I've been testing the sudo integration with IPA and I came across some
1. When I disable or delete a sudo rule, it's not removed from the
ou=sudoers until I restart the directory server. Am I doing something
wrong? (389-ds-base-188.8.131.52-20.el6_3.x86_64, slapi-nis-0.40-1.el6.x86_64)
2. Perhaps the documentation should mention creating a rule called
"defaults" to put default options for all sudo rules in. Or even better
having one created by default with a fresh IPA installation. It took me
a few seconds to figure out where to put default options for all sudo rules.
3. sudo integration with SSSD does not work when anonymous LDAP
authentication is disabled at the server. Enabling verbose logging in
SSSD seem to suggest that it's attempting anonymous auth only.
4. Having spaces in sudo options (such as "env_keep = 'ENV_VAR'") make
sudo display these options as errors when sudo debugging is enabled
(sudoers_debug 1 in /etc/ldap.conf or /etc/sudo-ldap.conf):
sudo: unknown defaults entry `env_keep '
5. It would be great to have a set of sudo commands and a set of sudo
command groups installed by default.
6. Adding a sudo command having multiple commands listed (such as:
"/sbin/route, /sbin/ifconfig, /bin/ping
is allowed in IPA and does list it correctly as allowed commands when
doing "sudo -l", however attempting to execute one of the commands in
the list using sudo fails.
I did my testing with IPA server 2.2 in CentOS 6.3.
Freeipa-users mailing list