@justin-stephenson justin-stephenson commented Apr 11, 2025

Add support for ID override templates for Trusted AD/IPA users.

Testing this PR can be done with https://copr.fedorainfracloud.org/coprs/abbra/wip-ipa-trust/ which contains FreeIPA ID override templates code, and an SSSD build with these code changes.

=====================

Add functionality for SSSD to apply domain templates and global templates as fallback override values to trusted IDM and AD users.

Templates are only assigned loginShell and/or homeDirectory attribute values. On the FreeIPA server, templates are added to ID views (Default trust view, or other) and will be used as fallback in ID override lookups. ID override templates can be set for user home directory (SSSD ‘override_homedir’ template syntax), or default login shell.

Two types of templates will exist, domain templates and global templates. Allow specifying a template entry for trusted domain users.

--template <domain> – specify per-domain templates that apply to all users in the trusted domain <domain>
--global-template – specify a global template that applies to any authenticated user from a trusted domain

=====================

Domain template can be added with:

# ipa idoverrideuser-add 'example_for_c1' '*' --template ipa2demo.test --homedir /home/%d/%u-DOMAIN --shell /bin/ksh

Global template can be added with:

# ipa idoverrideuser-add 'example_for_c1' '*' --global-template --homedir /home/%d/%u-GLOBAL --shell /bin/csh
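
How the two templates above would resolve for one trusted user, as an added example that is not part of this PR and not SSSD's code. Assumptions: the function names are hypothetical, the user "alice" is constructed, only `%u`, `%d` and `%%` are handled, and the lookup order (the user's own override, then the domain template, then the global template) is assumed rather than stated in the PR.

```c
#include <stdio.h>
#include <string.h>

/* Expand %u (login name), %d (domain name) and %% in a home directory
 * template. Returns 0 on success, -1 on an unsupported sequence or when
 * the result does not fit in out. Hypothetical helper, not SSSD code. */
int expand_homedir(const char *tmpl, const char *user, const char *domain,
                   char *out, size_t outlen)
{
    size_t pos = 0;
    if (outlen == 0) return -1;
    for (const char *p = tmpl; *p != '\0'; p++) {
        const char *piece = p;      /* default: copy one literal byte */
        size_t len = 1;
        if (*p == '%') {
            p++;
            switch (*p) {
            case 'u': piece = user;   len = strlen(user);   break;
            case 'd': piece = domain; len = strlen(domain); break;
            case '%': piece = "%";    break;
            default:  return -1;    /* unknown or trailing '%' */
            }
        }
        if (len >= outlen - pos) return -1;   /* keep room for the NUL */
        memcpy(out + pos, piece, len);
        pos += len;
    }
    out[pos] = '\0';
    return 0;
}

/* Assumed order: the user's own override, then the domain template,
 * then the global template. NULL means "not set". */
const char *pick_template(const char *user_ovr, const char *domain_tmpl,
                          const char *global_tmpl)
{
    if (user_ovr != NULL) return user_ovr;
    return domain_tmpl != NULL ? domain_tmpl : global_tmpl;
}

int main(void)
{
    char home[128];
    /* Constructed input: user "alice" with no override of her own. */
    const char *t = pick_template(NULL, "/home/%d/%u-DOMAIN", "/home/%d/%u-GLOBAL");
    if (expand_homedir(t, "alice", "ipa2demo.test", home, sizeof(home)) == 0)
        puts(home);
    return 0;
}
```
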

@alexey-tikhonov
Member

Is it kind of "addition" to IPA-IPA trust support, and thus should go to sssd-2-9 as well?

@justin-stephenson
Contributor Author

> Is it kind of "addition" to IPA-IPA trust support, and thus should go to sssd-2-9 as well?

Yes, I added the label.

@justin-stephenson justin-stephenson force-pushed the id_override_templates_v4 branch 2 times, most recently from 85945ee to c719017 Compare April 11, 2025 15:25
@alexey-tikhonov
Member

Hi @justin-stephenson,
could you please expand commit messages and maybe add a release note?

@justin-stephenson justin-stephenson force-pushed the id_override_templates_v4 branch from c719017 to a60320b Compare April 14, 2025 18:04
@justin-stephenson
Contributor Author

> Hi @justin-stephenson, could you please expand commit messages and maybe add a release note?

Updated.

Contributor

@aplopez aplopez left a comment

Haven't finished yet, but I already have two comments that I can share.

@justin-stephenson justin-stephenson force-pushed the id_override_templates_v4 branch 2 times, most recently from b8dc7d1 to 2c001ce Compare May 13, 2025 15:41
Contributor

@aplopez aplopez left a comment

LGTM. Thanks.

@alexey-tikhonov alexey-tikhonov added Waiting for review coverity Trigger a coverity scan Accepted and removed coverity Trigger a coverity scan Waiting for review labels Jul 25, 2025
@sumit-bose
Contributor

Hi,

I'm still fine with the current state, CI failures do not seem related.

bye,
Sumit

@alexey-tikhonov alexey-tikhonov added coverity Trigger a coverity scan and removed coverity Trigger a coverity scan labels Jul 29, 2025
@justin-stephenson justin-stephenson force-pushed the id_override_templates_v4 branch from 25fdd71 to a6501f4 Compare July 29, 2025 16:58
Retrieve ID override templates on subdomain
initialization. When overrides are checked
during IPA lookups, check for fallback template
values.

:relnote: SSSD now checks for existence of ID override templates
          in an IPA provider configuration. ID override templates
          support overriding loginShell and homeDirectory values
          for trusted AD, or upcoming IPA-IPA trusted users. This
          behavior is enabled by default.
@justin-stephenson justin-stephenson force-pushed the id_override_templates_v4 branch from a6501f4 to 520081c Compare July 29, 2025 17:20
@alexey-tikhonov alexey-tikhonov added coverity Trigger a coverity scan and removed Changes requested coverity Trigger a coverity scan labels Jul 29, 2025
@alexey-tikhonov
Member

Note: Covscan is green.

@alexey-tikhonov
Member

All failed system tests are due to 'pylibsshext.errors.LibsshChannelException: Failed to open_session: [-2]'

@alexey-tikhonov alexey-tikhonov added the Ready to push label Jul 30, 2025
@alexey-tikhonov
Member

Pushed PR: #7924

  • master
    • 753c76f - IPA: Support ID override templates
    • f1768ba - SYSDB: Support ID override templates
    • e7a3cac - CONFDB: Store domain ID override templates
    • 6c29c14 - UTIL: Add string_ends_with utility function
  • sssd-2-9
    • bbe9200 - IPA: Support ID override templates
    • 17c10b9 - SYSDB: Support ID override templates
    • deafbfc - CONFDB: Store domain ID override templates
    • 480772b - UTIL: Add string_ends_with utility function
