websms/freeipa
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
freeipa/doc/designs/adtrust/sudorules-with-ad-objects.md
geos_one 9181ee2487 Import Upstream version 4.12.4
2025-08-12 22:28:56 +02:00

208 lines
8.7 KiB
Markdown
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Include users and groups from a trusted Active Directory domain into SUDO rules
Allow users and groups from trusted Active Directory forests to be directly
added to SUDO rules.
## Use Cases
* As an FreeIPA administrator, I want to add AD users and groups directly to SUDO
rules without creating an indirect POSIX group membership for them.
## Design
### FreeIPA integration
FreeIPA manages and stores SUDO rules in LDAP and SSSD retrieves the rules
related to the specific host it runs on. The rules are then provided to SUDO
via a special SUDOERS plugin which is talking to SSSD.
SUDOERS allows multiple ways of expressing users and groups as a part of the rule.
According to the SUDOERS manual page, the following syntax is supported:
```console
User ::= '!'* user name |
'!'* #uid |
'!'* %group |
'!'* %#gid |
'!'* +netgroup |
'!'* %:nonunix_group |
'!'* %:#nonunix_gid |
'!'* User_Alias
```
> A `User_List` is made up of one or more user names, user-IDs (prefixed with #),
> system group names and IDs (prefixed with `%` and `%#` respectively), netgroups
> (prefixed with +), non-Unix group names and IDs (prefixed with `%:` and `%:#`
> respectively) and `User_Aliases`. Each list item may be prefixed with zero or
> more `!` operators. An odd number of `!` operators negate the value of the
> item; an even number just cancel each other out. User netgroups are matched
> using the user and domain members only; the host member is not used when
> matching.
As can be seen from the SUDOERs definition of a `User`, any object that maps
into a user or a group is allowed. LDAP schema used to model SUDO rules in
FreeIPA does require SUDO `User` references to be real LDAP objects. In order
to support non-LDAP objects both FreeIPA and SSSD support a special attribute
`externalUser`. `externalUser` is a string that is merged with other `User`
references at SSSD side.
SSSD already supports querying with first five forms. When SUDO rules are
retrieved from FreeIPA, the references for groups are converted to `%group`
format in SSSD database. Correspondingly, ID-based forms (`#uid` and `%#gid`)
are added as well. It does not, however, support queries for non-Unix group
names and IDs.
SSSD team decided to not support `%:nonunix_group` and `%:nonunix_gid` syntax.
Without changes on SSSD side it will be not possible to support them.
Since in FreeIPA environment all AD users and groups resolvable by SSSD will
have POSIX attributes, they can be queried with the first four name forms.
### Implementation
FreeIPA framework's LDAP abstraction layer allows to validate and transform
membership information when members are added to 'group' objects or removed
from them. SUDO rules represent one such 'group' object.
LDAP abstraction layer provides `add_external_pre_callback()` method that
allows to redefine validators used to validate member names. Originally this
was done to allow hostname validation and reused default validators associated
with a parameter type associated with a specific parameter.
We extend `add_external_pre_callback()` to provide per-object validator
callbacks.
Validator callbacks can be extended to allow a fine grained validation
strategy. This is helpful to apply an alternative validation strategy in the
case a default validator fails.
New validators can be added to `member_validator` registry in a similar
way to how API objects are registered:
```python
from .baseldap import member_validator
@member_validator(membertype='foo')
def my_new_validator(ldap, dn, keys, options, value):
<validate value here>
```
Arguments passed to the validator are arguments passed to the
`add_external_pre_callback()` augmented with the value to validate.
This approach provides a general method to extend validation mechanism for any
parameter. The feature utilizes existing infrastructure for resolving objects
from trusted Active Directory forests provided by ID views plugin. Any user or
group from a trusted Active Directory domain can be resolved in the validator
and mapped to a user or group member type for SUDO rule inclusion.
Since `options` dictionary is the only object shared between the caller to
`add_external_pre_callback()` and the member type validator, ID views' member
type validator returns all validated values as a list stored as a
`trusted_objects` element of the `options` dictionary.
SUDO rule plugin implementation then processes the translated trusted object
members reported after calling the `add_external_pre_callback()`. Each
translated member is the one not found in LDAP as a direct reference and found
in a trusted domain. All these members are then added to `externalUser`
attribute.
Note that direct manipulation of `externalUser` attribute through IPA
parameters is not allowed since 2011 (FreeIPA tickets
https://pagure.io/freeipa/issue/1320). With membership validation method SUDO
rules can now handle those members through the normal `--users` mechanism.
Same approach is used to provide handling of `RunAs_Member` specification
which is mapped to either `ipaSudoRunAsExtUser` or `ipaSudoRunAsExtGroup`.
#### Web UI
Web UI already allows to specify external users and groups in SUDO rules. Names
provided by the user weren't validated, now they are verified to belong to
trusted domains.
### Upgrade and migration
The changes to plugins do not require any schema updates because there are no
LDAP schema changes.
## Usage
In order to add an Active Directory user to a SUDO rule, there must be a trust
established to the Active Directory forest where a domain of the user is
located. Any modification of SUDO rules with Active Directory users and groups
should happen on Trust Controllers or Trust Agents because other IPA replica
types are unable to validate AD users and group.
### Sample usage
Below example shows a generic usage of SUDO rules with AD users. It assumes we
want to allow an Active Directory user(s) ability to operate on all hosts and
all commands without authentication. In real life it is not recommended to
grant so wide access.
1. As admin, create an HBAC rule to permit all users to run SUDO on all hosts:
```console
ipa hbacrule-add hbacrule --usercat=all --hostcat=all
ipa hbacrule-add-service hbacrule --hbacsvcs=sudo
```
2. As an admin, create SUDO rule that allows to run all commands on all hosts:
```console
ipa sudocmd-add ALL
ipa sudorule-add sudorule --hostcat=all
ipa sudorule-add-option sudorule --sudooption '!authenticate'
ipa sudorule-add-allow-command sudorule --sudocmds ALL
```
2. Add `ad-user\@ad.example.test` to the SUDO rule:
```console
ipa sudorule-add-user sudorule --users ad-user@ad.example.test
```
3. Alternatively, add an Active Directory group `somegroup@ad.example.test` to the SUDO rule:
```console
ipa sudorule-add-user sudorule --groups 'somegroup@ad.example.test'
```
4. On an IPA-enrolled client, perform SUDO access as an Active Directory user:
```console
# su - ad-user@ad.example.test -c 'sudo -l'
Matching Defaults entries for ad-user@ad.example.test on client:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User ad-user@ad.example.test may run the following commands on master:
(root) NOPASSWD: ALL
```
5. To limit rule execution to a specific user and/or group, `runAsUser` and
`runAsGroup` properties can be set individually:
```console
ipa sudorule-add-runasuser sudorule --users 'ad-user@ad.example.test'
ipa sudorule-add-runasgroup sudorule --groups 'somegroup@ad.example.test'
```
6. The limits will be reflected in `sudo -l` output:
```console
# su - ad-user@ad.example.test -c 'sudo -l'
Matching Defaults entries for ad-user@ad.example.test on client:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User ad-user@ad.example.test may run the following commands on master:
(ad-user@ad.example.test : "%somegroup@ad.example.test") NOPASSWD: ALL
```
Reference in New Issue View Git Blame Copy Permalink