Progress!

Ok, here is the latest data from the lab.

The compat translation is almost there!!!

* The sudoers container has correctly been moved out to the top of the
tree.  I think it only needs 1 small final edit: the sudo LDAP default is
to look for ou=sudoers, rather than what is currently "cn=sudoers".

* sudoUser correctly translates to a %<usergroup_name>
* sudoCommand: correctly translates to the individual members of the
ipaSudoCmdGroup
* sudoHost: is incorrectly enumerating the individual members of the
ipaHostgroup

This is similar to how sudoCommand is being populated.

It wants to be like how sudoUser is being populated.

sudoHost: +prod

Here is the ldapsearch for the pieces that need adjustment.

# prod, hostgroups, accounts, example.com
dn: cn=prod,cn=hostgroups,cn=accounts,dc=example,dc=com
objectClass: ipaobject
objectClass: ipahostgroup
objectClass: nestedGroup
objectClass: groupOfNames
objectClass: top
cn: prod
description: prod
ipaUniqueID: 15261e98-f7ee-11df-968e-8a3d259cb0b9
member: fqdn=auth3.ops.example.com,cn=computers,cn=accounts,dc=example,dc=com


# sudoers, example.com
dn: cn=sudoers, dc=example,dc=com
objectClass: extensibleObject
cn: sudoers

# operations, sudoers, example.com
dn: cn=operations,cn=sudoers,dc=example,dc=com
objectClass: sudoRole
sudoUser: %ops
sudoHost: auth3.ops.example.com
sudoCommand: /usr/bin/less
cn: operations



Thank you very much for your help Nalin!


_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
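
A check for the sudoHost issue described in the message, added here as an example (not FreeIPA's code or the poster's): it reads hostgroup and compat sudoRole entries from LDIF and reports each sudoHost that names an individual hostgroup member where the `+hostgroup` form is expected. The function names and the minimal LDIF reader are assumptions of this example, and a match is only a candidate, since the compat entry alone does not show whether the source rule named the host directly.

```python
import re
# Constructed sample: the hostgroup and compat sudoRole entries quoted in the message.
SAMPLE_LDIF = """\
dn: cn=prod,cn=hostgroups,cn=accounts,dc=example,dc=com
objectClass: ipahostgroup
cn: prod
member: fqdn=auth3.ops.example.com,cn=computers,cn=accounts,dc=example,dc=com

dn: cn=operations,cn=sudoers,dc=example,dc=com
objectClass: sudoRole
sudoUser: %ops
sudoHost: auth3.ops.example.com
sudoCommand: /usr/bin/less
cn: operations
"""

def parse_ldif(text):
    """Minimal LDIF reader (comments, folded lines); base64 '::' values are not decoded."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry, last = {}, None
        for raw in block.splitlines():
            if raw.startswith("#"):
                continue
            if raw.startswith(" ") and last:
                entry[last][-1] += raw[1:]      # unfold a wrapped value
                continue
            attr, _, value = raw.partition(":")
            last = attr.strip().lower()
            entry.setdefault(last, []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def has_class(entry, name):
    return name in (v.lower() for v in entry.get("objectclass", []))

def enumerated_hosts(entries):
    """Return (rule cn, sudoHost, '+hostgroup') for each sudoHost naming a hostgroup member."""
    groups_of = {}                              # host fqdn -> hostgroups containing it
    for e in (e for e in entries if has_class(e, "ipahostgroup")):
        for member in e.get("member", []):
            rdn = member.split(",", 1)[0]
            if rdn.lower().startswith("fqdn="):
                groups_of.setdefault(rdn[5:].lower(), []).append(e["cn"][0])
    return [(e["cn"][0], host, "+" + group)
            for e in entries if has_class(e, "sudorole")
            for host in e.get("sudohost", [])
            for group in groups_of.get(host.lower(), [])]
```

On the entries from the message, `enumerated_hosts(parse_ldif(SAMPLE_LDIF))` reports the `operations` rule with `auth3.ops.example.com` and the expected value `+prod`.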
