On Tue, 2011-12-20 at 12:59 -0900, Erinn Looney-Triggs wrote:
> I have been working through configuring sudo via IPA and ran into the
> following situation.
> 
> There is a directive in the documentation to configure
> /etc/sssd/sssd.conf on the clients with something like the following:
> 
> ldap_netgroup_search_base = cn=ng,cn=compat,dc=example,dc=com
> 
> 
> This is pulled from the docse here for reference:
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/example-configuring-sudo.html
> 
> This is fine and causes no problems, however, when I mistakenly left it
> out on a few systems, sudo continued to function, so I am wondering what
> it is that this directive does? Does this get sssd into the loop to
> cache sudo rules for offline use?
> 
> Any ideas?

Sorry for the confusion in the other responses to this thread. The short
answer is this: SUDO can use LDAP rules (as you clearly know). It does
this with its own internal LDAP lookup (it doesn't currently go through
SSSD to accomplish this).

However, SUDO rules can specify netgroups as part of their restrictions
on who can do what (usually these are used to limit functions to certain
hosts). In order to do this, SSSD needs to be configured to look up
netgroups properly so that SUDO can use the 'getnetgrent()' glibc
command to locate the netgroups.

The doc you are looking at is actually a bit out of date. It's no longer
necessary to provide that option, because if it's unspecified, we set it
automatically to cn=ng,cn=compat,dc=example,dc=com (using the
appropriate base, of course).

Jan's comments about upstream work were that we recently made changes to
avoid needing to use the compat tree for netgroup lookups and can
instead use FreeIPA's native, custom schema for netgroups. That's not
terribly relevant to you, but it's a useful piece of information.

So, in short, you don't need to set it, the doc is outdated.

Attachment: signature.asc
Description: This is a digitally signed message part

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to