> These are both on our roadmap, we just haven't gotten to them yet:
Okay, I did not find these two pages while searching. It appears to be
what I have just discussed, however.
>> Of the sudo bindpw or krb5_cc method in nss_ldap which is
> We currently provide a shared account for use with sudo as a
> temporary measure. sssd support is our preferred solution.
Okay. In terms of the SSSD sudo / automount provider, the biggest
issue I see is that to read the ou=SUDOers branch of the LDAP tree,
you must be bound (or, for automount, if anonymous bind is disabled). For
that you need either
A) a shared account for sudo reading, or
B) a way to extract the system's host krb5 ticket inside of SSSD to
make that query.
It would be reasonable for SSSD to be able to extract the keytab to a
local cache, and just to renew / re-extract it if it expires when a
query is performed.
However, I see the benefit as being that you can cache those queries,
especially sudo's. Automount may not benefit from this, however, since
in a situation where you are away from the IPA server, you are likely
away from NFS also.
An aside point: during the client auto-configuration, it would be
good to have automount "work out" the location of the client. This
could be used in
SEARCH_BASE="cn=location,cn=automount,dc=example,dc=com", for example.
Has any work started on the SSSD sudo provider?
Research and Teaching
Information and Technology Services
The University of Adelaide
CRICOS Provider Number 00123M
Freeipa-devel mailing list
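Editor's note: the two bind options the message contrasts (a shared read account versus binding with the client's host keytab) correspond to real sssd.conf settings, and the fragment below shows both side by side so the trade-off is concrete. This is an added example, not configuration from the original message or from the SSSD or FreeIPA projects; the domain, realm, hostname, account DN, search bases and refresh intervals are assumptions, and the shared-account lines are left commented out because the keytab-based bind is the one to use.

```ini
# Added example, not from the original message or the SSSD/FreeIPA projects.
# Domain, realm, hostname, account DN and search bases are assumptions.
[sssd]
services = nss, pam, sudo, autofs
domains = example.com

[domain/example.com]
id_provider = ldap
auth_provider = krb5
sudo_provider = ldap
autofs_provider = ldap
ldap_uri = ldap://ipa.example.com
ldap_search_base = dc=example,dc=com
krb5_realm = EXAMPLE.COM
krb5_server = ipa.example.com

# Option A from the message: a shared bind account. The password sits in
# clear text in this file on every client, so the account must be
# read-only/low-privilege and the file must stay root-only (mode 0600).
# Left disabled in favour of option B.
#ldap_default_bind_dn = uid=sudoread,cn=sysaccounts,cn=etc,dc=example,dc=com
#ldap_default_authtok_type = password
#ldap_default_authtok = CHANGEME

# Option B from the message: bind as the host principal using the system
# keytab. SSSD acquires the host ticket itself and re-acquires it when it
# expires, so no shared secret is distributed to the clients.
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/client.example.com@EXAMPLE.COM
ldap_krb5_keytab = /etc/krb5.keytab

# sudo rules read from this branch are cached locally, so they remain
# usable while the client is away from the IPA server.
ldap_sudo_search_base = ou=SUDOers,dc=example,dc=com
ldap_sudo_smart_refresh_interval = 900
ldap_sudo_full_refresh_interval = 21600

# automount maps; the location-specific base the message suggests would
# replace cn=default here.
ldap_autofs_search_base = cn=default,cn=automount,dc=example,dc=com
```

For sudo and autofs to actually consult SSSD, /etc/nsswitch.conf also needs `sudoers: files sss` and `autofs: sss`, and the keytab bind only works if the host principal has read access to the ou=SUDOers branch on the server side; checking that with `kinit -k` followed by an `ldapsearch -Y GSSAPI` against the sudo base is the quickest way to confirm the permissions before blaming SSSD.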