On Wed, 31 May 2023, Rob Crittenden via FreeIPA-users wrote:
Ronald Wimmer via FreeIPA-users wrote:
We managed to integrate AIX IPA clients successfully some time ago. sudo
was also working fine. A few weeks ago sudo stopped working.

It begs the question: what happened a few weeks ago? Did you upgrade
anything?

What version of IPA server?

What version of slapi-nis package?


The /etc/ldap.conf on our AIX clients contains the following line:
sudoers_base cn=users,cn=compat,ou=sudoers,dc=linux,dc=mydomain,dc=at

I believe it should be ou=sudoers,dc=linux,dc=mydomain,dc=at

If we try to look that up with an LDAP browser we do not even find an OU
named "sudoers". Did the LDAP structure change in the recent past? What
should the sudoers_base line contain?

Changes were made in slapi-nis which provides the compat tree but like I
said, I don't know that cn=users,cn=compat,ou=sudoers would have ever
worked.

Indeed. That DN would have never matched anything.

# grep -E 'dn: .*,cn=Schema Compatibility|schema-compat-container' /etc/dirsrv/slapd-IPA-TEST/dse.ldif

dn: cn=computers,cn=Schema Compatibility,cn=plugins,cn=config
schema-compat-container-group: cn=compat, dc=ipa,dc=test
schema-compat-container-rdn: cn=computers

dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
schema-compat-container-group: cn=compat, dc=ipa,dc=test
schema-compat-container-rdn: cn=groups

dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config
schema-compat-container-group: cn=compat, dc=ipa,dc=test
schema-compat-container-rdn: cn=ng

dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
schema-compat-container-group: ou=SUDOers, dc=ipa,dc=test

dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
schema-compat-container-group: cn=compat, dc=ipa,dc=test
schema-compat-container-rdn: cn=users


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
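
Added example, not part of the original thread or of FreeIPA/slapi-nis code: a Python check that derives the compat-tree base DNs from grep output like the one quoted above and compares a client's sudoers_base line against the sudoers container. It assumes the container RDN, when present, is prepended to the container group; the function names, the trimmed sample and the client lines adapted to the dc=ipa,dc=test suffix are constructed for illustration.

```python
import re

# Constructed sample: two of the entries from the grep output quoted above.
DSE_SAMPLE = """\
dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
schema-compat-container-group: ou=SUDOers, dc=ipa,dc=test

dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
schema-compat-container-group: cn=compat, dc=ipa,dc=test
schema-compat-container-rdn: cn=users
"""

def norm_dn(dn):
    """Lower-case a DN and drop spaces around commas (no escaped-comma support)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def compat_bases(text):
    """Map each Schema Compatibility set name to the base DN of its entries."""
    bases = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                attrs[key.strip().lower()] = value.strip()
        m = re.match(r"cn=([^,]+),cn=Schema Compatibility", attrs.get("dn", ""), re.I)
        group = attrs.get("schema-compat-container-group")
        if not (m and group):
            continue
        rdn = attrs.get("schema-compat-container-rdn")
        # Assumption: with no container RDN, entries sit directly in the group DN.
        bases[m.group(1).lower()] = norm_dn(f"{rdn},{group}" if rdn else group)
    return bases

def check_sudoers_base(ldap_conf_line, bases):
    """Return (matches, expected_dn) for a 'sudoers_base <dn>' client line."""
    parts = ldap_conf_line.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "sudoers_base":
        raise ValueError("not a sudoers_base line")
    expected = bases["sudoers"]
    return norm_dn(parts[1]) == expected, expected

if __name__ == "__main__":
    bases = compat_bases(DSE_SAMPLE)
    # Constructed client lines: the shape from the thread, then the corrected one.
    for line in ("sudoers_base cn=users,cn=compat,ou=sudoers,dc=ipa,dc=test",
                 "sudoers_base ou=sudoers,dc=ipa,dc=test"):
        print(line, "->", check_sudoers_base(line, bases))
```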