Univention Bugzilla – Full Text Bug Listing

| Summary: | Make subnet filtering configurable for Kerberos-Auth in SAML-IdP | | |
|---|---|---|---|
| Product: | UCS | Reporter: | Michel Smidt <michelsmidt> |
| Component: | SAML | Assignee: | Florian Best <best> |
| Status: | CLOSED FIXED | QA Contact: | Julia Bremer <bremer> |
| Severity: | normal | | |
| Priority: | P5 | CC: | best, bremer, damrose |
| Version: | UCS 4.4 | Flags: | best: Patch_Available+ |
| Target Milestone: | UCS 4.4-2-errata | | |
| Hardware: | Other | | |
| OS: | Mac OS X 10.1 | | |
| What kind of report is it?: | Bug Report | What type of bug is this?: | 5: Major Usability: Impairs usability in key scenarios |
| Who will be affected by this bug?: | 2: Will only affect a few installed domains | How will those affected feel about the bug?: | 5: Blocking further progress on the daily work |
| User Pain: | 0.286 | Enterprise Customer affected?: | |
| School Customer affected?: | Yes | ISV affected?: | |
| Waiting Support: | | Flags outvoted (downgraded) after PO Review: | |
| Ticket number: | | Bug group (optional): | |
| Max CVSS v3 score: | | | |
| Bug Depends on: | | | |
| Bug Blocks: | 56474, 50533 | | |
Description

Michel Smidt, 2019-05-16 09:41:29 CEST

The effort to add this is low, just add a UCRv that configures a line in /etc/univention/templates/files/etc/simplesamlphp/01authsources-negotiate.php:

```
'subnet' => array('127.0.0.0/16','192.168.0.0/16'),
```

Customer asked for it because it would be a workaround for Bug #47242 and blocks the further rollout of schools.

Patch in branch git:fbest/49485-saml-negotiate-filter-subnets.

```
+[saml/idp/negotiate/filter-subnets]
+Description[de]=Beschränkt die Anmeldung per Kerberos / HTTP Negotiate auf Anfragen aus dem angegebenen Subnetz. Der Wert ist eine kommaseparierte Liste von Netzwerken (z.B.: 127.0.0.0/16,192.168.0.0/16).
+Description[en]=Restrict single sign on via Kerberos / HTTP negotiate only to clients requesting from the specified subnet. The value is a comma spearated list of networks (example: 127.0.0.0/16,192.168.0.0/16).
+Type=str
+Categories=saml
```

univention-saml (6.0.2-9)
0d3489f1a3f4 | Bug #49485: allow to restrict negotiate authentication to certain IP networks

univention-saml.yaml
0d3489f1a3f4 | Bug #49485: allow to restrict negotiate authentication to certain IP networks

The package didn't declare a build dependency to python-support and therefore the UDM handler was not correctly installed. This let all tests fail / not be executed:

```
23:49:25 [master091] . utils.sh; assert_join
23:49:56
23:49:56 stdout: Warning: 'univention-saml' is not configured.
23:49:56 Warning: 'univention-management-console-web-server' is not configured.
23:49:56 Error: Not all install files configured: 2 missing
23:49:56 Warning: 'univention-saml' is not configured.
23:49:56 Warning: 'univention-management-console-web-server' is not configured.
23:49:56 Error: Not all install files configured: 2 missing
23:49:56 Warning: 'univention-saml' is not configured.
23:49:56 Warning: 'univention-management-console-web-server' is not configured.
23:49:56 Error: Not all install files configured: 2 missing
```

join.log:

```
Object created: cn=serviceprovider,cn=custom attributes,cn=univention,dc=AutoTest091,dc=local
unknown module saml/serviceprovider. Available Modules are: …
__JOINERR__:FAILED: /usr/lib/univention-install/91univention-saml.inst
```

Fixed in: univention-saml (6.0.2-12)
4b48e227b564 | Bug #49485: add missing build dependency to python-support

UCR-Variable sets /etc/simplesamlphp/authsources.php: OK
UCR-Variable description: OK
Only UCS Clients in set subnet can use Kerberos-Auth in Saml: OK
Only Windows Clients "": OK
Yaml: OK
missing build dependency added: OK
Verified
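Review bot: the `+Description[en]=` line of the new `saml/idp/negotiate/filter-subnets` registry entry misspells "separated" as "spearated"; this text is shown to administrators in the UCR variable description, so it should read "a comma separated list of networks". Neither description says what an unset or empty value means (whether Negotiate authentication is then offered to every client or to none), which is exactly what an administrator reading the entry needs to know before relying on it as a workaround for Bug #47242; add one sentence stating the default behaviour.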
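The description above sketches the mechanism: a UCR variable whose comma-separated value is rendered into the `'subnet' => array(...)` entry of the negotiate auth source, which the IdP then uses to decide whether a client is offered Kerberos/HTTP Negotiate at all. As an added example (not code from this bug, the branch or the univention-saml package) the Python below models that pipeline: it parses and validates the variable, renders the PHP line, and reproduces the per-client decision so an administrator can check which addresses a given value actually admits. The function names, the sample value and the handling of an empty value (no `subnet` line is emitted, which SimpleSAMLphp's negotiate module is assumed to treat as "no restriction") are assumptions, not the package's real template.

```python
import ipaddress

# Constructed sample value of saml/idp/negotiate/filter-subnets (not from a real system).
SAMPLE_UCR_VALUE = "127.0.0.0/16, 192.168.0.0/16,2001:db8::/32"


def parse_filter_subnets(value):
    """Split the comma-separated UCR value into validated IP networks.

    Whitespace around entries is tolerated and empty entries are skipped.
    A malformed entry raises ValueError so that a typo fails loudly instead
    of silently widening or disabling the filter.
    """
    nets = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        # strict=False accepts host bits set, e.g. 192.168.1.1/24 -> 192.168.1.0/24
        nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def render_authsource_subnet_line(nets):
    """Render the PHP line written into the negotiate auth source.

    Hypothetical rendering: with no networks configured the line is omitted
    entirely (assumed to leave the module unrestricted); otherwise the
    networks are emitted in the array form shown in the bug description.
    """
    if not nets:
        return ""
    quoted = ",".join("'%s'" % n.with_prefixlen for n in nets)
    return "'subnet' => array(%s)," % quoted


def negotiate_allowed(client_ip, nets):
    """Decide whether a client is offered Kerberos/HTTP Negotiate.

    Mirrors the assumed module behaviour: no configured networks means every
    client gets the Negotiate challenge; otherwise only clients inside at
    least one configured network do, and everyone else falls through to the
    next auth source (e.g. the password form). Address-family mismatches
    (an IPv4 client against an IPv6 network) simply do not match.
    """
    if not nets:
        return True
    addr = ipaddress.ip_address(client_ip)
    return any(addr in n for n in nets)


if __name__ == "__main__":
    nets = parse_filter_subnets(SAMPLE_UCR_VALUE)
    print(render_authsource_subnet_line(nets))
    for ip in ("192.168.42.7", "10.0.0.5", "2001:db8::1"):
        print(ip, "->", "negotiate" if negotiate_allowed(ip, nets) else "fallback")
```

Running the file with the constructed value prints the rendered `'subnet' => array(...)` line and shows that only the two RFC 1918/loopback ranges and the documentation IPv6 prefix are offered Negotiate; a client from 10.0.0.5 falls back to the next auth source.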