authentication sources: matching rules for admin and sponsored access #3631

@nqb

Description

If you use administration rules in sources to give sponsored and/or admin access, you will notice the following results:

Admin access

  • if an AD source matches an admin user but has no admin rule specified, PF will not try other sources.
  • if an AD source matches an admin user with a "mark as sponsor" (only) rule specified, PF will not try other sources or other rules.

Sponsored access

  • if an AD source matches a sponsor user but has no admin rule specified, PF will not try other sources.
  • if an AD source matches a sponsor user with an "access level" (only) rule specified, PF will not try other sources or other rules.

Expected results

Depending on context (admin or portal) and rule_class, PF should try to use only relevant sources:

  • don't use sources with no administration rules
  • use only sources with Mark as sponsor actions for sponsored access
  • use only sources with Access level actions for admin access

Some work has already been done, see #1858.

In these contexts, PF should try to use other sources if the administration rule(s) of a matching source return no results.

I didn't test CLI access but I assume the same behavior.

Workaround if you have Sponsored and Admin access on your setup

Notes:

  • Create a general authentication source with all the admin rules in it
  • This source needs to be at the top of the list due to the current matching on AD sources without administration rules.
  • If an admin rule fails in the selected source, PF will try the next admin rules.

Example with AD sources:

[AD_meta]
cache_match=0
read_timeout=10
realms=
password=**removed**
scope=sub
binddn=**removed**
port=389
description=Meta
write_timeout=5
type=AD
basedn=**removed**
monitor=1
set_access_level_action=
shuffle=0
email_attribute=mail
usernameattribute=sAMAccountName
connection_timeout=1
encryption=none
host=**removed**

[AD_meta rule sponsor_and_admin]
action0=set_access_level=ALL
condition0=memberOf,equals,CN=test_sponsor,CN=Users,DC=example,DC=lan
condition1=memberOf,equals,CN=test_itstaff,CN=Users,DC=example,DC=lan
match=all
class=administration
action1=mark_as_sponsor=1
description=Sponsor and admin access

[AD_meta rule sponsor_only]
action0=mark_as_sponsor=1
condition0=memberOf,equals,CN=test_sponsor,CN=Users,DC=example,DC=lan
match=all
class=administration
description=Only sponsor access

[AD_meta rule admin_only]
action0=set_access_level=ALL
condition0=memberOf,equals,CN=test_itstaff,CN=Users,DC=example,DC=lan
match=all
class=administration
description=Only admin access
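To make the expected matching concrete, below is an added Python model of the behaviour described under "Expected results". It is an illustration written for this page, not PacketFence code and not the issue author's: it reads sections shaped like the `authentication.conf` excerpt above, keeps only sources that carry an administration rule with the action the context needs (`set_access_level` for admin, `mark_as_sponsor` for sponsored access), and falls through to the next rule and the next source until one matches. The `AD_noadmin` and `AD_other` sources and the `CN=helpdesk` group are constructed sample data, the condition operators implemented are an assumed subset of PF's, and PF's real evaluation order may differ in detail.

```python
"""Added model of the source/rule selection this issue asks for (not PacketFence code)."""
import configparser
from dataclasses import dataclass, field

# Constructed sample config. AD_meta and its three rules are the ones from the issue
# (connection settings trimmed); AD_noadmin and AD_other are hypothetical sources added
# to show a source without administration rules being skipped and a fall-through to a
# later source.
AUTH_CONF = """
[AD_noadmin]
type=AD
description=AD source without administration rules (constructed)

[AD_meta]
type=AD
description=Meta

[AD_meta rule sponsor_and_admin]
action0=set_access_level=ALL
condition0=memberOf,equals,CN=test_sponsor,CN=Users,DC=example,DC=lan
condition1=memberOf,equals,CN=test_itstaff,CN=Users,DC=example,DC=lan
match=all
class=administration
action1=mark_as_sponsor=1

[AD_meta rule sponsor_only]
action0=mark_as_sponsor=1
condition0=memberOf,equals,CN=test_sponsor,CN=Users,DC=example,DC=lan
match=all
class=administration

[AD_meta rule admin_only]
action0=set_access_level=ALL
condition0=memberOf,equals,CN=test_itstaff,CN=Users,DC=example,DC=lan
match=all
class=administration

[AD_other]
type=AD
description=Second AD source with its own sponsor rule (constructed)

[AD_other rule helpdesk_sponsor]
action0=mark_as_sponsor=1
condition0=memberOf,equals,CN=helpdesk,CN=Users,DC=example,DC=lan
match=all
class=administration
"""

# Which rule action makes a source relevant for which context.
CONTEXT_ACTION = {"admin": "set_access_level", "sponsor": "mark_as_sponsor"}

@dataclass
class Rule:
    name: str
    conditions: list   # (attribute, operator, value) tuples
    match: str         # "all" or "any"
    actions: dict      # action name -> value, e.g. {"set_access_level": "ALL"}

@dataclass
class Source:
    name: str
    rules: list = field(default_factory=list)

def parse_sources(text):
    """Return sources in file order; '[<source> rule <name>]' sections attach to their source."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    sources = {}
    for section in cp.sections():
        if " rule " not in section:
            sources.setdefault(section, Source(section))
            continue
        src_name, rule_name = section.split(" rule ", 1)
        sec = cp[section]
        if sec.get("class") != "administration":
            continue  # authentication-class rules play no part in admin/sponsor access
        # condition values contain commas (a DN), so split on the first two only
        conds = [tuple(sec[k].split(",", 2)) for k in sorted(sec) if k.startswith("condition")]
        actions = dict(sec[k].split("=", 1) for k in sorted(sec) if k.startswith("action"))
        sources.setdefault(src_name, Source(src_name)).rules.append(
            Rule(rule_name, conds, sec.get("match", "all"), actions))
    return list(sources.values())

def condition_holds(attrs, attribute, operator, value):
    """Evaluate one condition against a multi-valued attribute (assumed subset of PF operators)."""
    values = attrs.get(attribute, [])
    values = [values] if isinstance(values, str) else list(values)
    if operator == "not_equals":
        return all(v != value for v in values)
    tests = {"equals": lambda v: v == value, "contains": lambda v: value in v,
             "starts": lambda v: v.startswith(value), "ends": lambda v: v.endswith(value)}
    return any(tests[operator](v) for v in values)

def rule_matches(rule, attrs):
    results = (condition_holds(attrs, *c) for c in rule.conditions)
    return all(results) if rule.match == "all" else any(results)

def relevant_sources(sources, context):
    """Only sources carrying an administration rule with the action this context needs."""
    needed = CONTEXT_ACTION[context]
    return [s for s in sources if any(needed in r.actions for r in s.rules)]

def resolve(sources, context, attrs):
    """Walk relevant sources and rules in order; fall through until a rule with the needed action matches."""
    needed = CONTEXT_ACTION[context]
    for source in relevant_sources(sources, context):
        for rule in source.rules:
            if needed in rule.actions and rule_matches(rule, attrs):
                return source.name, rule.name, rule.actions[needed]
    return None  # no source grants this kind of access

SOURCES = parse_sources(AUTH_CONF)

if __name__ == "__main__":
    both = {"memberOf": ["CN=test_sponsor,CN=Users,DC=example,DC=lan",
                         "CN=test_itstaff,CN=Users,DC=example,DC=lan"]}
    print(resolve(SOURCES, "admin", both))        # ('AD_meta', 'sponsor_and_admin', 'ALL')
    helpdesk = {"memberOf": ["CN=helpdesk,CN=Users,DC=example,DC=lan"]}
    print(resolve(SOURCES, "sponsor", helpdesk))  # ('AD_other', 'helpdesk_sponsor', '1')
```

With this ordering a helpdesk member asking for sponsored access is not stopped at `AD_meta` (whose sponsor rules do not match them) but reaches `AD_other`, and a member of `test_itstaff` alone gets admin access from `admin_only` while getting no sponsor result at all, because `admin_only` carries no `mark_as_sponsor` action and is skipped in that context.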
