Here is the outuput of ldapsearch :-
dn: cn=Admins,ou=sudoers,dc=example,dc=com
objectClass: sudoRole
sudoUser: %ctsadmin
sudoHost: ALL
sudoCommand: ALL
sudoRunAsUser: ALL
cn: Admins

The rule still says that the group ctsadmin is allowed (Which should
not happen after I remove the ctsadmin group from sudo access)
On the IPA Web Interface there is not sudo role attached to the  User
"rsiwal" (Neither Direct nor Indirect).
May be there is some bug.

On Mon, Feb 4, 2013 at 1:22 PM, Rajnesh Kumar Siwal
<> wrote:
> Hi all,
> I have just created a setup for sudo on the IPA Server 2.2.
> I modified nsswitch.conf to use ldap.
> ldap.conf has been modified to fetch sudo users from the IPA Server.
> Now, th euser in group "admin" can do sudo.
>       1. rsiwal being a user of group sudo can run all commands as sudo (FINE)
>       2. If I disable the rule "Admins" (that I admin group access to
> sudo), the sudo still works for the user rsiwal (Which should not work
> logically).
>       3. Removed the group "Admins" (including rsiwal) from the Sudo
> rule. The rule is still allowing user rsiwal to run "sudo su -". (It
> should Fail)
> Is there some kind of caching being at the Server / client end ?
> --
> Regards,
> Rajnesh Kumar Siwal

Rajnesh Kumar Siwal

Freeipa-users mailing list

Reply via email to