On Wed, Feb 11, 2026 at 11:32:17AM +0100, Martin Pitt wrote:
Marc Haber [2026-02-10 14:50 +0100]:
How would a test case to check "sssd configuration of sudo rules" look like?
Cockpit's test suite models a typical "large org" setup: Centralized user
management with https://tracker.debian.org/pkg/freeipa ; part of that is
maintaining users and their roles in LDAP. sssd abstracts away most of that,
i.e. provides the integration into NSS, for both passwd/groups and also
`sudoers`, so that these can be managed centrally through IPA as well. I.e. our
test (effectively) calls `realmd join` which calls `ipa-client-install`.
On the IPA server side, you need to run the output of `ipa-advise
enable-admins-sudo` to enable central sudoers management.
Setting all of this up is quite involved. If it's unclear how this happens,
I can spend an hour trying to replicate everything in a Debian testing VM with
just a FreeIPA container -- but I hope that can be done in a simpler way? I.e.
extending the above sed shell code in the postinst to create a missing entry
keeps the previous behaviour with libnss-sudo, and reduces the dependency
assumption.
I was hoping for something that would fit easily into the horrible mess
called https://salsa.debian.org/sudo-team/sudo/-/blob/debian/latest/debian/tests/04-getroot-sssd?ref_type=heads
such as
(1) installing the LDAP extensions that are probably needed to have
sudoers in LDAP
(2) installing a test rule into the sudoers set that is stored in LDAP
(3) checking that this rule is actually honored by sudo
Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany | lose things." Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421
