Andrew Meyer wrote:
> What would the equivalent of Cmnd_Alias DEVS be?  Is that somewhere in the
> documentation?  I was also trying to find something to convert my
> sudoers to what it would be in IPA commands.

For Cmnd_Alias I'm not sure if it is supported or documented. IPA just
uses the standard sudo LDAP schema so you could start with the
sudoers.ldap man page I guess. I don't recall a specific option in IPA
sudocmd to do that though, but I've been out of the game for a while.

I'm 99% sure there is no sudoers -> IPA conversion script. It's
certainly a nice-to-have but it'd probably be death by a thousand cuts
to try to implement such a thing and be useful for more than 80% of users.

rob

> 
> 
> On Thursday, November 2, 2017 4:02 PM, Rob Crittenden via FreeIPA-users
> <freeipa-users@lists.fedorahosted.org> wrote:
> 
> 
> Andrew Meyer via FreeIPA-users wrote:
>> In preparation for a migration I am trying to set up sudoers within
>> freeipa.  I have about a dozen people that will need to sudo to another
>> user and run commands.  However I want to add all the commands for that
>> user into my rule.
>>
>> Would this be best practice to add ALL the commands into 1 rule?  Or
>> should I do a sudocmdgroup?
> 
> Up to you but that's what the groups were made for: to combine a common
> set of commands together to make management easier. Seems to fit well.
> 
>> ipa sudorule-add-allow-command --sudocmds "/usr/bin/vim" files-commands
>>
>> Would I just put a comma after each command? Or should I do this all
>> individually and add all the commands to a cmd group?
> 
> Try: --sudocmds={"/usr/bin/vim","cat /etc/passwd",...}
> 
> Bash will expand it.
> 
> I'd use a group though so you can make one change and affect any/all rules.
> 
> rob
> 
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> <mailto:freeipa-users@lists.fedorahosted.org>
> To unsubscribe send an email to
> freeipa-users-le...@lists.fedorahosted.org
> <mailto:freeipa-users-le...@lists.fedorahosted.org>
> 
> 
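
The command-group approach recommended in the quoted reply, written out as an added example that is not part of the original thread: it registers each command, collects the commands in a sudocmdgroup, and attaches that group to one rule. Using the group in the role a Cmnd_Alias plays in a sudoers file is this example's assumption; apart from the rule name `files-commands` and `/usr/bin/vim`, every name and value is a constructed placeholder.

```sh
#!/bin/sh
# Added example: build one FreeIPA sudo rule from a command group.
# Names other than the rule "files-commands" are constructed placeholders.
# DRY_RUN=1 (default) prints each ipa call instead of running it.
DRY_RUN="${DRY_RUN:-1}"

ipa_do() {
    if [ "$DRY_RUN" = 1 ]; then
        line="ipa"
        for a in "$@"; do line="$line '$a'"; done   # quoting is for display only
        printf '%s\n' "$line"
    else
        ipa "$@"
    fi
}

# build_sudo_rule RULE CMDGROUP RUNAS_USER USER_GROUP HOST COMMAND...
build_sudo_rule() {
    [ "$#" -ge 6 ] || { echo "usage: build_sudo_rule RULE CMDGROUP RUNAS GROUP HOST CMD..." >&2; return 2; }
    rule=$1 cmdgroup=$2 runas=$3 usergroup=$4 host=$5
    shift 5
    # A command must exist as a sudocmd object before a group or rule can use it.
    for cmd in "$@"; do
        ipa_do sudocmd-add "$cmd" || return 1
    done
    ipa_do sudocmdgroup-add "$cmdgroup" || return 1
    # Rewrite each command as its own --sudocmds=... word. This is the argument
    # list bash produces from --sudocmds={"cmd1","cmd2"} by brace expansion.
    n=$#
    while [ "$n" -gt 0 ]; do
        set -- "$@" "--sudocmds=$1"
        shift
        n=$((n - 1))
    done
    ipa_do sudocmdgroup-add-member "$cmdgroup" "$@" || return 1
    # The rule references the group, so a later change to the group reaches
    # every rule that uses it.
    ipa_do sudorule-add "$rule" || return 1
    ipa_do sudorule-add-allow-command "$rule" "--sudocmdgroups=$cmdgroup" || return 1
    ipa_do sudorule-add-runasuser "$rule" "--users=$runas" || return 1
    ipa_do sudorule-add-user "$rule" "--groups=$usergroup" || return 1
    ipa_do sudorule-add-host "$rule" "--hosts=$host"
}

# Constructed sample values
build_sudo_rule files-commands files-cmds appuser devs app01.example.com \
    "/usr/bin/vim" "/usr/bin/less /var/log/messages"
```

Run it as is to review the generated calls, then with `DRY_RUN=0` on an enrolled host holding an admin Kerberos ticket to apply them.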