On Wed, 2011-12-21 at 09:08 -0900, Erinn Looney-Triggs wrote:
> On 12/21/2011 04:37 AM, Stephen Gallagher wrote:
> > On Tue, 2011-12-20 at 12:59 -0900, Erinn Looney-Triggs wrote:
> > > I have been working through configuring sudo via IPA and ran into the
> > > following situation.
> > >
> > > There is a directive in the documentation to configure
> > > /etc/sssd/sssd.conf on the clients with something like the following:
> > >
> > > ldap_netgroup_search_base = cn=ng,cn=compat,dc=example,dc=com
> > >
> > > This is pulled from the docs here for reference:
> > > http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/example-configuring-sudo.html
> > >
> > > This is fine and causes no problems, however, when I mistakenly left it
> > > out on a few systems, sudo continued to function, so I am wondering what
> > > it is that this directive does? Does this get sssd into the loop to
> > > cache sudo rules for offline use?
> > >
> > > Any ideas?
> >
> > Sorry for the confusion in the other responses to this thread. The short
> > answer is this: SUDO can use LDAP rules (as you clearly know). It does
> > this with its own internal LDAP lookup (it doesn't currently go through
> > SSSD to accomplish this).
> >
> > However, SUDO rules can specify netgroups as part of their restrictions
> > on who can do what (usually these are used to limit functions to certain
> > hosts). In order to do this, SSSD needs to be configured to look up
> > netgroups properly so that SUDO can use the 'getnetgrent()' glibc
> > command to locate the netgroups.
> >
> > The doc you are looking at is actually a bit out of date. It's no longer
> > necessary to provide that option, because if it's unspecified, we set it
> > automatically to cn=ng,cn=compat,dc=example,dc=com (using the
> > appropriate base, of course).
> >
> > Jan's comments about upstream work were that we recently made changes to
> > avoid needing to use the compat tree for netgroup lookups and can
> > instead use FreeIPA's native, custom schema for netgroups. That's not
> > terribly relevant to you, but it's a useful piece of information.
> >
> > So, in short, you don't need to set it, the doc is outdated.
> >
> > _______________________________________________
> > Freeipa-users mailing list
> > Freeipa-users@redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-users
>
> Ok thanks, that makes sense. One final question here, is there a way
> to verify that sssd is in fact setting this properly? Not that I doubt
> you of course, it is just a matter of so many versions of sssd in so
> many places that it would be good to verify that it works
> automagically on RHEL 5, 6, and whatever else, say Ubuntu etc.
>
> -Erinn
You can set 'debug_level = 6' in [domain/<DOMAINNAME>] of sssd.conf and restart. If you look in the sssd_<DOMAINNAME>.log, you should see a line setting the ldap_netgroup_search_base option.
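As an added example (not code from this thread or from the SSSD project), a small POSIX shell check that reads the ldap_netgroup_search_base value SSSD writes to sssd_<DOMAINNAME>.log once debug_level = 6 is set and the daemon restarted, and compares it with the expected default cn=ng,cn=compat,<base>. The wording of the log line is an assumption and may need adjusting for your SSSD version.

```shell
#!/bin/sh
# Added example, not from the thread: read the ldap_netgroup_search_base value
# SSSD logs (debug_level = 6 in [domain/<DOMAINNAME>], then restart) and
# compare it with cn=ng,cn=compat,<base>. Log line format is an assumption.

# Print the last netgroup search base found in log file $1 (empty if none).
logged_netgroup_base() {
    awk '
        /ldap_netgroup_search_base/ {
            rest = substr($0, index($0, "ldap_netgroup_search_base"))
            if ((i = index(rest, "cn=")) > 0) {
                val = substr(rest, i)
                sub(/[] "]+.*$/, "", val)   # cut at the first space, ] or quote
                found = val
            }
        }
        END { if (found != "") print found }
    ' "$1"
}

# Exit 0 if the logged base equals cn=ng,cn=compat,$2 (the domain base DN),
# 1 on mismatch, 2 if no such line was logged at all.
verify_netgroup_base() {
    expected="cn=ng,cn=compat,$2"
    actual=$(logged_netgroup_base "$1")
    if [ -z "$actual" ]; then
        echo "no ldap_netgroup_search_base line in $1 (debug_level >= 6? restarted?)" >&2
        return 2
    fi
    if [ "$actual" = "$expected" ]; then
        echo "OK: netgroup search base is $actual"
        return 0
    fi
    echo "MISMATCH: logged '$actual', expected '$expected'" >&2
    return 1
}

# Constructed sample of two sssd_<DOMAINNAME>.log lines (format assumed).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
(Wed Dec 21 10:00:01 2011) [sssd[be[example.com]]] [dp_get_options] (0x0400): Option ldap_search_base has value dc=example,dc=com
(Wed Dec 21 10:00:01 2011) [sssd[be[example.com]]] [dp_get_options] (0x0400): Option ldap_netgroup_search_base has value cn=ng,cn=compat,dc=example,dc=com
EOF
verify_netgroup_base "$SAMPLE_LOG" "dc=example,dc=com"
rm -f "$SAMPLE_LOG"
```

Run it against the real log with `verify_netgroup_base /var/log/sssd/sssd_<DOMAINNAME>.log 'dc=example,dc=com'` on each client; a missing line means the option was never logged, not that the default is wrong.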