[Freeipa-devel] Sudo Schema Bug/Feature

JR Aquino JR.Aquino at citrixonline.com
Thu Sep 30 17:37:00 UTC 2010


> btw. I cannot reproduce your issue where a command is denied where only
> user and host is matching, can you give an example where this is
> happening? Thanks

I retract my previous statement and stand corrected:

I have run a test and verified on Redhat Enterprise 5.5 that Sudo is behaving as we believe it should.

A command NO MATCH occurs only if sudo parses all results and does not find a match.

I am documenting this for my internal team so that we can investigate the systems that have had contrary results as they are likely the result of a definite bug.

I apologize for the F.U.D.

So then, that just leaves us with:

How do we adjust FreeIPA such that it ensures Deny-IPASudoRules precede any Allow-IPASudoRules ?
 
Sudo Debug:
-------------------
sudo: ldap_set_option(LDAP_OPT_X_TLS, LDAP_OPT_X_TLS_HARD)

sudo: ldap_sasl_bind_s() ok
sudo: found:cn=defaults,cn=SUDOers,dc=example,dc=com
sudo: ldap sudoOption: 'logfile=/var/log/sudolog'
sudo: ldap sudoOption: 'ignore_dot'
sudo: ldap search '(|(sudoUser=testuser)(sudoUser=%testuser)(sudoUser=%UGRP-Test1)(sudoUser=ALL))'
sudo: found:cn=ROLE-jumpers_RO,cn=SUDOers,dc=example,dc=com
sudo: ldap sudoHost 'jump2.example.com' ... not
sudo: ldap sudoHost 'jump1.example.com' ... MATCH!
sudo: found:cn=ROLE-jr-test,cn=SUDOers,dc=example,dc=com
sudo: ldap sudoHost 'jump2.example.com' ... not
sudo: ldap sudoHost 'jump1.example.com' ... MATCH!
sudo: found:cn=ROLE-jr-test2,cn=SUDOers,dc=example,dc=com
sudo: ldap sudoHost 'jump2.example.com' ... not
sudo: ldap sudoHost 'jump1.example.com' ... MATCH!
sudo: ldap sudoCommand 'ALL' ... MATCH!
sudo: Command allowed
sudo: user_matches=1
sudo: host_matches=1
sudo: sudo_ldap_lookup(0)=0x02
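
As an added example (not code from this post, from FreeIPA or from sudo), the Python script below does two things with the material above. First, it summarises a debug trace in the format shown, so you can see which entries sudo considered, which matched only on sudoHost, and which went on to match a sudoCommand and so decided the outcome. Second, it models the ordering question the post ends on: a small evaluator walks entries in a given order, treats a leading `!` on a sudoCommand as a deny, and reports `NO MATCH` only when every entry has been parsed without a command match, as the post states. The DNs and hostnames are copied from the trace; the sudoCommand values attached to them are constructed, and whether the first or the last decisive entry wins is a parameter because the post does not say which convention its sudo build applies across entries (within one entry a matching negated command is treated as decisive over a positive one, the conservative reading).

```python
import re
from dataclasses import dataclass

# Part 1: summarise a sudo LDAP debug trace.  Constructed sample input,
# copied line for line from the trace in the post.
SAMPLE_TRACE = """\
sudo: found:cn=defaults,cn=SUDOers,dc=example,dc=com
sudo: ldap sudoOption: 'logfile=/var/log/sudolog'
sudo: ldap search '(|(sudoUser=testuser)(sudoUser=%testuser)(sudoUser=%UGRP-Test1)(sudoUser=ALL))'
sudo: found:cn=ROLE-jumpers_RO,cn=SUDOers,dc=example,dc=com
sudo: ldap sudoHost 'jump2.example.com' ... not
sudo: ldap sudoHost 'jump1.example.com' ... MATCH!
sudo: found:cn=ROLE-jr-test,cn=SUDOers,dc=example,dc=com
sudo: ldap sudoHost 'jump2.example.com' ... not
sudo: ldap sudoHost 'jump1.example.com' ... MATCH!
sudo: found:cn=ROLE-jr-test2,cn=SUDOers,dc=example,dc=com
sudo: ldap sudoHost 'jump2.example.com' ... not
sudo: ldap sudoHost 'jump1.example.com' ... MATCH!
sudo: ldap sudoCommand 'ALL' ... MATCH!
sudo: Command allowed
""".splitlines()

FOUND = re.compile(r"^sudo: found:(?P<dn>\S+)$")
ATTR = re.compile(r"^sudo: ldap (?P<attr>sudoHost|sudoCommand) '[^']*' \.\.\. (?P<res>MATCH!|not)$")

def summarize_trace(lines):
    """Per entry sudo reported as found: did a sudoHost value match, and did a
    sudoCommand value match?  Only an entry with both decided the command."""
    entries = []
    for line in lines:
        m = FOUND.match(line)
        if m:
            entries.append({"dn": m.group("dn"), "host": False, "command": False})
            continue
        m = ATTR.match(line)
        if m and entries and m.group("res") == "MATCH!":
            entries[-1]["host" if m.group("attr") == "sudoHost" else "command"] = True
    return entries

# Part 2: a model of entry evaluation, to show why Deny/Allow order matters.
@dataclass
class Rule:
    dn: str
    users: list      # sudoUser values: a login, %group or ALL
    hosts: list      # sudoHost values
    commands: list   # sudoCommand values; a leading '!' denies that command

def user_matches(rule, user, groups):
    # The same test the LDAP search filter in the trace expresses.
    return any(u == "ALL" or u == user or (u.startswith("%") and u[1:] in groups)
               for u in rule.users)

def host_matches(rule, host):
    return any(h in ("ALL", host) for h in rule.hosts)

def command_check(rule, command):
    """True = allow, False = deny, None = this entry says nothing about the
    command.  A matching negated command overrides a positive one in the same entry."""
    verdict = None
    for spec in rule.commands:
        negated = spec.startswith("!")
        if spec.lstrip("!") in ("ALL", command):
            if negated:
                return False
            verdict = True
    return verdict

def evaluate(rules, user, groups, host, command, winner="last"):
    """Walk the entries in the order given.  'winner' selects whether the first
    or the last entry with a command verdict decides (an assumption, see above)."""
    decision = None
    for rule in rules:
        if not (user_matches(rule, user, groups) and host_matches(rule, host)):
            continue
        verdict = command_check(rule, command)
        if verdict is None:
            continue          # host matched but no sudoCommand did: keep parsing
        decision = verdict
        if winner == "first":
            break
    if decision is None:
        return "NO MATCH"     # all entries parsed, none matched the command
    return "allowed" if decision else "denied"

# Constructed rules using the DNs and hosts from the trace; commands are made up.
HOSTS = ["jump1.example.com", "jump2.example.com"]
RO = Rule("cn=ROLE-jumpers_RO,cn=SUDOers,dc=example,dc=com", ["%UGRP-Test1"], HOSTS, ["/bin/ls"])
DENY = Rule("cn=ROLE-jr-test,cn=SUDOers,dc=example,dc=com", ["testuser"], HOSTS, ["!/bin/sh"])
ALLOW = Rule("cn=ROLE-jr-test2,cn=SUDOers,dc=example,dc=com", ["testuser"], HOSTS, ["ALL"])

def ordering_matrix(command="/bin/sh"):
    """Outcome of the deny rule for every combination of entry order and winner rule."""
    out = {}
    for label, order in (("deny-first", [RO, DENY, ALLOW]), ("allow-first", [RO, ALLOW, DENY])):
        for winner in ("first", "last"):
            out[(label, winner)] = evaluate(order, "testuser", ["UGRP-Test1"],
                                            "jump1.example.com", command, winner)
    return out

if __name__ == "__main__":
    for e in summarize_trace(SAMPLE_TRACE):
        print(e)
    for key, result in ordering_matrix().items():
        print(key, "->", result)
```

The matrix is the point: with the same three entries, `/bin/sh` is denied in exactly two of the four cells, and which two depends both on the order the directory returns the entries and on which decisive entry sudo honours. Until FreeIPA pins the order (or the directory is otherwise guaranteed to return Deny entries where the evaluator needs them), a deny rule's effect is not something the administrator can rely on, which is the risk behind the question in the post.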
