diff --git a/lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb b/lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb index ca9a15d1..b2264d9b 100644 --- a/lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb +++ b/lib/manageiq/appliance_console/external_httpd_authentication/external_httpd_configuration.rb @@ -31,11 +31,12 @@ module ExternalHttpdConfiguration TIMESTAMP_FORMAT = "%Y%m%d_%H%M%S".freeze LDAP_ATTRS = { - "mail" => "REMOTE_USER_EMAIL", - "givenname" => "REMOTE_USER_FIRSTNAME", - "sn" => "REMOTE_USER_LASTNAME", - "displayname" => "REMOTE_USER_FULLNAME", - "domainname" => "REMOTE_USER_DOMAIN" + "mail" => "REMOTE_USER_EMAIL", + "givenname" => "REMOTE_USER_FIRSTNAME", + "sn" => "REMOTE_USER_LASTNAME", + "displayname" => "REMOTE_USER_FULLNAME", + "domainname" => "REMOTE_USER_DOMAIN", + "krbPrincipalName" => "REMOTE_USER_PRINCIPAL" }.freeze def template_directory diff --git a/spec/external_httpd_authentication_spec.rb b/spec/external_httpd_authentication_spec.rb index bf71ff16..b1fff0f3 100644 --- a/spec/external_httpd_authentication_spec.rb +++ b/spec/external_httpd_authentication_spec.rb @@ -204,4 +204,75 @@ expect(described_class.config_status).to eq("External Auth SAML") end end + + context "#configure_sssd_domain" do + let(:domain) { "example.com" } + let(:base_config) do + <<~CONFIG + [sssd] + services = nss, pam + + [domain/example.com] + id_provider = ipa + ipa_server = ipa.example.com + CONFIG + end + + it "adds ldap_user_extra_attrs when not present" do + config = base_config.dup + subject.send(:configure_sssd_domain, config, domain) + expect(config).to include("ldap_user_extra_attrs = mail, givenname, sn, displayname, domainname, krbPrincipalName") + end + + it "updates existing ldap_user_extra_attrs" do + config = "#{base_config} ldap_user_extra_attrs = mail\n" + subject.send(:configure_sssd_domain, config, domain) + + # Verify the line contains all expected attributes + expect(config).to include("ldap_user_extra_attrs = mail, givenname, sn, displayname, domainname, krbPrincipalName") + + # Verify there's only one ldap_user_extra_attrs line + expect(config.scan("ldap_user_extra_attrs").length).to eq(1) + + # Verify the original "mail" only value was replaced, not just appended + expect(config).not_to include("ldap_user_extra_attrs = mail\n") + end + + it "preserves existing configuration while adding attributes" do + config = base_config.dup + subject.send(:configure_sssd_domain, config, domain) + expect(config).to include("id_provider = ipa") + expect(config).to include("ipa_server = ipa.example.com") + end + end + + context "#configure_sssd_ifp" do + let(:base_config) do + <<~CONFIG + [sssd] + services = nss, pam + CONFIG + end + + it "adds [ifp] section when not present" do + config = base_config.dup + subject.send(:configure_sssd_ifp, config) + expect(config).to include("[ifp]") + expect(config).to include("allowed_uids = apache, root, manageiq") + expect(config).to include("user_attributes = +mail, +givenname, +sn, +displayname, +domainname, +krbPrincipalName") + end + + it "updates user_attributes in existing [ifp] section" do + config = "#{base_config}\n[ifp]\nallowed_uids = apache\nuser_attributes = +mail\n" + subject.send(:configure_sssd_ifp, config) + expect(config).to include("user_attributes = +mail, +givenname, +sn, +displayname, +domainname, +krbPrincipalName") + expect(config.scan("user_attributes").length).to eq(1) + end + + it "adds user_attributes when [ifp] exists but user_attributes doesn't" do + config = "#{base_config}\n[ifp]\nallowed_uids = apache\n" + subject.send(:configure_sssd_ifp, config) + expect(config).to include("user_attributes = +mail, +givenname, +sn, +displayname, +domainname, +krbPrincipalName") + end + end end