Hi Alexander and others,

As you know, SSSD 1.13.4 added support for reading the native SUDO tree [1]. This means that FreeIPA deployments with all clients being SSSD 1.13.4 or older will be able to disable the sudoers schema compatibility tree (cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config).

Right now, I am only aware of an attribute to disable the whole Schema Compat plugin (exposed via the ipa-compat-manage tool), but this would not fly for people with legacy clients reading from the Compat tree.

I am thinking, is there an easy way we can recommend to admins to disable just certain Schema Compatibility rules? Ideally, having a config option something like:

    schema-compat-enabled: on|off

that could be changed via ldapmodify.

[1] https://fedorahosted.org/sssd/ticket/1108

--
Martin Kosek <mko...@redhat.com>
Manager, Software Engineering - Identity Management Team
Red Hat, Inc.