> On 12/21/2011 12:22 AM, Jan Zelený wrote:
> >> On 12/20/2011 10:27 PM, Jan Zelený wrote:
> >>>> I have been working through configuring sudo via IPA and ran into the
> >>>> following situation.
> >>>> 
> >>>> There is a directive in the documentation to configure
> >>>> /etc/sssd/sssd.conf on the clients with something like the following:
> >>>> 
> >>>> ldap_netgroup_search_base = cn=ng,cn=compat,dc=example,dc=com
> >>>> 
> >>>> 
> >>>> This is pulled from the docs here for reference:
> >>>> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/example-configuring-sudo.html
> >>>> 
> >>>> This is fine and causes no problems, however, when I mistakenly left
> >>>> it out on a few systems, sudo continued to function, so I am
> >>>> wondering what it is that this directive does? Does this get sssd
> >>>> into the loop to cache sudo rules for offline use?
> >>> 
> >>> Support for SUDO in SSSD has been added just about a week ago into
> >>> master branch and is considered experimental right now. And as I
> >>> understand it, the support in SUDO itself is still not entirely
> >>> complete. So the simple answer is: hang on, the support is coming.
> >>> 
> >>> Jan
> >> 
> >> Hmm, that is odd. I am not trying to be on the bleeding edge here, my
> >> sudo setup is taken directly from the RHEL 6.2 documentation concerning
> >> identity management. It would be very strange if RHEL was running such
> >> an experimental and bleeding edge thing in the base RHEL setup.
> > 
> > Of course, it's not even in Fedora yet. The documentation link you sent
> > doesn't refer to SSSD but directly to sudo LDAP plugin which should be
> > working as described there.
> > 
> >> So I guess to back up a bit here, IF sudo were working with SSSD as it
> >> will in the future would the aforementioned directive be the way to make
> >> it work. Understanding of course that for now it doesn't.
> > 
> > I assume you are referring to the SSSD search base directive. In that
> > case the correct directive will be ldap_sudo_search_base. There are also
> > 11 more directives which can be used to configure attribute names of
> > LDAP sudo objects like ldap_sudorule_name, ldap_sudorule_command, etc.
> > 
> > Some configuration will be also needed for the entire chain to work. For
> > example sudo responder config section will have to be set up. But let's
> > not skip ahead, I'm sure everything will be well documented by the time
> > when the sudo chain is stable.
> > 
> > I hope this answers your question. If you have any more questions please
> > don't hesitate to ask.
> > 
> > Thanks
> > Jan
> Ok thanks. I think we are talking about two slightly different things
> here. I am just trying to figure out why that directive is supposed to
> be in sssd.conf (according to the docs) and why sudo continues to
> function with the IPA server if that directive is not in sssd.conf.

It's there because sudo rules can be based, among other things, on netgroups 
and users' memberships in them. Therefore what happens with that configuration 
is that the sudo LDAP plugin asks for sudo objects, but SSSD is used to retrieve 
information about netgroups and maybe also about common users/groups (I'm not 
completely sure about that since I haven't checked the documentation 

I hope the whole thing is a bit more clear to you now.
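The chain described in this reply, laid out as a configuration example (added here, not part of the original thread or the Red Hat documentation it cites): the sudo LDAP plugin fetches the rules itself, while SSSD answers the netgroup lookups those rules depend on. The host and account names (ipa.example.com, the uid=sudo system account) and the ou=sudoers compat container are assumptions; the netgroup search base is the one from the thread.

```ini
# /etc/nsswitch.conf (excerpt): sudo rules come from the sudo LDAP plugin,
# netgroup membership from SSSD. Keep "files" first so local entries win.
#   netgroup: files sss
#   sudoers:  files ldap
#
# /etc/sudo-ldap.conf (assumed values; this is the sudo LDAP plugin's own
# config, not SSSD's):
#   uri            ldap://ipa.example.com
#   sudoers_base   ou=sudoers,dc=example,dc=com
#   binddn         uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
#   bindpw         <placeholder: password of the sudo system account>
#   ssl            start_tls
#   tls_cacertfile /etc/ipa/ca.crt

# /etc/sssd/sssd.conf: only the part relevant to this thread
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ipa
ipa_domain = example.com
ipa_server = ipa.example.com
# Netgroup lookups routed to "sss" by nsswitch.conf are answered from the
# IPA compat tree below; a sudo rule that names a netgroup is matched
# against this membership information, not fetched through SSSD.
ldap_netgroup_search_base = cn=ng,cn=compat,dc=example,dc=com
```

With this layout a missing ldap_netgroup_search_base only affects rules that depend on netgroups; rules keyed directly on users or groups are still resolved by the sudo LDAP plugin, which is consistent with sudo continuing to work on the hosts where the directive was left out.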


Freeipa-users mailing list