad.domain.com@controller-0:~$ oidc-auth
WARNING: Windows Active Directory user detected
Please use:
(-u) option to specify the username without the WAD domain.
Usage:
    oidc-auth -u wadusername

wadusername@ad.wad.domain.com@controller-0:~$ oidc-auth -u wadusername
Password:
Login succeeded.
Updating kubectl config ...
User "wadusername" set.

Test Plan:
PASS: Build a master ISO with the changes.
PASS: Deploy a SX.
PASS: Apply & Test procedure:
      - Apply oidc-auth-apps according to the 'Set up OIDC Auth Applications'
      guide. The oidc-auth-apps should be applied successfully.
      - Once oidc-auth-apps is in applied status.

PASS: Configure WAD users to authenticate through SSH:
      - Follow the guide 'SSH User Authentication using Windows
      Active Directory (WAD)' to configure the WAD and let the WAD
      users authenticate through SSH.
      - WAD users should be able to authenticate through SSH.

PASS: Test oidc-auth script with WAD users logged in:
      - execute oidc-auth script without any option. The script
      should warn the user to provide the WAD username without domain.
      - execute oidc-auth script with -u option and the wadusername.
      The script should be able to authenticate this user successfully.

PASS: Test oidc-auth script with Local users logged in:
      - execute oidc-auth script without any option. The script should
      be able to authenticate this user successfully.

Closes-Bug: 2107559

Change-Id: I6962400d65ebb873ee43036ff1abcb8978bf58e7
Signed-off-by: Joaci Morais <joaci.demorais@windriver.com>
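An added illustration (not the oidc-auth script's own code) of the HOME-based WAD detection the commit message describes. It assumes the sssd fallback_homedir layout /home/%d/%u quoted above, and, unlike the commit's usage warning, strips a matching '@domain' suffix in code; the nested-home false positive at the end is the caveat to keep in mind.

```python
import re

# Same shape as the commit's pattern: a WAD home is /home/<domain>/<user>,
# where the domain contains at least one dot (sssd fallback_homedir = /home/%d/%u).
WAD_HOME_RE = re.compile(r'^/home/([^/]+\.[^/]+)/([^/]+)$')
LOCAL_HOME_RE = re.compile(r'^/home/([^/]+)$')


def classify_home(home_path):
    """Return ('wad', domain, user), ('local', user) or None for an unrecognised HOME."""
    path = home_path.rstrip('/')
    m = WAD_HOME_RE.match(path)
    if m:
        return ('wad', m.group(1), m.group(2))
    m = LOCAL_HOME_RE.match(path)
    if m:
        return ('local', m.group(1))
    return None


def dex_username(home_path, user_env, username_arg=None):
    """Username to hand to dex: the -u value wins, otherwise USER is used.

    For a WAD user the '@<domain>' suffix is dropped, because dex already knows
    the domain from the oidc-auth-apps overrides. Only the domain taken from
    HOME is stripped, so an unrelated '@something' in -u is left untouched.
    """
    name = username_arg if username_arg else user_env
    kind = classify_home(home_path)
    if kind and kind[0] == 'wad':
        suffix = '@' + kind[1]
        if name.endswith(suffix):
            name = name[:-len(suffix)]
    return name


if __name__ == '__main__':
    # Constructed sample values mirroring the commit message, not real accounts.
    print(classify_home('/home/ad.wad.domain.com/wadusername'))
    print(dex_username('/home/ad.wad.domain.com/wadusername',
                       'wadusername@ad.wad.domain.com'))
    # Caveat: any two-level home whose first segment contains a dot looks like WAD.
    print(classify_home('/home/ops.team/alice'))
```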
This commit is contained in:
Joaci Morais 2025-04-17 10:16:55 -03:00
parent 1724dfc7b5
commit c5fe7e37f5


@ -45,6 +45,19 @@ def main():
client = args.client
cacert = args.cacert
home_path = os.getenv('HOME', '')
wad_pattern = r'^/home/([^/]+\.[^/]+)/([^/]+)$'
match_wad_user = re.match(wad_pattern, home_path)
if match_wad_user and not username:
wad_username = match_wad_user.group(2)
WARN_WAD_USER = f"""WARNING: Windows Active Directory user detected
Please use (-u) option to specify the username without the WAD domain
Usage:
oidc-auth -u {wad_username}"""
print(WARN_WAD_USER)
sys.exit(1)
if not username:
try:
username = getpass.getuser()
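Review bot: the new branch only fires when no username was given, so `oidc-auth -u wadusername@ad.wad.domain.com` still sends the full name to dex and reproduces the original failure; since `match_wad_user.group(1)` already holds the WAD domain, consider either stripping a trailing `@` + group(1) from the supplied username or rejecting it with the same warning. Two smaller points in the same hunk: the warning is printed to stdout with `print(WARN_WAD_USER)` before `sys.exit(1)`, and usage errors belong on stderr (`print(WARN_WAD_USER, file=sys.stderr)`) so callers that capture the script's output are not confused; and the `WARN_WAD_USER` uppercase name is a module-constant convention for what is a local f-string, so a lowercase name would match the surrounding code.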