I've been testing the sudo integration with IPA and I came across some questions:

1. When I disable or delete a sudo rule, it's not removed from the ou=sudoers until I restart the directory server. Am I doing something wrong? (389-ds-base-, slapi-nis-0.40-1.el6.x86_64)

2. Perhaps the documentation should mention creating a rule called "defaults" to put default options for all sudo rules in. Or even better having one created by default with a fresh IPA installation. It took me a few seconds to figure out where to put default options for all sudo rules.

3. sudo integration with SSSD does not work when anonymous LDAP authentication is disabled at the server. Enabling verbose logging in SSSD seems to suggest that it's attempting anonymous auth only. (sssd-1.8.4-14.fc17.x86_64)

4. Having spaces in sudo options (such as "env_keep = 'ENV_VAR'") makes sudo display these options as errors when sudo debugging is enabled (sudoers_debug 1 in /etc/ldap.conf or /etc/sudo-ldap.conf):
sudo: unknown defaults entry `env_keep '

5. It would be great to have a set of sudo commands and a set of sudo command groups installed by default.

6. Adding a sudo command having multiple commands listed (such as: "/sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/ rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool") is allowed in IPA, and it does list it correctly as allowed commands when doing "sudo -l"; however, attempting to execute one of the commands in the list using sudo fails.

I did my testing with IPA server 2.2 in CentOS 6.3.


Freeipa-users mailing list
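Items 4 and 6 above are both cases where a rule that looks fine in the IPA UI and in "sudo -l" is rejected or mis-matched by sudo's LDAP backend at run time, so a practitioner will want a quick check over the exported rules before blaming the server. The linter below is an added example written for this thread; it is not code from the original post or from the FreeIPA project. It assumes the standard sudoers LDAP schema (sudoRole entries with sudoOption and sudoCommand attributes) and reads LDIF of the form `ldapsearch -LLL -b ou=sudoers,<base dn>` prints; the base DN dc=example,dc=com, the rule names and the sample LDIF are constructed for the example.

```python
"""Lint sudo rules exported from the ou=sudoers compat tree for two
pitfalls that make sudo misbehave at run time.  Added example for this
thread, not from the original post or from the FreeIPA project.  It
assumes the standard sudoers LDAP schema (sudoRole entries carrying
sudoOption and sudoCommand attributes) and LDIF of the form that
`ldapsearch -LLL -b ou=sudoers,<base dn>` prints."""
import re

# Constructed sample LDIF (not a real export) reproducing the two
# problems reported in the post: spaces around '=' in a sudoOption and a
# comma-separated command list in a single sudoCommand value.
SAMPLE_LDIF = """\
dn: cn=defaults,ou=sudoers,dc=example,dc=com
objectClass: sudoRole
cn: defaults
sudoOption: env_keep = 'ENV_VAR'
sudoOption: !authenticate

dn: cn=netadmin,ou=sudoers,dc=example,dc=com
objectClass: sudoRole
cn: netadmin
sudoUser: %netadmins
sudoHost: ALL
sudoCommand: /sbin/route, /sbin/ifconfig, /bin/ping
sudoCommand: /sbin/iptables
sudoOption: env_keep+=ENV_VAR
"""

# Splits a sudoOption into name, operator and value.  The name runs up to
# the first '=', '+' or '-' so that '+=' and '-=' are recognised as operators.
OPTION_RE = re.compile(r'^([^=+\-]*)([+\-]?=)?(.*)$')


def parse_ldif(text):
    """Return [(dn, {attr: [values]})] for every entry in the LDIF text."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(' ') and lines:      # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines + ['']:                   # sentinel flushes last entry
        if not line.strip():
            if current is not None:
                entries.append(current)
            current = None
            continue
        attr, _, value = line.partition(':')
        value = value.strip()
        if attr == 'dn':
            current = (value, {})
        elif current is not None:
            current[1].setdefault(attr, []).append(value)
    return entries


def check_option(value):
    """Flag whitespace around the operator of a sudoOption.

    Everything before the operator is looked up as the option name, which
    is why the post sees "unknown defaults entry `env_keep '" (note the
    trailing space) for 'env_keep = ...'."""
    name, op, rest = OPTION_RE.match(value).groups()
    if op and (name != name.rstrip() or rest != rest.lstrip()):
        return "whitespace around '%s'; write it as %s%s%s" % (
            op, name.strip(), op, rest.strip())
    return None


def check_command(value):
    """Flag a comma-separated list inside one sudoCommand value.

    The sudoers LDAP schema takes one command per sudoCommand value; a
    'cmd1, cmd2' list is sudoers-file syntax, so a request to run any one
    of the listed commands does not match the stored value (the symptom
    described in item 6 of the post)."""
    if ',' in value:
        parts = [p.strip() for p in value.split(',') if p.strip()]
        return "one command per sudoCommand value expected; split into %d values: %s" % (
            len(parts), ', '.join(parts))
    return None


def lint_ldif(text):
    """Return (dn, attribute, value, message) for every problem found."""
    findings = []
    for dn, attrs in parse_ldif(text):
        for attr, check in (('sudoOption', check_option),
                            ('sudoCommand', check_command)):
            for value in attrs.get(attr, []):
                msg = check(value)
                if msg:
                    findings.append((dn, attr, value, msg))
    return findings


if __name__ == '__main__':
    for dn, attr, value, msg in lint_ldif(SAMPLE_LDIF):
        print('%s: %s: %s: %s' % (dn, attr, value, msg))
```

To run it against a live compat tree, replace SAMPLE_LDIF with the output of an `ldapsearch -LLL` over ou=sudoers; because the check reads what the directory actually serves rather than what the UI shows, it also gives a cheap way to confirm whether a disabled or deleted rule (item 1) is still present in the compat tree.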