feat: add anonymousdse_enabled config option #79
Conversation
`anonymousdse` must be enabled for applications like SSSD to successfully bind to the Glauth server, but it's recommended to keep it off if not using applications that need to anonymously query the root DSE. Signed-off-by: Jason C. Nucciarone <[email protected]>
Thanks for the contribution, lgtm. Only 1 comment:
Should we add an anonymousdse_enabled field in the ldap provider databag so that the requirer charm can block if it requires it in order to work?
Alternatively we could add anonymousdse_required to the ldap requirer databag so that we can log an error/block on glauth side.
(I am fine with merging this PR as it is and implementing this change at a different PR)
@wood-push-melon what do you think?
yep, good suggestion to me. The only tiny concern about the configuration is the case when multiple requirer charms are integrated with a single glauth charm. In this case, if the configuration is turned on, that means true for all requirers (correct me if I'm wrong). We probably would need to make users aware of that and carefully evaluate it before they turn it on.
I do have
This feature sounds like a good idea to me! That way SSSD doesn't silently fail in the backend on the machine charms. I would agree that this should be a separate PR however as it requires changing both integrations.py and the
yeah, what I meant was that we probably need to put something somewhere (maybe security.MD?) to let users be aware of how to properly use this configuration, the risk if they would like to turn it on, and what they probably need to do (depending on their use cases and deployments). We can do it later, definitely not in this PR.
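A sketch of the databag handshake discussed above, added here as an illustration; it is not code from the glauth charm, its reviewers, or the SSSD operator. The field names anonymousdse_enabled and anonymousdse_required are the ones proposed in the thread, the "block when required but disabled" behaviour is assumed, and Juju's string-valued relation databags are modelled as plain dicts so the logic runs offline:

```python
# Juju relation databags carry strings; "true"/"false" is the usual boolean encoding.
def databag_bool(raw, default=False):
    if raw is None:
        return default
    return raw.strip().lower() in ("true", "yes", "1")


def provider_status(anonymousdse_enabled, requirer_databags):
    """glauth (provider) side. Takes the charm's anonymousdse config value and the
    ldap requirer databags keyed by remote application name; returns the databag to
    publish plus status messages (assumed pattern: block when a requirer needs the
    anonymous root DSE but the option is off)."""
    published = {"anonymousdse_enabled": str(anonymousdse_enabled).lower()}
    messages = []
    need = [app for app, bag in requirer_databags.items()
            if databag_bool(bag.get("anonymousdse_required"))]
    if need and not anonymousdse_enabled:
        messages.append("blocked: anonymousdse disabled but required by "
                        + ", ".join(sorted(need)))
    # The option is global to the glauth server: turning it on exposes the root DSE
    # anonymously to every requirer (and every LDAP client), not only those that asked.
    if anonymousdse_enabled:
        others = sorted(set(requirer_databags) - set(need))
        if others:
            messages.append("warning: anonymousdse enabled for all requirers, including "
                            + ", ".join(others))
    return published, messages


def requirer_status(requires_anonymousdse, provider_databag):
    """Requirer side (e.g. an SSSD charm): publish the requirement and block until the
    provider reports anonymousdse_enabled=true, instead of failing silently at bind time."""
    published = {"anonymousdse_required": str(requires_anonymousdse).lower()}
    if requires_anonymousdse and not databag_bool(provider_databag.get("anonymousdse_enabled")):
        return published, "blocked: LDAP provider has anonymousdse disabled"
    return published, "active"
```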
LGTM
anonymousdse must be enabled for applications like SSSD to successfully bind to the Glauth server, but it's recommended to keep the option set to false if you're not using applications that need to anonymously query the root DSE. See the Glauth Security documentation for more info. This option is needed for the SSSD operator in Charmed HPC to successfully bind to the Glauth service, otherwise the SSSD service will silently fail in background with the error message "Insufficient permissions (50)". Once anonymousdse is enabled, SSSD successfully binds to Glauth if also using the patches provided in #78.