[Freeipa-users] Sudo configuration question

Erinn Looney-Triggs erinn.looneytriggs at gmail.com
Wed Dec 21 18:08:55 UTC 2011


On 12/21/2011 04:37 AM, Stephen Gallagher wrote:
> On Tue, 2011-12-20 at 12:59 -0900, Erinn Looney-Triggs wrote:
>> I have been working through configuring sudo via IPA and ran into the
>> following situation.
>>
>> There is a directive in the documentation to configure
>> /etc/sssd/sssd.conf on the clients with something like the following:
>>
>> ldap_netgroup_search_base = cn=ng,cn=compat,dc=example,dc=com
>>
>>
>> This is pulled from the docs here for reference:
>> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/example-configuring-sudo.html
>>
>> This is fine and causes no problems, however, when I mistakenly left it
>> out on a few systems, sudo continued to function, so I am wondering what
>> it is that this directive does? Does this get sssd into the loop to
>> cache sudo rules for offline use?
>>
>> Any ideas?
> Sorry for the confusion in the other responses to this thread. The short
> answer is this: SUDO can use LDAP rules (as you clearly know). It does
> this with its own internal LDAP lookup (it doesn't currently go through
> SSSD to accomplish this).
>
> However, SUDO rules can specify netgroups as part of their restrictions
> on who can do what (usually these are used to limit functions to certain
> hosts). In order to do this, SSSD needs to be configured to look up
> netgroups properly so that SUDO can use the 'getnetgrent()' glibc
> command to locate the netgroups.
>
> The doc you are looking at is actually a bit out of date. It's no longer
> necessary to provide that option, because if it's unspecified, we set it
> automatically to cn=ng,cn=compat,dc=example,dc=com (using the
> appropriate base, of course).
>
> Jan's comments about upstream work were that we recently made changes to
> avoid needing to use the compat tree for netgroup lookups and can
> instead use FreeIPA's native, custom schema for netgroups. That's not
> terribly relevant to you, but it's a useful piece of information.
>
> So, in short, you don't need to set it, the doc is outdated.
>
>

Ok thanks, that makes sense. One final question here, is there a way to
verify that sssd is in fact setting this properly? Not that I doubt you
of course, it is just a matter of so many versions of sssd in so many
places that it would be good to verify that it works automagically on
RHEL 5, 6, and whatever else, say Ubuntu etc.

-Erinn
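As an added illustration of the two points in the reply above (sssd falling back to a default netgroup search base when `ldap_netgroup_search_base` is unset, and sudo restricting rules by netgroup membership resolved through glibc), here is a small Python check script. It is not from the thread, the RHEL docs, or the SSSD project. Assumptions: the sssd.conf and `getent netgroup` text are constructed samples; the default base is assumed to be `cn=ng,cn=compat,` prepended to the domain's `ldap_search_base` (the reply only says "using the appropriate base"); and the host matching mimics `innetgr()` semantics in simplified form (an empty field is a wildcard).

```python
import configparser
import re
import socket
import subprocess

# Constructed sample sssd.conf (not from the thread); note there is no
# ldap_netgroup_search_base line, so the default must be derived.
SAMPLE_SSSD_CONF = """
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://ipa.example.com
ldap_search_base = dc=example,dc=com
"""

# Constructed sample of what `getent netgroup admins` prints on a client:
# the netgroup name followed by (host,user,domain) triples.
SAMPLE_GETENT_OUTPUT = "admins (web1.example.com,,example.com) (,erinn,example.com)"

TRIPLE_RE = re.compile(r"\(([^,()]*),([^,()]*),([^()]*)\)")


def effective_netgroup_search_base(conf_text, domain):
    """Return (search_base, source) for the given sssd domain.

    source is "explicit" when ldap_netgroup_search_base is set in the
    file and "default" when it is derived (assumption: cn=ng,cn=compat
    under ldap_search_base, as the reply above describes).
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    section = f"domain/{domain}"
    if cp.has_option(section, "ldap_netgroup_search_base"):
        return cp.get(section, "ldap_netgroup_search_base"), "explicit"
    base = cp.get(section, "ldap_search_base")
    return f"cn=ng,cn=compat,{base}", "default"


def parse_netgroup_triples(getent_line):
    """Parse one `getent netgroup NAME` line into a list of triples."""
    return [m.groups() for m in TRIPLE_RE.finditer(getent_line)]


def host_in_netgroup(triples, hostname, domain=None):
    """Simplified innetgr(): does any triple match this host?

    An empty host or domain field in a triple acts as a wildcard; the user
    field is ignored because sudo's sudoHost check only looks at hosts.
    """
    for host, _user, entry_domain in triples:
        if host and host != hostname:
            continue
        if domain and entry_domain and entry_domain != domain:
            continue
        return True
    return False


def live_netgroup_check(netgroup):
    """Ask the running NSS stack (sssd on a configured client) for a
    netgroup and report whether this host is a member. Not run by tests."""
    out = subprocess.run(["getent", "netgroup", netgroup],
                         capture_output=True, text=True, check=False)
    if out.returncode != 0:
        return None  # netgroup not resolvable: sssd/nsswitch not wired up
    triples = parse_netgroup_triples(out.stdout.strip())
    return host_in_netgroup(triples, socket.getfqdn())


if __name__ == "__main__":
    base, source = effective_netgroup_search_base(SAMPLE_SSSD_CONF, "example.com")
    print(f"netgroup search base: {base} ({source})")
    print("sample triples:", parse_netgroup_triples(SAMPLE_GETENT_OUTPUT))
    print("this host in 'admins' (live):", live_netgroup_check("admins"))
```

On a real client, a `None` from `live_netgroup_check` (or an empty `getent netgroup` result) is the symptom to look for: sudo can still evaluate user-based LDAP rules through its own lookup, but any rule gated on a netgroup will silently fail to match until NSS resolves netgroups, which is exactly the situation the reply describes.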
