[Freeipa-users] sudo rules in IPA infrastructure

Jakub Hrozek jhrozek at redhat.com
Mon May 21 08:51:51 UTC 2012


On Sat, May 19, 2012 at 03:11:44PM -0700, David Copperfield wrote:
>    Hi Jakub and Rich,
>    Got it.
>    Thanks a lot for the HBAC and sudoers maps access. I think I got confused
>    with the graph in the powerpoint
>    presentation http://www.redhat.com/summit/2011/presentations/summit/whats_next/friday/pal_crittenden_f_1100_ipa_overview_rev3.pdf.
>    The graph 'Under the hood' claimed that user/group/netgroup/HBAC will go
>    through sssd, while other maps (sudo, autofs?) would go through
>    nss_ldap.

There's no hard rule; we've historically developed support for the most
important name-service-switch libc maps such as groups and passwd, then
gradually added support for other maps like netgroups depending on demand
for them.

In some special cases, we even add application-specific responders such
as the ones for sudo and autofs in 1.8. These communicate with the app
using their own protocol via a unix pipe, not through the name service
switch maps (even though both sudo and autofs are configured in the
nsswitch.conf file).
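
An added example, not part of the original message or of the SSSD project's code: a client-side check that reports, for each map discussed above, whether lookups go through an SSSD responder or elsewhere. It assumes the `sss` source name in nsswitch.conf and that responders are enabled on the `services` line of the `[sssd]` section in sssd.conf; both sample files are constructed.

```python
import configparser
import re

# Constructed sample files, not taken from the thread.
NSSWITCH = """\
passwd:     files sss
group:      files sss
netgroup:   files sss
sudoers:    files sss
automount:  files ldap
"""
SSSD_CONF = "[sssd]\nservices = nss, pam, sudo\n"

# nsswitch.conf database -> SSSD responder that serves it. passwd, group and
# netgroup are libc maps (NSS responder); sudoers and automount have their own.
RESPONDER_FOR = {"passwd": "nss", "group": "nss", "netgroup": "nss",
                 "sudoers": "sudo", "automount": "autofs"}

def parse_nsswitch(text):
    """Return {database: [sources]} with comments and [action] items removed."""
    maps = {}
    for line in text.splitlines():
        line = re.sub(r"\[[^\]]*\]", "", line.split("#", 1)[0])
        if ":" in line:
            db, sources = line.split(":", 1)
            maps[db.strip()] = sources.split()
    return maps

def enabled_responders(text):
    """Return the set of responders named on the [sssd] services line."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    services = cp.get("sssd", "services", fallback="")
    return {s.strip() for s in services.split(",") if s.strip()}

def audit(nsswitch_text, sssd_text):
    """Say, per database, which path a lookup takes on this client."""
    maps, enabled = parse_nsswitch(nsswitch_text), enabled_responders(sssd_text)
    report = {}
    for db, responder in RESPONDER_FOR.items():
        sources = maps.get(db, [])
        if "sss" not in sources:
            report[db] = "not via sssd: " + (" ".join(sources) or "unset")
        elif responder in enabled:
            report[db] = "sssd %s responder" % responder
        else:
            report[db] = "sss listed, %s responder not enabled" % responder
    return report
```

On a real client, pass the contents of `/etc/nsswitch.conf` and `/etc/sssd/sssd.conf` to `audit()`; a `sudoers` entry that lists `sss` without a running sudo responder means centrally managed sudo rules are not being consulted.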



