On Wed, Dec 08, 2010 at 10:10:56PM +0000, JR Aquino wrote:
> I just had a chance to revisit this.
>
> It appears that the host piece still doesn't work quite right.
>
> This time, I am missing the sudoHost translation entirely.
>
> dn: ipaUniqueID=e52c8e06-0315-11e0-b2dd-8a3d259cb0b9,cn=sudorules,dc=example,dc=com
> objectClass: ipaassociation
> objectClass: ipasudorule
> ipaEnabledFlag: TRUE
> cn: devel
> ipaUniqueID: e52c8e06-0315-11e0-b2dd-8a3d259cb0b9
> memberAllowCmd: cn=readonly,cn=sudocmdgroups,cn=accounts,dc=example,dc=com
> memberHost: cn=prod,cn=hostgroups,cn=accounts,dc=example,dc=com
> memberUser: cn=ops,cn=groups,cn=accounts,dc=example,dc=com
>
> dn: cn=devel,cn=sudoers,dc=example,dc=com
> objectClass: sudoRole
> sudoUser: %ops
> sudoCommand: /usr/bin/less
> cn: devel

This is what I see when I manually add the ipaSudoRule entry to my test
server:

dn: cn=devel,cn=sudoers,dc=example,dc=com
objectClass: sudoRole
sudoUser: %ops
sudoHost: auth4.ops.expertcity.com
sudoCommand: /usr/bin/less
cn: devel

That's assuming the group and host entries you're using are still the
same as the sample ones from a while back, of course.

In the currently proposed configuration, the expansion of memberHost
attribute values depends on functionality that's new in slapi-nis 0.20
and later. Which version are you using?

Nalin