> On Tue, 2011-12-20 at 12:59 -0900, Erinn Looney-Triggs wrote:
> > I have been working through configuring sudo via IPA and ran into the
> > following situation.
> >
> > There is a directive in the documentation to configure
> > /etc/sssd/sssd.conf on the clients with something like the following:
> >
> > ldap_netgroup_search_base = cn=ng,cn=compat,dc=example,dc=com
> >
> > This is pulled from the docs here for reference:
> > http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/example-configuring-sudo.html
> >
> > This is fine and causes no problems, however, when I mistakenly left it
> > out on a few systems, sudo continued to function, so I am wondering what
> > it is that this directive does? Does this get sssd into the loop to
> > cache sudo rules for offline use?
> >
> > Any ideas?
>
> Sorry for the confusion in the other responses to this thread. The short
> answer is this: SUDO can use LDAP rules (as you clearly know). It does
> this with its own internal LDAP lookup (it doesn't currently go through
> SSSD to accomplish this).
>
> However, SUDO rules can specify netgroups as part of their restrictions
> on who can do what (usually these are used to limit functions to certain
> hosts). In order to do this, SSSD needs to be configured to look up
> netgroups properly so that SUDO can use the 'getnetgrent()' glibc
> command to locate the netgroups.
>
> The doc you are looking at is actually a bit out of date. It's no longer
> necessary to provide that option, because if it's unspecified, we set it
> automatically to cn=ng,cn=compat,dc=example,dc=com (using the
> appropriate base, of course).
>
> Jan's comments about upstream work were that we recently made changes to
> avoid needing to use the compat tree for netgroup lookups and can
> instead use FreeIPA's native, custom schema for netgroups. That's not
> terribly relevant to you, but it's a useful piece of information.
Actually no, my comment was a reaction to the original question if the SSSD can get into the loop to cache sudo rules for offline use.

> So, in short, you don't need to set it, the doc is outdated.

Jan
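To make the getnetgrent() dependency described above concrete, here is an added C check (constructed for this page, not code from the thread, sudo or SSSD) that resolves a netgroup through glibc's NSS netgroup service the same way sudo does; the netgroup name "ipa-admins" is a placeholder.

```c
#define _GNU_SOURCE   /* glibc: declare setnetgrent/getnetgrent/innetgr in <netdb.h> */
#include <netdb.h>
#include <stdio.h>
#include <unistd.h>

/* Constructed check, not code from the thread: repeat the lookup sudo makes
 * when a sudoRole is limited to a netgroup. sudo hands the name to glibc's
 * NSS netgroup service, which an IPA client answers through SSSD; if
 * nothing comes back here, a netgroup-restricted rule can never match. */

/* Enumerate a netgroup's (host,user,domain) triples, printing each one.
 * Returns the count, or -1 when NSS does not know the netgroup
 * (setnetgrent() returns 0 for "not found" and for "backend unavailable"). */
int count_netgroup_triples(const char *netgroup)
{
    char *host, *user, *domain;
    int n = 0;
    if (setnetgrent(netgroup) != 1)
        return -1;
    while (getnetgrent(&host, &user, &domain) == 1) {
        printf("  (%s,%s,%s)\n", host ? host : "", user ? user : "",
               domain ? domain : "");
        n++;
    }
    endnetgrent();
    return n;
}

/* The membership test itself: innetgr() returns 1 on a match; a NULL host
 * or user is a wildcard for that field. */
int in_netgroup(const char *netgroup, const char *host, const char *user)
{
    return innetgr(netgroup, host, user, NULL);
}

int main(int argc, char **argv)
{
    /* "ipa-admins" is a placeholder; pass the real netgroup name as argv[1]. */
    const char *ng = argc > 1 ? argv[1] : "ipa-admins";
    char host[256] = {0};
    gethostname(host, sizeof host - 1);
    printf("netgroup %s as seen through NSS:\n", ng);
    int n = count_netgroup_triples(ng);
    if (n < 0)
        printf("  not resolvable here: check the client's SSSD netgroup setup\n");
    printf("this host (%s) is a member: %s\n", host,
           in_netgroup(ng, host, NULL) ? "yes" : "no");
    return n < 0;
}
```

On an IPA client, `getent netgroup <name>` exercises the same NSS path, so a netgroup that is empty or unknown there will not match in sudo either.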
_______________________________________________
Freeipa-users mailing list
https://www.redhat.com/mailman/listinfo/freeipa-users