On Tue, 2011-12-20 at 12:59 -0900, Erinn Looney-Triggs wrote:
> I have been working through configuring sudo via IPA and ran into the
> following situation.
>
> There is a directive in the documentation to configure
> /etc/sssd/sssd.conf on the clients with something like the following:
>
> ldap_netgroup_search_base = cn=ng,cn=compat,dc=example,dc=com
>
> This is pulled from the docs here for reference:
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/example-configuring-sudo.html
>
> This is fine and causes no problems, however, when I mistakenly left it
> out on a few systems, sudo continued to function, so I am wondering what
> it is that this directive does? Does this get sssd into the loop to
> cache sudo rules for offline use?
>
> Any ideas?
Sorry for the confusion in the other responses to this thread. The short answer is this:

SUDO can use LDAP rules (as you clearly know). It does this with its own internal LDAP lookup (it doesn't currently go through SSSD to accomplish this). However, SUDO rules can specify netgroups as part of their restrictions on who can do what (usually these are used to limit functions to certain hosts). In order to do this, SSSD needs to be configured to look up netgroups properly so that SUDO can use the 'getnetgrent()' glibc command to locate the netgroups.

The doc you are looking at is actually a bit out of date. It's no longer necessary to provide that option, because if it's unspecified, we set it automatically to cn=ng,cn=compat,dc=example,dc=com (using the appropriate base, of course).

Jan's comments about upstream work were that we recently made changes to avoid needing to use the compat tree for netgroup lookups and can instead use FreeIPA's native, custom schema for netgroups. That's not terribly relevant to you, but it's a useful piece of information.

So, in short, you don't need to set it, the doc is outdated.
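An added example (not from this thread or from SSSD itself) that applies the two points above to a client config: it works out the effective ldap_netgroup_search_base for each [domain/...] section of an sssd.conf, filling in the cn=ng,cn=compat,<base> default the reply describes when the option is absent, and checks that nsswitch.conf routes the netgroup database to sss so that sudo's getnetgrent() call actually reaches SSSD. The sample sssd.conf is constructed; deriving the IPA base DN from ipa_domain, and the plain-LDAP provider falling back to ldap_search_base, are my assumptions.

```python
import configparser

# Constructed sample sssd.conf: the IPA domain omits the option (relies on the default),
# the plain-LDAP domain sets it explicitly.
SAMPLE_SSSD_CONF = """\
[domain/example.com]
id_provider = ipa
ipa_domain = example.com

[domain/lab.test]
id_provider = ldap
ldap_search_base = dc=lab,dc=test
ldap_netgroup_search_base = ou=netgroup,dc=lab,dc=test
"""

def domain_to_basedn(domain):
    """example.com -> dc=example,dc=com (assumed derivation used by the IPA provider)."""
    return ",".join("dc=" + label for label in domain.strip().split("."))

def effective_netgroup_bases(conf_text):
    """Map each [domain/...] section to (netgroup search base, how it was determined).
    For id_provider=ipa the unset default is the compat tree: cn=ng,cn=compat,<base>."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    result = {}
    for section in (s for s in cp.sections() if s.startswith("domain/")):
        opts = cp[section]
        provider = opts.get("id_provider", "")
        base = opts.get("ldap_search_base")
        if base is None and provider == "ipa" and opts.get("ipa_domain"):
            base = domain_to_basedn(opts["ipa_domain"])
        if opts.get("ldap_netgroup_search_base"):
            result[section] = (opts["ldap_netgroup_search_base"].strip(), "explicit")
        elif base is None:
            result[section] = (None, "unresolved: base DN would come from the server RootDSE")
        elif provider == "ipa":
            result[section] = ("cn=ng,cn=compat," + base.strip(), "ipa default")
        else:
            # Assumption: other LDAP providers fall back to ldap_search_base.
            result[section] = (base.strip(), "ldap default")
    return result

def nsswitch_routes_netgroup_to_sss(nsswitch_text):
    """True if the netgroup line in nsswitch.conf lists sss, so getnetgrent() reaches SSSD."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0]
        if ":" in line:
            db, sources = line.split(":", 1)
            if db.strip() == "netgroup":
                return "sss" in sources.split()
    return False
```

Run it against a real /etc/sssd/sssd.conf and /etc/nsswitch.conf to see which domains rely on the default and whether netgroup resolution is wired to SSSD at all.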
_______________________________________________ Freeipa-users mailing list Freeipaemail@example.com https://www.redhat.com/mailman/listinfo/freeipa-users