Hi Jakub and Rich,

Got it.

Thanks a lot for the HBAC and sudoers maps access. I think I got confused by
the graph in the PowerPoint
presentation http://www.redhat.com/summit/2011/presentations/summit/whats_next/friday/pal_crittenden_f_1100_ipa_overview_rev3.pdf.
The graph 'Under the hood' claimed that user/group/netgroup/HBAC will go
through sssd, while other maps (sudo, autofs?) would go through nss_ldap.

So it could be that FreeIPA has been further developed to provide DIRECTLY
more mappings without the help of pam_(ldap/kerberos) and nss_ldap? To Rich,
could you confirm that -- and probably more mappings -- in this version 2.1.3-9
on Red Hat 6.2? If not, how about 2.2 on Red Hat 6.3 Beta? Thanks a lot.

Have a nice weekend.


From: Jakub Hrozek <jhro...@redhat.com>
To: Gelen James <hahaha_...@yahoo.com>
Cc: "freeipa-users@redhat.com" <freeipa-users@redhat.com>
Sent: Saturday, May 19, 2012 10:16 AM
Subject: Re: [Freeipa-users] sudo rules in IPA infrastructure

On Fri, May 18, 2012 at 02:35:18PM -0700, Gelen James wrote:
>    Hi all,
>     Are the sudo rules applied to IPA clients through nss_ldap, instead of
>    sssd? 

Neither :-)

sudo looks up the user information via the standard name-service-switch
maps, so if your machine is configured to fetch user and group
information using the sss NSS module in nsswitch.conf, then the requests
get to sssd.

As Stephen Ingram pointed out elsewhere in this thread, sudo only reads
the nss_ldap/nss-pam-ldapd config files but establishes the connection
to the LDAP server and fetches the data on its own.

Freeipa-users mailing list
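
Added example, not part of the original thread or of FreeIPA/sssd code: a small Python check that reads nsswitch.conf text and reports which component answers each lookup discussed above (user, group and netgroup data through the NSS modules, sudo rules through sudo's own LDAP connection). The sample file contents and the function names are constructed for illustration, and it assumes a sudo build that honors a `sudoers:` line in nsswitch.conf.

```python
import re

# Constructed sample of /etc/nsswitch.conf on an IPA client (not from the thread).
SAMPLE_NSSWITCH = """\
# users and groups come from sssd
passwd:     files sss
group:      files sss
netgroup:   files sss   # inline comment
sudoers:    files [NOTFOUND=continue] ldap
"""


def parse_nsswitch(text):
    """Return {database: [source, ...]}; comments and [STATUS=action] items are dropped."""
    maps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        database, _, rest = line.partition(":")
        rest = re.sub(r"\[[^\]]*\]", " ", rest)  # strip action items such as [NOTFOUND=return]
        maps[database.strip().lower()] = rest.split()
    return maps


def lookup_paths(text):
    """Name the component that answers each lookup relevant to a sudo decision."""
    maps = parse_nsswitch(text)
    report = {}
    for db in ("passwd", "group", "netgroup"):
        sources = maps.get(db, [])
        if "sss" in sources:
            report[db] = "sssd"
        elif "ldap" in sources:
            report[db] = "nss_ldap"
        else:
            report[db] = "local"
    # Assumption: with no sudoers: line, sudo falls back to the local sudoers file.
    sudo_sources = maps.get("sudoers", ["files"])
    if "ldap" in sudo_sources:
        report["sudoers"] = "sudo's own LDAP connection"
    elif "sss" in sudo_sources:  # source offered by newer sudo/sssd builds
        report["sudoers"] = "sssd"
    else:
        report["sudoers"] = "local"
    return report


if __name__ == "__main__":
    for database, component in lookup_paths(SAMPLE_NSSWITCH).items():
        print(f"{database:9s} -> {component}")
```

Running the same functions over the real /etc/nsswitch.conf of a client shows at a glance whether sudo rules and identity data take different paths, which is the situation described in the reply above.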