himmelblau: add Entra ID provider with libhimmelblau integration#8661
dmulder wants to merge 4 commits into SSSD:master from
Add a minimal himmelblau authentication provider for Azure AD / Microsoft Entra ID authentication with device join capabilities.

The provider implements:
- Authentication target (DPT_AUTH) - returns PAM_AUTHINFO_UNAVAIL stub
- Identity target (DPT_ID) - returns ENOENT stub
- Configuration options for domain and device storage path
- Preparation for transparent device join during first authentication

This is a loadable scaffold that integrates with SSSD's provider framework via dlopen/dlsym. The provider will store device credentials (RSA key pair, certificate, device_id) for authentication.

New files:
- src/providers/himmelblau/himmelblau_init.c - Module and target initialization
- src/providers/himmelblau/himmelblau_auth.c - Authentication handler
- src/providers/himmelblau/himmelblau_id.c - Identity handler
- src/providers/himmelblau/himmelblau_opts.c - Configuration options
- src/providers/himmelblau/himmelblau_common.h - Context structures
- src/providers/himmelblau/himmelblau_opts.h - Options declarations

Signed-off-by: David Mulder <dmulder@samba.org>
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Add build system support for linking the himmelblau provider against libhimmelblau (Rust library with C FFI bindings). Implements a hybrid approach that prefers system-installed libhimmelblau via pkg-config, with optional fallback to vendored build using cargo-c for development.

- Add src/external/libhimmelblau.m4 for library detection
- Add --with-himmelblau configure option (auto/yes/no)
- Make himmelblau provider conditional on BUILD_HIMMELBLAU
- Add HIMMELBLAU_CFLAGS and HIMMELBLAU_LIBS to provider build
- Support vendored build with cargo cbuild when system library unavailable
- Update RPM spec for optional libhimmelblau-devel BuildRequires

The provider remains a stub; actual integration with libhimmelblau C API will follow in subsequent commits.

Signed-off-by: David Mulder <dmulder@samba.org>
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Implement complete himmelblau provider for Azure AD/Entra ID authentication in SSSD. This integrates libhimmelblau C API to provide Azure AD authentication with MFA support and device enrollment.

Key features:
- Azure AD authentication with MFA (polling and user input types)
- Automatic device enrollment on first authentication
- Persistent device state (auth_value, transport_key, cert_key)
- NSS integration for user lookups via broker_check_user_exists()
- TPM-backed machine key and broker initialization
- Error mapping from libhimmelblau to PAM status codes

Implementation:
- himmelblau_auth.c: PAM authentication handler with MFA flows
- himmelblau_id.c: NSS account info handler for user lookups
- himmelblau_device.c: Device state management and key persistence
- himmelblau_util.c: Error mapping utilities
- himmelblau_init.c: Broker, TPM, and key initialization

Device enrollment state persists across SSSD restarts by saving:
- auth_value for machine key
- LoadableMsOapxbcRsaKey (transport key)
- LoadableMsDeviceEnrolmentKey (certificate key)

These keys are loaded on startup and passed to broker_init() to restore enrolled device state for device-based authentication.

Signed-off-by: David Mulder <dmulder@samba.org>
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Code Review
This pull request introduces the Himmelblau provider to SSSD, enabling Azure AD authentication and identity lookups via libhimmelblau. The changes include build system updates, provider initialization with TPM support, device enrollment logic, and MFA-capable authentication handlers. Feedback was provided regarding the insecure clearing of sensitive password buffers in destructors, where using strlen may leave data behind if null bytes are present.
@sumit-bose and @abbra this is a WIP start to the discussions we had the other day.
| BuildRequires: libdhash-devel >= 0.4.2 | ||
| BuildRequires: libfido2-devel | ||
| %if 0%{?with_himmelblau} | ||
| BuildRequires: libhimmelblau-devel >= 0.8.0 |
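Review bot: the `BuildRequires: libhimmelblau-devel >= 0.8.0` floor added under `%if 0%{?with_himmelblau}` should match the minimum version enforced by the pkg-config check in src/external/libhimmelblau.m4, otherwise configure may accept a library the spec refuses (or the reverse); consider deriving both from one value and documenting the default of `with_himmelblau`, since the library is not yet packaged in Fedora or openSUSE.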
Do I understand correctly that the lib isn't yet(?) available in Fedora repos?
It is not. It's not even in openSUSE distro repos yet: https://build.opensuse.org/package/show/network:samba:STABLE/libhimmelblau
Canonical is currently shipping it vendored as part of Authd. SUSE ships it via the rust crate, inside of Himmelblau.
So you could alternatively just vendor the package within SSSD, and ship it bundled.
Replace unsafe memset() with strlen() calls with secure memory erasure using sss_erase_talloc_mem_securely().

The previous implementation had several security issues: strlen() stops at embedded null bytes leaving password remnants in memory, memset() can be optimized away by the compiler, and authentication tokens were not being erased at all.

The fix sets sss_erase_talloc_mem_securely as a destructor on all sensitive data (passwords, access_tokens, refresh_tokens) immediately after allocation. This ensures full buffer erasure using explicit_bzero() which cannot be optimized away, and works correctly with embedded nulls.

Signed-off-by: David Mulder <dmulder@samba.org>
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
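As an added example (not code from this PR or from SSSD), the following contrasts the strlen-bounded memset the commit removes with a full-allocation erase via explicit_bzero(). The explicit size argument stands in for the talloc chunk size that sss_erase_talloc_mem_securely() can obtain, and the sample buffer is constructed.

```c
#define _GNU_SOURCE
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

/* Constructed sample: a password followed by an embedded NUL and 16 bytes
 * of token material living in the same 25-byte allocation. */
static const unsigned char SAMPLE[25] = "hunter2\0" "S3cr3tT0k3nBytes";

/* The pattern the commit replaces: strlen() stops at the first NUL, so only
 * the leading 7 bytes are cleared, and a compiler may drop the memset()
 * entirely because the buffer is not read afterwards. Returns the byte
 * count it asked memset() to clear. */
size_t erase_with_strlen(unsigned char *buf)
{
    size_t n = strlen((const char *)buf);
    memset(buf, 0, n);
    return n;
}

/* Full-size erase that the compiler may not elide. In SSSD this runs from
 * a talloc destructor installed right after allocation, so every free path
 * (success, error, cancellation) erases the whole chunk. */
void erase_securely(unsigned char *buf, size_t size)
{
    explicit_bzero(buf, size);
}

/* Bytes that still hold secret material after an erase attempt. */
size_t residual_bytes(const unsigned char *buf, size_t size)
{
    size_t left = 0;
    for (size_t i = 0; i < size; i++)
        left += (buf[i] != 0);
    return left;
}

/* Run one erase strategy on a fresh copy of SAMPLE and report leftovers:
 * 16 bytes of token survive the strlen-bounded erase, 0 survive the secure one. */
size_t leftovers_after(int use_secure)
{
    unsigned char *buf = malloc(sizeof SAMPLE);
    if (buf == NULL)
        return (size_t)-1;
    memcpy(buf, SAMPLE, sizeof SAMPLE);
    if (use_secure)
        erase_securely(buf, sizeof SAMPLE);
    else
        erase_with_strlen(buf);
    size_t left = residual_bytes(buf, sizeof SAMPLE);
    free(buf);
    return left;
}
```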
This series introduces a new himmelblau provider to support Microsoft Entra ID authentication in SSSD, backed by libhimmelblau through its C API.
The three commits are structured as:
What this adds:
Build/dependency notes:
For details on building and packaging the new system library, see:
https://build.opensuse.org/package/show/network:samba:STABLE/libhimmelblau