[Freeipa-devel] [PATCH] sudo and netgroup schema compat updates

JR Aquino JR.Aquino at citrix.com
Wed Dec 8 22:10:56 UTC 2010


I just had a chance to revisit this.

It appears that the host piece still doesn't work quite right.

This time, I am missing the sudoHost translation entirely.

dn: ipaUniqueID=e52c8e06-0315-11e0-b2dd-8a3d259cb0b9,cn=sudorules,dc=example,dc=com
objectClass: ipaassociation
objectClass: ipasudorule
ipaEnabledFlag: TRUE
cn: devel
ipaUniqueID: e52c8e06-0315-11e0-b2dd-8a3d259cb0b9
memberAllowCmd: cn=readonly,cn=sudocmdgroups,cn=accounts,dc=example,dc=com
memberHost: cn=prod,cn=hostgroups,cn=accounts,dc=example,dc=com
memberUser: cn=ops,cn=groups,cn=accounts,dc=example,dc=com


dn: cn=devel,cn=sudoers,dc=example,dc=com
objectClass: sudoRole
sudoUser: %ops
sudoCommand: /usr/bin/less
cn: devel


On 11/30/10 3:38 PM, "Nalin Dahyabhai" <nalin at redhat.com> wrote:

>This is what I've got now; I think it's correct.
>
> - fix quoting in the netgroup compat configuration entry
> - don't bother looking for members of netgroups by looking for entries
>   which list "memberOf: $netgroup" -- the netgroup should list them as
>   "member" or "memberUser" or "memberHost" values
> - use newer slapi-nis functionality to produce cn=sudoers
> - drop the real cn=sudoers container to make room for the compat
>   container
>
>Feel free to adjust the "schema-compat-container-group" for the
>"cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config" entry -- the
>location of the compat sudo entries is of no concern to me.
>
>Cheers,
>
>Nalin
>_______________________________________________
>Freeipa-devel mailing list
>Freeipa-devel at redhat.com
>https://www.redhat.com/mailman/listinfo/freeipa-devel
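
A check for the gap reported in this message, as an added example that is not part of the thread and not FreeIPA or slapi-nis code: it parses LDIF and lists, for each ipasudorule, the compat attributes missing from the sudoRole entry with the same cn. The member*-to-sudo* pairing and the function names are assumptions drawn from the two entries shown above.

```python
# Constructed sample: the two entries from the message, abridged, with the wrapped dn rejoined.
SAMPLE_LDIF = """\
dn: ipaUniqueID=e52c8e06-0315-11e0-b2dd-8a3d259cb0b9,cn=sudorules,dc=example,dc=com
objectClass: ipasudorule
cn: devel
memberAllowCmd: cn=readonly,cn=sudocmdgroups,cn=accounts,dc=example,dc=com
memberHost: cn=prod,cn=hostgroups,cn=accounts,dc=example,dc=com
memberUser: cn=ops,cn=groups,cn=accounts,dc=example,dc=com

dn: cn=devel,cn=sudoers,dc=example,dc=com
objectClass: sudoRole
sudoUser: %ops
sudoCommand: /usr/bin/less
cn: devel
"""

# Assumption: attribute pairing inferred from the entries shown in the message.
TRANSLATION = {"memberUser": "sudoUser", "memberHost": "sudoHost", "memberAllowCmd": "sudoCommand"}

def parse_ldif(text):
    """Parse LDIF into a list of {lowercased attribute: [values]} dicts."""
    unfolded = text.replace("\n ", "")  # RFC 2849: a leading space continues the previous line
    entries = []
    for block in unfolded.split("\n\n"):  # blank lines separate entries
        entry = {}
        for line in block.splitlines():
            if ":" in line and not line.startswith("#"):
                attr, _, value = line.partition(":")
                entry.setdefault(attr.strip().lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def missing_translations(entries):
    """Map each ipasudorule cn to the compat attributes its sudoRole lacks."""
    def has_class(entry, name):
        return name in (v.lower() for v in entry.get("objectclass", []))
    roles = {e["cn"][0]: e for e in entries if has_class(e, "sudorole")}
    report = {}
    for rule in (e for e in entries if has_class(e, "ipasudorule")):
        role = roles.get(rule["cn"][0], {})  # no compat entry at all counts as all-missing
        gaps = [dst for src, dst in TRANSLATION.items()
                if src.lower() in rule and dst.lower() not in role]
        if gaps:
            report[rule["cn"][0]] = gaps
    return report

if __name__ == "__main__":
    print(missing_translations(parse_ldif(SAMPLE_LDIF)))
```

The same functions can be pointed at real `ldapsearch` output covering both containers; an empty result means every member attribute on a rule has a counterpart in its compat entry.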




