Progress! Ok, here is the latest data from the lab.
The compat translation is almost there!!!

* The sudoers container has correctly been moved out to the top of the tree. I think it only needs 1 small final edit: the sudo ldap default is to look for ou=sudoers, rather than what is currently "cn=sudoers".
* sudoUser: correctly translates to a %<usergroup_name>
* sudoCommand: correctly translates to the individual members of the ipaSudoCmdGroup
* sudoHost: is incorrectly enumerating the individual members of the ipaHostgroup. This is similar to how sudoCommand is being populated. It wants to be like how sudoUser is being populated:

sudoHost: +prod

Here is the ldapsearch for the pieces that need adjustment.

# prod, hostgroups, accounts, example.com
dn: cn=prod,cn=hostgroups,cn=accounts,dc=example,dc=com
objectClass: ipaobject
objectClass: ipahostgroup
objectClass: nestedGroup
objectClass: groupOfNames
objectClass: top
cn: prod
description: prod
ipaUniqueID: 15261e98-f7ee-11df-968e-8a3d259cb0b9
member: fqdn=auth3.ops.example.com,cn=computers,cn=accounts,dc=example,dc=com

# sudoers, example.com
dn: cn=sudoers, dc=example,dc=com
objectClass: extensibleObject
cn: sudoers

# operations, sudoers, example.com
dn: cn=operations,cn=sudoers,dc=example,dc=com
objectClass: sudoRole
sudoUser: %ops
sudoHost: auth3.ops.example.com
sudoCommand: /usr/bin/less
cn: operations

Thank you very much for your help Nalin!
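
The two adjustments requested in the message above can be checked mechanically against ldapsearch output. The following is an added example, not part of the original message or of FreeIPA; the function names `parse_ldif` and `check_compat` are hypothetical, and the input is constructed from the entries quoted in the message.

```python
# Constructed input: entries from the message, trimmed to the attributes used.
LDIF = """\
dn: cn=prod,cn=hostgroups,cn=accounts,dc=example,dc=com
objectClass: ipahostgroup
cn: prod
member: fqdn=auth3.ops.example.com,cn=computers,cn=accounts,dc=example,dc=com

dn: cn=operations,cn=sudoers,dc=example,dc=com
objectClass: sudoRole
sudoUser: %ops
sudoHost: auth3.ops.example.com
sudoCommand: /usr/bin/less
"""

def parse_ldif(text):
    """Parse simple LDIF (no folded or base64 lines) into attribute dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if ":" in line and not line.startswith("#"):
                attr, value = line.split(":", 1)
                entry.setdefault(attr.strip().lower(), []).append(value.strip())
        if "dn" in entry:
            entries.append(entry)
    return entries

def check_compat(entries):
    """Report sudoRole entries that still need the adjustments from the message."""
    def is_a(e, cls):
        return cls in (c.lower() for c in e.get("objectclass", []))
    # Map each hostgroup member FQDN to the name of its hostgroup.
    host_to_group = {}
    for e in (e for e in entries if is_a(e, "ipahostgroup")):
        for member in e.get("member", []):
            rdn = member.split(",", 1)[0].strip()
            if rdn.lower().startswith("fqdn="):
                host_to_group[rdn[5:].lower()] = e["cn"][0]
    findings = []
    for e in (e for e in entries if is_a(e, "sudorole")):
        dn = e["dn"][0]
        parent = dn.split(",", 1)[1].strip().lower() if "," in dn else ""
        if not parent.startswith("ou=sudoers"):
            findings.append(f"{dn}: container is not ou=sudoers")
        for host in e.get("sudohost", []):
            group = host_to_group.get(host.lower())
            if group:  # an enumerated member where a +hostgroup reference is wanted
                findings.append(f"{dn}: sudoHost {host} should be +{group}")
    return findings
```

Run against the entries as posted, `check_compat(parse_ldif(LDIF))` returns one finding for the container name and one for the enumerated sudoHost.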