Nalin Dahyabhai wrote:
> On Wed, Dec 08, 2010 at 11:12:34PM +0000, JR Aquino wrote:
>   
>> I guess the piece that is still missing then is:
>>
>> Instead of:
>>
>> sudoHost: hostname.com
>>
>> It should be:
>>
>> sudoHost: +production <- which is the group assigned to the ipasudorule.
>>     
>
> The memberHost "cn=prod,cn=hostgroups,cn=accounts,dc=example,dc=com" in
> the rule is a hostgroup but not a netgroup, so I think it's doing the
> right thing by resolving the group down to its members' names.
>
>   
JR,

Can we check that we are running with the same test data set?
In the data set that Nalin uses the sudo rule points to a host group so
according to the rules it gets expanded.
Have you implemented a capability to add a netgroup to the the
memberHost in the SUDO plugin?
If you make a netgroup a member of the SUDO rule the compat plugin will
do what you expect.

Thanks
Dmitri

> Nalin
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
>
>
>   


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to